Introduction

This guide outlines a step-by-step process of deploying a typical ProcessRobot Server setup on Microsoft Azure cloud service. This setup includes the following components:

  • Two ProcessRobot Server instances (Windows Server 2016 VMs)
  • One Microsoft Active Directory Server (Windows Server 2016 VM)
  • One Microsoft SQL Server instance (Windows Server 2016 VM)
  • Three Redis Sentinel instances (Ubuntu Server 18.04 LTS VMs)
  • Three Elasticsearch Cluster instances (Ubuntu Server 18.04 LTS VMs)
  • One Azure Load Balancer (Standard SKU)
  • One Solobot (Windows 10 VM)

An overview of the deployment architecture is provided below:

 


 

 

Instructions

The following steps indicate the basic configuration for the aforementioned components in an Azure environment.

1. Azure Environment

Create the required Virtual network, Network security group, Resource group and Availability set according to architecture requirements.

A VM created in Azure cannot be added to an Availability set after its creation, nor switched to another Availability set, so ensure you have clarified this requirement before implementation.

2. VMs

Create the new Windows Server 2016 instances that will host one Windows Active Directory server and one or more ProcessRobot Servers.

Example VM properties:

  • OS: Windows Server 2016 Datacenter
  • Size: Standard B2ms
  • Networking: HTTP, HTTPS, RDP allowed
  • NIC: Advanced (same security group for all VMs)


3. Windows Server - Network Settings

After VM creation:

  • Log in to Windows with the admin user (default)
  • Go to: Network Connections -> Ethernet -> Properties -> TCP/IPv4
  • Switch to Static IP virtual switch
  • Change IPs in IPv4 settings of Ethernet adapter
  • Secondary VM should be configured to see primary VM as DNS server


 

 

Example configuration for Active Directory VM:

  • IP address: 10.0.0.17
  • Subnet mask: 255.255.255.0
  • Default gateway: 10.0.0.1
  • Preferred DNS server: 127.0.0.1

Example configuration for primary ProcessRobot Server VM:

  • IP address: 10.0.0.4
  • Subnet mask: 255.255.255.0
  • Default gateway: 10.0.0.1
  • Preferred DNS server: 10.0.0.17

Example configuration for secondary ProcessRobot Server VM:

  • IP address: 10.0.0.5
  • Subnet mask: 255.255.255.0
  • Default gateway: 10.0.0.1
  • Preferred DNS server: 10.0.0.17

Example configuration for SQL Server VM:

  • IP address: 10.0.0.6
  • Subnet mask: 255.255.255.0
  • Default gateway: 10.0.0.1
  • Preferred DNS server: 10.0.0.17

In Server Manager -> Local Server, disable IE Enhanced Security Configuration.

In Networking settings: Defender Firewall -> Advanced Settings -> Inbound/Outbound Rules -> Port, add TCP/6090.

Ping between VMs to confirm connectivity. If communication fails, turn off client Defender Firewall for the Domain network.

In Windows Firewall -> Turn Windows Firewall on or off -> Domain network settings, select “Turn off Windows Firewall”. Ping both ways again to confirm connectivity. Reboot.

4. Active Directory VM

In Windows Server Manager -> Add Roles and Features, follow the directions of the wizard to enable the required roles (i.e. Active Directory Domain Services, IIS). Reboot.

Promote the server to Domain Controller by following the wizard in Tasks. Create a new forest with the following properties, keeping the default values of any other settings.

Example forest properties:

  • Name: processrobot.demo
  • Password: same as the admin password

Go to Group Policy Management -> <Expand forest name> -> Group Policy Results (right-click) -> Group Policy Results Wizard -> This computer -> Do not display user policy settings in the results (display computer policy settings only) -> Finish

Follow this Microsoft guide to enable user delegation (i.e. to overcome access restrictions). Main Steps:

Go to Group Policy Management -> expand forest name -> Domains -> expand domain name -> Domain Controllers -> Default Domain Controllers Policy (right-click) -> Edit -> Expand "Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment" -> Enable computer and user accounts to be trusted for delegation -> Add User or Group -> Type "Administrators" -> OK

In settings, verify that "Enable computer and user accounts to be trusted for delegation" is granted to BUILTIN\Administrators. Reboot.

In Server Manager -> Tools -> Active Directory Users and Computers, add the necessary SideBot/SoloBot users; make sure you also add them as members of the "Domain Admins", "Remote Desktop Users" and "Remote Management Users" groups.

The above users should essentially be replicated with identical properties to every subsequent VM that is added in the domain.


 

 

Domain Administrator restricted access

In case you cannot perform certain actions in Windows as Domain Administrator ("Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."), proceed with the following change:

Enter gpedit.msc in Windows Search to open the Group Policy Editor.

Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

Enable "User Account Control: Admin Approval Mode for the Built-in Administrator account". Reboot.

5. ProcessRobot Server VM

On every ProcessRobot VM you create, set the DNS IP to the Active Directory VM’s static IP.

Add the new server in the same domain as the Active Directory VM: System -> Computer name, domain and workgroup settings -> Change settings -> Change -> (Member of) Domain: processrobot.demo

If required, use AD admin user credentials (domain\username, password). Reboot.

6. SQL Server VM

Ensure you set its DNS as the Active Directory VM’s static IP.

Add the new server in the same domain as the Active Directory VM: System -> Computer name, domain and workgroup settings -> Change settings -> Change -> (Member of) Domain: processrobot.demo

If required, use AD admin user credentials (domain\username, password). Reboot.

Download and install Microsoft SQL Server Developer Edition 2017, following the ProcessRobot Server Installation Guide.

7. Redis VMs

Create three new Ubuntu Server 18.04 LTS instances that will host the Redis cluster.

Example VM properties:

  • OS: Ubuntu Server 18.04 LTS
  • Size: Standard D2s v3
  • Networking: HTTP, HTTPS, SSH allowed
  • NIC: Advanced (same security group for all VMs)

Create a new admin user in each instance, then install the build dependencies and open the Redis and Sentinel ports:

$ sudo apt -y update && sudo apt -y upgrade && sudo apt -y install build-essential openssh-server curl ssh git python-pip libssl-dev gettext unzip python autoconf automake pkg-config tcl libjemalloc-dev

$ sudo ufw allow 6379 && sudo ufw allow 26379


Download Redis into /tmp from the Redis website and build it by running the make, make test and make install commands in turn.

$ sudo mkdir -p /etc/redis

$ sudo mkdir -p /var/redis

$ sudo cp redis.conf sentinel.conf /etc/redis/


Edit the "redis_init_script" and add the following lines:

sudo vi utils/redis_init_script

REDISPORT=6379
PIDFILE="/var/run/redis.pid"
CONF="/etc/redis/redis.conf"

 

 

Copy the executable files into the corresponding directories:

$ sudo cp utils/redis_init_script /etc/init.d/redis

$ sudo cp src/redis-server /usr/local/bin/

$ sudo cp src/redis-sentinel /usr/local/bin/

$ sudo cp src/redis-cli /usr/local/bin/


In all three VMs, create a redis.conf and sentinel.conf file under /etc/redis directory with the following contents:

redis.conf (VM #1)

protected-mode no
daemonize yes
port <your_redis_port>
dir /var/redis
logfile "/var/log/redis.log"

sentinel.conf (VM #1)

protected-mode no
port <your_sentinel_port>
logfile "/var/log/redis-sentinel.log"
sentinel monitor <your_master_redis_node_name> <your_master_redis_node_ip> <your_redis_port> 2
sentinel down-after-milliseconds <your_master_redis_node_name> 5000
sentinel failover-timeout <your_master_redis_node_name> 10000

redis.conf (VM #2)

protected-mode no
daemonize yes
port <your_redis_port>
dir /var/redis
slaveof <your_master_redis_node_ip> <your_redis_port>
logfile "/var/log/redis.log"

sentinel.conf (VM #2)

protected-mode no
port <your_sentinel_port>
logfile "/var/log/redis-sentinel.log"
sentinel monitor <your_master_redis_node_name> <your_master_redis_node_ip> <your_redis_port> 2
sentinel down-after-milliseconds <your_master_redis_node_name> 5000
sentinel failover-timeout <your_master_redis_node_name> 10000

redis.conf (VM #3)

protected-mode no
daemonize yes
port <your_redis_port>
dir /var/redis
slaveof <your_master_redis_node_ip> <your_redis_port>
logfile "/var/log/redis.log"

sentinel.conf (VM #3)

protected-mode no
port <your_sentinel_port>
logfile "/var/log/redis-sentinel.log"
sentinel monitor <your_master_redis_node_name> <your_master_redis_node_ip> <your_redis_port> 2
sentinel down-after-milliseconds <your_master_redis_node_name> 5000
sentinel failover-timeout <your_master_redis_node_name> 10000


Create a new init.d file to start the redis process, with the following contents:

sudo vi /etc/init.d/redis

#!/bin/sh
#
# Simple Redis init.d script conceived to work on Linux systems as it does use of the /proc filesystem.

### BEGIN INIT INFO
# Provides:  redis
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Redis data structure server
# Description: Redis data structure server. See https://redis.io
### END INIT INFO

REDISPORT=6379
EXEC=/usr/local/bin/redis-server
CLIEXEC=/usr/local/bin/redis-cli

PIDFILE=/var/run/redis.pid
CONF="/etc/redis/redis.conf"

case "$1" in
    start)
        if [ -f $PIDFILE ]
        then
                echo "$PIDFILE exists, process is already running or crashed"
        else
                echo "Starting Redis server..."
                $EXEC $CONF
        fi
        ;;
    stop)
        if [ ! -f $PIDFILE ]
        then
                echo "$PIDFILE does not exist, process is not running"
        else
                PID=$(cat $PIDFILE)
                echo "Stopping ..."
                $CLIEXEC -p $REDISPORT shutdown
                while [ -x /proc/${PID} ]
                do
                    echo "Waiting for Redis to shutdown ..."
                    sleep 1
                done
                echo "Redis stopped"
        fi
        ;;
    *)
        echo "Please use start or stop as first argument"
        ;;
esac

 

Make the file executable:

$ sudo chmod 755 /etc/init.d/redis

 

 

Create a new init.d file to start the sentinel process, with the following contents:

sudo vi /etc/init.d/sentinel

#!/bin/sh
#
# Simple Sentinel init.d script conceived to work on Linux systems as it does use of the /proc filesystem.

### BEGIN INIT INFO
# Provides: sentinel
# Required-Start: $syslog
# Required-Stop: $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop sentinel
# Description: Sentinel daemon
### END INIT INFO

SENTINELPORT=26379
EXEC=/usr/local/bin/redis-sentinel
CLIEXEC=/usr/local/bin/redis-cli

PIDFILE=/var/run/sentinel.pid
CONF="/etc/redis/sentinel.conf"

case "$1" in
    start)
        if [ -f $PIDFILE ]
        then
            echo "$PIDFILE exists, process is already running or crashed"
        else
            echo "Starting Sentinel server..."
            nohup $EXEC $CONF >> /var/log/redis-sentinel.log 2>&1 &
            echo $! > "${PIDFILE}";
        fi
        ;;
    stop)
        if [ ! -f $PIDFILE ]
        then
            echo "$PIDFILE does not exist, process is not running"
        else
            PID=$(cat $PIDFILE)
            echo "Stopping ..."
            $CLIEXEC -p $SENTINELPORT shutdown
            while [ -x /proc/${PID} ]
            do
                echo "Waiting for Sentinel to shutdown ..."
                sleep 1
            done
            rm -rf $PIDFILE
            echo "Sentinel stopped"
        fi
        ;;
    *)
        echo "Please use start or stop as first argument"
        ;;
esac

 

Make the file executable:

$ sudo chmod 755 /etc/init.d/sentinel


Now you can start redis and sentinel processes in all three VMs by executing the following commands:

$ sudo /etc/init.d/redis start

(Alternatively: sudo redis-server /etc/redis/redis.conf &)

$ sudo /etc/init.d/sentinel start

(Alternatively: sudo redis-server /etc/redis/sentinel.conf --sentinel &)

To confirm the processes are running, you can execute the following check:

$ ps -ef | grep redis

 

General configuration information:

  • Redis Port : 6379
  • Sentinel Port : 26379
  • Redis Config file : /etc/redis/redis.conf
  • Sentinel Config file : /etc/redis/sentinel.conf
  • Redis Log file : /var/log/redis.log
  • Sentinel Log file : /var/log/redis-sentinel.log
  • Data dir : /var/redis
  • Redis Executable : /usr/local/bin/redis-server
  • Sentinel Executable : /usr/local/bin/redis-sentinel
  • CLI Executable : /usr/local/bin/redis-cli
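The redis.conf and sentinel.conf files above set protected-mode no with no bind or requirepass directive, and the ufw rules open 6379 and 26379, so any client that can reach those ports is served without authentication. The audit script below is an added example, not part of the original guide or of ProcessRobot; the function names, file names, IP addresses and the password placeholder are assumptions made for illustration.

```shell
# Added example (not from the original guide): audit a redis.conf or
# sentinel.conf for unauthenticated network exposure.

# Print the value of the last occurrence of a directive (empty if absent).
conf_get() {  # $1 = file, $2 = directive name in lower case
    awk -v key="$2" '
        /^[ \t]*#/ { next }    # skip comment lines
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$1"
}

# Print one finding per line; print nothing when the file passes.
audit_redis_conf() {  # $1 = path to the config file
    pm=$(conf_get "$1" protected-mode)
    pw=$(conf_get "$1" requirepass)
    bind=$(conf_get "$1" bind)
    master=$(conf_get "$1" slaveof)
    [ -n "$master" ] || master=$(conf_get "$1" replicaof)
    mauth=$(conf_get "$1" masterauth)

    [ -n "$pw" ] || echo "NO_AUTH: requirepass is not set"
    [ -n "$bind" ] || echo "ALL_INTERFACES: no bind directive, listens on every address"
    if [ "$pm" = "no" ] && [ -z "$pw" ]; then
        echo "OPEN: protected-mode no and no password, any reachable client is served"
    fi
    if [ -n "$master" ] && [ -n "$pw" ] && [ -z "$mauth" ]; then
        echo "REPLICA_AUTH: requirepass is set but masterauth is missing"
    fi
    return 0
}

# Constructed samples: the guide's replica redis.conf with made-up values in
# place of its placeholders, and a hardened variant (assumed addresses).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.conf" <<'EOF'
protected-mode no
daemonize yes
port 6379
dir /var/redis
slaveof 10.0.0.11 6379
logfile "/var/log/redis.log"
EOF
cat > "$tmp/hardened.conf" <<'EOF'
bind 127.0.0.1 10.0.0.12
protected-mode yes
requirepass <long_random_password>
masterauth <long_random_password>
daemonize yes
port 6379
dir /var/redis
slaveof 10.0.0.11 6379
logfile "/var/log/redis.log"
EOF

echo "== weak.conf";     audit_redis_conf "$tmp/weak.conf"
echo "== hardened.conf"; audit_redis_conf "$tmp/hardened.conf"
```

The same function can be pointed at /etc/redis/redis.conf and /etc/redis/sentinel.conf on each VM. Once requirepass is set on the Redis nodes, each sentinel.conf also needs a matching sentinel auth-pass <your_master_redis_node_name> <password> line so that Sentinel can still reach the master.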

8. ProcessRobot Server application installation

Install ProcessRobot Server, with all required ProcessRobot Components and ProcessRobot Web Console. Fill in the following connection string, customizing it accordingly:

Connection string: Password=@Password123; Persist Security Info=True; User ID=ProcessRobot; Initial Catalog=ProcessRobotDB; Data Source=TST-ERIC-SQL-1;
IP: <computer_name>
Port: 6090

Install the Softomotive Chrome extension and any personal license file.

Redis configuration settings (prefer IPs instead of DNS names):
Addresses: 10.0.0.12:26379;10.0.0.11:26379;10.0.0.13:26379
Master Name: mymaster
Password: -

9. Server Self-signed Certificate (optional)

In Active Directory VM, launch IIS Manager.

Go to Server Certificates -> Right-click -> Create Self-Signed Certificate -> Name with <hostname> (Personal) -> Right-click on it -> Export

Go to Microsoft Management Console (mmc.exe) -> File -> Add/Remove Snap-ins -> Certificates (Add) -> Computer Account -> Local Computer

In Main Menu -> Certificates -> Personal -> Certificates -> <hostname> certificate -> Details -> Issuer -> Copy this name into ProcessRobot Server Certificate Name field (Certificate Validation Mode: None)

After ProcessRobot installation completion in the corresponding VMs, change the below lines in C:\Program Files\ProcessRobot\Server and C:\Program Files\ProcessRobot\Client config files and restart ProcessRobot Server service (all actions as Administrator):

AppSettings.config

<add key="SupportMixedAuthentication" value ="true"/>

<add key="CertificateFindValue" value ="<your_first_pr_server_dns>.<your_domain_name>"/>

AppServerAddress.config:

<serverAddress><add key="ServerIPAndPort" value="<your_first_pr_server_dns>.<your_domain_name>:6090;<your_first_pr_server_dns>.<your_domain_name>:6090"/></serverAddress>

AppRedisSettings.config:

<RedisConfiguration NodeAddresses="" SentinelAddresses="<your_first_redis_node_ip>:26379;<your_second_redis_node_ip>:26379;<your_third_redis_node_ip>:26379" MasterName="<your_master_redis_node_name>" Password=""></RedisConfiguration>


Launch Control Desk and choose Windows Authentication. In Settings -> Users, create a new user of the "ProcessRobot" type and give them the "Administrator" role; assign the required Robots, log out and log back in with new user via ProcessRobot Authentication.

Copy the exported .pfx file to the second ProcessRobot Server VM and import it in the IIS Manager. Then restart the ProcessRobot Server service and log in to Control Desk with the new user using ProcessRobot Authentication.

10. Elasticsearch VMs

Create three new Ubuntu Server 18.04 LTS instances, that will be used to host the Elasticsearch cluster.

Example VM properties:

  • OS: Ubuntu Server 18.04 LTS
  • Size: Standard D2s v3
  • Networking: HTTP, HTTPS, SSH allowed
  • NIC: Advanced (same security group for all VMs)

Create a new admin user in each instance, then install Java and Elasticsearch from the Elastic APT repository:

$ sudo apt -y install default-jre apt-transport-https

$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

$ echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

$ sudo apt update && sudo apt -y install elasticsearch

$ sudo systemctl enable elasticsearch.service


Edit elasticsearch.yml with the following contents (and repeat for each additional VM):

sudo vi /etc/elasticsearch/elasticsearch.yml

cluster.name: tst-cluster ## cluster name should be the same in all VMs
node.name: es-node-1 ## each VM should have different node.name
node.master: true
node.data: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: <first_vm_internal_ip_address>
transport.host: <first_vm_internal_ip_address>
http.port: 9200
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: ["<first_vm_internal_ip_address>", "<second_vm_internal_ip_address>","<third_vm_internal_ip_address>"]
discovery.zen.minimum_master_nodes: 2
cluster.initial_master_nodes: ["es-node-1", "es-node-2", "es-node-3"]


Initiate Elasticsearch process and install Kibana:

$ sudo service elasticsearch start

$ sudo apt -y install kibana

$ sudo systemctl enable kibana.service

  

Edit kibana.yml with the following contents (and repeat for each additional VM):

sudo vi /etc/kibana/kibana.yml

server.port: 5601
server.host: <first_vm_internal_ip_address>
server.name: "kibana-tst-node-1"
elasticsearch.hosts: ["http://<first_vm_internal_ip_address>:9200"]


Initiate Kibana process and open the required ports:

$ sudo service kibana start

$ sudo ufw allow 9200 && sudo ufw allow 9300 && sudo ufw allow 5601


Using a web browser, open http://<first_vm_internal_ip_address>:5601 to access the Kibana web app.

Follow the ElasticSearch ProcessRobot Configuration Guide to update the Log4Net.config file in order to accept Elasticsearch indexes prlog and prkpi, then create these two Index Patterns on Kibana.

Note: Edit the following lines

<connectionString value="Scheme=http;User=elastic;Pwd=changeme;Server=<first_vm_internal_ip_address>;Index=prlog;Port=9200;rolling=false"/>

<connectionString value="Scheme=http;User=elastic;Pwd=changeme;Server=<first_vm_internal_ip_address>;Index=prkpi;Port=9200;rolling=false"/>

<bufferSize value="0" />

 

11. Azure Load Balancer configuration

Go to Azure Portal -> Load Balancers -> Add.

Create a new Internal Standard SKU LB, which will link to its dedicated Backend pool (in this pool, the two ProcessRobot Server VMs will be added).

After creating the LB, go to both ProcessRobot Server VMs -> Networking -> Load balancing -> Add load balancing and assign the LB using the previously created Backend pool.

12. SoloBot / SideBot client installation

Create a Windows 10 VM (in AWS you can select Windows Server 2016 since W10 images are not available) and perform the standard network configuration changes (static IP, Windows Firewall, computer name change, add it to AD server domain).

Go to System Settings -> Remote settings -> (Remote tab) Select Users -> Add and add the SideBot/SoloBot user already configured in Domain Controller Active Directory.

After rebooting, log in as the SideBot/SoloBot user.

Install Google Chrome.

Install ProcessRobot with at least Process Studio, SideBot/SoloBot components included.

Ensure the C:\Program Files\ProcessRobot\Clients\AppServerAddress.config file contains the IP instead of the hostname in the "ServerIPAndPort" value, while AppCertificateName.config and AppSettings.config should contain the Domain Controller certificate name (Manage Computer Certificates -> Personal -> Certificates -> Issued By).