As announced a few hours ago at Ignite, Windows Server 2019 will be available this October. For me, though, the biggest takeaway is that Windows Admin Center has been updated to version 1809 to support Windows Server 2019 and Azure hybrid scenarios.
Ready for Windows Server 2019
Last week's article was about deploying Windows Admin Center on Windows Server 2016 (Core), but I didn’t mention the upgrade path or check whether WAC was already installed.
So I’ve changed the script to address those requirements, and it is ready to be reused for Windows Server 2019 (Core).
Microsoft’s Modern Lifecycle Policy
For customers currently using version 1804 of Windows Admin Center, upgrade to version 1809 is required within 30 days to remain supported under Microsoft’s Modern Lifecycle Policy.
Install-WAC.ps1 PowerShell script
The installation/upgrade process is straightforward: you only need to set your port number and, optionally, a certificate thumbprint. I also added a couple of checks that run once the installation has completed: that the service (ServerManagementGateway) is running and that the desired port (443 according to my settings) is open as expected. The script can also use a custom certificate instead of a self-signed one.
Read the previous article. If you want to treat your deployment as “stateless” and just use Windows Admin Center in Gateway mode, a self-signed certificate is an easier way of deploying it on your network; you can always use a reverse proxy later (IIS as a Reverse Proxy, NGINX as a Reverse Proxy or Apache as a Reverse Proxy).
```powershell
#requires -runasadministrator

# Paolo Frigo, https://www.scriptinglibrary.com
#
# WINDOWS ADMIN CENTER DOCs
# https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/deploy/install

# Download over HTTPS: the MSI is installed with administrator rights.
$WAC_Online = "https://aka.ms/WACDownload"
$WAC_Installer = "C:\windows\Temp\wac.msi"
$Port = 443

# Leave it blank if you want to generate a Self-Signed Certificate.
$CertificateThumbprint = ""

# Check whether Windows Admin Center is already installed
$IsAdminCenterInstalled = [bool] (Get-WmiObject -class win32_product | Where-Object {$_.Name -eq "Windows Admin Center"})

If ($IsAdminCenterInstalled){
    $ReInstall = Read-Host "Admin Center is already installed. Do you want to re-install/upgrade it? [Y/N]"
    If ( ("N","n") -contains $ReInstall){
        Write-Warning "Ok, No further action is required."
        Exit 0
    }
}

Invoke-WebRequest -Uri $WAC_Online -OutFile $WAC_Installer

# If CertificateThumbprint is defined and installed on the system, it will be used during the installation
if ([bool](get-childitem cert: -recurse | where-object {$_.thumbprint -eq $CertificateThumbprint})){
    msiexec /i $WAC_Installer /qn SME_PORT=$Port SME_THUMBPRINT=$CertificateThumbprint SSL_CERTIFICATE_OPTION=installed
}
else{
    msiexec /i $WAC_Installer /qn SME_PORT=$Port SSL_CERTIFICATE_OPTION=generate
}

# Post Installation Checks
# msiexec returns before the installation finishes, so poll until the gateway answers on the port.
do {
    if ((Get-Service ServerManagementGateway -ErrorAction SilentlyContinue).status -ne "Running"){
        Write-Output "Starting Windows Admin Center (ServerManagementGateway) Service"
        Start-Service ServerManagementGateway -ErrorAction SilentlyContinue
    }
    Start-sleep -Seconds 5
} until ((Test-NetConnection -ComputerName "localhost" -port $Port).TcpTestSucceeded)

Write-Output "Installation completed and Windows Admin Center is running as expected."
```
Using your SSL Certificate
If you want to use your own SSL certificate, you need to install it first and get its thumbprint with one of these methods:
```powershell
PS> Get-ChildItem Cert:\LocalMachine\My\
```

```
certutil -store my
```
Or by checking the details on the certificate file itself.
If you run into further issues, there is a useful troubleshooting page that I suggest you read: https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/use/troubleshooting
As usual, this script is available on my GitHub repository.
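Two pre-install checks that fit between the download and the msiexec call in the script above: verify the Authenticode signature of the downloaded MSI, and confirm that the thumbprint points at a usable certificate in LocalMachine\My. This is an added example, not part of the original Install-WAC.ps1; the function names are hypothetical, and the expected signer name "Microsoft Corporation" is an assumption.

```powershell
# Added example (not from Install-WAC.ps1). Function names are hypothetical.
$WAC_Installer = "C:\windows\Temp\wac.msi"   # same path the script downloads to
$CertificateThumbprint = ""                  # same variable as in the script

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid') {
        Write-Warning "Signature check failed for ${Path}: $($sig.Status) $($sig.StatusMessage)"
        return $false
    }
    # Assumption: the MSI is signed by a certificate whose CN is 'Microsoft Corporation'.
    $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    if ($signer -ne 'Microsoft Corporation') { Write-Warning "Unexpected signer: $signer"; return $false }
    return $true
}

function Test-GatewayCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Thumbprints copied from the certificate dialog can carry spaces or invisible characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 40) { Write-Warning 'Thumbprint is not 40 hex characters'; return $false }
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$clean" -ErrorAction SilentlyContinue
    if (-not $cert)               { Write-Warning "No certificate $clean in LocalMachine\My"; return $false }
    if (-not $cert.HasPrivateKey) { Write-Warning "Certificate $clean has no private key"; return $false }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning "Certificate $clean is outside its validity period"
        return $false
    }
    # An empty EKU list means "all purposes"; otherwise require Server Authentication.
    $eku = @($cert.EnhancedKeyUsageList | Where-Object { $_ } | ForEach-Object { $_.ObjectId })
    if ($eku.Count -gt 0 -and $eku -notcontains '1.3.6.1.5.5.7.3.1') {
        Write-Warning "Certificate $clean lacks the Server Authentication EKU"
        return $false
    }
    return $true
}

# Place after Invoke-WebRequest and before msiexec; both checks fail closed.
if (-not (Test-InstallerSignature -Path $WAC_Installer)) {
    throw "Refusing to install: $WAC_Installer is not validly signed by Microsoft."
}
if ($CertificateThumbprint -and -not (Test-GatewayCertificate -Thumbprint $CertificateThumbprint)) {
    throw "Refusing to install: thumbprint does not match a usable certificate."
}
```

With these checks in place, a thumbprint that is set but unusable stops the run instead of falling through to a generated self-signed certificate.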
Can you verify if WAC works behind NGINX reverse proxy? I am able to get login request but then fails 400. Using enterprise cert.
Hi Tj,
Thanks for your comment.
Is Nginx terminating SSL as well? If so, the first thing I would do is test it with a self-signed certificate; if between the reverse proxy and WAC there is a valid certificate (self-signed or provided by your local CA), it shouldn’t be a problem. Anyway, looking at the release cycle of WAC, you can re-generate the self-signed certificate every time you upgrade (at least every 3/4 months).
I have OPNsense running on a cloud instance with NGINX reverse proxy to VPN network to the Windows Admin Center host, which has a CA on the internal domain, and on the OPNsense I have a Let’s Encrypt cert that handles the external. I have several websites/services that are able to connect and use this setup, including Guacamole server using WebSocket. So not sure why/where the connection is failing after login prompt for Windows Admin Center is reached. WAC works fine internally and no cert error on domain joined machines.