Appendix C: Ivanti Policy Secure Resource Manager Template for an Existing Virtual Network
Ivanti Policy Secure provides sample Azure template files to deploy the Ivanti Policy Secure Virtual Appliance on Azure. Users can modify these files to suit their needs. Visit https://www.ivanti.com, download the pulsesecure-pps-3-nics.zip file, and unzip it to get azuredeploy.json.
This template creates a new Ivanti Policy Secure with 3 NICs, Vnet, three subnets, NSG policies attached to Ivanti Policy Secure internal, external and management nets. All 3 NICs of Ivanti Policy Secure are configured with dynamic IP configuration and enabled IP forwarding. Public IPs are attached to the Ivanti Policy Secure external and management NIC.
The template has the following sections:
- parameters: This section defines the parameters used for deploying Ivanti Policy Secure on Azure. It contains each parameter's name, its default value, and the mouse-over help text that is displayed when the mouse is placed over the parameter in the Azure Web portal. The parameters defined here are displayed in the Custom Deployment page of the Azure portal.
- variables: This section defines variables that will be used in the functions defined in the resources section.
- resources: This section defines resource types that are deployed or updated in a resource group.
- outputs: This section defines the public IP address and FQDN returned after successful deployment of Ivanti Policy Secure on Azure.
parameters
PPS Storage Account Name: This is the name of the Ivanti Policy Secure Storage Account where the Ivanti Policy Secure Azure vhd image is stored.
PPS Storage Account Resource Group Name: This is the name of the Ivanti Policy Secure Storage Account Resource Group where the Ivanti Policy Secure Azure vhd image is stored.
PPS Image Location URI: This is the URL to the location where the Ivanti Policy Secure Azure vhd image is stored.
PPS VM Name: This is the name given to Ivanti Policy Secure Virtual Appliance.
PPS Config: This section contains provisioning parameters that are required during the deployment of a Virtual Appliance. An XML-based configuration file can be present in another Virtual Machine in Azure cloud or in the corporate network which is accessible for Ivanti Policy Secure through site-to-site VPN between Azure and the corporate data center.
Ivanti Policy Secure accepts the following parameters as provisioning parameters:
- primary-dns
- secondary-dns
- wins-server
- dns-domain
- username
- ssh-publickey
- cert-common-name
- cert-random-text
- cert-organization
- config-download-url
- config-data
- auth-code-license
- enable-license-server
- accept-license-agreement
- enable-rest
For details about these parameters, see Ivanti Policy Secure Provisioning Parameters.
SSH Public Key: This is an RSA public key that is used to access Ivanti Policy Secure via SSH.
DNS Label Prefix Mgmt: This is the prefix for Management Interface DNS label.
Resource Group Name of Existing Virtual Network: Name of the Resource Group that contains the existing Virtual network.
Existing Virtual Network Name: Name of the existing Virtual network.
Existing Internal Subnet: Subnet from which Ivanti Policy Secure Internal Interface needs to lease IP.
Existing External Subnet: Subnet from which Ivanti Policy Secure External Interface needs to lease IP.
Existing Management Subnet: Subnet from which Ivanti Policy Secure Management Interface needs to lease IP.
variables
PPS Internal NIC: This is the network interface card of the Ivanti Policy Secure Internal network.
PPS External NIC: This is the network interface card of the Ivanti Policy Secure External network.
PPS Management NIC: This is the network interface card of the Ivanti Policy Secure Management network.
PPS Management Public IP: This is the public IP address assigned to the Ivanti Policy Secure Management Subnet.
Public IP Address Type: This variable is defined as static IP.
NSG Internal Subnet: This variable defines Network Security Group’s Internal Subnet policy.
NSG External Subnet: This variable defines Network Security Group’s External Subnet policy.
NSG Management Subnet: This variable defines Network Security Group’s Management Subnet policy.
VM Size: This variable defines Ivanti Policy Secure Virtual Machine size. It is 4 cores, 144MB memory.
Virtual Network ID: This variable defines Ivanti Policy Secure Virtual Network name.
API Version
resources
publicIPAddresses/publicIPAddr1: This block is responsible for creating a public IP address which is static in nature. This is used for the management interface IP address of Ivanti Policy Secure.
networkSecurityGroups/nsgExt: This block is responsible for creating a policy. The created policy is applied to the Network Security Group’s External interface.
The following security rules can be defined:
- allowHTTPS
- allowHTTP
- allowRADIUSAuth
- allowRADIUSAccounting
- allowRADIUSCoA
- allowSyslogUDP
- allowSyslogTCP
- allowSNMPTrap
- allowSRXConnection
- allowScreenOSConn
- allowDHCP
- allowTACACSPlus
- allowPostgresDataSync
networkSecurityGroups/nsgMgmt: This block is responsible for creating a policy. The created policy is applied to the Network Security Group’s Management interface.
The following security rules can be defined:
- allowHTTPS
- allowHTTP
- allowCustomSSH
- allowDMI
- denyAll
networkSecurityGroups/nsgInt: This block is responsible for creating a policy. The created policy is applied to the Network Security Group’s Internal interface.
The following security rules can be defined:
- allowHTTPS
- allowHTTP
- allowRADIUSAuth
- allowRADIUSAccounting
- allowRADIUSCoA
- allowSyslogUDP
- allowSyslogTCP
- allowSNMPTrap
- allowSRXConnection
- allowScreenOSConn
- allowDHCP
- allowTACACSPlus
- allowPostgresDataSync
- allowCustomSSH
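An added example, not part of Ivanti's template or documentation: a Python check to run over azuredeploy.json before deployment, flagging inbound Allow rules in any networkSecurityGroups resource that accept any source or that sit behind a deny-all rule with a lower priority number. The sample template is constructed; rule names are from the lists above, while priorities, ports and source prefixes are assumptions.

```python
import json

# Constructed sample (not Ivanti's shipped template): one NSG resource in ARM form.
# Rule names are from the page; priorities, ports and sources are assumptions.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [{
  "type": "Microsoft.Network/networkSecurityGroups",
  "name": "nsgMgmt",
  "properties": {"securityRules": [
    {"name": "allowHTTPS", "properties": {"direction": "Inbound", "access": "Allow",
      "priority": 100, "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "443"}},
    {"name": "allowCustomSSH", "properties": {"direction": "Inbound", "access": "Allow",
      "priority": 110, "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
    {"name": "denyAll", "properties": {"direction": "Inbound", "access": "Deny",
      "priority": 1000, "sourceAddressPrefix": "*", "destinationPortRange": "*"}},
    {"name": "allowDMI", "properties": {"direction": "Inbound", "access": "Allow",
      "priority": 1100, "sourceAddressPrefix": "10.0.0.0/24", "destinationPortRange": "830"}}
  ]}
}]}
""")

ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}

def sources(props):
    """Collect source prefixes from both the singular and plural ARM properties."""
    found = list(props.get("sourceAddressPrefixes", []))
    if props.get("sourceAddressPrefix"):
        found.append(props["sourceAddressPrefix"])
    return {s.lower() for s in found}

def audit_nsgs(template):
    """Return (nsg, rule, issue) tuples for risky inbound rules in each NSG."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/networkSecurityGroups":
            continue
        rules = res.get("properties", {}).get("securityRules", [])
        inbound = [r for r in rules if r["properties"].get("direction") == "Inbound"]
        deny_all_seen = False
        # Azure evaluates rules in ascending priority; the first match wins.
        for rule in sorted(inbound, key=lambda r: r["properties"]["priority"]):
            p = rule["properties"]
            open_src = bool(sources(p) & ANY_SOURCE)
            if p["access"] == "Deny" and open_src and p.get("destinationPortRange") == "*":
                deny_all_seen = True
            elif p["access"] == "Allow" and deny_all_seen:
                findings.append((res["name"], rule["name"], "shadowed by deny-all"))
            elif p["access"] == "Allow" and open_src:
                findings.append((res["name"], rule["name"], "open to any source"))
    return findings
```

To audit a real file, pass `json.load(open("azuredeploy.json"))` to `audit_nsgs`; priorities or prefixes written as template expressions need resolving first.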
networkInterfaces/ppsExtNic: This block is responsible for creating a network interface. The created network interface is applied to the network interface card of the Ivanti Policy Secure External interface. The creation of this network interface depends on:
- Ivanti Policy Secure Virtual Network name
- Public IP address of External Subnet
networkInterfaces/ppsMgmtNic: This block is responsible for creating a network interface. The created network interface is applied to the network interface card of the Ivanti Policy Secure Management interface. The creation of this network interface depends on:
- Ivanti Policy Secure Virtual Network name
- Public IP address of Management Subnet
networkInterfaces/ppsIntNic: This block is responsible for creating a network interface. The created network interface is applied to the network interface card of the Ivanti Policy Secure Internal interface. The creation of this network interface depends on:
- Ivanti Policy Secure Virtual Network name
virtualMachines/PPSVmName: This block is responsible for creating the Virtual Machine name. The created Virtual Machine name is applied to the Ivanti Policy Secure Virtual Machine. The creation of the Ivanti Policy Secure Virtual Machine name depends on:
- Network Interface Card of Ivanti Policy Secure Internal interface
- Network Interface Card of Ivanti Policy Secure External interface
- Network Interface Card of Ivanti Policy Secure Management interface
outputs
The outputs section defines the public IP address and FQDN that is displayed on successful deployment of Ivanti Policy Secure on Azure.