Azure Marketplace PowerSyncPro Server
If you are deploying your PowerSyncPro instance within Azure, you can have the prerequisites already installed via an Azure Marketplace server image.
The Marketplace server has the following features:
- PowerSyncPro 3.1.25161.2
- Windows Server 2022 (no hardening, out-of-the-box server)
- SQL 2022 Standard (default installation)
- SQL Management Studio 20
- IIS with URL rewrite and ARR.
The documentation, prerequisites, installation guide and configuration guides are your single source of truth to ensure the server meets your project requirements. For example, you will need to review the performance scaling of your server to meet the size of your project.
There is currently a single server image in the marketplace for PowerSyncPro. It can be used for all implementations: Migration Agent and Directory Synchronisation.
In the future there may be additional Marketplace offerings, but they will all have the same base image; this is for marketing purposes.
Find the images using this marketplace search URL (or type “PowerSyncPro” in Azure Marketplace):
https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=powersyncpro

The default ports have been configured within the PowerSyncPro installation process, and the Windows Server firewall has been opened for the following:
- 443: for the Migration Agent endpoint
- 5001: for gRPC for remote agent endpoints.
- 5000: for PowerSyncPro direct Kestrel access
You will need to update your NSG to account for your circumstances.
Review the documentation for information on what endpoints you require for your project. The article "How do I publish PowerSyncPro endpoints?" also provides more detail on the different circumstances. You do not need to follow the actions in that article, as the Update_PSP_Cert.exe process completes them; however, the article provides more context around configuration and security.
To complete the configuration of the server, you will need to provide your public endpoint SSL certificate (appropriate for your circumstances) in .pfx form.
- The c:\temp directory should open the first time you log into the server; if not, navigate to this directory.
- Copy your pfx certificate (which contains a private key) into the c:\temp directory (you can copy multiple, but only 1 will be requested through the process).
- Update_PSP_Cert.exe runs automatically at first logon; this will ask a set of questions to complete the configuration.
- When the process is complete, it will restart the server.
- Once restarted, log onto the server again and go to http://localhost:5000 to start configuring PowerSyncPro.
The Update_PSP_Cert.exe executable will perform the following actions:
- Copies your certificate to the local computer personal certificate store.
- Updates the URL rewrite rules to allow for your endpoint domain name, which also only allows /agent/* URLs.
- Updates IIS to bind your certificate to port 443.
- Adds your SSL domain name to the hosts file.
- Updates the PowerSyncPro appsettings.json to have your certificate for gRPC traffic, for remote agents.
This is what you are presented with when you log into the server for the first time after creating the marketplace image

As further guidance for the configuration of your server, you will need to consider the following:
- decide on your access methodology for remote controlling (RDP) your server, for example identifying your Network Security Group, or any other access methodology.
- decide on your PowerSyncPro directory configuration connecting to your Active Directory, for example, direct line of sight to a DC or using remote sync/proxy agents. (Synchronising across disconnected networks and high-security environments)
- if you need to join the server to a domain and use a service account (or gMSA) rather than the system account, then you will need to do this before configuring anything in PowerSyncPro, because at present any configuration will be encrypted with local system DPAPI. Therefore, update the “run-as” on the PowerSyncPro service with the appropriate AD account before configuring PowerSyncPro. You will also need to consider how the service account will access SQL and update SQL permissions to the PowerSyncProDb accordingly.
- harden the server to your security posture and requirements.
- the internet presentable external DNS entry for your chosen endpoint needs to be allocated the public IP of the server.
- for the Migration Agent endpoint, configure your endpoint access methodology, for example assign a public IP to the server and open up port 443 on the NSG.
- for remote agents, open up port 5001 on the NSG for the IP addresses or firewall for the remote agent servers.
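The NSG points above can be expressed as inbound rules with the Az PowerShell module. This is an added example, not part of the PowerSyncPro documentation; the resource group, NSG name, rule names, priorities and source addresses are placeholders to replace with your own, and it assumes the Az.Network module with an authenticated session.

```powershell
# Added example: NSG inbound rules for the PowerSyncPro Marketplace server.
# Requires the Az.Network module and an authenticated session (Connect-AzAccount).
# Every name, priority and address below is a placeholder (assumption).
$ResourceGroup  = 'rg-powersyncpro'                     # placeholder
$NsgName        = 'nsg-powersyncpro'                    # placeholder
$AdminSources   = @('203.0.113.10')                     # RDP admin source (documentation range)
$RemoteAgentIps = @('198.51.100.21', '198.51.100.22')   # remote agent servers (documentation range)

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName

# 443  : Migration Agent endpoint, published to the internet.
# 5001 : gRPC, limited to the remote agent servers only.
# 3389 : RDP, limited to the administration source addresses only.
# No rule is added for 5000 (direct Kestrel access); the NSG default rules keep applying to it.
$rules = @(
    @{ Name = 'Allow-MigrationAgent-443';    Priority = 200; Port = '443';  Source = @('Internet') },
    @{ Name = 'Allow-RemoteAgent-gRPC-5001'; Priority = 210; Port = '5001'; Source = $RemoteAgentIps },
    @{ Name = 'Allow-Admin-RDP-3389';        Priority = 220; Port = '3389'; Source = $AdminSources }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if ($nsg.SecurityRules.Name -contains $r.Name) { continue }
    $params = @{
        NetworkSecurityGroup     = $nsg
        Name                     = $r.Name
        Access                   = 'Allow'
        Direction                = 'Inbound'
        Protocol                 = 'Tcp'
        Priority                 = $r.Priority
        SourceAddressPrefix      = $r.Source
        SourcePortRange          = '*'
        DestinationAddressPrefix = '*'
        DestinationPortRange     = $r.Port
    }
    Add-AzNetworkSecurityRuleConfig @params | Out-Null
}

# Push the updated rule set to Azure.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Review the resulting inbound rules in priority order.
(Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName).SecurityRules |
    Where-Object Direction -eq 'Inbound' |
    Sort-Object Priority |
    Format-Table Name, Priority, Access,
        @{ n = 'Source'; e = { $_.SourceAddressPrefix -join ',' } },
        @{ n = 'Port';   e = { $_.DestinationPortRange -join ',' } }
```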