Privilege Management Console Post-Deployment Steps

You need to perform the following steps after PMC has deployed successfully:

Resolve DNS Settings

You need to be able to resolve the DNS before you can log in to PMC. If you intend to use a public DNS that has not yet been created, you need to create manual entries in the host files of the machines that need to communicate, such as the cluster nodes (including where the portal is installed).

If you use a single, external load balancer, you need to add an entry in the host file that points to the IP of your internal load balancer and your DNS Name. If you use the external load balancer only, you need to add an entry to your host file that points to the IP of your load balancer.

You can find your internal load balancer IP address in Azure:

  1. Select Resource Groups and locate the one that you named for the PMC deployment. For example, PMC-rg-mycompany.
  2. Click the Type column to order the list by type and look for Load balancer. If you configured an internal load balancer as well as an external load balancer, two load balancers appear in the list.
  3. If you configured one external load balancer (default), only one load balancer appears in the list. Click that load balancer name to see the IP address.
  4. If you configured an internal load balancer as well as the external load balancer, click the load balancer name postfixed with internal to see the IP address.

In this example, an internal load balancer is configured, as well as the default external load balancer.

In this example, there is an internal load balancer configured, as well as the default external one.


  1. The Public IP address is shown on the bottom right of the Overview panel. To resolve your DNS Name, you can add an entry for this IP address with the DNS Name of your SSL certificate in the portal VM host file and, as well as to endpoints you want to be able to connect to PMC.

The portal VM and jump box VM are listed next to the load balancers in your resource group. They are of Type Virtual Machine and their names are portalVM and jumpBoxVM, respectively.

If you configure an internal load balancer, you also need to use a VPN or peered network to complete the setup.

For information on connecting to a virtual machine in Azure, please see How to connect and sign on to an Azure virtual machine running Windows.

Install the SSL Certificate

If you use an SSL certificate that is trusted by a global provider, you do not need to do any further steps. If the SSL certificate is not trusted by a global provider, before you can log in to PMC, you need to install the SSL root certificate into the trusted root store of the local machine of the node where PMC is installed:

  1. Copy the CER portion of the root certificate to the node where you installed PMC. By default, this is the first node.
  2. Double-click the certificate and select Install Certificate.
  3. Select Local Machine and click Next.
  4. Select Place all certificates in the following store and click Browse.
  5. Select the second option, Trusted Root Certification Authorities and click OK.
  6. Click Next and then Finish to complete the installation.

The rest of the required PMC certificate chain is generated for you by the PMC deployment script.

Turn off Jump Box

Once the deployment finishes and you confirm the deployment is successful, disable the jump box until you need access to it. The jump box is created by the deployment script.


Do not delete the jump box. Be sure to only disable it.

Turning off the jump box after the PMC installation finishes decreases the attack vector of the PMC network. You can turn the jump box on when required.

  1. Go to the Azure portal.
  2. Navigate to the resource group for this PMC installation.
  3. Click the jump box VM.
  4. Click Stop.
  5. The machine shuts down. To turn it back on, click Start.

Clean Deployment Machine

There are two steps that need to be completed on your deployment machine:

Deployment Folder Deletion

Before you delete your Deployment folder, copy the Certs folder to a secure location, as you need to keep these certificates.The Deployment folder contains certificates and other sensitive files. Delete this folder from the deployment machine. You can use the PowerShell command Remove-Item to purge the data from your deployment machine. This function does not use the Recycle Bin.

Certificate Removal

The certificates can be retrieved from your jump box or the Azure key vault.

During the PMC installation, certain certificates are created and installed on the deployment machine. These should be removed from your deployment box using these instructions:

  1. Open Microsoft Management Console (MMC).
  2. Click File, and then Add/Remove Snap-in.
  3. Select Certificates from the Available snap-ins section.
  4. Click Add >.
  5. Click Finish.
  6. Click OK.
  7. Expand Certificates.
  8. Delete the following certificates from your deployment machine by right-clicking and selecting Delete from the context menu:
    • iC3ClusterAdmin
    • iC3ConfigurationEncipherment
    • iC3RootCA
    • iC3TenantCA
    • iC3TenantServiceIdentity
    • iC3SSL
  9. Save and close the MMC.

Cluster Admin

A certificate called ClusterAdmin is also installed during the PMC deployment process. It is used when connecting to the Service Fabric instance within the PMC network. There is no security risk in keeping this certificate on your deployment machine. In addition, you need to install this certificate to view the health of your service fabric cluster.

Remove Public IP Address from Azure Firewall Exceptions

The PMC infrastructure setup script creates a firewall exception for your public IP during setup. Follow these steps to remove the exception:

  1. Go to the Azure portal.
  2. Navigate to the resource group for this PMC installation.

In the All types filters dropdown, check the box for SQL servers.

  1. In the All types filters dropdown, check the box for SQL servers. This action will display both the Reporting SQL server and the SQL server for the management and Blob databases.


  1. For each SQL server:
    • Select Firewalls & virtual networks from the Security sub-menu.
    • Find the IP address with the Rule Name field set to Allow Client IP to SQL.

    Click the ellipsis menu (...) and then click Delete.

    • Click the ellipsis menu (...) and then click Delete.