This document was created to help you get familiar with itopia + Google environment integration and configuration. it also contains some tips and few basic dos and don’ts for your deployment management. 

Detailed information about each topic is available in the below sections and links.

itopia Status Page

A portal that provides live information about itopia’s availability as well as details on uptime and past incidents. We want to communicate with clarity and transparency so you’re never left in the dark if things aren’t working as expected. 

Whenever there's an issue with our software or related services, we will let you know in the Statuspage. If you subscribe you'll receive live notifications about service outages, updates and scheduled maintenance via email or sms.

Networking

Google creates a default network per zone. Each one has a subnet size /20. These subnets cannot be modified. Changes in networking are not recommended. If any changes need to be done on the default network settings, it’s out of the scope of itopia CAS support.

Single servers should not be removed from the domain for correct functionality of the environment.

Firewall Rules

Firewall rules created at the deployment are the way for our software to communicate with your servers. We’ve already sourced the rules so only itopia management services can access the servers using those tags.

They shouldn’t be modified or deleted because such changes can break the integration with itopia. 

The main tags: cas-access, allow-access

You can open ports from itopia - Servers module, other changes can be done from Google Cloud Console. We recommend confirming with itopia support team before making such changes.

GPO’s

Itopia preloads certain set of policies for user management and security. The policies are created at the deployment. Every deployment includes Microsoft Office 2013 and 2016 ADMX templates which allow you to create your own set of group policies for Office management.

It’s not recommended to make any changes to the itopia preloaded policies but if absolutely necessary, inform itopia support team through the in-app chat to confirm the consequences of such changes.

OU Structure

Itopia creates the domain with standard OU structure for companies. It’s not recommended to move users or admins from the default OU because the itopia software will not be able to find those users in a different location.

Pagefile Management

 In some cases the page file configuration can be set to just 1 GB. The best practice is to set the page file to be automatically managed by the operating system as described in the above guide.

Admin accounts

The system creates domain admin accounts for every deployment that you send to Google cloud through itopia. 

Itopia creates an “itoadmin” domain admin service account for the itopia systems to be able to execute actions in your deployment's domain. The account shouldn’t be disabled, renamed or reset in Active Directory because the integration with itopia CAS will break.

IP Quotas

Google sets certain limits to the usage of IPs and other resources. It’s their way of protecting themselves against fraudulent accounts. Quotas on your account depend on your account usage history and the data center zone. Quotas should be monitored regularly since they can affect your deployments in itopia and the correct scaling functionality. In other words, if your quota is low, you will not be able to deploy new servers or increase server resources. Quotas can be increased anytime from Google Cloud Console. To check and increase your quotas, go to IAM & ADMIN from the main menu and select “Quotas”.

Autoscaling

Autoscaling is the system’s ability to automatically increase or decrease your server count or server resources. By default, the autoscale is enabled on all deployments you manage from itopia and is based on end-user count. As you deploy more users or remove some, the system automatically adjusts the resources to the user count. If you are in the itopia Pro plan, you can adjust the system’s autoscaling criteria to your needs.
In all itopia plans, you have the ability to disable the autoscaling and manage the resources manually. If the resources or the machine type are changed manually and the autoscaling wasn't disabled, the system will change the resources back to match the autoscaling settings.

Instances/ Server management

The basic infrastructure servers (domain controller, user session server/ file server) are created during the provision. You can add other servers like App servers or SQL servers using itopia - Servers module. If you create new instances directly in Google, they will not integrate with itopia and you will not be able to manage them through the portal.

Google data centers

Google expands their data center network all over the world. There are 3 major ones in US: East 1 (South Carolina), East 4 (Virginia), Center (Iowa), West (Oregon). You can test the latency to any datacenter here.

Gateway deployment

You can provision RD Gateway before or after the environment deployment. SSL certificate is needed for the gateway and it should be requested for the hostname in following format: xxx.yourdomain.com where xxx is the 3 letter deployment code that is automatically assigned to the deployment.
There's also an option of requesting a Wildcard SSL, it's the most recommended option since it can cover unlimited host names (or subdomains) for 1 domain. You can even save some cost if you decide to purchase wildcard and then use your domain for all your deployments' RDP file configuration.

Server uptime

The uptime schedule is based on every deployment’s time zone. We recommend to schedule the Domain Controller (pdc server) to turn on a little sooner than the rest of the servers to give it enough time to start the services and avoid it not joining the domain. 5 min before the rest of the servers should be enough.

Backup Solution

Snapshots work great for the disaster recovery because they recover the entire virtual machine. It's recommended to also have a standard backup solution in place (e.g. VSS/ Windows backups) as an addition to Snapshots to be able to quickly recover files without reverting the disk back to an older snapshot or following a longer process of recovering a drive, attaching it to the server and removing it after the restore.

Snapshots can run anytime, however, for SQL servers it’s recommended to turn them off before running the snapshot in case there’s only one drive for the OS database and the logs. 

User creation, user profile configuration

User profile configuration is taking advantage of the User Profile Disk (UPD) technology in Windows Server remote desktop services. Each user is assigned a virtual hard disk which will hold their profiles, including their home folders.

When creating a user in itopia CAS, the system doesn’t allow using special characters such as ‘ or - in the username and in the first or the last name.

Logon Scripts

Each user gets created with a logon script, it shouldn’t be modified in any way. It manages mapped drives and application shortcuts. If they are changed, the update might fail later when changes are made to the user account.

Application management

Applications must be installed on the terminal servers manually with command “change user /install” and when finished with command “change user /execute”. Itopia helps you keep track of the installed applications through Tasks module and allows you to restrict them.

Folder permissions

The permissions can be managed through itopia. Anything that’s under C:\Customer data can be managed through itopia Folders module. Other drives and locations are not integrated with itopia management portal.

Best migration practice is to create the folder structure and security groups first and then assign all the permissions to the folders before moving the data. You will get faster performance when the folders are empty and after dropping the data in, they will just inherit the permissions of the parent folders.

VPN

After creating a VPN, you will get billed according to Google pricing, itopia doesn't charge for VPN.
When a VPN is created, there is certain amount of time where multiple steps are taken on Google end (e.g assigning the IP). It’s happening in the background. Give the system 5 - 10 min. to finish the changes before testing VPN.

Did this answer your question?