Me
Application Infrastructure Azure

MeshCentral on Ubuntu 24.04 on Azure User Guide

| Product: MeshCentral on Ubuntu 24.04 LTS on Azure

Overview

MeshCentral is an open source, self hosted remote monitoring and management platform. Install the lightweight MeshCentral agent on your Windows, Linux and macOS devices and then remote control the desktop, transfer files, open a remote terminal, and monitor and patch those devices from a single web console, all from your own server with no third party cloud in the middle. The cloudimg image installs Node.js LTS, npm installs MeshCentral 1.2.1 natively, and runs it as a dedicated system service bound to the loopback connector 127.0.0.1:4430. Because MeshCentral is HTTPS native (its console and agent tunnels use secure WebSockets), nginx terminates TLS on port 443 with a per-VM self signed certificate and reverse proxies to MeshCentral, while port 80 serves an unauthenticated health endpoint and redirects everything else to HTTPS. MeshCentral uses its built in NeDB database (no external MongoDB required), and its database, configuration and certificates live on a dedicated Azure data disk. A unique site admin password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.

What is included:

  • MeshCentral 1.2.1 installed natively on Node.js 22 LTS and run as the meshcentral system service
  • The embedded NeDB database (no external MongoDB required)
  • nginx terminating TLS on :443 (per-VM self signed certificate) and reverse proxying to MeshCentral on 127.0.0.1:4430 with the WebSocket upgrade
  • Port 80 serving an unauthenticated /healthz endpoint and redirecting all other traffic to HTTPS
  • Self signup disabled and a unique site admin password generated on first boot, recorded in a root only file (username admin)
  • A dedicated Azure data disk at /var/lib/meshcentral holding the NeDB database, config.json and TLS certificates
  • meshcentral.service + nginx.service as systemd units, enabled and active
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a reasonable starting point for a small fleet; size up for more managed devices and concurrent remote sessions. NSG inbound: allow 22/tcp from your management network, and 80/tcp + 443/tcp for the console and agent connections. The appliance ships a self signed certificate, so for production put your own domain and a trusted certificate (for example Let's Encrypt) in front of it (see Maintenance).

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for MeshCentral by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22), HTTP (80) and HTTPS (443). Review the dedicated data disk on the Disks tab, then Review + create -> Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name meshcentral \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name meshcentral --port 80 --priority 1010
az vm open-port --resource-group <your-rg> --name meshcentral --port 443 --priority 1020

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

systemctl is-active meshcentral.service nginx.service

Both report active. MeshCentral runs as a Node.js service bound to the loopback connector 127.0.0.1:4430, and nginx fronts it: TLS on port 443 with the WebSocket upgrade the console requires, plus a port 80 health endpoint and HTTPS redirect. MeshCentral's database and certificates live on the dedicated Azure data disk mounted at /var/lib/meshcentral.

meshcentral.service and nginx.service active, the MeshCentral and Node versions, and the loopback 4430, 443 and 80 listeners

Step 5 - Retrieve your admin password

The MeshCentral site admin password is generated uniquely on the first boot of your VM and written to a root only file:

sudo cat /root/meshcentral-credentials.txt

This file contains MESHCENTRAL_USERNAME (always admin), MESHCENTRAL_PASSWORD and the URL to open. Store the password somewhere safe. The file is mode 0600 and owned by root, so only an administrator can read it.

The MeshCentral configuration bound to the loopback port with self signup disabled, the NeDB database and certificates on the dedicated data disk, and the root only 0600 credentials file

Step 6 - Confirm the health endpoints

nginx serves an unauthenticated health endpoint for load balancers and probes:

curl -s http://localhost/healthz
curl -sk https://localhost/healthz

Both return ok. Port 80 returns HTTP 301 and redirects to HTTPS; the console at https://<vm>/ returns HTTP 200. The /healthz endpoint never requires authentication, so it is safe for an Azure Load Balancer health probe.

The nginx health endpoints returning ok on both port 80 and 443, port 80 redirecting to HTTPS with 301, and the MeshCentral console returning HTTP 200 over TLS

Step 7 - Verify authentication from the command line

MeshCentral's login is a form post over the TLS edge that establishes a session cookie. The check below authenticates with the correct per-VM password and reaches the console, while a wrong password stays on the login page. Because the command embeds your unique password, run it interactively rather than from a script - substitute the value of MESHCENTRAL_PASSWORD from Step 5 for <MESHCENTRAL_PASSWORD>:

login() { j=$(mktemp); bf=$(mktemp); \
  curl -sk -o /dev/null -c "$j" -b "$j" --data-urlencode action=login \
    --data-urlencode username=admin --data-urlencode "password=$1" https://127.0.0.1/; \
  curl -sk -b "$j" -o "$bf" https://127.0.0.1/; \
  grep -qi logout "$bf" && echo "authenticated (reached console)" || echo "rejected"; \
  rm -f "$j" "$bf"; }
login '<MESHCENTRAL_PASSWORD>'

The correct per-VM password prints authenticated (reached console); a wrong password prints rejected. Loopback checks like this are excluded from MeshCentral's brute force throttle so your health checks never lock the account; connections from real client IP addresses keep full brute force protection.

The admin authentication round trip: the correct per-VM password reaches the authenticated console and a wrong password is rejected on the login page

Step 8 - Sign in to the console

Browse to https://<vm-public-ip>/. The appliance uses a self signed certificate, so accept the browser warning (or, for production, put your own domain and certificate in front - see Maintenance). MeshCentral shows a sign-in page; enter the username admin and the password from Step 5.

The MeshCentral sign-in page in the browser

Step 9 - The device console

After signing in you land on the My Devices console. This is where every device you enrol appears, grouped into device groups. From here you can remote control the desktop, open a remote terminal, transfer files and see live status for each managed machine.

The MeshCentral My Devices console after signing in as the site administrator

Step 10 - Add a device

Create a device group, then click Add Agent to get the installer for your platform. MeshCentral generates a small agent for Windows, Linux, macOS and more; run it on a device and that machine appears in the console within seconds, ready for remote control.

The MeshCentral add device group and agent installation panel listing the Windows, Linux and macOS agents

Step 11 - Manage your account

Open My Account from the menu to change your password, enable two-factor authentication and manage account settings. As the site administrator you can also open My Server to see server status and manage users.

The MeshCentral My Account page showing account settings and security options for the site administrator

Step 12 - Confirm data lives on the dedicated disk

MeshCentral's data - the NeDB database (users, device groups, enrolled devices, event and stats history), config.json and the generated TLS certificates - is stored under /var/lib/meshcentral on the dedicated Azure data disk, so it survives OS changes and can be resized independently:

findmnt /var/lib/meshcentral

The mount is backed by a separate Azure data disk captured into the image and re-provisioned on every VM.

Maintenance

  • Password: the site admin password is set on first boot. To change it, sign in and use My Account, or manage users from the My Server area.
  • TLS and your own domain: the appliance ships a per-VM self signed certificate on port 443. For production, point a DNS name at the VM and install a trusted certificate (for example with certbot / Let's Encrypt), then set that name as the cert value in /var/lib/meshcentral/config.json and restart meshcentral.service so agents are issued the correct server address.
  • Agents: install the MeshCentral agent on each device you want to manage from Add Agent in a device group; agents connect back to the server over port 443.
  • Upgrades: MeshCentral is installed under /opt/meshcentral; to upgrade, npm install meshcentral@<version> in that directory and restart meshcentral.service. Your data under /var/lib/meshcentral is preserved.
  • Storage: all MeshCentral state lives under /var/lib/meshcentral on the data disk; back up that volume to protect your users, device groups and history.
  • Self signup: the image disables new account self signup, so only the site admin account exists until you add more users from My Server.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.