MeshCentral on Ubuntu 24.04 on Azure User Guide
Overview
MeshCentral is an open source, self hosted remote monitoring and management platform. Install the lightweight MeshCentral agent on your Windows, Linux and macOS devices and then remote control the desktop, transfer files, open a remote terminal, and monitor and patch those devices from a single web console, all from your own server with no third party cloud in the middle. The cloudimg image installs Node.js LTS, npm installs MeshCentral 1.2.1 natively, and runs it as a dedicated system service bound to the loopback connector 127.0.0.1:4430. Because MeshCentral is HTTPS native (its console and agent tunnels use secure WebSockets), nginx terminates TLS on port 443 with a per-VM self signed certificate and reverse proxies to MeshCentral, while port 80 serves an unauthenticated health endpoint and redirects everything else to HTTPS. MeshCentral uses its built in NeDB database (no external MongoDB required), and its database, configuration and certificates live on a dedicated Azure data disk. A unique site admin password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.
What is included:
- MeshCentral 1.2.1 installed natively on Node.js 22 LTS and run as the
meshcentralsystem service - The embedded NeDB database (no external MongoDB required)
- nginx terminating TLS on
:443(per-VM self signed certificate) and reverse proxying to MeshCentral on127.0.0.1:4430with the WebSocket upgrade - Port 80 serving an unauthenticated
/healthzendpoint and redirecting all other traffic to HTTPS - Self signup disabled and a unique site admin password generated on first boot, recorded in a root only file (username
admin) - A dedicated Azure data disk at
/var/lib/meshcentralholding the NeDB database,config.jsonand TLS certificates meshcentral.service+nginx.serviceas systemd units, enabled and active- 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a reasonable starting point for a small fleet; size up for more managed devices and concurrent remote sessions. NSG inbound: allow 22/tcp from your management network, and 80/tcp + 443/tcp for the console and agent connections. The appliance ships a self signed certificate, so for production put your own domain and a trusted certificate (for example Let's Encrypt) in front of it (see Maintenance).
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for MeshCentral by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22), HTTP (80) and HTTPS (443). Review the dedicated data disk on the Disks tab, then Review + create -> Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name meshcentral \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
az vm open-port --resource-group <your-rg> --name meshcentral --port 80 --priority 1010
az vm open-port --resource-group <your-rg> --name meshcentral --port 443 --priority 1020
Step 3 - Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 - Confirm the services are running
systemctl is-active meshcentral.service nginx.service
Both report active. MeshCentral runs as a Node.js service bound to the loopback connector 127.0.0.1:4430, and nginx fronts it: TLS on port 443 with the WebSocket upgrade the console requires, plus a port 80 health endpoint and HTTPS redirect. MeshCentral's database and certificates live on the dedicated Azure data disk mounted at /var/lib/meshcentral.

Step 5 - Retrieve your admin password
The MeshCentral site admin password is generated uniquely on the first boot of your VM and written to a root only file:
sudo cat /root/meshcentral-credentials.txt
This file contains MESHCENTRAL_USERNAME (always admin), MESHCENTRAL_PASSWORD and the URL to open. Store the password somewhere safe. The file is mode 0600 and owned by root, so only an administrator can read it.

Step 6 - Confirm the health endpoints
nginx serves an unauthenticated health endpoint for load balancers and probes:
curl -s http://localhost/healthz
curl -sk https://localhost/healthz
Both return ok. Port 80 returns HTTP 301 and redirects to HTTPS; the console at https://<vm>/ returns HTTP 200. The /healthz endpoint never requires authentication, so it is safe for an Azure Load Balancer health probe.

Step 7 - Verify authentication from the command line
MeshCentral's login is a form post over the TLS edge that establishes a session cookie. The check below authenticates with the correct per-VM password and reaches the console, while a wrong password stays on the login page. Because the command embeds your unique password, run it interactively rather than from a script - substitute the value of MESHCENTRAL_PASSWORD from Step 5 for <MESHCENTRAL_PASSWORD>:
login() { j=$(mktemp); bf=$(mktemp); \
curl -sk -o /dev/null -c "$j" -b "$j" --data-urlencode action=login \
--data-urlencode username=admin --data-urlencode "password=$1" https://127.0.0.1/; \
curl -sk -b "$j" -o "$bf" https://127.0.0.1/; \
grep -qi logout "$bf" && echo "authenticated (reached console)" || echo "rejected"; \
rm -f "$j" "$bf"; }
login '<MESHCENTRAL_PASSWORD>'
The correct per-VM password prints authenticated (reached console); a wrong password prints rejected. Loopback checks like this are excluded from MeshCentral's brute force throttle so your health checks never lock the account; connections from real client IP addresses keep full brute force protection.

Step 8 - Sign in to the console
Browse to https://<vm-public-ip>/. The appliance uses a self signed certificate, so accept the browser warning (or, for production, put your own domain and certificate in front - see Maintenance). MeshCentral shows a sign-in page; enter the username admin and the password from Step 5.

Step 9 - The device console
After signing in you land on the My Devices console. This is where every device you enrol appears, grouped into device groups. From here you can remote control the desktop, open a remote terminal, transfer files and see live status for each managed machine.

Step 10 - Add a device
Create a device group, then click Add Agent to get the installer for your platform. MeshCentral generates a small agent for Windows, Linux, macOS and more; run it on a device and that machine appears in the console within seconds, ready for remote control.

Step 11 - Manage your account
Open My Account from the menu to change your password, enable two-factor authentication and manage account settings. As the site administrator you can also open My Server to see server status and manage users.

Step 12 - Confirm data lives on the dedicated disk
MeshCentral's data - the NeDB database (users, device groups, enrolled devices, event and stats history), config.json and the generated TLS certificates - is stored under /var/lib/meshcentral on the dedicated Azure data disk, so it survives OS changes and can be resized independently:
findmnt /var/lib/meshcentral
The mount is backed by a separate Azure data disk captured into the image and re-provisioned on every VM.
Maintenance
- Password: the site admin password is set on first boot. To change it, sign in and use My Account, or manage users from the My Server area.
- TLS and your own domain: the appliance ships a per-VM self signed certificate on port 443. For production, point a DNS name at the VM and install a trusted certificate (for example with certbot / Let's Encrypt), then set that name as the
certvalue in/var/lib/meshcentral/config.jsonand restartmeshcentral.serviceso agents are issued the correct server address. - Agents: install the MeshCentral agent on each device you want to manage from Add Agent in a device group; agents connect back to the server over port 443.
- Upgrades: MeshCentral is installed under
/opt/meshcentral; to upgrade,npm install meshcentral@<version>in that directory and restartmeshcentral.service. Your data under/var/lib/meshcentralis preserved. - Storage: all MeshCentral state lives under
/var/lib/meshcentralon the data disk; back up that volume to protect your users, device groups and history. - Self signup: the image disables new account self signup, so only the site admin account exists until you add more users from My Server.
- Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.
Support
cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.