Developer’s Guide to Azure RemoteApp Hybrid Collection Deployment

I. ABSTRACT 2
II. AZURE REMOTEAPP 2
1. What is Azure RemoteApp? 2
2. How It Works Behind the Scene 3
3. Advantages of Azure RemoteApp 3
4. Cloud Collection vs. Hybrid Collection 3
III. INTEGRATING AZURE REMOTEAPP WITH EXISTING, ON-PREMISES AD, DNS AND NETWORK FOR HYBRID DEPLOYMENT 4
1. Problem Definition 4
2. Infrastructure Preparation 4
2.1 Site-to-Site VPN to Make Azure RemoteApp Available in Azure Resource Manager 4
2.2 Deploy Active Directory (replicated AD) in the Cloud 6
3. Implementation 7
3.1 Application Package: Migrating Java App to RemoteApp 7
3.2 Domain Integration: A Hybrid Identity Management System of Azure AD Connect 8
3.3 Azure RemoteApp Hybrid Deployment 10
IV. SUMMARY 10
V. ABOUT THE AUTHOR 11

www.fpt-software.com 1

I. ABSTRACT

Azure RemoteApp is Microsoft’s sure-fire solution to providing secure, remote access to Azure-based applications from different user devices. I introduced Azure RemoteApp to my customers as soon as it was released. Its technical and business capabilities have captured the interest of many businesses. Customers can save a significant amount of time, effort, and money by easily allowing a Bring Your Own Device (BYOD) model amongst their employees and vendors.

The product, however, is not entirely without technical drawbacks. Certain doubts about the product need to be addressed in order for it to reach the highest level of efficiency. For instance: “How do we standardize, simplify and automate application deployment?”, “How can we optimize the upgrading and patching process with minimum downtime?”, “Can user management be easier and more effective?”.

Azure RemoteApp comes in two collection types: a cloud collection for applications which do not require a connection to any resources on the company’s network, and a hybrid collection for applications that are hosted and store data in the Azure cloud but also need access to data and resources stored on the local network. With some of my customers choosing the hybrid collection for complete control over their applications, I decided to carry out a few PoCs of my own, hoping to answer the question of how to integrate Azure RemoteApp with an existing, on-premises network and domain, and how to package an application for hybrid deployment. That topic is the scope of this paper.

II. AZURE REMOTEAPP

1. WHAT IS AZURE REMOTEAPP?

According to Microsoft, Azure RemoteApp is a solution that brings the functionality of the on-premises Microsoft RemoteApp program, backed by Remote Desktop Services, to Azure. It helps provide secure, remote access to applications from many different user devices. Azure RemoteApp is part of the Microsoft Virtual Desktop Infrastructure. It uses RDP, a WAN-ready protocol that is resilient to network latency and loss.

Azure RemoteApp enables users to share apps and resources on almost any device. While the applications are actually running remotely on Windows Servers in the Azure cloud, they appear to users to be running locally on their client devices.

2. HOW IT WORKS BEHIND THE SCENE

Azure RemoteApp is built on the Windows Remote Desktop Session Host (RD Session Host), which allows users to host Windows-based programs and/or a full Windows desktop, making it appear as if they are running on the end user’s local computer. Users can connect to an RD Session Host server to run programs, save files, or use network resources while seeing and using only their individual sessions. The session execution occurs on the server and is managed by the server operating system.

Azure RemoteApp is deployed on Windows Server 2012 R2 Datacenter with 3 available template images:

Image | Description | Roles and Features
Windows Server 2012 R2 Datacenter | Based on the Microsoft Windows Server 2012 R2 Datacenter operating system | .NET Framework 4.5, 3.5.1, 3.5; Desktop Experience; Ink and Handwriting Services; Media Foundation; Remote Desktop Session Host; Windows PowerShell 4.0; Windows PowerShell ISE; WoW64 Support; Adobe Flash Player; Microsoft Silverlight; Microsoft System Center 2012 Endpoint Protection; Media Player
Microsoft Office 365 ProPlus | An extension of the Windows Server 2012 image | Access; Excel; Lync; OneNote; OneDrive for Business; Outlook; PowerPoint; Project; Visio; Word; Microsoft Office Proofing Tools
Microsoft Office 2013 Professional Plus | An extension of the Windows Server 2012 image | Access; Excel; Lync; OneNote; OneDrive for Business; Outlook; PowerPoint; Project; Visio; Word; Microsoft Office Proofing Tools

3. ADVANTAGES OF AZURE REMOTEAPP

- No complex on-premises infrastructure configuration, and minimized infrastructure cost (move CAPEX to OPEX);
- Easily scale up or down to meet the changing needs of your business;
- End users can access RemoteApp programs from any device (Windows, iOS, Mac OS X and Android devices) anywhere;
- Protect corporate resources and ensure compliance;

4. CLOUD COLLECTION VS. HYBRID COLLECTION

Azure RemoteApp provides flexible deployment options: you can either choose a cloud-based deployment (where you deploy a standalone cloud service), or select a hybrid deployment (where the service is integrated into your on-premises infrastructure).

 | Cloud Collection | Hybrid Collection
Hosting | Is hosted and stores all data for programs in the Azure cloud. | Is hosted and stores data in the Azure cloud and allows users to access data and resources stored in the local network.
Identity Management | Can use a Microsoft account or corporate credentials synchronized or federated with an Azure Active Directory account. | Can use corporate credentials synchronized or federated with an Azure Active Directory account.
Maintenance | Microsoft updates the applications and operating systems. The administrators only need to control the user access. | The administrators are in charge of maintaining the image and applications.
RDS Servers | No need to domain-join the RDS servers to Active Directory. | The administrator can domain-join the RDS servers.

III. INTEGRATING AZURE REMOTEAPP WITH EXISTING, ON-PREMISES AD, DNS AND NETWORK FOR HYBRID DEPLOYMENT

1. PROBLEM DEFINITION

In this paper, I would like to walk you through the detailed guideline to integrating Azure RemoteApp with an existing, on-premises network and domain, and to packaging an application for hybrid deployment. I will also address the following limitations regarding Azure RemoteApp hybrid collection installation:

- The JSON-driven Azure Resource Management (ARM) is the latest REST API for resource grouping, tagging and managing. While most of the recent VMs and role instances run on a VNet created in ARM, Azure RemoteApp can only support the classic ASM (Azure Service Management) API, which is an XML-driven REST API.
- Azure Active Directory is a centralized identity system that manages the accounts with access to Azure RemoteApp collections. If you want to use the same credentials with on-premises applications, Azure AD doesn’t support that by default.
- Since Azure RemoteApp collections are accessible from the Internet, integrating them with other application layers (such as the application layer or database layer) requires a direct connection between these layers and the Internet. However, this is a rather unsecured solution.
- Azure AD cannot handle the Windows authentication/authorization of applications.

2. INFRASTRUCTURE PREPARATION

2.1. SITE-TO-SITE VPN TO MAKE AZURE REMOTEAPP AVAILABLE IN AZURE RESOURCE MANAGER

Two different ways to manage Microsoft Azure cloud resources are the ARM and ASM REST APIs. Each interface has a separate UI Portal experience, REST API, PowerShell module, and “mode” of operation in the Azure Cross-Platform (xPlat) CLI Tool. Azure VNet – Site-to-Site VPN (between VNet and VNet) can help connect ARM to ASM VNets, get them working together, and make Azure RemoteApp available in ARM VNets.

The figure below shows the outcome of connecting an on-premise virtual network with a cloud-based network using Site-to-Site VPN. The same process can be applied when linking a classic VNet with an ARM VNet.

Connecting virtual networks is a great solution to cross-region geo-redundancy and geo-presence, setting up Regional multi-tier applications with strong isolation boundary, cross subscription, and inter-organization communications in Azure.

Configure VNet to VNet connection

Step 1 – Create corresponding local networks for VNets

Virtual Network | Virtual Network Site Definition | Local Network Site Definition | Local Network Site to Connect
nguyens-onpremise-vnet | nguyens-onpremise-vnet (10.0.0.0/26) | nguyens-onpremise-local (10.0.0.0/26) | nguyens-cloud-local
nguyens-cloud-vnet | nguyens-cloud-vnet (10.1.0.0/26) | nguyens-cloud-local (10.1.0.0/26) | nguyens-onpremise-local

Please note that you will need to define each virtual network twice: first, as an Azure virtual network, and second, as a local network site connected to the other virtual network. You must ensure the Address Space elements specified in both definitions are the same. Otherwise, communication between the two virtual networks will not work correctly.

Upon adding a new local network, you will need to specify your local network information with any VPN Device IP Address (we need to come back and update this information later), and define the address space for your local network (it must match the respective VNet configuration).

Step 2 – Configure connection gateway

Site-to-site VPN is enabled by selecting the Connect to local network option in the Configure tab of each VNet. You will then see the note “a gateway subnet is required”. This means you need to go back to the Dashboard tab and click on the Create Gateway button (in this case, I chose the Dynamic Routing option).

Azure takes a few minutes to finish deploying the gateway for each VNet. The gateway IP address will appear once the gateway is created. You need to update the configuration of each local network to make sure it matches its relevant gateway IP address.

Step 3 – Establish cross-premise tunnel

Azure PowerShell is required to establish the cross-premise tunnel between the two networks. To enable the site-to-site connection, you need to execute the Set-AzureVNetGatewayKey cmdlet. In my case, the following script was executed:

    Set-AzureVNetGatewayKey -VNetName nguyens-onpremise-vnet -LocalNetworkSiteName nguyens-cloud-local -SharedKey <>
    Set-AzureVNetGatewayKey -VNetName nguyens-cloud-vnet -LocalNetworkSiteName nguyens-onpremise-local -SharedKey <>

You can use any private key, but I suggest generating a private key using the VNet’s Manage Shared Key feature. And here is the result:

You can connect or disconnect the connection between the two VNets any time you want. You can also reuse the Active Directory/DNS Server like I did with my networks.
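The three steps above (gateway creation, writing each gateway's public IP into the opposite local network site, and setting one shared key on both ends) can be scripted end to end. The following is an added example and not the paper's own script: it uses the classic (ASM) Azure PowerShell module and the VNet and local-network-site names from the paper's table, and assumes Add-AzureAccount has been run and that the local network sites and gateway subnets from Steps 1 and 2 already exist. Property names such as State, VIPAddress and ConnectivityState, the network-configuration XML namespace and the VPNGatewayAddress element are as recalled for that module and should be confirmed against your own export. The shared key is the only authentication on the IPsec tunnel, so it is drawn from a CSPRNG here rather than typed, and dropped from the session afterwards.

```powershell
# Added example (not from the paper): VNet-to-VNet Site-to-Site VPN with the classic Azure module.
# Assumes: Azure (ASM) module loaded, Add-AzureAccount done, local network sites + gateway subnets exist.
$pairs = @(
    @{ VNet = 'nguyens-onpremise-vnet'; OwnSite = 'nguyens-onpremise-local'; RemoteSite = 'nguyens-cloud-local' }
    @{ VNet = 'nguyens-cloud-vnet';     OwnSite = 'nguyens-cloud-local';     RemoteSite = 'nguyens-onpremise-local' }
)

# Step 2 - a dynamic routing gateway in each VNet (VNet-to-VNet needs dynamic routing).
foreach ($p in $pairs) {
    if ((Get-AzureVNetGateway -VNetName $p.VNet).State -eq 'NotProvisioned') {
        New-AzureVNetGateway -VNetName $p.VNet -GatewayType DynamicRouting | Out-Null
    }
}

# Each gateway's public IP is the "VPN device address" of the local network site that
# represents that VNet on the other side. Patch it into the exported network configuration.
$cfgPath = Join-Path $env:TEMP 'netcfg.xml'
Get-AzureVNetConfig -ExportToFile $cfgPath | Out-Null
[xml]$cfg = Get-Content -Path $cfgPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($cfg.NameTable)
# Namespace / element names as recalled for the netcfg schema; verify against your export.
$ns.AddNamespace('n', 'http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration')
foreach ($p in $pairs) {
    $gwIp = (Get-AzureVNetGateway -VNetName $p.VNet).VIPAddress
    $site = $cfg.SelectSingleNode("//n:LocalNetworkSite[@name='$($p.OwnSite)']", $ns)
    if (-not $site) { throw "Local network site $($p.OwnSite) is not defined (see Step 1)." }
    $site.SelectSingleNode('n:VPNGatewayAddress', $ns).InnerText = $gwIp
}
$cfg.Save($cfgPath)
Set-AzureVNetConfig -ConfigurationPath $cfgPath | Out-Null

# Step 3 - one shared key, identical on both ends. Generated from a CSPRNG, never hard-coded.
$keyBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$sharedKey = [System.BitConverter]::ToString($keyBytes) -replace '-', ''
foreach ($p in $pairs) {
    Set-AzureVNetGatewayKey -VNetName $p.VNet -LocalNetworkSiteName $p.RemoteSite -SharedKey $sharedKey | Out-Null
}
Remove-Variable keyBytes, sharedKey   # do not leave the tunnel secret lying in the session

# Verify: each VNet should show its remote site as Connected once IKE negotiation completes.
foreach ($p in $pairs) {
    Get-AzureVNetConnection -VNetName $p.VNet |
        Select-Object @{ n = 'VNet'; e = { $p.VNet } }, LocalNetworkSiteName, ConnectivityState, LastEventMessage
}
```

Set-AzureVNetConfig replaces the whole subscription-wide network configuration, so always work from a fresh export as the script does; applying a stale file can silently drop local network sites or DNS entries belonging to other VNets.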

2.2. DEPLOY ACTIVE DIRECTORY (REPLICATED AD) IN THE CLOUD

Before installing Active Directory in the Azure VNet, you should make sure that a Domain Controller (DC) subnet has been created inside the VNet, and a new virtual machine created inside the DC subnet. Keep in mind that the VM’s size should be compatible with your organization’s needs. I opted for an A1 VM, which is in the Standard Tier.

Reserve a static IP address for the Domain Controller

The IP addresses assigned to both Cloud Services roles and Virtual Machines can be changed during the repair of cloud infrastructure. Thus, you need to reserve a static IP address for the Domain Controller by running the Set-AzureStaticVNetIP cmdlet:

    Get-AzureVM -ServiceName <> -Name <> | Set-AzureStaticVNetIP -IPAddress <> | Update-AzureVM

Install Active Directory
- Select Add Roles and Features from Server Manager.
- Select the Role-based or Feature-based installation type.
- Select the server from the server pool.
- Choose Active Directory Domain Services as the Server Role.
- Check the Restart the destination server automatically if required checkbox and start installing.

Promote the server to a domain controller
- After the VM is restarted, click the warning icon in Server Manager and start promoting your server to a domain controller.
- Select the option Add a new forest and fill in the root domain name.
- Make sure you choose Domain Name System (DNS) server and enter the Directory Services Restore Mode (DSRM) password in the Domain Controller Options step.
- Ignore the warning in the DNS Options step.
- The NetBIOS domain name will be populated automatically.
- Specify the location of the AD DS database, log files, and SYSVOL (as a best practice, attach a new disk to store all these items instead of using the default drive).
- Click on the Install button and wait a moment for all configuration to finish.

Reset the DNS Server for the Azure VNet
- In Server Manager select Tools > DNS to start resetting the DNS Server configuration.
- Open Properties of your DNS Server node.
- Remove the IP address that cannot be resolved and restart your Domain Controller server.

Configure the VNet to use the new DNS Server

You have almost finished the process of deploying the Domain Controller server within your VNet. To complete the last step, navigate to your VNet, select the Configure tab and add the server information into the DNS Server field.
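The static-IP reservation, the AD DS role install and forest promotion, and the DNS listener clean-up above can all be done from PowerShell. This is an added example, not the paper's script: part 1 runs where the classic (ASM) Azure module is loaded, parts 2 and 3 run inside the DC VM. The service and VM names are left as placeholders, and 10.1.0.4, the F: data disk and the domain sonnn2.com (the paper's custom domain from section 3.2) are assumptions for this PoC. The address is checked for availability before it is pinned, and the DSRM password is prompted rather than embedded, since it is the recovery credential for the whole directory.

```powershell
# Added example (not from the paper): DC build-out for the replicated AD in the cloud VNet.
# --- Part 1: where the Azure (ASM) module is loaded -- reserve the DC's VNet address ---
$serviceName = '<service-name>'          # placeholder: cloud service hosting the DC VM
$vmName      = '<vm-name>'               # placeholder: the DC VM
$vnetName    = 'nguyens-cloud-vnet'
$dcIp        = '10.1.0.4'                # assumed: an address inside the DC subnet

# Refuse to pin an address that is already in use; a clash would take the DC off the network.
$probe = Test-AzureStaticVNetIP -VNetName $vnetName -IPAddress $dcIp
if (-not $probe.IsAvailable) {
    throw "$dcIp is taken; free addresses: $($probe.AvailableAddresses -join ', ')"
}
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureStaticVNetIP -IPAddress $dcIp |
    Update-AzureVM

# --- Part 2: inside the VM as local Administrator -- role install and forest promotion ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# DSRM password is prompted, never hard-coded. NTDS/SYSVOL go on the attached data disk
# (F:) rather than the OS drive, as the paper recommends. Promotion reboots the server.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
Install-ADDSForest `
    -DomainName 'sonnn2.com' `
    -DomainNetbiosName 'SONNN2' `
    -InstallDns `
    -DatabasePath 'F:\NTDS' `
    -LogPath 'F:\NTDS' `
    -SysvolPath 'F:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# --- Part 3: inside the VM after the reboot -- DNS listener clean-up and a resolution check ---
# Listen only on the reserved address (the paper's "remove the address that cannot be resolved").
dnscmd.exe localhost /ResetListenAddresses $dcIp
Restart-Service -Name DNS

# The domain's locator records must resolve through the new DC before the VNet is pointed at it.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.sonnn2.com' -Type SRV -Server $dcIp
Get-ADDomainController -Discover -DomainName 'sonnn2.com' | Select-Object HostName, IPv4Address
```

The final step in the paper, adding the DC's address to the VNet's DNS Server field on the Configure tab, is left to the portal here; only do it after the SRV lookup above succeeds, otherwise every VM in the VNet inherits a resolver that cannot answer.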

3. IMPLEMENTATION

3.1. APPLICATION PACKAGE: MIGRATING JAVA APP TO REMOTEAPP

Azure RemoteApp supports streaming 32-bit or 64-bit Windows-based applications from a Windows Server 2012 R2 installation. Most existing 32-bit or 64-bit Windows-based applications run “as is” in the RemoteApp (Remote Desktop Services, formerly known as Terminal Services) environment. Windows-based applications refer to applications which are implemented with Microsoft’s technologies like the .NET Framework and SQL Server, or any applications that can run well in a Windows environment, such as Java applications.

“Can we run a Java application with RemoteApp?” To answer this question, I decided to build my own PoC instead of using a reference from someone else. Since my PoC could not cover all the cases and my scenario was rather simple, my answer is partially yes. In my PoC, I selected JMeter (http://jmeter.apache.org/), a Java application, and included some *.bat files (which help validate the environment configuration and the application’s dependencies). Here’s how I built my PoC:

1. Start creating a new template image for the RemoteApp service. You can either build the template on a local machine, or use an Azure Virtual Machine like I did. Microsoft provides a robust gallery that helps you quickly set up your working environment. In this case, I created my VM with the Windows Server Remote Desktop Session Host image.

2. Next, I installed Java and JMeter, then performed some testing to make sure the application ran properly. Microsoft provides a PowerShell script and the template to validate all prerequisites for Azure RemoteApp. You can find and run it easily by clicking the ValidateRemoteAppImage icon on the desktop.

3. Make sure that all errors reported by the script are fixed before running and capturing the image.

4. You can then navigate to RemoteApp and import an image from your Virtual Machines library. In my PoC, I named my template image java-remoteapp. Wait for the new template to be uploaded before creating a new RemoteApp collection based on your custom template.

5. The JMeter application was published using Path, and my runnable package was located in C:\Program Files\apache-jmeter-2.13\bin\jmeter.bat.

6. The provisioning and configuration of the new RemoteApp collection are completed. Now you can access and review the remote JMeter version. You can also save files in the RemoteApp storage and come back later to resume your work.

3.2. DOMAIN INTEGRATION: A HYBRID IDENTITY MANAGEMENT SYSTEM OF AZURE AD CONNECT

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud-based directory and identity management service, which controls authentication by giving employees and business partners single sign-on (SSO) access to SaaS applications, such as O365, SFDC, Dropbox, and so on. Though the service itself does not support using similar credentials for on-premises applications by default, it provides the capability to integrate with existing on-premises Active Directory to enable a hybrid identity management solution.

Tool and integration model

Azure AD Connect integrates an on-premises identity system like Windows Server Active Directory with Azure Active Directory, and connects users to Azure SaaS applications. Azure AD Connect has 3 essential features:
- Synchronization Services: Ensure the users’ and groups’ information in your on-premises environment matches that in the cloud.
- Active Directory Federation Services: Address complex deployments that include domain-join SSO, enforcement of AD sign-in policy, and smart card or 3rd party MFA.
- Health Monitoring: Provides robust monitoring through a central location in the Azure portal.

Azure AD Connect supports two models: Synchronized Identities and Federated Identities.
- Synchronized Identities: Synchronizing user accounts and optionally passwords from on-premises AD to Azure AD. This means a user will use the same password to access on-premises and Azure resources.
- Federated Identities: This model requires a synchronized identity, but the user’s password is verified by the on-premises identity provider. This means the password hash doesn’t have to be synchronized to Azure AD. This model can be applied to integration with Active Directory Federation Services (AD FS) or a third party identity provider.

3 Steps to enable integration

Step 1 – Add a custom domain

A custom domain is required for on-premises and Azure AD integration. You can add a domain in the dashboard of your selected Active Directory. Make sure your public domain is similar to your AD domain (in my case, it’s sonnn2.com). You will then need to verify the custom domain by adding a TXT record in your DNS settings. Next, verify and set your custom domain as the primary domain. In this case, I apply the synchronized identity model, so my domain is not planned for Single Sign-On.

Step 2 – Add a Global Admin account

Create a new global admin account in your domain to control the overall AD synchronization process.

Step 3 – Install AD Connect and configure synchronization

Download Azure Active Directory Connect from the Download Center, and install it on the proxy server (which can access the AD servers and the Internet).

Start the AD Connect configuration after your installation is complete. You can either choose Express settings (default settings), or Customized settings.
- Express settings: Recommended if you have a single forest AD. You can sign in with the same password using password synchronization.
- Customized settings: Used when you have multiple forests. Supports many on-premises topologies, and allows you to customize the sign-in option, such as AD FS for federation.

Whichever settings you opt for, make sure you use the relevant accounts to connect to Azure AD (Global Admin account) and AD DS (Enterprise Administrator account).

Now, your on-premises AD and Azure AD are connected.
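Steps 1 and 3 each have a checkable outcome: the TXT record must actually be visible in public DNS before the domain is confirmed, and the first sync cycle must have run before a synced user can be granted access to the collection. The following added example (not from the paper) performs those checks with the MSOnline module on an admin workstation and the ADSync module on the Azure AD Connect server; the user principal name is an assumption, the domain is the paper's sonnn2.com.

```powershell
# Added example (not from the paper): verify the custom domain, then run and inspect a sync cycle.
$domain = 'sonnn2.com'

# --- On an admin workstation with the MSOnline module (Connect-MsolService prompts for the
#     Global Admin account created in Step 2) ---
Connect-MsolService

# Step 1 - compare the TXT value Azure AD expects with what public DNS actually serves,
# and only then confirm the domain; confirming too early just fails and wastes time.
$expected  = Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord
$published = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings }
if ($published -contains $expected.Text) {
    Confirm-MsolDomain -DomainName $domain
    Get-MsolDomain -DomainName $domain | Select-Object Name, Status, Authentication
} else {
    Write-Warning "TXT record '$($expected.Text)' is not yet visible for $domain; wait for DNS propagation."
}

# --- On the Azure AD Connect server, after Step 3 ---
Import-Module ADSync

# The scheduler should be enabled and have a next run; if not, nothing will ever sync.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# Force a delta cycle now instead of waiting for the interval, then list the connectors
# (one for the on-premises forest, one for the Azure AD tenant) so a missing side is obvious.
Start-ADSyncSyncCycle -PolicyType Delta
Get-ADSyncConnector | Select-Object Name, Type

# --- Back on the workstation: a synced user carries a LastDirSyncTime; a cloud-only
#     account (or one filtered out of the sync scope) shows none. ---
Get-MsolUser -UserPrincipalName "someone@$domain" |      # assumed user for the check
    Select-Object UserPrincipalName, LastDirSyncTime, ImmutableId
```

A user without LastDirSyncTime after the delta cycle is the usual sign of an OU-filtering or UPN-suffix mismatch in the Connect configuration, and is worth fixing before moving on to the hybrid collection, which only accepts synced (OrgId) identities.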

3.3. AZURE REMOTEAPP HYBRID DEPLOYMENT

It is recommended to move the Azure RemoteApp collections into a subnet to reduce the exposure of the application layer to the Internet. Below is a simple way to configure a local domain.

- Create a new Organizational Unit (e.g. RemoteApp) in the Domain Controller, and a new RemoteApp Service Account under the new OU (e.g. [email protected]).
- Click on New –> App Services –> RemoteApp –> Create with VNet. Choose the Virtual Network and Subnet you want to deploy your app collection into. Make sure Join Local Domain is checked.

- In the new app collection dashboard, you can find a quick guide to finish the configuration.

- Once the local domain is configured, link the app collection with a template image by selecting a virtual machine image. The guideline for moving applications, specifically Java, to Azure RemoteApp was discussed earlier in this paper. The process can take a few hours to complete. Then you can publish and use the app with your on-premises local account.
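The OU and service account, the domain-joined collection inside the VNet, and the publishing of jmeter.bat from section 3.1 can be driven from PowerShell as well. This is an added example, not the paper's own script: part 1 runs on the domain controller with the ActiveDirectory module, part 2 where the classic Azure module with the Azure RemoteApp cmdlets is loaded. The account name remoteapp-svc (the paper's address is redacted), the OU name RemoteApp, the collection and subnet names and the 'Standard' plan are assumptions; the RemoteApp cmdlet and parameter names are recalled from that module rather than taken from the paper, so check them with Get-Help first. The service account exists only to join session hosts into the OU, so it is created as a plain user in that OU with no group membership beyond the default; it also needs rights to create computer objects in that OU, which should be delegated on the OU alone rather than by adding it to a privileged group.

```powershell
# Added example (not from the paper): hybrid collection creation, JMeter publishing, user grant.
# --- Part 1: on the domain controller (ActiveDirectory module) ---
$domainDn = 'DC=sonnn2,DC=com'
$ouName   = 'RemoteApp'
$ouDn     = "OU=$ouName,$domainDn"
$svcName  = 'remoteapp-svc'                  # assumed name; the paper's address is redacted
$svcUpn   = "$svcName@sonnn2.com"

if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}
# Dedicated, unprivileged domain-join account living inside the OU it will populate.
$svcPassword = Read-Host -Prompt "Password for $svcUpn" -AsSecureString
New-ADUser -Name $svcName -SamAccountName $svcName -UserPrincipalName $svcUpn `
    -Path $ouDn -AccountPassword $svcPassword -Enabled $true `
    -Description 'Azure RemoteApp hybrid collection: joins session hosts to this OU'

# --- Part 2: where the classic Azure module (with RemoteApp cmdlets) is loaded ---
$collection = 'jmeter-hybrid'                                   # assumed collection name
$ouDn       = 'OU=RemoteApp,DC=sonnn2,DC=com'
$cred       = Get-Credential -UserName 'remoteapp-svc@sonnn2.com' -Message 'RemoteApp service account'

# "Create with VNet" + "Join Local Domain": the collection lands in the chosen subnet of the
# cloud VNet that the Site-to-Site VPN connects to on-premises, and joins the paper's domain.
New-AzureRemoteAppCollection -CollectionName $collection `
    -ImageName 'java-remoteapp' `
    -Plan 'Standard' `
    -VNetName 'nguyens-cloud-vnet' `
    -SubnetName 'remoteapp-subnet' `
    -Domain 'sonnn2.com' `
    -OrganizationalUnit $ouDn `
    -Credential $cred | Out-Null

# Provisioning takes hours (paper); poll with a bound so a failed deployment cannot hang the script.
$tries = 0
do {
    Start-Sleep -Seconds 120
    $status = (Get-AzureRemoteAppCollection -CollectionName $collection).Status
    if (++$tries -gt 180) { throw "Collection $collection still '$status' after 6 hours; inspect it in the portal." }
} until ($status -eq 'Active')

# Publish by path, exactly as in the paper's PoC.
Publish-AzureRemoteAppProgram -CollectionName $collection `
    -FileVirtualPath 'C:\Program Files\apache-jmeter-2.13\bin\jmeter.bat' `
    -DisplayName 'JMeter'

# Grant access to named synced (OrgId) users only, then list who can reach the app.
Add-AzureRemoteAppUser -CollectionName $collection -Type OrgId -UserUpn 'user1@sonnn2.com'
Get-AzureRemoteAppUser -CollectionName $collection
```

Keeping the service account, the OU and the collection name together in one script also gives you the inventory a reviewer needs later: which account can join machines where, which subnet the session hosts sit in, and which users were granted the published program.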

IV. SUMMARY

Azure RemoteApp Hybrid Collection helps you publish a custom set of applications that run in a domain-joined environment, while maintaining access to on-premises resources over a Site-to-Site VPN. I hope that you have gained some insights into Azure RemoteApp as a service, as well as the hybrid collection installation process, from infrastructure preparation to app deployment.

V. ABOUT THE AUTHOR

Son Nguyen is a Cloud Solution Architect currently working for FPT Software’s Cloud Innovation team. With deep knowledge of AWS and Microsoft Azure, Son acts as a cloud consultant in various areas, ranging from assessment to architecture design, supporting customers in Japan, the EU and the US.
