
Developers Guide to Azure RemoteApp Hybrid Collection Deployment

I. ABSTRACT
II. AZURE REMOTEAPP
1. What is Azure RemoteApp?
2. How It Works Behind the Scene
3. Advantages of Azure RemoteApp
4. Cloud Collection vs. Hybrid Collection
III. INTEGRATING AZURE REMOTEAPP WITH EXISTING, ON-PREMISES AD, DNS AND NETWORK FOR HYBRID DEPLOYMENT
1. Problem Definition
2. Infrastructure Preparation
2.1 Site-to-Site VPN to Make Azure RemoteApp Available in Azure Resource Manager
2.2 Deploy Active Directory (replicated AD) in the Cloud
3. Implementation
3.1 Application Package: Migrating Java App to RemoteApp
3.2 Domain Integration: A Hybrid Identity Management System of Azure AD Connect
3.3 Azure Remote App Hybrid Deployment
IV. SUMMARY
V. ABOUT THE AUTHOR

www.fpt-software.com

I. ABSTRACT

Azure RemoteApp is Microsoft’s sure-fire solution to providing secure, remote access to Azure-based applications from different user devices. I introduced Azure RemoteApp to my customers as soon as it was released. Its technical and business capabilities have captured the interest of many businesses. Customers can save a significant amount of time, effort, and money by easily allowing a Bring Your Own Device (BYOD) model amongst their employees and vendors.

The product, however, is not entirely without technical drawbacks. Certain doubts about the product need to be addressed in order for it to reach the highest level of efficiency. For instance: “How to standardize, simplify and automate any application deployment?”, “In what way can we optimize the upgrading and patching process with the minimum downtime?”, “Can user management be easier and more effective?”
Azure RemoteApp comes in two collections: cloud collection, for applications which do not require connection to any resources on companies' networks; and hybrid collection, for applications that not only host and store data in the Azure cloud, but also allow you to access data and resources stored on the local network. With some of my customers choosing hybrid collection for complete control over their applications, I decided to carry out a few PoCs of my own. I hope to decipher the question of integrating Azure RemoteApp with existing, on-premises network, domain and packaging application for hybrid deployment. I will discuss this topic within the scope of this paper.

II. AZURE REMOTEAPP

1. WHAT IS AZURE REMOTEAPP?

According to Microsoft, Azure RemoteApp is a solution that brings the functionality of the on-premises Microsoft RemoteApp program, backed by Remote Desktop Services, to Azure. It helps provide secure, remote access to applications from many different user devices. Azure RemoteApp is part of the Microsoft Virtual Desktop Infrastructure. It uses RDP, a WAN-ready protocol that is resilient to network latency and loss. Azure RemoteApp enables users to share apps and resources on almost any device. While the applications are running remotely from Windows Servers on Azure Cloud, it appears to the users as if they are running locally on client devices.

2. HOW IT WORKS BEHIND THE SCENE

Azure RemoteApp is built on Windows Server Remote Desktop Session Host (RD Session Host), which allows users to host Windows-based programs and/or a full Windows desktop, making it appear as if they are running on the end user’s local computers. Users can connect to an RD Session Host server to run programs, save files, or use network resources while seeing and using only their individual sessions. The session execution occurs on the server and is managed by the server operating system.

Azure RemoteApp is deployed on the Windows Server 2012 R2 Datacenter operating system with 3 available template images:

Windows Server 2012
Description: Based on Microsoft Windows Server 2012 R2 Datacenter operating system
Roles and Features:
- .NET Framework 4.5, 3.5.1, 3.5
- Desktop Experience
- Ink and Handwriting Services
- Media Foundation
- Remote Desktop Session Host
- Windows PowerShell 4.0
- Windows PowerShell ISE
- WoW64 Support
- Adobe Flash Player
- Microsoft Silverlight
- Microsoft System Center 2012 Endpoint Protection
- Microsoft Windows Media Player

Microsoft Office 365 ProPlus; Microsoft Office 2013 Professional Plus
Description: An extension of the Windows Server 2012 image
Roles and Features:
- Access
- Excel
- Lync
- OneNote
- OneDrive for Business
- Outlook
- PowerPoint
- Project
- Visio
- Word
- Microsoft Office Proofing Tools

3. ADVANTAGES OF AZURE REMOTEAPP

- No complex on-premises infrastructure configuration, and minimized infrastructure cost (move CAPEX to OPEX);
- Easily scale up or down to meet the changing needs of your businesses;
- End-users can access RemoteApp programs from any device (Windows, iOS, Mac OS X and Android devices) anywhere;
- Protect corporate resources and ensure compliance;

4. CLOUD COLLECTION VS. HYBRID COLLECTION

Azure RemoteApp provides flexible deployment options: you can either choose a cloud-based deployment (where you deploy a standalone cloud service), or select a hybrid deployment (where the service is integrated into your on-premises infrastructure).

Hosting
- Cloud Collection: Is hosted and stores all data for programs in Azure cloud.
- Hybrid Collection: Is hosted and stores data in Azure cloud and allows users to access data and resources stored in the local network.

Identity Management
- Cloud Collection: Can use Microsoft account or corporate credentials synchronized or federated with Azure Active Directory account.
- Hybrid Collection: Can use corporate credentials synchronized or federated with Azure Active Directory account.

Maintenance
- Cloud Collection: Microsoft updates the applications and operating systems. The administrators only need to control the user access.
- Hybrid Collection: The administrators are in charge of maintaining the image and applications.

RDS Servers
- Cloud Collection: No need to domain-join the RDS servers to Active Directory.
- Hybrid Collection: The administrator can domain-join the RDS servers.

III. INTEGRATING AZURE REMOTEAPP WITH EXISTING, ON-PREMISES AD, DNS AND NETWORK FOR HYBRID DEPLOYMENT

1. PROBLEM DEFINITION

In this paper, I would like to walk you through the detailed guideline to integrating Azure RemoteApp with existing, on-premises network, domain and packaging application for hybrid deployment. I will also address the following limitations regarding Azure RemoteApp hybrid collection installation:

- The JSON-driven Azure Resource Management (ARM) is the latest REST API for resource grouping, tagging and managing. While most of the recent VMs and role instances run on a VNet created in ARM, Azure RemoteApp can only support the classic ASM (Azure Service Management) API, which is an XML-driven REST API.
- Azure Active Directory is a centralized identity system that manages access accounts to Azure RemoteApp collections. If you want to use similar credentials with on-premises applications, Azure AD doesn’t support them by default.
- Since Azure RemoteApp collections are accessible from the Internet, integrating them with other application layers (such as application layer or database layer) requires direct connection between these layers and the Internet. However, this is a rather insecure solution.
- Azure AD cannot handle the Windows authentication/authorization of applications.
2. INFRASTRUCTURE PREPARATION

2.1. SITE-TO-SITE VPN TO MAKE AZURE REMOTEAPP AVAILABLE IN AZURE RESOURCE MANAGER

There are two ways to manage Microsoft Azure cloud resources: the ARM and ASM REST APIs. Each interface has a separate UI Portal experience, REST API, PowerShell module, and “mode” of operation in the Azure Cross-Platform (xPlat) CLI Tool.

The below figure shows the outcome of connecting an on-premises virtual network with a cloud-based network using Site-to-Site VPN. The same process can be applied when linking a classic VNet with an ARM VNet.

Azure VNet Site-to-Site VPN (between VNet and VNet) can help connect ARM to ASM VNets, get them to work together, and make Azure RemoteApp available in ARM VNets. Connecting virtual networks is a great solution for cross-region geo-redundancy and geo-presence, for setting up regional multi-tier applications with a strong isolation boundary, and for cross-subscription and inter-organization communications in Azure.

Configure VNet to VNet connection

1. Create corresponding local networks for VNets

Virtual Network: nguyens-onpremise-vnet
- Virtual Network Site Definition: nguyens-onpremise-vnet (10.0.0.0/26)
- Local Network Site Definition: nguyens-onpremise-local (10.0.0.0/26)
- Local Network Site to Connect: nguyens-cloud-local

Virtual Network: nguyens-cloud-vnet
- Virtual Network Site Definition: nguyens-cloud-vnet (10.1.0.0/26)
- Local Network Site Definition: nguyens-cloud-local (10.1.0.0/26)
- Local Network Site to Connect: nguyens-onpremise-local

Please note that you will need to define each virtual network twice: first, as an Azure virtual network, and second, as a local network site connected to the other virtual network. You must ensure the Address Space elements specified in both definitions are the same. Otherwise, the communication will not work correctly between the two virtual networks.

Upon adding a new local network, you will need to specify your local network information with any VPN Device IP Address (we need to come back and update this information later), and define the address space for your local network (it must match the respective VNet configuration).
2. Configure connection gateway

Site-to-site VPN is enabled by selecting the Connect to local network option in the Configure tab in each VNet. You will then see the note “a gateway subnet is required”. This means you need to go back to the Dashboard tab and click on the Create Gateway button (In this case, I chose Dynamic Routing option).

Azure takes a few minutes to finish deploying the gateway for each VNet. The gateway IP address will appear once the gateway is created. You need to update the configuration of each local network to make sure it matches its relevant gateway IP address.

3. Establish cross-premise tunnel

You can use any private key, but I suggest generating a private key using the VNet’s Manage Shared Key feature.

-LocalNetworkSiteName nguyens-onpremise-local -SharedKey <<private key>>

And here is the result:

You can connect or disconnect the connection between two VNets any time you want.
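The shared-key step above, written out for both directions as an added example (it is not code from the original paper). It assumes the classic (ASM) Azure PowerShell module with its Set-AzureVNetGatewayKey, Get-AzureVNetGatewayKey and Get-AzureVNetConnection cmdlets, an authenticated session, and gateways already created in step 2; it generates the key locally instead of using Manage Shared Key.

```powershell
# Added example, not from the original paper. Assumes the classic (ASM) Azure
# PowerShell module, an authenticated session, and gateways created in step 2.
# VNet and local network site names are the ones used in the paper's table.

# Generate 32 random bytes locally and hex-encode them (64 characters), so the
# pre-shared key is not a guessable passphrase.
$bytes = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$sharedKey = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# Each VNet is paired with the local network site that represents the other VNet.
$pairs = @(
    @{ VNet = 'nguyens-onpremise-vnet'; LocalSite = 'nguyens-cloud-local' },
    @{ VNet = 'nguyens-cloud-vnet';     LocalSite = 'nguyens-onpremise-local' }
)

# Both gateways must hold the same key or the tunnel will not come up.
foreach ($p in $pairs) {
    Set-AzureVNetGatewayKey -VNetName $p.VNet `
        -LocalNetworkSiteName $p.LocalSite `
        -SharedKey $sharedKey | Out-Null
}

# Read the keys back and fail loudly if the two ends disagree.
$stored = foreach ($p in $pairs) {
    (Get-AzureVNetGatewayKey -VNetName $p.VNet `
        -LocalNetworkSiteName $p.LocalSite).Value
}
if (@($stored | Select-Object -Unique).Count -ne 1) {
    throw 'Shared keys differ between the two gateways.'
}

# Report the tunnel state as seen from each VNet.
foreach ($p in $pairs) {
    Get-AzureVNetConnection -VNetName $p.VNet |
        Select-Object LocalNetworkSiteName, ConnectivityState
}

# Drop the key material from the session once both ends are configured.
Remove-Variable sharedKey, stored, bytes
```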