Developer s Guide to Azure RemoteApp Hybrid Collection Deployment


CONTENTS
I. ABSTRACT
II. AZURE REMOTEAPP
  1. What is Azure RemoteApp?
  2. How It Works Behind the Scenes
  3. Advantages of Azure RemoteApp
  4. Cloud Collection vs. Hybrid Collection
III. INTEGRATING AZURE REMOTEAPP WITH EXISTING, ON-PREMISES AD, DNS AND NETWORK FOR HYBRID DEPLOYMENT
  1. Problem Definition
  2. Infrastructure Preparation
    2.1 Site-to-Site VPN to Make Azure RemoteApp Available in Azure Resource Manager
    2.2 Deploy Active Directory (Replicated AD) in the Cloud
  3. Implementation
    3.1 Application Package: Migrating a Java App to RemoteApp
    3.2 Domain Integration: A Hybrid Identity Management System with Azure AD Connect
    3.3 Azure RemoteApp Hybrid Deployment
IV. SUMMARY
V. ABOUT THE AUTHOR

I. ABSTRACT

Azure RemoteApp is Microsoft's solution for providing secure, remote access to Azure-hosted applications from many different user devices. I introduced Azure RemoteApp to my customers as soon as it was released. Its technical and business capabilities have captured the interest of many businesses: customers can save a significant amount of time, effort and money by adopting a Bring Your Own Device (BYOD) model for their employees and vendors, because the application and its data stay on the server and the device only receives the remote session.

The product, however, is not without technical drawbacks. Several questions have to be answered before it can be used at full efficiency: how to standardize, simplify and automate application deployment; how to optimize upgrading and patching with minimum downtime; and whether user management can be made easier and more effective.

Azure RemoteApp comes in two kinds of collection: a cloud collection, for applications that do not need to reach any resources on the company's network; and a hybrid collection, for applications that are hosted in Azure but also need access to data and resources on the local network. With some of my customers choosing hybrid collections for complete control over their applications, I decided to carry out a few PoCs of my own. My goal is to answer the question of how to integrate Azure RemoteApp with an existing on-premises network and domain, and how to package an application for hybrid deployment. That is the scope of this paper.

II. AZURE REMOTEAPP

1. WHAT IS AZURE REMOTEAPP?

According to Microsoft, Azure RemoteApp brings the functionality of the on-premises Microsoft RemoteApp program, backed by Remote Desktop Services, to Azure. It provides secure, remote access to applications from many different user devices, and it is part of Microsoft's Virtual Desktop Infrastructure offering. It uses RDP, a WAN-ready protocol that is resilient to network latency and loss. Azure RemoteApp lets users share apps and resources on almost any device: while the applications actually run on Windows Server in Azure, to the user they appear to run locally on the client device.

2. HOW IT WORKS BEHIND THE SCENES

Azure RemoteApp is built on the Windows Server Remote Desktop Session Host (RD Session Host) role, which hosts Windows-based programs or full Windows desktops and makes them appear to run on the end user's local computer. Users connect to an RD Session Host server to run programs, save files or use network resources, while seeing and using only their own individual session. The session executes on the server and is managed by the server operating system.

Azure RemoteApp runs on Windows Server 2012 R2 Datacenter, with three template images available:

Template image                                                          | Description                                      | Roles and features
Windows Server 2012                                                     | Based on Windows Server 2012 R2 Datacenter       | .NET Framework 4.5, 3.5.1, 3.5; Desktop Experience; Ink and Handwriting Services; Media Foundation; Remote Desktop Session Host; Windows PowerShell 4.0; Windows PowerShell ISE; WoW64 support; Adobe Flash Player; Microsoft Silverlight; Microsoft System Center 2012 Endpoint Protection; Microsoft Windows Media Player
Microsoft Office 365 ProPlus; Microsoft Office 2013 Professional Plus   | An extension of the Windows Server 2012 image    | Access; Excel; Lync; OneNote; OneDrive for Business; Outlook; PowerPoint; Project; Visio; Word; Microsoft Office Proofing Tools

3. ADVANTAGES OF AZURE REMOTEAPP

- No complex on-premises infrastructure to configure, and lower infrastructure cost (CAPEX moves to OPEX);
- Easy to scale up or down to meet changing business needs;
- End users can access RemoteApp programs from any device (Windows, iOS, Mac OS X and Android) from anywhere;
- Corporate resources are protected and compliance is easier to ensure, since applications and data stay in the datacenter rather than on the device.

4. CLOUD COLLECTION VS. HYBRID COLLECTION

Azure RemoteApp provides flexible deployment options: you can either choose a cloud-based deployment (a standalone cloud service) or a hybrid deployment (where the service is integrated into your on-premises infrastructure).

                    | Cloud Collection                                                                          | Hybrid Collection
Hosting             | Hosted in Azure and stores all program data in the Azure cloud.                           | Hosted in Azure, stores data in the Azure cloud, and lets users access data and resources on the local network.
Identity management | A Microsoft account, or corporate credentials synchronized or federated with Azure AD.    | Corporate credentials synchronized or federated with Azure AD.
Maintenance         | Microsoft updates the applications and the operating system; administrators only control user access. | Administrators maintain the image and the applications.
RDS servers         | Not domain-joined to Active Directory.                                                    | Can be domain-joined by the administrator.

III. INTEGRATING AZURE REMOTEAPP WITH EXISTING, ON-PREMISES AD, DNS AND NETWORK FOR HYBRID DEPLOYMENT

1. PROBLEM DEFINITION

In this paper I walk through a detailed guideline for integrating Azure RemoteApp with an existing on-premises network and domain, and for packaging an application for hybrid deployment. I also address the following limitations of an Azure RemoteApp hybrid collection installation:

- The JSON-driven Azure Resource Manager (ARM) is the newer REST API for grouping, tagging and managing resources. While most recent VMs and role instances run in VNets created with ARM, Azure RemoteApp only supports the classic, XML-driven Azure Service Management (ASM) API and its VNets.
- Azure Active Directory is the centralized identity system that manages the accounts allowed to access Azure RemoteApp collections. By default it does not let those same credentials be used with on-premises applications.
- Because Azure RemoteApp collections are reachable from the Internet, integrating them with other tiers (an application tier or a database tier) would require those tiers to be reachable from the Internet as well, which is insecure.
- Azure AD cannot handle Windows (integrated) authentication and authorization for applications; that requires a domain-joined session host.

2. INFRASTRUCTURE PREPARATION

2.1 SITE-TO-SITE VPN TO MAKE AZURE REMOTEAPP AVAILABLE IN AZURE RESOURCE MANAGER

ARM and ASM are the two REST APIs for managing Microsoft Azure resources, and each has its own portal experience, REST API, PowerShell module and mode of operation in the Azure cross-platform (xplat) CLI. An Azure VNet-to-VNet connection (a site-to-site VPN between two VNets) can connect an ARM VNet to an ASM VNet so that the two work together, which makes Azure RemoteApp reachable from the ARM VNet. Connecting virtual networks is also useful for cross-region geo-redundancy and geo-presence, for regional multi-tier applications with a strong isolation boundary, and for cross-subscription and inter-organization communication in Azure.

The table below shows the outcome of connecting an on-premises virtual network with a cloud-based network over a site-to-site VPN. The same process applies when linking a classic VNet with an ARM VNet.

Configure the VNet-to-VNet connection

Step 1: Create the corresponding local network sites for the VNets

Virtual network          | Virtual network site definition       | Local network site definition          | Local network site to connect
nguyens-onpremise-vnet   | nguyens-onpremise-vnet (10.0.0.0/26)  | nguyens-onpremise-local (10.0.0.0/26)  | nguyens-cloud-local
nguyens-cloud-vnet       | nguyens-cloud-vnet (10.1.0.0/26)      | nguyens-cloud-local (10.1.0.0/26)      | nguyens-onpremise-local

Note that each virtual network has to be defined twice: first as an Azure virtual network, and second as a local network site connected to the other virtual network. The address space in both definitions must be identical; otherwise traffic between the two virtual networks will not flow correctly. When adding a local network site you must specify a VPN device IP address (any placeholder for now; it is updated later with the gateway address) and the address space of that local network, which must match the respective VNet's configuration.

Step 2: Configure the connection gateway

Site-to-site VPN is enabled by selecting the Connect to local network option on the Configure tab of each VNet. You will then see a note that a gateway subnet is required, so go back to the Dashboard tab and click Create Gateway (I chose the Dynamic Routing option; a VNet-to-VNet connection requires dynamic routing gateways on both sides). Azure takes a few minutes to deploy the gateway for each VNet. Once a gateway is created its IP address appears; update each local network site so that its VPN device IP address matches the gateway IP address of the VNet it represents.

Step 3: Establish the cross-premises tunnel

Azure PowerShell is required to establish the tunnel between the two networks. Both gateways must be configured with the same shared key (this is an IPsec pre-shared key, not a private key): you can supply any value, but I suggest generating one with the VNet's Manage Shared Key feature. The site-to-site connection is enabled by running the Set-AzureVNetGatewayKey cmdlet once for each side. In my case the following script was executed:

    Set-AzureVNetGatewayKey -VNetName nguyens-onpremise-vnet -LocalNetworkSiteName nguyens-cloud-local -SharedKey <<shared key>>
    Set-AzureVNetGatewayKey -VNetName nguyens-cloud-vnet -LocalNetworkSiteName nguyens-onpremise-local -SharedKey <<shared key>>

And here is the result: [figure: connection status of the two VNets after the key is set]

You can connect or disconnect the two VNets at any time. You can also reuse the Active Directory/DNS server across both networks, as I did with mine.
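The two Set-AzureVNetGatewayKey calls above take whatever key you paste in. The block below is an added example, not code from the paper: it generates the pre-shared key from a CSPRNG instead of typing one, applies the same value to both sides, clears it from the session, and then polls the connection state until the tunnel reports Connected. It assumes the classic (ASM) Azure PowerShell module is loaded with a subscription selected, that Get-AzureVNetConnection returns a ConnectivityState property as documented for that module, and uses the VNet and local site names from the paper.

```powershell
# Added example (not part of the original paper). Assumes the classic Azure
# PowerShell module (Set-AzureVNetGatewayKey / Get-AzureVNetConnection) and
# the VNet / local network site names used in the paper.
$onPremVNet  = 'nguyens-onpremise-vnet'
$onPremLocal = 'nguyens-onpremise-local'
$cloudVNet   = 'nguyens-cloud-vnet'
$cloudLocal  = 'nguyens-cloud-local'

# 32 bytes from a cryptographic RNG, hex-encoded: 64 printable ASCII characters,
# well inside what the gateway accepts. Never reuse a key between tunnels.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedKey = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# Each VNet is keyed against the local network site that represents the OTHER VNet.
Set-AzureVNetGatewayKey -VNetName $onPremVNet -LocalNetworkSiteName $cloudLocal  -SharedKey $sharedKey
Set-AzureVNetGatewayKey -VNetName $cloudVNet  -LocalNetworkSiteName $onPremLocal -SharedKey $sharedKey

# The key is only needed at configuration time; do not leave it in the session
# (or in a transcript) afterwards.
Remove-Variable sharedKey, bytes

# Poll each side until its gateway reports Connected, giving up after 5 minutes.
foreach ($vnet in $onPremVNet, $cloudVNet) {
    $deadline = (Get-Date).AddMinutes(5)
    do {
        $state = (Get-AzureVNetConnection -VNetName $vnet).ConnectivityState
        if ($state -ne 'Connected') { Start-Sleep -Seconds 15 }
    } while ($state -ne 'Connected' -and (Get-Date) -lt $deadline)
    '{0}: {1}' -f $vnet, $state
}
```

If one side stays in Connecting, the usual causes are a mismatched key, a local network site whose address space does not match its VNet, or a VPN device IP address that was never updated to the gateway address after Step 2.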

2.2 DEPLOY ACTIVE DIRECTORY (REPLICATED AD) IN THE CLOUD

Before installing Active Directory in the Azure VNet, make sure a Domain Controller (DC) subnet has been created inside the VNet and a new virtual machine has been created in that subnet. Choose a VM size that fits your organization's needs; I opted for an A1 VM, which is in the Standard tier.

Install the Active Directory Domain Services role
- Select Add Roles and Features in Server Manager.
- Select the Role-based or feature-based installation type.
- Select the server from the server pool.
- Choose Active Directory Domain Services as the server role.
- Check Restart the destination server automatically if required and start the installation.

Promote the server to a domain controller
- After the VM restarts, click the warning icon in Server Manager and start promoting the server to a domain controller.
- Select Add a new forest and fill in the root domain name.
- In the Domain Controller Options step, make sure Domain Name System (DNS) server is selected and enter the Directory Services Restore Mode (DSRM) password. The DSRM password is a break-glass credential for this DC, so store it like any other privileged secret.
- Ignore the warning in the DNS Options step (a delegation cannot be created because there is no parent zone).
- The NetBIOS domain name is populated automatically.
- Specify the location of the AD DS database, log files and SYSVOL. As a best practice, attach a new data disk for these items instead of using the default drive; in Azure, set that disk's host cache preference to None so that directory writes are not cached.
- Click Install and wait for the configuration to finish.

Reserve a static IP address for the domain controller
The IP addresses assigned to both cloud service roles and virtual machines can change when the cloud infrastructure is repaired, so reserve a static IP address for the domain controller with the Set-AzureStaticVNetIP cmdlet, piped from Get-AzureVM and into Update-AzureVM:

    Get-AzureVM -ServiceName <<service name>> -Name <<vm name>> | Set-AzureStaticVNetIP -IPAddress <<IP address>> | Update-AzureVM

Reset the DNS server configuration
- In Server Manager select Tools > DNS.
- Open the Properties of your DNS server node.
- Remove any address listed as unable to resolve (typically the forwarders inherited from the VM's previous DNS setting), then restart the domain controller.

Configure the VNet to use the new DNS server
You have almost finished deploying the domain controller in your VNet. For the last step, open the VNet's Configure tab and add the domain controller's IP address to the DNS Servers field. VMs already running in the VNet pick up the new DNS server only after a restart or DHCP lease renewal.
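The role install and forest promotion above can be done in one elevated PowerShell session on the new VM instead of through Server Manager. The block below is an added example, not the paper's code; it assumes a data disk has already been initialized as F:, uses the paper's domain name sonnn2.com, and prompts for the DSRM password rather than embedding it.

```powershell
# Added example (not from the original paper). Assumes: elevated session on the
# new DC VM, data disk mounted as F:, domain sonnn2.com as in the paper.
Import-Module ServerManager

# 1. Install the AD DS role and its management tools (no reboot needed yet).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. The DSRM password is a break-glass credential for this DC: prompt for it,
#    never hard-code it, and record it in your privileged-secret store.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

Import-Module ADDSDeployment

# 3. Create the forest with an integrated DNS server and keep NTDS and SYSVOL on
#    the data disk (host caching set to None in Azure). -CreateDnsDelegation:$false
#    skips the delegation attempt whose warning the paper tells you to ignore;
#    -Force suppresses the confirmation prompts.
Install-ADDSForest `
    -DomainName 'sonnn2.com' `
    -DomainNetbiosName 'SONNN2' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath 'F:\NTDS' `
    -LogPath 'F:\NTDS' `
    -SysvolPath 'F:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force:$true
# The server reboots automatically when promotion completes.
```

After the reboot, reserve the static IP from your management workstation with the Get-AzureVM | Set-AzureStaticVNetIP | Update-AzureVM pipeline shown above, then run dcdiag /test:dns on the DC to confirm the DNS zone and SRV records are in place before pointing the VNet at it.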

3. IMPLEMENTATION

3.1 APPLICATION PACKAGE: MIGRATING A JAVA APP TO REMOTEAPP

Azure RemoteApp supports streaming 32-bit or 64-bit Windows-based applications from a Windows Server 2012 R2 installation. Most existing 32-bit or 64-bit Windows-based applications run as-is in a RemoteApp (Remote Desktop Services, formerly Terminal Services) environment. "Windows-based applications" here means applications built on Microsoft technologies such as the .NET Framework and SQL Server, as well as any application that runs well on Windows, such as Java applications.

Can we run a Java application with RemoteApp? To answer this I built my own PoC instead of relying on someone else's reference. Since my PoC could not cover all cases and my scenario was rather simple, my answer is a partial yes. For the PoC I selected JMeter (http://jmeter.apache.org/), a Java application, and included some *.bat files that validate the environment configuration and the application's dependencies. Here is how I built it:

1. Create a new template image for the RemoteApp service. You can build the template on a local machine or, as I did, on an Azure virtual machine. Microsoft provides a gallery that helps you set up the working environment quickly; in this case I created my VM from the Windows Server Remote Desktop Session Host image.
2. Install Java and JMeter, then test that the application runs properly. Microsoft provides a PowerShell script and template that validate all prerequisites for Azure RemoteApp; run it by clicking the ValidateRemoteAppImage icon on the desktop.
3. Fix every error reported by the script before running Sysprep and capturing the image. Treat the image as if users will get a full desktop: a published application's file dialogs and helper processes can reach the rest of the server, so harden the image (no stored credentials, no unnecessary admin tools) before capturing it.
4. In the RemoteApp portal, import an image from your virtual machine library. I named my template image java-remoteapp. Wait for the new template to be uploaded, then create a new RemoteApp collection based on the custom template.
5. Publish the JMeter application by path; my runnable package was located at C:\Program Files\apache-jmeter-2.13\bin\jmeter.bat.
6. Once provisioning and configuration of the new collection are complete, you can access and review the remote JMeter. You can also save files in RemoteApp storage and come back later to resume your work.
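The paper's *.bat files that validate the environment are not reproduced, so the block below is an added example, a PowerShell stand-in for them and not the author's scripts. Run it on the template VM before ValidateRemoteAppImage and Sysprep. It assumes the JMeter path from the paper and checks the things that most often make a published path work for the administrator but fail for other users' sessions: the RDSH role, a machine-wide (not profile-relative) publish path, java.exe on the machine PATH at an acceptable version, and JAVA_HOME set at machine scope.

```powershell
# Added example (not from the original paper): pre-capture dependency checks
# for the JMeter template image. Assumes the paper's JMeter install path.
function Test-JMeterImage {
    param(
        [string]$JMeterBat = 'C:\Program Files\apache-jmeter-2.13\bin\jmeter.bat',
        [version]$MinJava  = '1.7'
    )
    $problems = @()

    # 1. The session host role must be present or the image will not validate.
    if (-not (Get-WindowsFeature -Name RDS-RD-Server).Installed) {
        $problems += 'Remote Desktop Session Host role is not installed'
    }

    # 2. The published path must exist and must not live inside a user profile.
    if (-not (Test-Path -LiteralPath $JMeterBat)) {
        $problems += "Publish path not found: $JMeterBat"
    } elseif ($JMeterBat -like "$env:USERPROFILE*") {
        $problems += 'Publish path is inside a user profile; other users will not see it'
    }

    # 3. jmeter.bat relies on java.exe being on the PATH. 'java -version' writes
    #    to stderr, hence the 2>&1 redirection before parsing the first line.
    $java = Get-Command java.exe -ErrorAction SilentlyContinue
    if (-not $java) {
        $problems += 'java.exe not on the machine PATH'
    } else {
        $line = (& $java.Source -version 2>&1 | Select-Object -First 1) -join ''
        if ($line -match '"(\d+\.\d+)') {
            if ([version]$Matches[1] -lt $MinJava) {
                $problems += "Java $($Matches[1]) is older than required $MinJava"
            }
        } else {
            $problems += "Could not parse Java version from: $line"
        }
    }

    # 4. JAVA_HOME set only in the administrator's user environment is invisible
    #    to every other RemoteApp session; it must be set at Machine scope.
    if (-not [Environment]::GetEnvironmentVariable('JAVA_HOME', 'Machine')) {
        $problems += 'JAVA_HOME is not set at Machine scope'
    }

    if ($problems.Count -eq 0) { 'OK: image passes application checks' }
    else { $problems | ForEach-Object { "FAIL: $_" } }
}

Test-JMeterImage
```

Any FAIL line should be fixed before Sysprep, for the same reason the paper gives for the ValidateRemoteAppImage errors: once the image is captured and uploaded, correcting it means a new capture and a new collection update.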

3.2 DOMAIN INTEGRATION: A HYBRID IDENTITY MANAGEMENT SYSTEM WITH AZURE AD CONNECT

Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based directory and identity management service. It controls authentication, giving employees and business partners single sign-on (SSO) access to SaaS applications such as Office 365, Salesforce (SFDC) and Dropbox. By default the service does not let the same credentials be used for on-premises applications, but it can be integrated with an existing on-premises Active Directory to provide a hybrid identity management solution.

Tool and integration model

Azure AD Connect integrates an on-premises identity system such as Windows Server Active Directory with Azure Active Directory and connects users to Azure SaaS applications. It has three essential features:
- Synchronization services: keep the user and group information in your on-premises environment matched with the cloud.
- Active Directory Federation Services: addresses complex deployments that require domain-join SSO, enforcement of AD sign-in policy, or smart card and third-party MFA.
- Health monitoring: robust monitoring from a central location in the Azure portal.

Azure AD Connect supports two identity models:
- Synchronized identities: user accounts and, optionally, password hashes are synchronized from on-premises AD to Azure AD, so a user signs in to on-premises and Azure resources with the same password.
- Federated identities: also requires a synchronized identity, but the user's password is verified by the on-premises identity provider, so no password hash has to be synchronized to Azure AD. This model applies when integrating with Active Directory Federation Services (AD FS) or a third-party identity provider.

Three steps to enable integration

Step 1: Add a custom domain
A custom domain is required for on-premises and Azure AD integration. You add the domain from the dashboard of the selected Azure Active Directory. The public domain should match the UPN suffix of your AD domain (in my case sonnn2.com); users whose UPN suffix is not a verified domain are synchronized with a UPN in the tenant's default onmicrosoft.com domain instead. You then verify the custom domain by adding the TXT record shown in the portal to your public DNS zone. Next, verify the domain and set it as the primary domain. In this case I apply the synchronized identity model, so my domain is not planned for single sign-on.

Step 2: Add a global admin account
Create a new global admin account in your Azure AD to control the overall AD synchronization process. This account is needed only during installation, since Azure AD Connect creates its own service account for ongoing synchronization, so protect it with MFA and do not use it for day-to-day administration.

Step 3: Install Azure AD Connect and configure synchronization
Download Azure Active Directory Connect from the Download Center and install it on a domain-joined server that can reach both the AD servers and the Internet. Start the Azure AD Connect configuration after the installation completes. You can choose either Express settings (the defaults) or Customized settings:
- Express settings: recommended for a single-forest AD. Users sign in with the same password via password synchronization.
- Customized settings: used when you have multiple forests. It supports many on-premises topologies and lets you customize the sign-in option, for example AD FS for federation.
Whichever settings you opt for, connect with the appropriate accounts: a Global Admin account for Azure AD and an Enterprise Administrator account for AD DS. Now your on-premises AD and Azure AD are connected.
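Two things in Step 1 are worth checking from a script before Azure AD Connect runs: that the TXT verification record is actually visible from public DNS, and that the users about to be synchronized carry a UPN suffix equal to the verified domain. The block below is an added example, not the paper's code. It uses the paper's domain sonnn2.com, a constructed placeholder TXT value (the real one is issued by the portal), and the ActiveDirectory RSAT module on a domain-joined machine.

```powershell
# Added example (not from the original paper): pre-sync checks for Step 1.
# Assumptions: domain sonnn2.com as in the paper; 'MS=ms12345678' is a
# constructed placeholder for the portal-issued verification value.
param(
    [string]$Domain     = 'sonnn2.com',
    [string]$TxtValue   = 'MS=ms12345678',
    [string]$SearchBase = 'DC=sonnn2,DC=com'
)
Import-Module ActiveDirectory

# 1. Azure AD verifies the domain from the public Internet, so ask a public
#    resolver rather than the internal DC, which may host a split-brain zone.
$txt = Resolve-DnsName -Name $Domain -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue
if ($txt.Strings -contains $TxtValue) {
    "OK: TXT verification record for $Domain is published"
} else {
    "WARN: TXT record '$TxtValue' not found for $Domain; domain verification will fail"
}

# 2. Any enabled user whose UPN suffix is not the verified domain (for example
#    a non-routable .local suffix) is synchronized with a tenant.onmicrosoft.com
#    UPN, and will not be able to sign in with the address they expect.
$bad = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName |
    Where-Object { -not $_.UserPrincipalName -or
                   $_.UserPrincipalName.Split('@')[-1] -ne $Domain }
if ($bad) {
    "WARN: $($bad.Count) user(s) lack a @$Domain UPN:"
    $bad | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
} else {
    "OK: all enabled users under $SearchBase use @$Domain"
}
```

If the audit lists users, add the public domain as an alternative UPN suffix in Active Directory Domains and Trusts and update those users' UPNs before the first synchronization cycle; fixing it afterwards means the UPN changes in the cloud as well.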

3.3 AZURE REMOTEAPP HYBRID DEPLOYMENT

It is recommended to deploy the Azure RemoteApp collection into a subnet of your VNet to reduce the exposure of the application layer to the Internet.

- Click New > App Services > RemoteApp > Create with VNet. Choose the virtual network and subnet you want to deploy the app collection into, and make sure Join Local Domain is checked.
- Create a new organizational unit (e.g. RemoteApp) in the domain, and a new RemoteApp service account in that OU (e.g. remoteapp@sonnn2.com). The service uses this account to join the collection's session hosts to the domain, so give it only the rights it needs on that OU (creating and managing computer objects) rather than making it a Domain Admin. The quick guide in the new app collection's dashboard walks you through the rest of the configuration.
- Once the local domain is configured, link the app collection with a template image by selecting a virtual machine image. Moving an application, specifically a Java one, to Azure RemoteApp was covered in section 3.1. The process can take a few hours to complete.
- Then publish the app and use it with your on-premises domain account.

IV. SUMMARY

An Azure RemoteApp hybrid collection lets you publish a custom set of applications that run in a domain-joined environment while keeping access to on-premises resources over a site-to-site VPN. I hope you have gained some insight into Azure RemoteApp as a service, and into the hybrid collection installation process, from infrastructure preparation to app deployment.
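The OU and service account in the second bullet are the one place this deployment hands a credential to a cloud service, so the delegation deserves to be explicit. The block below is an added example, not the paper's procedure: it creates the OU and the account and grants that account only the two access control entries a domain-join account needs on the OU (create/delete computer objects, and full control over the computer objects beneath it). It assumes the paper's names (sonnn2.com, OU RemoteApp, remoteapp@sonnn2.com), a Domain Admin session with the ActiveDirectory module, and the well-known schemaIDGUID of the computer class.

```powershell
# Added example (not from the original paper). Assumes: Domain Admin session on
# a DC or RSAT workstation, ActiveDirectory module, names from the paper.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName                 # e.g. DC=sonnn2,DC=com
$ouName   = 'RemoteApp'
$ouDn     = "OU=$ouName,$domainDn"
$svcSam   = 'remoteapp'
$svcUpn   = "$svcSam@$($domain.DNSRoot)"

# 1. The OU that will hold the collection's session host computer objects.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. The service account. Prompt for the password rather than embedding it.
#    The password must not expire unless you also rotate it in the collection.
$svcPassword = Read-Host -Prompt "Password for $svcUpn" -AsSecureString
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcSam'")) {
    New-ADUser -Name $svcSam -SamAccountName $svcSam -UserPrincipalName $svcUpn `
        -Path $ouDn -AccountPassword $svcPassword -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'Azure RemoteApp domain-join service account'
}
$svcSid = (Get-ADUser $svcSam).SID

# 3. Delegation on the OU, scoped to objects of class 'computer' only:
#    a) create/delete computer objects directly in the OU;
#    b) full control over descendant computer objects (needed to set the
#       machine password and attributes during the join).
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class computer
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svcSid, 'CreateChild, DeleteChild', 'Allow', $computerClassGuid, 'None')))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svcSid, 'GenericAll', 'Allow', 'Descendents', $computerClassGuid)))
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Print what was granted so the delegation can be reviewed and signed off.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$svcSam" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Full control over the computer objects in one OU is the standard "delegate domain join" grant; it is still far narrower than the Domain Admin membership such service accounts are often given, and if the account's password ever leaks the blast radius is the RemoteApp OU, not the domain.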

V. ABOUT THE AUTHOR

Son Nguyen is a Cloud Solution Architect currently working for FPT Software's Cloud Innovation team. With deep knowledge of AWS and Microsoft Azure, Son acts as a cloud consultant in areas ranging from assessment to architecture design, supporting customers in Japan, the EU and the US.