Version 28


This article outlines the resources and corresponding configuration to run Jiwa on the Azure platform.

The SQL Azure Database-as-a-service is used, and Remote Desktop services to deliver the Jiwa application as a remoteApp.

The Azure platform is ever-changing and best practices will change along with it.

At the time this article was published, the best practices were followed for a generic environment. However, the reader should perform their own due diligence on the current best practices for delivering Windows desktop applications via cloud-hosted RemoteApps, and on the best way to integrate them into their organisation.

Subscription

An Azure subscription needs to be created. Visit https://portal.azure.com/ and sign in with an existing Microsoft account, or create one.

Azure Active Directory

The Azure Active Directory is an identity service.  This is where you create users.  When you create an Azure subscription, the directory is created for you.  You may already have your users in this directory if you already have an Office 365 subscription - as this uses the same directory for managing users.

Login to your Azure portal via https://portal.azure.com/ and search for Active Directory and select it.




On the left hand pane, select Users



A list of users should appear.



If you have no users, create them.

Azure Active Directory Domain Services (ADDS)

Before we can create a virtual machine, an Azure Active Directory Domain Service needs to be created.  The Windows Server machine we later will be provisioning requires a Domain to connect to before Remote Desktop Services can be deployed, and the Azure Active Directory Domain Service is what we use to establish a Domain.  On-prem Domains can be used instead via VPN gateway, but that is beyond the scope of this document.

You will need to add and verify ownership of a custom domain.  To verify ownership you will need to create a TXT record in your public DNS.  Follow the guidance in the portal when adding the custom domain.

Azure Virtual Machine

An Azure virtual machine is used to deliver the Jiwa application via Remote Desktop Services.  This is a Windows machine running Windows Server 2019 or later.

About Machine Sizes

Typically, we use B4ms-sized VMs for up to 30 users.  For more users, either create additional VMs and load balance, or just scale up to B8ms.  If you only have 1 to 12 users, or it's a test machine, you might get away with a B2ms.

"B" refers to the burst size.  B machines are typically cheaper because Microsoft assume you're not using them 24x7.

"2" or "4" refers to the number of cores: the 2-core size comes with 8GB of RAM, the 4-core size with 16GB.

Jiwa typically runs at 512 MB per user; allow 2GB for the operating system.

Create the VM

In the Azure portal, locate Virtual Machines and select Create


In the Basics tab, choose the Create new option for the Resource group and provide a name.

Also choose a virtual machine name and select an appropriate region.  Choose a region closest to where the majority of users are geographically located.

The Image to select is Windows Server 2019 Datacenter edition.



When first provisioning we need port 3389 open on the firewall, so leave that selected - this will be removed for security reasons once we configure Remote Desktop to use HTTPS instead.



On the Networking tab, we need to select the Virtual network associated with the Azure Active Directory Domain Services.



The remaining options are optional - it is recommended to enable backups for the VM - but note that no data is stored on the VM, so if the VM becomes unusable all that is needed is to provision a new VM from scratch.

All data is stored with the SQL Azure database.

Continue to the Review + Create step and choose Create.

When completed, locate the VM in the list of virtual machines and select it.

Set DNS Name

On the Overview tab, select the Not configured link next to the DNS name 



Enter in a DNS name and press Save


In your public DNS, add a CNAME record pointing to the Azure DNS record.  In the above example, the VM has an Azure DNS name of jiwards.australiaeast.cloudapp.azure.com.  I want my users to use jiwards.jiwa.com.au to reach the machine, so I enter a CNAME record at my DNS provider (Cloudflare in this example) which maps jiwards.jiwa.com.au to jiwards.australiaeast.cloudapp.azure.com.  This works without the VM needing a static IP address:



We won't be able to connect using that DNS name just yet - the *.australiaeast.cloudapp.azure.com domain will need to be used until we create the necessary SSL certificates.
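The same VM, network and DNS-label steps as above, scripted with the Az PowerShell module (Install-Module Az, then Connect-AzAccount). This is an added example and not part of the original article; every resource name, the region, the AADDS virtual network and subnet names, and the DNS label are assumptions to be replaced with your own. The NIC is attached explicitly to the existing AADDS virtual network (which usually lives in its own resource group), and port 3389 is opened only as the provisioning-time rule that the article later removes.

```powershell
# Added example (not from the original article): provision the RDS VM with Az PowerShell.
# All names below are assumptions for illustration.
$ResourceGroup = 'rg-jiwa-rds'
$Location      = 'australiaeast'
$VmName        = 'jiwards'
$DnsLabel      = 'jiwards'          # -> jiwards.australiaeast.cloudapp.azure.com
$AaddsRg       = 'rg-aadds'         # assumed resource group holding the AADDS virtual network
$AaddsVnet     = 'aadds-vnet'       # assumed name of that virtual network
$SubnetName    = 'workloads'        # assumed: a subnet other than the one AADDS itself uses

$cred = Get-Credential -Message 'Local administrator for the new VM'
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null

# Place the VM in the VNet that Azure AD Domain Services is attached to, so it can see the domain.
$vnet   = Get-AzVirtualNetwork -Name $AaddsVnet -ResourceGroupName $AaddsRg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet

# Public IP carrying the Azure DNS label that the CNAME in your own zone will point at.
$pip = New-AzPublicIpAddress -Name "$VmName-pip" -ResourceGroupName $ResourceGroup -Location $Location `
        -AllocationMethod Static -Sku Standard -DomainNameLabel $DnsLabel

# NSG: 3389 is only for initial provisioning and is removed once the RD Gateway serves HTTPS.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'RDP-provisioning' -Protocol Tcp -Direction Inbound `
            -Priority 1000 -SourceAddressPrefix Internet -SourcePortRange * `
            -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow
$nsg = New-AzNetworkSecurityGroup -Name "$VmName-nsg" -ResourceGroupName $ResourceGroup `
        -Location $Location -SecurityRules $rdpRule

$nic = New-AzNetworkInterface -Name "$VmName-nic" -ResourceGroupName $ResourceGroup -Location $Location `
        -SubnetId $subnet.Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

# B4ms: burstable 4 vCPU / 16 GB, the article's default size for up to about 30 users.
$vmConfig = New-AzVMConfig -VMName $VmName -VMSize 'Standard_B4ms' |
    Set-AzVMOperatingSystem -Windows -ComputerName $VmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate |
    Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
        -Skus '2019-Datacenter' -Version 'latest' |
    Add-AzVMNetworkInterface -Id $nic.Id

New-AzVM -ResourceGroupName $ResourceGroup -Location $Location -VM $vmConfig | Out-Null

# The Azure-side FQDN is what the CNAME in your public DNS should map to.
$fqdn = (Get-AzPublicIpAddress -Name "$VmName-pip" -ResourceGroupName $ResourceGroup).DnsSettings.Fqdn
Write-Host "Azure FQDN: $fqdn"
Write-Host "Create a CNAME in your public DNS, e.g. jiwards.jiwa.com.au -> $fqdn"
```

Until the certificate work later in the article is done, connect using the cloudapp.azure.com name that the script prints, exactly as the portal-based steps describe.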

Connect to the machine

Back in the Overview tab for the VM, select the Connect → RDP option


Click Download RDP File



Open the RDP file - the publisher warning appears - choose Connect



Then enter the administrator credentials you provided when creating the VM :


Click Yes to the certificate warning:



Join the Domain

We need to now join the machine to the Azure Active Directory.  In Control Panel, locate the System and Security > System panel and under the Computer name, domain and workgroup settings, click Change Settings



In the System Properties dialog which appears, press the Change... button



Select the Domain option and enter the custom domain configured in the Azure Active Directory Domain Services


You'll then be prompted to enter the credentials of an account with permissions to join the domain:



You will then receive a confirmation prompt:



You'll then be prompted to restart the machine.  Follow the prompts and restart it.
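The domain join from the Control Panel steps above can also be done from an elevated PowerShell prompt on the VM, which makes it easy to check name resolution first. This is an added example, not from the original article; the domain name is an assumption. The check matters because the join only works when the VM's virtual network hands out the DNS servers of the managed domain: if the SRV lookup below fails, fix the VNet DNS settings before attempting the join.

```powershell
# Added example (not from the original article): verify DNS and join the AADDS managed domain.
$Domain = 'corp.jiwa.com.au'   # assumed: the custom domain configured on Azure AD Domain Services

# The VNet must hand out the AADDS DNS servers; this SRV record only resolves when it does.
$ldapSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
foreach ($dc in ($ldapSrv | Where-Object { $_.Type -eq 'SRV' })) {
    $ok = Test-NetConnection -ComputerName $dc.NameTarget -Port 389 -InformationLevel Quiet
    "{0}: LDAP reachable = {1}" -f $dc.NameTarget, $ok
}

# Join with an account from the managed domain that is allowed to join computers
# (typically a member of the 'AAD DC Administrators' group). The machine restarts afterwards,
# matching the restart prompt in the GUI procedure.
$joinCred = Get-Credential -Message "Account allowed to join $Domain"
Add-Computer -DomainName $Domain -Credential $joinCred -Restart -Force
```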


Reconnect as a Domain user

RDP to the machine again, but this time don't use the local Administrator account - use an account from the Active Directory



Deploy Remote Desktop Session Host Role

In the Server Manager (this will open automatically) select the Add roles and features option


Click Next to the Before you Begin page of the wizard


Choose Remote Desktop Services Installation for the Installation Type page of the wizard



Choose Quick Start for the Deployment Type



Choose Session-based desktop deployment for the Deployment Scenario



Press Next on the Server Selection page



Check the "Restart the destination server automatically if required" checkbox and then press the Deploy button



Wait for the deployment to complete



The machine will automatically restart.  Reconnect whenever it does.  When you reconnect the View progress dialog will be shown - press Close when it finishes.



Configure Remote Desktop Services

From within the Server Manager Dashboard, select Remote Desktop Services



In the Deployment Overview, select the green plus icon for RD Gateway



Press the right arrow button to add the server in the Server Pool list to the Selected List

Click Next.

Enter the FQDN for the machine, and press Next



Press the Add button



The Gateway role service will then be deployed.
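For repeatable builds, the Quick Start deployment and the RD Gateway addition above can be done with the RemoteDesktop PowerShell module instead of the wizards. This is an added example and not the article's own procedure; the internal and external FQDNs are assumptions. Unlike the Quick Start wizard, New-RDSessionDeployment does not create a session collection, so one is created explicitly.

```powershell
# Added example (not from the original article): scripted Quick Start + RD Gateway deployment.
Import-Module RemoteDesktop
$Server       = 'jiwards.corp.jiwa.com.au'   # assumed internal FQDN of the VM (all roles on one server)
$ExternalFqdn = 'jiwards.jiwa.com.au'        # assumed public name users will connect to

# Quick Start = Connection Broker, Web Access and Session Host all on the same server.
# The server may restart during this step; reconnect and continue when it does.
New-RDSessionDeployment -ConnectionBroker $Server -WebAccessServer $Server -SessionHost $Server

# The wizard's Quick Start creates a collection automatically; the cmdlet does not, so add one.
New-RDSessionCollection -CollectionName 'Jiwa' -SessionHost $Server -ConnectionBroker $Server

# RD Gateway: sessions are then tunnelled over HTTPS (443) instead of exposing RDP (3389).
Add-RDServer -Server $Server -Role RDS-GATEWAY -ConnectionBroker $Server -GatewayExternalFqdn $ExternalFqdn

# Confirm every role is present before moving on to the certificate steps.
Get-RDServer -ConnectionBroker $Server | Format-Table Server, Roles -AutoSize
```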



Install a web browser

There are some things to download and install via a browser and the Internet Explorer browser bundled with Windows Server 2019 is unfit for this purpose.  Install a web browser (Edge, Chrome or Firefox).

SSL Certificates and auto-renewal

Free, auto-renewed certificates can be obtained from Let's Encrypt using the win-acme utility.

Visit https://www.win-acme.com/ and download the version with plugin support.







Verify Firewall rules for certificate validation

In order for the win-acme tool to generate a certificate, Let's Encrypt needs to be able to reach the machine using the Fully Qualified Domain Name (FQDN) the certificate is for. It does this via an HTTP request on port 80 (there are other validation options, but this is the simplest).  In the Network Security Group for the VM, ensure that both port 443 and port 80 are open to all public IP addresses.
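The Network Security Group changes described above, plus the removal of the provisioning-time RDP rule mentioned in the Create the VM section, as an added Az PowerShell example that is not part of the original article. Resource names are assumptions. Port 80 has to accept any Internet source because Let's Encrypt does not publish the addresses its validation comes from; the RDP rule removal is guarded by a switch so it is only run once the RD Gateway on 443 has been confirmed working, otherwise you lock yourself out of the VM.

```powershell
# Added example (not from the original article): open 80/443 on the VM's NSG and retire RDP.
$ResourceGroup = 'rg-jiwa-rds'   # assumed
$NsgName       = 'jiwards-nsg'   # assumed
$RemoveRdp     = $false          # set to $true only after the RD Gateway over 443 is verified

$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup

# 80: HTTP-01 validation by Let's Encrypt (source addresses unpublished, so any Internet source).
# 443: RD Gateway for users.
$rules = @(
    @{ Name = 'Allow-HTTP-ACME'; Port = 80;  Priority = 300 },
    @{ Name = 'Allow-HTTPS-RDG'; Port = 443; Priority = 310 }
)
foreach ($r in $rules) {
    if (-not ($nsg.SecurityRules | Where-Object { $_.Name -eq $r.Name })) {
        $nsg | Add-AzNetworkSecurityRuleConfig -Name $r.Name -Protocol Tcp -Direction Inbound `
                -Priority $r.Priority -SourceAddressPrefix Internet -SourcePortRange * `
                -DestinationAddressPrefix * -DestinationPortRange $r.Port -Access Allow | Out-Null
    }
}

# Drop every inbound allow rule for 3389 once the gateway path is in service.
if ($RemoveRdp) {
    $rdpRules = $nsg.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and $_.DestinationPortRange -contains '3389'
    }
    foreach ($rule in $rdpRules) {
        $nsg | Remove-AzNetworkSecurityRuleConfig -Name $rule.Name | Out-Null
    }
}

# Commit and show the resulting rule set.
$nsg | Set-AzNetworkSecurityGroup | Select-Object -ExpandProperty SecurityRules |
    Format-Table Name, Priority, Direction, Access, DestinationPortRange -AutoSize
```

Renewals re-run the same HTTP-01 check, so the port 80 rule has to stay in place after the first certificate is issued.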

Run win-acme

Open an elevated command prompt (Run as administrator) and change directory to the C:\Program Files\win-acme folder


Type in wacs.exe and press enter



Select Create certificate (full options) (M):



Select Manual Input (2), and then enter the FQDN



Press enter to accept the Friendly name, then select option 2 to Serve verification files from memory:



Select the RSA key option:



Select option 4 to place the certificate into the Windows Certificate Store:



Then select option 2 to store in the My General computer store (for Exchange/RDS):



Choose 3: PFX archive

Enter a path to save the exported certificate to (eg: C:\Users\mikes\Documents\Certificates), and select option 2 for the .pfx password (Type / paste in console)


Enter a password for the pfx.



Choose 5: No (additional) store steps



Choose 3: No (additional) installation steps



Answer y to Open the Terms of service document


Answer y to agree with the terms:



Enter recipient email addresses for any problems:



Verification of domain ownership will then take place.  win-acme will create a Windows Scheduled Task to auto-renew the certificate every 3 months - answer n
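After win-acme finishes, it is worth confirming on the VM that the three things the procedure above relies on are actually in place: the certificate in the machine store, the renewal scheduled task, and continued reachability on port 80. This is an added check, not part of the original article; the FQDN is an assumption.

```powershell
# Added example (not from the original article): verify the win-acme result on the VM.
$Fqdn = 'jiwards.jiwa.com.au'   # assumed: the FQDN entered into win-acme

# 1. The certificate should be in LocalMachine\My (the "My General computer store" option above).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$Fqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $Fqdn found in LocalMachine\My" }
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
"Thumbprint : $($cert.Thumbprint)"
"Issuer     : $($cert.Issuer)"
"Expires    : $($cert.NotAfter) ($daysLeft days left)"
if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has no private key; RDS cannot use it' }

# 2. The renewal task must exist and be enabled, otherwise the certificate silently expires.
$task = Get-ScheduledTask | Where-Object { $_.TaskName -like 'win-acme*' }
if (-not $task) {
    Write-Warning 'No win-acme renewal scheduled task found'
} else {
    $task | Get-ScheduledTaskInfo | Format-List TaskName, LastRunTime, LastTaskResult, NextRunTime
}

# 3. Renewal repeats the HTTP-01 validation, so port 80 must still be reachable from the Internet.
$http = Test-NetConnection -ComputerName $Fqdn -Port 80 -InformationLevel Quiet
"Port 80 reachable on $Fqdn : $http"
```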


Assign certificates to RDS deployment

In Server Manager > Remote Desktop Services select Edit Deployment Properties from the Tasks combo-box on the Deployment Overview pane


Select the Certificates tab and then select Select existing certificate...



Press the Browse button and choose the pfx we configured win-acme to generate:



Enter the pfx password and check the Allow the certificate to be added... checkbox



Click the Apply button



Repeat for each Role Service in the Certificates tab of the Configure the deployment dialog.
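The "repeat for each Role Service" step above can be scripted with the RemoteDesktop module, which also matters for renewals: the RDS deployment keeps its own copy of the certificate, so a certificate renewed by win-acme in the Windows store is not picked up by the Gateway, Web Access, Publishing or Redirector roles until it is imported again. This is an added example, not from the original article; the broker FQDN and PFX path are assumptions. Running it after each renewal keeps the deployment in step with the store.

```powershell
# Added example (not from the original article): apply the win-acme PFX to every RDS role service.
Import-Module RemoteDesktop
$Broker  = 'jiwards.corp.jiwa.com.au'                  # assumed connection broker FQDN
$PfxPath = 'C:\Certificates\jiwards.jiwa.com.au.pfx'   # assumed: the export path given to win-acme
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# The same four role services that appear in the Certificates tab of the deployment properties.
$roles = 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector'
foreach ($role in $roles) {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPass `
        -ConnectionBroker $Broker -Force
}

# Every role should now report a Trusted level and the same expiry date.
Get-RDCertificate -ConnectionBroker $Broker | Format-Table Role, Level, ExpiresOn, IssuedTo -AutoSize
```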



SQL Azure

For Azure SQL we use the Standard tier – 50 DTUs is usually the minimum, but we have a couple of customers using less.

If the customer has multiple databases (as is often the case – an NZ operation and an AU operation, for instance) we'll create an elastic pool of 100 DTUs and put all the databases in there.

SQL Database

Database size depends entirely on the nature of the customers business – for a newly provisioned customer we start at 10GB.  We have customers who have 90GB+ sized databases, but not many.
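The two layouts described above (a single Standard database, or several databases sharing a 100 DTU elastic pool) as an added Az.Sql PowerShell example, not from the original article. Server and database names are assumptions, S2 is the Standard service objective that corresponds to 50 DTUs, and the starting size is the 10GB mentioned above. The firewall rule at the end admits only the RDS VM's public address rather than the whole Internet, which is the check a practitioner would want on a database that holds all of the customer's data.

```powershell
# Added example (not from the original article): Azure SQL server, databases and firewall rule.
$ResourceGroup  = 'rg-jiwa-sql'        # assumed
$Location       = 'australiaeast'
$ServerName     = 'jiwa-sql-au'        # assumed; must be globally unique (<name>.database.windows.net)
$UseElasticPool = $true                # $false for a single-database customer
$adminCred      = Get-Credential -Message 'SQL administrator login'

New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
New-AzSqlServer -ResourceGroupName $ResourceGroup -ServerName $ServerName -Location $Location `
    -SqlAdministratorCredentials $adminCred | Out-Null

if ($UseElasticPool) {
    # Multi-database customer: one 100 DTU Standard pool shared by the regional databases.
    New-AzSqlElasticPool -ResourceGroupName $ResourceGroup -ServerName $ServerName `
        -ElasticPoolName 'JiwaPool' -Edition Standard -Dtu 100 | Out-Null
    foreach ($db in 'JiwaAU', 'JiwaNZ') {
        New-AzSqlDatabase -ResourceGroupName $ResourceGroup -ServerName $ServerName -DatabaseName $db `
            -ElasticPoolName 'JiwaPool' -MaxSizeBytes 10GB | Out-Null
    }
} else {
    # Single-database customer: Standard S2 (50 DTU), 10 GB starting size.
    New-AzSqlDatabase -ResourceGroupName $ResourceGroup -ServerName $ServerName -DatabaseName 'JiwaAU' `
        -Edition Standard -RequestedServiceObjectiveName S2 -MaxSizeBytes 10GB | Out-Null
}

# Server firewall: admit only the RDS VM's outbound public address, not 0.0.0.0/0.
$VmPublicIp = '203.0.113.10'   # assumed placeholder; replace with the VM's actual public IP
New-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $ServerName `
    -FirewallRuleName 'rds-vm' -StartIpAddress $VmPublicIp -EndIpAddress $VmPublicIp | Out-Null

Get-AzSqlDatabase -ResourceGroupName $ResourceGroup -ServerName $ServerName |
    Format-Table DatabaseName, Edition, CurrentServiceObjectiveName, ElasticPoolName, MaxSizeBytes -AutoSize
```

Growing a database later (the 90GB+ cases mentioned above) is a change to the database's max size and, if pooled, the pool's settings, rather than a rebuild.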

To use an RDS VM, it must connect to either a domain controller or Azure Active Directory Domain Services.

Remote Desktop Services

Note that the RDS server requires CAL licences for each user – this is a once-off purchase, and you can obtain these from various on-line retailers.

HTML 5 client

SSL Certificates and auto-renewal

App Registration for Email through Office 365 (Microsoft Graph API)

Point to Site VPN


MS Azure Data Backups

Add on extra $$ a month to backup the VM if deemed necessary – we generally don’t as it’s just Windows Server 2019 and Jiwa – nothing that can’t rapidly be rebuilt.


MS Azure Calculator

If you haven’t already, you can use the Azure pricing calculator to see the pricing options - https://azure.microsoft.com/en-au/pricing/calculator

Of particular interest might be the discounts offered for paying up-front for VM’s for 1 or 3 years (41% discount for 1 year, 62% discount for 3 years).


What you would need to do to allow us to help you (permissions, et al)
