In this article I am going to show you step-by-step instructions on how to build a hybrid app collection in Azure RemoteApp.
Quick Reminder of Hybrid App Collections
The benefit of a hybrid app collection is that it allows you to enable users to log into Azure-based and Azure-managed RDS session hosts, while still using company owned servers and services. The below illustration depicts such a scenario:
- A domain controller provides either single sign-on (ADFS) or shared sign-on (DirSync or AD Connect) integration with Azure AD (AAD). The Azure directory is used by RemoteApp to authenticate user login requests.
- A custom template is created and loaded into Azure Remote App. A hybrid app collection is created with the ability to join the resulting session hosts to the customer’s Active Directory (not AAD, but the actual domain). The session host virtual machines run on a dedicated VNET, which has a VPN connection to the customer network. This means that the RemoteApp-managed machines are members of the domain and are subject to Group Policy, which can access customer services.
- Users sign into RemoteApp to use the published applications.
- The users can use the published client applications to access services on the customer’s servers via traditional AD authentication and the VPN connection.
The ability to integrate a hybrid app collection so deeply with an Active Directory and with customer services is what makes this solution so interesting to me. It takes very new technologies and concepts and brings them within the scope of technologies that we have been using for up to 15 years. It can also make legacy services accessible to users all over the world in a very secure manner.
Creating a Custom Template
The first step of the process is to create a custom template, which you can learn how to do in my article, How to Create an Azure RemoteApp Template. This allows you to publish applications of your own in the Azure cloud, subject to technical and licensing requirements.
Integrate Azure Active Directory
This is a subject that’s bigger than the scope of this guide. You have multiple options including:
- AD Connect, which is currently in preview
The good news is that if you have configured Office 365, then you probably already know how to do this stuff. Make sure that the UPN of your users in Active Directory (example: [email protected] in a domain called petri.com) matches the UPN in AAD. If you don’t do this, then users will not be able to sign into RemoteApp and will get an unambiguous “resources not available” error.
Create a RemoteApp App Collection
Log into the Azure management portal and browse to RemoteApp and click Create A RemoteApp Collection. A dialog appears:
- Click Create With VPN to create a hybrid collection.
- Enter a unique name for your collection.
- Choose a plan: a Basic plan is for light-weight users, and a Standard plan is for productivity users.
Create a Virtual Network
The session hosts of a hybrid app collection will be connected to an Azure virtual network. You will create one of these with a gateway for VPN connectivity. Browse into your new app collection, and you should be greeted with the quick start instructions. Click the blue cloud with a lightning bolt in the top navigation bar. Click Link A Virtual Network, where you can create a new RemoteApp virtual network or reuse an existing RemoteApp virtual network.
Click Create A New RemoteApp Virtual Network, name it, and select a region. In the Network Address Spaces screen, you need to enter the addresses of two networks:
- Virtual Network Address Space: This is the private network address of the new network that your session host virtual machines will run in. Ensure that this will not overlap with your existing network(s) and that routing should be OK once a VPN connection is created.
- Local Network Address Space: This is the private network address(es) of your server network(s) that the RemoteApp virtual network will connect to.
The next screen is very important and must be completed correctly. Three pieces of information are required:
- DNS server IP addresses: These addresses will be used to dynamically configure the IP stacks of the new RemoteApp session hosts. Ensure that the addresses can resolve the domain name of your private Active Directory. Tip: use your domain controllers’ IP addresses because they are DNS servers. The DNS traffic will traverse the VPN connection.
- VPN Device IP Address: This is the public IP address of your server network’s VPN device. This is required to connect the gateway of the new RemoteApp virtual network to your server network with a VPN connection.
The third item is whether you want to create a static or a dynamic gateway. This will be determined by:
- How many networks you want to connect together: A static gateway allows two networks to be connected in a 1:1 fashion. A dynamic gateway is required for multiple (1:N) networks to be connected.
- Your server network’s gateway: Some firewalls only support a static gateway. Some will require a dynamic gateway.
Note: An Azure virtual network requires a dynamic gateway for a VNET to VNET VPN — have you figured out how that could make for an interesting solution?
When you finish the wizard, a little box beside Link A Virtual Network indicates that a job is running behind the scenes to create the virtual network. Wait until this is completed.
Complete the VPN Connection
A VPN shared-secret key is created for the gateway of the RemoteApp virtual network. Click Get Key to copy this key and use it to create a VPN connection between your server network and the new RemoteApp app collection. Consult your network device manufacturer’s instructions on how to complete this step.
Prepare Active Directory
Open Active Directory Users and Computers to manage your Active Directory (not AAD). Enable the Advanced view and create an OU for RemoteApp session hosts. Azure RemoteApp will join the Azure-based virtual session hosts to your domain and place the computer objects in this OU. In my example, I created a sub-OU called RemoteApp in a root OU called Petri, in a domain called petri.com.
To enable this, you will need a service account. Create a normal and non-administrative user in Active Directory. In my example, I created a user called RemoteApp, with a UPN of [email protected] Open the properties of the RemoteApp OU, select Security, and click Advanced.
Click Select Principal and select the new service account, which is [email protected] in my example. Ensure that any permission change will effect this object (the OU) and all descendent objects. Next, add the Create Computer Objects and Delete Computer Objects rights to the account before saving all of the changes.
Domain Join Details
Back in the Azure management portal, click Join Local Domain in the quick start view of your app collection. Enter the name of the domain, the OU that you just created to join the RemoteApp session hosts and the service account details. The following image shows you how to do both of these steps:
Do not continue until you have double-checked:
- That the VPN connection is running.
- The local network settings of your VPN network are complete and include all networks of your server network.
- The DNS settings of the RemoteApp virtual network are valid and will resolve your AD’s domain name, the domain controllers, and the domain’s services.
Group Policy and More
When you deploy the session hosts of your new hybrid app collection, you are actually deploying virtual machines running the Session Host role in an RDS farm, with all the complexity of a RDS farm hidden by RemoteApp. These session hosts are domain members, just like with any virtual RDS farm that you might create on Hyper-V or on vSphere. They sign into the domain, apply group policy just like normal session hosts, and the users get login scripts and group policy just like any user signing into a traditional RDS farm. And that is where you can do some clever things:
- Deploy Group Policy for the session hosts: Do things to lock down and secure the session hosts.
- Deploy loopback policy processing for the users: Ensure that anyone logging into the session hosts receives a configuration that is appropriate for an RDS session, such as hiding the local drives of the session host, run login scripts, and more.
You’re doing user and machine administration at this point, something that you might have been doing for quite a long time!
Deploy Session Hosts
The next step is to create your first session host. Click Link A Template Image, click Link An Existing Template, and select one of the templates that you previously uploaded.
Now you must wait, possibly for quite some time — take lunch, go home, or find something else to do for an hour. Behind the scenes new virtual machines are being created and provisioned by Azure. A part of the provisioning process is to:
- Assign the DNS settings of the RemoteApp network in the IP stack of the session host guest OS.
- Attempt to join the guest OS to your domain using the details you previously supplied over the VPN connection that you previously created.
I have found that failures at this point are related to the domain join process:
- The local network settings of the RemoteApp virtual network are incomplete or incorrect.
- The DNS server settings in the RemoteApp virtual network are incorrect.
- The specified DNS server(s) cannot resolve the domain name or domain services.
- The RemoteApp service account in the Active Directory cannot join computers to the OU you specified.
- The supplied domain join information is incorrect.
If the domain join works, then a new computer will be joined to your RemoteApp OU in Active Directory (not AAD). You can breathe a sigh of relief!
You can publish any program that is installed in your custom template, assuming that it meets the technical requirements. Browse into the new app collection and then into Publishing. Click Publish RemoteApp Program. What you are doing here is selecting programs that are listed in the custom template’s Start Screen to be available to anyone that has permission to sign into the app collection.
After you have published something, you get a new Publish button. This allows you to reopen the above dialog to add or remove published programs. You can also publish programs based on their file path. This is a nice way to publish a useful program, such as File Explorer.
You are now ready to grant user access to the app collection. Browse to Assign Users in the app collection. You can either type in the UPN of the user name as it appears in both AAD and Active Directory, or create a CSV with lots of user UPNs and import that.
Now your users can sign into your hybrid RemoteApp app collection using the RemoteApp client for their device’s OS (Windows has a special client) and in their session:
- Get Group Policy assigned to them
- Access server network services
- Have permission and access to domain services
- Use their home directory
- Share files with each other on file servers