Amazon WorkSpaces : A Cost-effective Alternative to Windows Virtual Desktop

An Amazon WorkSpace is a cloud-based virtual desktop that can act as a replacement for a traditional desktop. A WorkSpace is available as a bundle of operating system, compute resources, storage space, and software applications that allow a user to perform day-to-day tasks just like using a traditional desktop.

Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help businesses scale and grow.

Monthly App Cost (Price Dated 06/08/2019):

Application Bundle Applications Additional Monthly Price
Default applications bundle Utilities Firefox, 7-Zip No additional charge
Plus applications bundle Microsoft Office Professional, Trend Micro Worry-Free Business Security Services, Firefox, WinZip Additional $15 per month

Compute cost sample (Price Dated 06/08/2019):

Compute Root Volume User Volume Monthly Pricing
4 vCPU, 16 GB Memory 80 GB 100 GB $104
8 vCPU, 32 GB Memory 80 GB 100 GB $154
8 vCPU, 15 GB Memory, 1 GPU, 4 GB Graphics Memory 100 GB 100 GB $880
16 vCPU, 122 GB Memory, 1 GPU, 8 GB Video Memory 100 GB 100 GB $1,228

Requirements:

AWS Virtual Private Cloud

  • Configure a VPC with Private Subnets and a NAT Gateway
  • Configure a VPC with Public Subnets

Ports

  • TCP/UDP 53 – DNS
  • TCP/UDP 88 – Kerberos authentication
  • UDP 123 – NTP
  • TCP 135 – RPC
  • UDP 137-138 – Netlogon
  • TCP 139 – Netlogon
  • TCP/UDP 389 – LDAP
  • TCP/UDP 445 – SMB
  • TCP 1024-65535 – Dynamic ports for RPC
  • TCP 443
  • TCP 80

Access Control

  • Grant IAM users permission to AWS Workspace

Internet Access

  • Allow ports 443 and 80 to 0.0.0.0/0

LDAP authentication

  • AD Connector — Use your existing on-premises Microsoft Active Directory. Users can sign into their WorkSpaces using their on-premises credentials and access on-premises resources from their WorkSpaces.
  • Microsoft AD — Create a Microsoft Active Directory hosted on AWS.
  • Simple AD — Create a directory that is compatible with Microsoft Active Directory, powered by Samba 4, and hosted on AWS.
  • Cross trust — Create a trust relationship between your Microsoft AD directory and your on-premises domain.

Task 1: Configure a VPC with Private Subnets and a NAT Gateway

Step 1: Allocate an Elastic IP Address

Allocate an Elastic IP address for your NAT gateway as follows. Note that if you are using an alternative method of providing internet access, you can skip this step.

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Elastic IPs.
  3. Choose Allocate new address.
  4. On the Allocate new address page, choose Allocate and make a note of the Elastic IP address, then choose Close.

Step 2: Create a VPC. Create a VPC with one public subnet and two private subnets as follows.

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose VPC Dashboard.
  3. Choose Launch VPC Wizard.
  4. Choose VPC with Public and Private Subnets and then choose Select.
  5. Configure the VPC as follows:
    1. For IPv4 CIDR block, type the CIDR block for the VPC. For example, 10.0.0.0/16. For more information, see VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide.
    2. For VPC name, type a name for the VPC.
  6. Configure the public subnet as follows:
    1. For IPv4 CIDR block, type the CIDR block for the subnet.
    2. For Availability Zone, keep No Preference.
    3. For Public subnet name, type a name for the subnet (for example, WorkSpaces Public Subnet).
  7. Configure the first private subnet as follows:
    1. For Private subnet’s IPv4 CIDR, type the CIDR block for the subnet.
    2. For Availability Zone, select the first one in the list (for example, us-west-2a).
    3. For Private subnet name, type a name for the subnet (for example, WorkSpaces Private Subnet 1).
  8. For Elastic IP Allocation ID, choose the Elastic IP address that you created. Note that if you are using an alternative method of providing internet access, you can skip this step.
  9. Choose Create VPC. Note that it takes several minutes to set up your VPC. After the VPC is created, choose OK.

Step 3: Add a Second Private Subnet

In the previous step, you created a VPC with one public subnet and one private subnet. Use the following procedure to add a second private subnet.

  1. In the navigation pane, choose Subnets.
  2. Choose Create Subnet.
  3. For Name tag, type a name for the private subnet (for example, WorkSpaces Private Subnet 2).
  4. For VPC, select the VPC that you created.
  5. For Availability Zone, select the second one in the list (for example, us-west-2b).
  6. For IPv4 CIDR block, type the CIDR block for the subnet.
  7. Choose Yes, Create.

Step 4: Verify and Name the Route Tables. You can verify and name the route tables for each subnet.

  1. In the navigation pane, choose Subnets, and select the public subnet that you created.
    1. On the Route Table tab, choose the ID of the route table (for example, rtb-12345678).
    2. Select the route table. Type a name (for example, workspaces-public-routetable) and choose the check mark to save the name.
    3. On the Routes tab, verify that there is one route for local traffic and another route that sends all other traffic to the internet gateway for the VPC.
  2. In the navigation pane, choose Subnets, and select the first private subnet that you created (for example, WorkSpaces Private Subnet 1).
    1. On the Route Table tab, choose the ID of the route table.
    2. Select the route table. Type a name (for example, workspaces-private-routetable) and choose the check mark to save the name.
    3. On the Routes tab, verify that there is one route for local traffic and another route that sends all other traffic to the NAT gateway.
  3. In the navigation pane, choose Subnets, and select the second private subnet that you created (for example, WorkSpaces Private Subnet 2). On the Routes tab, verify that the route table is the private route table (for example, workspaces-private-routetable). If the route table is different, choose Edit and select this route table.

Task 2: Configure a VPC with Public Subnets (Optional if you have completed task 1)

Step 1: Create a VPC with one public subnet as follows.

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose VPC Dashboard.
  3. Choose Launch VPC Wizard.
  4. Choose VPC with a Single Public Subnet and then choose Select.
  5. For IPv4 CIDR block, type the CIDR block for the VPC. We recommend that you use a CIDR block from the private (non-publicly routable) IP address ranges specified in RFC 1918. For example, 10.0.0.0/16. For more information, see VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide.
  6. For VPC name, type a name for the VPC.
  7. For Public subnet’s IPv4 CIDR, type the CIDR block for the subnet.
  8. (Optional) For Subnet name, type a name for the subnet.
  9. For Availability Zone, choose the first one in the list.
  10. Choose Create VPC. After the VPC is created, choose OK.

Step 2: Add a Second Public Subnet

In the previous step, you created a VPC with one public subnet. Use the following procedure to add a second public subnet and associate it with the route table for the first public subnet, which has a route to the internet gateway for the VPC.

  1. In the navigation pane, choose Subnets.
  2. Choose Create Subnet.
  3. For Name tag, type a name for the subnet.
  4. For VPC, select the VPC that you created.
  5. For Availability Zone, choose the second one in the list.
  6. For IPv4 CIDR block, type the CIDR block for the subnet.
  7. Choose Create. After the subnet is created, choose Close.
  8. Associate the new public subnet with the route table created for the first subnet as follows:
    1. Select the checkbox for the first subnet.
    2. On the Route Table tab, choose the ID of the route table.
    3. On the Subnet Associations tab, choose Edit subnet associations.
    4. Select the checkbox for the second subnet and choose Save.

Step 3: Assign the Elastic IP Address

You can assign Elastic IP addresses to your WorkSpaces automatically or manually. To use automatic assignment, see Configure Automatic IP Addresses. To assign Elastic IP addresses manually, use the following procedure.

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
  2. In the navigation pane, choose WorkSpaces.
  3. Expand the row for the WorkSpace and note the value of WorkSpace IP. This is the primary private IP address of WorkSpace.
  4. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  5. In the navigation pane, choose Elastic IPs. If you do not have an available Elastic IP address, choose Allocate new address and follow the directions.
  6. In the navigation pane, choose Network Interfaces.
  7. Select the network interface for your WorkSpace. Note that the value of VPC ID matches the ID of your WorkSpaces VPC and the value of Primary private IPv4 IP matches the primary private IP address of the WorkSpace that you noted earlier.
  8. Choose Actions, Associate Address.
  9. On the Associate Elastic IP Address page, choose an Elastic IP address from Address and then choose Associate Address.

Option 1: Launch a WorkSpace Using AWS Managed Microsoft AD

Step 1: Create an AWS Managed Microsoft AD Directory

First, create an AWS Managed Microsoft AD directory. AWS Directory Service creates two directory servers, one in each of the private subnets of your VPC. Note that there are no users in the directory initially. You will add a user in the next step when you launch the WorkSpace.

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
  2. In the navigation pane, choose Directories.
  3. Choose Set up Directory, Create Microsoft AD.
  4. Configure the directory as follows:
    1. For Organization name, type a unique organization name for your directory (for example, my-demo-directory). This name must be at least four characters in length, consist of only alphanumeric characters and hyphens (-), and begin or end with a character other than a hyphen.
    2. For Directory DNS, type the fully-qualified name for the directory (for example, workspaces.demo.com).
    3. For NetBIOS name, type a short name for the directory (for example, workspaces).
    4. For Admin password and Confirm password, type a password for the directory administrator account. For more information about the password requirements, see Create Your AWS Managed Microsoft AD Directory in the AWS Directory Service Administration Guide.
    5. (Optional) For Description, type a description for the directory.
    6. For VPC, select the VPC that you created.
    7. For Subnets, select the two private subnets (with the CIDR blocks 10.0.1.0/24 and 10.0.2.0/24).
    8. Choose Next Step.
  5. Choose Create Microsoft AD.
  6. Choose Done. The initial status of the directory is Creating. When directory creation is complete, the status is Active.

Step 2: Create a WorkSpace

Now that you have created an AWS Managed Microsoft AD directory, you are ready to create a WorkSpace.

To create a WorkSpace

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
  2. In the navigation pane, choose WorkSpaces.
  3. Choose Launch WorkSpaces.
  4. On the Select a Directory page, choose the directory that you created, and then choose Next Step. Amazon WorkSpaces registers your directory.
  5. On the Identify Users page, add a new user to your directory as follows:
    1. Complete Username, First Name, Last Name, and Email. Use an email address that you have access to.
    2. Choose Create Users.
    3. Choose Next Step.
  6. On the Select Bundle page, select a bundle and then choose Next Step.
  7. On the WorkSpaces Configuration page, choose a running mode and then choose Next Step.
  8. On the Review & Launch WorkSpaces page, choose Launch WorkSpaces. The initial status of the WorkSpace is PENDING. When the launch is complete, the status is AVAILABLE and an invitation is sent to the email address that you specified for the user.

Step 3: Connect to the WorkSpace

After you receive the invitation email, you can connect to your WorkSpace using the client of your choice. After you sign in, the client displays the WorkSpace desktop.

Note

When you are connected to your WorkSpace from a Windows or MacOS client, you can toggle the fullscreen display by using following command shortcuts:

  • Windows client: Ctrl+Alt+Enter
  • MacOS client: Control+Option+Return

To connect to the WorkSpace

  1. Open the link in the invitation email. When prompted, specify a password and activate the user. Remember this password as you will need it to sign in to your WorkSpace.
  2. When prompted, download one of the client applications or, for Windows WorkSpaces, launch Web Access. http://clients.amazonworkspaces.com/
  3. Start the client, enter the registration code from the invitation email, and choose Register.
  4. When prompted to sign in, type the user name and password for the user, and then choose Sign In.
  5. (Optional) When prompted to save your credentials, choose Yes.

Option 2: Launch a WorkSpace Using AD Connector (Hybrid Identity or On-prem User Identity using Windows Active Directory)

Step 1: Create an AD Connector

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
  2. In the navigation pane, choose Directories.
  3. Choose Set up Directory, Create AD Connector.
  4. For Organization name, type a unique organization name for your directory (for example, my-example-directory). This name must be at least four characters in length, consist of only alphanumeric characters and hyphens (-), and begin or end with a character other than a hyphen.
  5. For Connected directory DNS, type the fully-qualified name of your on-premises directory (for example, example.com).
  6. For Connected directory NetBIOS name, type the short name of your on-premises directory (for example, example).
  7. For Connector account username, type the user name of a user in your on-premises directory. The user must have permissions to read users and groups, create computer objects, and join computers to the domain.
  8. For Connector account password and Confirm password, type the password for the on-premises user account.
  9. For DNS address, type the IP address of at least one DNS server in your on-premises directory.
  10. (Optional) For Description, type a description for the directory.
  11. Keep Size as Small.
  12. For VPC, select your VPC.
  13. For Subnets, select your subnets. The DNS servers that you specified must be accessible from each subnet.
  14. Choose Next Step.
  15. Choose Create AD Connector. It takes several minutes for your directory to be connected. The initial status of the directory is Requested and then Creating. When directory creation is complete, the status is Active.

Step 2: Create a WorkSpace

Now you are ready to launch WorkSpaces for one or more users in your on-premises directory.

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
  2. In the navigation pane, choose WorkSpaces.
  3. Choose Launch WorkSpaces.
  4. For Directory, choose the directory that you created.
  5. Choose Next. Amazon WorkSpaces registers your AD Connector.
  6. Select one or more existing users from your on-premises directory. Do not add new users to an on-premises directory through the Amazon WorkSpaces console.  To find users to select, you can type all or part of the user’s name and choose Search or choose Show All Users. Note that you cannot select a user that does not have an email address.
  7. After you select the users, choose Add Selected and then choose Next Step.
  8. Under Select Bundle, choose the default WorkSpace bundle to be used for the WorkSpaces. Under Assign WorkSpace Bundles, you can choose a different the bundle for an individual WorkSpace if needed. When you have finished, choose Next Step.
  9. Choose a running mode for your WorkSpaces and then choose Next Step. For more information, see Manage the WorkSpace Running Mode.
  10. Choose Launch WorkSpaces. The initial status of the WorkSpace is PENDING. When the launch is complete, the status is AVAILABLE.
  11. Send invitations to the email address for each user. For more information, see Send an Invitation Email.

Step 3: Connect to the WorkSpace

You can connect to your WorkSpace using the client of your choice. After you sign in, the client displays the WorkSpace desktop.

  • Windows client: Ctrl+Alt+Enter
  • MacOS client: Control+Option+Return

To connect to the WorkSpace

  1. Open Google Chrome, browse http://clients.amazonworkspaces.com/
  2. When prompted, download one of the client applications or launch Web Access.
  3. Start the client, enter the registration code from the invitation email, and choose Register.
  4. When prompted to sign in, type the username and password for the user, and then choose Sign In.
  5. (Optional) When prompted to save your credentials, choose Yes.

Migrating Azure VM to AWS EC2 using AWS Server Migration Service

Requirements for Azure connector

The recommended VM size of Azure connector is F4s – 4 vCPUs and 8 GB RAM. Ensure that you have a sufficient Azure CPU quota in the region where you are deploying the connector.

  • A Standard Storage Account (cannot be Premium) under which the connector can be deployed.
  • A virtual network where the connector can be deployed.
  • Allow inbound port 443 within the connector’s virtual network or not to the the public internet to view the connector dashboard.
  • Outbound Internet access for AWS, Azure, and so on.

Operating Systems Supported by AWS SMS

  • Microsoft Windows Server 2003 R2 or later version
  • Ubuntu 12.04 or later
  • Red Hat Enterprise Linux (RHEL) 5.1-5.11 or later
  • SUSE Linux Enterprise Server 11 with SP1 or later
  • CentOS 5.1-5.11, 6.1-6.6, 7.0-7.6
  • Debian 6.0.0-6.0.8, 7.0.0-7.8.0, 8.0.0
  • Oracle Linux 5.10-5.11 with el5uek kernel
  • Fedora Server 19-21

Considerations for Migration Scenarios

  • A single Server Migration Connector appliance can only migrate VMs under one subscription and one Azure Region.
  • After a Server Migration Connector appliance is deployed, you cannot change its subscription or Region unless you deploy another connector in the new subscription/Region.
  • AWS SMS supports deploying any number of Server Migration Connector appliance VMs to support migration from multiple Azure subscriptions and Regions in parallel.

Migration Steps   

  • Step 1: Download the Connector Installation Script
  • Step 2: Validate the Integrity and Cryptographic Signature of the Script File
  • Step 3: Run the Script
  • Step 4: Configure the Connector
  • (Alternative Procedure) Deploy the Server Migration Connector Manually
  • Step 5. Replicate Azure VM to AWS EC2 instance

Step1: Download the PowerShell script and hash files from the following URLs:

    After download, transfer the files to the computer or computers where you plan to run the script.

Step 2: Validate the Integrity and Cryptographic Signature of the Script File

To validate script integrity using cryptographic hashes (PowerShell). Use one or both of the downloaded hash files to validate the integrity of the script file. To validate with the MD5 hash, run the following command in a PowerShell window:

        PS C:\Users\Administrator> Get-FileHash aws-sms-azure-setup.ps1 -Algorithm MD5

        To validate with the SHA256 hash, run the following command in a PowerShell window:

        PS C:\Users\Administrator> Get-FileHash aws-sms-azure-setup.ps1 -Algorithm SHA256

Compare the returned hash values with the values provided in the downloaded files, aws-sms-azure-setup.ps1.md5 and aws-sms-azure-setup.ps1.sha256.

Next, use either PowerShell or the Windows user interface to check that the script file includes a valid signature from AWS. To check the script file for a valid cryptographic signature (PowerShell)

PS C:\Users\Administrator> Get-AuthenticodeSignature aws-sms-azure-setup.ps1 | Select *

PS C:\Users\Administrator\Desktop\aws-sms-azure-setup.ps1

To check the script file for a valid cryptographic signature (Windows GUI). In Windows Explorer, open the context (right-click) menu on the script file and choose Properties, Digital Signatures, Amazon Web Services, and Details. Verify that the displayed information contains “This digital signature is OK” and that “Amazon Web Services, Inc.” is the signer.

Step 3: Run the Script

Run this script from any computer with PowerShell 5.1 or later installed.

PS C:\Users\Administrator> Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser

PS C:\Users\Administrator> Set-ExecutionPolicy -ExecutionPolicy UnRestricted -Scope LocalMachine

PS C:\Users\Administrator> Connect-AzAccount

If you’re a Cloud Solution Provider (Azure CSP), the -TenantId value must be a tenant ID.

PS C:\Users\Administrator> Connect-AzAccount -TenantId ‘xxxx-xxxx-xxxx-xxxx’

PS C:\Users\Administrator> Connect-AzureRmAccount -Tenant “xxxx-xxxx-xxxx-xxxx” -SubscriptionId “yyyy-yyyy-yyyy-yyyy”

PS C:\Users\Administrator> .\aws-sms-azure-setup.ps1 -StorageAccountName name -ExistingVNetName name -SubscriptionId id -SubnetName name

StorageAccountName =  The name of the Azure storage account where you want to deploy the connector.

ExistingVNetName = The name of the Azure virtual network where you want to deploy the connector.

SubscriptionId = The ID of the subscription to use. The default subscription for the account is used.

SubnetName = The name of the subnet in the virtual network. The subnet named “default” is used.

Step 4: Configure the Connector

RDP to another VM on the same virtual network where you deployed the connector, use Google chrome browser  to the connector’s web interface using the following URL, https://ip-address-of-connector

  1. On the connector landing page, choose Get started now
  2. Review the license agreement, select the check box, and choose Next.
  3. Create a password for the connector. The password must meet the displayed criteria. Choose Next.
  4. On the Network Info page, you can find instructions to perform network-related tasks, such as setting up AWS proxy for the connector. Choose Next.
  5. On the Log Uploads page, select Upload logs automatically and choose Next.
  6. On the Server Migration Service page, provide the following information:
  7. For AWS Region, choose your Region from the list.
  8. For AWS Credentials, enter the IAM credentials that you created in Configure AWS SMS Permissions and Roles. Choose Next.
  9. On the Azure Account Verification page, verify that your Azure subscription ID and location are correct. This connector can migrate VMs under this subscription and location. Provide the object ID of the System Assigned Identity of the connector VM, which was provided as output from the deployment script.
  10. If you successfully set up the connector, the Congratulations page is displayed. To view the health status of the connector, choose Go to connector dashboard.
  11. To verify that the connector that you registered is listed, open the Connectors page on the Systems Manager console.

(Alternative Procedure) Deploy the Server Migration Connector Manually

Complete this procedure to install the connector manually in your Azure environment.

To install the connector manually

Log into the Azure Portal as a user with administrator permissions for the subscription under which you are deploying this connector.

Make sure that you are ready to supply a Storage Account, its Resource Group, a Virtual Network, and the Azure Region as described in Requirements for Azure connector.

Download the connector VHD and associated files from the URLs in the following table.

 Verify the cryptographic integrity of the connector VHD using procedures similar to those described in Step 2: Validate the Integrity and Cryptographic Signature of the Script File.

Upload the connector VHD and associated files to your Storage Account.

$resourceGroupName = “myResourceGroup”

$urlOfUploadedVhd = “https://mystorageaccount.blob.core.windows.net/mycontainer/myUploadedVHD.vhd”

Add-AzVhd -ResourceGroupName $resourceGroupName -Destination $urlOfUploadedVhd -LocalFilePath “E:\Virtual hard disks\myVHD.vhd”

Create a new managed disk with the following parameter values:

$sourceUri = “https://storageaccount.blob.core.windows.net/vhdcontainer/osdisk.vhd”

$osDiskName = “myOsDisk”

$osDisk = New-AzDisk -DiskName $osDiskName –Disk (New-AzDiskConfig -AccountType Standard_LRS -Location $location -CreateOption Import -SourceUri $sourceUri) -ResourceGroupName $destinationResourceGroup

 Where $SourceUri or Storage Blob (Choose the VHD blob you uploaded from step 3.c.)

Create a public IP address and NIC

Create the public IP. In this example, the public IP address name is set to myIP.

$ipName = “myIP”

$pip = New-AzPublicIpAddress  -Name $ipName -ResourceGroupName $destinationResourceGroup

   -Location $location  -AllocationMethod Dynamic

Create the NIC. In this example, the NIC name is set to myNicName.

$nicName = “myNicName”

$nic = New-AzNetworkInterface -Name $nicName -ResourceGroupName $destinationResourceGroup -Location $location -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

Set the VM name and size

$vmName = “myVM”

$vmConfig = New-AzVMConfig -VMName $vmName -VMSize “F4s”

$vm = Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id

Add the OS disk

$vm = Set-AzVMOSDisk -VM $vm -ManagedDiskId $osDisk.Id -StorageAccountType Standard_LRS -DiskSizeInGB 128 -CreateOption Attach -Windows

Complete the VM

New-AzVM -ResourceGroupName $destinationResourceGroup -Location $location -VM $vm

Download the two role documents:

    Edit SMSConnectorRole.json. Change the name field to sms-connector-role-subscription_id. Then change the AssignableScopes field to match your subscription ID.

    Edit SMSConnectorRoleSA.json. Change the name field to sms-connector-role-storage_account. For example, if your account is testStorage, then the name field must be sms-connector-role-testStorage. Then change the AssignableScopes field to match your Subscription, Resource Group, and Storage Account values.

You must use Az CLI or Az PowerShell for this step.

PS C:\Users\Administrator> New-AzRoleDefinition -InputFile C:\Temp\roleDefinition.json

Assign roles to the connector VM. In Azure Portal, choose Storage Account, Access Control, Roles, Add, Add Role Assignment. Choose the role sms-connector-role, assign access to Virtual Machine, and select the connector VM’s System Assigned Identity from the list. Repeat this for the role sms-connector-role-storage_account.

Restart the connector VM to activate the role assignments.

Step 4: Configure the SMS Connector.

This step guides you to replicating Azure VMs Using the AWS SMS Console. Use the AWS SMS console to import your server catalog and migrate your Azure VMs to Amazon EC2. You can perform the following tasks:

  1. Replicate a server using the console
  2. Monitor and modify server replication jobs
  3. Shut down replication

To replicate a VM from Azure to AWS using the console

  1. Install the Server Migration Connector as described in Getting Started with AWS Server Migration Service, including the configuration of an IAM service role and permissions.
  2. In a web browser, open the SMS homepage.
  3. In the navigation menu, choose Connectors. Verify that the connector that you deployed in your Azure environment is shown with a status of healthy.
  4. If you have not yet imported a catalog, choose Servers, Import server catalog. To reflect new servers added in your Azure environment after your previous import operation, choose Re-import server catalog. This process can take up to a minute.
  5. Select a server to replicate and choose Create replication job.
  6. On the Configure server-specific settings page, in the License type column, select the license type for AMIs to be created from the replication job. Windows servers can only use Bring Your Own License (BYOL). Choose Next.
  7. On the Configure replication job settings page, the following settings are available:
  8. For Replication job type, choose a value. The One-time migration option triggers a single replication of your server without scheduling repeating replications.
  9. For Start replication run, configure your replication run to start either immediately or at a later date and time up to 30 days in the future. The date and time settings refer to your browser’s local time.
  10. For IAM service role, provide (if necessary) the IAM service role that you previously created.
  11. For Enable automatic AMI deletion, configure AWS SMS to delete older replication AMIs in excess of a number that you provide in the field.
  12. For Enable AMI Encryption, choose a value. If you choose Yes, AWS SMS encrypts the generated AMIs. Your default CMK is used unless you specify a non-default CMK. For more information, see Amazon EBS Encryption.
  13. For Enable notifications, choose a value. If you choose Yes, you can configure Amazon Simple Notification Service (Amazon SNS) to notify a list of recipients when the replication job has completed, failed, or been deleted.
  14. For Pause replication job on consecutive failures, choose a value. The default is set to Yes. If the job encounters consecutive failures, it will be moved to the PausedOnFailure state and not marked Failed immediately.
  15. Choose Next.
  16. On the Review page, review your settings. If the settings are correct, choose Create. To change the settings, choose Previous. After a replication job is set up, replication starts automatically at the specified time and interval.
  17. On the Replication jobs page, select a job and choose Actions, Start replication run. This starts a replication run that does not affect your scheduled replication runs, except in the case that the on-demand run is still ongoing at the time of your scheduled run. In this case, the scheduled run is skipped and rescheduled at the next interval. The same thing happens if a scheduled run is due while a previous scheduled run is still in progress.
  18. In the AWS SMS console, choose Replication jobs. You can view all replication jobs by scrolling through the table. In the search bar, you can filter the table contents on specific values. Filter the jobs by PausedOnFailure to identify all the paused jobs.
  19. After you have finished replicating a server, you can delete the replication job. Choose Replication jobs, select the desired job, choose Actions, and then choose Delete replication jobs. In the confirmation window, choose Delete. This stops the replication job and cleans up any artifacts created by the service (for example, the job’s S3 bucket). This does not delete any AMIs created by runs of the stopped job.
  20. Once Replication is complete, Pause the replication, Shutdown the Azure VM and Power on AWS EC2 instances.
  21. Once Migration is complete and when you are done using a connector and no longer need it for any replication jobs, you can disassociate it. Choose Connectors and select the connector to disassociate. Choose Disassociate at the top-right corner of its information section and choose Disassociate again in the confirmation window. This action de-registers the connector from AWS SMS.

Prepare Windows 10 Master Image & Deploy Windows Virtual Desktop

Microsoft announced Windows Virtual Desktop and began a private preview. Since then, we’ve been hard at work developing the ability to scale and deliver a true multi-session Windows 10 and Office 365 ProPlus virtual desktop and app experience on any device.

Windows Virtual Desktop will also be extended and enriched by leading partners in the following ways:

  • Citrix can extend Windows Virtual Desktop capabilities with their Citrix Cloud services.
  • Through our partnership with Samsung, Windows Virtual Desktop will provide highly mobile First line Workers access to a full Windows 10 and Office 365 ProPlus experience with Samsung DeX.
  • Software and service providers will extend Windows Virtual Desktop to offer targeted solutions in the Azure marketplace.
  • Microsoft Cloud Solution Providers (CSPs) will deliver end-to-end desktop-as-a-service (DaaS) offerings and value-added services to their customers.

Prepare Image

Prepare Windows 10 Ent Golden Image to be used for Windows Virtual Desktop in Azure Cloud. Execute the following steps on the Windows 10 Ent master image.

Step1: Remove Persistent Routing using this command, route delete

Step2: Remove Proxy Server using this Command, netsh winhttp reset proxy

Step3: Set the disk SAN policy to Onlineall using this command, diskpart then san policy=onlineall

Step4: Set time zone to Windows Automatic

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation’ -name “RealTimeIsUniversal” -Value 1 -Type DWord -force

Set-Service -Name w32time -StartupType Automatic

Step5: Setup Power Profile using this command powercfg /setactive SCHEME_MIN

Step6: Setup TEMP and TMP and location to default

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment’ -name “TEMP” -Value “%SystemRoot%\TEMP” -Type ExpandString -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment’ -name “TMP” -Value “%SystemRoot%\TEMP” -Type ExpandString –force

Step7: Setup Windows Services to automatic

Set-Service -Name bfe -StartupType Automatic

Set-Service -Name dhcp -StartupType Automatic

Set-Service -Name dnscache -StartupType Automatic

Set-Service -Name IKEEXT -StartupType Automatic

Set-Service -Name iphlpsvc -StartupType Automatic

Set-Service -Name netlogon -StartupType Manual

Set-Service -Name netman -StartupType Manual

Set-Service -Name nsi -StartupType Automatic

Set-Service -Name termService -StartupType Manual

Set-Service -Name MpsSvc -StartupType Automatic

Set-Service -Name RemoteRegistry -StartupType Automatic

Step8: Setup Remote Desktop registry

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server’ -name “fDenyTSConnections” -Value 0 -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ -name “fDenyTSConnections” -Value 0 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “PortNumber” -Value 3389 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “LanAdapter” -Value 0 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp’ -name “UserAuthentication” -Value 1 -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp’ -name “SecurityLayer” -Value 1 -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp’ -name “fAllowSecProtocolNegotiation” -Value 1 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ -name “KeepAliveEnable” -Value 1  -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ -name “KeepAliveInterval” -Value 1  -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “KeepAliveTimeout” -Value 1 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ -name “KeepAliveEnable” -Value 1  -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ -name “KeepAliveInterval” -Value 1  -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “KeepAliveTimeout” -Value 1 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services’ -name “fDisableAutoReconnect” -Value 0 -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “fInheritReconnectSame” -Value 1 -Type DWord -force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “fReconnectSame” -Value 0 -Type DWord –force

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp’ -name “MaxInstanceCount” -Value 4294967295 -Type DWord –force

Remove-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp’ -name “SSLCertificateSHA1Hash” –force

Step9: Setup Firewall

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

Enable-PSRemoting -force

 Set-NetFirewallRule -DisplayName “Windows Remote Management (HTTP-In)” -Enabled True

Set-NetFirewallRule -DisplayGroup “Remote Desktop” -Enabled True

Set-NetFirewallRule -DisplayName “File and Printer Sharing (Echo Request – ICMPv4-In)” -Enabled True

Step10: Check VM disk on next boot

Chkdsk /f

Step11: Set the Boot Configuration Data (BCD) settings

 bcdedit /set {bootmgr} integrityservices enable

 bcdedit /set {default} device partition=C:

 bcdedit /set {default} integrityservices enable

 bcdedit /set {default} recoveryenabled Off

 bcdedit /set {default} osdevice partition=C:

 bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

 #Enable Serial Console Feature

 bcdedit /set {bootmgr} displaybootmenu yes

 bcdedit /set {bootmgr} timeout 5

 bcdedit /set {bootmgr} bootems yes

 bcdedit /ems {current} ON

 bcdedit /emssettings EMSPORT:1 EMSBAUDRATE:115200

Step11: Setup Crash dump

# Setup the Guest OS to collect a kernel dump on an OS crash event

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl’ -name CrashDumpEnabled -Type DWord -force -Value 2

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl’ -name DumpFile -Type ExpandString -force -Value “%SystemRoot%\MEMORY.DMP”

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl’ -name NMICrashDump -Type DWord -force -Value 1

#Setup the Guest OS to collect user mode dumps on a service crash event

$key = ‘HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps’

if ((Test-Path -Path $key) -eq $false) {(New-Item -Path ‘HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting’ -Name LocalDumps)}

New-ItemProperty -Path $key -name DumpFolder -Type ExpandString -force -Value “c:\CrashDumps”

New-ItemProperty -Path $key -name CrashCount -Type DWord -force -Value 10

New-ItemProperty -Path $key -name DumpType -Type DWord -force -Value 2

Set-Service -Name WerSvc -StartupType Manual

Step12: Verify that the Windows Management Instrumentations (WMI) repository

winmgmt /verifyrepository

Step14: Do not remove or modify access for the following accounts

  • Administrators
  • Backup Operators
  • Everyone
  • Users

Step13: Install Azure VM Agents

Install the Azure VMs Agent.

Step14: Setup Pagefile to different location

Set-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management’ -name “PagingFiles” -Value “D:\pagefile.sys” -Type MultiString –force

Generalise Golden Image

  1. Boot a PC into Audit Mode. When Windows boots into Audit Mode, System Preparation Tool will appear on the desktop. You can choose to either close the System Preparation Tool window or allow it to remain open.
  2. Customize Windows by adding drivers, changing settings, and installing programs. Do not install any Microsoft Store apps using the Microsoft Store.
  3. Run Sysprep. %WINDIR%\system32\sysprep\sysprep.exe /generalize /shutdown /oobe

Convert disk using Hyper-V Manager

  1. Open Hyper-V Manager and select your local computer on the left. In the menu above the computer list, click Action > Edit Disk.
  2. On the Locate Virtual Hard Disk screen, locate and select your virtual disk.
  3. On the Choose Action screen, and then select Convert and Next.
  4. If you need to convert from VHDX, select VHD and then click Next.
  5. If you need to convert from a dynamically expanding disk, select Fixed size and then click Next.
  6. Locate and select a path to save the new VHD file to.
  7. Click Finish.
  8. You can do the same using PowerShell Convert-VHD –Path c:\test\MY-VM.vhdx –DestinationPath c:\test\MY-NEW-VM.vhd -VHDType Fixed

Export Windows 10 Enterprise VHD

  1. On Hyper-V Manager, right-click the virtual machine and select Export.
  2. Choose where to store the exported files, and click Export.
  3. When the export is done, you can see all exported files under the export location.

Upload VHD to Azure Blob Storage

You can also upload a VHD to your storage account using one of the following:

  • AzCopy
  • Azure Storage Copy Blob API
  • Azure Storage Explorer Uploading Blobs
  • Storage Import/Export Service REST API Reference
  • PowerShell

Use the Add-AzVhd cmdlet to upload the VHD to a container in your storage account.

$rgName = “myResourceGroup”

$urlOfUploadedImageVhd = “https://mystorageaccount.blob.core.windows.net/mycontainer/myUploadedVHD.vhd”

Add-AzVhd -ResourceGroupName $rgName -Destination $urlOfUploadedImageVhd

    -LocalFilePath “C:\Users\Public\Documents\Virtual hard disks\myVHD.vhd”

Create a managed image from the uploaded VHD

$location = “Australia East”

$imageName = “Windows10EntGoldImage”

$imageConfig = New-AzImageConfig -Location $location

$imageConfig = Set-AzImageOsDisk -Image $imageConfig -OsType Windows -OsState Generalized -BlobUri $urlOfUploadedImageVhd -DiskSizeGB 20

New-AzImage  -ImageName $imageName -ResourceGroupName $rgName –Image $imageConfig

Create the VM

New-AzVm -ResourceGroupName $rgName  -Name ” VM1″ -ImageName $imageName -Location $location -VirtualNetworkName “myVnet” -SubnetName “mySubnet” -SecurityGroupName “myNSG” -PublicIpAddressName “myPIP” -OpenPorts 3389

Deploy Windows Virtual Desktop Host Pool from the Azure Managed Image.

Use the below KBs to create Windows Virtual Desktop host pool.

KB1 and KB2. Follow the KBs except when selecting an image select Managed Image you created using above how to. 

Forrester Reaserch Rates Server Hosted Virtual Desktop

Forrester Research Inc evaluates and rates server hosted virtual desktops. Forrester identified seven contenders in desktop virtualization platform. The following are the outcome of Forrester Research on VDI providers.

Product Evaluated:

  • Citrix XenDesktop 7.6
  • Wyse vWorkspace 8.5
  • Listed BoXedVDI 3.2.1
  • Nimboxx Verde 8.x
  • Oracle Global Desktop 5.2
  • VMware View 6.1

Selection Criteria:

Capture2

Scores:

Capture3

Results:

Capture

Credit: Forrester.com

How to deploy VDI using Microsoft RDS in Windows Server 2012 R2

Remote Desktop Services is a server role consists of several role services. Remote Desktop Services (RDS) accelerates and securely extends desktop and applications to any device and anyplace for remote and roaming worker. Remote Desktop Services provide both a virtual desktop infrastructure (VDI) and session-based desktops.

In Windows Server 2012 R2, the following roles are available in Remote Desktop Services: 

Role service name Role service description
RD Virtualization Host RD Virtualization Host integrates with Hyper-V to deploy pooled or personal virtual desktop collections
RD Session Host RD Session Host enables a server to host RemoteApp programs or session-based desktops.
RD Connection Broker RD Connection Broker provides the following services

  • Allows users to reconnect to their existing virtual desktops, RemoteApp programs, and session-based desktops.
  • Enables you to evenly distribute the load among RD Session Host servers in a session collection or pooled virtual desktops in a pooled virtual desktop collection.
  • Provides access to virtual desktops in a virtual desktop collection.
RD Web Access RD Web Access enables you the following services

  • RemoteApp and session-based desktops Desktop Connection through the Start menu or through a web browser.
  • RemoteApp programs and virtual desktops in a virtual desktop collection.
RD Licensing RD Licensing manages the licenses for RD Session Host and VDI.
RD Gateway RD Gateway enables you to authorized users to connect to VDI, RemoteApp

For a RDS lab, you will need following servers.

  • RDSVHSRV01- Remote Desktop Virtualization Host server. Hyper-v Server.
  • RDSWEBSRV01- Remote Desktop Web Access server
  • RDSCBSRV01- Remote Desktop Connection Broker server.
  • RDSSHSRV01- Remote Desktop Session Host Server
  • FileSRV01- File Server to Store User Profile

This test lab consist of 192.168.1.1/24 subnets for internal network and a DHCP Client i.e. Client1 machine using Windows 8 operating system. A test domain called testdomain.com. You need a Shared folder hosted in File Server or SAN to Hyper-v Cluster as Virtualization Host server. All RD Virtualization Host computer accounts must have granted Read/Write permission to the shared folder. I assume you have a functional domain controller, DNS, DHCP and a Hyper-v cluster. Now you can follow the steps below.

Step1: Create a Server Group

1. Open Server Manager from Task bar. Click Dashboard, Click View, Click Show Welcome Tile, Click Create a Server Group, Type the name of the Group is RDS Servers

2. Click Active Directory , In the Name (CN): box, type RDS, then click Find Now.

3. Select RDSWEBSRV01, RDSSHSRV01, RDSCDSRV01, RDSVHSRV01 and then click the right arrow.

4. Click OK.

Step2: Deploy the VDI standard deployment

1. Log on to the Windows server by using the testdomain\Administrator account.

2. Open Server Manager from Taskbar, Click Manage, click Add roles and features.

3. On the Before You Begin page of the Add Roles and Features Wizard, click Next.

4. On the Select Installation Type page, click Remote Desktop Services scenario-based Installation, and then click Next.

clip_image002

5. On the Select deployment type page, click Standard deployment, and then click Next. A standard deployment allows you to deploy RDS on multiple servers splitting the roles and features among them. A quick start allows you to deploy RDS on to single servers and publish apps.

clip_image004

6. On the Select deployment scenario page, click Virtual Desktop Infrastructure, and then click Next.

clip_image006

7. On the role services page, review roles then click Next.

clip_image008

8. On the Specify RD Connection Broker server page, click RDSCBSRV01.Testdomain.com, click the right arrow, and then click Next.

clip_image010

9. On the Specify RD Web Access server page, click RDSWEBSRV01.Testdomain.com, click the right arrow, and then click Next.

clip_image012

10. On the Specify RD Virtualization Host server page, click RDSVHSRV01.Testdomain.com, click the right arrow, and then click Next. RDSVHSRV01 is a physical machine configured with Hyper-v. Check Create a New Virtual Switch on the selected server.

clip_image014

11. On the Confirm selections page, Check the Restart the destination server automatically if required check box, and then click Deploy.

clip_image016

12. After the installation is complete, click Close.

clip_image018

 

 

Step3: Test the VDI standard deployment connectivity

You can ensure that VDI standard deployment deployed successfully by using Server Manager to check the Remote Desktop Services deployment overview.

1. Log on to the DC1 server by using the testdomain\Administrator account.

2. click Server Manager, Click Remote Desktop Services, and then click Overview.

3. In the DEPLOYMENT OVERVIEW section, ensure that the RD Web Access, RD Connection Broker, and RD Virtualization Host role services are installed. If there is an icon and not a green plus sign (+) next to the role service name, the role service is installed and part of the deployment

clip_image020

 

Step4: Configure FileSRV1

You must create a network share on a computer in the testdomain domain to store the user profile disks. Use the following procedures to connect to the virtual desktop collection:

  • Create the user profile disk network share
  • Adjust permissions on the network share

Create the user profile disk network share

1. Log on to the FileSRV1 computer by using the TESTDOMAIN\Administrator user account.

2. Open Windows Explorer.

3. Click Computer, and then double-click Local Disk (C:).

4. Click Home, click New Folder, type RDSUserProfile and then press ENTER.

5. Right-click the RDSUSERPROFILE folder, and then click Properties.

6. Click Sharing, and then click Advanced Sharing.

7. Select the Share this folder check box.

8. Click Permissions, and then grant Full Control permissions to the Everyone group.

9. Click OK twice, and then click Close.

Setup permissions on the network share

1. Right-click the RDSUSERPROFILE folder, and then click Properties.

2. Click Security, and then click Edit.

3. Click Add.

4. Click Object Types, select the Computers check box, and then click OK.

5. In the Enter the object names to select box, type RDSVHSRV01.Testdomain.com, and then click OK.

6. Click RDSVHSRV01, and then select the Allow check box next to Modify.

7. Click OK two times.

Step5: Configure RDSVHSRV01

You must add the virtual desktop template to Hyper-V so you can assign it to the pooled virtual desktop collection.

Create Virtual Desktop Template in RDSVHSRV01

1. Log on to the RDSVHSRV01 computer as a Testdomain\Administrator user account.

2. Click Start, and then click Hyper-V Manager.

3. Right-click RDSVHSRV01, point to New, and then click Virtual Machine.

4. On the Before You Begin page, click Next.

5. On the Specify Name and Location page, in the Name box, type Virtual Desktop Template, and then click Next.

clip_image022

6. On the Assign Memory page, in the Startup memory box, type 1024, and then click Next.

clip_image024

7. On the Configure Networking page, in the Connection box, click RDS Virtual, and then click Next.

clip_image026

8. On the Connect Virtual Hard Disk page, click the Use an existing virtual hard disk option.

clip_image028

9. Click Browse, navigate to the virtual hard disk that should be used as the virtual desktop template, and then click Open. Click Next.

clip_image030

10. On the Summary page, click Finish.

Step6: Create the managed pooled virtual desktop collection in RDSVHSRV01

Create the managed pooled virtual desktop collection so that users can connect to desktops in the collection.

1. Log on to the RDSCBSRV01 server as a TESTDOMAIN\Administrator user account.

2. Server Manager will start automatically. If it does not automatically start, click Start, type servermanager.exe, and then click Server Manager.

3. In the left pane, click Remote Desktop Services, and then click Collections.

4. Click Tasks, and then click Create Virtual Desktop Collection.

clip_image031

5. On the Before you begin page, click Next.

6. On the Name the collection page, in the Name box, type Testdomain Managed Pool, and then click Next.

clip_image033

7. On the Specify the collection type page, click the Pooled virtual desktop collection option, ensure that the Automatically create and manage virtual desktops check box is selected, and then click Next.

clip_image035

8. On the Specify the virtual desktop template page, click Virtual Desktop Template, and then click Next.

clip_image037

9. On the Specify the virtual desktop settings page, click Provide unattended settings, and then click Next. In this step of the wizard, you can also choose to provide an answer file. A Simple Answer File can be obtained from URL1 and URL2

10. On the Specify the unattended settings page, enter the following information and retain the default settings for the options that are not specified, and then click Next.

§ In the Local Administrator account password and Confirm password boxes, type the same strong password.

§ In the Time zone box, click the time zone that is appropriate for your location.

11. On the Specify users and collection size page, accept the default selections, and then click Next.

12. On the Specify virtual desktop allocation page, accept the default selections, and then click Next.

13. On the Specify virtual desktop storage page, accept the default selections, and then click Next.

14. On the Specify user profile disks page, in the Location user profile disks box, type \\FileSRV01\RDSUserProfile, and then click Next. Make sure that the RD Virtualization Host computer accounts have read and write access to this location.

15. On the Confirm selections page, click Create.

Step8: Test Remote Desktop Services connectivity

You can ensure the managed pooled virtual desktop collection was created successfully by connecting to the RD Web Access server and then connecting to the virtual desktop in the Testdomain Managed Pool collection.

1. Open Internet Explorer.

2. In the Internet Explorer address bar, type https://RDSWEBSRV01.Testdomain.com/RDWeb, and then press ENTER.

3. Click Continue to this website (not recommended).

clip_image039

4. In the Domain\user name box, type TESTDOMAIN\Administrator.

5. In the Password box, type the password for the TESTDOMAIN\Administrator user account, and then click Sign in.

6. Click Testdomain Managed Pool, and then click Connect.

Relevant Configuration

Remote Desktop Services with ADFS SSO

Remote Desktop Services with Windows Authentication

RDS With Windows Authentication

Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Step1: Configure the SharePoint server

1. On the server running SharePoint Products and Technologies, open the SharePoint Central Administration tool.

2. In the SharePoint 2013 Central Administration tool or in the SharePoint 2010 Central Administration tool, under System Settings, click Configure alternate access mappings.

3. On the Alternate Access Mappings page, in the Alternate Access Mapping Collection list, click Change Alternate Access Mapping Collection, and then on the Select an Alternate Access Mapping Collection dialog box, select the application that you want to publish.

4. On the Alternate Access Mappings page, click Edit Public URLs.

5. On the Edit Public Zone URLs page, in a zone box that is not yet defined, such as the Internet zone, enter the URL of the same public host name that you entered in the Public host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). Make sure that the URL includes the protocol, according to the trunk type.

6. For example, if you are publishing an application via an HTTPS trunk that resides in the domain xman.com, and the application’s public host name that you entered in Forefront UAG is Portal, enter the following URL: https://Portal.xman.com.

7. When you have finished, click Save.

8. On the Alternate Access Mappings page, click Add Internal URLs, and then on the Add Internal URLs page, do the following:

9. In the URL protocol, host and port box, enter the URL that you assigned in the Farm host name box when you added the SharePoint web application to the Forefront UAG trunk (described in Configuring Forefront UAG settings). For example: http://PortalExternal.xman.com.

10. In the Zone list, click the same zone in which you defined the public host name (in step 5 of this procedure), and then click Save.

Step2: Create a New trunk

Right Click on HTTPS Application, Click New Trunk, Select Portal Trunk, Click Next

clip_image002

Type SharePoint 2010 on the Trunk Name, Type FQDN of SharePoint, Type IP address of external NIC, Click Next

clip_image004

On the Authentication Page, Click Add, Select DC, Click Next

clip_image006

Select SharePoint.xman.com.au certificate from drop down, Click Next. Don’t worry about certificate screen shot. this is a test environment.

clip_image008

Select Use Forefront UAG Access Policies, Click Next

clip_image010

Select Default and Click Next

clip_image012

Click Finish.

clip_image014

clip_image016

Step3: add SharePoint web applications to the trunk.

In the Forefront UAG Management console, click the trunk to which you want to add the application, and then in the Applications area, click Add.

In the Add Application Wizard, on the Select Application page, click Web, and then in the list, click Microsoft Office SharePoint Server 2013, Microsoft SharePoint Server 2010, or Microsoft Office SharePoint Server 2007.

clip_image018

clip_image020

On the Select Endpoint Policies page, select the relevant SharePoint download and upload policies. These policies have been designed specifically for use with published SharePoint applications.

clip_image022

On the Web Servers page, do the following:

In the Addresses box, enter the internal host name of the server running SharePoint Products and Technologies. If your SharePoint server is load balanced, use the load-balanced URL instead of a server name. Make sure that you enter a fully qualified domain name.

In the Paths box, you can optionally define one or more paths on which the application resides, by double-clicking an empty line and entering a path. Note that the path must start with a slash.

In either the HTTP Port box or the HTTPS Port box, enter the port on which the SharePoint server is configured to listen.

In the Public host name box, enter a public host name of your choice for the SharePoint web application.

Select the Replace host header with the following check box, and in the Farm host name box, enter a URL of your choice that will be used to differentiate the internal host name of the application from its public host name. Make sure that the URL includes the domain in which the trunk resides (the domain of the trunk appears on the Web Servers tab, to the right of the Public host name box). For example, if the public host name of the application is HRPortal and the trunk resides in the domain xman.com, enter the following replacement host header: HRPortalExternal.xman.com.

clip_image024

clip_image026

On the Authentication page, do the following:

To allow rich client applications, such as Microsoft Word or Microsoft Excel, to authenticate directly to the SharePoint application without authenticating to the portal, select the Allow rich clients to bypass trunk authentication check box.

To use Office Forms Based Authentication (MSOFBA), select the Use Office Forms Based Authentication for Office client applications check box.

clip_image028

On the Portal Link page of the wizard, if required, configure the portal link for the application.

If you are publishing Microsoft SharePoint Server 2010, make sure that the Open in a new window check box is selected.

clip_image030

clip_image032

When you have completed the wizard, click Finish.

The Add Application Wizard closes, and the application that you defined appears in the Applications list.

clip_image034

clip_image036

On the toolbar of the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate.

After the configuration is activated, the message “Forefront UAG configuration activated successfully” appears.

Step4: Configure Mobile devices Access for SharePoint

When end users access a SharePoint 2010 site from a mobile device using the Office Mobile client, to allow the device to download documents from a SharePoint site, you must make the following URL set changes:

1. In the Forefront UAG Management console, open the Advanced Trunk Configuration dialog box, and click the URL Set tab.

2. In the URL list, scroll to InternalSite_Rule54, and in the Methods column, add the HEAD method.

3. In the URL list, scroll to SharePoint14AAM_Rule47, and in the Methods column, add the HEAD method.

4. On the Advanced Trunk Configuration dialog box, click OK, and then activate the configuration.

5. When end users open an Excel file on a SharePoint site from their mobile device, the file opens correctly. If they then go to a different SharePoint site, the first time they try to open an Excel file it may not open as expected; end users must click the file again to open it.

Install and Configure Forefront UAG 2010 Step by Step

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Experience Mobile Browsing Using UAG 2010

Part 7: Publish FTP using UAG 2010

Part 8: Publish Application Specific Host Name using UAG 2010

Part 9: FF UAG 2010 Patching Order

Part 10: Publish Lync 2013 Using UAG 2010

Forefront UAG Overview:

Forefront Unified Access Gateway 2010 (UAG) provides secure remote endpoint connections to corporate resources for employees, partners, and vendors on both computer and mobile devices. UAG provides many benefits. the following is the extract from http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

  • Empowers employees, partners, and vendors to be productive from virtually any device or location through integrated SSL VPN capabilities.
  • Delivers simple and secure access optimized for applications such as SharePoint, Exchange, and Dynamics CRM.
  • Extends networking connectivity with Windows Direct Access to existing infrastructure and legacy applications.
  • Protects IT assets through fine-grained and built-in policies that provide access to sensitive data based on identity and endpoint health.
  • Easily integrates with Active Directory and enables a variety of strong authentication methods.
  • Limits exposure and prevent data leakage to unmanaged endpoints.

Assumptions:

The following servers is installed and configured in a test environment.

image 

Systems Requirements:

Option

Description

Virtual Machine Name

DC1TVUAG01

Memory

8GB

vCPU

1

Hard Disk 1

50GB

Hard Disk 2

50GB

Network Adapter

2

Guest Operating System

Windows Server 2008 R2

Service Pack Level

SP1

Software Requirement:

Version

Microsoft Forefront Unified Access Gateway 2010

Service Pack Level

SP3

Forefront UAG automatically installs and uses the following Windows Server 2008 operating system features:

  • Microsoft .NET Framework 3.5 SP1
  • Windows Web Services API
  • Windows Update
  • Microsoft Windows Installer 4.5
  • SQL Server Express 2005
  • Forefront TMG is installed as a firewall during Forefront UAG setup
  • The Windows Server 2008 R2 DirectAccess component is automatically installed.

The following roles and features are installed by Forefront UAG, and are required for Forefront UAG to function properly.

  • Network Policy Server
  • Routing and Remote Access Services
  • Active Directory Lightweight Directory Services Tools
  • Message Queuing Services
  • Web Server (IIS) Tools
  • Network Load Balancing Tools
  • Windows PowerShell

Supported Browser Clients:

Browser

Features

Firefox

Endpoint Session Cleanup

Endpoint detection

SSL Application Tunneling

Endpoint Quarantine Enforcement

Internet Explorer

Endpoint Session Cleanup

Endpoint detection

SSL Application Tunneling

Socket Forwarding

SSL Network Tunneling (Network Connector)

Endpoint Quarantine Enforcement

Supported Mobile Devices:

Device Name

Features

Windows Phone

Premium mobile portal

iOS: 4.x and 5.x on iPhone and iPad

Premium mobile portal

Android: Phone 2.3; Tablet 3.0; Phone 4.0; Tablet 4.0

Premium mobile portal

Service Account for Active Directory Authentication:

Service Account

Privileges

Password

xman\SA-FUAG

Domain Users

Password set to never expired

Domain Joined Forefront UAG:

The Forefront UAG server will be a member of XMAN domain to achieve the following benefits.

  • Add the server to an array of Forefront UAG servers at a later date.
  • Configure the server as a Forefront UAG DirectAccess server at a later date.
  • Deploy single sign on using Kerberos constrained delegation to forward session credentials to backend published servers requiring authentication.
  • Publish the File Access application via a Forefront UAG trunk.
  • Provide remote clients with access to the internal corporate network using SSTP.

Antivirus Exclusion:

Version

Paths

Processes

Forefront UAG 2010

UAG installation folder (may be changed during installation)
%ProgramFiles%\Microsoft Forefront Unified Access Gateway

Forefront UAG DNS-ALG Service
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\DnsAlgSrv.exe

Forefront UAG Monitoring Manager
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\MonitorMgrCom.exe

Forefront UAG Session Manager
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\SessionMgrCom.exe

Forefront UAG File Sharing
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\ShareAccess.exe

Forefront UAG Quarantine Enforcement Server
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagqessvc.exe

Forefront UAG Terminal Services RDP Data
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\uagrdpsvc.exe

Forefront UAG User Manager
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\UserMgrCom.exe

Forefront UAG Watch Dog Service
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\WatchDogSrv.exe

Forefront UAG Log Server
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlerrsrv.exe

Forefront UAG SSL Network Tunneling Server
%ProgramFiles%\Microsoft Forefront Unified Access Gateway\whlios.exe

Forefront UAG Placement:

The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

There are advantages to place the Forefront UAG server between a frontend and backend firewall, as follows:

  • Intranet content, such as servers published by Forefront UAG, can be isolated in the perimeter network and separated from corporate content intended for internal access only.
  • Integrity of the content in the corporate network is retained.
  • Securely publish backend applications and access infrastructure servers, such as authentication servers, as required.
  • Hide corporate network infrastructure from perimeter and external threat.

Scenario#1

image

Perimeter Port Requirement:

To allow remote endpoints to access the published application behind a frontend cloud router, the following traffic must be allowed through the frontend firewall:

  • HTTP traffic (port 80)
  • HTTPS traffic (port 443)
  • FTP Traffic (Port 21)
  • RDP Traffic (Port 3389)

Backend Port Requirement

Since XMAN infrastructure servers are located in the internal network, the following ports are required by Forefront UAG for authentication and publishing purpose.

Infrastructure server

Protocol

Port

Direction

Domain controller

Microsoft-DS traffic

TCP 445

UDP 445

From UAG to DC

 

Kerberos authentication

TCP 88

UDP 88

From UAG to DC

 

LDAP

TCP 389

UDP 389

From UAG to DC

 

LDAPS

TCP 636

UDP 636

From UAG to DC

 

LDAP to GC

TCP 3268

UDP 3268

From UAG to DC

 

LDAPS to GC

TCP 3269

UCP 3269

From UAG to DC

 

DNS

TCP 53

UDP 53

From UAG to DC

Exchange, SharePoint, RDS

HTTPS

TCP 443

From external to internal server

FTP

FTP

TCP 21

From external to internal server

Scenario#2

In this scenario no NAT or internal firewall rules are needed but not a best practice and not a great firewall design.

image

UAG Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated UAG network name. The following binding order will be maintained within Windows operating systems:

· First in Order- UAG internal adapter connected to the trusted network.

· Second in Order- UAG external adapter connected to the untrusted network.

The following are the network configuration for UAG server.

Option

IP Address

Subnet

Default Gateway

DNS

Internal Network

10.10.10.2

255.255.255.0

Not required

10.10.10.1

External Network

192.168.1.1

255.255.255.0

192.168.1.254

Not required

Important! External Network can be assigned public IP if UAG server isn’t placed behind frontend router/firewall. In an edge configuration UAG external network is configured with public IP and internal network is assigned an IP address of internal IP range.

Based upon Microsoft practices, the configuration shown below is a tried and tested approach that can be used as part of a Forefront UAG deployment. Extract from Recommended Network Adapter Configuration for Forefront UAG Servers

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and UAG wizard/console names. For example:

  • UAG adapter connected to the trusted network: Internal Network
  • UAG adapter connected to the untrusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the TMG internal adapter is left at the default settings of Enabled on the TMG Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a Forefront UAG array.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

Internal Network (Highest)
External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

clip_image005

Configuration Step 4 – Run the UAG Network Interfaces Wizard:

You should now run the UAG Network Interfaces wizard, and assign the network adapters to their respective Internal and External connection types/roles.

clip_image007

Important! As you have configured the default gateway on the External Network adapter, it is necessary to add static routes to define internal network subnets that are reached via the Internal Network adapter but located behind routers (including VLANs on layer 3 switches) on the internal network. The use of multiple default gateways is not supported and static routes are the recommended solution. Once you have defined the appropriate static routes, you will then need to run the UAG Network Interfaces wizard to add the new subnets (called address ranges) to the internal network definition; these will consequently be inherited by TMG and allow correct traffic flow.

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:

Purpose

Public Host Name

Public IP Address

Exchange

webmail.xman.com.au

203.17.x.x

SharePoint

sharepoint.xman.com.au

203.17.x.x

RDS

remote.xman.com.au

203.17.x.x

FTP

ftp.xman.com.au

203.17.x.x

Scenario#1 Firewall Rules consideration

External NAT Rules

The following NAT rules will be added into perimeter network to publish application and services through Forefront UAG.

Rule(s)

Description

Source IP

Public IP Address

(Destination IP Address)

Port

NAT Destination

Status

1

Exchange

Any

203.17.x.x

443

10.10.10.2

Forward

2

SharePoint

Any

203.17.x.x

443

10.10.10.2

Forward

4

RDS

Any

203.17.x.x

443

10.10.10.2

Forward

5

FTP

Any

203.17.x.x

21

10.10.10.2

Forward

Internal Firewall Rules

The following firewall rules will be added into internal network firewall to allow communication from UAG server to application servers and domain controller:

Rules

Description

Source IP

Port

TCP & UDP

NAT Destination

Destination

Status

1

Exchange

10.10.10.2

TCP 443

Not Required

10.10.10.3

Forward

2

SharePoint

10.10.10.2

TCP 443

Not Required

10.10.10.4

Forward

4

RDS

10.10.10.2

TCP 443

Not Required

10.10.10.5

Forward

5

FTP

10.10.10.2

TCP 21

Not Required

10.10.10.6

Forward

6

Client

10.10.12.0/24

10.10.13.0/24

TCP 443

TCP 21

Not Required

10.10.10.2

Forward

7

Domain Controller

10.10.10.2

445, 88, 53

389, 636

3268, 3296

Not Required

10.10.10.1

Forward

Understanding Certificates requirements:

Forefront UAG supports wildcard certificates at the domain level and sub-domain level. Wildcard certificates in the form *.xman.com.au are supported. In addition the SAN certificate can specify the required host names.

Launch Certificate Manager

1. Click to open the Certificate Manager Microsoft Management Console (MMC). Using Certificate Manager, you can import a certificate into the IIS Certificate store, as follows:

2. On the Action menu of Certificate Manager, click All Tasks, and then click Import.

3. Follow the instructions in the Certificate Import Wizard.

Common Name

Subject Alternative Name

Certificate Issuer

RDS.xman.com.au

Verisign/Digicert

webmail.xman.com.au

autodiscover.xman.com.au

Verisign/Digicert

ftp.xman.com.au

Verisign/Digicert

sharepoint.xman.com.au

Verisign/Digicert

Understanding Properties of Trunk

  • Trunk name: Specify the name of the trunk. This name is assigned to the Web site that is created in IIS running on the Forefront UAG server. Within the set of HTTP connections and HTTPS connections, each trunk name must be unique. The trunk name cannot contain the public host name.
  • Public host name: Specify the host name used by client endpoints to reach the Web site. The host name must contain at least two periods.
  • IP address: Specify the external IP address used to reach the published Web application or portal.
  • Array Member: If the Forefront UAG server is part of an array, click the server entry in the IP address column, and select the external IP address of this array member.
  • HTTP/HTTPS port: Specify the port for the external Web site.

UAG trunks will be configured within Forefront Unified Access Gateway (UAG) to publish applications and services. The following topics describe a list of trunks and its advanced configuration.

image

Advanced Trunk Configuration for SharePoint: The following changes should be made in advanced trunk configuration to allow mobile devices to communicate with UAG server for rich application:

URL List

Methods

Allow Rich Content

InternalSite_Rule54

HEAD

Checked

SharePoint14AAM_Rule47

HEAD

Checked

Published Applications and Services:

image 

Install Forefront UAG:

Insert the en_forefront_unified_access_gateway_2010_with_sp1_x64_dvd_611549.iso file to a Hyper-V server as media, and run Setup from the Forefront UAG folder.

Ensure that the Network List Service (Netprofm) and the Network Location Awareness (NlaSvc) services are running, before beginning the Forefront UAG installation. To begin installation, double-click Setup.hta.

clip_image009

On the Welcome page of Setup, do the following:

clip_image011

Click Install Forefront UAG to begin Forefront UAG Setup. When running Setup, you can customize the installation folder location, if required. Do not install Forefront UAG from a network share.

clip_image013

clip_image015

clip_image017

Restart the Server.

clip_image019

Initial Configuration Using Getting Started Wizard

clip_image021

In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

On the Define Network Adapter Settings page, in the Adapter name list do the following:

To configure the adapter connected to the external network, click the External column. On the Define External Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required. Note that it is not recommended to configure DNS on the external adapter.

To configure the adapter connected to the internal network, click the Internal column. Adapter settings are displayed in the Adapter properties list. On the Define Internal Network IP Address Range page, verify the address ranges associated with the internal network adapter. You can add, edit, or remove ranges, as required.

After running the Network Configuration Wizard, click Define Server Topology to open the Server Management Wizard. On the Select Configuration page, do the following:

If you are running Forefront UAG on a single server, click Single server.

If you want to join this server to an array of Forefront UAG servers, click Array member. The Array Management Wizard opens, which enables you to join the server to an array, and manage other array settings. For help on running this wizard, see Implementing an array and load balancing design. For more information about planning an array design, read the Array planning guide.

After running the Network Configuration Wizard, click Join Microsoft Update to open the Server Configuration Wizard. On the Use Microsoft Update for Forefront UAG page, Click Use Microsoft Update when I check for updates if your corporate update policy uses Microsoft Updates. Note that an Internet connection is required both to opt in for updates and receive them. Forefront UAG updates will only be available after the RTM release.

If you are installing Forefront UAG with SP1, on the Customer Experience Improvement Program page of the wizard, Click No, I do not want to participate if you do not want to participate in the program.

Configure Remote Desktop (RDP) to Forefront UAG

After installation, you might want to manage Forefront UAG remotely. To manage Forefront UAG using a remote desktop connection, you must do the following:

Ensure that remote desktop is enabled on the Forefront UAG server.

Ensure that the computer from which you want to manage Forefront UAG is added to the Forefront TMG Remote Management Computers computer set.

To do this, open the Forefront TMG Management console from the Start menu.

1. In the console tree, click the Firewall Policy node. Right Click New, Click Access Policy, Type Name: RDP Access Policy.

2. On the Rule Action, Click Allow, Click Next

3. On the Selected Protocols, Click Add, Select RDP Server from all protocol, Click Next

4. On the Source tab, Click New, Click new, Click Computer, Add name and IP address of the computer, Click next

5. On the destination page, Click new, Click computer, add name and IP address of UAG server, Click Next, Click Finish and Apply changes.