OakLeaf Systems: Installing Remote Desktop Services on a Windows Azure Virtual Machine running Windows Server 2012 RC

Tuesday, June 12, 2012

Installing Remote Desktop Services on a Windows Azure Virtual Machine running Windows Server 2012 RC

•• Updated 7/30/2012 with added:

Link to Windows Server Azure 2008 R2 Remote Desktop Services (5-User Client Access License), US$749.00 from the Microsoft Store
“Fast Publish” note and publication date to Microsoft server software support for Windows Azure Virtual Machines below
Link to Microsoft Volume Licensing Brief: Licensing Microsoft Server Products in Virtual Environments (*.docx)

• Updated 7/21/2012 with the following Microsoft licensing restrictions (sent to me in an email message by a Microsoft employee), which preclude use of Remote Desktop Services and Remote Web Access with Windows Azure Virtual Machines:

Virtualized Desktop Services fall under the terms of the Windows Server Licensing Agreement. Unless you are an Independent Software Vendor (ISV) using SPLA[*] licensing to provide a SaaS based service, Windows Server does not include License Mobility to Public Clouds, and as a result Virtualized Desktop Services are not licensable on Windows Azure and other Public Clouds because of restrictions under the Windows Server License Agreement. Virtualized Desktop Services include Remote Desktop Services (RDS), Remote Terminal Services, and related third party offerings (example given - Citrix XenDesktop).

* Service Provider Licensing Agreement, see:

In addition, see Microsoft Support Services Article ID 2721672: Microsoft server software support for Windows Azure Virtual Machines, which contains the following lists:

Windows Server 2008 R2 and later versions are supported for the following roles:

Active Directory Domain Services

Active Directory Federation Services

Active Directory Lightweight Directory Services

Active Directory Rights Management Services

Application Server

DNS Server

Fax Server

Network Policy and Access Services

Print and Document Services

Web Server (IIS)

Windows Deployment Services

Windows Server Update Services

File Services

The following features are not supported on Windows Azure Virtual Machines: BitLocker, Failover Clustering and Network Load Balancing.

•• Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

•• Article ID: 2721672 - Last Review: June 19, 2012 - Revision: 2.0

RDS and related services aren’t included in the supported list but aren’t listed as non-supported features.

I am investigating this issue and will update this post when I learn anything more.

Contents:

Prerequisites and Resources for Creating a Windows Azure Virtual Network
Installing Remote Desktop Services
Installing the Optional Application Server Role
Completing the Roles and Features Installation

This tutorial describes how to install Remote Desktop Services (RDS) on a Windows Azure Virtual Machine (WAVM). This is the first stage of creating a Windows Azure Virtual Network (WAVN) that connects to an on-premises Windows network and uses Windows Azure Active Directory (WAzAD) to provide single sign-on (SSO) for an enterprise’s Active Directory domain admins and users. My Standing Up a Windows Server 2012 RC Virtual Machine in the New Windows Azure Management Portal Preview tutorial of 6/7/2012 describes how to install the WAVM.

•• Update 6/12/2012 3:30 PM PDT Microsoft’s Jason Chen reported in a message that Cisco’s ASA 5500 Adaptive Security Appliance series are supported by a script accessible in the Windows Azure Portal:

• Update 6/12/2012 8:30 AM PDT: Fixed two bad links; added a comment about hardware VPN device cost and links to more information about setting up the WAVN, as well as activating and configuring RDS Licensing Services in step 18 below.

Prerequisites and Resources for Creating a Windows Azure Virtual Network

Creating a WAVN between a WAVM and an on-premises domain controller requires a hardware VPN appliance. When this tutorial was written, only the following Cisco and Juniper VPN routers and gateways were supported with installation scripts that were written and tested by the Windows Azure team:

Cisco Systems	Juniper Networks
ASA 5500 Series ••	SRX 201 Router
ASR 1001	SRX 1400 Router
ASR 1004	J Series Routers
ASR 1006	ISG Series Routers
ISR 2921	SSG Series Routers ••
ISR 3925
ISR 3945 E

•• Note: The least costly supported VPN device is a member of Cisco’s ASA 5500 Adaptive Security Appliance series, the ASA5505-BUN-K9 device, which is $324 with 10 bundled IPSec and 2 bundled SSL user sessions (25 max.) from an Amazon.com affiliate. The current version of the Supported VPN devices list doesn’t include Juniper’s SSG series routers.

For more information about supported VPN devices, see the Windows Azure Team’s About VPN Devices for Virtual Network topic, which begins:

You can link your Windows Azure Virtual Network to an on-premises network via a site-to-site VPN connection, as illustrated in Example 1. Creating a secure VPN connection requires coordination between the person who will configure the VPN device and the person who will create the Management Portal configuration. This coordination is required because the Management Portal requires IP address information from the VPN device in order to start the VPN connection and create the shared key, which then must be exported in order to configure the VPN gateway device and complete the connection.

• Sample configuration scripts are available for many, but not all, VPN devices. See Supported VPN devices for the device list. If your VPN device is represented in the list of supported devices, you can download the corresponding sample configuration script to help configure the device. If you don’t seen your VPN device represented in the list, your device still may work with Windows Azure Virtual Network. See Untested VPN devices for more information.

Example 1

Screenshot of VPN device

The above page includes links to Windows Azure Virtual Network and Networks topics.

You can learn more about RDS from TechNet’s Remote Desktop Services topic, which includes subtopics for:

Each RDS client must have RDS Client Access License (CAL). RDS CALs cost about $380 for a pack of five.

• MSDN’s Establish a Site-to-Site VPN Connection topic explains the process for setting up the WAVN with a supported VPN device.

Installing Remote Desktop Services

The following steps describe how to install, but not configure, Remote Desktop Services for Windows Server 2012 RC:

1. Connect to the server with a Remote Desktop Connection, open Server Manager’s Dashboard, click the Add Roles and Services link, and select the destination server and click Next to open the Select Server Roles window:

• Note: You might want to install Windows Server Update Services also because Windows Azure doesn’t handle OS updates for WAVMs.

2. Optionally mark the Application Server and then mark the Remote Desktop Services checkbox(es) to open the following Select Role Services dialog:

3. Mark the Remote Desktop Connection Broker checkbox. Checking the Remote Desktop Gateway opens the Add Roles and Features Wizard dialog:

4. Click the Add Features button to continue, and mark the Select Role Service’s window’s Remote Desktop Licensing checkbox to open the dialog for required features:

5. Click the Add Features button and click the Remote Desktop Session Host check box to open the associated Add Features dialog

6. The server is running in a virtual machine, so if you mark the Remote Desktop Virtualization Host check box and click Add features in this dialog:

You receive the following Validation Error message and the Remote Desktop Virtualization Host service won’t install:

7. Mark the Select Role Service’s window’s Remote Desktop Web Access checkbox to open the dialog for required features:

8. Click Add Features to return to the Select Role Services window:

Installing the Optional Application Server Role

9. Click Next to open the Application Server window:

10. Click Next to open the dialog for Web Server (IIS) installation:

11. Click Add Features to open the dialog for HTTP Activation installation:

12. Click Add Features to open the dialog for TCP Activation installation:

13. Click Add Features to return to the Select Role Services window:

14. Click Next to open the Network Policy and Access Services window:

15. Click Next to open the Select Role Services window:

Completing the Roles and Features Installation

16. Click Next to open the Confirm Installation Selections window:

17. Scroll to view the list of roles and services to be installed and click Install to begin the process:

18. After a few minutes, feature installation will complete. You receive a warning that you must configure Remote Desktop Licensing, but no indication of how to do so or where you can find more information about the subject.

• Note: You have a minimum 90-day grace period to activate and configure the RDS Licensing Service. For more information, see the Configuring Remote Desktop Licensing TechNet topic, which advises:

If a license server is not activated, the license server can only issue temporary RDS Per Device CALs, which are valid for 90 days, or RDS Per User CALs.

Clients have a 120-day grace period to register their Client Access License (CAL).

19. When you select Remote Desktop Services in the navigation pane, you receive this notice:

• This message indicates that you must start the WAVN and connect your on-premises domain controller before you can configure the license server. As noted earlier, MSDN’s Establish a Site-to-Site VPN Connection topic explains the process for setting up the WAVN with a supported VPN device.

Stay tuned for details of managing Remote Desktop Services.