Hello Everyone,
In this post, I will explain how to configure console connect features in Windows Azure Pack.
To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - INTRODUCTION - Part 1, Click Here!
To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - Components & Deployment Types- Part 2, Click Here!
To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - Complete Setup Deployment Requirement - Part 3, Click Here!
To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - WAP Architecture (STANDALONE & HIGH AVAILABILITY) - Part 4, Click Here!
To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - WAP Components Sizing - Part 5, Click Here!
To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - Installation & Configurations - Part 6, Click Here!
To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - Integration process with SPF and SCVMM & Post Configurations - Part 7, Click Here!
To see Microsoft Windows Azure Pack (PRIVATE CLOUD - WAP) - Tenant Portal Login overview & Configure Public Access - Part 8, Click Here!
Let's start by understanding the concept of Console Connect for tenant virtual machines.
CONFIGURE CONSOLE CONNECT:
To configure Console Connect in Windows Azure Pack you have to:
- Install and configure the Remote Desktop Gateway role on a separate machine (Click Here to see how to install and configure Remote Desktop Services!).
- Create and configure the required certificates on SCVMM, on all Hyper-V hosts and on the Remote Desktop Gateway (RDG) server.
Configuring Certificates on SCVMM Servers
Copy and paste the "makecert.exe" file to the C: drive of the SCVMM VM from the WAP VM.
NOTE: "Makecert.exe" is used for creating self-signed certificates. It can be downloaded from the Internet (it is part of the Windows SDK) or taken from the WAP server at the path mentioned below. A domain certificate from an enterprise Root CA can be used instead if one is available.
Path in the WAP VM: "c:\Program Files (x86)\Windows Kits\8.0\bin\x64"
Copied to the SCVMM VM:
Open a command prompt as Administrator, change to the folder containing "makecert.exe" and run the command below:
Makecert -n "CN=Remote Console Connect" -r -pe -a sha256 -e 01/01/2050 -len 2048 -sky signature -eku 1.3.6.1.5.5.7.3.2 -ss My -sy 24 "RemoteConsoleConnect.cer"
NOTE: CN is the certificate's Common Name. -r makes the certificate self-signed, -pe marks the private key as exportable (needed for the .pfx export below), -eku 1.3.6.1.5.5.7.3.2 adds the Client Authentication Enhanced Key Usage, and -ss My places the certificate together with its private key in the Personal store. The "RemoteConsoleConnect.cer" file written at the end contains only the public certificate; the .cer extension has nothing to do with the EKU. Note the expiry of 01/01/2050: this key signs every console-connect token VMM issues, so a long-lived self-signed key has to be guarded accordingly.
Open the Certificates console ("mmc" from the Run window) as the same user that ran makecert, expand Personal and see the certificate created by the command above:
Now export this certificate twice, because it is needed in two forms:
- Public certificate (.cer) for the SCVMM server, the Hyper-V hosts and the RDG server.
- Private certificate (.pfx) including the private key, protected by a strong password. The password is required when the .pfx is loaded into the VMM database with Set-SCVMMServer below.
Export the certificate with the .cer extension (Next, Next, give the path, Next, Finish). Exported certificate in folder:
Now export the certificate with the .pfx extension, including the private key and a password: follow the same steps, choose "Yes, export the private key", click Next, select the option shown below, click Next, give the password, click Next, give the path, click Next and click Finish. Exported certificate in folder:
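The two exports above can be done without the mmc wizard. The PowerShell below is an added example written for this page (not the post author's or Microsoft's code); it assumes makecert has already created the certificate in the current user's Personal store, and it uses C:\RemoteConsoleConnect as an assumed output folder. It also checks the EKU and locks down the folder while the private key is on disk, which the wizard does not do.

```powershell
# Added example (not from the original post): export the certificate that the
# makecert command above left in the Personal store, without the mmc wizard.
# Assumptions: makecert was run as this user with -ss My (so the certificate is in
# Cert:\CurrentUser\My), and C:\RemoteConsoleConnect is a scratch folder of your choosing.
$subject = 'CN=Remote Console Connect'
$outDir  = 'C:\RemoteConsoleConnect'

$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' and a private key found" }

# Check the EKU before this key is allowed to sign console-connect tokens:
# the RDG FedAuth component expects the Client Authentication OID 1.3.6.1.5.5.7.3.2.
$ekuExt = $cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
    throw 'Certificate lacks the Client Authentication EKU (1.3.6.1.5.5.7.3.2)'
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
# The private half will sit here until Set-SCVMMServer has loaded it, so restrict
# the folder to Administrators and SYSTEM first.
icacls $outDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# Public half (.cer): goes to Trusted Root on every Hyper-V host and on the RDG server.
Export-Certificate -Cert $cert -FilePath "$outDir\RemoteConsoleConnect.cer" -Type CERT | Out-Null

# Private half (.pfx): only the VMM database needs it. Prompting for the password keeps
# it out of the PowerShell history and any transcript, unlike a literal in the script.
$pfxPwd = Read-Host -Prompt 'Password for the .pfx' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$outDir\RemoteConsoleConnect.pfx" -Password $pfxPwd | Out-Null

Get-ChildItem $outDir | Select-Object Name, Length
"Thumbprint (needed for TrustedIssuerCertificates on the RDG server): $($cert.Thumbprint)"
"Expires: $($cert.NotAfter)"
```

The $pfxPwd SecureString can be passed straight to the -VMConnectGatewayCertificatePassword and -VMConnectHyperVCertificatePassword parameters of Set-SCVMMServer in the next step; delete the .pfx from the folder once VMM has imported it, since only the VMM database needs the private key.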
Now we need to import the .pfx file into the VMM database using the Set-SCVMMServer cmdlet. Open the SCVMM PowerShell module as Administrator and execute the commands below:
$mypwd = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
NOTE: The password is the one given to the ".pfx" certificate when it was exported with the private key. A literal password on the command line ends up in the PowerShell history and in any transcript; prompting for it with Read-Host -AsSecureString avoids that.
$cert = Get-ChildItem .\RemoteConsoleConnect.pfx
NOTE: "RemoteConsoleConnect.pfx" is the name of the ".pfx" certificate.
$VMMServer = 'SCVMM_SERVER_FQDN_NAME'
NOTE: "SCVMM_SERVER_FQDN_NAME" is the FQDN of your VMM server.
Set-SCVMMServer -VMConnectGatewayCertificatePassword $mypwd -VMConnectGatewayCertificatePath $cert -VMConnectHostIdentificationMode FQDN -VMConnectHyperVCertificatePassword $mypwd -VMConnectHyperVCertificatePath $cert -VMConnectTimeToLiveInMinutes 2 -VMMServer $VMMServer
NOTE: For the VMM server we load the .pfx into the VMM database so that VMM does not rely on the certificate being in the certificate store of a node. Nothing else is needed on the VMM server. The VMM server is the component that creates (signs) the console-connect tokens; -VMConnectTimeToLiveInMinutes 2 limits how long a generated token, and the .rdp file that carries it, stays valid.
NOTE: The certificate added to the VMM database is distributed to every Hyper-V host managed by SCVMM. If a host is added later, either install the certificate on that host manually or repeat the steps above.
Now go to the SCVMM console and refresh all hosts so that SCVMM installs the ".pfx" certificate in the Personal certificate store of every host.
After completing this step you can check in the Local Computer certificate store of each Hyper-V host that the certificate is installed, as shown below:
Configuration is completed on SCVMM.
Configuring certificates on the Hyper-V hosts:
The next part is disruptive, so before proceeding check which VMs are running on each Hyper-V host. Because a self-signed certificate is used, the Hyper-V host has to be rebooted after its public key is installed in the Trusted Root Certification Authorities store.
Before rebooting, put the host into maintenance mode and wait until all VMs have moved to another node; only then reboot the host.
Now proceed:
Install the public certificate into the Trusted Root Certification Authorities store on every Hyper-V host as shown below. Open Windows PowerShell as Administrator on the host and run:
Import-Certificate -CertStoreLocation cert:\LocalMachine\Root -FilePath "C:\RemoteConsoleConnect.cer"
Now restart the SCVMM Agent service and cross-check that the certificate VMM pushed into the Personal store is present:
dir cert:\localmachine\My\ | Where-Object {$_.subject -eq "CN=Remote Console Connect"}
Repeat the same steps on every Hyper-V host.
Configure Certificates on Remote Desktop Gateway Server:
Copy the "RDGatewayFedAuth" setup from the SCVMM installation media as shown below:
Why is a separate VM used for the RDG server?
The RDG server acts as the federated authentication server used only by the Console Connect option in WAP. To support federated authentication, VMM ships a Console Connect Gateway component, located on the VMM media at "DLayout.EVAL\amd64\Setup\msi\RDGatewayFedAuth", which has to be installed on the RDG server.
What happens if that VM dies?
- Users cannot use Console Connect until it is back.
- For RDG high availability, build a second RDG server behind a load balancer, with the same certificates and the same FedAuth configuration as the primary.
Install this file on the RDG server (Next, Next, Install):
Add the public certificate to the local machine stores as shown below:
Import-Certificate -CertStoreLocation cert:\LocalMachine\My -FilePath "C:\RemoteConsoleConnect.cer"
(Personal store)
Import-Certificate -CertStoreLocation cert:\LocalMachine\Root -FilePath "C:\RemoteConsoleConnect.cer"
(Trusted Root store)
Then run the following commands:
$Server = "RDG_SERVER_FQDN"
$Thumbprint = "COPY THUMBPRINT FROM ABOVE CERTIFICATE INSTALLED"
# This is the thumbprint of the certificate just installed; copy it from the certificate properties in the mmc console.
$TSData = Get-WmiObject -computername $Server -Namespace "root\TSGatewayFedAuth2" -Class "FedAuthSettings"
$TSData.TrustedIssuerCertificates = $Thumbprint
$TSData.Put()
This is all that is needed on the Remote Desktop Gateway side. TrustedIssuerCertificates tells the gateway to accept any console-connect token signed by this certificate, so whoever holds its private key (the .pfx) can reach any tenant VM console through this gateway: treat the .pfx like a credential and delete stray copies once VMM has imported it.
NOTE: The command above failed the first time because the "RDGatewayFedAuth" setup had not been installed (the root\TSGatewayFedAuth2 WMI namespace does not exist until it is). After installing it, the command completed successfully.
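As an added example that is not part of the original post, the script below checks from the VMM server that the three pieces of configuration done so far (certificate loaded into VMM, Trusted Root on every Hyper-V host, trusted issuer on the RDG) all agree on the same certificate. The server names and the .cer path are assumed placeholders; it needs the VMM PowerShell module and WinRM access to the hosts and the RDG server.

```powershell
# Added example (not from the original post): verify the Console Connect trust
# chain from the VMM server after the SCVMM, Hyper-V host and RDG steps above.
# Assumptions: the VMM PowerShell module is loaded, WinRM is enabled on the hosts
# and the RDG server, and the .cer path and server names below are placeholders.
$cerPath   = 'C:\RemoteConsoleConnect.cer'
$vmmServer = 'vmm01.corp.example'     # assumed VMM FQDN
$rdgServer = 'rdg01.corp.example'     # assumed RDG FQDN
$subject   = 'CN=Remote Console Connect'

# The .cer exported earlier is the reference: its thumbprint must show up
# unchanged in every Root store and in the RDG FedAuth settings.
$ref   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$thumb = $ref.Thumbprint
if ($ref.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Reference certificate expires on $($ref.NotAfter); Console Connect stops working then"
}

# 1. Every Hyper-V host VMM manages: public cert in Root (installed by hand),
#    cert in Personal (pushed by VMM on host refresh), VMM agent running.
$hosts = Get-SCVMHost -VMMServer $vmmServer | Select-Object -ExpandProperty Name
$hostReport = Invoke-Command -ComputerName $hosts -ScriptBlock {
    param($subject, $thumb)
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb }
    $my   = Get-ChildItem Cert:\LocalMachine\My   | Where-Object { $_.Subject -eq $subject }
    [pscustomobject]@{
        Server     = $env:COMPUTERNAME
        InRoot     = [bool]$root
        InPersonal = [bool]$my
        Thumbprint = ($my | ForEach-Object Thumbprint) -join ','
        Agent      = (Get-Service -Name SCVMMAgent -ErrorAction SilentlyContinue).Status
    }
} -ArgumentList $subject, $thumb

# 2. The RDG server: public cert in Root, and FedAuth trusting exactly this issuer.
$rdgReport = Invoke-Command -ComputerName $rdgServer -ScriptBlock {
    param($thumb)
    $fed = Get-WmiObject -Namespace 'root\TSGatewayFedAuth2' -Class 'FedAuthSettings' -ErrorAction Stop
    $trusted = @($fed.TrustedIssuerCertificates)
    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        InRoot        = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb })
        TrustedIssuer = $trusted -join ','
        IssuerMatches = ($trusted -contains $thumb)
        # Any other thumbprint listed here can also mint console access through this gateway.
        ExtraIssuers  = @($trusted | Where-Object { $_ -ne $thumb }).Count
    }
} -ArgumentList $thumb

# 3. The tenant-facing port: the RD Gateway listens on TCP 443.
$port = Test-NetConnection -ComputerName $rdgServer -Port 443 -WarningAction SilentlyContinue

$hostReport | Format-Table Server, InRoot, InPersonal, Thumbprint, Agent -AutoSize
$rdgReport  | Format-List Server, InRoot, TrustedIssuer, IssuerMatches, ExtraIssuers
"RDG TCP 443 reachable: $($port.TcpTestSucceeded)"

$bad = @($hostReport | Where-Object { -not ($_.InRoot -and $_.InPersonal -and $_.Agent -eq 'Running') })
if ($bad -or -not $rdgReport.IssuerMatches -or -not $rdgReport.InRoot -or -not $port.TcpTestSucceeded) {
    Write-Warning 'Console Connect prerequisites are incomplete; see the rows above'
}
```

A host that shows InRoot but not InPersonal has not been refreshed in the SCVMM console yet; an RDG row with IssuerMatches false is the symptom of a thumbprint that was mistyped when it was copied from the mmc properties dialog.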
WAP Configuration:
Open the Admin site, go to VM Clouds, click Edit and enter the FQDN of the RDG server as shown below:
Now tenants can open the console from the tenant site.
Open the tenant site and log in with tenant user credentials:
Click Connect, then Console, then the tick mark; click Open, and once the .rdp file download completes click Open again:
Below is the console of the VM named "TESTVM01":
Requirements for using this feature from client machines on a different network:
- TCP port 443 (the HTTPS port the RD Gateway listens on) must be open from that VLAN/network segment to the RDG server.
- The RDG server certificate must be installed in the client machine's Trusted Root Certification Authorities store (see below: how to install the certificate on a client machine).
- DNS name resolution for the RDG server must work. If it does not, the RDG server has to be added to the hosts file of the client machine (see below: how to add a hosts file entry for the RDG server on a client machine).
- If the client runs Windows 7 with SP1, install update KB2830477 (the RDP 8.1 client) on the client machine (Click Here!).
How to install the certificate on a client machine:
- Copy the RDG certificate to the client machine.
- Open the "Run" window and type "mmc".
- Click "File", then "Add/Remove Snap-in".
- In the window that opens select "Certificates" and click "Add".
- Choose "Computer account", click "Next", select "Local computer", click "Finish" and then "OK".
- Expand "Certificates", then expand "Trusted Root Certification Authorities".
- Right-click "Certificates", select "All Tasks" and click "Import".
- Click "Next", give the RDG certificate location, click "Next" twice and then "Finish".
- The certificate is now installed on the client machine.
How to add a hosts file entry for the RDG server on a client machine:
- Open Notepad as Administrator.
- Open the "hosts" file from "C:\Windows\System32\drivers\etc".
- Add a line with the RDG server details: RDG_SERVER_IP_Address RDG_SERVER_FQDN
- Save the "hosts" file and close it.
NOTE: The certificate used for the RDG server is a self-signed certificate that expires after one year. After one year a new RDG server certificate must be created on the RDG server and installed there and on every client machine. The certificate can also be issued by an internal CA using the web server template and then exported/imported on the RDG server and on all client machines; a CA-issued certificate that the clients already trust removes the need to distribute it by hand.
Steps to create a self-signed certificate for the RDG server:
- Open IIS Manager on the RDG server.
- Click Server Certificates.
- Click "Create Self-Signed Certificate".
- Give the certificate a name and click Create.
- The certificate is created in the Personal store; make sure its name matches the FQDN clients will use for the RDG server, otherwise the RDP client rejects it.
- Export the certificate (public key only) and distribute it to the clients.
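The client-side requirements above (name resolution, RDG certificate in Trusted Root, port 443, the Windows 7 update) can be applied and checked in one go. This is an added example, not part of the original post: the RDG name, IP and exported certificate path are assumed placeholders, and it deliberately uses certutil and .NET calls that also exist on Windows 7 rather than the newer Import-Certificate and Test-NetConnection cmdlets. Run it from an elevated PowerShell prompt on the client.

```powershell
# Added example (not from the original post): prepare and check a client machine
# for Console Connect against the requirements listed above. Run elevated.
# Assumptions: the RDG FQDN, IP and exported RDG certificate path are placeholders;
# certutil and .NET calls are used because Import-Certificate does not exist on Windows 7.
$rdgFqdn = 'rdg01.corp.example'     # assumed RDG FQDN
$rdgIp   = '10.0.0.50'              # assumed RDG IP, used only if DNS fails
$rdgCer  = 'C:\Temp\rdg01.cer'      # assumed path of the exported RDG certificate

# 1. Name resolution: add a hosts entry only when DNS cannot resolve the RDG.
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($rdgFqdn) | ForEach-Object IPAddressToString
    "DNS resolves $rdgFqdn to $($resolved -join ', ')"
} catch {
    $hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
    $pattern   = "^\s*\S+\s+$([regex]::Escape($rdgFqdn))\s*$"
    if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
        Add-Content -Path $hostsFile -Value "$rdgIp`t$rdgFqdn"
        "Added hosts entry $rdgIp $rdgFqdn"
    }
}

# 2. RDG certificate in the computer's Trusted Root store, keyed on thumbprint so a
#    renewed certificate (the IIS self-signed one lasts a year) is detected as missing.
$rdgCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rdgCer
$inRoot  = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $rdgCert.Thumbprint }
if (-not $inRoot) {
    certutil -addstore -f Root $rdgCer | Out-Null
    "Imported RDG certificate $($rdgCert.Thumbprint) into LocalMachine\Root"
}
if ($rdgCert.NotAfter -lt (Get-Date)) { Write-Warning "RDG certificate expired on $($rdgCert.NotAfter)" }
$cn = $rdgCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $rdgFqdn) {
    Write-Warning "Certificate name '$cn' does not match $rdgFqdn; the RDP client will reject the gateway"
}

# 3. TCP 443 to the gateway (TcpClient works on Windows 7, where Test-NetConnection is unavailable).
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($rdgFqdn, 443); "TCP 443 to ${rdgFqdn}: open" }
catch { Write-Warning "TCP 443 to $rdgFqdn is blocked: $($_.Exception.Message)" }
finally { $tcp.Close() }

# 4. Windows 7 SP1 (NT 6.1) needs the RDP 8.1 client update KB2830477.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Version -like '6.1.*' -and -not (Get-HotFix -Id KB2830477 -ErrorAction SilentlyContinue)) {
    Write-Warning 'Windows 7 SP1 detected without KB2830477; install it before using Console Connect'
}
```

Because the check compares thumbprints rather than subject names, re-running the script after the yearly RDG certificate renewal imports the new certificate and leaves the old one in place; remove the expired one from Trusted Root by hand once every client has the new one.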
This is how you configure Console Connect on Windows Azure Pack and connect to a virtual machine through it.
This completes my Windows Azure Pack series. Now it is time to upgrade skills and share a new series on Microsoft Azure Stack. Keep supporting; the Azure Stack series is coming soon!
Share Your feedback or any query!!!
Happy Reading!!!
If You like my post then follow my updates:
Join my Facebook group for updates on trending technologies/technical references/issues etc: