Windows Azure Pack – RDS Gateway for VM Clouds

The RDS Gateway is useful for VM Clouds in the Windows Azure Pack to connect to Virtual Machine that have no connection to the network. Thanks to RDS gateway, VMs can be managed from console mode and tenants can always have access to VMs even if a network issue occurs.

N.B : The above schema comes from this TechNet article.

The above schema describes how RDS Gateway works with the VM Cloud’s infrastructure. VMM is trusted by RDS Gateway and Hyper-V hosts. The Windows Azure Pack is connected to SPF and can interact with VMM across SPF.

When a tenant click on “Console” in The Windows Azure Pack, a token is asked to Virtual Machine Manager across SPF. This token is signed by a certificate on VMM. Next an RDP file is generated and sent to the tenant browser. Then a connection is opened on the RDS Gateway. This last verify if the token is signed by VMM and to finish the connection is opened on the Hyper-V host (which verify also the token signature). From here, a connection to the VM is opened.

Because RDS Gateway is a critical component for customers, it should be deployed in high availability. So to try that, I have implemented RDS gateways in high availability in my lab.

Architecture Overview

I have two RDS Gateways called VMWAP07-WEB01 and VMWAP08-WEB02. These servers are members of an NLB Load-Balancing called Cluster-WEB. The RD Gateway farm endpoint is rds.home.net. I have one Virtual Machine Manager called vmvmm01.home.net. The Windows Azure Pack is connected to RDS Gateway on the rds.home.net endpoint.

Prerequisites

To follow this topic, you should have the following prerequisites:

  • An enterprise Certificate Authority (cf this topic);
  • Two servers to host RDS Gateway;
  • A working Windows Azure Pack installation (cf this topic);
  • A working VM Clouds infrastructure (cf this topic);
  • A certificate for server authentication (used by RDS Gateway) per server member of the RDS Gateway farm. The certificate should be as below:

RDS Gateway installation

Role installation

On the servers that host the RDS gateway role, open Service Manager and Add Roles and Features. When you have to select the server role, choose Remote Desktop Services. A little further, select Remote Desktop Gateway.

Role configuration

Next open the RDS Gateway console. Right click on the server name and select Properties.

In SSL Certificate, import the server authentication certificate (cf. prerequisites).

If as me you want RDS Gateway in high availability, click on Server Farm. Type the server name that you want to add to the farm and click Add. If you have an error, be sure that ports are opened. You can find information about firewall in this topic.

Install the RD Gateway Console Connect

Next you have to install the RD Gateway Console Connect on each member of the RDS Gateway farm. For that, mount the ISO of Virtual Machine Manager 2012 R2 and run the below MSI:

On the welcome screen, click on next.

Accept the license agreement and click on next.

Choose a location to install the RD Gateway Console Connect.

To run the installation, click on install.

Repeat this procedure for each member of the RDS gateway farm.

Network Load Balancing

To make RDS Gateway highly available, I have installed an NLB cluster. Below the configuration of this cluster:

To finish I have created a DNS alias called rds.home.net on cluster-web.home.net.

Certificate preparation

A certificate is needed to establish de trust between VMM, RDS Gateways and Hyper-V hosts. This part describes how to configure the certificate template and to enroll certificate.

Create the certificate template

Open the certificate template console and duplicate the Workstation Authentication template.

Specify a name for your template. I have also changed the validity period to 2 years.

Next on Request Handling tab, I have selected the Allow private key to be exported.

On Cryptography tab, I have set the minimum key size to 4096. Next in Providers, you have to choose Microsoft Enhanced RSA and AES Cryptographic Provider. If you don’t choose this CSP, the process will fail (and in Windows Azure Pack you will receive a json file instead of the RDP file).

In Subject Name tab, Select supply in the request.

In Security tab, be sure that your servers and you can make enrollment. To simplify, you can add the group Domain Computers. Click on apply and close the certificate template console.

In the Certification Authority console, right click on Certificate Templates, New and Certificate Template to Issue.

Select the template and click OK.

Make the enrollment

On the VMM Server, open a mmc and add the Local Certificate computer console. Navigate to Personal and right click on Certificates. Select All Tasks and Request New Certificate…

On request certificates screen, select the template that you have just created and click on Click here to configure settings.

In Subject Name, choose Common Name as type. In value I have specified rds.home.net which is the VIP of my RDS Gateway Load-balancer.

In Alternative name, I have added these DNS values:

  • cluster-web.home.net (Cluster Name)
  • vmwap07-web01.home.net (First node name)
  • vmwap08-web02.home.net (second node name)

Click on apply and click on Enroll.

Certificate deployment

Export the certificate as PFX

Once the enrollment is finished, you should have a certificate as mine. Select this certificate, right click and select All Tasks and Export.

Select Yes, export the private key and click on next.

Uncheck Include all certificates in the certification path if possible and click on next.

Specify a password and click on next.

At the end of the export of the certificate, I have c:\temp\rds.home.net.pfx file.

Repeat the above procedure without exporting the private key. So at the end of this process I have a c:\temp\rds.home.net.cer certificate file.

Import certificate to VMM database and Hyper-V hosts

On the VMM server run the below script. In this way, VMM is able to deliver and sign token to authenticate and authorize access to the VM across the Hyper-V host.

## Variables
# Path to PFX file
$MyPFX = Get-ChildItem "c:\temp\rds.home.net.pfx"
# Password of the PFX
$PWD = Read-Host –AsSecureString
# VMM FQDN server name.
$VMM = "vmvmm01.home.net"
## Main Code
Set-SCVMMServer -VMMServer $VMM `
                -VMConnectHostIdentificationMode FQDN `
                -VMConnectGatewayCertificatePath $MyPFX `
                -VMConnectGatewayCertificatePassword $PWD `
                -VMConnectHyperVCertificatePath $MyPFX `
                -VMConnectHyperVCertificatePassword $PWD `
                -VMConnectTimeToLiveInMinutes 1

Get-SCVMHost -VMMServer $VMM | Read-SCVMHost

Import certificate to RDS Gateway

Next, copy the certificate that you have exported in CER file format on each node of the RDS Gateway farm. On RDS Gateway, double click on certificate to run the import wizard.

To be sure, I select to place the certificate in Personal.

Repeat this procedure for each node that is a member of the RDS Gateway farm.

Add certificate to trusted issuer certificate

Now RDS Gateway has to trust the issuer certificate. For that, open the certificate and copy the thumbprint as below:

Next, run the below script on each node of the RDS Gateway farm. Don’t forget to change variables J.

## Variables
# Server FQDN
$Server = "VMWAP07-WEB01.home.net"
# Certificate Thumbprint
$certTP = "29bb885fabce87586ae87ce7ff8fbe91a49b9e0c"
## Main code
$RDSSet = Get-WMIObject -ComputerName $Server -NameSpace "root\TSGatewayFedAuth2" -Class "FedAuthSettings"
$RDSSet.TrustedIssuerCertificates = $CertTP
$RDSSet.Put()

Windows Azure Pack configuration

Now you can add the RDS Gateway to the Windows Azure Pack. Navigate to your VMM properties and add the RDS Gateway Endpoint (mine is rds.home.net).

Don’t forget to check the box Connect to the console of virtual machines in the hosting plan configuration as below:

Test of the console mode

To test the console mode, I select a VM that has no network connection. Next I click on connect and console.

Your browser should ask you to download an RDP file. Click on open. After a warning I can connect to the VMRED01 by console. J

About Romain Serre

Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft Technology, especially on Hyper-V, System Center, Storage, networking and Cloud OS technology as Microsoft Azure or Azure Stack. He is a MVP and he is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).

18 comments

  1. Hi Romain, great post. On your “Create the certificate template” step you did not specify the server this was completed on, I’m assuming it was your enterprise Certificate Authority?

    • Hi Chris,

      Indeed. Or you can reproduce these steps on any servers while the certificate authority console is installed 🙂

      • Thanks! I’m at “Add certificate to trusted issuer certificate” running your script- and getting the following error in PS: “The property ‘Trusted Issuer Certificates’ cannot be found on this object.”
        I was able to import successfully and even tried this script but received the same error message:
        $Server = “ENTER_RD_GATEWAY_SERVER_FQDN”

        $Thumbprint = “PASTE_CERTIFICATE_THUMBPRINT_VALUE_HERE”

        $TSData = Get-WmiObject -computername $Server `
        -NameSpace “root\TSGatewayFedAuth2” `
        -Class “FedAuthSettings”

        $TSData.TrustedIssuerCertificates = $Thumbprint

        $TSData.Put()

        any suggestions would be appreciated.

  2. A restart resolved my issue, thank you! Yes, RDG was installed as administrator in PS.

  3. Hi, not able to open azure portal now… getting error “The Portal is having trouble connecting to the configuration database. Please verify that SQL authentication is enabled and that the database is accessible from teh portal machine.

    • I don’t understand. You have had a SQL problem when you have added the RDS Gateway ?

      • actually problem was in my system as it was installed on 8gb laptop and distributed in three servers (dc, db+vmm, wap+spf) on hyper-v. SQL engine getting stop everytime, due to lack hardware performance. Now i built it on single machine express installation, but face single and major problem that not able to make public my galleries after imported on wap all the time. I know that problem is not related to realted to this topic but it would be great if you could help me to solve gallery problem.

        • Hi,

          You can find my E-mail address in contact page. Please send me log and screenshots to describe your problem.

          Thank you 🙂

          • I am going to use high-end machine to configure all setup again and let you know if I face any problem.
            Many thanks

  4. Hello Romain
    Are you still monitoring this. I am having some issues and could use your help

  5. Hi Romain,
    Thank you for the article. I have an error when executing the RDSSet.Put() :
    Exception calling “Put” with “0” argument(s): “Invalid parameter ”
    At line:5 char:1
    + $RDSSet.Put()
    + ~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

    the restart of the service and the server don’t resolve. Can you help please ?

  6. I am getting this error , failed to download RDP. Kindly help me on this.

  7. In case you get a “cookie was rejected by the Remote Desktop Gateway server”, then reboot the VMM, it solved my problem.

    Futhermore, if you get the “Invalid parameter” error after pasting running $RDSSet.Put() then check that no odd characters were pasted from the powershell code above. The $certTP part had a question mark in the beginning of the string in my case.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

x

Check Also

Windows Azure Pack – Authenticate tenants with AD FS

By default, Windows Azure Pack provides an Authentication site for tenants. This authentication site can ...

Windows Azure Pack – Website gallery issue

I had an issue with the WebSite Gallery in my Windows Azure Pack installation. When ...

Windows Azure Pack – PowerShell tenant API

Thanks to the Public Tenant API hosted on public services tier, the tenants can use ...