Certification Authorities is selected, as shown in Figure 17-7, and then click Next.
Figure 17-7. Adding Your Certificate to the Trusted Root Certification Authorities Policy
Step 14. Click Finish to import the certificate.
Save your GPO and apply it to the OU in the Active Directory where the computer accounts are located. The next time those computers refresh their group policies, they will download the certificate and install it in their own Trusted Root Certification Authorities store.
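The following PowerShell check is an added example, not part of the book's procedure. It runs on a domain-joined client after the policy refresh and confirms that the CA certificate distributed by the GPO actually landed in the computer's Trusted Root Certification Authorities store, that it is a CA certificate and still within its validity period, and that the client did not receive a private key along with it (a GPO should distribute only the public certificate). The thumbprint value is a placeholder for your own CA certificate's thumbprint.

```powershell
# Added example (not from the book): verify that the GPO-distributed CA certificate
# is present in the client's LocalMachine\Root store and looks as expected.
function Test-GpoTrustedRoot {
    param(
        [Parameter(Mandatory)] [string]$Thumbprint,  # your CA certificate thumbprint (placeholder)
        [switch]$RefreshPolicy                       # run a computer policy refresh first
    )

    if ($RefreshPolicy) {
        # Force the computer-side refresh; otherwise the certificate arrives only
        # at the next automatic Group Policy refresh, as the text notes.
        & gpupdate.exe /target:computer /force | Out-Null
    }

    $tp   = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $tp }

    $result = [ordered]@{
        Thumbprint    = $tp
        Present       = [bool]$cert
        IsCA          = $false
        Valid         = $false
        HasPrivateKey = $false
        Subject       = $null
    }

    if ($cert) {
        # Basic Constraints tells us whether this really is a CA certificate.
        $bc = $cert.Extensions |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
              Select-Object -First 1
        $now = Get-Date
        $result.IsCA          = [bool]($bc -and $bc.CertificateAuthority)
        $result.Valid         = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        # A private key in a client's Root store means the wrong file (a PFX) was
        # imported; the GPO should carry only the public certificate.
        $result.HasPrivateKey = $cert.HasPrivateKey
        $result.Subject       = $cert.Subject
    }

    [pscustomobject]$result
}

# Usage (thumbprint is a placeholder):
# Test-GpoTrustedRoot -Thumbprint 'REPLACE-WITH-CA-THUMBPRINT' -RefreshPolicy
```

Run it once with `-RefreshPolicy` on a client in the targeted OU; `Present`, `IsCA` and `Valid` should all be `True` and `HasPrivateKey` should be `False`.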
Configuring Remote Desktop Web Access for Azure RemoteApp Distribution
The next step is to use a signed certificate for your published applications.
First, request a certificate from your organization’s CA. The process is the same as the Requesting Certificates procedure outlined in Chapter 7. Request a computer certificate for your RD Session Host where the applications are published. You then need to export the certificate using Steps 2–6 in the preceding procedure, but on Step 4 you must select the Personal Information Exchange–PKCS #12 option and export the private key. You will be asked for a password to secure the private key, as shown in Figure 17-8. After you have the .PFX file saved to disk, you can use it to sign your RemoteApp applications.
Figure 17-8. Requirement to Supply a Password When Exporting a Certificate with a Private Key
Use the following procedure to sign your published RemoteApps using this .PFX certificate.
Step 1. From Server Manager, select Remote Desktop Service, then Overview. This displays the screen shown previously in Figure 17-3.
Step 2. From the top of the Deployment Overview section, click Tasks and then select Edit Deployment Properties to display the Deployment Properties dialog. Select Certificates. The page shown in Figure 17-9 is displayed.
Figure 17-9. RemoteApp Deployment Properties Dialog Allowing You to Add Private Key Certificates to the Services
Step 3. Select the RD Connection Broker–Publishing service, and then click Select Existing Certificate.
Step 4. Click the Browse button to locate the .PFX file you saved, enter the private key password, and then click OK.
Step 5. On the Deployment Properties dialog, click Apply.
Step 6. After the configuration is saved, the RD Connection Broker–Publishing displays Trusted in the Level column, as shown in Figure 17-10.
Figure 17-10. Certificate from Your CA Added to the RD Connection Broker–Publishing, Showing It Is Trusted
Your RemoteApp applications are now signed. When users access the application, they will no longer get a scary message about an unknown publisher. Instead, as shown in Figure 17-11, your own domain is shown as the publisher, and users know they can trust your application.
Figure 17-11. After Installing Certificates and Enabling a Trust, Your Applications Are Signed and Trusted
Subscribing to Azure RemoteApp and Desktop Connections Feeds
To use Azure RemoteApp, or RemoteApp in an on-premises environment, users of Windows 10 PCs need to install the RemoteApp client. The client can be downloaded from https://www.microsoft.com/en-us/cloud-platform/azure-remoteapp-client-apps, but if you are deploying RemoteApp in your organization, you should deploy the client to Windows computers using your management solution, such as System Center Configuration Manager (SCCM), Microsoft Intune, or other means. The Windows client is supported on Windows 7 and later computers.
On Windows 10, downloading the client from the Microsoft site presents the confirmation shown in Figure 17-12. Click Install to install the application.
Figure 17-12. Downloading and Installing the RemoteApp Client on Windows
Use the following procedure to configure the Azure RemoteApp client and subscribe to desktop connection feeds.
Step 1. On the Azure RemoteApp welcome page, shown in Figure 17-13, click Get Started.
Figure 17-13. Running the Azure RemoteApp Client for the First Time
Step 2. From the Microsoft Azure sign-in page, provide your Azure AD credentials, and then click Sign In.
Step 3. The Azure RemoteApp client is displayed, as shown in Figure 17-14. The applications that you have published are now available on the Start menu of the computer.
Figure 17-14. After Sign In to Azure RemoteApp, the Client Loads Your Applications to the Start Menu of the Local Computer
Step 4. Click the Start button, and then click the application to run it. It runs as if the application were installed locally on the computer.
With RD Web Access, users can also sign in to the RemoteApp URL using a web browser to access their applications, as shown in Figure 17-15. Typically, users need to sign in with their domain credentials on the website. However, you can implement Single Sign On (SSO) for your users of the RD Web Access interface by installing a trusted certificate for the RD Web Access server.
Figure 17-15. Accessing RemoteApp Applications Using a Web Browser and the RD Web Access Service
The procedure is the same as described previously, but instead of adding the certificate to the RD Connection Broker–Publishing, add the certificate to the RD Connection Broker–Enable Single Sign On. Users can then access the RD Web Access URL and will automatically be authenticated.
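The PowerShell below is an added example, not code from the book, and it covers two of the procedures above in one place: exporting the RD Session Host's computer certificate with its private key as a password-protected PFX (the PKCS #12 export described earlier), then applying that PFX to the RD Connection Broker–Publishing role to sign the RemoteApps (Steps 1–6 of the signing procedure) and to the RD Connection Broker–Enable Single Sign On role for RD Web Access SSO. It goes slightly beyond the text by also applying the certificate to the RD Web Access role, which the SSO paragraph mentions needs a trusted certificate. The certificate thumbprint, the PFX path and the Connection Broker FQDN are placeholders you must replace; the cmdlets themselves are the standard PKI and RemoteDesktop module cmdlets.

```powershell
# Added example (not from the book). Part 1 runs on the RD Session Host,
# Part 2 on the RD Connection Broker with the RemoteDesktop module available.

# ---- Part 1 (RD Session Host): export the computer certificate with its private key ----
$thumbprint  = 'REPLACE-WITH-CERT-THUMBPRINT'   # placeholder: thumbprint of the computer cert
$pfxPath     = 'C:\Certs\remoteapp-signing.pfx'  # assumed output path
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the private key'

# PKCS #12 export; the password is what the Certificate Export Wizard asks for in Figure 17-8.
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumbprint" `
                      -FilePath $pfxPath `
                      -Password $pfxPassword | Out-Null

# ---- Part 2 (RD Connection Broker): bind the certificate to the RDS roles ----
Import-Module RemoteDesktop
$broker = 'rdcb01.corp.example.com'   # assumed Connection Broker FQDN

if (-not (Test-Path -Path $pfxPath)) {
    throw "PFX file not found at $pfxPath; copy the exported file to the broker first."
}

# Role names as the RemoteDesktop module exposes the dialog entries:
#   RDPublishing  = RD Connection Broker - Publishing (signs the RemoteApps)
#   RDRedirector  = RD Connection Broker - Enable Single Sign On
#   RDWebAccess   = RD Web Access (HTTPS certificate for the web page itself)
foreach ($role in 'RDPublishing', 'RDRedirector', 'RDWebAccess') {
    Set-RDCertificate -Role $role `
                      -ImportPath $pfxPath `
                      -Password $pfxPassword `
                      -ConnectionBroker $broker `
                      -Force
}

# Verification: every role should now report Level = Trusted, matching Figure 17-10.
Get-RDCertificate -ConnectionBroker $broker |
    Format-Table -Property Role, Level, ExpiresOn, IssuedTo -AutoSize
```

The password is read as a SecureString rather than kept in the script; if you automate this, retrieve the secret at run time instead of embedding it. The `Get-RDCertificate` table at the end is the scripted equivalent of checking the Level column in the Deployment Properties dialog.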
Microsoft Azure RemoteApp
You have learned a few of the features of Microsoft Azure. Recall, for instance, managing user groups and attributes from Chapter 13, “Microsoft Intune.” Azure is integrated with Microsoft’s other cloud offerings, including Office 365 and Intune.
Azure provides many capabilities for distributing mobile apps to user computers and devices. The Azure App Service platform enables app hosting for mobile apps that you develop, and can speed development and deployment of those apps for mobile devices and phones. These services are out of scope of this chapter and the 70-697 exam. The type of services covered here is based on Remote Desktop Services, part of the Microsoft Virtual Desktop Infrastructure (VDI), which provides users a way to run full-featured desktop applications remotely using their computer or mobile device.
Configuring RemoteApp and Desktop Connections Settings
The hub of connections to RemoteApp and other RDS services is the RD Connection Broker. The Connection Broker can be on the same server as the RDS server or on another server in the network. For high availability, you can configure multiple, load-balanced Connection Broker servers, and the connections coming in will be distributed so that no one server gets too overloaded with connection requests. If one Connection Broker goes down, you still have one or more available to handle requests.
You can leverage the Microsoft Azure platform to configure a high-availability RD Connection Broker cluster, using an Azure SQL Database as the back end. The details of these steps are beyond the scope of this text and the exam, but the following procedure outlines the high-level process for configuring a highly available Connection Broker in Microsoft Azure.
Step 1. Create two Azure virtual machines (VMs) running Windows Server 2016.
Step 2. Configure load balancing between the servers. Your load-balancing configuration can use Azure Load Balancer (if your RDS services will also be hosted in Azure) or Windows Server 2016 Software Load Balancer if you will be using on-premises servers.
Step 3. Create a new Azure SQL Database.
Step 4. Install Microsoft ODBC Driver 13.1 for SQL Server on both VMs you created in Step 1.
Step 5. Create the RDS 2016 environment with one Connection Broker. In the Connection Broker topology, select Configure High Availability.