Traditional remote access solutions were primarily based on using on-premises gear such as firewalls with VPNs or terminal service servers accessible via RDP.
As companies migrate to cloud computing, a wide range of new affordable services and technologies are becoming available. In this blog, we will take a look at a particular customer scenario, that of a professional services firm that uses specialized software and that has a workforce distributed over several locations but which still needs access to a centrally located file store.
The customer is a small professional services firm. The company is situated in a very expensive city where office space rents out at a premium. Traffic congestion is extremely bad and adds considerable stress, time and expense for employee. There is one main office with about 50% of the staff along with smaller branch offices with up to five staff each located about 50 miles (80 kilometres) apart.
Staff uses specialized software, which is version specific to calendar year such as tax preparation software. Due to the fact that the software is version specific to calendar year and clients have the need to go back up to 10 years in time, there are many editions of the software required on each desktop.
The company has no full time IT support staff.
The company’s owners want the staff to be completely untethered from the office. The option to work from home or anywhere else is no longer considered a luxury but rather a requirement. This has been brought to light by the current COVID-19 pandemic in which many local and national governments have mandated employees either work from home or the business must completely shut down in order to slow the spread of the virus.
Security considerations are of paramount importance to the reputation of the business.
Current IT Systems:
The main office has a Windows 2016 domain, a file server and an application that runs on a SQL server backend. The office is secured by a tier one vendor firewall which has VPN access capabilities.
Branch offices are connected via site-to-site VPN.
Remote workers can dial-in using a point to site VPN client.
File access across the VPN is slow because the file protocol used by Windows Server, SMB, is not designed for a WAN. The greater the network latency the worse the file access performance is.
Email is via on-premises Exchange Server 2016
Office Productivity Apps
Migrate to Microsoft 365. This will provide cloud based access to office files using productivity apps such as Excel, PowerPoint and Word. Using Office 365 groups provides a centralized file store (A SharePoint document library) accessible over the Internet with permissions configured via group membership. Email will be migrated online to Exchange Online services.
Microsoft 365 provides a secure and highly available email system with built-in spam protection. Mail can be accessed anywhere using the Outlook client assuming there is Internet access. SharePoint libraries via Office 365 groups will replace the central file server. Access to files will be over HTTP rather than SMB resulting in superior performance because HTTP is optimized for WANs.
Specialty Software on each Desktop
The idea of having to manage each office desktop with at least 10 versions of specialty software is a daunting task. Accessing software project files securely is considered essential. The company has mandated that specialty software be accessible from anywhere regardless of local device.
The proposed solution is Windows Virtual Desktop
Windows Virtual Desktop is a new service offering from Microsoft in Azure public cloud. The staff will be able to log on to a secure portal maintained by Microsoft that can either present a complete desktop to the user or selected applications.
Compared to traditional Remote Desktop services, Windows Virtual Desktop needs only minimal hosts
For example, a typical traditional system would require, a pool of virtual machines (VMs) running on at least two different hypervisor hosts, a Gateway server, a web access server and a load balancer to load balance across the VM pool.
If we were to just migrate these services to the cloud (lift and shift), considerable expense would be incurred for all the VMs required. A VM for each pool member or alternatively remote desktop session servers, the web access server, the gateway server and the load balancer. For authentication, 2 domain controllers would also be required.
Using Windows Virtual Desktop, the Windows Virtual Desktop provides the Web access service, gateway and load balancer eliminating at least 3 VMS, in addition to all the administrative work to maintain those VMs, such as security patching OS upgrades, etc.
Windows Virtual desktop can also make use of Azure marketplace image VMs with software pre-installed. In this case, an image of Windows 10 multi-user with Office 365 is available from the Azure Marketplace.
First, create a VM from the Windows 10 Multi-user image with Office 365. Then installing on that virtual machine, all the specialized software that is required for each calendar year, then capturing that VM as a custom image, you can then build a scalable host pool with all the required software pre-installed.
The Host pool can be scaled to add more VMs whenever the need arises. In this way you only pay for what you need. If there is a peak in demand, the pool can be quickly scaled up using the previously created custom image.
A requirement of the company was to be 100 percent cloud based. The Office365 subscription will include an Azure Active Directory (AAD) Tenant which provides single sign on to the office portal. But what about accessing the Windows Virtual Desktop VM host pool? These machines will still need a Kerberos based logon. There is an Azure service-based solution for this as well in lieu of using domain controllers. The service is Azure Active Directory Domain Services (AAD DS). This service will create an AD DS Forest based on the AAD tenant. There is no need to manually create users, since they are automatically synchronized from AAD. The only requirement for user logon to work via Kerberos is that after AAD DS has been set up, the users will have to change their passwords in AAD. This generates a password hash that synchronizes to AAD DS and is used for Kerberos based logons.
For the company described in our scenario, we would only need about 3 VMs (SKU: Standard_DS3_V2) to service about 100 users. Compare that to at least 2 domain controllers, 3 sessions servers, 2 each of Web access servers, gateways and load balancers all running in their own availability set (3 VMs with Windows Virtual Desktop and AAD DS versus 11 VMs in a lift and shift scenario).
To further enhance the system, for disaster recovery (DR), services such as Azure Site Recovery could be employed to replicate our host pool to another location. As you can see from this short discussion, Azure may provide a compelling reason to move to the cloud for remote access depending on your business situation. Learn more about Microsoft Training and Virtual Desktop at https://www.fastlaneus.com/microsoft-infrastructure