Almost a year ago I wrote a blog on the Beta of Windows Azure for Windows Server.
It was a very promising solution, but it also had some shortcomings from a Service Provider perspective. I summed up a couple of requirements or nice-to-haves at the end of that blog:
- TCP Endpoints
- Site to site VPN
- VM Networks
- Remote in to VM RDP Gateway with single sign on
- Change owner of existing virtual machines
- Change SPF Registration URL and credentials
A lot of great work has been done since the RTM version of Windows Azure Services for Windows Server. Not only have they implemented all these requirements for Service Providers, they have also pushed the envelope by implementing a lot of other great features. Because all these new functionalities deserve an easier and clearer name, the product has been renamed Windows Azure Pack.
Microsoft has released the Preview bits for Windows Azure Pack for download through the Web Platform Installer that can be downloaded here.
In the previous version (Windows Azure Services for Windows Server) the only way to connect to a virtual machine was by using the Remote Desktop Protocol and connecting directly to the IP address of the virtual machine. This required that the virtual machine was running, that RDP in the guest OS was enabled, that firewall exclusions for RDP were in place and that the virtual machine had a public IP address. This public IP address was then injected into an RDP file when a tenant used the Connect button in the Service Management Portal.
If one of these requirements was not met, you were unable to connect to the virtual machine. You can probably think of some situations where this would be the case.
One of the great new features in Windows Azure Pack is console connect. This feature allows you to connect to a virtual machine through the underlying host. This enables you to connect to the virtual machine as you are used to by using VMConnect from the Hyper-V Manager console, but then over SSL without direct access to the host.
So no matter whether your virtual machine has a private IP address, no IP address, a crashed operating system or no operating system at all, you are able to connect to it and take the required steps to resolve these issues. To connect to a virtual machine with Console Connect in the Preview version of Windows Azure Pack, the client that initiates the Console Connect session must be running Windows 8.1 Preview.
There are some limitations to Console Connect when you compare it to a default Remote Desktop connection. It is not possible to use clipboard, sound, printer redirection or drive mapping.
There are a lot of folks out there trying the Preview bits and having a hard time getting this configured. After a chat with the Program Manager for this feature we agreed that the steps to get Console Connect configured can be described in this blog post. Please take note that these steps will change in the RTM of Windows Azure Pack, where the host management for Console Connect is moved to System Center Virtual Machine Manager 2012 R2.
Console Connect leverages the Remote Desktop Gateway feature in Windows Server 2012 R2. In essence you are connecting to a host that will in turn present the screen/keyboard/mouse functionality (optionally through a Remote Desktop Gateway). This requires proper security measures to enforce that a tenant can only access his own virtual machines and not the virtual machines of another tenant or, even worse, connect to the host in the management domain.
To enforce these security measures, support for claims-based authentication in Windows Server 2012 R2 Hyper-V is leveraged. Windows Azure Pack and System Center Service Provider Foundation 2012 R2 authenticate and authorize access to virtual machines and provide a token that the Hyper-V host uses to grant access to a single virtual machine. Certificates are used to create a trust relationship between the Hyper-V hosts and System Center Service Provider Foundation 2012 R2. The certificate allows claims tokens issued by System Center Service Provider Foundation 2012 R2 to be accepted by the Hyper-V hosts.
In addition to the security measures of claims-based authentication, the configuration of the Remote Desktop Gateway limits its functionality to console access to virtual machines only, so it cannot be used for other purposes.
For this blog I’m using a lab environment. In this lab environment System Center Virtual Machine Manager 2012 R2 and the Windows Server 2012 R2 Hyper-V clusters are located in a management domain. Windows Azure Pack is installed in a DMZ in a separate domain. The Remote Desktop Gateway is deployed in the same domain as Windows Azure Pack. The two environments are separated by a firewall. If you have a smaller lab environment with a single domain and all the Azure Pack components installed on a single host (express installation) the steps for configuring Console Connect will be the same except for the location of some objects. I will assume that you have Windows Azure Pack already up and running.
The steps for configuring Console Connect for the Windows Azure Pack preview can be divided into the following parts:
- Service Provider Foundation
- Hyper-V hosts
- Remote Desktop Gateway (only required for access from the internet)
- Windows Azure Pack