Horizon Cloud on Azure Checklist Guide

Hello, I am back with the 2nd post on Horizon Cloud on Azure.  I have been scheduled for my first Proof-of-Concept with a customer on Horizon Cloud in Azure, but before I can start I need to gather information about the customer's Azure environment. You will have the customer create a few objects in Azure so the deployment can go smoothly.

FYI: I know that you have never had a situation when you went to start a project and found that you did not have the required [insert need here].  I refinished a bathroom last year and even had a comprehensive checklist, but I still made weekly daily hourly runs to Home Depot, Lowes and Menards.  No matter what someone else tells you, if you did not validate it yourself beforehand then you will spend hours looking for someone to grant you permissions to AD because your AD person is out the day you need them.

[As I ran through the Checklist and searched for the required information I started to become much more comfortable with the Azure Portal.]

What I like to do is schedule a pre-call with the customer to define the What's, Why's, How's, Who's and exit criteria for success before even scheduling an actual PoC.  I have already done this with my customer and we defined the use case(s), who is part of the PoC and what their responsibilities are, along with what is considered success.  I like to define the length of the PoC, especially since Azure charges by the minute for the resources in use. One last thing collected was the assumptions list.

I then schedule a call to gather the requirements before we can start the deployment, using the provided Pre-Req Checklist document. Setup Checklist at this link

The following document can be used as a how-to for completing the Requirements Checklist.  Please open the checklist to become familiar with it and follow along.  This document is not formatted to describe why you need the information, but what is needed and where it is located in the Azure portal.

  • The time required to complete and validate the prerequisites will vary on access to the Azure Portal and the permissions your customer has.
  • The time it took me to validate this information in my Portal was about 1 – 2 hours.  This excludes the creation of Azure AD Domain Services.
12/05/2017
Version 1.01
Contributors: Mark Richards

Horizon Cloud Pre-Req Setup Checklist

Please find the original Setup Checklist at this link

Horizon Cloud Control Plane Requirements

Check the box(es) if you can complete the steps below

Welcome Email

The customer will be sent a Welcome email that will give them the required information needed to login to their Horizon Cloud plane.

Logon to Horizon Cloud

Have the customer logon using their My VMware account credentials to validate they have access.

  1. Enter email address
  2. Enter password

Microsoft Azure Subscription Requirements

See Steps 1-5 below and check the boxes as the requirements are met. Use the documentation to help complete the configuration steps in Azure.

The customer should be able to logon to their Azure portal to complete the steps.

1: Minimum Microsoft Azure capacity for Horizon Cloud infrastructure in addition to expected Desktop/App workload

To determine if the customer has enough compute, do a quick check to validate that there are enough vCPUs available.

In the Azure portal:

  1. Click on Subscriptions
  2. Click on Usage + quotas
  3. Change the drop down to Show all
  4. Change the drop down to your specific Azure region
  5. Click on Services, unselect All, then select the filter items Total Regional vCPUs, Standard Av2 Family vCPUs, Standard Dv2 Family vCPUs, and Standard F Family vCPUs
  6. Make sure you have greater than 18 vCPUs available for Total Regional vCPUs
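The same check can be scripted against the output of `az vm list-usage --location <region> -o json`, which is the CLI equivalent of the Usage + quotas blade. This is an added example, not part of the original post or the checklist; the sample usage data is constructed and the `az` command is only referenced, not run.

```python
"""Evaluate the step 1 vCPU check from `az vm list-usage` JSON (added example)."""
import json

# The quota rows the post filters on in Usage + quotas, and the 18-vCPU floor it requires.
WATCHED = ["Total Regional vCPUs", "Standard Av2 Family vCPUs",
           "Standard Dv2 Family vCPUs", "Standard F Family vCPUs"]
MIN_FREE_REGIONAL = 18

# Constructed sample in the shape `az vm list-usage -o json` returns; the numbers are made up.
SAMPLE_USAGE_JSON = json.dumps([
    {"currentValue": 12, "limit": 100,
     "name": {"value": "cores", "localizedValue": "Total Regional vCPUs"}},
    {"currentValue": 4, "limit": 20,
     "name": {"value": "standardAv2Family", "localizedValue": "Standard Av2 Family vCPUs"}},
    {"currentValue": 8, "limit": 10,
     "name": {"value": "standardDv2Family", "localizedValue": "Standard Dv2 Family vCPUs"}},
    {"currentValue": 0, "limit": 0,
     "name": {"value": "standardFFamily", "localizedValue": "Standard F Family vCPUs"}},
])


def headroom(usage_json: str) -> dict:
    """Map each watched quota to its free vCPUs (limit - currentValue); None if the row is absent."""
    free = {row["name"]["localizedValue"]: row["limit"] - row["currentValue"]
            for row in json.loads(usage_json)}
    return {name: free.get(name) for name in WATCHED}


def check_capacity(usage_json: str) -> list:
    """Return a list of problems; an empty list means the step 1 capacity check passes."""
    free = headroom(usage_json)
    problems = []
    regional = free["Total Regional vCPUs"]
    if regional is None or regional <= MIN_FREE_REGIONAL:  # the post requires *greater than* 18
        problems.append(f"Total Regional vCPUs: free={regional}, need > {MIN_FREE_REGIONAL}")
    for name in WATCHED[1:]:
        if free[name] is None:
            problems.append(f"{name}: quota row not present in this region")
        elif free[name] == 0:
            # limit 0 means the family is not offered in the region; otherwise the quota is exhausted
            problems.append(f"{name}: no free vCPUs (limit reached or family not available here)")
    return problems


if __name__ == "__main__":
    for p in check_capacity(SAMPLE_USAGE_JSON) or ["capacity check passed"]:
        print(p)
```

With the constructed sample the script reports that the Standard F family has no free vCPUs in that region, which is exactly the kind of gap that would otherwise surface only when the Horizon node deployment fails.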

2: Service principal and authentication key created


You need to create the required service principal by creating an application registration.

In the Azure Portal:

  1. Click on Azure Active Directory
  2. Click on App registrations
  3. Click New application registration

2a: Create new application registration

  1. Enter a unique but descriptive Name, e.g. Hnz-Cloud-Principal
  2. Choose Web app / API for the Application type
  3. Enter http://localhost:8000 in the Sign-on URL field
  4. Click Create

2b: Create the authentication key

  1. Click on the Principal app you created in the step above
  2. Save the Application ID value for later use
  3. Click on Keys
  4. Enter a Description for the key Hzn-Cloud-Key1
  5. Choose a Duration Never expires
  6. Enter a password value VMware1!
  7. Click Save
  8. After you save, the Value will be converted to the key.  Save the Key value for later use
Saved values
Application ID: 4e43b4ad-5a84-4169-acb5-83d239aa69b7
Key ID: x1SZLY3V2CSRjYzOvYlYJ3RBmaMxsDxnfSmh0Yed/FQ=

3: Service principal assigned Contributor role at the subscription level

You need to add the Horizon Principal application to the Contributor role. If you miss this step then your deployment will fail as you try to add capacity to your Horizon Cloud plane.

In the Azure Portal

  1. Click on Subscriptions
  2. Click on Access control (IAM)
  3. Click on Add
  4. Choose the Contributor Role in the drop down
  5. Search on your principal app name Hzn
  6. Select your Principal app name
  7. Click Save
  8. Validate your Principal App has been added to the Contributor role

4: Required resource providers registered in Microsoft Azure subscription.

You need to make sure that the required resource providers are registered

In the Azure portal

  1. Click on Subscriptions
  2. Click on Resource providers
  3. Check that the following resource providers are registered:
     - Microsoft.Compute
     - microsoft.insights
     - Microsoft.Network
     - Microsoft.Storage
  4. Click Register on any of the required resource providers that are not yet registered

5: Microsoft Azure subscription ID, directory ID, application ID and key identified.

Please see Step 2b above for the Application ID and Key ID that you saved

  1. Click on Subscriptions
  2. Click on Overview
  3. Copy your Subscription ID value
  4. Click on Azure Active Directory
  5. Click on Properties
  6. Copy your Directory ID value
Required values

Subscription ID: 102xxxxx-xxxx-xxxx-xxxx-xxxxxxxxx4a6f
Directory ID: cf6bc291-4cf2-xxxx-bea8-40398ae3649b
Application ID: 4e43b4ad-xxxx-4169-acb5-83d239aa69b7
Key ID: x1SZLY3V2CSRjYzOvYlYJ3RBmaMxsDxnfSmh0Yed/FQ

Network Requirements


See Step 1 below for more detail and check the boxes as the requirements are met.

  1. You need 3 non-overlapping subnets reserved in CIDR format (these will be created on the VNet during Horizon Cloud deployment)
     • Management subnet - /28 minimum [10.0.1.0/24]
     • Tenant subnet - /28 minimum, with a /24 preferred based on the number of RDS servers [10.0.2.0/24]
     • DMZ subnet - /28 minimum when Unified Access Gateway is deployed [10.0.3.0/24]
  2. For the NTP server address you can leverage a public server or the customer's pre-configured servers, for example:
     • time-a-g.nist.gov 129.6.15.28
     • time-b-g.nist.gov 129.6.15.29
     • time-c-g.nist.gov 129.6.15.30
  3. You need accessible DNS servers, either public or internal

Note that steps 4-6 are optional and only required if you need external access to Horizon Cloud Apps

  4. You will need an external host name for the Horizon service, e.g. hzn.customer.onmicrosoft.com
  5. The customer must create a public DNS record for the host name above
  6. The customer must create an SSL certificate in PEM format.  You need Key+Server+CA all added to a single PEM format file.

1: Microsoft Azure Virtual Network (VNet) created in desired Microsoft Azure region with applicable address space to cover required subnets.

You need to create a VNET in the Azure portal for the Horizon node to deploy to and configure.  Note that you need enough address space to allow for the 3 non-overlapping subnets reserved in CIDR format (created on the VNet during Horizon Cloud deployment).

  1. Click on Virtual networks
  2. Click on Add
  3. Give your VNET a unique name hzn-net
  4. Enter your Address space 10.0.0.0/22
  5. Choose an Existing or Create a new Resource Group
  6. Choose your Azure Location
  7. Enter the name of your subnet
  8. Enter the Address range of that subnet 10.0.0.0/24
  9. Click Create

1a: VNET Peering if required

If your Active Directory is on a separate VNET, then you need to establish VNET peering between the two.

In the Azure Portal you need to peer your Horizon VNET to your AD VNET.

  1. Click on Virtual networks
  2. Click on your Horizon VNET you created hzn-net
  3. Click on Peerings
  4. Click Add
  5. Give a Name like hnz-net-peer-to-infra-net
  6. Choose the VNET that includes your Active Directory Service, infra-net
  7. Click on the Allow forwarded traffic
  8. Click on the Allow gateway transit
  9. Click Ok

1b: VNET Peering if required

If your Active Directory is on a separate VNET, then you need to establish VNET peering between the VNETs.

In the Azure Portal you need to peer your AD VNET to your Horizon VNET.

  1. Click on Virtual networks
  2. Click on your existing Active Directory VNET, infra-net
  3. Click on Peerings
  4. Click Add
  5. Give a Name like infra-net-peer-to-hzn-net
  6. Choose the Horizon VNET you created, hzn-net
  7. Click on the Allow forwarded traffic
  8. Click on the Allow gateway transit
  9. Click Ok
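Before creating the VNet and the peerings above, the address plan from the Network Requirements (three non-overlapping subnets, /28 minimum, inside the 10.0.0.0/22 space) can be sanity-checked offline. This is an added example and not part of the original post or checklist; the address range assumed for infra-net is a constructed value, and the rule that peered VNets need disjoint address spaces is an Azure constraint, not something the post states.

```python
"""Check a Horizon Cloud on Azure network plan with the standard ipaddress module (added example)."""
from ipaddress import ip_network

MIN_PREFIX = 28  # the post: every Horizon subnet is /28 minimum

# Values taken from the post's walkthrough.
HZN_VNET = "10.0.0.0/22"
EXISTING_SUBNETS = {"default": "10.0.0.0/24"}          # subnet created with the VNet
HORIZON_SUBNETS = {"management": "10.0.1.0/24",        # created by the Horizon deployment
                   "tenant": "10.0.2.0/24",
                   "dmz": "10.0.3.0/24"}
# Constructed assumption: address space of the peered infra-net that holds the DC at 192.168.1.4.
INFRA_VNET = "192.168.0.0/22"


def check_plan(vnet: str, existing: dict, horizon: dict, peers=()) -> list:
    """Return a list of findings; an empty list means the plan is deployable."""
    findings = []
    space = ip_network(vnet)
    planned = {name: ip_network(cidr) for name, cidr in {**existing, **horizon}.items()}

    for name, net in planned.items():
        if not net.subnet_of(space):
            findings.append(f"{name} {net} is outside VNet address space {space}")
        if name in horizon and net.prefixlen > MIN_PREFIX:
            findings.append(f"{name} {net} is smaller than the /{MIN_PREFIX} minimum")

    # Horizon creates its subnets on this VNet, so none of them may overlap each other
    # or any subnet that already exists.
    names = list(planned)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if planned[a].overlaps(planned[b]):
                findings.append(f"{a} {planned[a]} overlaps {b} {planned[b]}")

    # VNet peering (steps 1a/1b) is only accepted between disjoint address spaces.
    for peer in peers:
        if space.overlaps(ip_network(peer)):
            findings.append(f"VNet {space} overlaps peer VNet {peer}; peering will be rejected")
    return findings


if __name__ == "__main__":
    for line in check_plan(HZN_VNET, EXISTING_SUBNETS, HORIZON_SUBNETS, [INFRA_VNET]) or ["plan OK"]:
        print(line)
```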

1c: DNS servers

You need to make sure that the new Virtual Network you created points to your DNS or Active Directory.

  1. Click on Virtual networks
  2. Click on the VNET you created hzn-net
  3. Click on DNS servers
  4. Choose Custom
  5. Add your DNS server(s).  My Domain Controller is my DNS at 192.168.1.4
  6. Click Save

Active Directory Requirements

See Step 2, 6-7 below for more detail and check the boxes as the requirements are met.

  1. Validate with the customer that they have one of the following:
     - On-Prem AD that is connected via VPN
     - Azure AD Domain Services (This is NOT Azure Active Directory)
     - An Active Directory Server VM running in Microsoft Azure
  2. Validate the domain functional level (see Step 2 below)
  3. Create a standard User in Active Directory for Domain Binds (see note about permissions in the checklist)
  4. Create another standard User in Active Directory for Auxiliary Domain Binds
  5. Create an account in Active Directory that has permissions to Join. Required permissions:
     - Create Computer Objects
     - Delete Computer Objects
     - Write All Properties

2: Validate the domain functional level

Open Active Directory Users and Computers

  1. Find the Domain and right click
  2. Click on Properties
  3. See the Functional Level, which must be either Windows Server 2012 R2 or Windows Server 2016

6: Active Directory groups

You need to create 2 Active Directory groups, Horizon Cloud Administrators and Horizon Cloud Users.  This should be self explanatory.

  1. Click on the OU that you want the groups
  2. Click on the new group icon
  3. Give your Horizon Cloud Administrators group name
  4. Click Ok
  5. Click on the new group icon
  6. Give your Horizon Cloud Users group name
  7. Click Ok

6a: Horizon Cloud administrative group membership

You need to add the Domain Bind and Aux Domain Bind users that you created in step 3 and 4 to the Horizon Cloud Administrator group you just created.

  1. Double-Click on your Horizon Cloud Administrator’s group
  2. Click the Members tab
  3. Click Add
  4. Enter the names to search on
  5. Click Check Names
  6. Select the users required, domain bind, aux domain bind and domain join users
  7. Click Ok
  8. Click Ok

7: Active Directory organizational unit(s) (OU) for RDS session-based desktops and/or published applications

You should create a specific OU for the RDS servers; this will allow you to create targeted Group Policies and User Environment Manager settings.

  1. Right click on the Parent OU
  2. Click on New
  3. Choose Organizational Unit
  4. Enter a Name for your OU like Horizon Cloud RDS
  5. Click OK
Ports and Firewall Requirements

You need to validate that the required ports are open and that no Network Security Groups (NSG) are denying traffic.

  1. See Step 1 below to validate ports are open on the Active Directory Server and VNET
    1. You may also need to check any Windows Server firewalls to validate the ports are open
  2. TrueSSO is optional but may be required if using Workspace.  If deployed, check step 1 and validate that 32111 TCP is open
  3. The Horizon protocols firewall rules for external access will be defined in an automatically deployed NSG
  4. The Horizon protocols for internal access need to be defined on any edge gateways between Azure and the customer's network.  This is optional and only required if the customer will connect to the Horizon resources over the backhaul or Express Connect

1: Network Security Group

  1. Click the Network security groups
  2. Review the Lists
  3. If there is a Security Group for your AD server then click it to review
  4. Click on Overview
  5. Review the Inbound Security rules
  6. Review the Outbound Security rules

Horizon Cloud Base Image and Farms

Validate the customer has the required VM Configurations available

1: Minimum Microsoft Azure capacity for Horizon Cloud infrastructure in addition to expected Desktop/App workload

To determine if the customer has the required VM Configurations:

In the Azure portal:

  1. Click on Subscriptions
  2. Click on Usage + quotas
  3. Change the drop down to Show all
  4. Change the drop down to your specific Azure region
  5. Click on Services, unselect All, then select the filter items Standard Dv2 Family vCPUs and Standard NV Family vCPUs
  6. Validate they are available in the list

Licensing Requirements

  1. Validate with the customer that they have their own licensing or they will be using an Azure CAL license.

Conclusion

Please note that you and your customer should have a comfortable understanding of what Horizon Cloud on Azure is and why you are completing the checklist.

I mainly created the document for myself so I knew exactly what and why I needed the information.  Look for the PoC deployment guide coming soon.

-thanks Mark
