Step-by-Step: RemoteApp Hybrid Deployment–Part 1

Hello Folks,

Lately we looked at several steps needed to setup your infrastructure in order to have Microsoft Azure as a transparent part of your existing environment.

To get more information and to increase your Azure skills, I highly recommend you take advantage of the Microsoft Virtual Academy modules for Azure.

Hybrid Deployment

The cloud deployment model is an ideal way to provide access to a standard office productivity app suite. In contrast, the hybrid deployment model offers significantly more customization: Apps, OS, and settings are under your control.

You own the template image and manage it directly through the Azure Portal. The apps run in a domain-joined environment, with full access to your on-premises network and data. Through integration with Azure AD, users use their corporate credentials to logon.

Four key concepts play an important role in the Azure RemoteApp’s hybrid deployment model:

  • Hybrid Networking
  • Hybrid Management
  • Custom Template Images
  • Federated Identity

In part 1 we will create the RemoteApp service, create and upload our custom image and finally publish the apps we loaded on that image.  In my case I kept it simple and created an image with 2 small apps on it

  • putty
  • Audacity

However, this is the perfect method to deploy your Line of Business (LOB) to the cloud so all your users can access them wherever they are on whatever device they may be using.

In part 2 next week we’ll connect that services with a federated directory synced with our local AD.

Create a RemoteApp service

This is the easy part.

1- In the Azure portal, click the “+’' sign in the action barre, select App Services, RemoteApp, Create with VPN.  Give it a name in may case I called it ContosoApps


2- Once created, you’ll notice in the “all Items” section of the portal that it’s listed with “Input Required


The next sections will cover those input requirements

Link to a virtual network

The first input needed is to connect our RemoteApp deployment is to link it to our network.  The second is t get the configuration script for my gateway and the third is get the key for the shared secret the gateways will use to encrypt the tunnel.


1- By clicking The “link a remoteapp virtual network” it starts the dialogue box to create a new virtual network that we will link to our on local datacenter.


2- I gave mine the name “contosoapps” and located it in the East US datacenter.



3- I selected as the virtual network address space (it’s the next logical space in my overall design as deployed in the Step-by-Step: Multi-Site Azure VPN post).  and defined the IP address space of my local datacenter network.


4- In the next page we need to setup the DNS that will be used in that virtual network and the IP address of the public end of my edge device (if you don’t mind I’ll hide that part).  I set it to Dynamic routing. before closing the wizard.


5- clicking the “get script” will download the configuration script for our edge device.


6- Once the script is downloaded, click “get key” to get the IP address of the gateway in our virtual network and the shared key we will be using.


7- Ok.  we have the script, we have the key and the ip address of the gateway in azure.  but since we already have RRAS setup on our edge device we don’t need the whole script.  we only need the following lines

# Add and configure S2S VPN interface
-Protocol IKEv2`
-AuthenticationMethod PSKOnly`
-NumberOfTries 3`
-ResponderAuthenticationMethod PSKOnly`
-Name` #<-- Azure Gateway IP Address of the RemoteApp Virtual Network
-Destination` #<-- Azure Gateway IP Address of the RemoteApp Virtual Network
-IPv4Subnet @("")`
-SharedSecret <replace this part with the key> #<-- Shared Key to the Gateway

# Restart the RRAS service
Restart-Service RemoteAccess

# Dial-in to Azure gateway
Connect-VpnS2SInterface -Name

and we end up with our local datacenter connected to the RemoteApp virtual network that the wizard create for us earlier.


8- Finally, the last part of the networking configuration.  We will define what domain the virtual machine created by the template will join.


9- The Wizard will ask for the Domain Name (Provide the name of your domain to join the RD Session Host servers.). The Organizational Unit Name (This is an optional field. Provide the name of your organizational unit to join the RD Session Host servers. ) and the Service Account User Name (Provide the user name of a service account that has permission to add computers to the domain.)


The networking is complete.

Link a template image

Azure RemoteApp uses a Windows Server 2012 R2 template image to host all the programs that you want to share with your users. To create a custom RemoteApp template image, you can start with an existing image or create a new one.  I created a new one.

The requirements for the image that can be uploaded for use with Azure RemoteApp are:

  • It must be on a VHD file (VHDX files are not currently supported).
  • The VHD can be either fixed-size or dynamically expanding. A dynamically expanding VHD is recommended because it takes less time to upload to Azure than a fixed-size VHD file.
  • The disk must be initialized using the Master Boot Record (MBR) partitioning style. The GUID partition table (GPT) partition style is not supported.
  • The VHD must contain a single installation of Windows Server 2012 R2. It can contain multiple volumes, but only one that contains an installation of Windows.
  • The Remote Desktop Session Host (RDSH) role and the Desktop Experience feature must be installed.
  • The Encrypting File System (EFS) must be disabled.
  • The image must be SYSPREPed using the parameters /oobe /generalize /shutdown (DO NOT use the /mode:vm parameter).

10- I created that VM on my local Windows 8.1 pro machine and clicked the “link a RemoteApp template image” item in the menu.


11- in the wizard I selected “upload a new template image


12- Ensure you have an up-to-date version of the Azure PowerShell module installed. Enter the name of the template you want to use. the location for it.


13- The next screen will provide the script needed and the command to be run in PowerShell.


14- Ensure that the script is in the same directory as the location you’re in when running the command


executing the provided command will start the script and it will prompt you for the location and name of the image. It will confirm that it meets the requirements and it will perform the upload.  (This can take a LOOONNG time depending on the size if the image and your internat pipe.)


It will provision an image based on the template and once complete you can publish any application installed on that image.


Publish an Application

The last section of part 1 is going to publish the applications we need.

15- Click on “publish RemoteApp programs” and follow the wizard.


16- Select the apps you want to publish and click the check mark.


17- The Apps selected will be listed in the portal under “RemoteApp programs



That’s is for tonight.  It’s 2 AM and I need to get to bed. Smile

The upload on my residential connection took a lot longer than I expected.

Next week we will complete the Hybrid deployment by linking the Active directory in our datacenter to the one in Azure and configuring user access.

Until then, I highly recommend you take advantage of the Microsoft Virtual Academy modules for Azure.



Pierre Roman | Technology Evangelist
Twitter | Facebook | LinkedIn

Comments (0)

Skip to main content