I’m on the my 3rd iteration of my EMS lab. Meaning, I had something up and running (twice) then tore it down to start over again learning from my mistakes…or in the most recent rebuild it was really to move several of the workloads I was running on premise to VM’s in Azure IaaS. More on that later…
The “Ultimate” EMS lab is going to try to emulate a real-world customer environment in most every way possible . You obviously want to be able to connect to the various services like Office 365, Intune, Azure Active Directory, enable SSO, mobile device management and such and also have the ability to enable some of the more advanced scenarios like lighting up MFA on premise scenarios and RemoteApp. The only EMS feature that I really don’t do anything with in my environment is FIM (Forefront Identity Manager). For the most part, that is really a completely different discussion and I am lucky to work with some really great SI Partners who have a lot of practical experience with FIM and identity management in general. So, when the conversations go down that path – we bring in the experts here.
Anyway, on the last pass through I took a bunch of notes and screenshots and figured I’d share as much as I can here. This isn’t really a step-by-step walkthrough guide covering all things EMS, but more of a resource guide pointing to places where you can get the right information and some of my own experiences, gotcha’s and such that hopefully save you a little bit of grief if you embark on this journey.
I’ll also link here the primary deck that I use to drive these conversations. I don’t like to show a bunch of slides, but I’ve found there are a handful that need to be used. Keep in mind, this deck is current feature/functionality wise as of the date of this blog post. I’ll try to remember to keep that link updated but if not, just back out to the main folder of the OneDrive site and search for content by date updated – it should get you the latest/greatest.
I would also point you to a YouTube channel I setup where I have recorded demo/walkthrough videos.
12 Minute EMS Demo: I recorded this video showing a very high level 12 minute walkthrough of the most common scenarios that get covered during these demos. In the following blog post, I’ll give you some ideas of how to build the same demos in your lab environment.
As it sits today (and by tomorrow this will likely be slightly different…adding/changing things as I go…) this is the 10k foot view of what I’m running in my EMS lab.
Run it in Azure – or – Keep it ‘On-Prem’?
The first time around, I ran everything ‘on-prem’. I have a nice HP Elitebook with an i7 CPU and 16GB of RAM. It was more than enough to do everything I needed (and I still use it as you can see in the diagram above – and it’s nice to have especially for the RemoteApp, Azure Application Proxy and other scenarios where you want to show what you can do with a site/branch connected to Azure). I installed Server 2012 R2 on the host, enabled Hyper-V and turned it into a DC. (I hate having my only DC in a self-contained lab like that as a VM…if the host reboots and the DC VM doesn’t start…you are hosed!) I ran all the VM’s in Hyper-V, including a RRAS VM that I used to pin up a site-to-site VPN to Azure. I also have the luxury of a reeeealy nice internet connection. I use ATT Gigapower at home and have a more than adequate pipe to run all of this as well as pin up a high performance VPN. I also have a small subnet of static IP’s so I was able to assign an IP to a Server 2012 R2 VM running RRAS to act as a VPN endpoint without having to worry about poking holes in the SOHO firewall. Also, many of the SOHO firewalls don’t pass GRE or other IP protocols required for VPN connections so many folks trying to get an on-premise setup going through their SOHO firewalls run into a bunch of problems. For fun, here’s the speed test for my home internet connection. 🙂
My 2nd iteration I moved a couple things to Azure but had ran into a weird problem trying to run AD and ADFS on the same D2 sized VM. Pretty much immediately after I had ADFS installed and configured just about every reboot would leave the login stuck at “please wait…” and I’d never actually get in. I could force a hard restart in the Azure portal but that would take forever and even then there was a percentage of time where the login would stick at “please wait…” or I’d get in but the ADFS service would stick at ‘starting…’. I thought there was just something weird going on in that setup but when I started the 3rd iteration and I setup that first VM exactly the same (AD and ADFS on the same box) and ran into the exact same issue. So, lesson learned there. I separated AD and ADFS and haven’t had any problems since. I never actually figured out what the technical problem was with this configuration – I just moved on. AD and ADFS is supported on the same server so it shouldn’t be an issue – there just must have been something with my exact configuration that was causing some problems. Either way, just an FYI…
The obvious advantage of running the core workloads in Azure (AD/ADFS/WAP) are fairly straightforward and really the same reasons any customer would want to run this stuff in the cloud. It’s highly available, great internet connectivity that’s not dependent on your home network connection being up, it’s easily accessible and it’s just nice having everything in the same spot when you are doing demos…if you are in the Azure portal you can get to everything. The downside I guess is that you have to pay for it on a monthly basis vs just using the internet connectivity you are already paying for at your house/office and using paid for resources like laptops or servers for the virtualization hosts.
I do run into situations from time to time where customers have blocked outbound access to RDP ports. If that’s the case, you could setup a RD Gateway host either in Azure or on-prem so that you can get RDP access via SSL. Another cool scenario to enable here would be to integrate the RD Gateway with the on-prem MFA to force a 2nd factor authentication against the RDS login. It’s a cool scenario to demo and can also be quite practical for the reasons previously mentioned. Here’s a link to the best guide that’s out there now on how to set this up:
I’ve also published a PPT presentation with screenshots showing what you need to configure to get this up and running as well.
For me, I have access to a couple Azure subscriptions (MSDN and a Microsoft Internal) and I had enough capacity to run 3 smallish sized VM’s just about 24X7 along with a VPN and a few other services without tapping out my capacity.
Here’s what I’m running in Azure:
- Domain Controller / IIS / MFA Server on an A3 sized VM. In additional to DC/DNS duties this VM runs IIS and hosts the Azure MFA User Portal, SDK and Mobile Site. I also setup a ADFS sample claims app here to do some testing/verification that I had ADFS setup correctly.
- ADFS/MFA Server on a D2 sized VM. This VM is really only running those two server services but it’s also the VM that I remote into to drive the demo. So, I have the consoles installed here, all the remote administration tools for AD, DNS, Hyper-V, etc… RDP shortcuts to all the other VM’s in the lab, Azure and Azure AD Powershell, etc… I also run Azure AD Connect from this VM as well.
- WAP Server on an A2 sized VM. This thing pretty much just does WAP. I had it on a A1 VM the first time around and it worked but it was dreadfully slow remoting into and trying to get anything done on it. Really though, once you get it setup you won’t do much here so you could get it setup with a bigger sized VM and then downsize it once you are ready to put it in production.
- Non-domain joined Windows 8.1 machine. I use this to run most of my end-user experience demos. From here I access the myapps.microsoft.com application portal and show how a user can connect to a “BYO” device and get access to corporate resources using their hybrid identity. I also show how a user can do a self-service password reset, the RemoteApp client experience, various MFA scenarios, etc…
A few things to note:
- Static IP’s. You’ll want to at least assing a static IP to the DC’s you have running in Azure. This is easy to do in the new portal.azure.com preview portal. Just dig into the VM and set the static IP. You can also do this via powershell as well.
- Or via the portal.azure.com preview portal:
- Before you get started provisioning VM’s in Azure you need to determine whether or not you are going to get a site to site VPN up and running. The reason for this is that you’ll need to provision the VM’s that you want to be able to communicate across the VPN into that virtual network. So, if you get everything up and running and then decide later that you want to create a VN for a VPN…you can’t just move the VM’s over. So, take that into consideration before you get started.
- Provision all the VM’s into the same cloud service? You can, but be aware that only a single VM in the same cloud service can sit on an endpoint. So, if you want to publish SSL for example on 2 of the 3 VM’s and you set them all up in the same cloud service – you won’t be able to. I figured I could get away with setting them all up in the same cloud service but just opted to create a unique one for each VM just in case I needed to open other endpoints at some point in the future.
What’s Running “On-Prem”?
- Well, everything else. 🙂
- Here’s what I setup:
- 2nd Domain Controller. If you do this, be sure to follow a guide like this – or something similar – that gets your replication right across multiple sites. If you don’t then your DC’s will be chattering across the VPN just like they were sitting in the same rack plugged into the same switch. Might not be a big deal to you, but if it is then you’ll want to get AD configured correctly. There’s also a helpful GUI tool to make sure your AD replication is working properly. I run it from time to time just to make sure that my DC’s are healthy and able to communicate across the WAN.
- SQL Server 2012. Need this for all kinds of things. Mainly for me it’s SCCM 2012 R2 that I have setup to drive an Intune hybrid configuration. But a lot of stuff needs SQL so might as well have it ready.
- SharePoint 2010: Nice demo for the Azure Application Proxy (and it needs that SQL Server…)
- RRAS Server: Windows Server 2012 R2 server running RRAS to pin up the VPN’s for site to site and the RemoteApp VPN. I authored a blog recently on how to get this setup in your environment – it’s dead simple with Server 2012 R2.
- Domain joined Windows 8.1 client machine. This is helpful to show SSO ‘behind the firewall’ scenarios. For customers who don’t have ADFS or haven’t used it – it’s nice to be able to show what SSO looks like for someone that’s on a domain joined machine or connecting behind the firewall.
- SCCM 2012 R2 with CU4. Not really much else configured here except for the connection to an Intune tenant. Make sure you have the latest/greatest cumulative update release for SCCM installed – at the time of this writing it’s CU4 for 2012 R2.
- Android x86 Emulator in Hyper-V.
It can be overwhelming trying to figure out where to start here. Here’s how I approached it.
- Get your O365, Intune, Azure AD Premium tenants all setup. Ideally, you’ll use the same Azure AD backend for everything. I started with O365, like most customers do.
- Provision an O365 E3 trial – take note of your global admin credential. It will be something like firstname.lastname@example.org.
- You really want to setup a custom domain name. Head over to GoDaddy or similar and get one. I grabbed getmobile.mobi and set all that up using O365. It’s nice because O365 has a direct tie-in to GoDaddy – so you just provide your GoDaddy credentials in the O365 admin portal and it goes out and provisions all the DNS records you need to get mail flowing. If you don’t get a custom domain you’ll probably have trouble getting the mail flow working properly.
- Now take that same credential and go login to the Intune portal and setup a trial there using the same credential. Now both will share the same Azure AD backend.
- Now in your Azure subscription go to the Azure Active Directory section and click on NEW and take all the defaults to create a new Azure AD tenant…EXCEPT…choose the option to add a directory that’s already been created so that you can bring it into the Azure portal for management.
- Now you’ll see the ‘yourcompany.onmicrosoft.com’ tenant in your Azure portal. You can now go to the license tab in the Azure AD tenant and enable AD Premium.
- It’s worth mentioning that you need to assign an AD Premium license to not only the users but also to the admins that are logging into the portal. If you don’t, then the admins will not be able to see the premium features available in the ‘configure’ tab for the directory.
- OK, now you have all your tenants setup using the same Azure AD backend. Now it’s time to build out the main components of the lab.
- Another cool by-product of this arrangement is that you can provision the licenses for all these services for each user in the O365 portal at one time.
Building out AD/ADFS/WAP
- Certificates: If you have access to a public signed certificate for your lab (say a wildcard or SSL cert) then it will make your life easier. I use DigiCert and create a handful of SSL certificates for my ADFS server, WAP and SCCM servers so that I don’t have to use self-signed certs or use the AD certificate services. If you don't then the guides below will help you understand what you need to have from a cert perspective but it’s one of those necessary evils that you have to have in place for this lab to work (The WAP can ONLY accept HTTPS traffic, for example) so there’s no way to work around it.
- Active Directory: Not much to say here – this process is pretty well documented and cut and dry. One thing I did though to make my life a bit easier was use the same internal AD domain as the internet domain name I acquired through GoDaddy. So, for me I use GETMOBILE.MOBI both inside and outside.
- SMTP Proxy Address: If you aren’t running Exchange on-prem or haven't gone through the AD schema prep for Exchange on-prem then you won’t be able to assign your O365 users a primary SMTP address that matches the custom domain you setup in O365/Azure AD. This causes problems sending email from your demo accounts because their primary SMTP is an xyz.onmicrosoft.com account which typically ends up with NDR’s. The way around this is to setup a proxy address for your demo users you synch up to Azure:
- UPN’s. Ugh…these can be a pain. To get your users to sync to the cloud there needs to be a matching UPN in on-prem AD. The easiest way most folks solve for this is to create a alternative UPN in the AD Domains and Trusts tool. This way it gets created automagically for all your users. For me, I don’t run into this because my local AD name matches my Azure AD custom domain so it just works.
- Azure AD Sync/AD Connect: Download the latest version of whatever sync tool is up to date at the time you are building your lab. As I author this – the latest “GA” tool is Azure AD Sync. However, the Azure AD Connect Public Preview 2 was just released and that’s what I’m using in my lab (I upgraded AAD Sync). The process here is very straightforward (the new AD Connect tool provides quite a few additional features that you may or may not want to use – including the ability to configure your ADFS/WAP servers. I’ll let you do the research here to figure out what’s the best tool for you.
- Once I get the tool installed I throw a few shortcuts on to my desktop.
- For AD Synch put a shortcut to the Sycn Manager Tool on the desktop for easy access. "C:\Program Files\Microsoft Azure AD Sync\UIShell"
- Once I get the tool installed I throw a few shortcuts on to my desktop.
- They also include a cmd file that allows you to do a full synch when needed vs waiting the 3 hours it takes on it’s own. This is great if you are adding some new users/changing things and need AAD updated immediately. I throw a shortcut to this out on my desktop as well. "C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe"
- ADFS: There’s an exceptional lab guide HERE. Every time I’ve setup my lab I’ve used this guide and followed it step-by-step and everything works. One thing to note here – it’s a best practice to NOT name your ADFS server (as in the HOSTNAME) the same as federation service name you choose during the ADFS configuration process. It causes SPN issues, etc… that I won’t go into here. But suffice it say if you give your ADFS server a hostname of ADFS.DOMAIN.LOCAL then name the federation service something like STS or FS…not ADFS.
- Rhoderick proves another good ADFS setup guide here as well.
- Part 1: Setup of ADFS: http://blogs.technet.com/b/rmilne/archive/2014/04/28/how-to-install-adfs-2012-r2-for-office-365.aspx
- Part 2: Web Application Proxy Configuration: http://blogs.technet.com/b/rmilne/archive/2014/04/28/how-to-install-adfs-2012-r2-for-office-365_1320_part-2.aspx
- Part 3: Federating with O365 / SSO: http://blogs.technet.com/b/rmilne/archive/2014/04/30/how-to-install-adfs-2012-r2-for-office-365-part-3.aspx
- WAP: For WAP, I’d use the Part 2 of Rhoderick’s guide linked in the section above this one. It’s a pretty straightforward setup.
Lab Guides for Additional Scenario’s:
Here are some configuration guides/tips and tricks for some of the additional components that you’ll setup in your EMS lab:
- There are a few options here. In my lab, I brought the MFA Server down on-prem so that I could leverage the ADFS Adapter and light up additional MFA scenario’s for intranet/extranet, AD security group and device registration. You can also set this up and demo it from the cloud. Here’s a good guide detailing that process: http://blogs.technet.com/b/ad/archive/2013/10/10/getting-started-with-windows-azure-multifactor-authentication.aspx
- Dave Harris has a nice guide here on how to setup the MFA Server on-prem and get the mobile app working. http://dave.harris.uno/installing-and-configuring-azure-multi-factor-authentication-mfa/
- Here is the official Azure MFA Documentation. https://msdn.microsoft.com/en-us/library/azure/dn249471.aspx
- Azure RMS
- I show these primary scenarios around Azure RMS.
- How to enable RMS in O365, how to configure a new template in the Azure Portal along with the various options available, how to publish and then how the client connects to and can use the templates that get published.
- Securing an O365 SharePoint site using RMS. I enable RMS for a document library on a SharePoint site and show how anything that gets saved there automatically has a policy applied. So, if I download that and try to open it on a non-domain joined PC then it prompts for AD credentials to access.
- RMS Sharing. I detail the user experience of how someone can share RMS protected information with an external user. This isn’t possible using the Windows Server RMS services since it’s so tightly integrated with on premise AD. However, with the RMS Sharing (this service is really called RMS for Individuals) its easy to get setup so that anyone can share protected information. This is not an EMS feature – but it’s lit up using Azure AD on the backend and it’s a relevant demo – a lot of folks are trying to solve for this these days and to be able to do this for free is pretty compelling.
- EMS provides for some additional document tracking/management capabilities around RMS. I show these in the demo.
- I show these primary scenarios around Azure RMS.
- Microsoft Intune
- In my lab I have 2 Intune subscriptions configured. The first is a “Cloud Only” meaning that I have to connect to the Intune Admin Console online to configure the settings. The other in what’s referred to as Intune “Hybrid”, meaning I’ve connected SCCM 2012 R2 to the tenant using the Intune Connector in SCCM.
- I demo the common scenarios:
- device enrollment
- application management using the Office Apps with integrated Intune MAM
- policy configuration
- conditional access scenarios
- device management (selective wipe, etc…)
- UDM with SCCM 2012 R2
- It’s obviously helpful here to have an iPad / Android device for testing. I tried using the iPad emulator and didn’t have a great experience with that. So, I bought an iPad to drive the demos and it works great.
- I use an app called Reflector that allows me to share the iPad screen when I’m doing remote demos via Skype for Business with customers.
- I linked it above somewhere – but you can setup an Android device on a Hyper-V VM using bits from android-x86.org. Android x86 Emulator in Hyper-V
- If you have the ability to pin up a VPN then I’d highly recommend getting RemoteApp up and running. It’s well documented and pretty easy to get setup. http://azure.microsoft.com/en-us/documentation/articles/remoteapp-create-hybrid-deployment/
- The hybrid deployment allows you to publish the clients for LOB apps and the VPN ensures that they can connect to the backend servers on the other end of the VPN. In my lab, I’ve published things like the SCCM Management Console and SQL Server Management Studio to show how I can connect to those using my AD credentials and an iPad or a Windows 8.1 client.
- There is also an option to create an O365 RemoteApp Collection. This is nice if you have that O365 tenant already configured. You can assign O365 users to the collection and now they can connect to the RemoteApp client, use the Office applications and connect to and save content out to OneDrive for Business. This is a fun demo on an iPad.
- Azure Application Portal / SSO
- This is one of the most common scenarios and folks like to spend a lot of time here walking through the features in the portal (what do you get with AAD “Free” vs AAD Premium, etc…), how to setup the hybrid identity (Azure AD Connect), how to federate to various applications and make those accessible to the end users.
- I like to emphasize how it easy it is to add Azure AD Premium to those existing O365 customers. They just need to bring their Azure AD backend for O365 into the Azure portal for management (discussed in this blog post previously) and turn on the AD Premium license. Once they do that they have all kinds of additional scenario’s available to them.
- This demo changes frequently based on the new features that are showing up in preview in the Azure portal. I basically walk through the ‘configure’ tab in the AAD Premium tenant to show all the various features and how they work. So, things like Self-Service Password reset, Azure Application Proxy, etc…
- Salesforce.com – Sign up for the Salesforce.com developer program. You’ll get access to a tenant that you can then setup for federation using Azure. https://developer.salesforce.com/
- Here’s a hard link to the Salesforce.com SSO tutorial to get an idea of what you’ll do here. It’s a great demo showcasing how a customer can do all the SAML federation/SSO plumbing work in Azure. https://msdn.microsoft.com/en-us/library/azure/dn308593.aspx
- Azure Application Proxy
- It’s definitely worth getting this setup – and it’s easy to do. This is one of those features that not many folks know about and a lot of customers are very interested. The AAP started out as just a pretty simple reverse proxy with pass-through only capabilities – now it’s quite impressive with new capabilities being added constantly. You can setup the AAP to connect to whatever you want behind the firewall without the IT Admins having to touch an internet connected endpoint. I publish a default IIS page and SharePoint 2010 site behind my firewall and make that accessible via the myapps.microsoft.com portal.
- Azure Connect Health Service
- Awesome new service for Azure AD Premium customers. Check it out via the blog posting here. It’s a great demo to show customers running an ADFS/WAP infrastructure the tools available to monitor that environment (have to use the new preview Azure portal to configure this): http://blogs.technet.com/b/ad/archive/2015/01/29/azure-ad-conditional-access-and-azure-ad-connect-health-now-in-preview.aspx
- Self-Service Password Reset
- There’s not much to this one to setup – but it’s a great demo and a tool/resource that a lot of customers are very interested in. I show how you can force your users to setup a profile when they access the myapps.microsoft.com portal. They’ll need to update their phone number that the MFA service will use to contact them, an alternate email and security questions. From there, I just go out to the online password reset site and walk through the process of how a user would do a SSPR. https://passwordreset.microsoftonline.com/
- Cloud Application Discovery Tool
- Yet another awesome demo. Most customers are struggling trying to figure out how their end users are connecting to SaaS applications. The cloud app discovery tool can be quite helpful here.
- Log into https://appdiscovery.azure.com/ with a global admin account in your AAD tenant. Download the agent and install it on a computer that you actually use so that you get some relevant data. If you install the agent on a lab machine that you rarely use to browse the internet you won’t get a good demo experience. Then connect to the portal and show how the IT admins can see how folks are using SaaS applications and how they can quickly connect those in the Azure Portal.
Well, that’s all I can think of for now. I’ll promise to try to keep this up date the best that I can. If you have any questions or comments – please let me know!! Good luck!