Security should be the top priority of businesses, especially when they rely on remote solutions for their operations. Even a secure solution like Windows Virtual Desktop (WVD) has to be protected from attacks through appropriate configuration. WVD also requires DNS and supporting infrastructure like any other Windows deployment, and a properly configured virtual network helps provide safe and secure access to these resources. In this blog, we will explain how to set up a VPN on Azure WVD for tunneling traffic.
What Is Needed for Setting Up VPN on WVD?
To set up a VPN for WVD, you will need to configure a virtual network. Here are the prerequisites for the setup:
- An Azure subscription with access to Azure Active Directory.
- The Windows PowerShell cmdlets for Azure and WVD.
- Azure AD Connect for integrating on-premises Active Directory with Azure AD.
- Global administrator access to the Azure subscription.
- Existing Active Directory or a new Azure-based domain controller.
What Are the Steps for WVD VPN Setup?
There are broadly five phases of using Azure WVD with a VPN.
Setting Up Azure WVD Tenant
You will first have to set up your WVD tenant before configuring the network and connecting your deployment with a VPN. Here is a summary of the steps if you have not already done so.
- Log in to the Azure subscription with the global administrator account.
- Choose between Server App and Consent App depending on the consent option you need to use.
- Enter the GUID credentials that you can find on the Azure portal.
- Proceed with the permissions for WVD.
- Grant permission to an existing account to create WVD tenants.
- On the Azure portal, look for Windows Virtual Desktop under enterprise applications.
- Add users and permit them to create WVD tenants.
- Configure the appropriate PowerShell modules and set up the WVD tenant.
- As part of setting up the WVD tenant, you will define the RDS owner, create Azure desktop host pools, and then create app groups for desktops and remote applications.
Configuring Your Server on Azure
Once you have created the Windows Virtual Desktops, you will have to domain-join them. For that you need a virtual machine on Azure that acts as the server (it will provide DNS and later become the domain controller).
- Create a virtual machine from the Azure portal and select an appropriate image under Instance Details.
- Set up your admin account for the VM.
- Choose the type of Windows license that you will be using.
- Configure the disks as per your requirement.
- Under the Networking option, create the virtual network and the subnet for this virtual machine's interface; this network is what the WVD environment will use to reach the server.
- Once the virtual machine is up, go to its Resources section and navigate to its network interface.
- In the private IP address settings, set the IP configuration to static.
- Add the newly created static IP as the first DNS server entry for the virtual network. You will also need to add a second entry, which can be a public DNS server of your choice.
- Set the virtual network address space, default subnet, and gateway subnet to ranges from the private (Azure reserved) address space.
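The network steps above can be scripted with the Az PowerShell module. The following is an added example (not code from the original post): it pins the server NIC to a static private IP, sets the virtual network's DNS servers to that address followed by a public resolver, and adds a gateway subnet for the VPN gateway created in the next phase. The resource group, VNet, NIC name, address prefix and the second DNS server are assumptions.

```powershell
# Added example; resource names and address ranges are assumptions.
Connect-AzAccount | Out-Null

$rg   = 'rg-wvd'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-wvd'

# 1. The server will be the DNS server / domain controller, so its address must never change.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'vm-dc01-nic'
$nic.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
$staticIp = $nic.IpConfigurations[0].PrivateIpAddress    # keep the address the VM already holds
$nic | Set-AzNetworkInterface | Out-Null

# 2. Virtual network DNS: the server first, a public resolver second.
#    (The second entry is a placeholder; use the public DNS server of your choice.)
if ($null -eq $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = @($staticIp, '8.8.8.8')

# 3. The P2S gateway needs a subnet literally named "GatewaySubnet" inside the VNet address space.
if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27' `
        -VirtualNetwork $vnet | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# VMs already running on the VNet pick up the new DNS servers only after a restart or DHCP renewal.
Write-Host "Server static IP: $staticIp; VNet DNS now: $($vnet.DhcpOptions.DnsServers -join ', ')"
```

Check the result before moving on: `Get-AzVirtualNetwork` should show both DNS entries and the `GatewaySubnet`, and the NIC should report `Static` allocation.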
Securing the Server With VPN
This virtual machine is now the server. It has to be secured with a Point-to-Site (P2S) VPN gateway.
- Type “virtual network gateway” into the search box on the Azure portal.
- Use the virtual network and subnet details from the previous phase to create a new gateway instance with a new public IP address.
- Validate the creation of the virtual network gateway.
- Once the deployment succeeds, click on the newly created network gateway and navigate to “Point-to-site configuration” under “Settings”.
- Add a private address range (one that does not overlap the virtual network's address space) to the address pool, and add it as additional address space in the virtual network.
- Use PowerShell to create the root and client certificates. Add the public certificate data of the root certificate in the Point-to-site configuration.
- Click on the Download VPN Client option once it becomes enabled after the changes are saved.
- Export the Point-to-Site client certificate (and the P2SRootCert if you need to install it on a different machine).
- Install the VPN client and the P2S client certificate.
- Connect to Azure by selecting the newly available VPN network on the client machine.
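The certificate step above is where most P2S setups go wrong, so here is an added example (not from the original post) of the full certificate flow: a self-signed root with the CertSign key usage, a client certificate signed by it with only the client-authentication EKU, the base64 public data the gateway expects, the address-pool and root-certificate configuration on the gateway, and a password-protected PFX export of the client certificate for another machine. Resource names, the address pool and file paths are assumptions.

```powershell
# Added example; gateway name, resource group, address pool and paths are assumptions.
$rg     = 'rg-wvd'
$gwName = 'vgw-wvd'

# Root certificate: only the public part ever leaves this machine. Keep the private key here
# (or on an offline admin workstation); anyone holding it can mint valid VPN client certs.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate chained to the root, restricted to the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
$client = New-SelfSignedCertificate -Type Custom -DnsName 'P2SChildCert' -KeySpec Signature `
    -Subject 'CN=P2SChildCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# "Public certificate data" = base64 of the DER-encoded root certificate (no private key, no PEM header)
$rootPublicData = [Convert]::ToBase64String($root.RawData)

# Gateway side: client address pool must not overlap the VNet, then trust the root
$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gwName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientAddressPool '172.16.201.0/24' | Out-Null
Add-AzVpnClientRootCertificate -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName `
    -VpnClientRootCertificateName 'P2SRootCert' -PublicCertData $rootPublicData | Out-Null

# Client certificate with its private key for installation on another machine (password-protected PFX)
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $client -FilePath "$env:USERPROFILE\P2SChildCert.pfx" -Password $pfxPwd | Out-Null

# Download link for the VPN client package (equivalent of the portal's Download VPN Client button)
Get-AzVpnClientPackage -ResourceGroupName $rg -VirtualNetworkGatewayName $gwName -ProcessorArchitecture Amd64
```

If a client certificate is lost or a user leaves, revoke it with `Add-AzVpnClientRevokedCertificate` using the certificate's thumbprint rather than rotating the root; rotating the root invalidates every client certificate issued under it.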
Configuring Server as Domain Controller
If you have connected successfully, you know that the virtual server you created can be reached securely. It can now be promoted to a Domain Controller.
- With the Azure VPN client running, connect to the previously configured Azure server VM using Remote Desktop.
- When you log in to the server for the first time, you might have to customize the machine with updates and changes.
- Install Active Directory Domain Services on a dedicated drive on which write caching is disabled, and reboot the machine.
- Install Azure AD Connect on the newly promoted Domain Controller.
- Create an Organizational Unit (OU) for WVD machines and users.
- During the Azure AD Connect installation, select “mail” and the “Continue without matching all UPN suffixes to verified domains” option on the “Azure AD sign-in configuration” screen.
- Select the WVD OU on the Domain/OU Filtering screen.
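The disk, AD DS and OU steps above can be scripted. The following is an added example (not from the original post): the first part runs from an admin workstation with the Az module and attaches a data disk with host caching set to None (Azure's equivalent of disabling write caching for the AD database), the second part runs on the server over the VPN RDP session to format that disk, install AD DS with its database, logs and SYSVOL on it, and promote a new forest, and the third part runs after the reboot to create the OU that Azure AD Connect will be scoped to. VM, disk, domain and OU names are assumptions.

```powershell
# Added example; VM name, disk size, drive letter, domain name and OU names are assumptions.

# --- Part 1: from an admin workstation (Az module): dedicated data disk, host caching off ---
$rg = 'rg-wvd'; $vmName = 'vm-dc01'
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$vm = Add-AzVMDataDisk -VM $vm -Name "$vmName-ntds" -Lun 0 -DiskSizeInGB 32 `
        -CreateOption Empty -Caching None -StorageAccountType Premium_LRS
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null

# --- Part 2: on the server over the VPN RDP session: format the disk as F:, install AD DS ---
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter F -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'NTDS' -Confirm:$false | Out-Null

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

# DSRM password is needed for offline recovery of the directory; store it in your password vault.
$safeModePwd = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) administrator password'
Install-ADDSForest -DomainName 'corp.example.com' -DomainNetbiosName 'CORP' `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -SafeModeAdministratorPassword $safeModePwd -InstallDns -Force    # reboots the server when done

# --- Part 3: after the reboot, logged on as a domain admin: OU structure for WVD ---
Import-Module ActiveDirectory
$base = 'DC=corp,DC=example,DC=com'
New-ADOrganizationalUnit -Name 'WVD'   -Path $base -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Hosts' -Path "OU=WVD,$base"
New-ADOrganizationalUnit -Name 'Users' -Path "OU=WVD,$base"
# Point Azure AD Connect's Domain/OU filtering at OU=WVD so only these objects sync.
```

Separating hosts and users into child OUs of `OU=WVD` keeps the Azure AD Connect filter to a single OU while still letting you apply different Group Policy to session hosts and to users.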
Connecting WVD Machines with Domain Controller via VPN
Once the objects are synced, you can connect WVD instances.
- Create WVD machines using Azure Marketplace, PowerShell, or Azure Resource Manager template.
- You can connect each WVD secured with point-to-site VPN using Remote Desktop from any compatible device.
- Provide users access to resources in the host pool.
- Publish applications to Remote Application host pools.
- Users with access can now use the “Session Desktop” for a full Windows virtual machine, or launch individual applications through the solution.
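The tenant setup summarised in the first phase and the host pool, user and RemoteApp steps in this last phase use the same classic (tenant-based) WVD PowerShell module, so here is one added example (not from the original post) covering both: it signs in, creates the tenant, assigns the RDS Owner role, creates a host pool, grants a user the desktop app group, and publishes a RemoteApp in a separate app group. The module name and cmdlets are the classic `Microsoft.RDInfra.RDPowerShell` ones; tenant name, IDs, user principal names and the application path are placeholders.

```powershell
# Added example for the classic (tenant-based) WVD deployment model.
# Tenant name, directory/subscription IDs, UPNs and the app path are placeholders.
Install-Module -Name Microsoft.RDInfra.RDPowerShell -Scope CurrentUser -Force
Import-Module Microsoft.RDInfra.RDPowerShell

# Sign in to the WVD broker with the account that was granted TenantCreator
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'

$tenant = 'Contoso-WVD'
$aadId  = '<Azure AD directory (tenant) ID>'
$subId  = '<Azure subscription ID>'
$pool   = 'hp-pooled-01'

# Tenant and its RDS Owner (the admin who will manage host pools and app groups)
New-RdsTenant -Name $tenant -AadTenantId $aadId -AzureSubscriptionId $subId
New-RdsRoleAssignment -RoleDefinitionName 'RDS Owner' -SignInName 'wvdadmin@contoso.com' -TenantName $tenant

# Host pool; the "Desktop Application Group" is created with it automatically
New-RdsHostPool -TenantName $tenant -Name $pool

# Full-desktop user: assigned to the desktop app group
Add-RdsAppGroupUser -TenantName $tenant -HostPoolName $pool `
    -AppGroupName 'Desktop Application Group' -UserPrincipalName 'alice@contoso.com'

# RemoteApp group publishing a single application to a different user.
# (In the classic model a user cannot be in both the desktop group and a RemoteApp group of the same host pool.)
New-RdsAppGroup -TenantName $tenant -HostPoolName $pool -Name 'ag-apps' -ResourceType 'RemoteApp'
New-RdsRemoteApp -TenantName $tenant -HostPoolName $pool -AppGroupName 'ag-apps' `
    -Name 'Notepad' -FilePath 'C:\Windows\System32\notepad.exe'
Add-RdsAppGroupUser -TenantName $tenant -HostPoolName $pool `
    -AppGroupName 'ag-apps' -UserPrincipalName 'bob@contoso.com'

# Verify what each user will see in the Remote Desktop client
Get-RdsAppGroupUser -TenantName $tenant -HostPoolName $pool -AppGroupName 'Desktop Application Group'
Get-RdsAppGroupUser -TenantName $tenant -HostPoolName $pool -AppGroupName 'ag-apps'
```

The user principal names must match the on-premises accounts that Azure AD Connect synced from the WVD OU; an account that exists only in Azure AD cannot sign in to a domain-joined session host.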
Apps4Rent Can Help with VPN Setup for WVD
The legwork required to prepare a secure, scalable, and optimized infrastructure to set up a VPN for Azure WVD is complex and challenging even for organizations with strong IT support. As a Tier 1 Microsoft CSP, Apps4Rent helps businesses adopt WVD and other Azure solutions with licenses, images, and consultation at promotional prices. Our Microsoft certified experts are available 24/7/365 via phone, chat, and email to help you adopt Azure solutions. Contact us today to know more.