It has always been part of the Microsoft vision: your users can work anywhere, on any device, on anything, and it will all be secure, synchronized, and responsive. But the execution on this vision has heretofore unfortunately had many holes in it: with Microsoft not playing nice in the licensing department, how was anyone to offer a truly mobile Windows desktop on a cost effective basis without actually paying for a device that ran Windows?
Those days may be over as Microsoft Azure RemoteApp comes to the forefront. Let’s take a look at this new service, how to get started with it, and what it means for the enterprise AND for the consumer space.
What is Microsoft Azure RemoteApp?
Do you remember the OnLive saga? Allow me to whisk you back to January 2012, where, at the Consumer Electronics Show, OnLive announced their service called OnLive Desktop, which was essentially a dedicated Windows 7 virtual machine, containing an installation of Microsoft Office, that you could log into from iPads and Android devices. This of course immediately set off alarm bells within Microsoft, as Windows 7 is not licensed to be used in a service provider setting like that—only Windows Server 2008, appropriately covered by a service provider licensing agreement, or SPLA, was permitted here. Threats ensued and the company quickly switched to a Windows Server-based deployment to settle these issues. But since then, no one has attempted to offer Windows applications as a service and market them to the general public—at least no company of which I am aware. (For its part, OnLive Desktop is still around, only for tablets, and is working on clients for PCs, Macs, and your television.)
Essentially, Microsoft Azure RemoteApp is OnLive Desktop done straight from the horse’s mouth: a desktop application as a service offering, although I hope I did not coin an unfortunate nickname just then. The preview program now starts out with your traditional Microsoft Office 2013 applications, like Word, Excel, PowerPoint, Access, and Outlook, but you can also just log into a Windows desktop and use Internet Explorer and more.
The advantages are numerous:
- Instead of investing in a fixed capacity Remote Desktop Services or Terminal Services deployment, including the associated volume licenses required to operate Office applications in this capacity, you can simply purchase the service from Microsoft and pay as you use the service—you can scale up as needs require, or scale down as demand wanes, without having to buy hardware to satisfy your peak capacity but having much of that capacity unused over time.
- Your IT department can outsource this service to Microsoft, at least in one of the Azure RemoteApp deployment models, as they will have all the responsibility of scheduled and ad-hoc maintenance, software patching, security updates, hardware maintenance, and more. You will always be using the latest version of the software with essentially no further action on your part or the part of your IT administrators.
- You can use this service to finally enable a productive experience for your users who have brought their own personal devices to work or prefer to use those alternative platforms like iOS and Android when they are traveling or at home. Even on, say, an iPad, your users can work in native Microsoft Office and use your own line of business application or homegrown programs without the cost of porting them natively to these alternative platforms.
Cloud-Only and Hybrid Deployments
There are two deployment methods for Microsoft Azure RemoteApp that offer a couple of different levels of responsibility and control. Depending on your need for either complete outsourcing or a healthy extension of your existing investments, you can choose from:
- Cloud only deployments. In this model, Azure RemoteApp hosts services independently of any services you currently offer to your user base from resources in your own datacenters. Microsoft manages the service, including patching the applications, providing security updates, managing the virtual workloads hosting the applications, and more, so all you need to do is provision the service and use it. Starting a new instance is simply a matter of a few clicks. The whole enchilada is guarded from malware by the Microsoft hosted antimalware service, which is a part of the offering and enabled at no additional charge or license requirement.
- A hybrid deployment lets you control which applications, which operating systems, and which settings are enabled as part of the service. In this scenario, you create the template image from which the service is offered and you upload it into Microsoft Azure. This image is joined to your on premises domain, and identities are either synchronized (where passwords are passed between the two copies of the directory and kept in sync) or federated (where ADFS passes secure tokens back and forth to enable access but your enterprise passwords never leave your on premises directory) with your local directory via Azure Active Directory. This means your existing user credentials will work fine for your template image and application offerings even though the actual hosting of the image and the service is done in Microsoft’s datacenters.
Getting Started and Testing Out the Service
It is fairly easy to get started using Azure RemoteApp, especially in a cloud only deployment. Here is how to set up your first instances of the service in either of the two supported modes.
Setting Up Microsoft Azure RemoteApp in Cloud Only Mode
- Sign up for a subscription to Microsoft Azure.
- From the New menu in the lower left hand corner, select App Services, then select Remote App.
- Choose the Quick Create option.
- In the right hand pane, enter a simple, friendly name to help you identify this instance within the Azure management console, choose a service region closest to where either you or your users are geographically located on the planet, and then choose the template image from which this service instance should be created. As mentioned, during the preview phase, only the pre-created Windows Server 2012 R2 image along with Microsoft Office Professional Plus 2013 is available for cloud only deployments.
- Click the Create RemoteApp Service link.
The automated processes will then provision the service and you’ll be notified via a status update on the lower half of the Azure management console when the provisioning is complete and the service is ready to use. In my testing, this provisioning process took about eight minutes to complete.
When the service is provisioned, you need to assign users and give them permission to access the service. This involves either setting up Windows Azure Active Directory synchronization with your on premises servers, or having your users set up and configure a Microsoft account, the name of which you then give to the Azure RemoteApp service, which will use it for authentication and authorization purposes. On the RemoteApp dashboard within the Azure management console, click the Configure User Access button. You then enter your users’ e-mail addresses, the accounts are matched up via whatever service applies, and you then choose the individual programs those users will be able to access over the Azure RemoteApp connection.
How do you manage available programs? From the same RemoteApp dashboard within the Azure management console, click the Public RemoteApp Programs link, and you’ll be taken to a list of all of the programs that are configured for that particular Azure RemoteApp service instance. During the preview, you get Word, Excel, PowerPoint, Outlook, OneNote, Project, and Visio, as well as some true dyed in the wool programs like Paint (yes, the one that’s been around for ages) and Calc, the Windows system calculator. These are on the portal for test purposes.
Once all of your users are set up, direct them to http://www.remoteapp.windowsazure.com to download the RemoteApp Client—it is a click-to-run simple installation and available for Windows, Mac OS X, iOS, and Android platforms. They then accept a little invitation that is presented to them upon logging in and can then use the apps as they would any other desktop application—except those applications are running in the Azure datacenter and the visuals are being shipped over the remote desktop protocol.
Setting Up Microsoft Azure RemoteApp in Hybrid Deployment Mode
Recall you will want to use hybrid mode to deploy your own operating system images, custom applications and home grown programs, and in general integrate more with your own on premises network. Since these images and the applications that run on them are domain joined, they have full security trimmed access to your regular network. This is accomplished by creating virtual networks that act as site to site VPNs. (We have covered how to set up site to site VPNs with Windows Azure in a previous article on Computerworld.com, so I will not repeat those instructions here.)
On top of these VPNs, Microsoft has created “VNets,” or virtual networks, that contain some performance improvements to make application usage seem more consistent over the VPN link. You give information to the VNet configuration manager like the cloud address space, your on premises address space, the IP address of your VPN router, and the DNS server for those local on premises addresses, and Azure handles the rest of the configuration.
Once this is set up, and you have created instances of the service using the instructions in the previous section, Azure RemoteApp will let you join the virtual machines running Remote Desktop Services Session Host (the old Terminal Services role, if you are familiar with Windows) to your local domain, so not only do you get Group Policy object replication and system management agents touching your Azure hosted applications, but you can also control software installation from a single console. All you need to do to enable this functionality is create a separate organizational unit (OU) within Active Directory that will contain only Azure RemoteApp VMs, and create a service account that has privileges to join machines to your domain. Keep in mind, however, that since these machines are under your control, you maintain the responsibility for patching them and otherwise maintaining them—unlike the cloud only deployment, where the applications and attendant maintenance are taken care of by Microsoft as part of the service.
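The OU and join account described above can be set up so that the account can join machines only inside that one OU. This is an added example, not code from the original article or from Microsoft; the domain, OU name, account name, and the exact set of delegated rights are assumptions to adapt to your environment.

```powershell
# Added example. Every name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=example,DC=com'   # assumed domain DN
$netbios  = 'CORP'                        # assumed NetBIOS domain name
$ouName   = 'AzureRemoteApp'              # assumed OU for RemoteApp session hosts only
$svcName  = 'svc-remoteapp-join'          # assumed domain-join service account
$ouDn     = "OU=$ouName,$domainDn"

# 1. Dedicated OU that will hold nothing but the Azure RemoteApp VMs,
#    so Group Policy and delegation can be scoped to them alone.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
    -ProtectedFromAccidentalDeletion $true

# 2. Ordinary user account for the join operation. It is deliberately not
#    added to Domain Admins or Account Operators.
$password = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName `
    -AccountPassword $password -Enabled $true `
    -Description 'Joins Azure RemoteApp session hosts to the domain'

# 3. Delegate join rights on the OU only.
$acct = "$netbios\$svcName"

# Create and delete computer objects in this OU and below.
dsacls $ouDn /I:T /G "${acct}:CCDC;computer"

# On computer objects under the OU: reset the machine password and
# update the DNS host name and SPNs during the join.
dsacls $ouDn /I:S /G "${acct}:CA;Reset Password;computer"
dsacls $ouDn /I:S /G "${acct}:WS;Validated write to DNS host name;computer"
dsacls $ouDn /I:S /G "${acct}:WS;Validated write to service principal name;computer"

# 4. Review what was granted before handing the credentials to the service.
dsacls $ouDn | Select-String -SimpleMatch $svcName
```

Scoping the delegation to the OU means a leaked join credential cannot be used to create or take over computer accounts elsewhere in the directory.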
For custom images, you simply create new virtual machines on premises that are based on Windows Server 2012 R2 with the Remote Desktop Session Host role installed. You can then set them up and install applications as you wish. The Azure management portal has a UI where you can upload, resume uploading, and delete custom images and manage those images’ links to the various Azure RemoteApp instances that you have set up.
Pricing and Availability
Currently, the Azure RemoteApp service is free to use because it is in preview—essentially a no-cost public beta. By default, the service will be licensed per instance, where you get 10 users per service instance and to scale up, you simply add more service instances. You can get access to Azure RemoteApp in the US East and West, Europe North and West, and Asia Pacific East and Southeast service regions, and the preview is available today.
The Last Word
One thing Windows and Office have lacked for a long time is a way to be productive remotely on non-Windows machines, and particularly on mobile devices. Azure RemoteApp looks to solve that problem, and the preview release has promising potential, albeit with some significant limitations in terms of image flexibility at the time of this writing. The eventual success and adoption of the service will depend largely on how Microsoft prices the service and whether the company will consider allowing license portability between enterprise service agreement entitlements and the Azure RemoteApp service so customers are not essentially double charged for access to software they may have already paid for. But from a purely technical standpoint, there is not much not to like about this service and you should make plans to evaluate it, as I believe it will play a big role in accessing desktop applications from anywhere in the future.
This article originally appeared, with edits, at Computerworld.