Deploying Remote Desktop Services with itopia Cloud Automation Stack on Compute Engine

By: Katarina Ondrejovicova, Customer Success Manager; Karin Kelley, Content and Communications Specialist; itopia

This tutorial shows you how to use itopia Cloud Automation Stack (CAS) to deploy and manage Windows Remote Desktop Services (RDS) integrated with various Google Cloud services, such as Compute Engine, Cloud Billing, Cloud Deployment Manager, Cloud Load Balancing, Cloud VPN, and BigQuery.

Objectives

  • Deploy RDS to Google Cloud
  • Manage RDS deployment
  • Manage VM instances
  • Create a Cloud VPN tunnel
  • Integrate with BigQuery

Costs

This tutorial uses the following billable components of Google Cloud:

  • Compute Engine
  • Instance operating system
  • Standard storage, SSD storage, and snapshot storage
  • Networking bandwidth
  • Cloud VPN
  • Static IP quotas

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

Before you begin

  1. In the Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to the project selector page

Key terms

Default and custom networks
Google Cloud creates an auto-mode default network for every project that uses the 10.128.0.0/9 range, subdivided into one /20 subnet per region. If you already use one of those /20 ranges, or any part of the larger /9, on premises, the address spaces would overlap once the networks are connected, so create a custom network with non-overlapping subnets through itopia CAS instead.
Google Cloud site
The first site deployed on Google Cloud is the one geographically closest to the on-premises site. Its AD site link has the lowest cost of all the sites deployed to Google Cloud.
Google Cloud site connectivity
By default, all sites are interconnected regardless of region, because every project gets the default network and its routes. Google Cloud creates the 10.128.0.0/9 range, splits it into one /20 subnet per region, and creates subnet routes (together with the default-allow-internal firewall rule) so that instances anywhere within the /9 can reach each other.
Region
An independent geographic area that consists of zones.
Remote Desktop Deployment on Google Cloud
Each site with a remote desktop deployment consists of redundant remote desktop gateways, remote desktop session hosts, a remote desktop broker, and a file server. To provide additional redundancy, the remote desktop gateways are load balanced by Cloud Load Balancing.
Remote Desktop Services
CAS supports RDS, the Windows Server role that publishes session-based desktops and applications over a network connection. Users connect from any client that supports Remote Desktop Protocol (RDP) and get a complete desktop that runs on the session host.
Site
A site consists of redundant domain controllers. Each site is deployed in a different geographical region in Google Cloud and all redundant instances are deployed in different zones within the same region.
Site and subnets
Google Cloud automatically creates a network for each site, depending on the region selected. That network also serves as the AD replication subnet for that site.
Zone
A deployment area within a region. Deploying in multiple zones ensures that you maintain necessary fault-tolerance levels.
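
As an added example (not part of the original tutorial or of itopia CAS), the following Python script performs the overlap check the Key terms describe: it enumerates the /20 subnets that an auto-mode default network carves out of 10.128.0.0/9 and reports which of them collide with an on-premises address plan. A non-empty result means you need a custom network before extending AD across Cloud VPN or Interconnect. The sample address plans in the script are constructed for illustration.

```python
import ipaddress

# Google Cloud's auto-mode "default" network range, as stated in the Key terms.
DEFAULT_NETWORK = ipaddress.ip_network("10.128.0.0/9")
# Auto mode hands one /20 out of that /9 to each region.
SUBNET_PREFIX = 20


def auto_mode_subnets():
    """Every /20 that an auto-mode VPC could assign to a region (2048 of them)."""
    return list(DEFAULT_NETWORK.subnets(new_prefix=SUBNET_PREFIX))


def conflicting_subnets(on_prem_cidrs):
    """Return the auto-mode /20 subnets that overlap any on-premises range.

    Any overlap means the same addresses would exist on both sides of the
    VPN/Interconnect, so routing between the sites would be ambiguous and a
    custom network with non-overlapping subnets is required.
    """
    on_prem = [ipaddress.ip_network(c, strict=False) for c in on_prem_cidrs]
    hits = []
    for sub in auto_mode_subnets():
        if any(sub.overlaps(net) for net in on_prem):
            hits.append(str(sub))
    return hits


def needs_custom_network(on_prem_cidrs):
    """True when the default network cannot be used with this address plan."""
    return bool(conflicting_subnets(on_prem_cidrs))


if __name__ == "__main__":
    # Constructed sample address plans, not taken from the tutorial.
    for plan in (["192.168.0.0/16", "172.16.0.0/12"],   # no overlap
                 ["10.130.5.0/24"],                     # collides with one /20
                 ["10.0.0.0/8"]):                       # swallows the whole /9
        hits = conflicting_subnets(plan)
        verdict = "custom network required" if hits else "default network OK"
        print(f"{plan} -> {verdict} ({len(hits)} overlapping /20s)")
```

The check is deliberately conservative: a single overlapping /20 is reported even if that region is never selected, because auto mode may later add subnets for new regions in the same range.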

Extended Active Directory multi-region RDS deployment

If you have sites in different continents, countries, or states, you can keep a single AD domain anchored in a datacenter close to your physical location and extend it to each Google Cloud region. AD changes replicate across all sites because the domain is centralized.

Your users benefit from a multi-region RDS deployment through lower latency, because servers are closer to them. Each location gets a preconfigured Remote Desktop Protocol (RDP) file. A user who connects from a different location is automatically redirected to the gateway closest to their current location, and that gateway forwards the connection to their default broker or session host.

The following architectural diagram illustrates this approach for a deployment:

Architecture of a multi-region RDS deployment

  • The on-premises site is the AD site from which CAS extends the domain. Your existing infrastructure is used to create new domain controllers in Google Cloud. The Flexible Single Master Operation (FSMO) roles stay in this site.
  • Google Cloud regions are used for each AD replication site. Regions are selected during the deployment process and secondary domain controllers are created in different zones of each region.

    • AD site replication links are created and costs are calculated based on geographical proximity to the on-premises AD and to other sites.
    • Either Cloud Interconnect or Cloud VPN is required to connect the on-premises site to the Google Cloud replication sites.

Deploying RDS to Google Cloud

You can add a deployment with extended AD and launch it to Google Cloud. A deployment is a business IT environment that you migrate to Google Cloud.

  1. In the itopia menu, click All deployments.

  2. To add a new deployment, click the Plus icon.

  3. In the Deployment field, enter Remote desktop deployment. The deployment code is auto-generated.

  4. To create the deployment, click Remote Desktop Services (w/ Active Directory), and then click Create.

    Remote desktop deployment button

  5. In the Active Directory section, select the following Windows infrastructure settings.

    1. To extend an existing domain, click Existing Domain.

    2. Provide your Domain admin username and Domain admin password. Use a dedicated administrative account created for this deployment rather than a personal one, so that its use can be audited and the credential rotated afterwards.

    3. To connect to your environment, in the DNS Server IP field, enter your AD server internal IP address, and then click the Plus icon.

    4. From the Operating System drop-down list, select 2016 (Windows Server 2016), which gives users a Windows 10-style desktop.

    5. To keep a replica of the directory, enable Secondary Domain Controller. This creates an additional domain controller that you can schedule to run for 2 hours a day so that it replicates with the extended primary domain controller.

  6. In the Remote Desktop Services (w/ Active Directory) section, select the following settings, and then click Next.

    1. In the Username suffix field, enter example.org.

    2. In the External DNS field, enter a domain or subdomain you own.

    3. In the Estimated No. of users field, enter the number of users that you expect to create for this deployment. For the purposes of this tutorial, enter 5.

    4. Enable the following instances:

      • Dedicated File Server. Hosts user data only; no user sessions run on it.
      • RD Gateway. Terminates client connections over HTTPS and forwards them to the session hosts, so RDP does not have to be exposed directly from the session hosts.
      • Redundant Gateway. Deploys a second server with the gateway role and configures Cloud Load Balancing in front of both gateways.
      • Dedicated RD Broker. Deploys a dedicated server with the Connection Broker role.
      • User Profile Disk. Stores each user's profile on its own virtual disk that follows the user between session hosts.

    Settings of the Remote Desktop Services

  7. To connect your Google Cloud account, click Authenticate. In the Email field, enter your email address that you used to subscribe to Google Cloud and itopia.

    Authentication button for Google Cloud access

  8. In the Google Cloud Project section, in the Name of new project field, enter Remote desktop project, and then click Create.

  9. itopia automatically validates your permissions for the Compute Engine API, the Cloud Billing API, and the Deployment Manager API and checks your public IP quota.

    1. For each API, click Enable. In the new Google Cloud window that opens, click Enable.

    2. In itopia, click the Refresh button for each API to confirm that the change is saved.

    3. If you need to increase your public IP quota, click Increase. In the new Google Cloud window that opens, click Upgrade.

    4. In itopia, click the Refresh button for the quota to confirm that the change is saved.

    Permissions validation for Google Cloud APIs

  10. To add a region, in the Google Cloud Regions section, select the region closest to your physical location from the drop-down list, and then click the Plus icon to add it to your deployment. Repeat to add further regions. For a list of datacenter locations and zones, see Cloud Locations.

    Google Cloud region selection

  11. In the Google Cloud Regions section, to modify the resource configuration for each instance, click the Pencil icon. For the purposes of this tutorial, leave the default amount of resources in all the instances. To add optional instances, such as app, web, or database servers, click the Plus icon.

    Edit instances for Google Cloud regions

  12. In the GCP Configuration window, verify your settings, select the Authorization checkbox, and then click Deploy.

Connect your RDS deployment to Google Cloud servers

When you save your configuration in itopia, the Google Cloud servers are automatically deployed and configured.

If you have Cloud Interconnect, your existing domain is automatically extended to Google Cloud. If you don't, you need to create a Cloud VPN tunnel between your local site and Google Cloud (see Creating a Cloud VPN tunnel) so that the configuration can finish successfully.

The automatic server configuration is complete when you receive an email with your server admin credentials. Store them in a password manager and change them after your first logon.

In addition to the automatic server configuration, you need to add a DNS A record, add your RDS license number, and upload the TLS certificate for the RD Gateway before you can connect to your servers over RDP.

  1. In the itopia menu, click Tasks.

  2. In the list of tasks, select Upload the SSL certificate in .pfx format, and then click the Complete icon. In the new window that opens, upload the certificate in .pfx format and enter its password. The .pfx bundles the private key, so handle the file and its password as secrets. The certificate's subject or subject alternative name must match the external DNS name that clients use to reach the gateway; otherwise the RDP client rejects the connection.

  3. In the list of tasks, the Create a DNS A Record task lists the DNS name and the IP address the record must point to. Follow the instructions of your DNS provider to create an A record for that subdomain that resolves to the listed gateway IP address.

  4. Select the Create a DNS A Record task and click the Complete icon.

  5. In the list of tasks, select Add RDS license configuration for [YOUR_SERVER_IP_ADDRESS], and then click the Complete icon. In the new window that opens, enter your RDS license number.

Managing your RDS deployment

After you connect your RDS deployment to Google Cloud, you can manage your deployment. Add your first user as a test, and then run the network discovery tool to start managing user permissions, apps, VM shares, instances, and more.

Add a user

When you access the Users module, a message displays advising you that you have users in local AD that aren't created in Google Cloud. You can import all users or select individual users to import into Google Cloud.

For the purposes of this tutorial, you create a new user and test your connection to Google Cloud.

  1. In the itopia menu, go to Cloud Desktop > Users.

  2. Click Create user.

  3. In the New User window, complete the following fields, and then click Next.

    • First name: Test
    • Last name: User
    • Email: testuser@example.org
    • Username: testuser
    • Phone: (800) 555-0123
    • Department: Testing
  4. In the Applications section, click Next.

  5. In the Security groups section, click Done.

    You can also import a list of users and manage their statuses.

Run the Network Discovery tool

Use the Network Discovery tool to detect workstations, servers, network nodes, and apps on your network to manage them via RDS.

Before you start the network discovery, complete the following prerequisite steps:

  1. Log in with your domain admin credentials.

  2. Confirm that you can ping every device on the network.

  3. Allow traffic through your firewall for the following ports (RPC endpoint mapper and Microsoft Message Queuing):

    • TCP: 135, 1801, 2101, 2103 and 2105.
    • UDP: 1801 and 3527.

    Scope these rules to the IP address of the machine that runs the discovery tool rather than opening the ports to the whole network.

  4. Run the tool on a 64-bit operating system.

  5. Temporarily disable antivirus and firewall blocking for the duration of the discovery, and re-enable both as soon as it completes.

The discovery tool takes 5-10 minutes to set up, but once started it can run from 20 minutes to a few hours, depending on the number of network nodes.

Follow these steps to download and run the Network Discovery tool:

  1. Download the Network Discovery tool from itopia.

  2. In the Discovery PC window, complete the following steps, and then click Download.

    1. From the Select Framework drop-down list, select your .NET Framework version.

    2. From the Select Architecture drop-down lists, select 64 bits.

  3. Open the downloaded file.

  4. In the Discovery wizard, accept the terms and conditions, and then click Next.

  5. In the Company Information section, enter your deployment's email domain that you used to create the deployment in itopia. Enter the domain without the @ symbol.

  6. In the Network Information section, complete the following steps, and then click Next.

    1. From the Select your site drop-down list, select the site you want to discover.

    2. Select the Use Windows sessions credentials checkbox.

    3. If you have one subnet, select the Run the discovery process in the same subnet where I am checkbox. Otherwise, in the Network subnets field, enter your additional subnets.

  7. While the discovery process runs, watch the Searching for network progress bar to track the progress. When the process finishes, the discovered data is automatically copied to itopia. In the Congratulations, you have successfully completed the discovery process! section, click Close.

    itopia CAS also has a PC Discovery tool that accomplishes the same task for a single workstation, but it requires a user to complete the discovery process.

Manage user permissions

You can manage user permissions with security groups and upload them from your domain to Google Cloud. Some security groups are automatically added by the domain, so you cannot use those names. For a list of reserved names, see the list at the end of the Security Groups article in the itopia documentation.

After creating a deployment with extended on-premises AD, you have the option to import security groups to Google Cloud.

  1. In the itopia menu, go to Cloud Desktops > Security Groups.

  2. Click Add Security Groups.

    Add security groups button

  3. In the Name field for the security group, type Test group and select the Test User checkbox to add the user you created to the group.

  4. Click Save.

Manage access to apps

In itopia, you can manage your apps, track the installation progress of apps, track license keys, delete apps, and restrict user access to apps. For more information, see the Apps documentation in itopia.

For the purposes of this tutorial, you restrict access to the Google Chrome app to the same user identity as before. By default, after you install an app, it's available to all users.

  1. In the itopia menu, go to Cloud Desktops > Applications.

  2. To add an app, click the Plus icon. Enter Google Chrome as the name of the app and 2018 as the version.

  3. Go to Cloud Manager > Instances and connect to the session host server with your admin credentials. Install Google Chrome on the server.

  4. Go to Tasks and complete the installation task for Chrome.

  5. Go to Cloud Desktops > Applications and select the Google Chrome checkbox, and then click the Edit icon.

  6. Select the Test User checkbox, and then click Save.

  7. To restrict access to Chrome, select the Google Chrome checkbox, and then click Settings.

  8. Enable the Restricted button.

  9. In the Path field, enter the file path for Google Chrome executable, and then click Save.

    Now, only testuser has the Google Chrome shortcut on their desktop.

Manage access to folders and files

After deploying a new environment, your users cannot access any files or folders on the data server.

In this section, you share a subfolder in the D:\Customer Data folder with the testuser user.

  1. In the itopia menu, go to Cloud Desktop > Folders/Shares.

  2. On the Folders directory tab, click the Customer data folder to highlight it, and then click the Plus icon to add new folder.

  3. Type the name as Test folder and click Save.

  4. On the Shares tab, click the Plus icon.

  5. In the Add share window, complete the following fields, and then click Save.

    1. In the Name field, enter Test Share.

    2. In the Letter field, enter the drive letter you want to share. Enter G.

    3. In the Path field, click the Magnifying Glass icon and browse for the D:\Customer Data\Test folder.

    4. In the Users/Groups section, select the Testuser checkbox.

Managing VM instances

You can add new VM instances anytime in itopia to automatically create them in Google Cloud. You can add your app servers, web servers, SQL server, or any other server that doesn't host user sessions. Manage your Google Cloud VM instances in itopia by allocating resources to instances, scheduling instance uptime, and scheduling snapshots.

The following table shows the instances deployed by default, as well as optional instances. In addition, it highlights the resources allocated by the autoscaler for each instance.

Instance name | Instance description                 | Category | Number of users | Allocated resources
[REM]PDC      | Primary domain controller            | Default  | -               | 1 CPU, 5.5 GB RAM, 50 GB storage
[REM]FBU      | File, broker, or session host server | Default  | 0-7             | 2 CPU, 7.5 GB RAM
              |                                      |          | 8-15            | 4 CPU, 15 GB RAM
              |                                      |          | 16-25           | 4 CPU, 26 GB RAM
[REM]USS      | User session host server             | Default  | 26 and more     | 4 CPU, 13 GB RAM
[REM]SDC      | Secondary domain controller          | Optional | -               | -
[REM]RDG1     | Remote desktop gateway               | Optional | -               | 1 CPU, 3.8 GB RAM
[REM]RDG2     | Redundant gateway                    | Optional | -               | 1 CPU, 3.8 GB RAM
[REM]BRK      | Dedicated broker                     | Optional | -               | 1 CPU, 3.8 GB RAM
[REM]DFS      | Dedicated file server                | Optional | -               | 1 CPU, 3.8 GB RAM
[REM]FSB      | File server                          | Optional | -               | Custom instance type or resource settings chosen when the instance is added
[REM]APP      | App, web, or database server         | Optional | -               | Custom instance type or resource settings chosen when the instance is added

With 26 or more users, the autoscaler creates a new USS instance, and both USS instances get 4 CPU and 13 GB RAM.

Add resources to an instance

Through the CAS management console, you can change resources for a VM instance, such as RAM or CPU. You can either select a different instance type or you can customize the instance, where you can allocate as much RAM and CPU as needed.

When you customize instances, consider the following:

  • If you change servers directly in Google Cloud rather than through itopia, itopia can lose track of the instance and its functionality can be affected.
  • If you add RAM or CPU to a session host instance, disable autoscale first; otherwise the autoscaler can revert the change.
  • If you add a new disk or increase a disk's size, a reboot isn't required, but you must extend the volume inside the instance before the space is usable.

To customize an instance, follow these steps:

  1. In the itopia menu, go to Cloud Manager > Instances.

  2. To edit an instance, select the PDC checkbox, and then click Edit.

  3. In the Edit App window, modify the following fields, and then click Save.

    1. From the Instance type drop-down list, select Custom.

    2. In the Cores vCPU field, enter 2.

    3. In the Memory field, enter 7680. This value is in MB (7.5 GB, the amount the table above allocates to a 2-vCPU FBU instance); check the unit label shown in your console.

    4. Select the Force update checkbox to apply the changes immediately by rebooting the instance.

Start an instance and create an admin connection

After launching your deployment, you can connect to your instances through RDP to install apps or make any other manual configurations in the server.

  1. In the itopia menu, go to Cloud Manager > Instances.

  2. To start an instance, select the server's checkbox, and then click the Start icon.

  3. To download an RDP file, click the Download icon.

  4. Save the file to use for connecting to the server.

  5. Open the RDP file.

  6. In the Remote Desktop Connection window, enter the admin credentials you previously received by email.

    You can have one terminal server connection open at a time. Use the RDP file whenever you want to connect to the server.

Schedule an instance uptime

Compute Engine bills per second for compute resources, and only while instances are running. By using itopia's server uptime scheduling, you can reduce your overall cloud infrastructure cost.

For example, if your company works regular business hours, you can schedule server instances to turn on at 8 AM and off at 8 PM, halving the hours consumed in a month. It's recommended that you have three separate schedules: one for the member servers, one for the PDC, and one for the SDC.

Schedule your environment uptime

In this section, you schedule server uptime for your environment for all instances except for the PDC and SDC servers.

  1. In the itopia menu, go to Cloud Manager > Server uptime.

  2. To add a schedule, click the Plus icon.

  3. In the Name field, enter Business Hours and in the Description field, enter 8 AM - 8 PM.

  4. In the Available Servers section, select all of the server instances and click > to move all instances to the Selected Servers section, except for the PDC and SDC servers that will have separate schedules.

  5. In the Schedule calendar, drag the instances' start and end times. Begin at 8 AM and end at 8 PM. You can manually adjust the selected times by using the Time spin boxes.

  6. In the Time window, click Save.

  7. In the Schedule window, click Save.

Schedule your Primary Domain Controller (PDC) uptime

Follow the steps in schedule your environment uptime. Use the same process to create a separate schedule for your PDC server, but turn it on 5 minutes before the rest of the servers so all the services can start successfully. For the purposes of this tutorial, schedule the PDC server from 7:55 AM to 8 PM.

  1. In the Name field, enter PDC Hours.

  2. In the Description field, enter 7:55 AM - 8 PM.

  3. In the Available Servers section, select the PDC server instance, and then click Save.

Schedule your Secondary Domain Controller (SDC) uptime

Follow the steps in schedule your environment uptime. Use the same process to create a separate schedule for your SDC server. To save resources and to keep the server up to date, schedule it to turn on for two hours every day, from 6 PM to 8 PM. During the SDC uptime, it syncs with your PDC server.

  1. In the Name field, enter SDC Hours.

  2. In the Description field, enter 6 PM - 8 PM.

  3. In the Available Servers section, select the SDC server instance, and then click Save.
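
The three schedules above carry an ordering dependency that the console does not enforce: member servers must start after the domain controller and must not outlive it, or domain logons and service startup fail. As an added example (not itopia's own code), this Python check validates a set of uptime schedules against those rules. The schedule names and server names come from the tutorial, as do the rules and the 5-minute lead; the broken schedule in the usage block is constructed to show what a violation looks like.

```python
from dataclasses import dataclass

LEAD_MINUTES = 5  # the tutorial starts the PDC 5 minutes before everything else


def hhmm(s):
    """'07:55' -> minutes since midnight (24-hour clock)."""
    h, m = s.split(":")
    return int(h) * 60 + int(m)


@dataclass(frozen=True)
class Schedule:
    name: str
    servers: tuple   # instance names covered by this schedule
    start: str       # "HH:MM"
    end: str         # "HH:MM"


def check_schedules(schedules, pdc="PDC"):
    """Return a list of problems; an empty list means the schedules are consistent.

    Rules taken from the tutorial:
      * every server appears in exactly one schedule
      * the PDC starts at least LEAD_MINUTES before any other server
      * no server stays up after the PDC has stopped
    """
    owner, problems = {}, []
    for s in schedules:
        for srv in s.servers:
            if srv in owner:
                problems.append(f"{srv} is in both {owner[srv]} and {s.name}")
            owner[srv] = s.name

    pdc_sched = next((s for s in schedules if pdc in s.servers), None)
    if pdc_sched is None:
        problems.append(f"{pdc} has no uptime schedule")
        return problems

    pdc_start, pdc_end = hhmm(pdc_sched.start), hhmm(pdc_sched.end)
    for s in schedules:
        if s is pdc_sched:
            continue
        if hhmm(s.start) - pdc_start < LEAD_MINUTES:
            problems.append(f"{s.name} starts less than {LEAD_MINUTES} min after {pdc}")
        if hhmm(s.end) > pdc_end:
            problems.append(f"{s.name} runs past the {pdc} shutdown")
    return problems


if __name__ == "__main__":
    # The tutorial's three schedules.
    good = [
        Schedule("PDC Hours", ("PDC",), "07:55", "20:00"),
        Schedule("Business Hours", ("FBU", "RDG1", "RDG2", "BRK", "DFS"), "08:00", "20:00"),
        Schedule("SDC Hours", ("SDC",), "18:00", "20:00"),
    ]
    # Constructed misconfiguration: PDC starts with the others and stops early,
    # and the SDC is accidentally placed in two schedules.
    bad = [
        Schedule("PDC Hours", ("PDC",), "08:00", "19:00"),
        Schedule("Business Hours", ("FBU", "SDC"), "08:00", "20:00"),
        Schedule("SDC Hours", ("SDC",), "18:00", "20:00"),
    ]
    for label, plan in (("tutorial", good), ("broken", bad)):
        print(label, "->", check_schedules(plan) or "OK")
```

Run the check whenever a schedule is edited; it is cheap and catches the case where someone "fixes" a cost problem by trimming the PDC window without noticing that every member server depends on it.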

Schedule a snapshot

A snapshot is a point-in-time copy of an instance's persistent disks that serves as a full backup. Compute Engine stores multiple copies of each snapshot redundantly across multiple locations, with automatic checksums to ensure the integrity of your data.

You can create schedules for your snapshot automation for each instance. The system takes a snapshot for you at a selected time and frequency. You can specify the number of snapshots (retention) you need. When the number of snapshots exceeds your retention criteria, the system deletes them, starting with the oldest one.

  1. In the itopia menu, go to Cloud Manager > Snapshots.

  2. To create a new snapshot, click the Plus icon.

  3. In the Add plan window, complete the following fields, and then click Save.

    1. In the Name field, enter all instances.

    2. In the Description field, enter backup of all VM instances.

    3. In the Retention field, enter 30. This represents the number of snapshots itopia retains before the system starts deleting the oldest snapshot.

    4. From the Frequency drop-down list, select Daily.

    5. In the Time spinboxes, enter 9 AM.

    6. In the Available Servers section, select all of the server instances and click > to move all instances to the Selected Servers section.

  4. To view your scheduled snapshot, click the Plans tab.

Creating a Cloud VPN tunnel

Cloud VPN extends your on-premises network to Google's network. In itopia, you can configure the Cloud VPN for your deployment.

  1. In the itopia menu, go to Cloud Manager > VPNs.

  2. To configure a new VPN, click the Plus icon.

  3. In the Name field, enter test VPN.

  4. In the Description field, enter VPN tunnel for tutorial.

  5. To add the new tunnel, click the Plus icon.

  6. In the Tunnels window, complete the following fields, and then click Save.

    1. In the Remote peer IP address field, enter the public IP address of your on-premises VPN gateway, the peer on the other side of the tunnel. Only a static IP address can be used.

    2. In the IKE version field, select the IKE version. IKEv2 is preferred; IKEv1 is supported only if that is all the peer gateway can manage.

    3. Copy the value in the Shared secret field and store it in a password manager. It is the pre-shared key the on-premises gateway must present, so treat it as a credential.

    4. In the Remote Network IP ranges field, enter the range of your peer network, which is on the other side of the tunnel from the Cloud VPN gateway you're configuring.

    5. The Local IP ranges field is automatically populated according to your internal IP subnet. These ranges are routed through the tunnel.

  7. After setting up the VPN, create firewall rules between your on-premises network and the Google Cloud network that allow only the traffic the deployment needs (for example, AD replication and RDP) between the two address ranges.
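
As an added example (not part of itopia CAS or of the tutorial), the following Python code generates a pre-shared key and validates a tunnel definition against the constraints in the steps above: the peer must be a public, static address; IKEv2 is preferred over IKEv1; the shared secret must be long enough; and the remote ranges must not overlap the local ranges, because overlapping ranges make routing ambiguous. The keys of the cfg dictionary mirror the form fields; the peer address and ranges in the usage block are placeholders.

```python
import ipaddress
import secrets


def generate_shared_secret(nbytes=32):
    """Random IKE pre-shared key from the OS CSPRNG (32 bytes -> 43 URL-safe chars)."""
    return secrets.token_urlsafe(nbytes)


def validate_tunnel(cfg):
    """Check a Cloud VPN tunnel definition before saving it.

    cfg keys (mirroring the form fields in the tutorial):
      peer_ip, ike_version, shared_secret, remote_ranges, local_ranges
    Returns (errors, warnings); save the tunnel only if errors is empty.
    """
    errors, warnings = [], []

    # Peer must be a routable public address: private, loopback, link-local
    # and other special-purpose ranges cannot terminate an Internet IPsec tunnel.
    try:
        peer = ipaddress.ip_address(cfg["peer_ip"])
        if not peer.is_global:
            errors.append(f"peer {peer} is not a public address; the peer must be a static public IP")
    except ValueError:
        errors.append(f"peer IP {cfg['peer_ip']!r} is not a valid address")

    ike = cfg.get("ike_version")
    if ike == 1:
        warnings.append("IKEv1 selected; use IKEv2 unless the on-premises gateway cannot")
    elif ike != 2:
        errors.append(f"unsupported IKE version {ike!r}")

    # Length floor for the PSK; the console generates one for you, but a
    # hand-typed replacement is a common way to weaken the tunnel.
    if len(cfg.get("shared_secret", "")) < 20:
        errors.append("shared secret shorter than 20 characters")

    remote = [ipaddress.ip_network(r, strict=False) for r in cfg.get("remote_ranges", [])]
    local = [ipaddress.ip_network(r, strict=False) for r in cfg.get("local_ranges", [])]
    if not remote:
        errors.append("no remote ranges; nothing would be routed through the tunnel")
    for r in remote:
        for l in local:
            if r.overlaps(l):
                errors.append(f"remote range {r} overlaps local range {l}; routing would be ambiguous")
    return errors, warnings


if __name__ == "__main__":
    # Placeholder values, not from the tutorial.
    tunnel = {
        "peer_ip": "93.184.216.34",          # on-premises gateway (placeholder public IP)
        "ike_version": 2,
        "shared_secret": generate_shared_secret(),
        "remote_ranges": ["192.168.10.0/24"], # on-premises LAN
        "local_ranges": ["10.128.0.0/9"],     # auto-populated from the VPC
    }
    errors, warnings = validate_tunnel(tunnel)
    print("errors:", errors or "none")
    print("warnings:", warnings or "none")
```

The overlap test is the one most often skipped in practice: if the on-premises site already uses part of 10.128.0.0/9, the tunnel comes up and then silently blackholes traffic, which is exactly the situation the Key terms section tells you to avoid with a custom network.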

Integrating itopia and BigQuery

Integrate itopia with Cloud Billing and BigQuery to get insight into your billing costs:

  • Find the cost per project per month/day.
  • Analyze Google Cloud product and project costs.
  • Track the trends of your Google Cloud costs.

You can analyze data when the export is set up. You are unable to view data prior to integrating itopia with BigQuery. To set up your Cloud Billing integration, first you need to enable BigQuery billing export, and then you configure BigQuery in itopia.

  1. Export your billing data to BigQuery.

  2. In the itopia menu, go to Insights > GCP Billing > Configure BigQuery.

  3. To add the integration, click Add to BigQuery.

  4. In the Email field, enter your email address that you used to subscribe to Google Cloud and itopia.

  5. From the Billing Project drop-down list, select the same billing project where you created your dataset when you enabled BigQuery. itopia automatically validates your permissions for the project, the Cloud Billing API, and the BigQuery API.

  6. Enable Export Billing, and then from the Dataset drop-down list, select the dataset where you exported your billing data into. Click Save.

    After you set up the integration, the system might take up to 24 hours to update the data, depending on when you created the BigQuery export and configured the integration with itopia. The database updates once a day, at midnight, Pacific Standard Time.

  7. When the data is synced, to review the data, go to Insights > GCP Billing.

  8. Filter the data by the following values:

    • Start and end dates
    • Deployments
    • Products
    • Services

Cleaning up

To avoid incurring charges to your Google Cloud Platform account for the resources used in this tutorial:

Delete the project

  1. In the Cloud Console, go to the Manage resources page.

    Go to the Manage resources page

  2. In the project list, select the project you want to delete and click Delete .
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Deleting the resources

If you want to keep the Google Cloud project you used in this tutorial, delete the individual resources.

Delete instances

  1. In the Cloud Console, go to the VM Instances page.

    Go to the VM Instances page

  2. Click the checkbox for the instance you want to delete.
  3. Click Delete to delete the instance.

Delete snapshots

  1. In the Google Cloud Console, go to the Snapshots page.

    Go to the Snapshots page

  2. Click the checkbox next to the snapshots you want to delete.

  3. Click the Delete button at the top of the page to delete the snapshots.

Delete external IP addresses

  1. In the Google Cloud Console, go to the External IP addresses page.

    Go to the External IP addresses page

  2. Click the checkbox next to the IP addresses you want to delete.

  3. Click the Delete button at the top of the page to delete the external IP addresses.

Delete Cloud VPN tunnels

  1. In the Google Cloud Console, go to the Cloud VPN page.

    Go to the Cloud VPN page

  2. Click the checkbox next to the Cloud VPN tunnels you want to delete.

  3. Click the Delete button at the top of the page to delete the Cloud VPN tunnels.

Delete images

  1. In the Google Cloud Console, go to the Images page.

    Go to the Images page

  2. Click the checkbox next to the images you want to delete.

  3. Click the Delete button at the top of the page to delete the images.

Delete firewall rules

  1. In the Cloud Console, go to the Firewall Rules page.

    Go to the Firewall Rules page

  2. Click the checkbox for the firewall rule you want to delete.
  3. Click Delete to delete the firewall rule.

Delete deployments

  1. In the Google Cloud Console, go to the Cloud Deployment Manager page.

    Go to the Deployment Manager page

  2. Click the checkbox next to the deployments you want to delete.

  3. Click the Delete button at the top of the page to delete the deployments.

What's next

  • Try out other Google Cloud Platform features for yourself. Have a look at our tutorials.