Jaa


How To Create Windows Server for Remote Desktop (RDP) To Be Used While Port 3389 is Blocked-Azure VM Step-By-Step PLUS Anywhere Access Configuration

You could of course manually configure RDP to listen on different ports to allow connection from other standard or non-standard ports.  In my case, I need to be able to RDP to an Azure Virtual Machine from a local school or customer office where the IT department has blocked port 3389.  There is a new Virtual Machine Type in the Azure Image Gallery called “Windows Server Essentials Experience Windows Server 2012 R2”.  This machine already has Windows Server Essentials Experience role enabled so it is a simple matter to configure everything so someone can connect with HTTPS (via VPN) to an RDP Server.  We will leverage this image for this Step-By-Step post.  By default when you create a new machine the Windows Server Essentials Experience is not “configured” for Anywhere Access (VPN) functionalities and you have to Remote Control to the server to configure it.  Therefore, I will be leveraging an artificial [Magic] “port swap” by managing end points for the server using the Azure End Points Configure screen to configure Windows Server Essentials Experience. These procedures will work for Windows Server 2012 R2 Datacenter as well.  You only need to use the Essentials image if you need Anywhere Access (VPN) connectivity.   Anywhere Access basically gives you the capability to VPN over HTTPS.

image

OR… If you want to do Essentials…

  image

 


Prerequisite

I am assuming you already have an Azure account but if you do not, you can always get a free trial from https://aka.ms/IaaS

Use your Microsoft account or your organization account to sign in to the Microsoft Azure Management Portal

Sign in to the Microsoft Azure Management Portal by using your Microsoft account or your organizational account


Create Network

Before we can create the virtual machine, we need to setup some infrastructure.  First is the Network.

In the lower left corner of the screen, click New. In the navigation pane, click Network services, and then click Virtual Network. Click Custom Create to begin the configuration wizard. 

On the Virtual Network Details page, enter the following information.

noteNote:   For more information about the settings on the details page, see the Virtual Network Details section in Configuring a Virtual Network using the Management Portal.

In the Name box, type a name for the virtual network (for example, GuruNetwork).

In the Location drop-down list, select an existing Location.  Click the Next arrow.

Skip the DNS Servers and VPN Connectivity page.

On the Virtual Network Address Spaces page, enter the following information, and then click the checkmark on the lower right to configure your network.

Type the starting IP address and CIDR (address count), such as 10.0.0.0/24.

noteNote:   We recommend that the address count of the network and the subnet are equal or larger than /24 (256).

SNAGHTML1e94f273

 

noteNote:  

 

 


Create a Storage Account

In the taskbar, click New, click Data Service, click Storage, and then click Quick Create.

In the quick create form, do the following: In the URL box, type a unique URL (for example, gurustorage). In the Location/Affinity Group drop-down list, select the same affinity group as the virtual network (for example, East US 2).

Ensure that the Enable Geo-Replication check box is selected. (However, if you don’t want geo-replication for your storage account, clear the Enable Geo-Replication check box.)

Click the checkmark to create your virtual storage account.

noteNote:   It can take a while for the storage account to be created. To check the status, you can monitor the notifications in the status bar of the Management Portal. After the storage account has been created, your new storage account shows an Online status, and it is ready to use.

image

 


Create Virtual Machine

In the taskbar, click New.

In the navigation pane, click Compute, click Virtual Machine, and then click From Gallery to launch the Create a Virtual Machine Wizard.

On the Virtual Machine Operating System Selection screen, select Windows Server Essentials Experience on WS 2012 R2 as the platform image.

On the Virtual machine configuration page, enter the following information:

In the Virtual Machine Name box, type a unique virtual machine name. For example, GuruTS.

In the New user name box, type a user name. In the New Password box, type a strong password.

Leave the Tier at Standard

In the Size drop-down list, select A2 (2 cores, 3.5 GB memory) , which supports >5 – 200 client computers. If you want the virtual machine to support less than 5 client computers, you can select Small (1 core, 1.75 GB memory) .

In the Confirm Password box, type the password again.

noteTip: Write down the user name and password because these are the credentials that you will use to sign in to your new virtual machine.

 

image

 

Click the Right Arrow to move to the next screen in the Wizard.

On the Virtual machine configuration page, enter the following information:

For Cloud Service, select Create a new cloud service. Keep the automatically generated cloud service DNS name, or specify a new one.

In the Region/Affinity Group/Virtual Network drop-down list, select the virtual network that you created earlier (for example, GuruNetwork).

Leave the default selection for Virtual network subnets, or select a different subnet as needed.

In the Storage Account field, select the storage that was created in the previous step (for example, GuruStorage).

On the Virtual machine configuration page, add two new endpoints as follows: Click to expand the dropdown list in the new line below PowerShell, and then select HTTP. Verify that the protocol is TCP, and that the public port and the private port are 80.

noteNote:   The Media Streaming feature does not work if Port 80 is not enabled.

Click to expand the dropdown list in the new line below HTTP, and then select HTTPS. Verify that the protocol is TCP, and that the public port and the private port are 443. Click the checkmark to begin the virtual machine creation.

noteNote:  

It can take a while for the virtual machine to deploy. You can monitor the status of the virtual machine deployment in the status bar of the Management Portal.

image

Click the Right Arrow to move to the next screen in the Wizard.

On the Last page of the wizard I would leave on Install the VM Agent and turn on Microsoft Antimalware since this is a machine we will be remote controlling into.

image

Then click the Check Mark in the lower right corner and wait for the server to complete before moving on to the next step!


A Bit of MAGIC!!!

Once your machine is completed you can move on to the Magic that will allow us to connect to the server even if outbound RDP is not open.  DO NOT CONTINUE until the machine is successfully created.

Click Virtual Machines in the Left Navigation, then click on your new server (example GuruTS)

Click ENDPOINTS

image

if you did not add your endpoints for HTTP and HTTPS you can do it now by click the plus sign image

We need to change the endpoint configuration for Remote Desktop from the current port to a standard port that is likely allowed from the school network.  To do this …

click Remote Desktop then click the Edit Button on the bottom image

For our first test, we will try port 8080 which is a standard port that most companies (and schools) will have open.

Change the Public Port to 8080 then (leave the private port at 3389)

image

click the checkmark

It may take a minute or so for this change to take effect.  Once done, you can try to connect to the server.  You should have success. 

If this does not work, try deleting the HTTP endpoint (80) and changing the RDP endpoint public port to 80.  You will have to change it back once you configure Essentials on the server.

 


Connect to Virtual Machine

In the left pane, click Virtual Machines, and then select the virtual machine that you created in the previous step.

On the command bar, click Connect.

Click Open to use the Remote Desktop protocol file that was automatically created for the virtual machine.

Click Connect to proceed with the connection process.

In the ComputerName\user name box, type .\<username> , where username is the name of the administrative account on the virtual machine that you created earlier, and then click OK.

Click Yes to verify the identity of the virtual machine.

You can now work with the virtual machine just as you would with any other server.

image


Configure Windows Server Essentials Experience Role [If you used the Essentials Image]

Connect to the virtual machine, and then double-click the readme.url on the desktop to review its content.

The Configure Windows Server Essentials Wizard automatically opens. If it doesn’t open automatically, open Server Manager, in the notification bar, click the flag, and then click Configure Windows Server Essentials.

Configure the Windows Server Essentials similar to an on-premises server. You can either configure it as a new domain controller, or as a domain member of an existing domain. For more information, see the “Deploying the Windows Server Essentials Experience role in Windows Server 2012 R2 Standard and Datacenter Editions” section in Install and Configure Windows Server 2012 R2 Essentials.

noteNote When you create a network administrator account, avoid using the same name as the virtual machine user name. This is because the virtual machine user name is automatically converted into a network administrator user name and you cannot have duplicate account names on a server. During configuration, the server restarts automatically.

After the Windows Server Essentials Experience role is configured, connect to the virtual machine running this role by using the administrator account that you created earlier

The Windows Server Essentials Experience role configuration creates a Dashboard shortcut on the server desktop. Double-click this shortcut to launch the Windows Server Essentials Dashboard.  However, it will not work until you finish configuring Essentials. 

noteNote

If you get an error message that states the Windows Server Essentials Dashboard cannot be opened until the server configuration is complete, please wait for a few minutes, and then try to open the Dashboard again.

image

From Server Manager there should be a notification that Post Deployment Configuration is needed.

image

Click Configure Windows Server Essentials

You can then click on Task Details to see what is happening

note IMPORTANT NOTE: You may have to minimize your Task Details and your Server Manager screen to see the popup window Configure Windows Server Essentials

Click Next on the first page of the Configure Windows Server Essentials Wizard

Enter your Company Name and Internal Domain Name. Then click Next

image

Enter Network Administrator Account Username and password

noteNote:   (This should be different from your Azure Administrator Account)

image

then click Configure

This could take a long time to configure (30 mins or so) Your computer will reboot during the process.  Give it a couple minutes after disconnecting before you try to connect again.

 

Setup Anywhere Access [If you used the Essentials Image]

In general, the use of Routing and Remote Access (RRAS) functionality for routing and as a VPN gateway within a virtual network is not supported in Azure. However, the use of RRAS functionality on an Azure virtual machine is supported only for the scenario that is specified within this document.

Anywhere Access helps you set up VPN connections and Remote Web Access to Windows Server Essentials Experience. To enable Anywhere Access in Azure, you need to:

  1. Make sure that both port 80 and port 443 are accessible on your virtual machine. If you haven’t done so while creating the virtual machine, you can add them from the virtual machine management portal, on the Endpoints tab by using the Add button on the app bar on the bottom of the page.  NOTE: if you used port 80 for your RDP, you will need to change that in order to setup Anywhere Access.
  2. After the endpoints are configured, you can set up VPN connections and Remote Web Access by using the Set up Anywhere Access Wizard in the Dashboard. The steps are the identical to the on-premises setup except that you must select the Skip router setup option on the first page of the wizard. Otherwise, router configuration errors are reported. You can safely ignore the router-related warnings.
  3. Configure the Routing and Remote Access service (RRAS) server to use a static pool of IP addresses to allocate to remote clients. For more information, see Configure the Way RRAS Assigns IP Addresses to VPN Clients to create a static IP address pool.

    ImportantImportant

    • Make sure that the size of the pool is large enough to allocate IP addresses for all the clients that might concurrently connect to the server. For example, if there are 100 clients that might access the server through VPN connections at the same time, the number of addresses should be larger than 100.
    • Make sure that the static IP addresses are within the virtual subnet address space that you created earlier in Step 5 of Create a virtual network. The range of the pool should avoid conflict with IP addresses that are reserved for the virtual machines in this subnet. For example, if the virtual subnet IP addresses are 10.0.0.4 – 10.0.0.254, and you have less than 100 clients, you can configure the pool as 10.0.0.150 to 10.0.0.254.

    noteNote

    In the virtual machine running Windows Server 2012 R2, install the RRAS Microsoft Management Console (MMC) snap-in as follows:

    1. Open Windows PowerShell, type mmc, and then press ENTER.
    2. In the Microsoft Management Console, click File/Add/Remove Snap-in…
    3. From the available snap-in list, select Routing and Remote Access, click Add, then click OK.
    4. Expand the RRAS snap-in under the Console Root.
    5. Right-click Server Status, and then click Add Server.
    6. Keep the This computer radio button selected, and then click OK.
    7. To create a static IP address pool, follow the guidance in Configure the Way RRAS Assigns IP Addresses to VPN Clients.
  4. After you run the Set up Anywhere Access Wizard, you can ignore the following error messages: “Anywhere Access to your server is blocked” and “There may be more than one router on your network.”