Creating an Advanced Deployment
Written by Fegeins Louis
Updated over a week ago

Overview

The CAS Deployment Wizard helps you configure the settings required for a new Cloud Desktop deployment within a matter of minutes. The wizard includes two modes:

  • Guided: the guided mode is used to create Basic, Standard, and Enterprise deployments. The wizard walks you through several screens and presents a limited number of options to configure your new deployment.

  • Advanced view: the Advanced view is used to create Advanced deployments. The wizard presents all settings on a single page, lets you configure virtually every aspect of your new deployment, and enables advanced deployment options such as using alternate GCP credentials or existing VPC networks.

For details on configuring a Basic, Standard, or Enterprise deployment using Guided mode, please refer to this article: Using the CAS Deployment Wizard.

Before Using the Deployment Wizard

When preparing to create your CAS deployment, it is important to understand the different types of deployments and the options you can configure for each. Please carefully review CAS Deployment Types and Sizing and other articles in the Planning Your Deployment section.

The table below summarizes the additional configuration available in Advanced deployments. For each parameter, the first list shows what Basic, Standard, and Enterprise deployments offer, and the second list shows what Advanced deployments offer.

Parameter: Operating System

  Basic, Standard, and Enterprise Deployments:

    • Windows Server 2019 using Google public images

    • All VMs configured as Shielded VMs for greater security

  Advanced Deployments:

    • Windows Server 2019, 2016, or 2012 R2, using Google public images or your custom GCP images

    • Option to use Shielded or non-Shielded VMs

    • Select different OS images for your RDS infrastructure and your domain controllers (if applicable)

Parameter: Providing Google Cloud Credentials

  Basic, Standard, and Enterprise Deployments:

    • OAuth authentication for the current user

  Advanced Deployments:

    • OAuth authentication for the current user

    • Upload a JSON key for preconfigured credentials

Parameter: Networking options

  Basic, Standard, and Enterprise Deployments:

    • Create a new VPC network

  Advanced Deployments:

    • Create a new VPC network

    • Use an existing VPC network in the same project

    • Use an existing shared VPC network

Parameter: GCP Regions and Zones

  Basic, Standard, and Enterprise Deployments:

    • CAS automatically selects two zones in each GCP region that is added to the deployment

  Advanced Deployments:

    • User can manually specify the zones to use in each GCP region

Parameter: Infrastructure Redundancy

  Basic, Standard, and Enterprise Deployments:

    • Infrastructure roles are deployed based on the redundancy defined for each deployment size

  Advanced Deployments:

    • User can specify whether to enable redundancy for each infrastructure role: RD Broker, RD Gateway, and domain controllers (if applicable)

Launching the CAS Deployment Wizard

  1. Log in to the itopia CAS Admin Portal with an account that has Organization Owner permissions.

  2. If you have not yet created any CAS deployments, you will be prompted to create a new deployment on the Portal homepage. Click the Create Deployment button to launch the wizard.

  3. If you have existing deployments, select All Deployments from the left-hand menu. In the All Deployments window that appears, click the Create button to launch the wizard.


Completing the Wizard

The wizard will walk you through several screens to configure the basic parameters for your CAS deployment. You can leave the wizard and return to it at any time; CAS saves your progress as you go, and no billable resources are created in your GCP project until you complete the wizard. If you are creating the first deployment in the organization, the wizard will reappear as soon as you log into the CAS Admin Portal. If you have other deployments, the unfinished deployment will appear in your list of Deployments with an empty status icon; click on the deployment to resume the Deployment Wizard.


NOTE: Clicking Cancel in the Deployment Wizard will delete your unfinished deployment! If you delete the deployment at any time before completing the wizard, you will not incur any charges in Google Cloud, but you will lose your progress and will need to restart the Deployment Wizard from the beginning.

Deployment Name and ID

The wizard will first prompt you to provide a Deployment Name and, optionally, a Deployment ID.

  1. Provide a Deployment Name. The Deployment Name is used in your CAS Admin Portal to let you quickly pick the right deployment.

  2. Provide a Deployment ID, or select Auto-generate ID. The Deployment ID is prepended to every resource that CAS creates for your deployment such as VMs (and Windows server names), VPC networks, and firewall rules. The Deployment ID is also part of the default external address for your deployment, which is the URL your users can use to access the RD Web Portal and RD Web Client; you can update the external address after you create the deployment, but you cannot change the Deployment ID or rename the resources. You can allow CAS to auto-generate a unique ID for you, or you can provide your own ID consisting of 3-8 alphanumeric characters.

  3. Click Next.

Deployment Size

The Deployment Size screen lets you select the type of deployment to create. In this article, we will discuss the options available for Advanced deployments; for information on creating Basic, Standard, or Enterprise deployments, please refer to the article Using the CAS Deployment Wizard.

For information on the Deployment types available in CAS, please review CAS Deployment Types and Sizing.

  1. Specify the Number of Users for your deployment. This number is used by CAS to determine resource sizing (CPU and RAM) of the VMs for your infrastructure servers and Session Hosts. You can change the VM sizes at any time after the deployment is created, although you might incur a brief downtime as servers are reconfigured with their updated sizing.

  2. For the deployment size, choose Advanced.

  3. Click Next.

Advanced View

Choosing an Advanced Deployment will display the Advanced view of the Deployment Wizard. In this view, all settings are presented on a single page and additional configuration options are available. This article will walk through each section of the Advanced view.

Connect to Google

As a first step, CAS must connect to a Google Cloud project. You can either log in to your Google account using OAuth and select a GCP project in which you have Owner permissions, or you can upload the JSON key of a GCP service account that has Owner permissions on the desired project.

  • Let us configure it: Click the Sign in with Google button and sign into your Google account. The wizard will display a list of GCP projects to which you have permissions. Select the appropriate GCP project. CAS will create a service account in the GCP project and will use that for the provisioning and ongoing administration of resources in the GCP project.

  • Use this service account: If you (or your GCP administrator) have pre-created a service account for CAS to use, you can generate an access key and configure CAS to use that account. Generate the access key in JSON format, and then upload the key. CAS will determine the GCP project from the key, and will use that service account for the provisioning and ongoing administration of resources in the GCP project.

VPC Network

Choose whether to create a new VPC network or use an existing VPC network. Depending on the option you choose, the configuration settings will differ.

  • Create a new VPC network: CAS will create a new VPC network in the GCP project and attach all VMs to that network. You can specify the subnet(s) to use in the Regions section of the wizard (see below).

  • Use an existing VPC network in this project: CAS will list the VPC networks that already exist in the GCP project. Select the appropriate VPC network from the dropdown menu.

  • Use an existing VPC network in another project (Shared VPC): CAS will walk you through the necessary steps to create a shared VPC (if it is not already configured) and to configure it for use with your CAS deployment. Click Configure and follow the steps below.

NOTE: If you choose to use an existing VPC network, CAS can only be deployed into the GCP regions that have subnets in that VPC. Therefore, make sure to create a subnet in each GCP region that you want to include in your CAS deployment. If the region has more than one subnet defined, CAS will ask you which subnet to use in the Regions section of the wizard (see below).

Configure a Shared VPC

If you choose to use a Shared VPC, CAS will require some additional configuration. When you click Configure, the Shared VPC Configuration window will appear.

  1. Specify the VPC host project ID.

  2. Specify the VPC network name.

  3. Provide a PES subnet. The Proxy Execution Service (PES) is a resource created in itopia's system. CAS generates a unique PES for each deployment and configures it on a VPC network within itopia's GCP project; CAS then configures a VPC peering connection between the PES VPC and your deployment's VPC. When your deployment creates a new VPC, CAS automatically selects a small subnet for the PES VPC; however, when your deployment uses an existing VPC, CAS prompts you to specify a subnet for the PES VPC. This subnet should be unused anywhere in your routable network to ensure there are no conflicts between the PES VPC and your existing network infrastructure.

  4. Click Next.

  5. Follow the steps to create the Shared VPC and to grant access to the CAS service account. If you have already created the Shared VPC and shared it with this GCP project, you can skip steps 1-3.

  6. Click Next.

  7. CAS will verify that the service account has the appropriate permissions to the Shared VPC and will generate a Cloud Shell Script to configure the Shared VPC for the CAS deployment. This includes creating the VPC peering for PES and creating firewall rules to allow CAS and RDS functionality. Copy the script to a temporary location (such as Notepad).

  8. In a new browser tab, log in to the GCP Admin Console and launch a Cloud Shell session. Instructions can be found here.

  9. Paste the script you copied in Step 7 into the Cloud Shell window. Make sure that all commands in the script execute successfully. NOTE: the final command in the script may not automatically execute if you did not copy/paste the line break; in the Cloud Shell, press your [ENTER] key to make sure that all commands are executed.

  10. Return to the CAS Deployment Wizard and click Save.

Deployment Regions

Select the GCP regions in which your CAS deployment will be created. CAS supports single-region and multi-region deployments, using any GCP regions globally. Note that when deploying into multiple regions, CAS will provision infrastructure resources such as RDS VMs, Active Directory domain controllers (or the managed AD instance), and public IPs into each region; this will incur higher GCP compute costs. For help deciding how to use GCP regions for your deployment, refer to the article Key Decision Points.

  1. Click the Add Region button.

  2. In the Select a GCP Region dropdown, choose the GCP region you wish to add to the deployment.

  3. The first region you add will automatically be set as the Primary region; when adding multiple regions, you can use this checkbox to change which region is configured as the Primary. In a multi-region deployment, the primary region acts as a hub for Active Directory replication; otherwise, this setting has little effect.

  4. If you are creating a new VPC network, provide a VPC subnet (in CIDR format) for the region; if you are using an existing VPC network that has multiple subnets in the region, select the desired subnet from the dropdown. itopia recommends a minimum /24 subnet for each region to support approximately 250 VMs; however, depending on the size of your deployment, you may wish to use larger subnets.

  5. To specify which zones to use, enable Manually select zones and choose Zone 1 and Zone 2 from the dropdown lists. CAS provisions your GCP resources into two zones in each region. In some cases, you may wish to designate the zones if, for example, you wish to use GPU-accelerated instances that are only available in specific zones.

  6. Repeat steps 1-5 to add additional regions to your deployment.
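As an added example (not itopia's code and not part of the original article), the following pre-flight check validates the address plan the Advanced view asks for: one subnet per region (at least a /24 is recommended), a PES subnet for the Shared VPC dialog that is unused anywhere in your routable network, and a 3-8 character alphanumeric Deployment ID. All CIDRs and region names in it are constructed samples.

```python
"""Pre-flight check for the subnets and Deployment ID of a CAS Advanced deployment.

Added example, not itopia's code. It checks the constraints the wizard describes:
one subnet per region (a /24 or larger is recommended), a PES subnet that is
unused anywhere in the routable network, and a 3-8 character alphanumeric
Deployment ID. Every address range below is a constructed sample.
"""
import ipaddress
import re

RECOMMENDED_REGION_PREFIX = 24  # itopia recommends at least a /24 per region
DEPLOYMENT_ID_RE = re.compile(r"^[A-Za-z0-9]{3,8}$")


def validate_deployment_id(dep_id: str) -> bool:
    """Return True if the ID is 3-8 alphanumeric characters."""
    return bool(DEPLOYMENT_ID_RE.match(dep_id))


def plan_subnets(region_subnets, pes_subnet, existing_ranges):
    """Return a list of problems found; an empty list means the plan is clean.

    region_subnets:  {"us-east1": "10.10.0.0/24", ...}  (new VPC, one per region)
    pes_subnet:      the CIDR you will hand to the Shared VPC dialog for PES
    existing_ranges: every CIDR already routable in your network (on-prem,
                     other VPCs, VPN peers); nothing new may overlap these
    """
    problems = []
    nets = {}
    for region, cidr in region_subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set
        except ValueError as exc:
            problems.append(f"{region}: invalid CIDR {cidr!r} ({exc})")
            continue
        if net.prefixlen > RECOMMENDED_REGION_PREFIX:
            problems.append(f"{region}: {cidr} is smaller than the recommended /24 "
                            f"({net.num_addresses} addresses)")
        nets[region] = net
    try:
        pes = ipaddress.ip_network(pes_subnet, strict=True)
    except ValueError as exc:
        problems.append(f"PES: invalid CIDR {pes_subnet!r} ({exc})")
        pes = None
    existing = [ipaddress.ip_network(c, strict=False) for c in existing_ranges]

    # Region subnets must not overlap each other or anything already routable.
    regions = list(nets.items())
    for i, (r1, n1) in enumerate(regions):
        for r2, n2 in regions[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{r1} {n1} overlaps {r2} {n2}")
        for ex in existing:
            if n1.overlaps(ex):
                problems.append(f"{r1} {n1} overlaps existing range {ex}")

    # The PES subnet is peered into the deployment VPC, so it must be unique
    # against both the region subnets and the existing network.
    if pes is not None:
        for region, net in nets.items():
            if pes.overlaps(net):
                problems.append(f"PES {pes} overlaps {region} {net}")
        for ex in existing:
            if pes.overlaps(ex):
                problems.append(f"PES {pes} overlaps existing range {ex}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: the europe-west1 subnet collides with an on-prem range.
    plan = {"us-east1": "10.10.0.0/24", "europe-west1": "10.20.0.0/24"}
    for problem in plan_subnets(plan, "10.99.0.0/28", ["10.20.0.0/16", "192.168.0.0/16"]):
        print("PROBLEM:", problem)
```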

Active Directory

CAS Cloud Desktop deployments require a Microsoft Active Directory domain. The CAS wizard lets you either create a new domain using traditional Windows Active Directory domain controllers or the Google Managed Service for Microsoft Active Directory, or to use an existing Active Directory domain. For more information, review the article Requirements for a Deployment.

Choose the option for configuring Active Directory for your CAS deployment:

  • New Domain - Microsoft Active Directory: CAS will provision Windows Server VMs in each region, install the Active Directory Domain Services role, and create a new Active Directory forest and trust. You will specify the domain details on the following page.

  • New Domain - Google Managed Service for Microsoft Active Directory: CAS will create a new instance of the Google Managed AD service in Google Cloud. You will specify the domain details on the following page.

  • Existing Domain - Microsoft Active Directory: CAS will provision Windows Server VMs in each region, install the Active Directory Domain Services role, and promote the servers as additional domain controllers in your existing Active Directory domain. You will specify the domain details on the following page.

Depending on the option you selected, follow the instructions in the appropriate sub-section below.

New Domain - Microsoft Active Directory

CAS will ask you to provide some basic details for your new Active Directory domain. These details will be used to create a new Active Directory forest and domain.

NOTE: If you plan to configure a Trusted AD model, be sure to use unique values for the new domain that do not conflict with your existing domain, or with any domains with which your domain has an existing trust relationship.

  1. Provide a Domain DNS name. The Domain DNS name (also called the fully qualified domain name or FQDN) is the long-form name of your domain. If you have an existing public DNS name for your organization (such as contoso.com), you may use the same domain for this internal name; however, be aware that you may need some additional DNS configuration to allow your users to access your public website. To avoid this potential conflict, use a non-public top-level domain such as contoso.ad or contoso.local.

  2. Provide a Domain NETBIOS name. The Domain NETBIOS name is the short-form name of your domain. In most organizations, the NETBIOS name is the first part of the Domain DNS name; for example, if your Domain DNS name is contoso.ad, your Domain NETBIOS name would typically be contoso.

  3. Provide a Default UPN suffix for users. The user principal name (UPN) suffix for user accounts is part of the username that your users will have. In most organizations, the UPN suffix will match the email domain of the organization, so that users can have a unified username and email address; for example, if your email domain is contoso.com, you can set your UPN suffix to contoso.com so that your usernames will resemble username@contoso.com.

New Domain - Google Managed Service for Microsoft Active Directory

CAS will ask you to provide some basic details for your new Active Directory domain. These details will be used to create a new instance of Google Managed Service for Microsoft Active Directory (Google Managed AD).

NOTE: If you plan to configure a Trusted AD model, be sure to use unique values for the new domain that do not conflict with your existing domain, or with any domains with which your domain has an existing trust relationship.

  1. Provide a Domain DNS name. The Domain DNS name (also called the fully qualified domain name or FQDN) is the long-form name of your domain. If you have an existing public DNS name for your organization (such as contoso.com), you may use the same domain for this internal name; however, be aware that you may need some additional DNS configuration to allow your users to access your public website. To avoid this potential conflict, use a non-public top-level domain such as contoso.ad or contoso.local.

  2. Provide a Domain NETBIOS name. The Domain NETBIOS name is the short-form name of your domain. In most organizations, the NETBIOS name is the first part of the Domain DNS name; for example, if your Domain DNS name is contoso.ad, your Domain NETBIOS name would typically be contoso.

  3. Provide a Default UPN suffix for users. The user principal name (UPN) suffix for user accounts is part of the username that your users will have. In most organizations, the UPN suffix will match the email domain of the organization, so that users can have a unified username and email address; for example, if your email domain is contoso.com, you can set your UPN suffix to contoso.com so that your usernames will resemble username@contoso.com.

  4. CAS will check whether your GCP project has the API enabled for using Google Managed AD. If it does not, enable the API and click the Retry button to let CAS validate that the API is now enabled.

Existing Domain - Microsoft Active Directory

CAS will ask you to provide some details of your existing Active Directory domain. Please consult your organization's Active Directory team for the correct settings for these values.

NOTE: Using an Extended Active Directory requires additional configuration before the deployment can be provisioned. The domain extension process will also make several changes to your existing AD domain, including: creating additional Active Directory sites, promoting additional domain controllers, and possibly upgrading your AD schema (if you are deploying domain controllers with a newer version of Windows Server than your existing domain controllers). Please make sure you fully understand the impact of an Extended Active Directory before proceeding. For more information, please review Active Directory in CAS Deployments.

  1. Provide the Default UPN suffix for users. The user principal name (UPN) suffix for user accounts is part of the username that your users have in your current domain. The UPN is the portion of the username after the "@" symbol.

  2. Provide your Domain DNS name. This is the fully qualified domain name (FQDN) of your existing Active Directory domain.

  3. Provide a DNS server IP address. Provide the IP address of a DNS server that hosts the Active Directory DNS zone for your existing domain. This IP address must be reachable from the VPC network that will be created for your CAS deployment.

  4. Provide an Enterprise Admin username and password. The Enterprise Admin credentials are only used during the initial configuration of your extended domain to promote the domain controllers in your CAS deployment. The credentials are not stored and are not used after the initial creation of the domain. You can create a temporary account with Enterprise Admin credentials and then delete it after the CAS deployment has been provisioned.

Domain Controllers

Regardless of the Active Directory option you choose, you will need to provide the configuration for the domain controllers that will be provisioned for your CAS deployment.

  1. Select the Operating system for the domain controllers. If you are deploying into an existing domain and the operating system you select for your CAS domain controllers is newer than the version on your existing domain controllers, CAS will attempt to automatically run the prerequisite adprep.exe utility to upgrade your domain to support the new OS version. This includes extending the AD schema and upgrading various objects in the forest and domain, but CAS does not attempt to change the domain functional level or forest functional level of your AD environment.

  2. Select the VM instance type for your domain controller VMs.

  3. Specify the System disk size and select the Disk type.

  4. Select the number of Domain controllers per region. CAS will provision a minimum of 1 domain controller in each GCP region included in your deployment; however, you may wish to provision additional domain controllers for high availability and/or load balancing.

RDS Infrastructure

CAS will ask you to configure each aspect of your Remote Desktop Services (RDS) infrastructure.

  • Select the Operating system for RDS Servers. The operating system version for your RDS infrastructure does not need to match the operating system for your domain controllers. In most cases, itopia recommends using the latest version of Windows Server for your RDS infrastructure.

The subsections below will discuss configuring specific components of the RDS infrastructure. Note that the configuration specified below applies to each region in a multi-region deployment.

RD Brokers

The RD Broker role is responsible for monitoring the status of RD Session Host servers (created as part of each Collection Pool), accepting user connections, and rerouting them to the appropriate Session Host server.

  1. Choose the option for the RD Broker role:

    • Deploy redundant RD Broker servers (HA Config): In each region, CAS will configure two VMs running the RD Broker role in high availability mode. CAS will also provision a Google Cloud SQL instance in each region for hosting the Connection Broker Database.

    • Deploy a single RD Broker server: In each region, CAS will configure a single VM running the RD Broker role.

    • Install the RD Broker role on the first Session Host: In each region, CAS will install the RD Broker role on the first Session Host server of the first Collection Pool. When selecting this option, you cannot delete the first Collection Pool, and the first Collection Pool cannot be configured as a Dedicated Collection Pool.

  2. Configure the VM instance type for your RD Broker VMs. If you choose to install the RD Broker role on the first session host, this option will not be available.

  3. Configure the System disk size and select the Disk type.

RD Gateways and RD Web

The RD Gateway role allows users to connect securely to their Cloud Desktops from the Internet over HTTPS (TCP/443). Without this role, users can only connect on the standard RDP port (TCP/3389), which is less secure. If you do not deploy the RD Gateway role, your deployment will not be accessible to users over the Internet; you must configure network routing to your VPC network using a VPN or interconnect, and users can only access their Cloud Desktops from your internal (private) network.

The RD Web role hosts the RD Web Portal and the RD Web Client. This role is required for an RDS deployment, and is installed on the same VMs as the RD Gateway servers. If you do not deploy RD Gateway servers, this role is installed on the RD Broker servers instead.

  1. Choose the option for the RD Gateway and RD Web roles:

    • Deploy redundant RD Gateway servers: In each region, CAS will configure two VMs each running the RD Gateway and RD Web roles and will provision a Google Cloud Load Balancer to direct HTTPS traffic from the Internet to both servers.

    • Deploy a single RD Gateway server: In each region, CAS will configure a single VM running the RD Gateway and RD Web roles. The server will be configured with a public IP address to permit HTTPS traffic from the Internet.

    • Don't deploy RD Gateway servers: CAS will not deploy the RD Gateway role. The Cloud Desktop environment will not be accessible from the Internet.

  2. Configure the VM instance type for your RD Gateway VMs. If you do not deploy the RD Gateway role, this option will not be available.

  3. Configure the System disk size and select the Disk type. If you do not deploy the RD Gateway role, this option will not be available.
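As an added example (not itopia's code and not part of the original article), the check below audits GCP firewall rules for the exposure the section warns about: the only port that should be open to the Internet is the RD Gateway's HTTPS (TCP/443), never RDP (TCP/3389). It reads the JSON that `gcloud compute firewall-rules list --format=json` produces (field names as in the Compute API Firewall resource); the rules embedded in it are constructed samples, not rules from a real CAS deployment.

```python
"""Flag GCP firewall rules that expose RDP (TCP/3389) to the Internet.

Added example, not itopia's code. Input is the JSON emitted by
`gcloud compute firewall-rules list --format=json`; the sample rules below
are constructed for this demonstration.
"""
import ipaddress
import json

RDP_PORT = 3389

# Constructed sample output: one benign HTTPS rule, one internal RDP rule,
# one over-broad Internet rule, and one disabled rule.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "casdemo-allow-gateway-https", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "casdemo-allow-rdp-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.10.0.0/24", "10.99.0.0/28"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389", "445"]}]},
    {"name": "casdemo-allow-rdp-any", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "casdemo-rdp-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
])


def _port_match(ports, port):
    """True if `port` falls inside any gcloud port spec ("22" or "3000-4000")."""
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _is_public(cidr):
    """True for a source range that reaches beyond private address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private  # 0.0.0.0/0 or ::/0 is always public


def find_public_rdp(rules_json):
    """Return names of enabled ingress rules allowing TCP/3389 from a public range."""
    findings = []
    for rule in json.loads(rules_json):
        # The API defaults direction to INGRESS when the field is absent.
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(_is_public(r) for r in rule.get("sourceRanges", [])):
            continue
        for allow in rule.get("allowed", []):
            proto = allow.get("IPProtocol", "").lower()
            # "all", or tcp with no ports list, means every port, 3389 included.
            if proto == "all" or (
                proto == "tcp" and ("ports" not in allow or _port_match(allow["ports"], RDP_PORT))
            ):
                findings.append(rule["name"])
                break
    return findings


if __name__ == "__main__":
    for name in find_public_rdp(SAMPLE_RULES_JSON):
        print("RDP reachable from the Internet via rule:", name)
```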

File Server

In order to store persistent user profiles and create network shares and mapped drives, CAS requires an SMB file share. The deployment wizard will ask you to select whether to create a dedicated Windows File Server VM in each region, use a NetApp Cloud Volume managed file share, or create the file shares on a Session Host in each region.

  1. Choose the type of file share you would like to use in your deployment:

    • Microsoft Windows File Server: A dedicated file server will be provisioned in each GCP region included in your deployment.

    • NetApp Cloud Volumes Service (CVS): CAS will create a NetApp Cloud Volume instance in each region. Cloud Volume is a managed service that provides SMB file shares without the need to manage a Windows File server. CAS will check whether your GCP project has the API enabled for using NetApp Cloud Volumes; if it does not, enable the API and click the Retry button to let CAS validate that the API is now enabled. NOTE: Due to limitations in Google Cloud, you cannot use NetApp Cloud Volumes if you are using Google Managed Service for Microsoft Active Directory.

    • Create a file share on the first Session Host in each region: CAS will not create a dedicated file server. Instead a secondary "data disk" will be attached to the first Session Host of the first Collection Pool in each region, and the file shares will be created on this disk. NOTE: this will prevent you from deleting the first Session Host or Collection Pool from your deployment.

First Collection Pool

As a final configuration task, the deployment wizard will collect some information about the first Collection Pool to create in the environment.

  • Provide a Collection Pool name. The Collection Pool name is used in the CAS Admin Console to identify the Collection Pool. Your users may also see this name when accessing the RD Web Portal or the RD Web Client.

Collection Type

  • Select a Collection Type:

    • Shared Collection: Users can connect to any Session Host in the Collection Pool each time they log in, and multiple users can have simultaneous sessions on each Session Host (in accordance with the CAS Deployment Types and Sizing). After the deployment is created, you can configure the Collection Pool to use only single-session Session Hosts.

    • Dedicated Collection: Users are assigned a dedicated Session Host server and can only access that server each time they log in. Session Hosts are single-session; that is, there is one Session Host VM created for each user.

Collection Regions

  • Choose the Regions in which to create the Collection Pool. You can select one or more regions that you enabled earlier in the Advanced view. You must select at least one region.

Profile Persistence

  • Select the configuration for Profile Persistence:

    • Users have persistent profiles: CAS will install and configure FSLogix Profile Containers on Session Hosts. User profile containers will be stored on the file share configured earlier in the wizard, and their profile will be loaded on any Session Host to which they connect.

    • Users have non-persistent profiles: CAS will not install or configure FSLogix Profile Containers, and Session Hosts will be configured to delete the local user profile each time a user logs out.

    • Do not configure user profiles: CAS will not install or configure FSLogix Profile Containers and will not enable profile deletion. Users will have a separate, local profile on each Session Host they connect to. This option is only recommended if you are configuring a third-party roaming profile solution.

Stackdriver Monitoring

CAS allows you to install the Google Stackdriver Monitoring and Logging agents on each VM in your deployment; this will enable detailed utilization and log analytics in the GCP Console. To install each of the agents on all VMs in your CAS deployment, check the appropriate box.

Confirm Deployment

CAS will display an estimated cost for the GCP compute resources for your deployment.

  1. To see how the pricing for your deployment will be affected as you add (or remove) users, change the Number of Users value and click Recalculate.

  2. If everything looks correct, check the confirmation box.

  3. Click Finish.

CAS will begin provisioning the resources in your GCP project and performing its automated configuration. The process can take between 1 and 3 hours, or possibly longer if you're deploying to many regions. You can review the status of your deployment from the CAS Admin Console dashboard.

NOTE: If you are using an Extended Active Directory configuration, CAS will pause the provisioning after the VPC network is created; you must configure network connectivity to your existing Active Directory environment and then resume the provisioning process from the CAS Admin Console dashboard.

Next Steps

Once your deployment is created, continue on to the post-deployment tasks, configure a custom OS image for your Collection Pools, and add or import users into CAS.
