Building a Basic Azure HomeLab for Testing Workspace ONE UEM


Quick and Dirty, No-Frills, Azure Lab

NOTE: This is still under construction but I wanted to share what I had so far…

Two things intersected for me this weekend: Issues with my current lab setup, and realization of some unused credits with my MSDN subscription. This led me down the path of building a basic Azure homelab for Workspace ONE UEM testing. My intent of this blog post is to document the process for myself to re-use, but I also invite your comments on how to improve the scenario. I realize this v1 lab lacks a lot of the frills (e.g. Availability Zones, redundancy, etc), but I really just wanted to get something stood up to try it out. I also hoped this could provide anyone in the same position a basic blueprint to get started.

As such, here’s the motivation:

  1. Set up a basic homelab that provides AD, DNS, IIS, and Unified Access Gateway.
  2. Keep the monthly spend below the MSDN Subscription Benefits.
  3. Set up M365 developer account to mock up mailboxes and Teams info.

Configuring Pre-Requisites

At a high-level, there are a few things I like to do to “dress up” my demo environments.

Custom Domain Name

Before starting, purchase a domain name for the demo. I use DreamHost because their site is far less cluttered than GoDaddy and they have a good API (which could be useful if you start adding LetsEncrypt certificates).

Microsoft 365 (e.g. Office 365) Developer Account

From within your MSDN subscription (if you’re doing it this way) or by signing up at the M365 Developer Program, you should be able to create an M365 sandbox. Once that is created, do the following:

  • Log-in with your M365 admin account
  • Click on the Admin panel
  • Expand Setup in the left NAV menu and click Domains
  • Click Add Domain and follow the wizard to add the various DNS records into your DNS Hosting provider.
  • Once the DNS records are validated, you’ll see the domain added in the list of Domains with a Healthy status.
  • Select the new custom domain and then click Set as Default

Optional M365 Branding

I also make some slight changes to the M365 branding to make it flow with the rest of my demo.

  • Log-in with your M365 admin account
  • Click on the Admin panel
  • Expand Setup in the left NAV menu and click Org Settings
  • Select the Organization Profile tab and click Custom Themes
  • Upload a custom logo image and modify the color scheme if desired. Click Save.

Configuring Necessary Azure-Hosted Infrastructure:

Azure Configuration High Level:

At a high level, I expect to create the following items in Azure:

  1. A single Resource Group for all the demo-related items
  2. A virtual network with 2 subnets (Internal and External) - Both as Address Pools behind the LB
  3. A Load Balancer with Public IP for Nat’ing
  4. One virtual machine on the Internal network with AD, DNS, IIS. I also plan to install the ACC and Access Connector
  5. One UAG appliance on the external network. This should be configured for Per-App Tunnel and allow devices to hit the IIS server (not exposed publicly)
  6. Backup of the DC VM as changes are made (restore to known good)
  7. DNS name for the load balancer (and also to be used in M365 for mailbox domains)

In each section, I’ll start from the “All Services” page in the Azure console.

Azure Resource Group:

  • Choose the General category, then select Resource Groups
  • Click Add
  • Complete the Basics tab:
    • Choose your Subscription (in my case Visual Studio Enterprise)
    • Enter a Resource Group Name (e.g. SWDemo-rg)
    • Choose a Region (e.g. East US 2)
  • Click Review + Create, then click Create

Azure Virtual Networks

  • Choose the Networking category, then select Virtual Networks
  • Click Add
  • Complete the Basics tab:
    • Choose your subscription and Resource Group (e.g. SWDemo-rg)
    • Enter Instance Name (e.g. SWDemo-vnet) and choose the same region (East US 2)
  • Click Next: IP Addresses and Complete the IP Addresses tab:
    • Ensure you have a */16- IP address space pre-filled (or add it). Example: 10.0.0.0/16
    • Click on *default- subnet (10.0.0.0/24) and change name to external subnet name (e.g. SWDemo-EXT) then click Save
    • Click Add Subnet and enter name for internal subnet (e.g. SWDemo-INT). Add new range (e.g. 10.0.1.0/24) and click Add
  • Click Next: Security
  • Complete the Security tab by accepting the defaults: Disabled, Basic, Disabled
  • Click on Review + Create
  • If validation passes, click Create

Azure Load Balancer:

  • Choose the Networking category, then select Load Balancers
  • Click Add
  • Complete the Basics tab:
    • Choose your subscription and Resource Group (e.g. SWDemo-rg)
    • Enter a name (e.g. SWDemo-lb) and choose the same region (East US 2)
    • Choose Type:Public and SKU:Standard
    • Create a new Public IP address, name it (e.g. SWDemo-PublicIP), and set it to *Static- assignment
    • Select the Zone Redundant availability zone
  • Click Review + Create, then click Create
  • Click Go To Resource when the deployment completes
  • Click Backend Pools and then Add
  • Complete the Backend Pool tab:
    • Enter a name for the pool (e.g. SWDemo-lb-pool)
    • Choose the virtual network you created
    • Click Add

Azure Compute (Virtual Machines)

  • Choose the Compute category, then select Virtual Machines
  • Click Add, then Virtual Machine
  • Complete the Basics tab:
    • Choose your subscription and Resource Group (e.g. SWDemo-rg)
    • Enter the VM name (e.g. SWDemoDC) and Region (East US 2)
    • Choose No infrastructure redundancy required and choose the Windows Server 2019 Datacenter image.
    • Set *Spot Instance- to No and set the size to Standard_B2ms
    • Enter administrator Username and Password
    • Choose Allow selected ports and enable RDP (3389)
    • Select the Azure Hybrid Benefit if eligible
  • Select Next: Disks and complete the *Disks- tab
    • Choose Premium SSD
    • Create and Attach a new disk: 64Gb Empty Disk
  • Select Next: Networking and complete the *Networking- tab
    • Choose the new Virtual Network and your internal Subnet.
    • Set Public IP to None (NAT through the load balancer) and ensure the IP is set to Static.
    • Set Load Balancing to Yes
    • Choose Azure Load Balancer and select the load balancer and pool created earlier
  • Select Next: Management and complete the *Management- tab
    • Set *Boot Diagnostics- to Off (and ensure the remainder of monitoring, identity, and Azure AD are Off)
    • Set *Enable Auto Shutdown- to On and select a time (enabling notification before shutdown)
    • Enable Backup and set the schedule for Weekly Backup (retaining 2 weeks of backups)
  • Select Next: Advanced and complete the *Advanced- tab
    • Set *VM Generation- to Gen 2
  • Click Review + Create and then Create

If the VM IP doesn’t set to Static, you can modify this in {VM} > Networking > {Interface} > IP configurations > {IP Address} > Change slider to Static.

NAT RDP via Load Balancer

  • Choose the Networking category, then select Load Balancers
  • Select the new Load Balancer and click Inbound NAT Rules
  • Click Add and complete Inbound NAT rule:
    • Enter a name (e.g. SWDemoDC-RDP) and choose the LB front-end IP
    • Choose RDP as the service
    • Change the port to 33389
    • Select the new Virtual Machine as the target VM
    • Select Custom Port Mapping and set the target port to 3389
  • Click Review + Create and then Create

Documentation: https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-standard-public-zonal-portal

NAT Outbound Access via Load Balancer

  • Choose the Networking category, then select Load Balancers
  • Select the new Load Balancer and click Outbound Rules
  • Click Add and complete Outbound rule:
    • Enter a name (e.g. SWDemoDC-Internet) and choose the LB front-end IP
    • Protocol: All
    • Backend Pool: SWDemo-lb-pool
    • Use the default port allocation
  • Click Review + Create and then Create

Documentation: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections

Configure Azure VM with ADDS, DNS, and IIS

  • Run the Roles & Features install wizard to add all 3 roles and accept the defaults.
  • Configure a new Forest and new Domain using the wizard after runnign the role install.
    • Use a publicly valid address space (e.g. yourdomain.com)
    • Purchase that same DNS name through Route53 or Dreamhost for easy compatibility with LetsEncrypt
  • Load the DNS Management console after installation completes and ensure the DNS entries were added by AD.
    • Zone should be AD-integrated.
  • Modify the default Domain Controller and Domain Server policies in Group Policy Management Console:
    • Computer Configuration > Policies > Windows Settings > Security Settings > Account Policys / Password Policy
    • Relax password age/length/history and complexity.
    • Apply the same changes to the default
    • Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
    • Set Auto-Update options for “DinnerTime” hours
  • Verify policies update by running gpupdate /force at the command line

Add Users and Groups to Active Directory

First Add the Users via Powershell Script. In the below script, you’ll need to modify a few things:

  • Find and replace the string value for the password assigned to every user
  • Find and replace all the domain names (yourdomain.com) with your own domain name value (the same domain name you’ll be setting up for email in O365)
  • FInd and replace all the LDAP Distinguished Name values (CN=Users,DC=yourdomain,DC=com) to align with your own Domain structure

Note the script includes Manager info to create a heirarchy for People Search in Hub Services

The Script:

Import-Module ActiveDirectory
Import-Module Microsoft.Powershell.Security
$pw = ConvertTo-SecureString -String YourPasswordHere! -AsPlainText -Force
New-ADUser -Name "Darth Sidious" -Surname "Darth" -GivenName "Sidious" -UserPrincipalName "ds@yourdomain.com" -SamAccountName "ds" -AccountPassword $pw -enabled $true -Company "DarkSide LLC" -Department "Sith" -title "Sith Lord" -MobilePhone "470-247-5000" -OfficePhone "470-247-5000" -EmailAddress "ds@yourdomain.com" -PasswordNeverExpires $true -ChangePasswordAtLogon $false
New-ADUser -Name "Chancellor Palpatine" -Surname "Chancellor" -GivenName "Palpatine" -UserPrincipalName "cp@yourdomain.com" -SamAccountName "cp" -AccountPassword $pw -enabled $true -Company "LightSide LLC" -Department "Republic Senate" -title "Chancellor" -MobilePhone "470-247-5000" -OfficePhone "470-247-5000" -EmailAddress "cp@yourdomain.com" -manager "CN=Darth Sidious,CN=Users,DC=yourdomain,DC=com" -PasswordNeverExpires $true -ChangePasswordAtLogon $false
New-ADUser -Name "Darth Vader" -Surname "Darth" -GivenName "Vader" -UserPrincipalName "dv@yourdomain.com" -SamAccountName "dv" -AccountPassword $pw -enabled $true -Company "DarkSide LLC" -Department "Sith" -title "Sith Apprentice" -MobilePhone "470-247-5000" -OfficePhone "470-247-5000" -EmailAddress "dv@yourdomain.com" -manager "CN=Darth Sidious,CN=Users,DC=yourdomain,DC=com" -PasswordNeverExpires $true -ChangePasswordAtLogon $false
New-ADUser -Name "Darth Maul" -Surname "Darth" -GivenName "Maul" -UserPrincipalName "dm@yourdomain.com" -SamAccountName "dm" -AccountPassword $pw -enabled $true -Company "DarkSide LLC" -Department "Sith" -title "Sith Apprentice" -MobilePhone "470-247-5000" -OfficePhone "470-247-5000" -EmailAddress "dm@yourdomain.com" -manager "CN=Darth Sidious,CN=Users,DC=yourdomain,DC=com" -PasswordNeverExpires $true -ChangePasswordAtLogon $false
New-ADUser -Name "Mace Windu" -Surname "Mace" -GivenName "Windu" -UserPrincipalName "mw@yourdomain.com" -SamAccountName "mw" -AccountPassword $pw -enabled $true -Company "LightSide LLC" -Department "Jedi" -title "Jedi Master" -MobilePhone "470-247-5000" -OfficePhone "470-247-5000" -EmailAddress "mw@yourdomain.com" -manager "CN=Chancellor Palpatine,CN=Users,DC=yourdomain,DC=com" -PasswordNeverExpires $true -ChangePasswordAtLogon $false
New-ADUser -Name "Anakin Skywalker" -Surname "Anakin" -GivenName "Skywalker" -UserPrincipalName "as@yourdomain.com" -SamAccountName "as" -AccountPassword $pw -enabled $true -Company "LightSide LLC" -Department "Jedi" -title "Jedi Knight" -MobilePhone "470-247-5000" -OfficePhone "470-247-5000" -EmailAddress "as@yourdomain.com" -manager "CN=Mace Windu,CN=Users,DC=yourdomain,DC=com" -PasswordNeverExpires $true -ChangePasswordAtLogon $false
New-ADUser -Name "Obi-Wan Kenobi" -Surname "Obi-wan" -GivenName "Kenobi" -UserPrincipalName "ok@yourdomain.com" -SamAccountName "ok" -AccountPassword $pw -enabled $true -Company "LightSide LLC" -Department "Jedi" -title "Jedi Knight" -MobilePhone "470-247-5000" -OfficePhone "470-247-5000" -EmailAddress "ok@yourdomain.com" -manager "CN=Mace Windu,CN=Users,DC=yourdomain,DC=com" -PasswordNeverExpires $true -ChangePasswordAtLogon $false
New-ADUser -Name "Ahsoka Tano" -Surname "Ahsoka" -GivenName "Tano" -UserPrincipalName "at@yourdomain.com" -SamAccountName "at" -AccountPassword $pw -enabled $true -Company "LightSide LLC" -Department "Jedi" -title "Jedi Padawan" -MobilePhone "470-247-5000" -OfficePhone "470-247-5000" -EmailAddress "at@yourdomain.com" -manager "CN=Anakin Skywalker,CN=Users,DC=yourdomain,DC=com" -PasswordNeverExpires $true -ChangePasswordAtLogon $false
 
New-ADGroup "Light Side" -GroupCategory Security -GroupScope Global
Add-AdGroupMember -Identity "Light Side" -Members at, ok, as, mw
New-ADGroup "Dark Side" -GroupCategory Security -GroupScope Global
Add-AdGroupMember -Identity "Light Side" -Members dm, dv, cp, ds 

Configure Required Agents/Connectors

  • Install Azure AD Connect and sync Users to AAD
    • License the Demo Users inside Office 365 Development Account
  • Install the Access Connector

Miscellaneous Configurations

CONFIGURE WORKSPACE ONE UEM/ACCESS

At the beginning, you’re probably best to just follow the getting started wizards and set up the following:

  • APNS
  • Connection to Workspace ONE Access
    • When complete, go to Settings > System > Enterprise Integration > Workspace ONE Access > Configuration and enable Certificate Provisioning
  • ACC and Directory
  • Apple Volume Purchase Licenses (Location Token from Apple Business Manager)
  • Apple Automated Enrollment and default Automated Enrollment Profile

Import Users and Groups to Workspace ONE UEM

  • Click on Accounts > User Groups > List View and click Add > Add User Group
  • Search the directory for your user group, and set the following options:
    • Auto Sync with Directory: Enabled
    • Auto Merge Change: Enabled
    • Add Group Members Automatically: Enabled
  • Click Save to save the group.
  • Select the group from the list view and click Sync to pull in the list of users
  • Browse to Accounts > Users > List View and you should see all your users

Configure Hub Services

Note, that anything you configure here will light up as you complete any pre-requisite configs in Workspace ONE Access.

  • Click on Groups & Settings > Configurations > Intelligent Hub
  • Set the Source of Authentication to Workspace ONE Access by clicking Configure and saving the change on the Enrollment Authentication settings page.
  • Enable the macOS (and Windows if you need it) Hub Catalog by clickign Configure in the Catalog Settings block, and then enabling the Hub Catalog (and disabling the legacy catalog). Be sure to Save the page.
  • Click Launch to configure the Intelligent Hub Settings:
    • App Catalog – arrange to your liking.

Workspace ONE UEM Certificate Provisioning with Access

  • Click Enable at Settings > System > Enterprise Integration > Workspace ONE Access > Configuration
  • Export the PFX and Log-In to Workspace ONE Access
  • Click on Identity and Access Management, click Manage and click on Authentication Methods
  • Click the pencil icon next to Certificate (Cloud Deployment)
    • Click Enable Certificate Adapter
    • Click Select FIle and browse to the downloaded PFX. Select OK to upload the PFX.
    • Change User Identifier Search to email | upn | subject
    • Enable Cert Revocation
    • Click Save
  • Note that Certificate (Cloud Deployment) has been enabled

See also