HAProxy Configuration for Remote Desktop Services

Remote Desktop Services can be a touchy subject for some, but I find the solution to work well.  When the need to provide external access arises I will typically use HAProxy to, you never would have guessed it, proxy the traffic to the appropriate places.  It has proven to be rock solid in its performance, and offers decent logging when issues arise.  Please note that there should be additional security measures taken to secure this, so don’t just drop it in and think you’re done.

A lot of the configuration options are simply taken from the HAProxy documentation.  I do suggest taking some time to read through the common options to help fine-tune your config.  Before I drop my “template” config, let’s do a quick overview of what it contains (though I will also have comments in the config).  First things first, I set up the built-in stats page.  This is very useful and I don’t see much reason not to set it up.  I then redirect port 80 traffic (http) to port 443 (https/SSL).  Next up is to proxy any https/SSL traffic in to the RDS server.  Finally, we proxy the RDP traffic through and we’re good to go!
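An added HAProxy configuration that follows the same four-part layout (stats page, 80 to 443 redirect, HTTPS to the RDS server, RDP pass-through); it is not the author's template, and the addresses, certificate path, allow-list file and stats credentials are placeholders to replace for your environment.

```haproxy
global
    log /dev/log local0
    maxconn 2000
    tune.ssl.default-dh-param 2048

defaults
    log     global
    option  dontlognull
    timeout connect 5s
    timeout client  1h
    timeout server  1h

# Built-in stats page: bind it to a management address, not the public one
listen stats
    bind 10.0.0.5:8404                  # placeholder management address
    mode http
    stats enable
    stats uri /stats
    stats refresh 10s
    stats auth admin:CHANGE_ME          # placeholder credentials
    stats admin if FALSE                # read-only stats page

# Redirect plain HTTP to HTTPS
frontend http_in
    bind *:80
    mode http
    http-request redirect scheme https code 301 unless { ssl_fc }

# Terminate TLS and proxy the web traffic to the RDS server
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/rds.pem   # placeholder certificate path
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend rds_web

backend rds_web
    mode http
    option httpchk GET /RDWeb/
    # Re-encrypt to the RDS host and verify its certificate (placeholder address)
    server rds1 192.0.2.10:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check

# Pass RDP through as raw TCP; only sources in the allow-list get in
frontend rdp_in
    bind *:3389
    mode tcp
    option tcplog
    tcp-request connection reject unless { src -f /etc/haproxy/rdp_allowed.lst }   # placeholder list
    default_backend rdp_hosts

backend rdp_hosts
    mode tcp
    balance leastconn
    stick-table type ip size 10k expire 8h   # keep a client on the same host
    stick on src
    server rds1 192.0.2.10:3389 check
```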

Adding Additional Azure AD Domain to AD FS with Azure AD Connect

As time continues to drag on, companies may add domains that they wish to federate with the same tenant.  Such a situation comes up quite frequently in my business, so I figure it makes good content for a post.  This is going to be a pretty short and quick one, so I am going to assume that your new domain is already added to the O365 tenant and as a UPN suffix in AD.

As you can likely tell by now, I do a lot of work with hybrid environments using Azure AD Connect.  That being said, we’ll start today by opening Azure AD Connect and selecting the “Add an additional Azure AD domain” from the options presented.

The rest is pretty simple.  Throw in your O365 Global Admin creds, then your Domain Admin creds, and select the domain you wish to add.  It’ll take a second and voilà, you are 50% done.

Now open up your AD FS Management console on your AD FS server.  Expand Trust Relationships, select Relying Party Trusts, right-click Microsoft Office 365 Identity Platform, and select Edit Claim Rules.

Under Issuance Transform Rules, select the “Issue issuerid when it is not a computer account” rule and click Edit Rule.

In the Custom rule section you will see something similar to the following:

Find your domain section, and simply follow the convention to add an additional domain (domain3 in the following example):

Click your way out and you are all set!  Do note that if you do not add the domain to the rule as described above, users will receive an error similar to:

AADSTS50107: Requested federation realm object ‘user@domain.com’ does not exist.

ADFS User Sign-In Customization

I’m not going to lie to you, like most of my posts this is just a reference for myself, but hey, maybe one of you stalkers of the interwebs didn’t know how to do this.  Anyhow, there are a whole bunch of customizations you can make to the ADFS sign-in page with simple PowerShell one-liners, all of which can be found at this page (and its linked pages).  Me, I’m just going to highlight the few that I do.

Change the Company Logo:

Change the Illustration (the wallpaper-like image on the left side):

Customize the Update Password Page Description:

Add Help Desk Link:

There are many other things you can customize by following the link at the beginning of the post, but these are the ones I like to set.  That’s it for this one!

Copy AD User Group Membership to Another User

The guy on my service desk who handles all of the user creation came to me recently with this request.  Well, when I say recently, it was more like a month or two ago, but you know how things go.  Anyhow, I threw this script together rather quickly to copy the group membership of one AD user to another.  The basic breakdown is: I ask for admin creds, prompt for which customer we’re dealing with so I know what DC to point to, specify the source user you want to copy from, specify the target user you want to copy to, and finally confirm you’re sure that’s what you wanna do.  Simple!