Nerdio for Azure: Quick Start Guide


Applies to: Nerdio For Azure (NFA) Managed Service Partners (MSPs)


This quick start explains the basic terminology used when setting up and using Nerdio for Azure (NFA) accounts:


Quotas

Azure subscriptions have a core quota limit imposed by Microsoft (https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits). All Azure subscriptions have quotas by VM series. Ensure that your subscription has sufficient core quota to provision a new NFA account. If it doesn’t, request an increase from Microsoft or your CSP provider (https://docs.microsoft.com/en-us/azure/azure-supportability/resource-manager-core-quotas-request). The current core quota is also shown while you provision an NFA account.


Global admins

Both Azure and Microsoft 365 subscriptions require a user account with global admin privileges to integrate with Nerdio. Additionally, for Azure, the account used with Nerdio needs to be an Owner of the subscription. It is best, but not required, to use a user account whose domain is @tenant.onmicrosoft.com. If no such user account exists, you can create one in the Azure portal, make it a global admin and assign it the Owner role on the Azure subscription (https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator).
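The core quota requirement from the Quotas section and the Owner plus global admin requirements above can be verified before you open the Add NFA Account screen. The following PowerShell is an added example, not Nerdio's own tooling; it assumes the Az and Microsoft.Graph modules are installed, that you are already signed in to both, and that the quota family name and core count you pass (the sample value standardDSv3Family is an assumption) match the VM series you plan to deploy.

```powershell
# Added example, not Nerdio's own tooling: pre-flight check before "Add NFA Account".
# Assumes Az.Accounts, Az.Compute, Az.Resources and Microsoft.Graph are installed and you
# already ran Connect-AzAccount and Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All".
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $Location,     # Azure region, e.g. "eastus"
    [Parameter(Mandatory)] [string] $VmFamily,     # quota name, e.g. "standardDSv3Family" (assumed value)
    [Parameter(Mandatory)] [int]    $CoresNeeded,  # cores the new NFA account will consume
    [Parameter(Mandatory)] [string] $AdminUpn      # account you intend to use with Nerdio
)
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
$problems = @()

# 1. Core quota for the VM series in the target region (Quotas section).
$usage = Get-AzVMUsage -Location $Location | Where-Object { $_.Name.Value -eq $VmFamily }
if (-not $usage) {
    $problems += "Quota '$VmFamily' not found in $Location; list valid names with Get-AzVMUsage."
} elseif (($usage.Limit - $usage.CurrentValue) -lt $CoresNeeded) {
    $free = $usage.Limit - $usage.CurrentValue
    $problems += "Only $free of $($usage.Limit) '$VmFamily' cores free in $Location, need $CoresNeeded; request an increase."
}

# 2. Owner role on the subscription (Global admins section).
$owner = Get-AzRoleAssignment -SignInName $AdminUpn -Scope "/subscriptions/$SubscriptionId" |
         Where-Object RoleDefinitionName -eq 'Owner'
if (-not $owner) { $problems += "$AdminUpn is not an Owner of subscription $SubscriptionId." }

# 3. Global Administrator role, checked by object id via Microsoft Graph.
#    Direct role members only: eligible (PIM) or group-based assignments are not detected.
$user = Get-MgUser -UserId $AdminUpn
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$isGa = $false
if ($role) {
    $isGa = (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All).Id -contains $user.Id
}
if (-not $isGa) { $problems += "$AdminUpn is not a Global Administrator." }

# Recommended, not required: a cloud-only @tenant.onmicrosoft.com account.
if ($AdminUpn -notlike '*.onmicrosoft.com') {
    Write-Warning "$AdminUpn is not an @tenant.onmicrosoft.com account (recommended by the guide)."
}

if ($problems) { $problems | ForEach-Object { Write-Error $_ }; exit 1 }
Write-Host "Ready to provision: quota, Owner role and Global Administrator role all check out."
```

Run it with the account you intend to hand to Nerdio; a non-zero exit means at least one of the three prerequisites is missing and the provisioning will stall or fail.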


Nerdio Tip
  • Both Azure and Microsoft 365 subscriptions require an account with global admin privileges to integrate with Nerdio.
  • A change or removal of global admin users that were part of Nerdio provisioning will impact the operation of the Nerdio Admin Portal (NAP).
  • Note that Microsoft Defender ATP (Advanced Threat Protection) and the "Interactive Logon Message" setting are currently incompatible with Nerdio for Azure. ATP blocks Nerdio's remote PowerShell scripts from contacting your servers, and the Interactive Logon Message stops servers from auto-login. These processes are critical for the automated functionality provided exclusively by Nerdio.



Production vs non-production

Specifically for trials and proof of concept environments, we strongly recommend procuring a Microsoft 365 trial subscription. These subscriptions are free for 30 days and typically include the appropriate licensing for the best and most secure POC or trial experience. Additionally, we highly recommend being a signed partner before moving a prospect or client into a production environment with Nerdio. The resources available to our partners provide exceptional value in ensuring customers have a smooth and successful transition into Azure.


Resource Group (RG)

A resource group is a container that holds related resources for an Azure solution. In Azure, you logically group related resources such as storage accounts, virtual networks, and virtual machines (VMs) to deploy and manage them.  The default resource group name for NFA is “NerdioRG”, although you can change this default name during provisioning on the Add NFA Account screen.

Nerdio Tip
  • Anything in the resource group that was created by Nerdio should not be removed. Everything that is in there is needed.

Migration methods

There are two methods of migrating workloads and desktops into Nerdio:

  • Greenfield
    • A new Nerdio for Azure deployment always starts out as Greenfield, meaning that it is completely independent of anything that existed previously, either in Azure or on-prem, and cannot interfere with any production environment. Once the new NFA environment is provisioned and tested, it can be “plugged” into an existing production environment using the Hybrid AD feature (see below), or users can be imported into the Greenfield AD from an existing AD or from Microsoft 365 (Microsoft Entra ID). Every common directory migration path can be accommodated with NFA.
    • Importing users from Microsoft 365 - https://help.nerdio.net/hc/en-us/articles/115003067071-How-do-I-import-users-from-Microsoft-365-
  • Hybrid AD

Whitelabel

  • Logo
    • The height of the logo image will be constrained to a maximum of 65 px.
      Also, it is recommended to use an image with a 120 px width and transparent background (png is the preferred format).
  • Site icon (favicon)
    • The height of the favicon image will be constrained to a maximum of 16 px.
      Also, it is recommended to use an image with a 16 px width and transparent background.
  • App name
    • Nerdio Admin Portal will be accessible at http://AppName.adminportal.pro and RDP files will be pointing at rdsXXXX.adminportal.pro (where XXXX is a unique Nerdio account ID that gets assigned during provisioning of a new account)

Once the white-label setup is complete, remember to toggle the feature ON. After toggling it, log out and back in to use the newly activated feature.

More info - How do I Whitelabel Nerdio Manager?


Domains and AD

  • By default, the Active Directory (AD) domain in a new Nerdio deployment is called nerdio.int. This can be changed during the provisioning process on the Add NFA Account screen. Once set, the AD forest name cannot be changed.
  • An existing Active Directory (e.g. on-prem) is referred to as "external AD" because it is outside of Nerdio; it is also referred to as “on-prem AD”, “existing AD” or “EAD”.
  • Before you integrate an existing AD with Nerdio, ensure that the Microsoft 365 environment is configured to synchronize with the existing AD using the AD Connect tool from Microsoft (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-express).

Note: It is important to change the default domain from nerdio.int to your own domain before you get too far into the provisioning process.


Suggestions for best practice in a Nerdio environment

  • Microsoft 365 user imports and settings
    • Create a user in M365 to have as a test import
      • Make them the same as the most critical user (groups, security and use case)
    • Only after a successful single user test should a bulk import be considered
      • Make sure to include a simple password reset as part of the test
    • Use the bulk tool to assist with password management
    • Nerdio can manage a user's Microsoft 365 Multi-factor Authentication setting
      • If this feature was not enabled prior to Nerdio, we highly recommend enabling that feature post go-live

Uninstalling/Removing Nerdio

It is very typical for proof-of-concept and trial environments to reach end of life and need to be destroyed. Observe the following items when a Nerdio tenant needs to be destroyed.

  • Do not make any changes in Azure or M365 with permissions and global admins that are specific to Nerdio - this will impede the destroy process
    • In order for Nerdio to effectively remove its services and components, the global admins need to remain available during the destruction of the specific tenant
  • During the destroy process, Nerdio offers options to leave existing subscription items intact.
    • Only a trial Microsoft 365 subscription should be considered for full destruction
    • If a production Microsoft 365 subscription was provisioned with Nerdio, please ensure you select the appropriate options during the destruction process.

Step by step details on how to destroy an existing Nerdio tenant.


Dynamic vs. Static Azure Internet Gateways

  • By default, unless a public IP has been assigned to a virtual machine in the LAN, all internet traffic will be routed through dynamic Azure gateways within the same region
  • To create a static internet gateway for a virtual machine, Pool or RDS host/collection, a public IP must be added via Networking > Firewall > Public IPs
    • Adding a public IP on the LAN of the resource statically assigns that IP as the internet gateway
    • Opening a web browser and searching "what is my IP" will confirm that the host/session is using the IP assigned in the Firewall > Public IP section of Nerdio for that resource
  • Use cases for assigning a static IP to a resource include:
    • Allow-listing access to SaaS applications in other cloud solutions or networks
    • Improving performance for end users within Pools or RDS hosts
    • Integrating with third-party web content providers
  • AVD Pool outgoing traffic can be assigned a static Public IP by carefully following the instructions in this article

Note: The following components must not be changed, otherwise the NFA environment will not function correctly:

Administrator on DC01

Do not change the password of, or disable, the domain Administrator account on DC01 in the Nerdio environment. This account is used to manage communication between the environment and the Nerdio Admin Portal. Please contact support if you have security or process concerns, as a change to this account will affect the operation of the Nerdio environment.


AD Organizational Units (OUs) in Nerdio AD

  • Nerdio is always provisioned with a brand-new Active Directory (AD) forest, fully configured and optimized for a cloud IT deployment. The name of the Nerdio AD is nerdio.int, but it can be changed during the provisioning process.
  • Nerdio stores all user and group objects in an OU called “Users and Groups”. The Nerdio Admin Portal (NAP) has visibility of items inside this OU and any of its sub-OUs.
  • You can create your own OUs within Active Directory to assign group policies and manage resources such as users, computers or groups. However, be sure that all sub-OUs are created under the “Users and Groups” OU.

RDS CALs (Does not apply to AVD accounts)

  • RDS licensing has been applied to the environment to allow for immediate temporary use
  • Partners are responsible for purchasing and applying RDS CALs to the Nerdio environment

System Objects OUs

Do NOT make any changes to objects within the “System Objects” OU in AD.  Doing so can cause the Nerdio Admin Portal to lose connectivity with the environment.
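The two OU rules above (custom sub-OUs only under “Users and Groups”, and nothing touched under “System Objects”) are easy to violate with a mistyped path, so a small guarded helper is worth having. This PowerShell is an added example, not Nerdio's own code; it assumes the ActiveDirectory RSAT module, a session that can reach the Nerdio domain controller, and that both OUs sit directly under the domain root (an assumption to verify in ADUC before use).

```powershell
# Added example, not Nerdio's own code: create a sub-OU in the Nerdio AD only where the
# Nerdio Admin Portal will see it ("Users and Groups") and never inside "System Objects".
# Assumes the ActiveDirectory RSAT module; the default forest name nerdio.int is used,
# pass -Domain if you renamed it at provisioning. OU distinguished names are assumed.
param(
    [Parameter(Mandatory)] [string] $Name,       # OU to create, e.g. "Finance"
    [string] $Domain   = 'nerdio.int',
    [string] $ParentDn = ''                      # full DN of the parent; default: "Users and Groups"
)
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain -Identity $Domain).DistinguishedName   # e.g. DC=nerdio,DC=int
$allowedDn = "OU=Users and Groups,$domainDn"
$systemDn  = "OU=System Objects,$domainDn"
if (-not $ParentDn) { $ParentDn = $allowedDn }

# Guard 1: refuse anything that resolves into the System Objects tree.
if ($ParentDn -like "*$systemDn") {
    throw "Refusing to create '$Name' under System Objects: NAP would lose connectivity."
}
# Guard 2: only subtrees of "Users and Groups" are visible to the Nerdio Admin Portal.
if ($ParentDn -notlike "*$allowedDn") {
    throw "Parent '$ParentDn' is outside 'Users and Groups'; NAP will not see objects there."
}
# Guard 3: the parent must already exist (catches typos before the directory is touched).
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ParentDn'" -Server $Domain)) {
    throw "Parent OU '$ParentDn' does not exist."
}

$newDn = "OU=$Name,$ParentDn"
if (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$newDn'" -Server $Domain) {
    Write-Host "OU already exists: $newDn"
} else {
    # Protected from accidental deletion, matching the page's "do not remove" guidance.
    New-ADOrganizationalUnit -Name $Name -Path $ParentDn -Server $Domain -ProtectedFromAccidentalDeletion $true
    Write-Host "Created $newDn"
}
```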


Group Policy Objects 

Do NOT make any changes to the default Group Policy Objects.  The default GPOs were created to maintain and provide value across multiple areas and features in a Nerdio environment.  These default GPOs follow Microsoft Best Practices and are aligned with maintaining a secure and fully functioning environment.

Overview of default Group Policies used in NFA


VPN

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. Azure recommends route-based VPN connections (IKEv2), but support for policy-based connections is available (https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps).
