Empower Parallels RAS with Microsoft FSLogix Apps
Microsoft acquired FSLogix back in 2018. In March 2019, Microsoft announced that all FSLogix products can be used for free if you have one of the following licenses:
- Microsoft 365 E3/A3
- Microsoft 365 E5/A5
- Microsoft F1, Business
- Windows 10 Enterprise E3/E5
- Windows 10 Education A3/A5
- Windows 10 VDA per user
- Remote Desktop Services (RDS) client access license (CAL)
All of the above are accepted for using FSLogix, even without Software Assurance. However, SA is required if you run RDS hosts in Azure.
Because users of Parallels® Remote Application Server (RAS) already have an RDS CAL, they can use the great FSLogix features for free.
FSLogix is now called Microsoft FSLogix and includes four main products:
- Office Container
- Profile Container
- App Masking
- Java Redirection
This blog post only covers the Office and Profile Containers. As a side note, I might cover App Masking in another post. App Masking can simplify application provisioning and reduce the number of golden images you need to build and maintain. With App Masking, you can install all the applications that your users may need into a single image and filter the areas of the operating system that the user can access by security groups. So, if users launch a full desktop in Parallels RAS, App Masking can help you provide licensed applications to specific users so you can maintain license usage easily.
Back to the topic at hand: apart from any independent third-party profile management solution that can be used in the Parallels RAS environment, customers can make use of Microsoft’s roaming profiles, folder redirection or User Profile Disks (UPDs). The latter can be configured directly from the Parallels RAS Console. In addition to these methods, it is also possible to use FSLogix Containers with Parallels RAS. Having said that, the configuration needs to be done separately; currently it is not integrated into the Parallels RAS Console. That’s hopefully coming in the near future.
Why introduce FSLogix Containers?
In nonpersistent remote desktop environments, users want to keep all user-related data and settings even if they switch between sites and session hosts. UPDs have some limitations which can affect the user experience in a bad way.
Profile Container contains the full feature set that can handle both user profile data and Office user data. Office Container only handles the Office-related user data.
FSLogix Profile Container can massively decrease logon times and improve session performance by encapsulating the entire profile, including registry, in a profile container that is instantly attached at logon. FSLogix Profile Container and “User Profile disk” have a lot of similarities, but Profile Container has some extra features that most users can benefit from:
- Office Container allows users to run modern workspaces with nearly full Office 365 integration on VDI and RDS in a nonpersistent high availability (HA) environment. That means you can store app data related to Office 365 like Windows Search, Microsoft Teams, Skype for Business, Outlook OST files and OneDrive for Business in the user profile. That’s not supported with UPD.
- A local profile experience for the apps that users launch. With the FSLogix filter driver, the apps act as if they were running in a non-multisession environment, and data stored in the local part of the user profile is also included in the user profile.
- Reduced I/O load on the file server/service hosting the user profile compared to UPD.
- Reduced user login duration.
FSLogix can be used in many combinations. FSLogix Profile Container in the full solution can handle both Office 365 data and normal user profile data. For a new installation, this might be the easiest and most simple to implement, because you can have it all in one profile solution.
FSLogix Profile Container and FSLogix Office Container can be used together if you want to separate the Office data from the user profile data. The user data is separated in two individual VHD/VHDX files.
FSLogix Office Container can also be used together with UPD. If you are currently using UPD together with Parallels RAS, this might be the easiest solution to give full Office 365 support to a currently running installation without converting the UPD data to an FSLogix Profile Container. However, you will not get the full benefit of FSLogix technology.
If you want to migrate from a Citrix user profile or UPD to FSLogix Containers, some free scripts can be found on the internet. However, I haven’t tested them. Liquidware also has a more advanced solution for migrating.
Cloud Cache technology and storage
Cloud Cache is an additional FSLogix technology that provides incremental functionality to Profile Container and Office Container. It can be configured in both persistent and non-persistent environments, depending on the specific use case. It acts as a buffer between the applications and the VHD container located on the network. In case of a short network outage, the Cloud Cache will be able to reconnect. If your setup includes multiple storage locations for user profile data, for example an on-premises site and an Azure site in Parallels RAS, the solution can automatically fail over to online storage.
When the primary storage gets back online, the data will automatically be replicated back to the primary storage. In Azure, both Azure Page Blobs and Azure Premium Page Blobs can be used, so you don't need to deploy a file server in Azure, but that is also a possibility. On-premises, you can run it on NTFS and ReFS. ReFS is recommended for a newer OS. Cloud Cache doesn’t improve the user’s experience and performance but enables the user to have the same user profile in a hybrid environment with up to four storage points.
With the support of Azure as hypervisor coming in Parallels RAS 17.1, you may want to benefit from the ability to do implementations in Azure without file servers for user profile data to limit the costs.
With Parallels RAS 17.1, you can also build a cost-effective backup site that hosts the Parallels RAS environment in Azure along with RD Session hosts and/or VDIs. Then just enter the URL of the backup site in the secondary connection setting on the RAS Client. If the primary site is down, users will automatically be redirected to the backup site. If more session host resources are needed, Parallels RAS will automatically provision on the fly and power on more hosts. Users will get the same experience if FSLogix Profile Container is used and user data is stored in both sites.
The next time users log in and the primary site is running, they will automatically fall back to it. Even the profile data will be replicated back again. To optimize the costs of the backup site, the server that is supposed to run all the time can be prepaid to get a 40% discount on Azure. The rest runs on “pay as you go”: you only pay for the storage when they are used and running.
In this guide, I will set up FSLogix Profile Containers together with Parallels RAS in a two-site setup. The primary site is on-premises and the failover site is on Azure. The on-prem site includes a file server and session-hosts servers running on Windows Server 2016. On Azure I will use Azure Page Blobs as secondary storage for FSLogix Profile Containers.
Azure files are also supported with Azure Active Directory Domain Service (AADDS), where you can benefit from the NTFS permissions on the store that hosts the containers. This will increase security but will also be more complex to deploy. For the scope of this blog, this won’t be covered.
Setting up FSLogix on Parallels RAS is similar to implementing FSLogix on Windows Virtual Desktop (WVD), as shown in the videos and user guides on the Microsoft website (see the links below). FSLogix is under constant development, so you may also find the newest information and guidelines there. WVD is focused on Windows 10 multi-session availability, but since Windows Server 2019 is also supported by Microsoft with Office 365, Parallels RAS users with FSLogix can also benefit from the Office 365 experience, both in on-prem environments and on clouds like Azure or Amazon Web Services™ (AWS). Unlike with WVD, you are not limited to Azure.
Create a Primary Container store
Create a file share on the Windows server that is supposed to host the profiles. ReFS filesystem is recommended instead of NTFS if you are running on 2012R2 or newer OS.
Use the following permissions:
- CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only)
- SYSTEM – Full Control (Apply onto: This Folder, Subfolders and Files)
- Administrators – Full Control (Apply onto: This Folder, Subfolders and Files)
- Users – Create Folder/Append Data (Apply to: This Folder Only)
- Users – List Folder/Read Data (Apply to: This Folder Only)
- Users – Read Attributes (Apply to: This Folder Only)
- Users – Traverse Folder/Execute File (Apply to: This Folder Only)
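The permission list above, applied and then checked from PowerShell. This is an added example, not part of the original post; the folder path is hypothetical, and the principal names assume an English-language Windows Server. Run it elevated on the file server.

```powershell
using namespace System.Security.AccessControl
# Added example. $Path is a hypothetical local folder behind the profile share.
$Path = 'D:\ProCont\containers'

$wanted = @(
    @{ Id = 'CREATOR OWNER';          Rights = 'FullControl'; Inherit = 'ContainerInherit,ObjectInherit'; Prop = 'InheritOnly' }
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'; Inherit = 'ContainerInherit,ObjectInherit'; Prop = 'None' }
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl'; Inherit = 'ContainerInherit,ObjectInherit'; Prop = 'None' }
    # Create Folder/Append Data, List Folder/Read Data, Read Attributes, Traverse Folder/Execute File
    @{ Id = 'BUILTIN\Users'; Rights = 'CreateDirectories,ListDirectory,ReadAttributes,Traverse'; Inherit = 'None'; Prop = 'None' }
)

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)      # stop inheriting from the parent folder
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRuleSpecific($ace) }
foreach ($w in $wanted) {
    $acl.AddAccessRule([FileSystemAccessRule]::new($w.Id, [FileSystemRights]$w.Rights,
        [InheritanceFlags]$w.Inherit, [PropagationFlags]$w.Prop, [AccessControlType]::Allow))
}
Set-Acl -Path $Path -AclObject $acl

# Verify: no user-level group may hold more than the four rights,
# and none of its rights may be inherited by subfolders or files.
$allowed = [int][FileSystemRights]'CreateDirectories,ListDirectory,ReadAttributes,Traverse,Synchronize'
$tooBroad = (Get-Acl -Path $Path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    "$($_.IdentityReference)" -match '(Users|Everyone)$' -and (
        ([int]$_.FileSystemRights -band (-bnot $allowed)) -ne 0 -or
        $_.InheritanceFlags -ne [InheritanceFlags]::None)
}
if ($tooBroad) {
    Write-Warning 'These entries let users reach containers that are not their own:'
    $tooBroad | Format-Table IdentityReference, FileSystemRights, InheritanceFlags
} else {
    'ACL matches the list: users can create their own folder but cannot open the others.'
}
```

Because the Users entry applies to this folder only, a user gets full control solely over the folder created in their own context, through the CREATOR OWNER entry.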
Download FSLogix from the Microsoft site: https://docs.microsoft.com/en-us/fslogix/install-ht
If you are using Parallels RAS Templates, install the FSLogix software in the template. Consider just installing it on all the hosts you want to use the solution on. It’s not necessary to change any settings, as the hosts just run the FSLogixAppSetup.exe that matches the host 32- or 64-bit architecture.
FSLogix can be managed with the ADMX templates that come with the installation files: https://docs.microsoft.com/en-us/fslogix/use-group-policy-templates-ht. You can also set registry keys manually on the host or set them with Group Policy Preferences. See the documentation for the keys to set.
To use ADMX Templates, copy the Templates to PolicyDefinitions on a Domain Controller:
- Copy the ADMX file (FSLogixODFC?.?.admx) to %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions
- Copy the ADML file (FSLogixODFC?.?.adml) to %logonserver%\sysvol\%userdnsdomain%\policies\PolicyDefinitions\en-US
In this example, I set the profile type with a reg key and the rest of the settings in group policies.
On the host, I set volumetype to vhdx. The default is vhd.
Carsten R. Anthonsen
One great feature IT admins often miss in UPD is the possibility to exclude or include admin accounts from using UPD. If you create domain groups, you can use them to manage which users get which type of profile configuration, based on local groups on the hosts. During a migration, you can have users on the same hosts with different profile solutions. After installing the app on the host, you will find the following local groups. With Group Policy Preferences, you can manage the members of a local group with a domain group.
- FSLogix ODFC Include List (Delete all member groups: enabled)
- FSLogix Profile Include List (Delete all member groups: enabled)
In Group policy, I set the following config:
Enable the search database in the profile to keep the server from rebuilding the Outlook search data on every logon. See more details: https://docs.microsoft.com/en-us/fslogix/configure-search-roaming-ht
Set Outlook to use cache mode. Please note this might conflict if you disallow this with Outlook Group policies.
Enabled, which means the Profile Container is used.
In my example, I don't set the VHD/X location because I use Cloud Cache, so the location is set here. But if you don't want to use Cloud Cache, you can set the location here for the share used for profiles. For example, \\servername\share
Azure storage (secondary failover) optional
On Azure, you now need to create a storage account. This is for testing, so I only do LRS replication to keep the cost down. You may also want to do some firewalling on the storage account, but this is not a part of this test environment. Set the Azure location that is closest to the host location.
- Log on to portal.azure.com.
- Go to “Add storage account.”
- Create Resource group.
- Select if you want standard or premium. (Premium is SSD.)
After the storage account is created, go to Access Keys under Settings. Copy the connection string to Notepad.
Go to the Group Policy editor, open FSLogix, then Cloud Cache, and edit the Cloud Cache location.
In this example, my file server is called Server01 and the share name is ProCont\containers
Multiple locations are separated with a semicolon.
Here the string will be like the following example. You need to change the server and share to match yours. Replace the connection string with your string. In this scenario, a local SMB file share is used together with Azure storage.
If you set the AccountKey with group policy, the keys can be found in the registry database on the hosts. This might be a security problem. You can also store the keys in the credential manager, so they are more protected: https://docs.microsoft.com/en-us/fslogix/configure-cloud-cache-tutorial
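A way to check session hosts for the exposure described above, as an added example that is not part of the original post. The two registry roots are assumptions (the locations where FSLogix settings and policies are usually written) and should be confirmed against the FSLogix documentation; run it elevated.

```powershell
# Added example. The default registry roots are assumptions; adjust them to the
# keys named in the FSLogix documentation for your version.
function Find-EmbeddedAccountKey {
    param([string[]]$Root = @('HKLM:\SOFTWARE\FSLogix', 'HKLM:\SOFTWARE\Policies\FSLogix'))
    foreach ($r in ($Root | Where-Object { Test-Path $_ })) {
        $keys = @(Get-Item -Path $r) + @(Get-ChildItem -Path $r -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                # REG_SZ and REG_MULTI_SZ both end up as one string to search
                $text = @($k.GetValue($name)) -join ';'
                if ($text -notmatch 'AccountKey=[^;"]+') { continue }
                # Can ordinary users read this key? Under HKLM\SOFTWARE they usually can.
                $userRead = (Get-Acl -Path $k.PSPath).Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    "$($_.IdentityReference)" -match '(Users|Everyone)$' -and
                    ([int]$_.RegistryRights -band 1) -ne 0      # 1 = QueryValues
                }
                [pscustomobject]@{
                    Key             = $k.Name
                    ValueName       = $name
                    ReadableByUsers = [bool]$userRead
                    # Never print the secret itself
                    Redacted        = $text -replace 'AccountKey=[^;"]+', 'AccountKey=<redacted>'
                }
            }
        }
    }
}

$hits = @(Find-EmbeddedAccountKey)
if ($hits.Count) {
    $hits | Format-List
    Write-Warning "$($hits.Count) registry value(s) hold a storage account key in clear text."
} else {
    'No AccountKey found in the scanned registry roots.'
}
```

A hit with ReadableByUsers set to True means any user with a session on that host can read the storage account key, which is the case for keeping it in the credential manager instead.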
With the new Azure files, you can also protect Profile Containers with NTFS. This requires Azure Active Directory Domain Services (Azure AD DS). See more info:
Now we are ready to test the solution.
Try to log on to the session host with a test user and see if the profile VHD/X file is created and updated both on the on-prem file server and in your Azure storage account. To test the high availability, take one of the storage locations offline.
FSLogix – Get an overview
Windows Server 2019 support of Office 365
FSLogix – Cloud Cache Overview
FSLogix – Azure files storage
Parallels RAS ver 17.1 – Coming Soon