Remove MS Remote Desktop support

[craddm]

✅ Checklist

• You have given your pull request a meaningful title (e.g. Enable foobar integration rather than 515 foobar).
• You are targeting the appropriate branch. If you're not certain which one this is, it should be develop.
• Your branch is up-to-date with the target branch (it probably was when you started, but it may have changed since then).
• You have marked this pull request as a draft and added '[WIP]' to the title if needed (if you're not yet ready to merge).
• You have formatted your code using appropriate automated tools (for example ./tests/AutoFormat_Powershell.ps1 -TargetPath <path to file or directory> for Powershell).

⤴️ Summary

Removes support for MS Remote Desktop.

• NPS removed from SHM deployment
• Code relating to MSRDS removed from SRE deployment scripts
• MSRDS related documentation removed

NOTE: do not merge before Release 4.0.4 is complete

🌂 Related issues

Closes #1159

🔬 Tests

Deployed an SHM and Guacamole Tier 2 SRE successfully. Rebuilt docs locally.

[JimMadge]

LGTM this has cleared out a lot of code to support 🎉.

[JimMadge]

A few references to MSRDS remaining in the smoke tests README but that isn't a big deal, it is just an example SRE name.

[craddm]

A few references to MSRDS remaining in the smoke tests README but that isn't a big deal, it is just an example SRE name.

I found a few more in the security checklist, which I'm just fixing along with the linting issues, so I'll fix this one too.

[JimMadge]

❯ rg -i 'microsoft remote desktop'
docs/source/deployment/deploy_shm.md
40:- `Microsoft Remote Desktop`

docs/source/deployment/snippets/01_prerequisites.partial.md
19:- `Microsoft Remote Desktop`

docs/source/deployment/snippets/00_symbols.partial.md
23:- This indicates a command which you will need to run remotely on an Azure virtual machine (VM) using `Microsoft Remote Desktop`
24:- Open `Microsoft Remote Desktop` and click `Add Desktop` / `Add PC`

Oh, these are fine. This is the desktop app for connecting to remote windows machines.

[craddm]

❯ rg -i 'microsoft remote desktop'
docs/source/deployment/deploy_shm.md
40:- `Microsoft Remote Desktop`

docs/source/deployment/snippets/01_prerequisites.partial.md
19:- `Microsoft Remote Desktop`

docs/source/deployment/snippets/00_symbols.partial.md
23:- This indicates a command which you will need to run remotely on an Azure virtual machine (VM) using `Microsoft Remote Desktop`
24:- Open `Microsoft Remote Desktop` and click `Add Desktop` / `Add PC`

It's still necessary to use MS Remote Desktop to interact with the domain controllers

[JimMadge]

❯ rg -i 'microsoft rds'
deployment/common/Configuration.psm1
857:    # Remote desktop either through Apache Guacamole or Microsoft RDS

[JimMadge]

❯ rg 'RDS'
deployment/secure_research_environment/network_rules/sre-nsg-rules-guacamole.json
17:        "description": "Allow inbound http(s) connections from clients to RDS server. Note that http requests will be upgraded.",

deployment/secure_research_environment/setup/Apply_SRE_Network_Configuration.ps1
41:    # RDS gateway

deployment/administration/SRE_Manage_VMs.ps1
30:        # May be able to simplify this further now that MSRDS is removed
33:        # Start all other VMs before RDS VMs so all services will be available when users can login via RDS

deployment/common/Configuration.psm1
508:        rg               = $shmConfigBase.dnsRecords.resourceGroupName ? $shmConfigBase.dnsRecords.resourceGroupName : "$($shm.rgPrefix)_DNS_RECORDS".ToUpper()
754:                sreArtifactsRDS = "sre-artifacts-rds"
755:                sreScriptsRDS   = "sre-scripts-rds"
857:    # Remote desktop either through Apache Guacamole or Microsoft RDS

deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{742211F9-1482-4D06-A8DE-BA66101933EB}/gpreport.xml
173:    <SOMName>DSGroup2 RDS Session Servers</SOMName>
174:    <SOMPath>DSGroup2.co.uk/DSGroup2 RDS Session Servers</SOMPath>

deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{0AF343A0-248D-4CA5-B19E-5FA46DAE9F9C}/gpreport.xml
165:    <SOMName>DSGroup2 RDS Session Servers</SOMName>
166:    <SOMPath>DSGroup2.co.uk/DSGroup2 RDS Session Servers</SOMPath>

docs/source/deployment/snippets/02_configuration.partial.md
25:  "inboundAccessFrom": "A comma-separated string of IP ranges (addresses or CIDR ranges) from which access to the RDS webclient is permitted. See tip default below for suggestion on how to set this.",
31:  "remoteDesktopProvider": "Which remote desktop provider to use. Either 'ApacheGuacamole' (recommended, tiers 0-3) or 'MicrosoftRDS' (tiers 2-3 only)",

tests/benchmark_shm.json
323:                "Name": "RADIUS_Authenitcation_RDS_to_NPS",
837:                "Name": "RADIUS_Authenitcation_RDS_to_NPS",
1351:                "Name": "RADIUS_Authenitcation_RDS_to_NPS",

tests/benchmark_sre.json
771:                "Name": "RADIUS_Authentication_RDS_to_NPS",

tests/resources/sre_bluet1guac_full_config.json
1309:          "sreArtifactsRDS": "sre-artifacts-rds",
1310:          "sreScriptsRDS": "sre-scripts-rds"

tests/resources/sre_greent2guac_full_config.json
1362:          "sreArtifactsRDS": "sre-artifacts-rds",
1363:          "sreScriptsRDS": "sre-scripts-rds"

tests/resources/sre_bluet3guac_full_config.json
1309:          "sreArtifactsRDS": "sre-artifacts-rds",
1310:          "sreScriptsRDS": "sre-scripts-rds"

This one is worth changing

https://github.com/craddm/data-safe-haven/blob/562f9a3bc343af4533e855625b033148892c0b70/docs/source/deployment/snippets/02_configuration.partial.md?plain=1#L31

Another reference to "RDS" in the same file.

I'm not sure what the JSON files in the test directory or the DC desire state files mean. @jemrobinson?

[craddm]

❯ rg 'RDS'
deployment/secure_research_environment/network_rules/sre-nsg-rules-guacamole.json
17:        "description": "Allow inbound http(s) connections from clients to RDS server. Note that http requests will be upgraded.",

deployment/secure_research_environment/setup/Apply_SRE_Network_Configuration.ps1
41:    # RDS gateway

deployment/administration/SRE_Manage_VMs.ps1
30:        # May be able to simplify this further now that MSRDS is removed
33:        # Start all other VMs before RDS VMs so all services will be available when users can login via RDS

deployment/common/Configuration.psm1
508:        rg               = $shmConfigBase.dnsRecords.resourceGroupName ? $shmConfigBase.dnsRecords.resourceGroupName : "$($shm.rgPrefix)_DNS_RECORDS".ToUpper()
754:                sreArtifactsRDS = "sre-artifacts-rds"
755:                sreScriptsRDS   = "sre-scripts-rds"
857:    # Remote desktop either through Apache Guacamole or Microsoft RDS

deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{742211F9-1482-4D06-A8DE-BA66101933EB}/gpreport.xml
173:    <SOMName>DSGroup2 RDS Session Servers</SOMName>
174:    <SOMPath>DSGroup2.co.uk/DSGroup2 RDS Session Servers</SOMPath>

deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{0AF343A0-248D-4CA5-B19E-5FA46DAE9F9C}/gpreport.xml
165:    <SOMName>DSGroup2 RDS Session Servers</SOMName>
166:    <SOMPath>DSGroup2.co.uk/DSGroup2 RDS Session Servers</SOMPath>

docs/source/deployment/snippets/02_configuration.partial.md
25:  "inboundAccessFrom": "A comma-separated string of IP ranges (addresses or CIDR ranges) from which access to the RDS webclient is permitted. See tip default below for suggestion on how to set this.",
31:  "remoteDesktopProvider": "Which remote desktop provider to use. Either 'ApacheGuacamole' (recommended, tiers 0-3) or 'MicrosoftRDS' (tiers 2-3 only)",

tests/benchmark_shm.json
323:                "Name": "RADIUS_Authenitcation_RDS_to_NPS",
837:                "Name": "RADIUS_Authenitcation_RDS_to_NPS",
1351:                "Name": "RADIUS_Authenitcation_RDS_to_NPS",

tests/benchmark_sre.json
771:                "Name": "RADIUS_Authentication_RDS_to_NPS",

tests/resources/sre_bluet1guac_full_config.json
1309:          "sreArtifactsRDS": "sre-artifacts-rds",
1310:          "sreScriptsRDS": "sre-scripts-rds"

tests/resources/sre_greent2guac_full_config.json
1362:          "sreArtifactsRDS": "sre-artifacts-rds",
1363:          "sreScriptsRDS": "sre-scripts-rds"

tests/resources/sre_bluet3guac_full_config.json
1309:          "sreArtifactsRDS": "sre-artifacts-rds",
1310:          "sreScriptsRDS": "sre-scripts-rds"

This one is worth changing

https://github.com/craddm/data-safe-haven/blob/562f9a3bc343af4533e855625b033148892c0b70/docs/source/deployment/snippets/02_configuration.partial.md?plain=1#L31

Another reference to "RDS" in the same file.

I'm not sure what the JSON files in the test directory or the DC desire state files mean. @jemrobinson?

Hm, with that one - the remoteDesktopProvider field in the config file - is it better to remove that completely from the example and provided configs? I'd still maintain a check of its value in the actual deployment scripts, so that anyone trying to run an old MSRDS config script on this version would be given a useful error message, but could otherwise set it up to set remoteDesktopProvider to ApacheGuacamole if it is not provided in the config.

[JimMadge]

Hm, with that one - the remoteDesktopProvider field in the config file - is it better to remove that completely from the example and provided configs? I'd still maintain a check of its value in the actual deployment scripts, so that anyone trying to run an old MSRDS config script on this version would be given a useful error message, but could otherwise set it up to set remoteDesktopProvider to ApacheGuacamole if it is not provided in the config.

If I understand, yes I think we can keep the variable and if we have a variable we should check that it is valid.

Removing all of this is probably unnecessary work. Also, like you said, it could be useful to prompt people to 'upgrade' and give a useful error message. We can make Guacamole the default though, so that you don't need to specify this in configuration files.

[jemrobinson]

I suggest making it a non-configurable option (ie. don't check for in in Configuration.psm1 but just set it to "ApacheGuacamole" there). This would remove it from the example configs but leave it in the full configs.

[craddm]

@JimMadge I think all your comments have been addressed now