Remote Desktop Service on Server 2008 R2 – Part3

 

RD Web Access

eploying Remote Desktop Web Access with Remote Desktop Connection Broker Step-by-Step Guide

Updated: October 12, 2010

Applies To: Windows 7, Windows Server 2008 R2

About this guide

RemoteApp and Desktop Connection allows administrators to provide a set of resources, such as RemoteApp programs and virtual desktops, to their users. Users can connect to RemoteApp and Desktop Connection in two ways:

• From a computer running Windows® 7. When set up, resources that are part of RemoteApp and Desktop Connection appear in the Start menu under All Programs in a folder called RemoteApp and Desktop Connections.
• From a Web browser by signing in to the website that is provided by RD Web Access. In this case, a computer that is running Windows 7 is not required.

This step-by-step guide walks you through the process of setting up a working RemoteApp source that is accessible by using Remote Desktop Web Access (RD Web Access). During this process, you will deploy the following components in a test environment:

• A Remote Desktop Connection Broker (RD Connection Broker) server
• A Remote Desktop Web Access (RD Web Access) server

This guide also explains how to configure Single Sign On so that users are only prompted once for credentials. When you deploy Single Sign On, consider the following certificate requirements:

• The certificate must be trusted explicitly or from a trusted root certificate.
• The certificate name or the Subject Alternative Name must match the fully-qualified domain name of the server.
• The certificate must support Server Authentication or Remote Desktop Authentication Extended Key Usage.
• Indirect certificate revocation lists are not supported.
• Certificate revocation checks are performed by default.
• When you use CredSSP, you can turn off certificate revocation checks by configuring the following registry entry to a value of 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
• When you use Transport Layer Security (TLS), you can turn off certificate revocation checks by configuring the following registry entries to a value of 0: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\ CertChainRevocationCheck and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\ CertChainRevocationCheck

==============================================================
==============================================================

 

Configure the RD Session Host server (RDSH-SRV)

To configure the server RDSH-SRV, you must:

• Configure a certificate used to digitally sign the RDP file.
• Add the thumbprint of the certificate used to digitally sign the RDP file to the Default Domain Group Policy setting by using the Group Policy Management Console (GPMC).

First, configure a certificate used to digitally sign the RDP file by using RemoteApp Manager. This procedure assumes that you have already imported a certificate into the Personal certificate store of the computer account.

To configure a certificate used to digitally sign the RDP file

1. Log on to RDSH-SRV as CONTOSO\Administrator.

2. Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.

3. Under the Overview section, click Change next to Digital Signature Settings.
   

4. Select the Sign with a digital certificate check box.

5. Click Change.

6. On the Confirm Certificate page, select the appropriate certificate, and then click OK.
   

7. Click OK to close the RemoteApp Deployment Settings dialog box.

Finally, you must add the thumbprint of the certificate used to digitally sign the RDP file to the Default Domain Group Policy setting. This is required so that the trusted publisher warning dialog box is not shown to the user each time the RemoteApp program is started.

To add the certificate thumbprint to the Default Domain Group Policy setting

1. Log on to CONTOSO-DC as CONTOSO\Administrator.

2. Open the GPMC. To open the GPMC, click Start, point to Administrative Tools, and then click Group Policy Management.

3. Expand Forest: contoso.com, expand Domains, and then expand contoso.com.

4. Right-click Default Domain Policy, and then click Edit.

5. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.
   

6. Double-click Specify SHA1 thumbprints of certificates representing trusted .rdp publishers.
   

7. Select the Enabled option.

8. In the Comma-separated list of SHA1 trusted certificate thumbprints box, type the certificate thumbprint used to digitally sign the RDP file, and then click OK.
   

Configure the client computer (CONTOSO-CLNT)

To configure the client computer CONTOSO-CLNT, you must:

• Import the digital certificate used by RDSH-SRV to the Trusted Root Certification Authorities certificate store of the computer account.

Import the digital certificate used by RDSH-SRV to the Trusted Root Certification Authorities certificate store of the computer account on CONTOSO-CLNT.

To import a digital certificate to the Trusted Root Certification Authorities certificate store

1. Log on to CONTOSO-CLNT as CONTOSO\Administrator.

2. Click Start, and then click Run.

3. Type mmc and then click OK.

4. Click File, and then click Add/Remove Snap-in.

5. In the Available snap-ins box, click Certificates, and then click Add.

6. Select the Computer account option, click Next, and then click Finish.

7. Click OK.

8. Expand Certificates (Local Computer).

9. Right-click Trusted Root Certification Authorities, point to All Tasks, and then click Import.

10. On the Welcome to the Certificate Import Wizard page, click Next.

11. Click Browse.

12. Click Personal Information Exchange (*.pfx, *.p12) to filter the file results to show only PFX and P12 files.

    Important

    You must import a PFX certificate file that includes the private key.

13. Navigate to the folder where the certificate is located, click the certificate, and the click Open.

14. Click Next.

15. In the Password box, type the password for the PFX file, and then click Next.

16. Click Next, and then click Finish.

 

Configure the RD Web Access server (RDWA-SRV)

To configure the RD Web Access server by using Windows Server 2008 R2, you must:

• Install Windows Server 2008 R2.
• Configure TCP/IP properties.
• Join RDWA-SRV to the contoso.com domain.
• Install the RD Web Access role service.
• Add the thumbprint of the certificate used for the RD Web Access server to the Default Domain Group Policy setting by using the GPMC.

Next, install the RD Web Access role service by using Server Manager.

To install the RD Web Access role service

1. Log on to RDWA-SRV as CONTOSO\Administrator.

2. Click Start, point to Administrative Tools, and then click Server Manager.

3. Under the Roles Summary heading, click Add Roles.

4. On the Before You Begin page, click Next.

5. On the Select Server Roles page, select the Remote Desktop Services check box, and then click Next.
   

6. On the Remote Desktop Services page, click Next.

7. On the Select Role Services page, select the Remote Desktop Web Access check box.

8. Review the information about adding Web Server (IIS) and the Remote Server Administration Tools, click Add Required Role Services, and then click Next.
   

9. On the Web Server (IIS) page, click Next.
   
   

10. On the Select Role Services page, click Next.
    

11. On the Confirm Installation Selections page, click Install.
    

12. After installation is complete, click Close.
    

Finally, you must add the thumbprint of the RD Web Access server certificate to the Default Domain Group Policy setting. This is required so that the trusted publisher warning dialog box is not shown to the user each time the RemoteApp program is started.

To add the certificate thumbprint to the Default Domain Group Policy setting

1. Log on to CONTOSO-DC as CONTOSO\Administrator.

2. Open GPMC. To open GPMC, click Start, point to Administrative Tools, and then click Group Policy Management.

3. Expand Forest: contoso.com, expand Domains, and then expand contoso.com.

4. Right-click Default Domain Policy, and then click Edit.

5. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.

6. Double-click Specify SHA1 thumbprints of certificates representing trusted .rdp publishers.

7. Select the Enabled option.

8. In the Comma-separated list of SHA1 trusted certificate thumbprints box, type the certificate thumbprint used to digitally sign the RDP file, and then click OK.

You have set up the CONTOSO domain. Now you can proceed to Step 2: Installing and Configuring RemoteApp.

==============================================================
==============================================================

Next, assign a RemoteApp source on the RD Web Access server (RDWA-SRV).

To assign a RemoteApp source on RDWA-SRV

1. Log on to RDWA-SRV as CONTOSO\Administrator.

2. Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Web Access Configuration.

3. Click Continue to this website (not recommended).
   

   Important

   This guide uses a self-signed certificate for the RD Web Access server. Self-signed certificates are not recommended in a production environment. You should use a certificate that is trusted from a certification provider when deploying RD Web Access in a production environment.

4. In the Domain\user name box, type CONTOSO\Administrator.

5. In the Password box, type the password that you specified for CONTOSO\Administrator, and then click Sign in.

6. On the Configuration page, click An RD Connection Broker server.
   

7. In the Source name box, type rdcb-srv and then click OK.
   

Finally, you must add a RemoteApp source on the RDCB-SRV computer by using Remote Desktop Connection Manager.

To add a RemoteApp source by using Remote Desktop Connection Manager

1. Log on to RDCB-SRV as CONTOSO\Administrator.

2. Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.

3. Click RemoteApp Sources, and then in the Actions pane, click Add RemoteApp Source.

4. In the RemoteApp source name box, type rdsh-srv and then click Add.

==============================================================
==============================================================

Step 3: Verifying RemoteApp Functionality

Updated: October 12, 2010

Applies To: Windows 7, Windows Server 2008 R2

To verify the functionality of a RemoteApp program deployment, log on as Morgan Skinner and connect to the RemoteApp program by using Remote Desktop Web Access (RD Web Access).

To connect to the RemoteApp program

1. Log on to CONTOSO-CLNT as Morgan Skinner (CONTOSO\mskinner).

2. Click Start, point to All Programs, and then click Internet Explorer.

3. In the Address bar, type https://rdwa-srv.contoso.com/RDWeb and then press ENTER.

4. Click Continue to this website (not recommended).

   Important

   This guide uses a self-signed certificate for the RD Web Access server. Self-signed certificates are not recommended in a production environment. You should use a certificate that is trusted from a certification provider when deploying RD Web Access in a production environment.

5. In the Domain\user name box, type CONTOSO\mskinner.

6. In the Password box, type the password that you specified for Morgan Skinner, and then click Sign in.

   Note

   In you receive a prompt asking you to install the Microsoft Remote Desktop Services Web Access Control, clickRun Add-on, and then click Run.

7. Click Calculator, and then click Connect.

8. When prompted, enter the credentials for Morgan Skinner, and then click OK.

You have successfully deployed and demonstrated the functionality of a RemoteApp program by using the simple scenario of connecting to Calculator by using RD Web Access. You can also use this deployment to explore some of the additional capabilities of personal virtual desktops through additional configuration and testing.