RDP Web Access

From Open Homelab

Introduction

This is a brief article about configuring RD Web Access for your home lab

Pros and Cons

If you don't have MSDN this can cost a few hundred for a Windows licence, then around £25 for a 5-user TSCAL

Costs

Free if you have access to an MSDN licence, or if you are happy with the 90/180-day trials for learning

What will you need

  • About an hour, maybe two, depending on the speed of your environment
  • At least 2 VMs and a DC as a minimum
  • The same number of spare IPs as VMs
  • Access to your router/firewall
  • Ideally a trusted certificate
  • 1 public IP, or a NAT from a load balancer

Use Cases

The use case for this type of technology is accessing your environment over the standard SSL port. This helps in locked-down company environments because it doesn't rely on port 3389 for RDP

Solutions

Firstly I shall start by saying I have configured this as bare bones to limit the amount of resources I use in my environment, and also because it is what works for me. If you are studying for your MCSA I would suggest you build this out and include a separate RD Web Access server, RD Virtualization Host and RD Connection Broker. I used my Gateway as the session broker as most of my traffic would be coming from there.

Firstly, get your two new VMs up and running and ready to join your domain (sysprepped, WSUS etc.)

From here use any naming convention you want; I used:

  • Corprdsgw01.domain.com - This will be your RD Gateway
  • Corprdssh011.domain.com - This will be where your session gets dropped onto

You will also need another machine for licensing; I usually put this on my secondary DC

Please note I will add notes for the alternative configuration if you are only using two machines. I couldn't do this myself as I already had an environment on this domain

I am also happy to explain that I do the configuration this way because it lets you install .NET 3.5 if you are still using the old fat clients for your hypervisors

Configuring the RD Gateway server

Start by logging into the Corprdsgw01 machine; within Server Manager select Add Roles


Rdsguide1.png


Press Next and select Role-based or feature-based installation

Rdsguide2.png

Ensure your server is selected, as you may already have these in a group

Rdsguide3.png

Within this window select 'Remote Desktop Services'

Rdsguide4.png

The following window allows you to install .NET 3.5 for older applications and web browsers

Rdsguide5.png

Select Next on this window

Rdsguide6.png

Within this window select Remote Desktop Gateway. Also select Remote Desktop Connection Broker and Remote Desktop Web Access if you only plan to have two machines

Rdsguide7.png


The system will now guide you through the NPS server roles. Keep these at the defaults for now; they can help you lock down access going forward

Rdsguide8.png Rdsguide9.png

Again follow the standard settings for IIS

Rdsguide10.PNG Rdsguide11.PNG


Finally, confirm the installation; once complete, reboot the VM

Rdsguide12.PNG


Configuring the RD Session Host

Follow all the above sections for your RDS host, but on this screen select Remote Desktop Session Host

Rdsguide12.PNG


Configuring the RD Licensing server

Follow all the above sections for your license server, but on this screen select Remote Desktop Licensing

Rdsguide12.PNG


Configuring the services to talk

Firstly, I would suggest you ensure all the VMs have been rebooted. When logging in, use a domain admin account for the next steps

Start by clicking Manage in Server Manager and select Create Server Group

Rdsguide15.PNG

Within this window add your RDS boxes and license server

Rdsguide16.PNG

Click on your server group and then select Add Roles and Features

Rdsguide17.PNG

This time ensure you have selected Remote Desktop Services Installation

Rdsguide18.PNG

Select standard deployment

Rdsguide19.PNG

On the following screen select Session-based desktop deployment, and select Next on the screen after

Rdsguide20.PNG Rdsguide21.PNG


In the next screen select your connection broker. In the 2-VM scenario this should be your gateway server


Rdsguide22.PNG

In the next step, as above, select your gateway server if in the two-VM scenario. If you didn't do it previously, select Install RD Web Access role. The image is for illustrative purposes

Rdsguide23.PNG

Finally, select the confirmation screen and allow the restarts


Rdsguide24.PNG Rdsguide26.PNG Rdsguide27.PNG

Once this completes, on the server where you configured your group select the following option

Rdsguide28.PNG

If you have done things correctly you should now see the following screen. Press the RD Gateway + icon


Rdsguide29.PNG

In here select your RDS gateway server

Rdsguide30.PNG

You may get this error if you haven't rebooted

Rdsguide31.PNG

In the FQDN box type your full domain name; if you have a split zone this will be the same internally. If you want access from outside you will of course need to use your external domain name


Rdsguide32.PNG

Confirm the next two screens

Rdsguide33.PNG Rdsguide34.PNG

Do the same for the license server

Rdsguide35.PNG Rdsguide36.PNG

If you have done everything right you will now get the screen below

Rdsguide37.PNG

From the left bar select Collections

Rdsguide38.PNG

Once the menu is open select Tasks and then Create Session Collection

Rdsguide39.PNG

Select Next on the following screen and give your RDS collection an appropriate name

Rdsguide40.PNG Rdsguide41.PNG

Select the session host you created earlier

Rdsguide42.PNG

Add the group of people you want to have access

Rdsguide43.PNG

If you have a file server you can create a user profile disk

Rdsguide44.PNG

Select Create to finish your collection

Rdsguide45.PNG

If required, select your RDS group, then Tasks and then Publish RemoteApp Programs

Rdsguide46.PNG Rdsguide47.PNG

Assuming you have already installed the apps you want to access, tick these to publish them

Rdsguide48.PNG

Confirm your selections

Rdsguide49.PNG Rdsguide50.PNG
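The same two-VM deployment built from the gateway with the RemoteDesktop PowerShell module instead of clicking through Server Manager. This is an added example, not part of the original article: the gateway and session host names are the article's, while the license server name, the external FQDN, the AD group, the profile-disk share and the certificate path are assumptions.

```powershell
# Added example: 2-VM RDS deployment via the RemoteDesktop module. Run as a
# domain admin on the gateway after all three VMs have rebooted.
Import-Module RemoteDesktop

$Broker   = 'Corprdsgw01.domain.com'   # gateway also acts as broker and web access
$Session  = 'Corprdssh011.domain.com'  # where sessions land
$License  = 'corpdc02.domain.com'      # licensing on the secondary DC (assumed name)
$External = 'rds.example.com'          # public name users will type (assumed)

# Standard session-based deployment: this installs the broker, web access
# and session host roles on the named servers (the "Standard deployment" wizard).
New-RDSessionDeployment -ConnectionBroker $Broker -WebAccessServer $Broker -SessionHost $Session

# The "+ RD Gateway" tile: the external FQDN must match the name on the certificate.
Add-RDServer -Server $Broker -Role RDS-GATEWAY -ConnectionBroker $Broker -GatewayExternalFqdn $External

# The "+ RD Licensing" tile, then per-user mode for the 5-user TSCALs.
Add-RDServer -Server $License -Role RDS-LICENSING -ConnectionBroker $Broker
Set-RDLicenseConfiguration -LicenseServer $License -Mode PerUser -ConnectionBroker $Broker -Force

# Collection: restrict access to a dedicated AD group (assumed name) rather than Domain Users.
New-RDSessionCollection -CollectionName 'HomeLab' -SessionHost $Session -ConnectionBroker $Broker
Set-RDSessionCollectionConfiguration -CollectionName 'HomeLab' -ConnectionBroker $Broker `
    -UserGroup 'DOMAIN\RDS Users'

# Optional user profile disks on a file server share (assumed path).
Set-RDSessionCollectionConfiguration -CollectionName 'HomeLab' -ConnectionBroker $Broker `
    -EnableUserProfileDisk -DiskPath '\\fileserver\UPD$' -MaxUserProfileDiskSizeGB 20

# Publish a RemoteApp that is already installed on the session host.
New-RDRemoteApp -CollectionName 'HomeLab' -DisplayName 'Notepad' `
    -FilePath 'C:\Windows\System32\notepad.exe' -ConnectionBroker $Broker

# Bind a trusted certificate to the roles clients talk to, so the RDWeb and
# RemoteApp warnings in the testing section go away (assumed PFX path).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    Set-RDCertificate -Role $role -ImportPath 'C:\certs\rds.pfx' -Password $pfxPassword `
        -ConnectionBroker $Broker -Force
}

# Check what the deployment actually contains before testing https://$External/RDWeb.
Get-RDServer -ConnectionBroker $Broker | Format-Table Server, Roles
Get-RDRemoteApp -CollectionName 'HomeLab' -ConnectionBroker $Broker | Format-Table DisplayName, FilePath
```

Get-RDServer should list the gateway with the broker, web access and gateway roles, the session host with RDS-RD-SERVER and the DC with RDS-LICENSING; anything missing points at the step that needs a reboot or a rerun.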


Testing your config

To try out your system go to the following URL: https://yourgw.yourdomain.com/RDWeb. For now you will need to accept the certificate warning

Rdsguide51.PNG Rdsguide52.PNG

Try to log in, at which point you should see your apps

Rdsguide53.PNG

Select an app and you should now see the following screen; select Connect. This warning appears because you do not yet have a trusted certificate

Rdsguide54.PNG

Fingers crossed, your app should appear

Rdsguide55.PNG



Securing your environment

This section will be updated when the certificates section has been populated.

Exposing this to the world....

I will update this shortly with a common UK router configuration as you will need to NAT some ports from the outside world.


Known Issues and Solutions

This is specifically to detail any issues with the technology being discussed, and how to resolve them. See the Intel NUC page for an example.

  • You may want to deliver several services or pages on port 443
    • Head over to my page about load balancing to learn more if you only have 1 public IP
  • Requires several servers, or an understanding of a DMZ
    • You don't have to follow best practice, but skipping it may compromise security