RDP Web Access

From Project Homelab
Revision as of 17:01, 31 July 2020 by Travis

Introduction

This is a brief article about configuring RD Web Access for your home lab.

Pros and Cons

If you don't have MSDN, this can cost a few hundred for a Windows licence, then around £25 for a 5-user TSCAL.

Costs

Free if you have access to an MSDN licence, or if you are happy to learn on the 90/180-day trials.

What will you need

  • About an hour maybe two depending on the speed of your environment
  • At least 2 VMs and a DC as a minimum
  • The same number of spare IPs as VMs
  • Access to your router/firewall
  • Ideally a trusted certificate
  • 1 public IP or a NAT from a load balancer

Use Cases

The use case for this type of technology is accessing your environment over the standard SSL port (443). This helps in locked-down company environments, as it doesn't rely on port 3389 being open for RDP.

Solutions

Firstly, I shall start by saying I have configured this as bare bones, to limit the amount of resources I use in my environment and because it is what works for me. If you are studying for your MCSA I would suggest you build this out and include an RD Web Access server, an RD Virtualization Host and an RD Connection Broker. I used my Gateway as the connection broker, as most of my traffic would be coming through it.

First, get your two new VMs up and running and ready to join your domain (sysprepped, patched via WSUS, etc.).

From here, use any naming convention you want; I used:

  • Corprdsgw01.domain.com - This will be your RD Gateway
  • Corprdssh011.domain.com - This will be the session host where your session lands

You will also need another machine for licensing; I usually put this on my secondary DC.

Please note I will add notes for the alternative configuration if you are only using two machines. I couldn't do this myself, as I already had an environment on this domain.

I am also happy to explain that I do the configuration this way because it allows you to install .NET 3.5 if you are still using the old fat clients for your hypervisors.

Configuring the RD Gateway server

Start by logging into the Corprdsgw01 machine; within Server Manager select Add Roles and Features.



Press Next and select Role-based or feature-based installation.

Ensure your server is selected, as you may already have servers in a group.

Within this window select 'Remote Desktop Services'.

The following window allows you to install .NET 3.5 for older applications and web browsers.

Select Next on this window.

Within this window select Remote Desktop Gateway. Also select Remote Desktop Connection Broker and Remote Desktop Web Access if you only plan to have two machines.


The system will now guide you through the NPS server roles. Keep these at the defaults for now, but they can help you lock down access going forward.

Again, follow the standard settings for IIS.


Finally, confirm the installation; once complete, reboot the VM.


Configuring the RD Session Host

Follow all the above sections for your RDS host, but on this screen select Remote Desktop Session Host.


Configuring the RD Licensing server

Follow all the above sections for your licence server, but on this screen select Remote Desktop Licensing.
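The same three role installations, as an added example that is not part of the original article, driven from an elevated PowerShell prompt on a domain-joined machine with WinRM reachable on the targets. Hostnames follow the article's naming; the licence server name (the secondary DC) and the .NET 3.5 source path are assumed placeholders.

```powershell
# Added example: install the RDS roles the article picks in Server Manager.
$Gateway       = 'Corprdsgw01.domain.com'
$SessionHost   = 'Corprdssh011.domain.com'
$LicenseServer = 'dc02.domain.com'      # placeholder: your secondary DC
$TwoVmLayout   = $false                 # $true = broker + web access on the gateway too

# Server -> Windows feature names (Get-WindowsFeature RDS-* lists them all)
$roles = @{
    $Gateway       = @('RDS-Gateway')     # RD Gateway (pulls in NPS and IIS)
    $SessionHost   = @('RDS-RD-Server')   # RD Session Host
    $LicenseServer = @('RDS-Licensing')   # RD Licensing
}
if ($TwoVmLayout) {
    # The article's two-machine variant: broker and web access live on the gateway
    $roles[$Gateway] += 'RDS-Connection-Broker', 'RDS-Web-Access'
}

foreach ($server in $roles.Keys) {
    $features = $roles[$server]
    # .NET 3.5 on the gateway only, for the old fat-client tools the article mentions
    if ($server -eq $Gateway) { $features += 'NET-Framework-Core' }

    Invoke-Command -ComputerName $server -ScriptBlock {
        param($names)
        # NET-Framework-Core may need install media: add -Source <drive>:\sources\sxs (placeholder)
        $result = Install-WindowsFeature -Name $names -IncludeManagementTools
        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            Success       = $result.Success
            RestartNeeded = $result.RestartNeeded   # reboot each VM, as the article says
            Installed     = ($result.FeatureResult.Name -join ', ')
        }
    } -ArgumentList (,$features)
}
```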


Configuring the services to talk

Firstly, I would suggest you ensure all the VMs have been rebooted. When logging in, ensure you use a domain admin account for the next steps.

Start by clicking Manage in Server Manager and selecting Create Server Group.

Within this window add your RDS boxes and licence server.

Click on your server group and then select Add Roles and Features

This time, ensure you have selected Remote Desktop Services installation.

Select Standard deployment.

On the following screen select Session-based desktop deployment, and select Next on the screen after.


In the next screen select your connection broker. In the two-VM scenario this should be your gateway server.


In the next step, as above, if in a two-VM scenario select your gateway server. If you didn't do it previously, select Install the RD Web Access role. The image is for illustrative purposes.

Finally, confirm on the confirmation screen and allow the restarts.


Once this completes, on the server where you configured your group select the following option.

If you have done things correctly you should now see the following screen. Press the RD Gateway + icon.


In here, select your RDS gateway server.

You may get this error if you haven't rebooted.

In the FQDN field, type in the gateway's full domain name; if you have a split-brain DNS zone this will be the same internally and externally. If you want access from outside, you will of course need to use your external domain name.


Confirm the next two screens.

Do the same for the licence server.

If you have done everything right, you will now get the screen below.

From the left bar select Collections

Once the menu is open, select Tasks and then Create Session Collection.

Select Next to reach the following screen and give your RDS collection an appropriate name.

Select the session host you created earlier.

Add the relevant group of users you want to have access.

If you have a file server, you can create a user profile disk.

Select Create to finish your collection.

If required, select your RDS collection, then Tasks and then Publish RemoteApp Programs.

Assuming you have already installed the apps you want to access, tick these to publish them.

Confirm your selections.
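The deployment, gateway, licensing, collection and RemoteApp steps above as RemoteDesktop-module cmdlets, run from the connection broker (the gateway in the two-VM layout). This is an added example, not code from the original article; the licence server, external FQDN, user group, profile-disk share and published app are assumed placeholders.

```powershell
# Added example: the Server Manager wizard steps as RemoteDesktop cmdlets.
Import-Module RemoteDesktop

$Gateway       = 'Corprdsgw01.domain.com'
$SessionHost   = 'Corprdssh011.domain.com'
$Broker        = $Gateway                   # the article uses the gateway as broker
$WebAccess     = $Gateway                   # two-VM layout: web access on the gateway too
$LicenseServer = 'dc02.domain.com'          # placeholder: your secondary DC
$ExternalFqdn  = 'yourgw.yourdomain.com'    # name users type; must match your certificate
$UserGroup     = 'DOMAIN\RDS-Users'         # placeholder: the group granted access
$Collection    = 'HomeLab'

# Standard, session-based deployment (broker + web access + session host)
New-RDSessionDeployment -ConnectionBroker $Broker -WebAccessServer $WebAccess -SessionHost $SessionHost

# Add the gateway; the external FQDN is what the .rdp file tells clients to connect to
Add-RDServer -Server $Gateway -Role RDS-GATEWAY -ConnectionBroker $Broker -GatewayExternalFqdn $ExternalFqdn

# Add the licence server and set per-user licensing for the deployment
Add-RDServer -Server $LicenseServer -Role RDS-LICENSING -ConnectionBroker $Broker
Set-RDLicenseConfiguration -LicenseServer $LicenseServer -Mode PerUser -ConnectionBroker $Broker -Force

# Session collection restricted to one specific group rather than Domain Users
New-RDSessionCollection -CollectionName $Collection -SessionHost $SessionHost -ConnectionBroker $Broker
Set-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup $UserGroup -ConnectionBroker $Broker

# Optional: user profile disks on a file-server share (placeholder path), 10 GB cap
# Set-RDSessionCollectionConfiguration -CollectionName $Collection -EnableUserProfileDisk `
#     -DiskPath '\\fileserver\UPD$' -MaxUserProfileDiskSizeGB 10 -ConnectionBroker $Broker

# Publish one already-installed application as a RemoteApp
New-RDRemoteApp -CollectionName $Collection -DisplayName 'Notepad' `
    -FilePath 'C:\Windows\System32\notepad.exe' -ConnectionBroker $Broker

# Sanity check: every role server and the published app should be listed
Get-RDServer -ConnectionBroker $Broker | Format-Table Server, Roles -AutoSize
Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker | Format-Table DisplayName, FilePath -AutoSize
```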


Testing your config

To try out your system, go to the following URL: https://yourgw.yourdomain.com/RDWeb. For now you will need to accept the certificate warning.

Try to log in, after which you should see your apps.

Select an app and you should now see the following screen; select Connect. This warning is down to the fact that you do not yet have a trusted certificate.

Fingers crossed, your app should appear.
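A scripted version of the browser test above, as an added example that is not part of the original article: it checks that 443 is reachable on the gateway and reports why the certificate warning appears (untrusted chain, name mismatch, self-signed default). The FQDN is the article's placeholder; the function name is my own.

```powershell
# Added example: probe the RD Gateway the way the browser test does.
function Test-RdWebEndpoint {
    param([string]$GatewayFqdn = 'yourgw.yourdomain.com', [int]$Port = 443)

    # 1. Is HTTPS reachable at all? NAT/firewall problems show up here first.
    $tcp = Test-NetConnection -ComputerName $GatewayFqdn -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{ Fqdn = $GatewayFqdn; Reachable = $false }
    }

    # 2. Fetch the certificate the gateway presents, without trusting it (we validate ourselves below)
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $client = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, $Port)
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($GatewayFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $client.Dispose()

    # 3. Explain the browser warning: chain trust, name match, expiry
    $names = @($cert.Subject)
    $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) { $names += $san.Format($false) }          # "DNS Name=..." entries
    [pscustomobject]@{
        Fqdn         = $GatewayFqdn
        Reachable    = $true
        Issuer       = $cert.Issuer
        Expires      = $cert.NotAfter
        ChainTrusted = $cert.Verify()                     # $false for the self-signed default cert
        NameMatches  = (($names -join ';') -match [regex]::Escape($GatewayFqdn))
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        RdWebUrl     = "https://$GatewayFqdn/RDWeb"
    }
}

Test-RdWebEndpoint | Format-List
```

Once a trusted certificate is installed, ChainTrusted and NameMatches should both report True and the browser warning disappears.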



Securing your environment

This section will be updated when the certificates section has been populated.

Exposing this to the world....

I will update this shortly with a common UK router configuration as you will need to NAT some ports from the outside world.


Known Issues and Solutions

This is specifically to detail any issues with the technology being discussed, and how to resolve them. See the Intel NUC page for an example.

  • You may want to deliver several services or pages on port 443
    • Head over to my page about load balancing to learn more if you only have 1 public IP
  • Requires several servers, or an understanding of a DMZ
    • You don't have to follow best practice, but not doing so may compromise security