How do I configure RDS for a Terminal Services farm in Windows 2008?
11:20 PM
DNS configuration
- For DNS this assumes that an Active Directory forest is installed and configured to support this installation, so you will need to ensure that the DNS suffix is referenced accordingly for internal names versus what may be used externally. If you are in a DNS split-brain configuration, you MUST ensure the records match the access levels you are providing, so that:
- Internal DNS names resolve correctly for whatever is being configured
- External DNS names referenced for the RD Web server are reachable by external clients and resolve to the external-facing IP address used for the connection
- Create round-robin A records for the farm name, one per RDS server in the backend cluster:
- RD01P => tsfarm.companydnsname.com => 10.0.0.101
- RD02P => tsfarm.companydnsname.com => 10.0.0.102
- Additional nodes => tsfarm.companydnsname.com => next IP address in the range, preferably sequential
- Create individual A records for each server used in the setup (by default, dynamic DNS registers these if it is enabled and the client is set to register on login)
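The records above are easy to get subtly wrong (a farm member missing from the round-robin set, a stale address left behind, or the gateway name resolving to the internal address from outside). The script below is an added example, not part of the original post: it resolves the farm name, each member's own A record and the gateway name from wherever it is run and reports mismatches, so it is run once from the inside and once from an external client for the split-brain case. Host names and the 10.0.0.x addresses are the post's placeholders; the DNS server name DC01 in the dnscmd lines and the external address 203.0.113.10 are assumptions.

```powershell
# Added example (not from the original post): validate the DNS records the farm depends on.
# The round-robin records themselves can be created with dnscmd against a DNS server
# (DC01 is an assumed server name):
#   dnscmd DC01 /RecordAdd companydnsname.com tsfarm A 10.0.0.101
#   dnscmd DC01 /RecordAdd companydnsname.com tsfarm A 10.0.0.102

function Test-RdsFarmDns {
    param(
        [string]   $FarmName    = 'tsfarm.companydnsname.com',
        [string[]] $FarmIPs     = @('10.0.0.101', '10.0.0.102'),
        [string[]] $MemberHosts = @('rd01p.companydnsname.com', 'rd02p.companydnsname.com'),
        [string]   $GatewayName = 'gateway.companydnsname.com',
        # Address the gateway name must resolve to from the vantage point this runs on:
        # the internal address inside, the firewall's public address outside (assumed value).
        [string]   $GatewayIP   = '203.0.113.10'
    )
    $checks = @()

    function Resolve-Addresses([string] $name) {
        # IPv4 addresses only, sorted so two lists can be compared directly.
        try {
            @([System.Net.Dns]::GetHostAddresses($name) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString } | Sort-Object)
        } catch { @() }
    }

    # 1. Round-robin: the farm name must list every member and nothing else,
    #    otherwise the broker can redirect to a host that is not in the farm.
    $resolved = @(Resolve-Addresses $FarmName)
    $missing  = @($FarmIPs  | Where-Object { $resolved -notcontains $_ })
    $extra    = @($resolved | Where-Object { $FarmIPs  -notcontains $_ })
    $checks += New-Object PSObject -Property @{
        Check  = "round-robin $FarmName"
        Passed = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        Detail = "resolved=[$($resolved -join ',')] missing=[$($missing -join ',')] extra=[$($extra -join ',')]"
    }

    # 2. Each member has its own A record pointing at one of the farm addresses
    #    (DDNS should register it, but verify rather than assume).
    foreach ($h in $MemberHosts) {
        $addrs = @(Resolve-Addresses $h)
        $checks += New-Object PSObject -Property @{
            Check  = "member A record $h"
            Passed = (@($addrs | Where-Object { $FarmIPs -contains $_ }).Count -gt 0)
            Detail = "resolved=[$($addrs -join ',')]"
        }
    }

    # 3. Gateway name resolves to the address expected from this vantage point.
    $gw = @(Resolve-Addresses $GatewayName)
    $checks += New-Object PSObject -Property @{
        Check  = "gateway $GatewayName -> $GatewayIP"
        Passed = ($gw -contains $GatewayIP)
        Detail = "resolved=[$($gw -join ',')]"
    }
    $checks
}

Test-RdsFarmDns | Format-Table Check, Passed, Detail -AutoSize
```

Run it on an internal machine with the internal gateway address, then from an external client with the public address; a "Passed = False" on the gateway row from outside is exactly the split-brain mismatch the section warns about.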
SSL Certificate Configuration
- For an RD Web Server configuration to work externally, all records that are being referenced for the initial Web Address connection must be valid
- The RD Gateway connection configured for the same MUST be accessible externally, and if you specify a specific RD Gateway server for the RD connection, the certificate used to validate the gateway connection MUST be valid. You can choose "Automatically detect RD Gateway server settings", but should that not work you need a valid SSL certificate that the client can verify; otherwise you will get an SSL error and won't be able to connect.
- OPTIONAL: You can sign the RDP sessions in the RDS configuration, but to avoid prompting users to download an untrusted root certificate you should procure server certificates from an external CA provider. Otherwise, you can document steps for the end user to install the certificate locally on their system to bypass that error, or to check the box to ignore it for subsequent sessions.
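Whether a client will accept the gateway certificate comes down to three things: the name on the certificate matches the gateway name the client connects to, the chain builds to a root the client trusts, and the certificate is inside its validity period. The function below is an added example (not from the original post) that connects to the gateway's HTTPS port, pulls the presented certificate and evaluates those three conditions from the client's point of view. The gateway name is the post's placeholder; port 443 is the RD Gateway default and is an assumption for your environment.

```powershell
# Added example (not from the original post): fetch the certificate an RD Gateway presents
# and check it the way a connecting client would. Run from an external client to test the
# externally facing name; run internally for the internal name in a split-brain setup.
function Test-RdGatewayCertificate {
    param(
        [string] $HostName = 'gateway.companydnsname.com',
        [int]    $Port     = 443     # assumption: RD Gateway on the default HTTPS port
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything at the TLS layer so the handshake completes; the checks are done below.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    }
    finally { $client.Close() }

    # Name check: subject CN, or any DNS entry in the Subject Alternative Name extension (OID 2.5.29.17).
    $cn      = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $nameMatches = ($cn -eq $HostName) -or ($sanText -match [regex]::Escape($HostName))

    # Chain check: Verify() builds the chain against this machine's trust store, which is
    # what the RDP client on this machine would do. A self-signed or internal-CA certificate
    # fails here on any client that has not been given the root.
    $chainTrusted = $cert.Verify()

    $now = Get-Date
    $inValidity = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    New-Object PSObject -Property @{
        HostName     = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        SubjectAltNames = $sanText
        NameMatches  = $nameMatches
        ChainTrusted = $chainTrusted
        InValidity   = $inValidity
        Passed       = ($nameMatches -and $chainTrusted -and $inValidity)
    }
}

Test-RdGatewayCertificate | Format-List HostName, Subject, Issuer, NotAfter, SubjectAltNames, NameMatches, ChainTrusted, InValidity, Passed
```

A result of NameMatches = True but ChainTrusted = False is the self-signed case the section describes: the name is right, but every client would need the root installed before the SSL warning goes away.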
Active Directory Security Group Creation
- Create the Remote Desktop CAP Access group => grants access for AD users and groups to the RDS farm; this SHOULD NOT contain any computer objects
- Add the Remote Desktop CAP Access group to the Remote Desktop Users local group on all WA and RD servers
- This should include any user who is not defined as an administrator here and needs access to the RDP sessions on the system
- Create the Remote Desktop RAP Access group => grants access for AD computers to the RDS farm; this SHOULD NOT contain any users or groups
- Add the Remote Desktop RAP Access group to the TS Web Access Computers local group on each WA server that has that local group
- This should include any computer that is configured as a session host and is allowed to access the RDP session of the server (namely any system acting as a gateway server or RD Session Host backend)
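The two groups have opposite membership rules (CAP: users and groups only; RAP: computers only), and a computer that drifts into the CAP group, or a user into the RAP group, silently widens what the gateway policies grant. The script below is an added example (not from the original post): it creates both groups if they are missing and then audits their membership against those rules. It requires the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2); the OU path and the sample members RD01P, RD02P and "Remote Desktop Staff" are assumptions.

```powershell
# Added example (not from the original post): create the RDS access groups and verify
# that the CAP group holds no computers and the RAP group holds nothing but computers.
Import-Module ActiveDirectory

$CapGroup = 'Remote Desktop CAP Access'          # users and groups only
$RapGroup = 'Remote Desktop RAP Access'          # computers only
$TargetOU = 'OU=RDS,DC=companydnsname,DC=com'    # assumption: OU that holds the groups

foreach ($name in $CapGroup, $RapGroup) {
    if (-not (Get-ADGroup -Filter { Name -eq $name })) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $TargetOU
    }
}

# Populate: session hosts / gateway computers go into the RAP group, a user group into
# the CAP group. RD01P, RD02P and 'Remote Desktop Staff' are assumed object names.
Add-ADGroupMember -Identity $RapGroup -Members (Get-ADComputer 'RD01P'), (Get-ADComputer 'RD02P')
Add-ADGroupMember -Identity $CapGroup -Members (Get-ADGroup 'Remote Desktop Staff')

function Test-RdsAccessGroups {
    param([string] $CapGroup, [string] $RapGroup)

    # A computer anywhere under the CAP group, including via nested groups, is a violation,
    # so the CAP side is expanded recursively.
    $capComputers = @(Get-ADGroupMember -Identity $CapGroup -Recursive |
        Where-Object { $_.objectClass -eq 'computer' })

    # The RAP group must contain computers directly, so it is NOT expanded: a nested group
    # shows up as objectClass 'group' and is reported, as the text requires.
    $rapNonComputers = @(Get-ADGroupMember -Identity $RapGroup |
        Where-Object { $_.objectClass -ne 'computer' })

    New-Object PSObject -Property @{
        CapGroupClean     = ($capComputers.Count -eq 0)
        CapGroupOffenders = (($capComputers | ForEach-Object { $_.SamAccountName }) -join ',')
        RapGroupClean     = ($rapNonComputers.Count -eq 0)
        RapGroupOffenders = (($rapNonComputers | ForEach-Object { $_.SamAccountName }) -join ',')
    }
}

Test-RdsAccessGroups -CapGroup $CapGroup -RapGroup $RapGroup | Format-List
```

Running the audit function on a schedule is a cheap way to catch the membership drift that would otherwise only show up as an unexpected host appearing in the RD Web listing.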
Server Configuration
- Install the following roles on all WA servers:
- Remote Desktop Web Access
- Remote Desktop Gateway
- Remote Desktop Connection Broker
- Remote Desktop Session Host
- Install the following roles on all RDS servers:
  - Remote Desktop Session Host
  - Remote Desktop Connection Broker
- Install the following role on the main AD server:
  - Remote Desktop Terminal Licensing => install to a directory other than C:\Windows
  - Ensure the licensing server is in the same subnet as the rest of the environment so that firewall rules do not block the ports it needs
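The role sets above differ per server type, and the Server Manager wizard makes it easy to leave one out on a farm member. The script below is an added example (not from the original post) that installs the set for a given server type from the ServerManager module and then re-reads the feature list so the report reflects what is actually installed. The feature names are the ones Get-WindowsFeature lists on Windows Server 2008 R2 (RDS-Web-Access, RDS-Gateway, RDS-Connection-Broker, RDS-RD-Server, RDS-Licensing); treat them as an assumption and confirm with `Get-WindowsFeature RDS-*` on your build.

```powershell
# Added example (not from the original post): install the RDS role set for a server type
# and return whatever is still missing afterwards. Feature names assumed from 2008 R2;
# confirm with: Get-WindowsFeature RDS-*
Import-Module ServerManager

$RoleSets = @{
    'WA'      = @('RDS-Web-Access', 'RDS-Gateway', 'RDS-Connection-Broker', 'RDS-RD-Server')
    'RD'      = @('RDS-RD-Server', 'RDS-Connection-Broker')
    'License' = @('RDS-Licensing')
}

function Get-MissingRdsFeatures {
    param([string[]] $Wanted)
    # Only the wanted features that are not yet installed.
    @(Get-WindowsFeature | Where-Object { $Wanted -contains $_.Name -and -not $_.Installed } |
        ForEach-Object { $_.Name })
}

function Install-RdsRoleSet {
    param([ValidateSet('WA', 'RD', 'License')] [string] $ServerType)
    $wanted  = $RoleSets[$ServerType]
    $missing = Get-MissingRdsFeatures $wanted
    if ($missing.Count -gt 0) {
        $result = Add-WindowsFeature $missing
        if ($result.RestartNeeded -eq 'Yes') {
            Write-Warning "Restart required on $env:COMPUTERNAME before the roles are usable"
        }
    }
    # Re-read rather than trusting the install result, so the caller sees the real state.
    Get-MissingRdsFeatures $wanted
}

$stillMissing = Install-RdsRoleSet -ServerType 'WA'
if ($stillMissing.Count -eq 0) { "All WA roles installed on $env:COMPUTERNAME" }
else { "Still missing on $env:COMPUTERNAME: $($stillMissing -join ', ')" }
```

Change the -ServerType argument to 'RD' on the session hosts and 'License' on the AD server; the licensing database path (the "directory other than C:\Windows" note) is set afterwards in the RD Licensing Manager, not by the feature install.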
WA Server Configuration (Detailed):
- For the Authentication Method choose "Do not require Network Level Authentication"
- For the Licensing Mode configure the option for "Per User"
- For User Groups, add the following to "Select User Groups Allowed to Access This RD Session Host Server": Administrators (default), Remote Desktop CAP Access group
- For the Configure Client Experience accept the defaults
- Install a self-signed certificate
- For CAP and RAP Authorization policies configure the following:
- RD Gateway User Groups => Administrators (Default), Remote Desktop CAP Access group
- RD CAP Policy (TS_CAP_01) => check the Password box
- RD RAP Policy (TS_RAP_01) => Choose "Allow users to connect to computers in the following group:" and select the Remote Desktop RAP Access group
- Network Policy and Access Services => Accept the defaults
- Web Server (IIS) => Accept the defaults
Tools that show as installed once complete:
- RemoteApp Manager
- RD Session Host Server Tab
- Server Name: gateway.companydnsname.com
- RDP Port: 3389 (default)
- Check "Show a remote desktop connection to this RD Session Host server in RD Web Access"
- Select the option "Do not allow users to start unlisted programs on initial connection"
- RD Gateway
- Select "Automatically detect RD Gateway server settings"
- OPTIONAL: You can configure a specific name here for load balancing but it REQUIRES a valid certificate on the name to resolve else the connection will not work; Default to the option above if this does not work as expected
- Digital Signature
- OPTIONAL: To help bypass the multiple security warnings displayed when connecting into these hosts, procure a valid SSL certificate from an externally trusted provider to avoid having to load a certificate per end user machine; Do not select this option if you plan on using a self-signed certificate
- Custom RDP Settings
- Uncheck all checkboxes and choose only the settings you want, namely "Clipboard"
- Remote Desktop Connection Manager
- Configure this by right-clicking the Remote Desktop Connection Manager icon and choosing Properties
- Connection Settings
- Display Name: Enterprise Remote Access
- Connection ID: gateway.companydnsname.com
- RD Web Access
- Server Name: enter the server name of the RD Web Access server, namely "wa01p.companydnsname.com"
- On the sub-object called RemoteApp Sources configure the following:
- RemoteApp Sources: enter the machine that has the RD Web Access server role, namely "wa01p.companydnsname.com"
- RD Gateway Manager
- Right-Click the WA server object and choose "Properties"
- Server Farm
- Add the RD gateway server farm member: gateway.companydnsname.com
- Select the Connection Authorization Policies folder to create a CAP Access policy:
- General Tab
- Name the policy "TS_CAP_01"
- Check the box to enable the policy
- Requirements
- Check the "Password" box; Uncheck the "Smart Card" box
- User Group Membership
- Add to the User group membership list: Remote Desktop CAP Access, BUILTIN\Administrators
- Remove from the User group membership list: Domain Users
- Client Computer Group Membership
- Add to the list: Remote Desktop RAP Access
- Remove from the list: Domain Users
- Timeouts (Optional)
- Enable Idle (120 minute) and Session (480 minute) timeouts, if appropriate
- Select the Resource Authorization Policies folder to create a RAP Access policy:
- General Tab
- Name the policy "TS_RAP_01"
- Check the box to enable the policy
- User Groups
- Add to the list: Remote Desktop RAP Access
- Remove from the list: Domain Users
- Network Resource
- Add to the Select an Active Directory Domain Services network resource group: Remote Desktop RAP Access
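Once the CAP and RAP are saved, the quickest way to confirm the wizard recorded what the steps above intend (password-only authentication, the right user and computer groups, Domain Users gone from every list, the RAP pointing at the AD computer group) is to read the policies back from the RD Gateway's WMI provider rather than re-opening each tab. The function below is an added example, not from the original post. The classes Win32_TSGatewayConnectionAuthorizationPolicy and Win32_TSGatewayResourceAuthorizationPolicy live in root\CIMV2\TerminalServices; the property names used here (Enabled, PasswordAuthentication, SmartcardAuthentication, UserGroupNames, ComputerGroupNames, IdleTimeout, SessionTimeout, ResourceGroupType, ResourceGroupName) are my recollection of those classes and should be confirmed with `Get-WmiObject -Namespace root\CIMV2\TerminalServices -List`. The server name is the post's placeholder.

```powershell
# Added example (not from the original post): read TS_CAP_01 and TS_RAP_01 back from the
# RD Gateway WMI provider and compare them with the intended settings.
# Assumption: property names as recalled from the Win32_TSGateway* classes; confirm with
#   Get-WmiObject -Namespace root\CIMV2\TerminalServices -List
function Test-RdGatewayPolicies {
    param(
        [string] $ComputerName = 'wa01p.companydnsname.com',
        [string] $CapName      = 'TS_CAP_01',
        [string] $RapName      = 'TS_RAP_01',
        [string] $CapUserGroup = 'Remote Desktop CAP Access',
        [string] $RapCompGroup = 'Remote Desktop RAP Access'
    )
    $ns  = 'root\CIMV2\TerminalServices'
    $cap = Get-WmiObject -ComputerName $ComputerName -Namespace $ns `
        -Class Win32_TSGatewayConnectionAuthorizationPolicy -Filter "Name='$CapName'"
    $rap = Get-WmiObject -ComputerName $ComputerName -Namespace $ns `
        -Class Win32_TSGatewayResourceAuthorizationPolicy -Filter "Name='$RapName'"
    if (-not $cap) { throw "CAP '$CapName' not found on $ComputerName" }
    if (-not $rap) { throw "RAP '$RapName' not found on $ComputerName" }

    # Group lists are semicolon-separated strings such as
    # "COMPANY\Remote Desktop CAP Access;BUILTIN\Administrators".
    $capUsers = @($cap.UserGroupNames     -split ';' | Where-Object { $_ })
    $capComps = @($cap.ComputerGroupNames -split ';' | Where-Object { $_ })
    $rapUsers = @($rap.UserGroupNames     -split ';' | Where-Object { $_ })
    $domainUsersHits = @(($capUsers + $capComps + $rapUsers) | Where-Object { $_ -match 'Domain Users' })

    New-Object PSObject -Property @{
        CapEnabled         = [bool] $cap.Enabled
        CapPasswordOnly    = ([bool] $cap.PasswordAuthentication -and -not [bool] $cap.SmartcardAuthentication)
        CapHasAccessGroup  = (@($capUsers | Where-Object { $_ -match [regex]::Escape($CapUserGroup) }).Count -gt 0)
        CapComputerGroupOk = (@($capComps | Where-Object { $_ -match [regex]::Escape($RapCompGroup) }).Count -gt 0)
        CapTimeouts        = "idle=$($cap.IdleTimeout) session=$($cap.SessionTimeout)"
        RapEnabled         = [bool] $rap.Enabled
        RapResourceGroup   = "$($rap.ResourceGroupType):$($rap.ResourceGroupName)"
        RapUsesCompGroup   = ($rap.ResourceGroupName -match [regex]::Escape($RapCompGroup))
        DomainUsersAbsent  = ($domainUsersHits.Count -eq 0)
    }
}

Test-RdGatewayPolicies | Format-List
```

DomainUsersAbsent is the check worth keeping permanently: the wizard pre-populates Domain Users, and a policy that still lists it grants every domain account a path through the gateway regardless of the CAP Access group.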
- RD Session Host Configuration => Configure licensing settings for RDS CALs and the RD Connection Broker settings
- Licensing Tab:
- Select "Per User"
- Assign license server to appropriate resource by clicking on the Add button and selecting the correct server source
- RD Connection Broker:
- Click Change Settings and choose Dedicated farm redirection
- Choose Farm member and fill in the following:
- RD Connection Broker server name: wa01p.companydnsname.com
- Farm name: tsfarm.companydnsname.com
- Once the above is configured click OK to go back to the previous screen and configure the following:
- Select IP Address to be used for reconnection: Check the default IP Address
- Remote Desktop Services Manager => No configuration needed here as this just shows the active sessions on the local host
- Web Server (IIS)
- Go to the default.aspx file under the \RDWeb\pages\ folder and modify the setting "ShowDesktops" to "false"
- In the Local Users and Groups section for:
- Session Broker Computers add the following: Remote Desktop RAP Access group
- TS Web Access Computers add the following: Remote Desktop RAP Access group
- Remote Desktop Users add the following: Remote Desktop CAP Access group
==========================
RD Server Configuration (Detailed):
- For the Authentication Method choose "Do not require Network Level Authentication"
- For the Licensing Mode configure the option for "Per User"
- For user groups to be able to access this RD Session Host server enter in: Administrators (Default), Remote Desktop CAP Access group
- For Client Experience accept the defaults
- Web Server (IIS) => Accept the defaults
Tools that show as installed once complete:
- RemoteApp Manager => Leave as is as this is not configured on the RD servers
- Remote Desktop Connection Manager => Leave as is as this is not configured on the RD servers
- RD Session Host Configuration => Configure licensing settings for RDS CALs and the RD Connection Broker settings
- Licensing Tab:
- Select "Per User"
- Assign license server to appropriate resource by clicking on the Add button and selecting the correct server source
- RD Connection Broker:
- Click Change Settings and choose Farm Member
- Choose Farm member and fill in the following:
- RD Connection Broker server name: gateway.companydnsname.com
- Farm name: tsfarm.companydnsname.com
- Once the above is configured click OK to go back to the previous screen and configure the following:
- Participate in Connection Broker Load-Balancing: Checked
- Relative weight of this server in the farm: 100
- Select IP Address to be used for reconnection: Check the default IP Address
- Remote Desktop Services Manager => No configuration needed here as this just shows the active sessions on the local host
- In the Local Users and Groups section for:
- Session Broker Computers add the following: Remote Desktop RAP Access group
- TS Web Access Computers add the following: Remote Desktop RAP Access group
- Remote Desktop Users add the following: Remote Desktop CAP Access group
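The same three local-group additions appear for the WA servers above and for the RD servers here, and they have to be repeated on every farm member. The script below is an added example (not from the original post) that applies them to a list of servers through the ADSI WinNT provider, which works without PowerShell remoting, skips a local group a server does not have (Session Broker Computers only exists where the Connection Broker role is installed) and reports whether each membership was added or was already present. Server names are the post's placeholders; the NetBIOS domain name COMPANY is an assumption.

```powershell
# Added example (not from the original post): add the domain access groups to the local
# groups on every WA and RD server and report the outcome per server and group.
$Domain  = 'COMPANY'                        # assumption: NetBIOS name of the AD domain
$Servers = @('wa01p', 'rd01p', 'rd02p')     # post placeholders: WA server and RD session hosts
$Memberships = @(
    @{ Local = 'Session Broker Computers'; Domain = 'Remote Desktop RAP Access' },
    @{ Local = 'TS Web Access Computers';  Domain = 'Remote Desktop RAP Access' },
    @{ Local = 'Remote Desktop Users';     Domain = 'Remote Desktop CAP Access' }
)

function Get-LocalGroupMemberNames {
    param([string] $ComputerName, [string] $LocalGroup)
    # WinNT provider returns COM objects; pull each member's Name via late binding.
    $group = [ADSI]"WinNT://$ComputerName/$LocalGroup,group"
    @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
}

function Add-LocalGroupDomainMember {
    param([string] $ComputerName, [string] $LocalGroup, [string] $Domain, [string] $DomainGroup)
    # Returns $true when the member was added, $false when it was already present.
    if ((Get-LocalGroupMemberNames $ComputerName $LocalGroup) -contains $DomainGroup) { return $false }
    $group = [ADSI]"WinNT://$ComputerName/$LocalGroup,group"
    $group.Add("WinNT://$Domain/$DomainGroup,group")
    return $true
}

foreach ($server in $Servers) {
    foreach ($m in $Memberships) {
        # Skip local groups this server does not have instead of aborting the whole run.
        if (-not [ADSI]::Exists("WinNT://$server/$($m.Local),group")) {
            Write-Warning "$server has no local group '$($m.Local)', skipping"
            continue
        }
        $added = Add-LocalGroupDomainMember $server $m.Local $Domain $m.Domain
        '{0,-8} {1,-26} {2,-28} {3}' -f $server, $m.Local, $m.Domain,
            $(if ($added) { 'added' } else { 'already present' })
    }
}
```

Because Get-LocalGroupMemberNames is a read-only call, it doubles as an audit: running it alone for Remote Desktop Users on each host shows whether anything other than the CAP Access group and the built-in administrators has been granted logon to the session hosts.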