Solved

Deploy Remote Desktop Connection (RDP) Internal and External

Posted on 2013-01-25
Last Modified: 2013-04-08
We have set up a new RDS Server on Server 2008 R2, and are looking to deploy internally to AD Computers with a pre-configured RDP file.

I have looked at RD Web Access and RemoteApp as a possible solution to secure Port 3389 to outside world, but also need to work out how our Mac OS X Users.

The thought was that we could make the same RDP file above or pre-configured on Mac OS X to Mac OS X Users, and also make a similar file available to External Windows Users. Internally we are using Group Policy to deploy RDP file to All Users Desktop.

Any suggestions on above?

I am also interested to know how to use RDPSign correctly - I have followed http://technet.microsoft.com/en-us/library/cc753982(v=ws.10).aspx#BKMK_examples but keep getting an error "Unable to use the certificate specified for signing"

I suppose also it would be good to know how I can lock the RDP file down so a User cannot modify the options.
Question by:Flipp

Accepted Solution

by:
btan earned 500 total points
ID: 38823553
For the step-by-step RemoteApp [1], it is good to read through this. It touches on those you have queried about. Mac OS X also has an RDP client [2].
[1] http://technet.microsoft.com/en-us/library/cc730673.aspx
[2] http://www.microsoft.com/mac/remote-desktop-client

For securing RDP, please check out this [3], which focuses on a couple of key points.
[3] http://www.windowsecurity.com/articles-tutorials/misc_network_security/Securing-Remote-Desktop-Services-Windows-Server-2008-R2.html

Primarily, NLA should be turned on to protect against malicious users and malware attempts. There are a couple of crypto levels to note as well. If you want to use RD Web Access to make RemoteApp programs available to computers over the Internet, you should look into RD Gateway [4], as it helps you secure remote connections to terminal servers on your corporate network. Note that when using the gateway, it is running RDP over HTTPS (port 443), as firewalls typically block 3389.

[4] http://technet.microsoft.com/en-us/library/cc771530.aspx

For the RDPSign error, please check:
- Make sure that the thumbprint that you are using contains no spaces or capitals.
- Make sure that you are logged on as administrator.
- Make sure that you have the certificate installed in the trusted root certificates and that the private key is in there as well.
- After removing the spaces in your thumbprint, make sure the first character is not a question mark. If so, delete it!

I suggest you see the configuring of digitally signed .RDP files in [5] and via GPO.
[5] http://technet.microsoft.com/en-us/library/cc754499.aspx
[6] http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx?PageIndex=3

For locking the RDP file, I suggest this as well. And if you are not using a self-signed cert, you are already a notch higher. The link below touches on more factors to lock down, assuming the PKI you have internally is reliable.
http://www.sepago.de/e/nicholas/2012/06/14/3-measures-to-make-your-remote-desktop-deployment-more-secure
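
The thumbprint checks listed in the answer above, as an added PowerShell example that is not part of the original thread: it strips spaces and the hidden leading character from a pasted thumbprint, then reports which certificate stores hold the certificate and whether its private key is present. The thumbprint value and the .rdp path are constructed placeholders.

```powershell
# Constructed placeholder thumbprint, shaped like a value copied from the
# certificate dialog: an invisible leading character (shown as "?" in a
# console) followed by space-separated hex pairs.
$pasted = "$([char]0x200E)0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d"

function ConvertTo-CleanThumbprint {
    param([string]$Raw)
    # Keep only hex digits: drops spaces, the hidden character and a literal "?".
    $clean = ($Raw -replace '[^0-9a-fA-F]', '').ToLower()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters for a SHA-1 thumbprint, got $($clean.Length)."
    }
    return $clean
}

function Find-SigningCertificate {
    param([string]$Thumbprint)
    # Walk every store for the current user and the local machine and report
    # where the certificate sits and whether a private key is attached there.
    Get-ChildItem Cert:\ -Recurse |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Thumbprint -eq $Thumbprint   # -eq on strings ignores case
        } |
        Select-Object @{n='Store'; e={ ($_.PSParentPath -split '::')[-1] }},
                      Subject, NotAfter, HasPrivateKey
}

$thumb = ConvertTo-CleanThumbprint $pasted
$found = @(Find-SigningCertificate $thumb)

if ($found.Count -eq 0) {
    Write-Warning "No certificate with thumbprint $thumb found in any store."
} elseif (-not ($found | Where-Object { $_.HasPrivateKey })) {
    $found | Format-Table -AutoSize
    Write-Warning 'Certificate found, but no copy has a private key, so it cannot be used for signing.'
} else {
    $found | Format-Table -AutoSize
    # Print the command for review instead of running it; the file path is hypothetical.
    "rdpsign /sha1 $thumb `"C:\Deploy\corp-rds.rdp`""
}
```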

Author Comment

by:Flipp
ID: 38823596
Thanks for the reply. Question on (1): so are you saying I should add 'Remote Desktop Connection' as a RemoteApp OR set up a pre-configured RDP as a RemoteApp?

Assisted Solution

by:btan
btan earned 500 total points
ID: 38823625
Since you need RemoteApp, either way is alright, but I see RD Web Access as better if we can just go without an RDP file, all through a web connection. E.g. TS Web Access includes the Remote Desktop Web Connection feature, which allows users to connect from a Web browser to the remote desktop of any server or client computer where they have Remote Desktop access.

Author Comment

by:Flipp
ID: 38823642
So connecting to <server>/rdweb from a Mac I am unable to use any RemoteApps or Remote Desktop. Message from Safari is:

OS Version Not Supported
RD Web Access does not support this operating system. To see a list of supported operating systems, click here.

If you are running Windows XP or Windows Server 2003, you can obtain the latest service pack from the Windows Update Web site.

If you upgrade to Windows XP SP2 or Windows Server 2003 SP1, you must also install the Remote Desktop Connection 6.0 client update. You can learn about this update and download the installation package by visiting this website.

And if I use Mac's Remote Desktop Client, I then have to open port 3389 - I would rather tighten up and use RDWeb over 443 but have a number of Mac Users who still can't connect. All postings I can see confirm that Mac OS is not supported, as one of the fundamentals is the requirement of an ActiveX Control - which is not supported.

Looks like I am clearing out RD Web Access and TS Gateway from Server and sticking with Remote Desktop Connection Host :(

Assisted Solution

by:btan
btan earned 500 total points
ID: 38824021
Looks like RemoteApp for Mac OS X is still not ready, though the link below mentions another beta client that is going to support it.

http://apple.stackexchange.com/questions/63231/is-there-any-mac-os-software-really-supporting-windows-remoteapp

Just a note: for traffic to be fully on 443 only, you will need to have RD Gateway. RD Web Access eventually still needs 3389 when the remote client starts the session. See this for more info:

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/521b9d38-bcaa-40db-9a7f-f392d1615d1c

Author Comment

by:Flipp
ID: 38936214
I am still working on this one and will come back to you.

Author Closing Comment

by:Flipp
ID: 39060633
Sorry for delay on this one ..... there has been an issue outside of this topic which is delaying a test of this answer.