Solved

Deploy Remote Desktop Connection (RDP) Internal and External

Posted on 2013-01-25
Last Modified: 2013-04-08
We have set up a new RDS Server on Server 2008 R2, and are looking to deploy internally to AD Computers with a pre-configured RDP file.

I have looked at RD Web Access and RemoteApp as a possible solution to secure Port 3389 to outside world, but also need to work out how our Mac OS X Users.

The thought was that we could make the same RDP file above or pre-configured on Mac OS X to Mac OS X Users, and also make a similar file available to External Windows Users. Internally we are using Group Policy to deploy the RDP file to the All Users Desktop.

Any suggestions on above?

I am also interested to know how to use RDPSign correctly - I have followed http://technet.microsoft.com/en-us/library/cc753982(v=ws.10).aspx#BKMK_examples but keep getting an error "Unable to use the certificate specified for signing"

I suppose also it would be good to know how I can lock the RDP file down so a User can not modify the options.
Question by:Flipp

Accepted Solution

by:
btan earned 500 total points
ID: 38823553
For the step-by-step RemoteApp [1], it is good to read through this. It touches on those you have queried about ... Mac OS X also has an RDP client [2]
[1] http://technet.microsoft.com/en-us/library/cc730673.aspx
[2] http://www.microsoft.com/mac/remote-desktop-client

For securing RDP, please check out [3], which focuses on a couple of key points
[3] http://www.windowsecurity.com/articles-tutorials/misc_network_security/Securing-Remote-Desktop-Services-Windows-Server-2008-R2.html

Primarily, NLA should be turned on to protect against malicious user and malware attempts. There are a couple of crypto levels to note as well. If you want to use RD Web Access to make RemoteApp programs available to computers over the Internet, you should look into RD Gateway [4], as it helps you secure remote connections to terminal servers on your corporate network. Note that in such a case, using the gateway, it is running RDP over HTTPS (port 443), as FWs typically block 3389.

[4] http://technet.microsoft.com/en-us/library/cc771530.aspx

For the RDPSign error, please check:
- Make sure that the thumbprint that you are using contains no spaces or capitals.
- Make sure that you are logged on as administrator.
- Make sure that you have the certificate installed in the trusted root certificates and that the private key is in there as well.
- After removing the spaces in your thumbprint, make sure the first character is not a question mark. If so, delete it!

Suggest you see the configuring of digitally signed .RDP files in [5] and via GPO.
[5] http://technet.microsoft.com/en-us/library/cc754499.aspx
[6] http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx?PageIndex=3

For locking the RDP file, I suggest this as well. And if you are not using a self-signed cert, you are already a notch higher. The below touches on more factors to lock down, assuming here that the PKI you have internally is reliable ....
http://www.sepago.de/e/nicholas/2012/06/14/3-measures-to-make-your-remote-desktop-deployment-more-secure
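
The thumbprint, administrator and private-key checks from the RDPSign list above, as an added PowerShell example that is not part of the original answer. The function names are hypothetical, the pasted thumbprint is constructed, and the leading U+200E is an assumed stand-in for the invisible character that shows up as a question mark.

```powershell
# Added example, not from the thread. The pasted thumbprint below is constructed.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    # Keep hex digits only: removes spaces and any invisible character that a
    # copy from the certificate dialog can prepend (a console shows it as '?').
    # Lower-cased to follow the "no capitals" item in the checklist above.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits for a SHA-1 thumbprint, got $($clean.Length)."
    }
    $clean
}

function Find-SigningCertificate {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)
    $clean = ConvertTo-CleanThumbprint $Thumbprint
    # Search every store so you can see where the certificate is installed
    # and whether that copy carries its private key.
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Thumbprint -eq $clean
        } |
        Select-Object @{n='Store'; e={ ($_.PSParentPath -split '::')[-1] }},
                      Subject, HasPrivateKey, NotAfter,
                      @{n='ChainValid'; e={ $_.Verify() }}
}

function Test-IsElevated {
    # True when the current session runs with administrator rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Constructed input: a thumbprint as pasted, with spaces and a leading U+200E.
$pasted = [string][char]0x200E + '00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33'
$thumb  = ConvertTo-CleanThumbprint $pasted
"Elevated session : $(Test-IsElevated)"
"Clean thumbprint : $thumb"
$found = @(Find-SigningCertificate $pasted)
if ($found.Count -eq 0) { 'No certificate with that thumbprint is installed.' }
else { $found | Format-Table -AutoSize }
```

The cleaned value is the hash to pass to `rdpsign /sha1`; a row with `HasPrivateKey` set to `False` means that copy of the certificate cannot be used for signing.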

Author Comment

by:Flipp
ID: 38823596
Thanks for the reply .... question on (1) ...... so are you saying I should add 'Remote Desktop Connection' as a RemoteApp OR setup a pre-configured RDP as a RemoteApp?

Assisted Solution

by:btan
btan earned 500 total points
ID: 38823625
Since you need RemoteApp, either way is alright, but I see RD Web Access as better if we can just go w/o an RDP file, all through a web connection ... e.g. TS Web Access includes the Remote Desktop Web Connection feature, which allows users to connect from a Web browser to the remote desktop of any server or client computer where they have Remote Desktop access.

Author Comment

by:Flipp
ID: 38823642
So connecting to <server>/rdweb from a Mac I am unable to use any RemoteApps or Remote Desktop. Message from Safari is:

OS Version Not Supported
RD Web Access does not support this operating system. To see a list of supported operating systems, click here.

If you are running Windows XP or Windows Server 2003, you can obtain the latest service pack from the Windows Update Web site.

If you upgrade to Windows XP SP2 or Windows Server 2003 SP1, you must also install the Remote Desktop Connection 6.0 client update. You can learn about this update and download the installation package by visiting this website.

And if I use Mac's Remote Desktop Client, I then have to open port 3389 - I would rather tighten up and use RDWeb over 443 but have a number of Mac Users who still can't connect. All postings I can see confirm that Mac OS is not supported, as one of the fundamentals is the requirement of an ActiveX Control - which is not supported.

Looks like I am clearing out RD Web Access and TS Gateway from Server and sticking with Remote Desktop Connection Host :(

Assisted Solution

by:btan
btan earned 500 total points
ID: 38824021
Looks like RemoteApp for Mac OS X is still not ready ... though the below mentions another beta client that is going to support that ...

http://apple.stackexchange.com/questions/63231/is-there-any-mac-os-software-really-supporting-windows-remoteapp

Just a note: for traffic to be fully on 443 only, you will need to have RD Gateway. RD Web Access eventually still needs 3389 when the remote client starts the session ... see this for more info

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/521b9d38-bcaa-40db-9a7f-f392d1615d1c

Author Comment

by:Flipp
ID: 38936214
I am still working on this one and will come back to you.

Author Closing Comment

by:Flipp
ID: 39060633
Sorry for delay on this one ..... there has been an issue outside of this topic which is delaying a test of this answer.