Solved

Deploy Remote Desktop Connection (RDP) Internal and External

Posted on 2013-01-25
7
1,892 Views
Last Modified: 2013-04-08
We have set up a new RDS Server on Server 2008 R2, and I am looking to deploy internally to AD Computers with a pre-configured RDP file.

I have looked at RD Web Access and RemoteApp as a possible solution to secure Port 3389 to outside world, but also need to work out how our Mac OS X Users.

The thought was that we could make the same RDP file above or pre-configured on Mac OS X to Mac OS X Users, and also make a similar file available to External Windows Users. Internally we are using Group Policy to deploy the RDP file to All Users' Desktop.

Any suggestions on above?

I am also interested to know how to use RDPSign correctly - I have followed http://technet.microsoft.com/en-us/library/cc753982(v=ws.10).aspx#BKMK_examples but keep getting an error "Unable to use the certificate specified for signing"

I suppose also it would be good to know how I can lock the RDP file down so a User can not modify the options.

Question by:Flipp

7 Comments
LVL 61

Accepted Solution

by:btan
btan earned 500 total points
ID: 38823553
For the step by step RemoteApp [1], it is good to see through this. It touches those you have queried about ... Mac OS X also has an RDP client [2]
[1] http://technet.microsoft.com/en-us/library/cc730673.aspx
[2] http://www.microsoft.com/mac/remote-desktop-client

For securing RDP, pls check out this [3] that focuses on a couple of key pts
[3] http://www.windowsecurity.com/articles-tutorials/misc_network_security/Securing-Remote-Desktop-Services-Windows-Server-2008-R2.html

Primarily, NLA should be turned on to protect against malicious users and malware attempts. A couple of crypto levels to note as well. If you want to use RD Web Access to make RemoteApp programs available to computers over the Internet, you should look into RD Gateway [4] as it helps you secure remote connections to terminal servers on your corporate network. Note that in such case, using the gateway, it is running RDP over HTTPS (port 443) as firewalls typically block 3389.

[4] http://technet.microsoft.com/en-us/library/cc771530.aspx

For the RDPSign error, pls check
-Make sure that the thumbprint that you are using contains no spaces or capitals.
-Make sure that you are logged on as administrator
-Make sure that you have the certificate installed in the trusted root certificates and that the private key is in there as well
-After removing the spaces in your thumbprint, make sure the first character is not a question mark. If so, delete it!

Suggest you see the configuring of digitally signed .RDP files in [5] and via GPO.
[5] http://technet.microsoft.com/en-us/library/cc754499.aspx
[6] http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx?PageIndex=3

For locking the RDP file, I suggest this as well. And if you are not using a self-signed cert, you are already a notch higher. The below touches on more other factors to lock down. Assuming here that the PKI you have internally is reliable ....
http://www.sepago.de/e/nicholas/2012/06/14/3-measures-to-make-your-remote-desktop-deployment-more-secure
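The RDPSign checklist in the answer above, carried out as a script. This is an added example, not code from the thread or from Microsoft; the RDP file path and the certificate subject are assumptions, and the cleanup function implements the "no spaces, no capitals, no leading question mark" rule (the question mark is the invisible left-to-right mark that the certificate MMC snap-in pastes in front of a thumbprint).

```powershell
# Added example, not part of the thread: sign a pre-configured .rdp file with rdpsign.exe
# and confirm the signature landed. The file path and certificate subject are assumptions.
$rdpFile = 'C:\Deploy\Company-RDS.rdp'     # assumed path of the GPO-deployed RDP file
$subject = 'CN=rds.example.com*'           # assumed subject of the signing certificate

# Pick the signing certificate from the machine store; it must carry its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like $subject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$subject' with a private key in LocalMachine\My" }

# A thumbprint pasted from the certificate MMC snap-in usually carries spaces, upper-case hex
# and an invisible left-to-right mark (U+200E) that shows up as a leading '?'. rdpsign rejects
# all of those with "Unable to use the certificate specified for signing", so normalise first.
function ConvertTo-CleanThumbprint([string]$Raw) {
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($clean.Length -ne 40) { throw "'$Raw' is not a 40-character SHA-1 thumbprint after cleanup" }
    return $clean
}
$thumb = ConvertTo-CleanThumbprint $cert.Thumbprint

# Dry run first (/l tests signing without replacing the file), then sign for real.
& rdpsign.exe /sha1 $thumb /l $rdpFile
if ($LASTEXITCODE -ne 0) { throw "rdpsign dry run failed with exit code $LASTEXITCODE" }
& rdpsign.exe /sha1 $thumb $rdpFile
if ($LASTEXITCODE -ne 0) { throw "rdpsign failed with exit code $LASTEXITCODE" }

# A signed file gains 'signscope' (the settings the signature covers) and 'signature' lines.
# The client treats every setting named in signscope as read-only, which is the lock-down
# asked about: users cannot change those options without invalidating the signature.
$lines = Get-Content $rdpFile
$scope = ($lines | Where-Object { $_ -like 'signscope:s:*' }) -replace '^signscope:s:', ''
if (-not $scope -or -not ($lines | Where-Object { $_ -like 'signature:s:*' })) {
    throw "$rdpFile does not look signed"
}
Write-Host "Signed $rdpFile with $thumb; locked settings: $scope"
```

Clients only honour the signature if the certificate chains to a CA they trust (or its thumbprint is listed in the "trusted .rdp publishers" policy), so deploy that trust via GPO alongside the file.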
LVL 6

Author Comment

by:Flipp
ID: 38823596
Thanks for the reply .... question on (1) ...... so are you saying I should add 'Remote Desktop Connection' as a RemoteApp OR setup a pre-configured RDP as a RemoteApp?
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 38823625
Since you need RemoteApp, either way is alright, but I see RD Web Access is better if we can just go w/o an RDP file, all through a web connection ... e.g. TS Web Access includes the Remote Desktop Web Connection feature, which allows users to connect from a Web browser to the remote desktop of any server or client computer where they have Remote Desktop access.
LVL 6

Author Comment

by:Flipp
ID: 38823642
So connecting to <server>/rdweb from a Mac I am unable to use any RemoteApps or Remote Desktop. Message from Safari is:

OS Version Not Supported
RD Web Access does not support this operating system. To see a list of supported operating systems, click here.

If you are running Windows XP or Windows Server 2003, you can obtain the latest service pack from the Windows Update Web site.

If you upgrade to Windows XP SP2 or Windows Server 2003 SP1, you must also install the Remote Desktop Connection 6.0 client update. You can learn about this update and download the installation package by visiting this website.

And if I use Mac's Remote Desktop Client, I then have to open port 3389 - I would rather tighten up and use RDWeb over 443 but have a number of Mac Users who still can't connect. All postings I can see confirm that Mac OS is not supported, as one of the fundamentals is the requirement of an ActiveX Control - which is not supported.

Looks like I am clearing out RD Web Access and TS Gateway from Server and sticking with Remote Desktop Connection Host :(
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 38824021
Looks like RemoteApp for Mac OS X is still not ready ... though the below mentions another beta client going to support that ...

http://apple.stackexchange.com/questions/63231/is-there-any-mac-os-software-really-supporting-windows-remoteapp

Just a note: for traffic to be fully on 443 only, you will need to have RD Gateway. RD Web Access eventually still needs 3389 when the remote client starts the session ... see this for more info

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/521b9d38-bcaa-40db-9a7f-f392d1615d1c
LVL 6

Author Comment

by:Flipp
ID: 38936214
I am still working on this one and will come back to you.
LVL 6

Author Closing Comment

by:Flipp
ID: 39060633
Sorry for delay on this one ..... there has been an issue outside of this topic which is delaying a test of this answer.