Remote web access - News from the PC World

Remote web access

Remote Desktop Services Web Access in Windows Server 2008 R2

Today I would like to talk once more about a new feature in Windows Server 2008 R2 called Remote Desktop Web Access.

The logon page of this service can look like this:

After logging on to this site we see the list of applications that were published with RDS RemoteApps:

The applications shown in the picture are installed on our RDS servers running Windows Server 2008 R2 and published to the Internet through the SBS v7 TS Gateway server.

The look of the page can be changed, although this requires some basic IIS and ASP skills. For instance, besides the standard applications, on our Web Access page we placed links that let users connect to their own work computers and to other internal resources, i.e. the user's Remote Web Workplace in SBS 2008 and SBS v7 can be reconfigured for your specific needs.

Publishing RD Web Access

First, we must create the corresponding DNS A record for our host (for example remotewebaps.winitpro.ru) and then issue an SSL certificate using the IIS CSR snap-in on your RDS Web Access site.

On our Cisco SA 520 Gateway Security Appliance we created an alias for an additional IP address on the WAN interface, and then created a rule that forwards HTTPS traffic arriving at that IP to the internal IP address of our RD Web Access server.

So publishing Remote Desktop applications to the Internet is a fairly trivial task.

Remote Web Workplace links

On the Remote Web Workplace page we placed links to the rdp files of the applications we grant access to.

Applications are published with RemoteApp Manager on the Remote Desktop Services server.

Once all the required applications have been published, we generate an rdp file for each of them (right-click each application to do this). Then I copied all the rdp files to the /Remote application folder on the SBS v7 server (on SBS 2008 it is done the same way).

After that, users only need to click the Outlook link, authenticate, and then use Outlook from the remote system. This creates the illusion that the user is working with the mail client directly on their remote machine. But we know that Outlook is actually running on the Remote Desktop Services server (I have already written about installing Remote Desktop Services).

Users can also right-click the link and save the RDP file to their desktop for quick access to the applications later.

There is one more small nuance. By default IIS does not serve files with the RDP extension. So for the system to work correctly, you need to add the rdp extension to the MIME Types settings in IIS in the following format:
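The same MIME mapping done from PowerShell, as an added example that is not part of the original article. It assumes the WebAdministration module (IIS 7.5 on 2008 R2), an elevated prompt, the site name Default Web Site, and application/x-rdp as the MIME type for RDP files:

```powershell
# Added example (not from the original article): register the .rdp extension as a
# static-content MIME type so IIS serves the generated rdp files. Assumptions: the
# WebAdministration module is available, the site is "Default Web Site", and
# application/x-rdp is the MIME type to use for RDP files.
Import-Module WebAdministration

$site     = 'Default Web Site'
$sitePath = "IIS:\Sites\$site"
$filter   = 'system.webServer/staticContent'
$ext      = '.rdp'
$mime     = 'application/x-rdp'   # assumption: MIME type for RDP files

# Adding a duplicate mimeMap entry throws, so look for an existing (possibly
# inherited) mapping for .rdp first.
$existing = Get-WebConfiguration -PSPath $sitePath -Filter "$filter/mimeMap[@fileExtension='$ext']"

if ($existing) {
    Write-Host "MIME mapping for $ext already present: $($existing.mimeType)"
} else {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name '.' `
        -Value @{ fileExtension = $ext; mimeType = $mime }
    Write-Host "Added MIME mapping $ext -> $mime on '$site'"
}

# Verify: the site now returns a mapping for .rdp.
Get-WebConfiguration -PSPath $sitePath -Filter "$filter/mimeMap[@fileExtension='$ext']" |
    Format-Table fileExtension, mimeType -AutoSize
```

Setting the mapping at the site level (rather than on IIS:\ for the whole server) keeps other sites on the box from serving arbitrary .rdp files.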

Web Developer's Notes

Terminal server on Windows Server 2012 in a workgroup

Not familiar with Windows Server 2012 yet? I have already had the "luck" of setting up a terminal server on it. Honestly, it is completely unclear why the new ribbon interface had to be pushed into a server; Microsoft's logic lately defies explanation.

But that is not the worst of it. From now on, installing the terminal server role requires setting up a domain. I did not expect that surprise... I do not need a domain at all. Setting up a domain does not take much time, but why multiply entities where they are not needed.

However, everything turned out to be solvable, albeit with some additional steps, which I learned about from technet.microsoft.com.

Setting up the terminal server role on WinServer 2012 without a domain

There are no fundamental differences between installing Windows Server 2012 and Windows Server 2008 R2, so we will skip that stage. I will note that the operating system installs perfectly from a USB stick with the image written to it (I have not used CD/DVD for a long time; slow and tedious). Let's move straight to installing the RDS role on the server.

To do this, launch Server Manager and go to Local Server.

Next, start the Add Roles and Features wizard and select the installation type Role-based or feature-based installation.

You can install all the RDS role components at once, but Technet advises splitting the process into two stages for a better understanding of it. We will follow that advice.

First, install the Remote Desktop Licensing component.

After the process completes, launch RD Licensing Manager, activate our license server in it, and install the terminal license pack (for example: Windows Server 2012 RDS Per User CAL, 5 licenses).

There is nothing new here, so I will not describe this process in detail (I may cover the topic in a future article; I look forward to your suggestions and comments).

The wizard handles the whole activation and license pack installation; our task is to choose the licensing program, license type, quantity, etc. correctly.

In the second stage, install the Remote Desktop Session Host component.

After installing this component, the RD Licensing Diagnoser appears, which reports an error about the absence of a server that issues terminal licenses (unfortunately I did not take a screenshot of the error; the screenshot shows the server already working).

Note that the snap-in lacks the management tools that existed in Windows Server 2008 R2, i.e. there is no way to add a license server.

Configuring local policies for servers in a workgroup

Now the most interesting part. Fixing this situation is not hard; it is enough to configure just two local policies. Type gpedit.msc at the command prompt and change the corresponding keys.

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing: Use the specified Remote Desktop license servers (add the name of our license server)
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing: Set the Remote Desktop licensing mode (choose the license type)
In the Russian UI the same two policies are named Использовать указанные серверы лицензирования удаленных рабочих столов and Задать режим лицензирования удаленных рабочих столов.
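The same two policies applied and verified from PowerShell, as an added example that is not from the original post. It assumes the policy registry key and value names below (LicenseServers and LicensingMode under the Terminal Services policy key, with 2 = Per Device and 4 = Per User), and RDLICSRV01 is a placeholder server name:

```powershell
# Added example (not from the original post): write the registry values that the two
# local policies above set, then read them back. Assumptions: the policy key and value
# names below match "Use the specified Remote Desktop license servers" (LicenseServers)
# and "Set the Remote Desktop licensing mode" (LicensingMode, 2 = Per Device, 4 = Per User).
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$licenseServer = 'RDLICSRV01'   # placeholder: name of your RD Licensing server
$licensingMode = 4              # assumption: 2 = Per Device CAL, 4 = Per User CAL

if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# "Use the specified Remote Desktop license servers" (comma-separated list of servers)
New-ItemProperty -Path $policyKey -Name 'LicenseServers' -PropertyType String `
    -Value $licenseServer -Force | Out-Null

# "Set the Remote Desktop licensing mode"
New-ItemProperty -Path $policyKey -Name 'LicensingMode' -PropertyType DWord `
    -Value $licensingMode -Force | Out-Null

# Read back what the Session Host will use. Note: gpedit.msc reads its state from
# registry.pol, so it may still show these policies as Not Configured.
$cfg      = Get-ItemProperty -Path $policyKey
$modeName = switch ($cfg.LicensingMode) { 2 { 'Per Device' } 4 { 'Per User' } default { "unknown ($_)" } }
[pscustomobject]@{ LicenseServers = $cfg.LicenseServers; LicensingMode = $modeName }

# Basic reachability check of the license server from the Session Host (ICMP only).
if (-not (Test-Connection -ComputerName $licenseServer -Count 1 -Quiet)) {
    Write-Warning "License server $licenseServer does not answer ping; check name resolution and firewall."
}
```

Re-run the RD Licensing Diagnoser afterwards; if it still reports no license server, a restart of the Remote Desktop Services service picks up the new values.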


Installing the component: Remote Desktop Web Access

If a browser is to be used as the client, install the additional Remote Desktop Web Access component. Here everything is simple: just let the wizard add what it wants, in particular IIS. After installation completes, the server should respond in a browser on the client machine and show the Remote Web Access page.

Duo Authentication for Microsoft Remote Desktop Web on Windows 2012 and Later


Duo integrates with Remote Desktop Web Access (previously Terminal Services) to add two-factor authentication to RD Web logons, complete with inline self-service enrollment and Duo Prompt.

Overview

Duo Authentication for Microsoft Remote Desktop Web Access adds two-factor authentication protection to RD Web portal browser logons. When logging on to the RD Web portal, users receive the Duo enrollment or authentication page after primary authentication.

Remote applications may no longer be launched from the "RemoteApp and Desktop Connections" app feed after Duo is installed on your RD Web server.

Before you begin deploying Duo in your RDS environment, please read our Duo 2FA for Microsoft Remote Desktop Services overview to understand the capabilities and limitations of the different deployment options.

If you want to enforce two-factor authentication for all your clients, you should ensure that they must connect through RD Web Access with Duo and/or RD Gateway with Duo. If clients can establish a direct connection to your RD Connection Broker and/or Session Host(s), then they may be able to bypass two-factor authentication. Block direct RDP access to these hosts to mitigate the potential for bypass.

Deployment Tip

Set your application's "New user policy" to "Allow Access" while testing. Enrolled users receive the Duo authentication prompt, while all other users are transparently let through.

Then (when you're ready) change the "New user policy" to "Require Enrollment." This forces all your users to authenticate to Duo (or enroll) after RD Web logon.

Prerequisites

Make sure to complete these requirements before installing Duo Authentication for RD Web.

Check your server version. These instructions are for installing Duo Authentication for RD Web on Windows Server 2012 and later.

Make sure you have installed .NET Framework 4.5. You can do this, for example, by running the following PowerShell commands:

Also make sure you have installed ASP.NET 4.5 support for IIS. The PowerShell commands for this are:

Ensure that the IIS Management Scripts and Tools feature is turned on as well. PowerShell example:
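The three prerequisite steps above as one added check-and-install script (my code, not Duo's). The Windows feature names NET-Framework-45-Core, Web-Asp-Net45 and Web-Scripting-Tools are my assumption for .NET Framework 4.5, ASP.NET 4.5 for IIS and IIS Management Scripts and Tools respectively:

```powershell
# Added example (not from the Duo documentation): verify the Duo for RD Web prerequisites
# on Windows Server 2012+ and install whatever is missing. Assumption: the feature names
# below correspond to the three components listed in the Prerequisites section.
Import-Module ServerManager

$required = @(
    'NET-Framework-45-Core',   # .NET Framework 4.5
    'Web-Asp-Net45',           # ASP.NET 4.5 support for IIS
    'Web-Scripting-Tools'      # IIS Management Scripts and Tools (WebAdministration module)
)

$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }

if ($missing) {
    Write-Host "Installing: $($missing.Name -join ', ')"
    $result = Install-WindowsFeature -Name $missing.Name
    if (-not $result.Success) {
        throw "Feature installation failed; see $($result.ExitCode)"
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A restart is required before running the Duo installer.'
    }
} else {
    Write-Host 'All Duo for RD Web prerequisites are already installed.'
}

# Final verification: every required feature must report Installed = True.
Get-WindowsFeature -Name $required | Format-Table Name, Installed, InstallState -AutoSize
```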

This application communicates with Duo’s service on TCP port 443. Firewall configurations that restrict outbound access to Duo’s service with rules using destination IP addresses or IP address ranges aren’t recommended, since these may change over time to maintain our service’s high availability. If your organization requires IP-based rules, please review this Duo KB article.

First Steps

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate the entry for Microsoft RD Web in the applications list. Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
  4. Download the Duo Authentication for Remote Desktop Web Installer Package. View checksums for Duo downloads here.

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don’t share it with unauthorized individuals or email it to anyone under any circumstances!

Installation

Launch the Duo Security installer MSI from an elevated command prompt (right-click "Command Prompt" and select the "Run as Administrator" option). Accept the license agreement and continue.

Enter the integration key, secret key, and API hostname from the properties page of the "Microsoft RD Web" application you created earlier.

If you leave the "Bypass Duo authentication when offline" box in the Duo installer checked, then your users will be able to log on without completing two-factor authentication if the Duo Security cloud service is unreachable. If that box is unchecked then all RD Web login attempts will be denied if there is a problem contacting the Duo service.

Duo for RD Web sends a user's Windows sAMAccountName to Duo's service by default. To send the userPrincipalName to Duo instead, check the Use UPN username format box.

If you enable the UPN username format option, you must also change the properties of your RD Web application in the Duo Admin Panel to change the "Username normalization" setting to None. Otherwise, Duo drops the domain suffix from the username sent from RD Web to our service, which may cause user mismatches or duplicate enrollment.

If you only have one Windows Server instance running the Remote Desktop Web Access role, select the option to automatically generate a new key. However, if you have multiple servers running RD Web Access role then you should manually generate a random string at least 40 characters long, and use the same string as the session key during installation on each of the servers.

For example, you could use the following PowerShell commands to generate a suitable session key:
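An added example of such a generator (my code, not Duo's). It draws from the .NET CSPRNG with rejection sampling so the key is unbiased over an alphanumeric alphabet that is safe to paste into the installer; the function name New-SessionKey and its $Length parameter are my own:

```powershell
# Added example (not from the Duo documentation): generate a random session key of at
# least 40 characters for the shared session key on every RD Web server in a multi-server
# deployment. New-SessionKey and -Length are names chosen for this example.
function New-SessionKey {
    param([int]$Length = 40)
    if ($Length -lt 40) { throw 'Duo requires a session key of at least 40 characters' }

    # Alphanumeric alphabet (62 symbols) keeps the string safe to paste into the installer.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng      = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $byte     = New-Object byte[] 1
    $sb       = New-Object System.Text.StringBuilder
    # Largest multiple of the alphabet size that fits in a byte; values at or above it
    # are discarded so that the modulo reduction does not favour the first symbols.
    $limit    = 256 - (256 % $alphabet.Length)

    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) {
            [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
        }
    }
    $rng.Dispose()
    $sb.ToString()
}

$key = New-SessionKey -Length 48
# Sanity check before pasting the key into each server's installer.
if ($key.Length -lt 40 -or $key -notmatch '^[A-Za-z0-9]+$') { throw 'Session key generation failed' }
$key
```

Use the same output string during installation on every RD Web Access server; treat it like any other shared secret and do not leave it in a transcript or history file.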

Complete the Duo installation. The Duo installer stops and then restarts IIS services on your RD Web server automatically.

Test Your Setup

To test your setup, log into Remote Desktop Web Access. Duo's enrollment or login prompt appears after you enter your username and password:

If you plan to permit use of WebAuthn authentication methods (security keys, U2F tokens, or Touch ID), Duo recommends enabling hostname whitelisting for this application and any others that show the inline Duo Prompt before onboarding your end-users.


With Duo installed on only the RD Web server, when you launch a RemoteApp there is no additional two-factor authentication verification. If your session host is configured to use RD Gateway we recommend installing Duo on your RD Gateway server as well. See the RD Web and RD Gateway instructions.

If you installed Duo Authentication for both RD Web and RD Gateway, you receive an additional Duo authentication request via push or phone call when you launch a RemoteApp.

Updating Duo for RD Web

You can upgrade your Duo installation over the existing version; there's no need to uninstall first.

Download the most recent Duo RD Web Installer Package and run the MSI from an elevated command prompt. View checksums for Duo downloads here.

Follow the on-screen prompts to complete the upgrade installation. Note that the installer restarts IIS services.

Troubleshooting

Need some help? Take a look at the RDS Frequently Asked Questions (FAQ) page or try searching our RDS Knowledge Base articles or Community discussions. For further assistance, contact Support.


Redirect to the Remote Web Access pages (/RDWeb)

If you have published Remote Desktop Web Access out of the box, and you visit http(s):// , you'll be presented with the IIS welcome page:

To prevent this you need to redirect the root to /RDWeb.

On the RD Web Access server(s) open Internet Information Services (IIS) Manager (it's under Administrative Tools). Expand the tree and click Default Web Site, then open the "HTTP Redirect" feature:

Fill in the redirect path, don't forget to check "Only redirect requests to content in this directory", and click Apply.

That's it. No need to reset IIS. This is tested to be working on Windows 2012 and Windows 2012 R2 versions of RD Web Access.

As an added bonus, HTTP requests are redirected to HTTPS as well.
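The same redirect configured with the WebAdministration module instead of the IIS Manager GUI, as an added example that is not from the original post. It also runs the two checks that the comment thread keeps returning to when HTTP-to-HTTPS redirection does not work (a port 80 binding and "Require SSL" on the site root). The site name Default Web Site and the host rdweb.example.com are assumptions:

```powershell
# Added example (not from the original post): enable the root -> /RDWeb HTTP Redirect on
# the site, with "Only redirect requests to content in this directory" (childOnly), then
# check the two usual reasons plain-HTTP requests never get redirected.
# Assumptions: the site is "Default Web Site"; rdweb.example.com is a placeholder host.
Import-Module WebAdministration

$site     = 'Default Web Site'
$sitePath = "IIS:\Sites\$site"
$redirect = 'system.webServer/httpRedirect'
$target   = 'https://rdweb.example.com/RDWeb'   # placeholder for your public RD Web URL

Set-WebConfigurationProperty -PSPath $sitePath -Filter $redirect -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $sitePath -Filter $redirect -Name destination        -Value $target
Set-WebConfigurationProperty -PSPath $sitePath -Filter $redirect -Name childOnly          -Value $true
Set-WebConfigurationProperty -PSPath $sitePath -Filter $redirect -Name httpResponseStatus -Value 'Found'

# Check 1: without an http binding the site never sees port 80 traffic, so the
# HTTP -> HTTPS redirect cannot fire (see the "Bindings" advice in the comments).
$hasHttp = Get-WebBinding -Name $site | Where-Object { $_.protocol -eq 'http' }
if (-not $hasHttp) {
    Write-Warning "No http binding on '$site'; plain HTTP requests will not be redirected."
}

# Check 2: "Require SSL" on the site root answers HTTP with 403 before the redirect
# runs. Keep it on /RDWeb if you like, but not on the root.
$access = Get-WebConfiguration -PSPath $sitePath -Filter 'system.webServer/security/access'
if ("$($access.sslFlags)" -match 'Ssl') {
    Write-Warning "Require SSL is set on the root of '$site'; clear it there so HTTP can be redirected."
}

# Show the resulting redirect settings; only the site root should carry them.
Get-WebConfiguration -PSPath $sitePath -Filter $redirect |
    Select-Object enabled, destination, childOnly, httpResponseStatus
```

With childOnly set, /RDWeb, /Rpc and /RpcWithCert keep answering normally, which is what the RD Gateway and the RDP client need.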


25+ years experience in Microsoft powered environments. Enjoy automating stuff using PowerShell. In my free time (hah! as if there is any) I used to hunt achievements and gamerscore on anything Xbox Live enabled (Windows Mobile, Windows 8, Windows 10, Xbox 360 and Xbox One). Recently I picked up my Lego addiction again.

27 comments on "Redirect to the Remote Web Access pages (/RDWeb)"

HTTP to HTTPS redirect is not happening for me. Can you please explain how to make it so?

Hi Momo,
On IIS, the website that holds the /rdweb app, right-click the website and check "Bindings". Make sure port 80 is listed for that website. If the website is listening on both 80 and 443, http to https redirection will happen with the settings described in this post.

Yes, it's listening on both 80 and 443. But for some reason redirect is not happening.
What else could be causing it not to work in your opinion?

What do you see when you access the root page on port 80? The IIS page, or page not found?

Hi,
I had the same issue as Momo, https redirect works perfectly, however I discovered today http redirect was pointing me back to the default IIS page.

However, I fixed it by doing the following. This will use the default.asp page in the root directory to do the HTTP to HTTPS, along with URL redirect.

1. Make sure HTTP redirect is disabled (if it was set from the instructions above, the following code works for both HTTP and HTTPS)
2. Create a default.asp page with the following code

3. Paste the default.asp into the c:\inetpub\wwwroot directory

4. Click Default Web Site, then open the "Default Document" icon

5. Move Default.asp to the top of the tree.

Hi David,
Sorry for the late reply, was on vacation :)
Thanks for this, that should work as well.
However,
If the IIS redirect is not working, something is amiss. Although your solution works, it's a workaround for the problem which then still exists.

Had same issue with HTTPS was working but HTTP was not. I was able to back out the change, do it again making sure to click Apply in the top right corner this time, and it worked.

Hi,
I have set up my RDS 2012 R2 with separate servers, like RD Gateway, RD Web, RD SH, RD Connection Broker.

I have my RD Web role on the Gateway server as well so I am able to access resources INTERNALLY and EXTERNALLY.

My issue: when I remove that RD Web role from the Gateway server, I am getting error 404, and so I have followed the above steps (HTTP REDIRECT) on my RD Web server (individual server).

Should RD Gateway have the RD Web role? If not, what else has to be done to achieve the access?

Hi Mahe,
Make sure that when you removed the RD WA role from the RD GW server, your deployment recognizes the remaining RD WA role on the other server. You can see this in the deployment overview. Also, as a best practice, if you separate the roles, use different certificates for the roles.
And to answer your question: RD GW can go perfectly fine on a separate server, you don't need to have RD WA on that same server.

Hello Arjan. Thank you very much for your work. I followed your steps and everything works perfectly. I have a quick question though. I noticed that under Default Web Site the Rpc and RpcWithCert virtual subdirectories are also inheriting the redirection. Do we want this behavior? Is it ok if the remote desktop client tries to reach https://gate.company.com/rpc and is being redirected to RDWeb instead?


I believe the redirection only works when a user tries to enter the root folder (like https://gate.company.com). Any subfolders in the root do not get redirected, that's why I put the check in "only redirect..".

Is it possible to use federated authentication (for example Shibboleth) to authenticate users in rdweb?

Hi Andre,
No there is not :(

I can access https://fqdn/rdweb on my internal network, but not externally. I can see the traffic get through my firewall, but it times out if coming from outside the network.

Any thoughts? Thank you!

Hi Adam,
I'd check routing from the webaccess / gateway server back to the internet, and Windows Firewall on the webaccess / gateway server. Make sure the server has just 1 IPv4 address. Maybe, if webaccess and gateway roles are on the same server, modify your RAP to allow all computers and your CAP to allow all users, just to check. Other than that I don't have any quick tips.

You are a lifesaver! I've been tearing my hair out trying to figure out why I couldn't get RDWeb connecting via 443 (would work fine with 3389) and this ended up solving it! I had previously set up a single instance 2012 RDS instance and never had this problem, but now I'm setting up a high availability cluster in 2016 and just couldn't get 443 working.

Thank you for this post! I completely forgot about redirecting and was fighting this for the better part of a day when I finally decided to ask Dr. Google. This worked perfectly.

And another note. This also worked for RDS 2016.

I tried this before on my 2012 R2 deployment whereby web access and gateway roles were on the same server. I may have done it wrong, but setting the redirect meant the gateway service stopped working.

Is this expected to work when both roles are on the same server using the above settings?

Hi James,
I'm using the exact same thing on my 2016 webaccess/gateway server and have been using it on 2012r2 before upgrading, so yes, it works as advertised.

Perfect, thank you. Will give it another go.

I completed the change as outlined, but HTTPS redirection was working and HTTP redirection was not. I had configured SSL on the site and needed to uncheck 'Require SSL' in order for HTTP to HTTPS redirection to work properly.

Not sure if anyone else has found this, but I suspect some update recently has disabled this redirect for us. I now have to re-enable it again.

Good write-up, I am a regular visitor of this site, keep up the excellent work, and I am going to be a regular visitor for a long time.

I had the same issue of HTTP to HTTPS redirect not working. In my case, I was not forwarding port 80 on my firewall (duh). Figured I would post in case it helps someone else.

Remote Desktop Web Access – Connection Error

KB ID 0001141

Problem

Eleven days! That's how long it took to fix this. After seven days, I bit the bullet and logged a call to Microsoft. I spent hours on the phone to the Remote Desktop Team, the Web Application Proxy Team, and the Networking Team. I replicated the error by building a complete new domain, PKI, ADFS, Remote Desktop deployment and Web Application Proxy server. Then today I got a call from the 'Connectivity Team' who had it fixed in about 45 minutes.

Symptoms:

I had the entire deployment built in VMware, and it was deployed behind a Cisco ASA 5510 (it was a proof of concept for a client). The Web Application Proxy was in a DMZ. All this was sat on my test bench, and I was remote VPN connected. To test, I was using a Windows 10 client that was running on my laptop (in VMware Fusion). I had all the public DNS names in the remote client's 'hosts' file.

Your computer can't connect to the remote computer because the Remote Desktop Gateway server's certificate has expired or has been revoked. Contact your network administrator for assistance.

After trying to get rid of this error, Microsoft asked me to put another client in the DMZ and try connecting through the Web Application Proxy from there. Then I got this error:

Your computer can't connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance.

Solution

I had the Remote Desktop Web Access and the Remote Desktop Gateway roles installed on the same server (which is fine). You will notice if you look at the examples I posted above that the URL for web access was https://remote.smoggyninja.com (1), and the Gateway is set to rdg.smoggyninja.com (2); both of these resolved to the public IP address of the Web Application Proxy. Then on the Web Application Proxy they resolved to the internal IP address (192.168.100.114, set in the server's hosts file).

This was the problem! Simply changing the advertised name of the Remote Desktop Gateway server from 'rdg' to 'remote' fixed all the problems.

Launch Server Manager > Remote Desktop Services > Collections > > Tasks > Edit Deployment Properties > RD Gateway > Change > Apply.

Related Articles, References, Credits, or External Links

Special thanks and kudos to Nathanaël Stassart who tested the whole concept for me, and stayed engaged in the Microsoft Forum.
