Deploying Remote Desktop Web Access with Remote Desktop Connection Broker (RDS Pt2)

For this exercise, you will need a suitable certificate infrastructure in place. Some thought is needed. We will be deploying our remote desktop service to internal domain clients so certificate revocation checks should work by default. Consider the following certificate requirements:

• The certificate must be trusted explicitly or from a trusted root certificate.
  
• The certificate name or the Subject Alternative Name must match the fully-qualified domain name of the server.
  
• The certificate must support Server Authentication or Remote Desktop Authentication Extended Key Usage.
  
• Indirect certificate revocation lists are not supported.
  
• Certificate revocation checks are performed by default.
  
• When you use CredSSP, you can turn off certificate revocation checks by configuring the following registry entry to a value of 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
  
• When you use Transport Layer Security (TLS), you can turn off certificate revocation checks by configuring the following registry entries to a value of 0: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\ CertChainRevocationCheck and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\ CertChainRevocationCheck

The last two points are not necessary to configure. What I recommend is constructing a certificate template based on Web Server (I seem to always use this!). The subject name should be set to be 'supplied in the request' and the remote desktop session host (RDSH) server should be listed on the ACL with enroll and read permissions. Also allow the private key to be exported. When the RDSH server makes the request from the CA using certificate snapin, you can supply the internal DNS name and external DNS names using the subject alternative name. Don't forget to supply the correct CRL locations on the CA itself BEFORE you make the certificate request. You might need to add a new CRL location perhaps to a DMZ web server. I will write a post on this later.

Once the RDSH server has a certificate do the following:
First, configure a certificate used to digitally sign the RDP file by using RemoteApp Manager.

To configure a certificate used to digitally sign the RDP file

1. Log on to SRV1 as Domain\Administrator.
   
2. Click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
   
3. Under the Overview section, click Change next to Digital Signature Settings.
   
4. Select the Sign with a digital certificate check box.
   
5. Click Change.
   
6. On the Confirm Certificate page, select the appropriate certificate, and then click OK.
   
7. Click OK to close the RemoteApp Deployment Settings dialog box.

You must add the thumbprint of the certificate used to digitally sign the RDP file to the Default Domain Group Policy setting. This is required so that the trusted publisher warning dialog box is not shown to the user each time the RemoteApp program is started.

To add the certificate thumbprint to the Default Domain Group Policy setting

1. Log on to a domain controller as Domain\Administrator.
   
2. Open the GPMC. To open the GPMC, click Start, point to Administrative Tools, and then click Group Policy Management.
   
3. Expand Forest: compulinx.local, expand Domains, and then expand compulinx.local
   
4. Right-click Default Domain Policy, and then click Edit.
   
5. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.
   
6. Double-click Specify SHA1 thumbprints of certificates representing trusted .rdp publishers.
   
7. Select the Enabled option.
   
8. In the Comma-separated list of SHA1 trusted certificate thumbprints box, type the certificate thumbprint used to digitally sign the RDP file, and then click OK.
 

Configure the domain joined client computer (Windows 7)

To configure the client computer, you must:Import the digital certificate used by RDSH server to the Trusted Root Certification Authorities certificate store of the computer account. You must import a PFX certificate file that includes the private key. I export the certficate first to a shared location and then import on the client machine using the certificate snapin.

 

Configure the RD Connection Broker server (RDCB server)

On a separate member server, install the RD Connection Broker role service. Import the digital certificate used by RDSH server to the Personal certificate store of the computer account (remebering to import a PFX certificate like you did above). Configure a certificate used to digitally sign the RDP file.

To configure a certificate used to digitally sign the RDP file

1. Open Remote Desktop Connection Manager. To open Remote Desktop Connection Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.
   
2. Under the Virtual Desktops: Resources and Configuration heading, click Specify next to Digital Certificate.
   
3. On the Digital Signature tab, select the Sign with a Digital Certificate check box.
   
4. Click Select.
   
5. In the Confirm Certificate dialog box, click the certificate that you want to use for signing the RDP files, and then click OK.
   

Configure the RD Web Access server (RDWA server) 

On a separate member server, install the RD Web Access role service.You will need to obtain a certificate for this server like you obtained a certificate for the RDSH server. You can duplicate the 'Web Server' template as before,making sure the ACL is correct etc. 
Add the thumbprint of the certificate used for the RD Web Access server to the Default Domain Group Policy setting by using the GPMC as also done above under the configuration of RDSH server.