Category Archives: Windows Server 2019

Remote Desktop Services – Full Desktop Sessions vs Start Program Automatically vs RemoteApp/RDWeb

FULL DESKTOP SESSIONS:   The most common way to use Remote Desktop Services (RDS) on Windows Server 2016 or Windows Server 2019 is full “desktop sessions”, where each user gets their own desktop session in which they can customize the desktop, run programs (usually in simultaneous multi-user mode, e.g. a split MS Access application where each user has their own front-end), save and share files, open MS Office documents (if Office is installed), and so on.   Users can share files with each other through public folders.  Desktop sessions are the default method in RDS and are easy to use from any device with a Microsoft Remote Desktop client, which is built into Windows PCs and can be downloaded for macOS, iOS, Android, etc. If you need to share and save files, work with Office, install several applications, or have full desktop features, you will likely want regular/full desktop sessions rather than the additional configuration and complexity of RemoteApp/RDWeb.  An RDS setup with full desktop sessions can be set up within a few hours.

START PROGRAM AUTOMATICALLY UPON LOGON:  If you want some (or all) users to open only one particular program/application when they log on to the server, and do not want to give them a full desktop session, you can configure this in each individual user’s profile settings, on the Environment tab under Properties.  This is easy to set up and is done on a user-by-user basis.  Starting with Windows Server 2016, a registry value must be set before the per-user Environment tab is honored at all, so please contact Riptide Hosting to change this registry value.   With this configured, the application opens automatically when the user logs on, and when they close the application the entire session ends without a desktop ever being shown.  This option may work if you have a single program for users to access and do not want to provide a desktop session.  It probably will not work well if you have multiple applications, need users to save or share files, or export files to Excel, etc. (then you would want full desktop sessions).  Note that an initial program is a convenience, not a security boundary: anything the application itself can launch (a file-open dialog, a help link that starts a browser, a macro that runs a shell) still runs as that user on the server, so for untrusted users pair it with the group-policy lockdown described below.  Contact us for a few screenshots of this option.   For example, on the Environment tab of the user’s properties, enable “Start the following program at logon” and in the “Program file name” field use a command line like the following, which starts an MS Access application (both paths are quoted because of the spaces):  “C:\Program Files (x86)\Microsoft Office\Office16\MSACCESS.EXE” “C:\users\xxx\xxx.mdb or .accde”
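As an added example that is not part of the original post, here is the same configuration done in PowerShell on the server: it sets the registry value that Windows Server 2016 and later require before the per-user Environment tab is read (fQueryUserConfigFromLocalMachine under the Terminal Services policy key, the value the post refers to), then sets the initial program for one local user through the ADSI WinNT provider. The user name Dan and the front-end path are placeholders; only the MSACCESS.EXE path is taken from the post.

```powershell
# Added example, not the post's own code. Run in an elevated PowerShell on the RDS host.
# Placeholders: local user 'Dan' and the front-end path C:\Apps\Widgets\widgets.accde.

$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $tsPolicy)) { New-Item -Path $tsPolicy -Force | Out-Null }

# Windows Server 2016+ does not read the per-user "Environment" settings of local
# accounts unless this value is 1 (domain accounts use fQueryUserConfigFromDC instead).
Set-ItemProperty -Path $tsPolicy -Name 'fQueryUserConfigFromLocalMachine' -Value 1 -Type DWord

$userName   = 'Dan'
$accessExe  = 'C:\Program Files (x86)\Microsoft Office\Office16\MSACCESS.EXE'   # path from the post
$frontEnd   = 'C:\Apps\Widgets\widgets.accde'                                     # placeholder
$workingDir = Split-Path $frontEnd -Parent

# Quote both paths, exactly as in the Environment tab, because of the spaces.
$initialProgram = "`"$accessExe`" `"$frontEnd`""

# IADsTSUserEx properties of a local account, reached through the ADSI WinNT provider.
$user = [ADSI]"WinNT://$env:COMPUTERNAME/$userName,user"
$user.PSBase.InvokeSet('TerminalServicesInitialProgram', $initialProgram)
$user.PSBase.InvokeSet('TerminalServicesWorkDirectory', $workingDir)
$user.PSBase.SetInfo()

# Read back what the RDS host will launch for this user at logon.
[PSCustomObject]@{
    User           = $userName
    InitialProgram = $user.PSBase.InvokeGet('TerminalServicesInitialProgram')
    WorkDirectory  = $user.PSBase.InvokeGet('TerminalServicesWorkDirectory')
}
```

The registry value is machine-wide; once it is set, the Environment tab of every local account is honored again, so review other users whose tab may have stale values.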

REMOTEAPP/RDWEB:  RemoteApp/RD Web Access is an RDS role that can be installed separately; users log in to a website (https://yourdomainname/rdweb or https://yourIPaddress/rdweb) and see only the applications you have published to them.  RemoteApp/RDWeb is a great choice when you do not want to provide a desktop session, but it is much more complex to set up. It requires the server to be part of a domain (either domain joined, or with the Active Directory Domain Services (AD DS) role installed on the server itself) and requires the RD Connection Broker and RD Web Access roles.  If you install the AD DS role on the same single server, install AD DS before the RDS roles (RD Session Host, RD Gateway, RD Connection Broker, RD License Server, and RD Web Access).   With RemoteApp you will want trusted SSL certificates installed for all RDS roles; the RDWeb site is a public login page, and a self-signed certificate there only teaches users to click through certificate warnings.  Historically RemoteApp did not work well for Mac users or in browsers other than Internet Explorer (the RDWeb page relied on an ActiveX control), but these limitations have gone away in newer versions of Windows Server.  With RemoteApp/RDWeb you access your applications through a website at https://IPADDRESSorFQDN/rdweb.  We recommend you use an IT consultant/firm that has set up RemoteApp/RDWeb before, and we can provide referrals if needed.

FULL DESKTOP SESSIONS WITH GROUP POLICIES:  If you want to provide full desktop sessions but lock down what users can see or do beyond the defaults, you can set up group policies that affect only non-administrator users.  Here is an older blog post on doing this on a workgroup server (if your server is domain joined, do it through the domain controller instead): https://www.riptidehosting.com/blog/how-to-create-group-policies-in-server-2012r2-that-only-affect-specified-users/    Group policy is a very powerful way to lock down the server for regular users.  That said, it is relatively complex and easy to accidentally lock yourself out with, so we recommend you have us take a snapshot first before applying group policies, and that you test each change by logging on as a non-administrator test user before rolling it out.

Purchasing and Installing a Trusted SSL Certificate to use for RDGW & RDSH

Below are general steps to purchase/install a trusted SSL certificate for use with Remote Desktop Gateway (RDGW) and Remote Desktop Session Host (RDSH) installed on the same single server in workgroup mode.  We wrote this using a trusted SSL cert from GoDaddy.  Our clients can ask for a more detailed tutorial of this process too.

1. Assumes you have already installed the RDSH and RDGW roles on the remote Windows Server.

2. The subdomain/host name you will purchase the SSL cert for needs to resolve to the IP address of the server.  In this example, we want “RDP.widgets.com” to point to the server’s IP address xxx.xxx.xxx.xxx. You already own the domain name widgets.com (which can be any domain you own through a registrar like GoDaddy).

Go to the parent domain in GoDaddy, click Manage DNS, go to the zone file section and click “Add record”.  Add an “A (Host)” record with host “RDP” (or whatever you are using in front of the domain name), which makes it “RDP.widgets.com”, pointing at the IP address of the remote server.  Save, and after a few minutes you will be able to ping (or nslookup) the full name and it should return the IP address of the remote server.

We tried Let’s Encrypt (free certificates, valid for 90 days, so they have to be renewed roughly every 60 days) but found it difficult to use with Windows IIS at the time.

3. Create a certificate request on the remote Windows Server using IIS Manager

Open IIS Manager on the remote Windows Server; in the Connections pane on the left, click your server name.  In the middle pane, double-click the “Server Certificates” icon, which opens the server certificates screen showing the self-signed cert currently in use.  In the Actions pane on the right, click “Create Certificate Request”.

Fill out the fields: Common name must be the exact host name you are requesting the cert for (i.e. “RDP.widgets.com”); Organization and Organizational unit can be your legal name; State should be spelled out, not abbreviated; and Country can be US.  Set the bit length to 2048 (public CAs no longer issue certificates for shorter RSA keys; leave the default cryptographic service provider).  Give the CSR (certificate signing request) file a name; it is saved in C:\Windows\System32 unless you specify a full path in the file name field.

4. Purchase SSL Cert at GoDaddy by inputting CSR info

Go back into your GoDaddy account and purchase an SSL cert (we used the DV type in this example) at GoDaddy ($79.99/yr, although you may find a discount code for year 1).  After purchase, go back into your GoDaddy account to the SSL cert and press “Setup”.

Click on New Certificate, then choose “Input a CSR” (you will use the CSR you generated on the remote server via IIS Manager).  Do not select “Domain hosted with GoDaddy”.  Type in domain/url field for what you want the SSL cert to issued for, for example “RDP.widgets.com”. 

Copy in the CSR text from the file you created on the remote server, using the entire text including the “-----BEGIN…-----” and “-----END…-----” lines.  Select the default GoDaddy signature algorithm.

You will see the SSL Cert fields change to pending verification and you will have to wait approximately 20 minutes for it to change to ready/certificate issued.

5. Download SSL Cert from GoDaddy and copy it to remote server and install it in IIS Manager

Click download, choose IIS (Windows) and it will download the .zip file with certificate.  Copy this .zip file to the remote server and extract it.

Go back into remote Windows Server, IIS manager, the server certificates icon/section and click on “complete certificate request” under actions.

Browse to the certificate file from the GoDaddy zip and enter a friendly name (the friendly name only identifies the certificate).  Put it in the Personal store.  In our example we did not have to do anything with the intermediate certificate (Windows can usually build the chain itself from the AIA URL in the certificate); if clients report an untrusted chain anyway, import the intermediate bundle from the zip into the server’s Intermediate Certification Authorities store.  To select the certificate file we had to change the file type dropdown to show all files. Press OK and exit IIS Manager.  Keep track of the certificate expiration date so you renew/reinstall before then; once it expires, clients set to require server authentication will refuse the gateway and you will be locked out of the remote server.
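As an added example that is not from the original post, the following PowerShell does steps 3 and 5 without the IIS Manager wizard: it generates the CSR with certreq.exe from an INF file (2048-bit RSA, SHA-256, the host name also placed in the Subject Alternative Name extension, which browsers and the RDP client require), and after GoDaddy has issued the certificate it completes the request and imports the intermediate bundle from the zip. The host name RDP.widgets.com is the post’s; the organization fields, the C:\Certs folder and the file names inside the GoDaddy zip are assumptions.

```powershell
# Added example, not from the post. Run elevated on the server that will hold the key;
# certreq -accept must run on the same machine as certreq -new.
$hostName = 'RDP.widgets.com'
$workDir  = 'C:\Certs'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# --- Step 3: certificate signing request -------------------------------------
# Organization/location values are placeholders; State spelled out, Country two letters.
$inf = @"
[NewRequest]
Subject = "CN=$hostName, O=Widgets Inc, L=Denver, S=Colorado, C=US"
KeyLength = 2048
HashAlgorithm = sha256
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName&"
"@
$infPath = Join-Path $workDir 'request.inf'
$csrPath = Join-Path $workDir 'request.csr'
Set-Content -Path $infPath -Value $inf -Encoding Ascii
certreq.exe -new $infPath $csrPath
# Paste the whole file, BEGIN/END lines included, into GoDaddy's "Input a CSR" box.
Get-Content $csrPath

# --- Step 5: complete the request once the certificate is issued ----------------
# File names inside the downloaded zip are assumptions; use what GoDaddy actually ships.
$issuedCert = Join-Path $workDir 'rdp.widgets.com.crt'
$bundle     = Join-Path $workDir 'gd_bundle-g2-g1.crt'
certreq.exe -accept $issuedCert
# Intermediate CA certificates belong in the Intermediate Certification Authorities store
# so the server sends the full chain even to clients that cannot fetch it themselves.
Import-Certificate -FilePath $bundle -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# --- Check: private key present, name matches, and how long until lock-out ------
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "No certificate with a private key for $hostName; was -accept run on the same machine as -new?"
}
[PSCustomObject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    Expires    = $cert.NotAfter
    DaysLeft   = [int](New-TimeSpan -Start (Get-Date) -End $cert.NotAfter).TotalDays
}
```

Exportable is FALSE so the key cannot be copied off the server with the certificate; set it to TRUE only if you need to move the same certificate to a second host.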

6. Modify settings on remote Windows Server in RD Gateway Manager to use new SSL cert

Open Remote Desktop Gateway Manager, then properties and the SSL Cert tab.  Click on existing cert from personal store and select your new SSL cert.  Press Import, which will restart Gateway services and your current connection will be disconnected.  You will then have to connect with the new url/ssl cert name in your local RDP connection client. 

Go back to your local RDP connection client (shortcut on desktop if you created that previously) and change IP address in computer name field (general tab) and gateway name (advanced tab) from IP address to the url/ssl cert/fqdn you created – for example, “RDP.widgets.com”

7. Modify setting on remote Windows Server for RD Session Host to use new SSL cert (if needed)

If you see the warning that the certificate name doesn’t match and isn’t from a trusted CA, it is because the new GoDaddy cert is being used by the RD Gateway but not by the RD Session Host (even though both are on the same server), and the self-signed cert is still being used for the RDSH.  In our experience this almost always happens.    (Note: this warning is different from the “unknown publisher” warning you may see because you are using a custom .rdp connection file shortcut; for the “unknown publisher” warning you can click “Don’t ask me again…” if you don’t want to see it again.)

To fix this, use PowerShell (run as administrator) to change the certificate used by the RDSH (not the gateway) to the GoDaddy SSL cert you purchased.  Run each line below separately.  The first line lists the certificates in the machine’s Personal store with their thumbprints; copy the thumbprint of the new cert (40 hex characters, no spaces) between the quotes on the third line before running it.

Get-ChildItem "Cert:\LocalMachine\My"

$PATH = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-Tcp'").__PATH

Set-WmiInstance -Path $PATH -Arguments @{SSLCertificateSHA1Hash="ENTER-THUMBPRINT-HERE"}

Try to connect again; the certificate warning should no longer appear.
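As an added example (not the post’s own snippet), the following PowerShell performs step 7 and the gateway side of step 6 without copying thumbprints by hand: it finds the GoDaddy certificate by its subject name, gives the RDS service account read access to the private key (the RDP listener runs as NETWORK SERVICE; without that permission the thumbprint is accepted but the self-signed certificate keeps being served), binds the certificate to the RDP-Tcp listener through CIM, and sets the same certificate on the RD Gateway through the RDS: drive of the RemoteDesktopServices module. RDP.widgets.com is the post’s host name; everything else is assumed.

```powershell
# Added example, not from the post. Run in an elevated PowerShell on the RDS/RDGW server.
$hostName = 'RDP.widgets.com'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$hostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $hostName in Cert:\LocalMachine\My" }

# 1. Private-key permission for the RDP listener (NETWORK SERVICE).
#    Keys created by IIS Manager or the SChannel CSP live under MachineKeys.
$csp = $cert.PrivateKey
if ($csp -and $csp.CspKeyContainerInfo) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($csp.CspKeyContainerInfo.UniqueKeyContainerName)"
    icacls.exe $keyFile /grant 'NT AUTHORITY\NETWORK SERVICE:R' | Out-Null
} else {
    Write-Warning 'Private key is not a CSP key; grant NETWORK SERVICE read access via certlm.msc (Manage Private Keys).'
}

# 2. RD Session Host listener: the same setting as the post's Set-WmiInstance lines.
$listener = Get-CimInstance -Namespace root\cimv2\TerminalServices `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$listener | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }

# 3. RD Gateway: equivalent of Properties > SSL Certificate > Import in RD Gateway Manager.
Import-Module RemoteDesktopServices
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint
Restart-Service -Name TSGateway      # disconnects anyone currently on the gateway

# 4. Verify both roles now present the same thumbprint.
$rdsh = (Get-CimInstance -Namespace root\cimv2\TerminalServices `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
$rdgw = (Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint).CurrentValue
[PSCustomObject]@{
    Expected = $cert.Thumbprint
    RDSH     = $rdsh
    RDGW     = $rdgw
    Match    = ($rdsh -eq $cert.Thumbprint -and $rdgw -eq $cert.Thumbprint)
}
```

Run it again after each renewal: because it selects the certificate with the latest NotAfter for the host name, the same script moves both roles to the new certificate and the old one can then be deleted from the store.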

Lastly, some clients have noted that they had to enter the username as SERVERNAME\username when connecting via the RDP client, so if you are still having issues, try that in the .rdp file too.

Installing the Remote Desktop Gateway Role (RDGW) on Windows Server 2019

Installing the Remote Desktop Gateway role (RDGW) on Windows Server 2019 so that RDP from the internet is tunnelled over HTTPS (port 443) through the gateway instead of reaching port 3389 directly.

Installing Remote Desktop Gateway (RDGW) Role on Windows Server 2019

In this example, we had already installed the RD Session Host (RDSH) and RD License Server roles on the server.  This server is in workgroup mode and not joined to a domain.  The steps below install the RDGW role on a single server (installing RDGW also installs IIS), so all three roles (RDSH, RD Licensing, RDGW) end up on the same server. If you are already licensing RDS with RDS user CALs, there is no additional cost to installing the RD Gateway role (other than a trusted SSL certificate if you purchase one).

  1. Go to Server Manager, Add roles & features, role-based or feature-based installation, select the existing server, under Server roles expand Remote Desktop Services and select Remote Desktop Gateway, then accept the defaults for everything else. It takes about 5 minutes to install. Although it won’t force a reboot, it is typically a good idea to reboot the server after this step.

2. Next go to Server Manager, Remote Desktop Services, Servers, click on the server name, right-click into Properties and then “RD Gateway Manager”.  (Note: in RDS Overview you will see a message about needing to be logged in as a domain user to manage servers and collections; that functionality requires the server to be joined to a domain rather than in workgroup mode. We proceed in workgroup mode below.)

3. In RD Gateway Manager, expand the tree and go to Policies.  Create a “Connection Authorization Policy” (CAP), which controls who can log in to the gateway, and a “Resource Authorization Policy” (RAP), which controls what resources they can reach.  For example, we created policies called CAP1 and RAP1 and used the defaults for almost everything.  For CAP1 you probably want to add Remote Desktop Users and Administrators under “User group membership”; the gateway only admits accounts in the listed groups, so keep those groups small rather than adding Users or Everyone.  For RAP1, under Network Resource, change the selection to “Allow users to connect to any network resource” since this is a single-server setup.  You can tighten these policies later (for example, limiting the RAP to this server’s name and port 3389).

4. For the SSL cert (back in RD Gateway Manager, Properties), create a self-signed cert on the SSL Certificate tab: choose “Create a self-signed certificate”, click “Create and Import Certificate”, and change the certificate name to the server’s IP address “xxx.xx.xxx.xx”.  Copy the self-signed cert to your local PC because you (and every other user) will need it in order to log in through the gateway.  With a trusted SSL cert from a CA you do not need to install the certificate on each client PC as you do with a self-signed certificate.  Note the self-signed certificate’s expiration date, which should be in 6 months; if you keep using a self-signed certificate you will need to generate a new one before it expires.

Note: using a self-signed certificate requires installing the certificate on each client device.  A trusted cert is recommended instead; you purchase it from a CA such as GoDaddy and it is issued for a host name/domain rather than an IP address.

5. At this point, all items in RD Gateway Manager status should show green check marks.

6. Go to Services and change the Remote Desktop Gateway service (service name TSGateway) to startup type “Automatic” instead of “Automatic (Delayed Start)” and make sure it is running.  This lets the gateway service start sooner after a server reboot; otherwise you may get a message that the gateway service is unavailable when trying to log in until the service starts several minutes later.
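As an added example (not part of the post), the same installation in PowerShell on a workgroup server, using the RDS: drive of the RemoteDesktopServices module for the CAP and RAP. The policy names CAP1 and RAP1 and the group memberships follow the post; the certificate binding is left to the SSL Certificate tab (or the certificate post linked under Additional Notes), and nothing else is taken from the post.

```powershell
# Added example, not the post's own steps. Run elevated on the workgroup server.

# Step 1: the role (also installs IIS and Network Policy Server, which backs the CAP).
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

Import-Module RemoteDesktopServices

# Step 3: who may authenticate to the gateway. AuthMethod 1 = password, 2 = smart card.
# Only members of these local groups get through; keep them small.
New-Item -Path RDS:\GatewayServer\CAP -Name CAP1 `
    -UserGroups @('Remote Desktop Users@BUILTIN', 'Administrators@BUILTIN') -AuthMethod 1

# Step 3: what they may reach. ComputerGroupType 2 = any network resource (single server).
New-Item -Path RDS:\GatewayServer\RAP -Name RAP1 `
    -UserGroups @('Remote Desktop Users@BUILTIN', 'Administrators@BUILTIN') -ComputerGroupType 2

# Step 6: start the gateway service immediately at boot instead of delayed.
Set-Service -Name TSGateway -StartupType Automatic
Start-Service -Name TSGateway

# Checks: the policies exist, the HTTPS listener is up, and the service is running.
Get-ChildItem RDS:\GatewayServer\CAP, RDS:\GatewayServer\RAP | Select-Object Name
Get-NetTCPConnection -LocalPort 443 -State Listen | Select-Object LocalAddress, OwningProcess
Get-Service -Name TSGateway | Select-Object Name, Status, StartType
```

Because the CAP is evaluated by NPS, a failed gateway logon shows up in the Security log as an NPS event (Event ID 6273) with the policy name, which is the first place to look when a user cannot get through.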

Connecting to RDGW from your local PC

  1. Open the Remote Desktop Connection client on your local PC and expand all fields by clicking Show Options.
  2. On the General tab, make sure the Computer field is the IP address of the server.  You will enter the same IP address on both the General tab and the Advanced tab, since the RDSH server and the RDGW server are the same server in this example.
  3. Before connecting, go to the Advanced tab
  4. Click the Settings button under “Connect from anywhere”
  5. Select “Use these RD Gateway server settings”
  6. Enter the IP address of the server as the Server name
  7. Uncheck the box “Bypass RD Gateway server for local addresses”
  8. Check the box to use the same credentials for the RD Gateway server and the remote computer, since they are the same server in this example
  9. Press OK, go back to the Local Resources tab and select which local devices should be redirected (typically printers and clipboard should be redirected, but not local drives under the More button; redirecting local drives uses bandwidth/resources and exposes your local files to the session, so only do it when needed)
  10. Go to the General tab, decide whether credentials may be saved, and save the customized .rdp file as a shortcut on your desktop by clicking “Save As” and giving it a useful name.
  11. When you connect, you may first get a warning that says “The publisher of this remote connection can’t be identified. Do you want to connect anyway?” or “The identity of the remote computer cannot be verified. Do you want to connect anyway?” You can tick “Don’t ask me again for connections to this computer” if you don’t want to see this message every time, and continue.  This message typically appears because you are using a customized .rdp shortcut on your local desktop or because you are using a self-signed certificate.  Be aware that the identity warning is the same one you would see if someone were intercepting the connection, so suppressing it is only reasonable while you are on the self-signed certificate; once a trusted certificate is installed, leave the warning on (or set “If server authentication fails” on the Advanced tab to “Do not connect”).
  12. Connect and you will be asked for your credentials, which are used for both RDSH and RDGW; select whether to remember them or not.
  13. If you try to connect and get the message “This computer can’t verify the identity of the RD Gateway XXXXX….” and it won’t connect, it is because you are using a self-signed certificate and have not put a copy of it in the Trusted Root Certification Authorities store on your local PC.  Go back to the server and copy the cert from users\username\documents\certname.cer to your local PC, double-click it, select “Install Certificate”, choose the “Local Machine” store location and select the specific store “Trusted Root Certification Authorities” (not automatic placement).  THIS HAS TO BE DONE ON ALL LOCAL PCs THAT CONNECT WHEN USING SELF-SIGNED CERTS.  Every PC that does this trusts that certificate unconditionally, so protect the server’s private key and remove the certificate from client stores once you move to a CA-issued certificate.
  14. If you have trouble logging in, try typing the username as servername\username, e.g. WIN-XXXXXX\Administrator or ServerX\Dan.
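As an added example (not from the post), the .rdp file that steps 1 to 10 build in the GUI can be written directly; the settings below are the documented .rdp file options for the choices the post makes (always use the gateway, same credentials for gateway and host, printers and clipboard redirected, drives not). The host name RDP.widgets.com is an assumption for a trusted certificate; while you are on the self-signed certificate, put the server IP in both address lines instead. authentication level 1 makes the client refuse, rather than warn, when the server certificate cannot be verified, which is the right setting once a trusted certificate is in place.

```powershell
# Added example, not the post's own file. Run on the local Windows PC.
$serverName = 'RDP.widgets.com'   # or the server IP while on the self-signed certificate
$rdpFile    = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Widgets-RDS.rdp'

$settings = @"
full address:s:$serverName
gatewayhostname:s:$serverName
gatewayprofileusagemethod:i:1
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
authentication level:i:1
redirectclipboard:i:1
redirectprinters:i:1
redirectdrives:i:0
drivestoredirect:s:
"@
# gatewayprofileusagemethod 1 = use these explicit gateway settings
# gatewayusagemethod 1       = always use the gateway (no bypass for local addresses)
# gatewaycredentialssource 0 = password; promptcredentialonce 1 = same creds for both
# authentication level 1     = do not connect if server authentication fails
Set-Content -Path $rdpFile -Value $settings -Encoding Unicode

# Reachability: 443 must answer (the gateway); from outside the LAN 3389 should not.
Test-NetConnection -ComputerName $serverName -Port 443  |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName $serverName -Port 3389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Launch with the saved file.
mstsc.exe $rdpFile
```

Because the file is plain text, it is also a convenient way to hand the same hardened settings to every user instead of walking each of them through the dialog.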

Turn off port 3389 to internet to force traffic to use port 443/RDGW

  1. Next, turn off the four inbound Windows Firewall rules for Remote Desktop on port 3389 FOR THE PUBLIC PROFILE (Remote Desktop – User Mode (TCP-In) and (UDP-In), and Remote Desktop Services – User Mode (TCP-In) and (UDP-In)).  Open each rule’s properties, go to the Advanced tab, and uncheck the “Public” box so the rule no longer applies to the public profile.
  2. RDP traffic from the outside then enters the server on port 443 and is forwarded to 3389 internally by the gateway.  Test this from outside your network by trying to connect with RDP directly to the server’s IP address without gateway settings: it should fail, while the connection through the gateway still works.
  3. You can modify/disable other Remote Desktop inbound firewall rules if needed too.

Additional Notes:

See different post on how to purchase and install a SSL certificate from a trusted CA. http://www.riptidehosting.com/blog/purchasing-and-installing-a-trusted-ssl-certificate-to-use-for-rdgw-rdsh/

How to Install VPN server on Windows Server 2019

Windows Server 2019 has a built-in VPN server role that can be added to the server OS at no charge. The method below sets up a PPTP VPN using Windows authentication, so it is password based and strong/complex passwords are still very important.  Note that PPTP’s MS-CHAPv2 authentication has well-known practical attacks, so PPTP should be treated as a legacy protocol; other protocols such as L2TP/IPsec with a pre-shared key, SSTP, or certificate-based authentication give a stronger setup depending on your needs and environment. Toward the end of this document we show how to enable L2TP with a pre-shared key and disable PPTP if you want to do that. This post details how to set up the VPN role on a Windows server, how to set up the VPN connection client on your local Windows PC, how to stop RDP and other protocols from being reachable through the public profile in the Windows Firewall, and finally how to extend the VPN setup to L2TP. There is no additional cost for installing the VPN/RRAS role on Windows Server.

STEPS TO INSTALL VPN SERVER ROLE ON WINDOWS SERVER 2019

  1. Log on to Windows Server 2019 using the Administrator account or an account with administrative rights.
  2. Open Server Manager, Dashboard, the “Add Roles and Features” wizard, Next, then select “Role-based or feature-based installation”, Next, select your server, Next, then on the Select server roles screen select “Remote Access”; on the Select features screen keep the defaults and press Next.  Under Remote Access Role Services select only “DirectAccess and VPN (RAS)” (accept the features it automatically adds) and leave Routing and Web Application Proxy unchecked, Next, keep the defaults under the Web Server Role Services, Next, click Install (it takes a few minutes and usually does not require a reboot).
  3. At the top bar of Server Manager you will see a yellow triangle; click it and select “Open the Getting Started Wizard”, or click “Remote Access” in the left pane and click More in the right pane to get to “Open the Getting Started Wizard”.
  4. Select “Deploy VPN only” (it may take up to 1 minute to open). (Note: deploying DirectAccess requires the server to be joined to a domain, not workgroup mode.)
  5. Right-click the server name and select “Configure and Enable Routing and Remote Access”.
  6. Select “Custom configuration”.
  7. Select “VPN access” only, then Finish and Start Service.  Windows Firewall should automatically open the necessary ports (or you may see a message telling you to enable the firewall rules manually); press OK on the message reminding you to open/enable the firewall rules.
  8. Go back to Routing and Remote Access via Server Manager, Tools (dropdown near the upper right corner), “Routing and Remote Access”.  Right-click the server name and select Properties, then on the IPv4 tab add a static IP address pool for VPN clients; use a private range, e.g. 192.168.0.100 to 192.168.0.150, in the same subnet as the secondary address you will add in the next step.
  9. Next, open “Network and Sharing Center” and click “Change adapter settings”.  Right-click the Ethernet adapter, highlight the “Internet Protocol Version 4 (TCP/IPv4)” row, click Properties, Advanced, and add a secondary IP address which is a private IP in the same subnet as the pool above; in this example we used 192.168.0.20 (this is the address you will RDP to once the VPN connection is up).
  10. Next, adjust the settings for each user who should be able to VPN to the server: go to Computer Management, Local Users and Groups, Users, right-click the individual user and open Properties.  On the “Dial-in” tab change the “Network Access Permission” section to “Allow access” (instead of “Control access through NPS Network Policy”).  You need to do this for each user you want to allow VPN access to the server; everyone else stays denied, which is the right default.
  11. Enable the Windows Firewall inbound rules for PPTP (PPTP requires both PPTP-In and GRE-In) and for any other VPN protocol you might use (L2TP or SSTP).
  12. Usually it is a good idea to reboot server at this point even if it doesn’t ask for a reboot.

SETUP VPN CONNECTION ON LOCAL PC (to connect the local PC to the offsite server via VPN)

  1. On your local PC, go to Control Panel, Network and Internet, Network and Sharing Center, “Set up a new connection or network”, then “Connect to a workplace / set up a VPN” or “Add a VPN connection”.  Select “Use my Internet connection”.
  2. Enter the IP address of the server you will connect to; this is the public IP address (not the private 192.168.x.x address you set up above).
  3. Enter a descriptive name for the connection, then Create.
  4. Then go to your VPN connection by clicking the Start icon and typing VPN, or by going to Notifications and clicking VPN.
  5. Click the VPN connection you just set up and press Connect.  Enter your username and password on the next screen and click “Connect”.
  6. You can adjust settings (security and others) by going back to the connection and opening its Properties (Change adapter settings, find the connection, right-click for Properties, where you can change settings to match the VPN settings on the server if needed).  You can also change the VPN settings on the server.

Verify this and uncheck the box “Use default gateway on remote network”; otherwise all your traffic, including web browsing, goes through the remote server, which hurts performance.  Note: if you can no longer access the internet on your local machine once the VPN connects, fix it by going to the Networking tab in the VPN connection’s Properties, highlighting the TCP/IPv4 row, clicking Properties, then Advanced, and unchecking “Use default gateway on remote network”.  (You may have to disconnect and reconnect before the change applies.)

ADJUSTING FIREWALL RULES TO TURN OFF RDP ACCESS (PORT 3389) ON PUBLIC PROFILE

Note: there are many adjustments you can make to the Windows Firewall and this is just one example/method.  You should properly test any changes made.

  1. Make sure you are logged in via RDP over the VPN to the private IP (192.168.0.20 in this example) before changing the rules below; otherwise you will lock yourself out.
  2. First make sure the RAS interface on the server is assigned to the Private firewall profile (check in Network and Sharing Center on the server).  If it isn’t (most likely it is Public, so you will have to change it), change it as follows:  gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies, and assign “RAS (Dial In) Interface” to the Private network profile. (Alternative: Start, secpol.msc, Network List Manager Policies, right-click “RAS (Dial In) Interface”, Network Location tab, change it to Private.)
  • Next, Open Windows Firewall with Advanced Security and modify 4 x Inbound Rules,
    • “Remote Desktop Services – User Mode (TCP-In)”
    • “Remote Desktop Services – User Mode (UDP-In)”
    • “Remote Desktop – User Mode (TCP-In)”
    • “Remote Desktop – User Mode (UDP-In)”

and turn each one off for the Public profile (uncheck “Public” on the rule’s Advanced tab).  You could/should also modify other rules that currently match the public profile so they apply to the private profile only.
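As an added example that is not from either post, the following PowerShell makes the same firewall change on the server for both scenarios: the RD Gateway post above (3389 reachable only through the gateway) and this VPN post (3389 reachable only over the VPN). It first refuses to run if any established RDP session is coming from an address that the change would cut off, then removes the Public profile from the four built-in Remote Desktop rules, enables the L2TP rule in the Routing and Remote Access group for the next section, and lists whatever else is still open to the Public profile. The 192.168.0.0/24 prefix is the post’s example; the RAS interface must already be Private (the Network List Manager step above), which this script only reports.

```powershell
# Added example, not from either post. Run elevated on the server, from a session that
# already arrived over the VPN (this post) or through the RD Gateway (previous post).
$allowedPrefix = '192.168.0.'    # VPN pool / secondary address subnet from this post
$rdpRules = @(
    'Remote Desktop - User Mode (TCP-In)',
    'Remote Desktop - User Mode (UDP-In)',
    'Remote Desktop Services - User Mode (TCP-In)',
    'Remote Desktop Services - User Mode (UDP-In)'
)

# Lock-out guard: every established RDP peer must be the server itself (gateway case)
# or an address on the VPN side. Otherwise this very session would be cut off.
$localIPs = (Get-NetIPAddress).IPAddress
$peers    = Get-NetTCPConnection -LocalPort 3389 -State Established |
            Select-Object -ExpandProperty RemoteAddress -Unique
$outside  = $peers | Where-Object { $_ -notin $localIPs -and $_ -notlike "$allowedPrefix*" }
if ($outside) {
    throw "RDP session(s) from $($outside -join ', ') would be cut off; reconnect via VPN/gateway first."
}

# Which profile each connected interface is on; the RAS interface must show Private,
# or VPN clients will still be matched by the Public profile after the change.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Remove the Public profile from the four RDP rules (same as unchecking "Public" on
# the Advanced tab) rather than disabling the rules outright.
foreach ($name in $rdpRules) {
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($rule) { $rule | Set-NetFirewallRule -Profile Domain, Private }
    else       { Write-Warning "Rule '$name' not found on this build" }
}

# VPN post only: make sure L2TP is allowed in before switching clients away from PPTP.
Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*L2TP*' } | Enable-NetFirewallRule

# Anything else inbound and enabled that still matches Public is the next thing to review.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Select-Object DisplayName, Profile, Action
```

After running it, test from outside the network as the posts describe: a direct RDP attempt to the public IP on 3389 must fail, while the gateway (443) or the VPN path still works.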

  • Now it is time to connect and test your changes.
  • Connect to the server via VPN first, then you can RDP to the server using the private IP (192.168.0.20 in example above) when VPN is active.  You shouldn’t be able to RDP to the public IP address.  You should test all scenarios after deployment.

Congratulations, Now your PPTP VPN should be setup and working!

OPTIONAL STEPS TO SETUP/CONFIGURE L2TP:

The steps above create a “Point-to-Point Tunneling Protocol” (PPTP) VPN connection and, if you enabled those rules, open the Windows Server firewall for PPTP, L2TP and SSTP, although L2TP and SSTP require additional configuration to work.   You can increase security by implementing L2TP/IPsec or SSTP.  One example is L2TP with a “pre-shared key”, where you enter a pre-shared key in RRAS Properties on the Security tab (on the server) and then enter the same pre-shared key in the client PC’s VPN connection.  When you connect, the Windows VPN client on the PC shows whether it connected with PPTP or L2TP.  In the security options of the PC VPN client you can select which protocol to use if more than PPTP has been set up on the server.  Once you are using L2TP instead of PPTP, you can turn PPTP off on the Windows Server and also disable the PPTP firewall rules (see below).

How to enable L2TP/IPsec VPN and disable PPTP protocol

Configure L2TP with preshared key:

  1. First make sure the Windows Firewall inbound rules on the server allow L2TP (if you had only enabled the inbound firewall rules for PPTP and GRE earlier, enable L2TP now).  Open the Routing and Remote Access console, right-click the server name, and go to Properties.  On the Security tab enable the checkbox “Allow custom IPsec policy for L2TP/IKEv2 connection” and enter a long, random value in the “Preshared key” field.
  2. The pre-shared key is the same for all users, so treat it as a shared secret: it leaves with every former user or lost laptop, and should be rotated when that happens.
  3. Now disconnect your current PPTP session and reconnect using the L2TP/pre-shared key settings in your local connection client.  Go to your local VPN network adapter settings and adjust them accordingly.
  4. Now log in to the server and disable PPTP: in Routing and Remote Access click Ports, right-click Properties, highlight the WAN Miniport (PPTP) row, click Configure, and uncheck the top two boxes (remote access connections and demand-dial routing connections) to disable PPTP.
  5. Last, disable the Windows Firewall rules for PPTP and GRE if you are only using L2TP.
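As an added example (not from the post), the client side with the VpnClient cmdlets that Windows 8 and later ship: it creates the connection from the “SETUP VPN CONNECTION ON LOCAL PC” section straight away as L2TP/IPsec with the pre-shared key from step 1 above, with split tunnelling on (the same as unchecking “Use default gateway on remote network”), MS-CHAPv2 and encryption required, then connects and checks that the default route is still the local one and that only the private address answers on 3389. The server address 203.0.113.10, the connection name, the user name and the key value are placeholders; the private RDP address 192.168.0.20 is the post’s.

```powershell
# Added example, not the post's own steps. Run on the local Windows PC (a per-user
# connection needs no elevation).
$vpnName = 'Widgets VPN'
$server  = '203.0.113.10'                      # public IP of the server (placeholder)
$psk     = 'ReplaceWithTheServerPresharedKey'  # same value as RRAS > Security > Preshared key
$rdpHost = '192.168.0.20'                      # private address from the post
$user    = 'Dan'                               # placeholder account

# L2TP/IPsec with pre-shared key; -SplitTunneling keeps the local default gateway so only
# traffic for the remote network enters the tunnel. For the PPTP stage of the post use
# -TunnelType Pptp and drop -L2tpPsk (PPTP's MS-CHAPv2 is considered broken).
Add-VpnConnection -Name $vpnName -ServerAddress $server -TunnelType L2tp -L2tpPsk $psk `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -SplitTunneling `
    -RememberCredential -Force

Get-VpnConnection -Name $vpnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling

# Connect (rasdial prompts for the password because of the *), then verify the state.
rasdial.exe $vpnName $user *
if ((Get-VpnConnection -Name $vpnName).ConnectionStatus -ne 'Connected') { throw 'VPN did not connect' }

# The default route must still point at the local router, not at the VPN interface.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Select-Object InterfaceAlias, NextHop, RouteMetric

# Only now is the private address reachable; 3389 on the public IP should stay closed.
Test-NetConnection -ComputerName $rdpHost -Port 3389 | Select-Object RemoteAddress, TcpTestSucceeded
Test-NetConnection -ComputerName $server  -Port 3389 | Select-Object RemoteAddress, TcpTestSucceeded
```

If the second test succeeds, the server is still answering RDP on its public address and the firewall profile change from the previous section has not taken effect (most often because the RAS interface is still on the Public profile).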