Remote Desktop Services – Full Desktop Sessions vs Start Program Automatically vs RemoteApp/RDWeb

FULL DESKTOP SESSIONS:  The most common method of using Remote Desktop Services (RDS) in Windows Server 2016 or Windows Server 2019 is full “desktop sessions”, where each user has their own desktop session to modify/customize the desktop, open programs (usually in simultaneous, multi-user mode, e.g. a split MS Access application where each user has their own front-end), save and share files, open MS Office documents (if Office is installed), etc.  Users can share files with other users through public folders.  Desktop sessions are the default method in RDS and are typically easy to use from any device with the Microsoft Remote Desktop Connection client, which is built in on Windows PCs and can be downloaded for Macs, iPhone, Android, etc.  If you need to share and save files, interface with Office, install several applications, or have full desktop features, you will likely want to use regular/full desktop sessions without adding the advanced configuration and complexity of RemoteApp/RDWeb.  An RDS setup with full desktop sessions can be set up within a few hours.

START PROGRAM AUTOMATICALLY UPON LOGON:  If you want some (or all) users to open only one particular program/application when logging into the server, and don’t want to provide a full desktop session, you can set this up within each individual user’s profile settings on the Environment tab under Properties.  This is easy to set up and you can do it on a user-by-user basis.  Starting with Windows Server 2016, there is a registry key that must be set for this to work, so please contact Riptide Hosting to change this registry key.  With this setting, your application opens automatically when a user logs into the server, and when they close the application the entire session closes without ever providing a desktop session.  This option may work well if you have a single program for users to access and don’t want to provide a desktop session.  It probably will not work well for you if you have multiple applications, need users to save or share files, or need to export files to Excel, etc. (then you would want full desktop sessions).  Contact us for a few screenshots of this option.  For example, on the Environment tab of the particular user’s properties, enable the box by “Start the following program at logon” and in the “Program file name” field, use a path similar to this, which would start an MS Access application:  “C:\Program Files (x86)\Microsoft Office\Office16\MSACCESS.EXE” “C:\users\xxx\xxx.mdb or .accde”
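The same per-user setting done from PowerShell, as an added example that is not part of the original post or of Riptide Hosting’s procedure. It assumes a local (workgroup) user account named jsmith, a per-user Access front-end path, and that the WinNT ADSI provider exposes the Terminal Services user properties (the same fields the Environment tab edits); the registry value in step 2 is the one we understand Microsoft documents for local accounts on Server 2016 and later, so confirm it with your hosting provider before changing it. Run it in an elevated session on the RD Session Host.

```powershell
# Added example (not from the original post): configure "Start the following program at logon"
# for one local RDS user without the GUI. Placeholders: $UserName, $FrontEnd.
$UserName  = 'jsmith'                                                        # assumed local account
$AccessExe = 'C:\Program Files (x86)\Microsoft Office\Office16\MSACCESS.EXE'  # path from the post
$FrontEnd  = "C:\Users\$UserName\Documents\frontend.accde"                    # assumed per-user front-end

# 1. Per-user Terminal Services settings via the WinNT ADSI provider. Property names are the
#    IADsTSUserEx names; their availability through WinNT:// for local accounts is an assumption.
$user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
$user.InvokeSet('TerminalServicesInitialProgram', "`"$AccessExe`" `"$FrontEnd`"")
$user.InvokeSet('TerminalServicesWorkDirectory', (Split-Path -Path $FrontEnd -Parent))
$user.SetInfo()

# 2. Server 2016+ looks the initial-program setting up on a domain controller unless told to
#    read the local account. Value name assumed from Microsoft's guidance; verify before use.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $tsPolicy -Force | Out-Null
Set-ItemProperty -Path $tsPolicy -Name 'fQueryUserConfigFromLocalMachine' -Value 1 -Type DWord

# 3. Read back what the session host will launch for this user.
[PSCustomObject]@{
    User           = $UserName
    InitialProgram = $user.InvokeGet('TerminalServicesInitialProgram')
    WorkDirectory  = $user.InvokeGet('TerminalServicesWorkDirectory')
}
```

One caveat worth keeping in mind: an initial program is a convenience, not a security boundary. The user still has an interactive session, and anything the front-end can launch (file dialogs, Shell calls from Access) runs with that user’s rights, so pair this with the group-policy lockdown described further down if you need to restrict what users can reach.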

REMOTEAPP/RDWEB:  RemoteApp/RDWeb is an RDS role that can be installed separately, where users log in to a website (https://yourdomainname/rdweb or https://yourIPaddress/rdweb) and only see applications that you have published to them.  RemoteApp/RDWeb is a great role to use when you don’t want to provide a desktop session, but it is much more complex to set up: it requires the server to be connected to a domain (either domain joined, or install the Active Directory Domain Services (ADDS) role on the server), and that you install the RD Connection Broker role and the RD Web Access role.  If you install the ADDS role on the same/single server, you must install ADDS before you install the RDS roles (RD Session Host, RD Gateway, RD Connection Broker, RD License Server, and RD Web Access).  With RemoteApp you will want to install trusted SSL certificates for use with all RDS roles.  Historically RemoteApp did not work particularly well for Mac users and for browsers other than Internet Explorer (due to ActiveX requirements), but these limitations have gone away in newer versions of Windows Server.  With RemoteApp/RDWeb, you would access your applications through a website at: https://IPADDRESSorFQDN/rdweb.  We recommend you use an IT consultant/firm that has done it before for setting up RemoteApp/RDWeb, and we can provide referrals if needed.

FULL DESKTOP SESSIONS WITH GROUP POLICIES:  If you want to provide full desktop sessions but want to lock down what users can see or do beyond what is provided by default, you can set up group policies that affect non-administrator users.  Here is an old blog post on doing this on a workgroup server (if your server is domain joined, you can do this through the domain controller): https://www.riptidehosting.com/blog/how-to-create-group-policies-in-server-2012r2-that-only-affect-specified-users/    Setting up group policies is a very powerful method of locking down the server for regular users.  That said, it is relatively complex and it is easy to accidentally lock yourself out, so we would recommend you have us take a snapshot first before applying group policies.

Installing the Remote Desktop Gateway Role (RDGW) on Windows Server 2019

Installing the Remote Desktop Gateway Role (RDGW) on Windows Server 2019 to force RDP over HTTPS (port 443) instead of port 3389.

Installing Remote Desktop Gateway (RDGW) Role on Windows Server 2019

In this example, we had already installed the RD Session Host (RDSH) and RD License Server roles previously on the server.  This server is in workgroup mode and not joined to a domain.  Steps below are used to install the RDGW role on a single server (installing RDGW also installs IIS) so all three roles (RDSH, RDlic, RDGW) are installed on the same server. If you are already licensing RDS with RDS user licenses, there is no additional cost to installing the RD Gateway Role (other than if you purchase a trusted SSL certificate).

  1. Go to Server Manager, Add Roles and Features, Role-based or feature-based installation, select the existing server, in Server Roles expand Remote Desktop Services and select Remote Desktop Gateway, and click through everything else with the defaults. It will take about 5 minutes to install. Although it won’t force a reboot, it is typically a good idea to reboot the server after this step.
     (Screenshot: Installing RD Gateway)

  2. Next go to Server Manager, Remote Desktop Services, Servers, click on the server name, right-click into Properties and go to “RD Gateway Manager”.  (Note: in RDS Overview you will see a message about needing to be logged in as a domain user to manage servers and collections. To have this functionality you need to be connected to a domain instead of in workgroup mode; we are proceeding with workgroup mode only below.)
     (Screenshot: RD Gateway Manager)

  3. In RD Gateway Manager, expand the tree and go to Policies.  Create a “Connection Authorization Policy” (CAP), which controls which users can log in to the gateway, and a “Resource Authorization Policy” (RAP), which controls what resources can be accessed.  For example, we created policies called CAP1 and RAP1 and used defaults for almost everything.  For CAP1, you probably want to add Remote Desktop Users and Administrators to “User group membership”.  For RAP1, under Network Resource, you should change the selection to “Allow users to connect to any resource” since this is a single-server setup.  You can modify these policies later to be more specific and restrictive.
     (Screenshot: RDGW CAP)

  4. For the SSL cert (go back to RD Gateway Manager, Properties), create a self-signed cert by going to Properties, SSL tab, create self-signed cert, click on “Create and Import Certificate”, and change the certificate name to the IP address “xxx.xx.xxx.xx” of the server in the certificate name field.  Copy the self-signed cert to your local PC because you will need it in order to log in through the gateway (all users will need it).  If you use a trusted SSL cert from a CA then you won’t need to install the cert on each local PC/client like you will with a self-signed certificate.  Take note of the self-signed certificate expiration date, which should be in 6 months: if you decide to continue to use a self-signed certificate, you will need to generate a new cert before the expiration date.

  Note: using a self-signed certificate will require you to install the certificate on each client device.  It is recommended to use a trusted cert (instead of a self-signed cert), where you would purchase the SSL cert from a company like GoDaddy and it will be in the name of a URL/domain instead of an IP address.
     (Screenshot: RDGW properties SSL tab)

  5. At this point, all items in RD Gateway Manager status should be showing as green / green check marks.
     (Screenshot: RDGW status)

  6. Go to Services and change the Remote Desktop Gateway Service (service name TSGateway) to startup type “Automatic” instead of “Automatic (Delayed Start)” and make sure it is started/running.  This allows the gateway service to start quicker upon a server reboot; otherwise you may get a message that the gateway service is unavailable when trying to log in until the service starts several minutes later.
     (Screenshot: Change RDGW service to automatic)
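The server-side part of the procedure above (role install, self-signed certificate, TSGateway startup type) as a PowerShell script, added here as an example; it is not from the original post or Riptide Hosting. It assumes an elevated session on the same workgroup server, uses a placeholder IP from the documentation range, and leaves the CAP/RAP creation and the certificate binding on the SSL tab to RD Gateway Manager (for the binding, pick “Select an existing certificate” and choose the one the script creates). The script only checks those afterwards.

```powershell
# Added example (not from the original post): RDGW server-side steps 1, 4 and 6 in PowerShell.
$ServerIp = '203.0.113.10'   # placeholder (documentation range): this server's public IP

# Step 1: the RD Gateway role; this also pulls in IIS.
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools

# Step 4: a self-signed certificate whose subject matches what clients will type as the gateway
# name (the IP address here). Keep the lifetime short and record NotAfter for renewal.
$cert = New-SelfSignedCertificate -DnsName $ServerIp `
            -CertStoreLocation 'Cert:\LocalMachine\My' `
            -FriendlyName 'RDGW self-signed' `
            -NotAfter (Get-Date).AddMonths(6)
"Gateway cert thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# Export only the public certificate (.cer). Clients import this into Trusted Root; the private
# key stays on the server, so never hand out a .pfx for this purpose.
$cerPath = Join-Path $env:USERPROFILE 'Documents\rdgw-selfsigned.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Step 6: start TSGateway at boot without the delayed start so clients do not see
# "gateway service unavailable" for several minutes after a reboot.
Set-Service -Name TSGateway -StartupType Automatic
Start-Service -Name TSGateway

# Checks: service state, the CAP/RAP created in step 3, and the HTTPS listener on 443.
Get-Service -Name TSGateway | Select-Object Name, Status, StartType
$ns = 'root/cimv2/TerminalServices'
Get-CimInstance -Namespace $ns -ClassName Win32_TSGatewayConnectionAuthorizationPolicy | Format-Table -AutoSize
Get-CimInstance -Namespace $ns -ClassName Win32_TSGatewayResourceAuthorizationPolicy   | Format-Table -AutoSize
Get-NetTCPConnection -LocalPort 443 -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
```

If the last command shows nothing listening on 443, the gateway is not yet serving connections: the usual causes are the certificate not being bound on the SSL tab or the TSGateway service not having started, both of which the earlier checks surface.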

Connecting to RDGW from your local PC

  1. Open the Remote Desktop Connection client on your local PC and expand all fields by clicking Show Options.
  2. On the General tab, make sure the Computer name field is the IP address of the server.  You will be entering the IP address on both the General tab and the Advanced tab, using the same IP address, since the RDSH server and the RDGW server are the same server in this example.
  3. Before connecting, go to the Advanced tab.
  4. Click on the Settings box under Connect from Anywhere.
  5. Select “Use these RD Gateway server settings”.
  6. Enter the IP address of the server for Server name.
  7. Uncheck the box “Bypass RD Gateway server for local addresses”.
  8. Check the box to use the same credentials for the RD Gateway server and the remote computer, since they are the same server in this example.
     (Screenshot: Local Connection Client Gateway settings)
  9. Press OK, go back to the Local Resources tab and select which local devices should be redirected (typically printers and clipboard should be redirected, but not local drives under the More button; redirecting local drives uses bandwidth/resources, so only do it when needed).
  10. Go to the General tab, decide if you want credentials to be allowed to be saved, and save the customized .rdp file as a shortcut on your desktop by clicking “Save As” and giving it a useful name.
  11. When you connect, you may first get a warning message that says “The publisher of this remote connection can’t be identified. Do you want to connect anyway?” or “The identity of the remote computer cannot be verified. Do you want to connect anyway?”  You can click the box “Don’t ask me again for connections to this computer” if you don’t want to see this message every time, and continue.  This message typically happens because you are using an .rdp shortcut on your local desktop that you customized, or because you are using a self-signed certificate.
  12. Connect and you will get a prompt to enter your credentials, which will be used for both RDSH and RDGW; select whether to remember the credentials or not.
  13. If you try to connect and get the message “This computer can’t verify the identity of the RD Gateway XXXXX….” and it won’t connect, it is because you are using a self-signed certificate and haven’t put a copy of the certificate in the Trusted Root Certification Authorities store on your local PC.  So go back to the server, copy the cert from the users\username\documents\certname.cer location on the server to your local PC/desktop, then double-click it on your local PC, select “Install Certificate”, select the “Local Machine” store location and select the specific store “Trusted Root Certification Authorities” (don’t use the automatic location).  THIS WILL HAVE TO BE DONE ON ALL LOCAL PCs THAT CONNECT WHEN USING SELF-SIGNED CERTS.
  14. If you have trouble logging in, try typing the username as servername\username, so WIN-XXXXXX\Administrator or ServerX\Dan, etc.
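The client side of the steps above as a script, added here as an example that is not part of the original post: it writes the customized .rdp file from steps 1 to 10 and imports the server’s self-signed certificate from step 13. The IP address and file paths are placeholders, and the certificate import needs an elevated prompt because it writes to the Local Machine store.

```powershell
# Added example (not from the original post): client-side .rdp file and trusted-root import.
$ServerIp = '203.0.113.10'                                            # placeholder public IP
$CerPath  = Join-Path $env:USERPROFILE 'Desktop\rdgw-selfsigned.cer'   # copied from the server
$RdpPath  = Join-Path $env:USERPROFILE 'Desktop\MyServer via RDGW.rdp'

# One mstsc setting per line, mirroring the tabs in the post.
$rdp = @(
    "full address:s:$ServerIp"        # General tab: computer name
    "gatewayhostname:s:$ServerIp"     # Advanced tab: gateway server name (same server here)
    'gatewayprofileusagemethod:i:1'   # "Use these RD Gateway server settings"
    'gatewayusagemethod:i:1'          # always use the gateway (bypass-for-local unchecked)
    'gatewaycredentialssource:i:0'    # password (NTLM) for the gateway
    'promptcredentialonce:i:1'        # same credentials for gateway and remote computer
    'prompt for credentials:i:1'      # ask every time; nothing saved in the file
    'authentication level:i:2'        # warn if the server certificate cannot be verified
    'redirectclipboard:i:1'           # Local Resources: clipboard and printers only
    'redirectprinters:i:1'
    'drivestoredirect:s:'             # no local drives
)
Set-Content -Path $RdpPath -Value $rdp -Encoding Unicode

# Step 13: trust the gateway's self-signed certificate on this machine. A trusted root is trusted
# for everything, so compare the thumbprint with the one the server reported before continuing.
if (Test-Path $CerPath) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    "About to trust $($c.Subject) thumbprint $($c.Thumbprint) until $($c.NotAfter)"
    Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# Connect with the saved file; the step 11 "publisher can't be identified" prompt is expected.
Start-Process -FilePath mstsc.exe -ArgumentList "`"$RdpPath`""
```

Leaving “prompt for credentials” at 1 and not storing a password in the file is the safer default for a shortcut that lives on a desktop; users who want saved credentials can still tick the box in the client, which stores them in Credential Manager rather than in the .rdp file.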

Turn off port 3389 to internet to force traffic to use port 443/RDGW

  1. Next, turn off the four inbound Windows Firewall rules for Remote Desktop on port 3389 FOR THE PUBLIC PROFILE (Remote Desktop – User Mode (TCP-In) and (UDP-In), and Remote Desktop Services – User Mode (TCP-In) and (UDP-In)).  Click into each firewall rule, go to the Advanced tab, and uncheck the “Public” box so the rule doesn’t apply to the public profile.
     (Screenshot: RDGW firewall rules)
  2. RDP Traffic then should go over port 443 from the outside to the server and then 3389 internal to the server.  You can test this by trying to login via RDP without Gateway settings.
  3. You can modify/disable other Remote Desktop inbound firewall rules if needed too.
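The firewall change above as a script with a verification pass, added here as an example that is not from the original post. It assumes an elevated session on the server and matches the rules by the display names the post lists; internal (Domain/Private) RDP keeps working, which is what the gateway uses to reach the session host on the same box.

```powershell
# Added example (not from the original post): drop the Public profile from the inbound 3389 rules,
# then list any inbound allow rule that still opens 3389 to Public.
$rdpRules = Get-NetFirewallRule -Direction Inbound |
    Where-Object { $_.DisplayName -like 'Remote Desktop*User Mode*' }

foreach ($rule in $rdpRules) {
    "Restricting '$($rule.DisplayName)' to Domain,Private"
    Set-NetFirewallRule -Name $rule.Name -Profile Domain,Private
}

# Verification: enabled + inbound + Allow + port 3389 + still applies to Public (or to "Any",
# which includes Public) is a remaining exposure.
$leftovers = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = ($_ | Get-NetFirewallPortFilter).LocalPort
    $prof = [string]$_.Profile
    if (($port -contains '3389') -and ($prof -eq 'Any' -or $prof -match 'Public')) {
        [PSCustomObject]@{ Rule = $_.DisplayName; Profile = $prof; Port = ($port -join ',') }
    }
}
if ($leftovers) { $leftovers | Format-Table -AutoSize }
else { 'No enabled inbound rule opens 3389 to the Public profile.' }
```

This only helps if the internet-facing adapter is actually classified as Public: check with Get-NetConnectionProfile, because a NIC that Windows has put in the Private profile keeps matching the rules. From an outside machine, Test-NetConnection -ComputerName <server IP> -Port 3389 should now fail while -Port 443 succeeds, which is the test step 2 describes.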

Additional Notes:

See our separate post on how to purchase and install an SSL certificate from a trusted CA: http://www.riptidehosting.com/blog/purchasing-and-installing-a-trusted-ssl-certificate-to-use-for-rdgw-rdsh/

MS Access Error Query is Corrupt from November 12, 2019 Office Updates

The November 12, 2019 Microsoft Office updates introduced a bug in MS Access where users are seeing errors like this “Query is corrupt”.  Microsoft has acknowledged the bug and says a fix will be out with the updates on December 10.  See link here from Microsoft for more information:

https://support.office.com/en-us/article/access-error-query-is-corrupt-fad205a5-9fd4-49f1-be83-f21636caedec

To fix the issue in the meantime, you can uninstall the Office update for Access 2010, 2013 or 2016, as listed below:

Office 2010: Description of the security update for Office 2010: November 12, 2019 (KB4484127)
Office 2013: Description of the security update for Office 2013: November 12, 2019 (KB4484119)
Office 2016: Description of the security update for Office 2016: November 12, 2019 (KB4484113)

To uninstall the update in Windows Server 2016, go to Settings, Windows Update, Update History, click hyperlink toward top of page for Uninstall Updates, search for KB noted above, uninstall.  Even though it doesn’t require a reboot, we recommend you reboot your server after the uninstall.
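A read-only check to run before and after the uninstall above, added here as an example that is not from the original post: it queries the Windows Update history for the three KB numbers listed and reports what was recorded for each. The uninstall itself still follows the steps above; the script assumes the updates arrived through Windows Update (Click-to-Run Office installs update through Office itself and leave no entry here).

```powershell
# Added example (not from the original post): find the November 12, 2019 Office updates in
# Windows Update history and show whether they were installed or already removed.
$AccessKbs = 'KB4484127', 'KB4484119', 'KB4484113'   # Office 2010 / 2013 / 2016, from the post

$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$history  = if ($total -gt 0) { $searcher.QueryHistory(0, $total) } else { @() }

$opName = @{ 1 = 'Install'; 2 = 'Uninstall' }
$rcName = @{ 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

$found = foreach ($entry in $history) {
    $kb = [regex]::Match($entry.Title, 'KB\d{7}').Value
    if ($AccessKbs -contains $kb) {
        [PSCustomObject]@{
            KB        = $kb
            Operation = $opName[[int]$entry.Operation]
            Result    = $rcName[[int]$entry.ResultCode]
            Date      = $entry.Date
            Title     = $entry.Title
        }
    }
}
if ($found) { $found | Sort-Object Date | Format-Table -AutoSize }
else { "No history entry for $($AccessKbs -join ', ') on this server." }
```

A successful uninstall shows up as a second row for the same KB with Operation “Uninstall”; if a later row shows it installed again, automatic updates re-applied it, which is what the next paragraph addresses.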

Next you will want to disable automatic Windows Updates so the same buggy update does not get installed again automatically.  How to disable automatic updates varies depending on which Windows Server OS you are on.  If you disable automatic updates temporarily (until Microsoft releases the fix, by December 10 according to the link above), you need to remember to re-enable them to keep your system secure and up to date.  If you are a Riptide Hosting client, please contact us before disabling automatic updates and we will take care of it.

Advantages to using Riptide Hosting SPLA Microsoft Licenses


Most customers use our Microsoft licensing (Windows Server, Office, SQL Server, Remote Desktop Services – RDS), provided under the SPLA program (Service Provider Licensing Agreement) on a monthly basis, rather than purchasing their own MS Volume Licenses.  (Windows Server CAL licenses, which are required under regular MS Volume Licensing, are not required with our SPLA licensing.)

Using our Microsoft SPLA licensing eliminates upfront fees and makes it easy to increase and decrease licenses each month.

If you own Microsoft Volume Licenses, you can use our Dedicated Hardware Server offering and transfer your own licenses but depending on which licenses you own and how many users you have, it may still be cheaper to utilize our virtual servers/VMs with our SPLA licenses.  Contact us to review options and pricing.  We discuss the advantages to using SPLA licenses below.

SPLA LICENSES — Advantages to using our MS Licensing under SPLA:

  • Pay monthly with no commitment (versus Volume Licenses which may be 1-3 year term)
  • Pay for exactly the number of licenses you need today, not more. For user-based licensing (i.e. RDS SALs/user licenses, Office SALs), we can increase the number of licenses easily, so you only license what is needed.
  • For Windows Server under SPLA, no additional Windows Server CALs are needed (you still need RDS SALs if applicable).
  • Upgrade rights (similar to Software Assurance) are included: you can upgrade to the latest version.
  • No large upfront payment like if you purchase perpetual MS Volume Licenses.
  • No minimum purchase – Can increase user licenses in increments of one user. (Some volume licensing programs have a minimum purchase or minimum points)
  • You cannot install or use your own licenses for SQL Server, RDS, Office or Office 365 on our Virtual Servers due to Microsoft licensing restrictions.
  • Example Pricing:
    • Windows Server licensing is included in our base server cost
    • RDS user licenses are $8.99 per user per month
    • SQL Server Standard is $316/mo per 4 cores versus retail pricing of approx. $7,500 per 4 cores plus add Software Assurance annually.

VOLUME LICENSES — Advantages to using/purchasing your own Volume Licensing

  • If measuring over a long-term period, perpetual volume license may cost less than monthly SPLA license (but you have a long-term agreement with large upfront fee, plus you have to purchase Software Assurance separately, as well as Windows CALs on top of Windows Server).
    If you end up needing fewer licenses, you will still pay for all the licenses you purchased.
  • SQL Server Standard and Enterprise can be very expensive (often times as much as the underlying server cost!) and if you have already purchased these licenses you may want to use them to save money, although you are required to use our Dedicated Hardware Server hosting to use your own licensing.
  • If you have a large number of users and already have your own Office licensing (or Office 365 plan that will work on a server or terminal server), then you may want to use them to save money, although you are required to use our Dedicated Hardware Server hosting to use your own licensing.

VIRTUAL SERVER HOSTING — Virtual Server Environment at Riptide Hosting:

  • SPLA licenses only. You must license SQL Server, RDS and Office through us (SPLA) in our VM environment.  You cannot use your own licensing of SQL Server, RDS, Office, or Office 365 on our VMs.
  • Lower entry costs, VMs start at $100/month
  • Best for VMs with fewer resources (fewer than 25 users, less than 200 GB disk space, less than 8 GB RAM and 4 vCPU)
  • Less expensive full image backup options with quick restores
  • May be less expensive to use our SPLA licenses on a VM with full image backup, even in scenarios where you have your own licensing.

DEDICATED SERVER HOSTING — Dedicated Hardware Server Environment at Riptide Hosting:

  • You can use our SPLA licenses or use your own Volume Licenses. Where the server hardware is fully dedicated to you, the outsourcing language within Microsoft Product Terms applies.
  • Best when you need significant resources (more than 25 users, more than 200 GB disk space, more than 8 GB RAM and 4 vCPU).
  • Our Dedicated Servers start around $300/month. Compare this to AWS Dedicated Instances or AWS Dedicated Hosts that start at over $1k per month and you have to bring all your own licensing.
  • Requires more expensive full server image backup options due to much higher disk space provided.
  • The only hosting offering we provide that allows you to use your own SQL Server, RDS, Office, or Office 365 licenses. Even if you have your own licensing, make sure it can be used on a remotely hosted server.  For example, Office 365 Business plans won’t work on a Windows Server with Remote Desktop Services because Office 365 Business doesn’t include Pro Plus.

RDS — Remote Desktop Services (RDS) Licensing Notes:

  • We get asked a lot of questions about RDS licenses and here are some of our most common discussions.
  • Many hosting providers don’t even offer the ability to license RDS SALs through them and require you to have your own licenses. If you are using Remote Desktop Services (RDS), make sure you understand whether your hosting provider can provide the required licenses or not.  If you can only log in with two accounts, then they did not provide you licensing for RDS access other than for maintenance.
  • The RDS CALs/SALs are not part of the Windows Server OS licensing and are applied separately. Riptide Hosting provides RDS SALs on a monthly basis (with no long-term commitment) at $8.99 per user. For example, AWS doesn’t offer RDS user licensing.  You have to buy them from MS and then bring them to AWS via License Mobility which requires that you maintain active Software Assurance on the RDS CALs and go through a MS license verification process.
  • Microsoft only provides RDS user licenses on a per-unique-end-user basis. There is no concurrent licensing model available from Microsoft for RDS.  All users, regardless of actual usage, require a license. 

Windows Server and SQL Server Licensing Notes:

  • SQL Server is licensed per core but with a minimum of 4 cores per VM or per processor.
  • Windows Server is also now licensed per core (starting with Windows Server 2016)
  • SQL Server comes in multiple editions: Express (free), Web (through SPLA only; for publicly accessible web pages, etc.), Standard, Enterprise. Contact us for differences and monthly SPLA pricing.

Disable Internet Explorer Enhanced Security Configuration

Windows Server comes with Internet Explorer (you are also free to download another browser of your choice such as Chrome or Firefox). Internet Explorer Enhanced Security Configuration (IE ESC) is a security feature that can be enabled or disabled.  If enabled, when you open IE you will see something like this “Internet Explorer Enhanced Security Configuration is enabled” and when you type in a website, you may see a popup with “Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration”. According to Microsoft, IE ESC  “reduces the exposure of your server to potential attacks from Web-based content”.   IE ESC will typically block your ability to download programs or applications to the server.

If you need to temporarily disable this feature, you can do so using the following steps:

  1. Open “Server Manager” – click on the icon that looks like a ‘tower computer with toolbox next to it’ in taskbar next to the start button
  2. In Server Manager, go to the “local server” section in left side menu.
  3. Next, look for “IE Enhanced Security Configuration” in the right column, click on the OFF hyperlink.
  4. Here you can disable Internet Explorer Enhanced Security Configuration for “Administrators” or “Users” or both. This is where you can enable IE ESC too.  Usually the new settings take effect when you close the existing IE sessions and reopen the browser; otherwise reboot the server for the changes to take effect.
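The same toggle from PowerShell, added here as an example that is not part of the original post: it flips the IE ESC state for the Administrators group only, which is the narrowest change when an administrator needs a one-off download, and turns it back on afterwards. It relies on the two Active Setup component keys that Server Manager itself writes for IE ESC; run it elevated.

```powershell
# Added example (not from the original post): enable/disable IE ESC per group from the registry.
function Set-IEEsc {
    param(
        [Parameter(Mandatory)][ValidateSet('Administrators', 'Users')][string]$Group,
        [Parameter(Mandatory)][bool]$Enabled
    )
    # Well-known Active Setup component IDs used by IE ESC: ...A7 = Administrators, ...A8 = Users.
    $guid = if ($Group -eq 'Administrators') { '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}' }
            else                             { '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}' }
    $key = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$guid"
    Set-ItemProperty -Path $key -Name IsInstalled -Value ([int]$Enabled) -Type DWord
    [PSCustomObject]@{
        Group   = $Group
        IEESC   = if ((Get-ItemProperty -Path $key -Name IsInstalled).IsInstalled -eq 1) { 'On' } else { 'Off' }
    }
}

# Temporarily off for Administrators only (Users keep the protection), then back on.
Set-IEEsc -Group Administrators -Enabled $false
# ... download and install the program from its vendor's site, checking the publisher signature ...
Set-IEEsc -Group Administrators -Enabled $true

# Open IE windows must be closed for the change to apply (the post's step 4).
Stop-Process -Name iexplore -ErrorAction SilentlyContinue
```

Re-enabling in the same script is deliberate: the common failure mode is disabling IE ESC for a download and never turning it back on, which leaves browsing on the server as exposed as on a desktop PC.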

To protect your hosted remote desktop server (terminal server), we recommend security measures such as anti-virus, backing up your data, requiring strong / complex passwords, etc. We also offer Veeam full server image backup that goes beyond just file/folder backup. Our licensing is monthly with no long-term commitment.