Remote Desktop Services – Full Desktop Sessions vs Start Program Automatically vs RemoteApp/RDWeb

FULL DESKTOP SESSIONS:   The most common way to use Remote Desktop Services (RDS) on Windows Server 2016 or Windows Server 2019 is full "desktop sessions", where each user gets their own desktop to customize, open programs (usually in simultaneous, multi-user mode, e.g. a split MS Access application where each user has their own front-end), save and share files, open MS Office documents (if Office is installed), and so on.   Users can share files with each other through public folders.  Desktop sessions are the default in RDS and are easy to use from almost any device with the Microsoft Remote Desktop client, which is built into Windows PCs and can be downloaded for Mac, iPhone, Android, etc. If you need to share and save files, interface with Office, install several applications, or have full desktop features, you will most likely want regular/full desktop sessions without the additional configuration and complexity of RemoteApp/RDWeb.  An RDS setup with full desktop sessions can be completed within a few hours.  Keep in mind that a full desktop session gives every user an interactive logon on the server itself, so what a non-administrator can reach is governed by NTFS permissions and by any group policy lockdown you apply (see the group policy section below).

START PROGRAM AUTOMATICALLY UPON LOGON:  If you want some (or all) users to open only one particular program when they log in to the server, and do not want to give them a full desktop session, you can set this up in each user's profile settings, on the Environment tab of the user's Properties.  This is easy to set up and is done user by user.  Starting with Windows Server 2016, a registry key must be set for this to work, so please contact Riptide Hosting to change this registry key.   With this in place the application opens automatically when the user logs in, and when they close it the entire session ends without a desktop ever being shown.  This option may work if you have a single program for users to access and do not want to provide a desktop session.  It probably will not work well if you have multiple applications, need users to save or share files, export to Excel, etc. (then you would want full desktop sessions).  Contact us for a few screenshots on this option.   For example, in the Environment tab of the user's Properties, tick "Start the following program at logon" and in the "Program file name" field use a path similar to this, which would start an MS Access application:  "C:\Program Files (x86)\Microsoft Office\Office16\MSACCESS.EXE" "C:\users\xxx\xxx.mdb or .accde"   Keep in mind that this is a convenience, not a security boundary: the user is still interactively logged on to the server, and anything the application itself can launch or browse to (an Open or Save dialog, for instance) is reachable, so pair it with the group policy lockdown described below for users who should not see the rest of the server.

REMOTEAPP/RDWEB:  RemoteApp/RDWeb is an RDS role that can be installed separately; users log in to a website (https://yourdomainname/rdweb or https://yourIPaddress/rdweb) and see only the applications you have published to them.  RemoteApp/RDWeb is a great option when you do not want to provide a desktop session, but it is much more complex to set up: it requires the server to be part of a domain (either domain-joined, or with the Active Directory Domain Services (ADDS) role installed on the server itself) and requires the RD Connection Broker and RD Web Access roles.  If you install the ADDS role on the same single server, install ADDS before any of the RDS roles (RD Session Host, RD Gateway, RD Connection Broker, RD Licensing, and RD Web Access).   With RemoteApp you will want trusted SSL certificates for all RDS roles; and since RDWeb puts a logon page on the internet, account lockout and strong passwords matter as much here as for RDP itself.  Historically RemoteApp did not work particularly well for Mac users or for browsers other than Internet Explorer (because of ActiveX requirements), but those limitations are gone in newer versions of Windows Server.  We recommend using an IT consultant or firm that has set up RemoteApp/RDWeb before, and we can provide referrals if needed.

FULL DESKTOP SESSIONS WITH GROUP POLICIES:  If you want to provide full desktop sessions but lock down what users can see or do beyond the defaults, you can set up group policies that affect only non-administrator users.  Here is an older blog post on doing this on a workgroup server (if your server is domain-joined, do this through the domain controller): https://www.riptidehosting.com/blog/how-to-create-group-policies-in-server-2012r2-that-only-affect-specified-users/    Group policy is a very powerful way to lock down the server for regular users.  That said, it is relatively complex and easy to accidentally lock yourself out with, so we recommend you have us take a snapshot before applying group policies.

Installing the Remote Desktop Gateway Role (RDGW) on Windows Server 2019

Installing the Remote Desktop Gateway Role (RDGW) on Windows Server 2019 to force RDP over HTTPS (port 443) instead of port 3389.


In this example, we had already installed the RD Session Host (RDSH) and RD License Server roles previously on the server.  This server is in workgroup mode and not joined to a domain.  Steps below are used to install the RDGW role on a single server (installing RDGW also installs IIS) so all three roles (RDSH, RDlic, RDGW) are installed on the same server. If you are already licensing RDS with RDS user licenses, there is no additional cost to installing the RD Gateway Role (other than if you purchase a trusted SSL certificate).

  1. Go to Server Manager, Add Roles and Features, role-based or feature-based installation, select the existing server, and under Server Roles expand Remote Desktop Services and select Remote Desktop Gateway; accept the defaults for everything else.  Installation takes about 5 minutes.  It does not force a reboot, but rebooting the server after this step is typically a good idea.

  2. Next go to Server Manager, Remote Desktop Services, Servers, click on the server name, right-click into Properties and then "RD Gateway Manager".  (Note: in RDS, Overview, you will see a message about needing to be logged in as a domain user to manage servers and collections.  That functionality requires the server to be joined to a domain; we are proceeding in workgroup mode only below.)

  3. In RD Gateway Manager, expand the tree and go to Policies.  Create a "Connection Authorization Policy" (CAP), which controls who may authenticate to the gateway, and a "Resource Authorization Policy" (RAP), which controls which internal computers those users may reach.  In this example we created policies called CAP1 and RAP1 and used the defaults for almost everything.  For CAP1, add Remote Desktop Users and Administrators under "user group membership" (only the groups that actually need to come in through the gateway).  For RAP1, under Network Resource, change the selection to "allow users to connect to any resource" since this is a single-server setup; note that "any resource" means any host the gateway itself can reach, so tighten this to a specific computer group if the server is ever placed on a private network with other machines.  Both policies can be made more specific and restrictive later.

  4. For the SSL certificate (back in RD Gateway Manager, Properties, SSL tab), create a self-signed certificate: click "create and import certificate" and set the certificate name to the server's IP address "xxx.xx.xxx.xx".  Copy the exported self-signed certificate to your local PC, because every client that connects through the gateway will need it (see the client steps below).  If you use a certificate from a trusted CA instead, no per-client import is required.  Take note of the self-signed certificate's expiration date, which should be about 6 months out; if you keep using a self-signed certificate, you will need to generate and redistribute a new one before it expires.  The certificate is what clients use to tell your gateway from an impostor, so when you hand the .cer file to users, also give them the thumbprint shown in RD Gateway Manager so they can compare it before trusting the file.

Note: a self-signed certificate must be installed on each client device.  A certificate from a trusted CA (GoDaddy or any other public CA) is recommended instead; it will be issued for a DNS name rather than an IP address, so you will connect to the gateway by that name.

  5. At this point, every item in the RD Gateway Manager status pane should show a green check mark.

  6. Go to Services and change the Remote Desktop Gateway service (service name TSGateway) from startup type "Automatic (Delayed Start)" to "Automatic" and make sure it is running.  This lets the gateway start sooner after a reboot; otherwise you may see a message that the gateway service is unavailable until it finishes starting several minutes later.
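The same six server-side steps can be done from an elevated PowerShell prompt on the server. The block below is an added example and is not part of the original post. It assumes a placeholder public address of 203.0.113.10, the policy names CAP1/RAP1 from the text, and the "Group@Domain" spelling of the local groups (BUILTIN) that the RDS: provider expects; if RD Gateway Manager shows your groups differently, use that form. The self-signed certificate is for the first test only; the RD Gateway role itself has no notion of a trusted CA beyond what is in the machine's certificate stores.

```powershell
# Added example (not from the original post): RD Gateway on a single workgroup server.
# Assumed placeholders: server public IP 203.0.113.10; local group names in the
# Name@BUILTIN form accepted by the RDS: provider (verify against RD Gateway Manager).
$ServerIp = '203.0.113.10'

# Step 1: install the role (this also installs IIS); management tools give you the
# RDS: PowerShell drive and RD Gateway Manager.
Install-WindowsFeature RDS-Gateway -IncludeManagementTools
Import-Module RemoteDesktopServices

# Step 3a: CAP = who may authenticate to the gateway. AuthMethod 1 = password.
# Only groups that actually need to come in through the gateway belong here.
New-Item -Path RDS:\GatewayServer\CAP -Name CAP1 `
    -UserGroups @('Remote Desktop Users@BUILTIN', 'Administrators@BUILTIN') `
    -AuthMethod 1

# Step 3b: RAP = which inner hosts those users may reach. ComputerGroupType 2 =
# "any network resource", i.e. anything the gateway can route to. Fine for a
# single server; replace with a specific computer group if more hosts appear.
New-Item -Path RDS:\GatewayServer\RAP -Name RAP1 `
    -UserGroups @('Remote Desktop Users@BUILTIN', 'Administrators@BUILTIN') `
    -ComputerGroupType 2

# Step 4: self-signed certificate with CN = the IP, as the GUI wizard does, valid
# 6 months like the wizard's. Export the public half for distribution to clients.
# In production use a CA-issued certificate for a DNS name instead.
$cert = New-SelfSignedCertificate -DnsName $ServerIp `
    -CertStoreLocation Cert:\LocalMachine\My -NotAfter (Get-Date).AddMonths(6)
$cerPath = "$env:USERPROFILE\Documents\rdgw-$ServerIp.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
"Give clients this thumbprint to compare before they import $cerPath : $($cert.Thumbprint)"

# Bind the certificate to the gateway's HTTPS listener.
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint

# Step 6: start with the OS rather than delayed, so clients do not see
# "gateway service unavailable" for minutes after a reboot.
Set-Service -Name TSGateway -StartupType Automatic
Restart-Service -Name TSGateway

# Checks (step 5): bound thumbprint, certificate validity window, service state.
Get-Item RDS:\GatewayServer\SSLCertificate\Thumbprint
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint
Get-Service TSGateway | Select-Object Status, StartType
```

Printing the thumbprint at creation time matters more than it looks: a self-signed certificate that users are told to install into Trusted Root is only as trustworthy as the channel it arrived over, so the thumbprint gives them something to check it against.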

Connecting to RDGW from your local PC

  1. Open the Remote Desktop Connection client on your local PC and expand all fields by clicking "Show Options".
  2. On the General tab, make sure the Computer field is the IP address of the server.  You will enter the same IP address on both the General tab and the Advanced tab, because the RDSH server and the RDGW server are the same machine in this example.
  3. Before connecting, go to the Advanced tab.
  4. Click the Settings button under "Connect from anywhere".
  5. Select "Use these RD Gateway server settings".
  6. Enter the IP address of the server as the Server name.
  7. Uncheck "Bypass RD Gateway server for local addresses".
  8. Check "Use my RD Gateway credentials for the remote computer", since the gateway and the remote computer are the same server in this example.
  9. Press OK, go back to the Local Resources tab and select which local devices should be redirected (typically printers and the clipboard, but not local drives under the More button; drive redirection uses bandwidth and exposes the client's files to the session, so enable it only when needed).
  10. Go to the General tab, decide whether credentials may be saved, and save the customized .rdp file as a shortcut on your desktop by clicking "Save As" and giving it a useful name.
  11. When you connect, you may first get a warning: "The publisher of this remote connection can't be identified. Do you want to connect anyway?" or "The identity of the remote computer cannot be verified. Do you want to connect anyway?"  The first comes from using an unsigned .rdp file you customized yourself; the second comes from the session host's self-signed RDP certificate.  You can tick "Don't ask me again for connections to this computer" to suppress it, but be aware that you will then not be warned if that certificate changes later.
  12. Connect and you will be prompted for credentials, which are used for both RDSH and RDGW; choose whether to remember them.
  13. If you get the message "This computer can't verify the identity of the RD Gateway XXXXX…" and it won't connect, you are using a self-signed gateway certificate that has not been placed in the Trusted Root Certification Authorities store on your local PC.  Go back to the server, copy the certificate from users\username\documents\certname.cer to your local PC/desktop, double-click it, select "Install Certificate", choose the "Local Machine" store location and then the specific store "Trusted Root Certification Authorities" (do not let it pick the store automatically).  Before installing it, compare its thumbprint with the one shown in RD Gateway Manager on the server.  THIS MUST BE DONE ON EVERY LOCAL PC THAT CONNECTS WHEN USING A SELF-SIGNED CERTIFICATE.
  14. If you have trouble logging in, try typing the username as servername\username, e.g. WIN-XXXXXX\Administrator or ServerX\Dan.
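The client-side steps above can be scripted so that every PC gets an identical .rdp shortcut and the self-signed gateway certificate is inspected before it is trusted. The following is an added example, not code from the original post. It assumes the server and gateway share the placeholder address 203.0.113.10 and that the .cer file exported on the server has been copied to the user's Desktop; the .rdp setting names are the standard ones the Remote Desktop Connection client writes.

```powershell
# Added example (not from the original post): build the gateway .rdp shortcut from
# steps 1-10 and vet the self-signed gateway certificate before step 13's import.
# Assumed placeholders: server/gateway IP 203.0.113.10, .cer copied to the Desktop.
$ServerIp = '203.0.113.10'
$RdpPath  = "$env:USERPROFILE\Desktop\Server-via-RDGW.rdp"
$CerPath  = "$env:USERPROFILE\Desktop\rdgw-$ServerIp.cer"

# .rdp files are "name:type:value" lines (s = string, i = integer).
#   gatewayusagemethod 1       = always use the gateway (no bypass for local addresses)
#   gatewaycredentialssource 0 = ask for a password (NTLM)
#   promptcredentialonce 1     = same credentials for gateway and remote computer
#   prompt for credentials 1   = always prompt; saved credentials are not reused
#   authentication level 2     = warn (not fail) on an unverifiable RDSH certificate
#   redirectdrives 0           = clipboard and printers only, no local drives
@"
full address:s:$ServerIp
gatewayhostname:s:$ServerIp
gatewayprofileusagemethod:i:1
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
prompt for credentials:i:1
authentication level:i:2
enablecredsspsupport:i:1
redirectclipboard:i:1
redirectprinters:i:1
redirectdrives:i:0
drivestoredirect:s:
"@ | Set-Content -Path $RdpPath -Encoding Unicode

# Inspect the certificate before trusting it. Self-signed means Subject == Issuer.
# Compare the thumbprint with the one shown in RD Gateway Manager on the server,
# so that a file swapped in transit is not what ends up in Trusted Root.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
"Subject:    {0}`nIssuer:     {1}`nExpires:    {2}`nThumbprint: {3}" -f `
    $cert.Subject, $cert.Issuer, $cert.NotAfter, $cert.Thumbprint
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning 'Not self-signed; a CA-issued gateway certificate should not need this import.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw 'Certificate has already expired; regenerate it on the server first.'
}

# Step 13: Local Machine > Trusted Root Certification Authorities (needs an elevated
# prompt). This makes the gateway's private key a trust anchor for this PC, so keep
# that key on the gateway only and remove this entry once you move to a CA certificate.
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Launch the saved shortcut (steps 11-12: expect the credential prompt, not a gateway error).
mstsc.exe $RdpPath
```

When the self-signed certificate is renewed on the server (about every 6 months, per the text), rerun the inspection and import part of this script on each client; the old entry in Trusted Root can be deleted with `Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq <old thumbprint> | Remove-Item`.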

Turn off port 3389 to internet to force traffic to use port 443/RDGW

  1. Next, remove the Public profile from the four inbound Windows Firewall rules for Remote Desktop on port 3389: "Remote Desktop – User Mode (TCP-In)", "Remote Desktop – User Mode (UDP-In)", "Remote Desktop Services – User Mode (TCP-In)" and "Remote Desktop Services – User Mode (UDP-In)".  Open each rule's properties, go to the Advanced tab and uncheck the "Public" box so the rule no longer applies to the Public profile.  This only has an effect if the server's internet-facing adapter is actually assigned the Public profile (check Network and Sharing Center), and make the change from a session that came in through the gateway rather than over plain 3389, so you do not cut yourself off.
  2. RDP traffic from the outside should then arrive on port 443 and be handed to 3389 internally on the server.  Test by trying to connect with the Remote Desktop client without the gateway settings: it should fail.
  3. You can modify or disable other Remote Desktop inbound firewall rules if needed too.

Additional Notes:

See different post on how to purchase and install a SSL certificate from a trusted CA. http://www.riptidehosting.com/blog/purchasing-and-installing-a-trusted-ssl-certificate-to-use-for-rdgw-rdsh/

How to Install VPN server on Windows Server 2019

Windows Server 2019 has a built-in VPN server role (Routing and Remote Access, RRAS) that can be added to the server OS at no charge. The method below sets up a PPTP VPN using Windows authentication, so it is password based and strong, complex passwords are still very important.  Be aware, though, that the MS-CHAPv2 authentication PPTP relies on has known cryptographic weaknesses: a captured handshake can be cracked offline in fixed time regardless of password complexity, and Microsoft has recommended against PPTP for years.  Treat the PPTP steps as a way to get the role working, and use the L2TP/IPsec section at the end of this document (or SSTP, or certificate authentication) for anything you leave running; those protocols protect the password exchange itself.  This post will detail how to set up the VPN role on a Windows server, how to set up the VPN connection on your local Windows PC, how to stop RDP and other protocols from using the public profile in the Windows Firewall, and finally how to extend the setup to L2TP. There is no additional cost for installing the VPN/RRAS role on Windows Server.

STEPS TO INSTALL VPN SERVER ROLE ON WINDOWS SERVER 2019

  1. Log on to Windows Server 2019 using the Administrator account or an account with administrative rights.
  2. Open Server Manager, Dashboard, "Add Roles and Features", Next, select "role-based or feature-based installation", Next, select your server, Next, then on the Select server roles screen select "Remote Access"; on the Select features screen accept the defaults and press Next.  Under Remote Access Role Services select only "DirectAccess and VPN (RAS)" (accept the features it adds automatically) and leave Routing and Web Application Proxy unchecked, Next, leave the defaults under Web Server Role Services, Next, and click Install (it takes a few minutes and usually does not require a reboot).
  3. In the top bar of Server Manager, click the yellow triangle and select "Open the Getting Started Wizard", or click "Remote Access" in the left pane and then "More" in the right pane to reach the same wizard.
  4. Select "Deploy VPN only" (this may take up to a minute to open).  (Note: deploying DirectAccess requires the server to be joined to a domain, not workgroup mode.)
  5. Right-click the server name and select "Configure and Enable Routing and Remote Access".
  6. Select "Custom configuration".
  7. Select "VPN access" only, then Finish and Start Service.  Windows Firewall should open the necessary ports automatically, or you may see a message telling you to enable the firewall rules manually; press OK on that reminder.
  8. Go back to Routing and Remote Access via Server Manager, Tools (drop-down near the upper right corner), "Routing and Remote Access".  Right-click the server name, select Properties, and on the IPv4 tab add a static IP address pool for VPN clients.
  9. Next, open "Network and Sharing Center" and click "Change adapter settings".  Right-click the Ethernet adapter, highlight "Internet Protocol Version 4 (TCP/IPv4)", click Properties, then Advanced, and add a secondary IP address that is a private IP in the same subnet as the pool above; in this example we used 192.168.0.20 (this is the address you will RDP to once the VPN connection is up).
  10. Next, adjust settings for each user you want to allow to VPN to the server: in Computer Management, Local Users and Groups, Users, right-click the user and open Properties.  On the "Dial-in" tab change "Network Access Permission" to "Allow access" (instead of "Control access through NPS Network Policy").  Do this for each user who needs VPN access, and only for those users.
  11. Enable the Windows Firewall inbound rules for PPTP (PPTP requires both PPTP-In and GRE-In) and for any other VPN protocol you might use (L2TP or SSTP).
  12. It is usually a good idea to reboot the server at this point even if it does not ask for one.
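Steps 2 through 11 have command-line equivalents, which is handy when the server is reached only over RDP and a second pair of eyes wants to review what was configured. The block below is an added example and is not from the original post. It assumes a LAN adapter alias of "Ethernet", the server-side address 192.168.0.20/24 used in the text, a client pool of 192.168.0.100 to 192.168.0.110, a local user named Dan (the text's example username), and the default Windows display names of the Routing and Remote Access firewall rules; the Get-NetFirewallRule line prints the actual names so you can adjust if yours differ.

```powershell
# Added example (not from the original post): RRAS VPN steps 2-11 from an elevated
# prompt on a workgroup server. Assumed: adapter 'Ethernet', private address
# 192.168.0.20/24 (from the text), pool 192.168.0.100-110, local user Dan,
# default firewall rule display names.

# Steps 2-4: install the role and deploy "VPN only".
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn

# Step 8: static IPv4 pool handed out to VPN clients.
netsh ras ip set addrassign method=pool
netsh ras ip add range from=192.168.0.100 to=192.168.0.110

# Step 9: secondary address on the LAN adapter, same subnet as the pool. The adapter
# must be statically addressed; this is the address you RDP to once the tunnel is up.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 192.168.0.20 -PrefixLength 24

# Step 10: dial-in permission per user. Grant it only to users who need the VPN;
# everyone else keeps the default (controlled by NPS policy, i.e. denied here).
netsh ras set user name=Dan dialin=permit
netsh ras show user name=Dan

# Step 11: inbound rules. PPTP needs TCP 1723 (PPTP-In) plus GRE (GRE-In).
# L2TP-In (UDP 1701) is enabled now too so the optional L2TP switch later has
# nothing left to open; SSTP stays off unless you configure it.
Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' |
    Select-Object DisplayName, Enabled, Profile          # confirm the names first
Enable-NetFirewallRule -DisplayName 'Routing and Remote Access (PPTP-In)',
                                    'Routing and Remote Access (GRE-In)',
                                    'Routing and Remote Access (L2TP-In)'

# Checks: the service is running and starts with the OS.
Get-Service RemoteAccess | Select-Object Status, StartType
```

The `netsh ras show user` line is worth keeping in your notes: run without a name it lists every account with dial-in permission, which is the quickest way to audit who can still reach the VPN after staff changes.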

SETUP VPN CONNECTION ON LOCAL PC (to connect your local PC to the offsite server via VPN)

  1. On your local PC, go to Control Panel, Network and Internet, Network and Sharing Center, "Set up a new connection or network", then "Connect to a workplace / set up a VPN" (or Settings, Network & Internet, VPN, "Add a VPN connection").  Select "Use my Internet connection (VPN)".
  2. Enter the IP address of the server you will connect to; this is the public IP address, not the private 192.168.x.x address you set up above.
  3. Enter a descriptive name for the connection, then Create.
  4. Open your VPN connection by clicking the Start icon and typing VPN, or by clicking the network icon in the notification area and choosing the VPN.
  5. Click the VPN connection you just created and press Connect.  Enter your username and password on the next screen and click "Connect".
  6. You can adjust settings (security and otherwise) by going back to the connection and opening Properties (Change adapter settings, find the connection, right-click, Properties) and matching the VPN settings configured on the server.  You can also change the VPN settings on the server.

VERIFY THIS: uncheck "Use default gateway on remote network"; otherwise all your traffic, including web browsing, goes through the remote server and performance suffers.  If you lose internet access on your local machine once the VPN connects, open the VPN connection's Properties, Networking tab, highlight the TCP/IPv4 row, click Properties, click Advanced, and uncheck "Use default gateway on remote network".  (You may have to disconnect and reconnect before the change applies.)  This is split tunneling: only traffic for the server's subnet (192.168.0.x here) goes through the tunnel.
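The client connection, including the "Use default gateway on remote network" fix, can be created in one step with the VpnClient cmdlets; doing it this way also guarantees MS-CHAPv2 and required encryption rather than whatever the wizard negotiates. The block below is an added example, not code from the original post. It assumes the placeholder public server address 203.0.113.10 and the username Dan from the text. It is written for the PPTP setup described here, and the same cmdlet is what the optional L2TP steps further down change: set $TunnelType to 'L2tp' and supply the pre-shared key once the server has one.

```powershell
# Added example (not from the original post): create and test the client VPN entry.
# Assumed: server public IP 203.0.113.10, user Dan; switch to L2tp + PSK once the
# server side of the optional L2TP section is done.
$ServerPublicIp = '203.0.113.10'
$TunnelType     = 'Pptp'     # 'L2tp' after the server has a pre-shared key
$Psk            = ''         # paste the server's L2TP pre-shared key here for L2tp

$conn = @{
    Name                 = 'Office Server VPN'
    ServerAddress        = $ServerPublicIp
    TunnelType           = $TunnelType
    AuthenticationMethod = 'MSChapv2'  # Windows password auth, matching the server
    EncryptionLevel      = 'Required'  # refuse to connect unencrypted
    SplitTunneling       = $true       # = unchecked "Use default gateway on remote network"
    RememberCredential   = $false      # prompt each time; no cached VPN password on the PC
    Force                = $true       # replace an existing entry of the same name
}
if ($TunnelType -eq 'L2tp') { $conn.L2tpPsk = $Psk }   # -L2tpPsk is only valid with L2tp
Add-VpnConnection @conn

# Connect; '*' makes rasdial prompt for the password instead of taking it on the command line.
rasdial 'Office Server VPN' Dan *

# Checks: which protocol actually came up, that split tunneling is on, and that the
# server's private address now answers on 3389 while the public one is for the VPN only.
Get-VpnConnection -Name 'Office Server VPN' |
    Select-Object ConnectionStatus, TunnelType, EncryptionLevel, SplitTunneling
Test-NetConnection -ComputerName 192.168.0.20 -Port 3389       # TcpTestSucceeded: True
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop                       # default route stays on the LAN NIC
```

`Get-VpnConnection` showing `TunnelType : Pptp` after you intended L2TP means the client fell back; fix the client entry rather than accepting the downgrade, and once the server no longer offers PPTP such a fallback will simply fail.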

ADJUSTING FIREWALL RULES TO TURN OFF RDP ACCESS (PORT 3389) ON PUBLIC PROFILE

Note: there are many adjustments you can make to the Windows Firewall and this is just one example/method.  You should properly test any changes made.

  1. Make sure you are logged in via RDP over the VPN to the private IP (192.168.0.20 in this example) before changing the rules below; a session that arrived over public 3389 will be cut off by them.
  2. First make sure the RAS interface on the server is assigned the Private firewall profile (check "Network and Sharing Center" on the server).  If it is not (most likely it is Public, so you will have to change it): gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies, and assign "RAS (Dial In) Interface" to the Private network profile.  (Alternative: Start, secpol.msc, Network List Manager Policies, right-click the RAS interface, Network Location tab, change it to Private.)  If you skip this, removing the Public profile from the RDP rules also blocks your VPN-side RDP connections.
  3. Next, open Windows Firewall with Advanced Security and modify these four inbound rules:
    • "Remote Desktop Services – User Mode (TCP-In)"
    • "Remote Desktop Services – User Mode (UDP-In)"
    • "Remote Desktop – User Mode (TCP-In)"
    • "Remote Desktop – User Mode (UDP-In)"
    On each rule's Advanced tab, uncheck the Public profile.  You could, and should, also restrict other rules that currently apply to the Public profile to Private only.
  4. Now connect and test your changes.
  5. Connect to the server via VPN first, then RDP to the private IP (192.168.0.20 in the example above) while the VPN is active.  You should no longer be able to RDP to the public IP address.  Test every scenario after deployment.
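The firewall change is the same one described earlier for the RD Gateway setup and again here for the VPN setup, so one added example covers both; it is not code from the original post. Instead of naming the four rules, it selects every inbound rule that opens local port 3389, which also catches the RDSH-specific "Remote Desktop Services" rules whatever their exact display name on your build. It assumes the placeholder public address 203.0.113.10 and the private address 192.168.0.20 from the text.

```powershell
# Added example (not from the original post): drop the Public profile from every
# inbound rule that opens port 3389, then verify from the client. Assumed addresses:
# public 203.0.113.10 (placeholder), private/VPN-side 192.168.0.20 (from the text).

# ----- On the server, from a session that does NOT arrive over public 3389 -----
# (through the RD Gateway, or RDP to 192.168.0.20 over the VPN)

# Safety check first: the interface your session arrives on must not be Public, or
# the change below ends that session. "RAS (Dial In) Interface" should read Private;
# the internet-facing adapter should read Public, otherwise the change has no effect.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Select rules by what they open, not by display name.
$rdpRules = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' }

$rdpRules | Select-Object DisplayName, Enabled, Profile     # before: Profile = Any

# Keep Domain and Private; "Any" minus Public. UDP rules are covered as well.
$rdpRules | Set-NetFirewallRule -Profile Domain,Private

Get-NetFirewallRule -Name $rdpRules.Name |
    Select-Object DisplayName, Enabled, Profile             # after: Domain, Private

# ----- From the client, with the VPN disconnected -----
Test-NetConnection -ComputerName 203.0.113.10 -Port 3389   # TcpTestSucceeded: False
Test-NetConnection -ComputerName 203.0.113.10 -Port 443    # True if the RD Gateway is in use
Test-NetConnection -ComputerName 203.0.113.10 -Port 1723   # True while PPTP is still enabled
```

`Test-NetConnection` only probes TCP, so the UDP 3389 rule cannot be checked this way; the "after" listing on the server is the evidence for that one. Note also that an RD Gateway logon still ends in the same Windows password check as direct RDP, so the gateway hides 3389 but does not remove the need for strong passwords and lockout.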

Congratulations, Now your PPTP VPN should be setup and working!

OPTIONAL STEPS TO SETUP/CONFIGURE L2TP:

The steps above create a "Point-to-Point Tunneling Protocol" (PPTP) VPN and open the Windows Server firewall for PPTP, L2TP and SSTP (or you enabled these rules manually), although L2TP and SSTP need additional configuration before they work.   Moving to L2TP/IPsec or SSTP improves security: L2TP wraps the whole PPP exchange, including the MS-CHAPv2 password handshake, in IPsec, so it is no longer exposed to anyone who can capture the traffic, and SSTP does the same with TLS.  One way to set up L2TP is with a "pre-shared key": you enter it in RRAS Properties on the Security tab (on the server) and again in the VPN connection on each client PC.  When you connect, the Windows VPN client shows whether it connected with PPTP or L2TP.  In the Security options of the PC's VPN connection you can choose which protocol to use if more than PPTP has been set up on the server.  Once you are on L2TP, turn off PPTP on the Windows Server and disable the PPTP firewall rules (see below).

How to enable L2TP/IPsec VPN and disable PPTP protocol

Configure L2TP with preshared key:

  1. First make sure the Windows Firewall inbound rules on the server allow L2TP (if you only enabled the PPTP and GRE rules earlier, enable the L2TP rule now).  Open the Routing and Remote Access console, right-click the server name and go to Properties.  On the Security tab, check "Allow custom IPsec policy for L2TP/IKEv2 connection" and enter a long, random value in the "Preshared key" field.
  2. The pre-shared key is the same for every user and device, so treat it like a shared password: generate it randomly rather than choosing a word, distribute it out of band, and change it whenever a user or device that had it leaves.  It protects the IPsec tunnel; each user still authenticates with their own Windows username and password inside it.
  3. Now disconnect your current PPTP session and reconnect using the L2TP/pre-shared key settings in your local connection client (adjust the VPN connection's Security tab accordingly).  If the connection fails with error 809 when either end is behind NAT, the client usually needs the registry value AssumeUDPEncapsulationContextOnSendRule (DWORD 2) under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent, followed by a reboot.
  4. Once L2TP works, log in to the server and disable PPTP: in Routing and Remote Access, right-click Ports, choose Properties, highlight the WAN Miniport (PPTP) row, click Configure and uncheck the top two boxes (Remote access connections and Demand-dial routing connections).
  5. Last, disable the Windows Firewall rules for PPTP and GRE if you are only using L2TP.
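Two parts of this switch are worth scripting: producing a pre-shared key that is actually random, and closing PPTP at the firewall and confirming nothing listens for it any more. The block below is an added example and is not from the original post; the key itself is still pasted into the RRAS Security tab as in step 1, and the PPTP ports are still disabled in the Ports dialog as in step 4. It assumes the default Windows display names of the Routing and Remote Access firewall rules.

```powershell
# Added example (not from the original post): random L2TP pre-shared key, then the
# server-side firewall switch from PPTP to L2TP with a check that PPTP is gone.
# Assumed: default Windows display names for the Routing and Remote Access rules.

# Step 1/2: a 256-bit key from the OS CSPRNG, written as 64 hex characters so it
# pastes cleanly into the RRAS dialog and every client. Shared by all clients, so
# record who received it and regenerate it when any of them leaves.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
"Paste into RRAS > Properties > Security > Preshared key:`n$psk"

# Step 1 (firewall half) and step 5: L2TP on (UDP 1701; IKE on UDP 500/4500 is
# covered by the built-in Core Networking IPsec rules), PPTP (TCP 1723) and GRE off.
Enable-NetFirewallRule  -DisplayName 'Routing and Remote Access (L2TP-In)'
Disable-NetFirewallRule -DisplayName 'Routing and Remote Access (PPTP-In)',
                                     'Routing and Remote Access (GRE-In)'
Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' |
    Select-Object DisplayName, Enabled, Profile

# Step 4 check: after the PPTP ports are unchecked in RRAS, nothing should listen on
# TCP 1723. An empty result is the pass condition; a line here means PPTP is still up.
Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue

# Current VPN sessions, so you can see each client reconnect as L2TP rather than PPTP.
netsh ras show client
```

Disabling the firewall rule and disabling the PPTP ports in RRAS are both needed: the firewall alone leaves the listener running for anything that reaches the private side, and the RRAS change alone still advertises an open 1723 to the internet until the rule is gone.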