Microsoft INF218x (edX, 4T2017)


Module 3 – Remote Desktop Gateway

Estimated Time: 90 minutes

A. Datum Corporation provided access to intranet web applications by implementing Web Application Proxy. Now, IT management also wants to enable access to some of the internal desktop applications by leveraging the capabilities of Windows Server 2016-based Remote Desktop Services (RDS). Your intention is to also take advantage of the existing Web Application Proxy deployment to provide a single, tightly controlled point of entry from the Internet to your internal network.

Objectives

After completing this lab, students will be able to:

• Implement Remote Desktop Services.

• Publish Remote Desktop Gateway via Web Application Proxy.

Lab environment

In general, you should avoid using AD domain controllers to host PKI roles. We are not following this approach in the lab strictly in order to optimize use of lab VMs. The process of deploying and configuring a Certification Authority server would be identical when using a domain member server.

The lab consists of the following computers:

• LON-DC1 (172.16.0.10) – a Windows Server 2016 domain controller in the adatum.com single-domain forest. You will use it to host the Enterprise Certification Authority.


• LON-SVR1 (172.16.0.11) – a Windows Server 2016 domain member server with Remote Server Administrative tools installed. This server will host the Active Directory Federation Services server role.

• LON-SVR2 (172.16.0.12) – a Windows Server 2016 domain member server with Remote Server Administrative tools installed. This server will host the Web Application Proxy role service and will function as a Certificate Revocation List (CRL) Distribution Point for external clients.

• LON-SVR4 (172.16.0.14) – a Windows Server 2016 domain member server with Remote Server Administrative tools installed. This will be used to host a single node Remote Desktop Services deployment, including the Remote Desktop Session Host, Remote Desktop Connection Broker, Remote Desktop Web Access and Remote Desktop Gateway role services.

• LON-CL1 (172.16.0.101) – a Windows 10 Pro or Enterprise version 1607 (or newer) domain member computer.

All computers have Windows PowerShell Remoting enabled.

Exercise 1: Implement Remote Desktop Services.

In this exercise, you will step through installing and configuring Remote Desktop Services in a Windows Server 2016 environment. The main tasks for this exercise are as follows:

1. Create RDS Quick Start deployment on LON-SVR4

2. Configure DNS on LON-DC1

3. Install the RD Gateway and RD Licensing role service on LON-SVR4

4. Publish updated Certificate Revocation List (CRL)

5. Enroll LON-SVR4 for a certificate issued by Enterprise CA

6. Configure certificates settings of the RDS deployment on LON-SVR4

7. Review RD Gateway Connection Authorization Policies (CAP) and Resource Authorization Policies (RAP) on LON-SVR4

8. Create a relying party trust for RD Gateway/Web Access Servers on LON-SVR1

9. Install RDS certificate on LON-SVR2

10. Publish the RDS Deployment via Web Application Proxy on LON-SVR2

Task 1: Create RDS Quick Start deployment on LON-SVR4

1. Sign in to the LON-SVR4 Windows Server 2016 lab virtual machine with the following credentials:

• USERNAME: ADATUM\Administrator

• PASSWORD: Pa55w.rd

2. Click Start and click Server Manager.

3. In Server Manager, in the Manage menu, click Add Roles and Features. This will start the Add Roles and Features Wizard.

4. On the Before you begin page, click Next.

5. On the Select installation type page, select the Remote Desktop Services installation option and click Next.

6. On the Select deployment type page, select the Quick Start option and click Next.

Quick Start deployment is intended for lab and proof of concept scenarios. It automatically deploys RD Web Access, RD Connection Broker, and RD Session Host or RD Virtualization Host (depending on your choice) on the same server. If you choose the RD Session Host option, it also automatically configures a QuickStartCollection consisting of three RemoteApp programs (Calculator, Paint, and WordPad).

7. On the Select deployment scenario page, select the Session-based desktop deployment and click Next.

8. On the Select a server page, ensure that LON-SVR4 appears in the Selected section and click Next.

If you receive an error message at this point regarding PowerShell Remoting not being enabled, restart the Add Roles and Features Wizard.

9. On the Confirm selections page, select the checkbox Restart the destination server automatically if required and click Deploy. Wait for the server to restart.

The Remote Desktop Services installation can take up to 15 minutes.

10. Once the server has restarted, sign back in to the LON-SVR4 Windows Server 2016 lab virtual machine with the following credentials:

• USERNAME: ADATUM\Administrator

• PASSWORD: Pa55w.rd

11. If the installation does not automatically restart, repeat steps 3-10.

12. Wait for the installation to complete and, in the Add Roles and Features Wizard window, click Close.

Task 2: Configure DNS on LON-DC1

1. Sign in to the LON-DC1 Windows Server 2016 lab virtual machine with the following credentials:

• USERNAME: ADATUM\Administrator

• PASSWORD: Pa55w.rd

2. Click Start and, in the Start menu, click Server Manager. In Server Manager, click Tools and then click DNS.

3. In the DNS Manager console, navigate to the Adatum.com zone.

4. Right-click Adatum.com and, in the right-click menu, click New Host (A or AAAA).

5. In the New Host dialog box, type the following and click Add Host:

• Name: rds

• IP address: 172.16.0.14

6. In the DNS dialog box, click OK.

7. In the New Host dialog box, click Done.

Task 3: Install the RD Gateway and RD Licensing role service on LON-SVR4

1. On LON-SVR4, in Server Manager, in the left window pane, click Remote Desktop Services.

2. On the Overview page, verify that the current deployment includes RD Web Access, RD Connection Broker, and RD Session Host role services, all residing on LON-SVR4.

3. Click the plus sign above the RD Gateway label. This will start the Add RD Gateway Servers wizard.

4. On the Server Selection page, ensure that LON-SVR4.adatum.com is selected in Server Pool on the left-hand side of the window, click the right-pointing arrow head to add it to the Selected servers, and click Next.

5. On the SSL Certificate Name page, in the SSL certificate name textbox, type rds.adatum.com and click Next.

You will replace this certificate with a certificate issued by your Enterprise CA later in this lab. In non-lab scenarios, you would use a certificate issued by a public CA for this purpose.

6. On the Confirmation page, click Add.

7. Wait until the operation completes and, on the Results page, click Close.

8. On the Overview page, click the plus sign above the RD Licensing label. This will start the Add RD Licensing Servers wizard.

9. On the Server Selection page, ensure that LON-SVR4.adatum.com is selected in Server Pool on the left-hand side of the window, click the right-pointing arrow head to add it to the Selected servers, and click Next.

10. On the Confirmation page, click Add.

11. Wait until the operation completes and, on the Results page, click Close.
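The same deployment can be scripted with the RemoteDesktop module. The block below is an added example, not part of the lab, and covers Tasks 1 to 3 in one pass from an elevated PowerShell session on LON-SVR4 signed in as ADATUM\Administrator. It assumes that PowerShell Remoting to LON-DC1 works (the lab states it is enabled everywhere). Two caveats: New-RDSessionDeployment builds a standard deployment rather than a Quick Start one, so the session collection that Quick Start would create is created explicitly and given the name the later steps of this lab use; and the cmdlet may restart LON-SVR4 while it installs the RD Session Host role, in which case the remaining lines are run again after the restart.

```powershell
# Added example (not from the lab): scripted equivalent of Tasks 1-3 on LON-SVR4.
Import-Module RemoteDesktop

$broker = 'LON-SVR4.adatum.com'

# Task 1: session-based deployment with all three core role services on one server.
# This may restart LON-SVR4; rerun the lines below it after signing back in if so.
New-RDSessionDeployment -ConnectionBroker $broker -WebAccessServer $broker -SessionHost $broker

# Quick Start names its collection QuickSessionCollection; Task 10 refers to that name.
New-RDSessionCollection -CollectionName 'QuickSessionCollection' -SessionHost $broker -ConnectionBroker $broker

# Task 2: create the rds.adatum.com A record on the DNS server (LON-DC1) over PS Remoting,
# skipping the step if the record is already there.
Invoke-Command -ComputerName LON-DC1 -ScriptBlock {
    $existing = Get-DnsServerResourceRecord -ZoneName 'adatum.com' -Name 'rds' -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName 'adatum.com' -Name 'rds' -IPv4Address '172.16.0.14'
    }
}

# Task 3: RD Gateway with the external FQDN that the certificate will carry, then RD Licensing.
Add-RDServer -Server $broker -Role RDS-GATEWAY -ConnectionBroker $broker -GatewayExternalFqdn 'rds.adatum.com'
Add-RDServer -Server $broker -Role RDS-LICENSING -ConnectionBroker $broker

# Verify: every role service should be listed against LON-SVR4, and rds must resolve to 172.16.0.14.
Get-RDServer -ConnectionBroker $broker | Format-Table Server, Roles -AutoSize
Resolve-DnsName -Name 'rds.adatum.com' -Type A | Format-Table Name, IPAddress -AutoSize
```

The Get-RDServer output at the end is the scripted counterpart of the Overview page check in step 2: all five roles (RDS-CONNECTION-BROKER, RDS-WEB-ACCESS, RDS-RD-SERVER, RDS-GATEWAY, RDS-LICENSING) should appear on the single server.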

Task 4: Publish updated Certificate Revocation List (CRL)

1. From the LON-DC1 Windows Server 2016 lab virtual machine, in Server Manager, click Tools and, in the Tools menu, start the Certification Authority console.

You need to update the Certificate Revocation List (CRL) at its Distribution Point (DP) in order to be able to successfully enroll LON-SVR4 for a certificate issued by the Adatum CA in the next task.

2. In the Certification Authority console, expand the adatum-root-CA node, right-click the Revoked Certificates folder, click All Tasks and click Publish.

3. In the Publish CRL dialog box, accept the default setting and click OK.

Task 5: Enroll LON-SVR4 for a certificate issued by Enterprise CA

1. While signed in to LON-SVR4 as ADATUM\Administrator, click Start, right-click Windows PowerShell, in the right-click menu, click More and then click Run as administrator.

2. From the Administrator: Windows PowerShell window, type the following and press Enter:

certlm

This will open the Microsoft Management Console (MMC) with the Certificates - Local Computer snap-in loaded.

3. Expand the Certificates – Local Computer top level node, expand the Personal folder, right-click the Certificates folder, click All Tasks, and click Request New Certificate. This will start the Certificate Enrollment wizard.

4. On the Before You Begin page, click Next.

5. On the Select Certificate Enrollment Policy page, ensure that Active Directory Enrollment Policy is selected and click Next.

6. On the Request Certificates page, select the checkbox next to the Adatum Web Server certificate, click Details to view properties of the certificate, and click Properties.

7. In the Certificate properties window, on the Subject tab, in the Subject name section, in the Type drop-down list, click Common name, in the Value text box, type rds.adatum.com, and click Add.

8. In the Alternative name section, in the Type drop-down list, click DNS and add the following names by typing them in the Value text box and clicking Add each time:

• rds.adatum.com

• LON-SVR4.adatum.com

9. Click the Private Key tab.

10. Under Key options, ensure the Make private key exportable option is checked and click OK.

11. Back on the Request Certificates wizard page, ensure the checkbox for the template is checked and click Enroll.

12. On the Certificate Installation Results page, click Finish.

Now, you will export the private key of the newly issued certificate. You will use it to configure the RDS deployment and to configure the Web Application Proxy on LON-SVR2.

13. Back in the Certificates console, in the Personal\Certificates folder, right-click the rds.adatum.com entry issued by adatum-root-CA, in the right-click menu, click All Tasks and then click Export. This will start the Certificate Export Wizard.

Make sure to use the certificate issued by adatum-root-CA – not the self-signed certificate you generated in the previous task.

14. On the Welcome to the Certificate Export Wizard page, click Next.

15. On the Export Private Key page, click the Yes, export the private key option and click Next.

16. On the Export File Format page, click Next.

17. On the Security page, select the Password checkbox and then type Pa55w.rd in the Password and Confirm password text boxes.

18. On the File to Export page, type C:\rds.adatum.com.pfx and click Next.

19. On the Completing the Certificate Export Wizard page, click Finish.

20. In the Certificate Export Wizard dialog box, click OK.
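Tasks 4 and 5 can also be done from PowerShell, which makes the dependency between them visible: enrollment only succeeds when the CA's CRL at the distribution point is current. The block below is an added example (not part of the lab), run on LON-SVR4 as ADATUM\Administrator. It assumes that the template displayed as "Adatum Web Server" has the internal name AdatumWebServer (an assumption; confirm it in the Certificate Templates console, since Get-Certificate takes the internal name), and that the template allows the private key to be exported, because Get-Certificate has no equivalent of the wizard's "Make private key exportable" checkbox.

```powershell
# Added example (not from the lab): scripted equivalent of Task 4 (CRL publish on LON-DC1)
# and Task 5 (enrollment and PFX export on LON-SVR4).

# Task 4: republish the CRL on the CA so that the CDP serves a current list.
Invoke-Command -ComputerName LON-DC1 -ScriptBlock { certutil.exe -CRL }

# Task 5 steps 3-12: request a certificate with CN=rds.adatum.com and both DNS SANs.
# 'AdatumWebServer' is an assumed internal template name; check it before running.
$enrollment = Get-Certificate -Template 'AdatumWebServer' `
    -SubjectName 'CN=rds.adatum.com' `
    -DnsName 'rds.adatum.com', 'LON-SVR4.adatum.com' `
    -CertStoreLocation 'Cert:\LocalMachine\My'

if ($enrollment.Status -ne 'Issued') {
    throw "Enrollment did not complete: status $($enrollment.Status)"
}
$cert = $enrollment.Certificate

# Build the chain with online revocation checking. This is the check that fails with a
# stale CRL and is the reason Task 4 precedes Task 5.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw 'Certificate chain or revocation check failed'
}

# Task 5 steps 13-20: export certificate plus private key for the RDS deployment and LON-SVR2.
# The lab uses Pa55w.rd; prompting keeps the password out of the script and the history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath 'C:\rds.adatum.com.pfx' -Password $pfxPassword | Out-Null

# Show what was issued: the subject, the SANs, the issuer (expected: adatum-root-CA) and the thumbprint.
$cert | Format-List Subject, DnsNameList, Issuer, NotAfter, Thumbprint
```

The Format-List output at the end is the scripted version of the "make sure to use the certificate issued by adatum-root-CA" note above: the Issuer line distinguishes the enterprise CA certificate from the self-signed one created during the RD Gateway role installation.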

Task 6: Configure certificates settings of the RDS deployment on LON-SVR4

1. On LON-SVR4, in Server Manager, on the Remote Desktop Services page, click Collections.

2. On the Collections page, click Tasks in the upper right corner and, in the drop-down menu, click Edit Deployment Properties. This will open the Deployment Properties window.

3. In the Deployment Properties window, click Certificates.

4. Make sure that the RD Connection Broker – Enable Single Sign On entry is selected and click Select existing certificate.

5. In the Select Existing Certificate window, ensure that the Choose a different certificate option is selected, click Browse, in the Open dialog box, navigate to the root of the C: drive, click rds.adatum.com.pfx, and click Open.

6. In the Password textbox, type Pa55w.rd, select the checkbox Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers and click OK.

7. Back on the Manage certificates page of the Configure the deployment window, click Apply.

Now you will repeat the same steps for the other role services.

8. Make sure that the RD Connection Broker – Publishing entry is selected and click Select existing certificate.

9. In the Select Existing Certificate window, ensure that the Choose a different certificate option is selected, click Browse, in the Open dialog box, navigate to the root of the C: drive, click rds.adatum.com.pfx, and click Open.

10. In the Password textbox, type Pa55w.rd, select the checkbox Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers and click OK.

11. Back on the Manage certificates page of the Configure the deployment window, click Apply.

12. Make sure that the RD Web Access entry is selected and click Select existing certificate.

13. In the Select Existing Certificate window, ensure that the Choose a different certificate option is selected, click Browse, in the Open dialog box, navigate to the root of the C: drive, click rds.adatum.com.pfx, and click Open.

14. In the Password textbox, type Pa55w.rd, select the checkbox Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers and click OK.

15. Back on the Manage certificates page of the Configure the deployment window, click Apply.

16. Make sure that the RD Gateway entry is selected and click Select existing certificate.

17. In the Select Existing Certificate window, ensure that the Choose a different certificate option is selected, click Browse, in the Open dialog box, navigate to the root of the C: drive, click rds.adatum.com.pfx, and click Open.

18. In the Password textbox, type Pa55w.rd, select the checkbox Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers and click OK.

19. Back on the Manage certificates page of the Configure the deployment window, click Apply.

20. Click OK.
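The four repetitions above map onto the four values of the -Role parameter of Set-RDCertificate. The block below is an added example, not part of the lab, run on LON-SVR4. It assumes C:\rds.adatum.com.pfx from Task 5. The wizard's "Allow the certificate to be added to the Trusted Root Certification Authorities certificate store" checkbox has no cmdlet equivalent; it is not needed here because the certificate chains to the enterprise CA that domain members already trust.

```powershell
# Added example (not from the lab): assigns C:\rds.adatum.com.pfx to all four RDS
# certificate roles in one pass, the scripted equivalent of Task 6 steps 4-20.
Import-Module RemoteDesktop

$broker   = 'LON-SVR4.adatum.com'
$pfxPath  = 'C:\rds.adatum.com.pfx'
$password = Read-Host -Prompt 'PFX password (Pa55w.rd in the lab)' -AsSecureString

# The four entries of Deployment Properties > Certificates. RDRedirector is
# "RD Connection Broker - Enable Single Sign On" and RDPublishing is "RD Connection Broker - Publishing".
$roles = 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway'

foreach ($role in $roles) {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $password -ConnectionBroker $broker -Force
}

# Verify: each role should show Level 'Trusted', Subject CN=rds.adatum.com and the same thumbprint.
$status = Get-RDCertificate -ConnectionBroker $broker
$status | Format-Table Role, Level, Subject, Thumbprint, ExpiresOn -AutoSize

$distinct = @($status | Where-Object Thumbprint | Select-Object -ExpandProperty Thumbprint -Unique)
if ($distinct.Count -ne 1) {
    Write-Warning 'The role services are not all using the same certificate; review the table above.'
}
```

A mismatch between roles is worth catching here rather than at test time: a client that trusts the RD Web Access certificate but receives a different, untrusted certificate from the RD Gateway gets a warning or a failed connection, depending on the client settings.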

Task 7: Review RD Gateway CAP and RAP on LON-SVR4

1. On LON-SVR4, in Server Manager, click Tools, in the drop-down menu, click Remote Desktop Services, and then click Remote Desktop Gateway Manager.

2. In the Remote Desktop Gateway Manager console, expand the LON-SVR4 (Local) node, expand the Policies subfolder, and then click the Connection Authorization Policies subfolder.

3. Double-click the default RDG_CAP_AllUsers connection authorization policy.

4. In the RDG_CAP_AllUsers window, click the Requirements tab and verify that the Password-based Windows authentication method is enabled, and that connecting users must be members of the ADATUM\Domain Users group.

5. In the RDG_CAP_AllUsers window, click the Device Redirection tab, and review the Disable device redirection for the following client device types settings.

6. In the Remote Desktop Gateway Manager console, click the Resource Authorization Policies subfolder.

7. Double-click the default RDG_AllDomainComputers resource authorization policy.

8. In the RDG_AllDomainComputers window, click the User Groups tab and verify that members of the ADATUM\Domain Users group can connect through RD Gateway to network resources defined in this policy.

9. In the RDG_AllDomainComputers window, click the Network Resource tab and verify that members of the ADATUM\Domain Computers group are accessible through the RD Gateway.

10. Click OK to close the RDG_AllDomainComputers window.

11. Double-click the default RDG_RDConnectionBrokers resource authorization policy.

12. In the RDG_RDConnectionBrokers window, click the User Groups tab and verify that members of the ADATUM\Domain Users group can connect through RD Gateway to network resources defined in this policy.

13. In the RDG_RDConnectionBrokers window, click the Network Resource tab and verify that members of the RDG_RDBCComputers group are accessible through the RD Gateway. This group currently includes only LON-SVR4.

14. Click OK to close the RDG_RDConnectionBrokers window.
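The CAP and RAP settings reviewed above are also exposed through the RemoteDesktopServices PowerShell provider, which mounts the gateway configuration as the RDS: drive. The block below is an added example, not part of the lab, run on LON-SVR4; it dumps every policy and its settings as text so the review can be repeated (or diffed against a known-good copy) without clicking through the console. The paths RDS:\GatewayServer\CAP and RDS:\GatewayServer\RAP are the provider's documented locations; the setting names under each policy are whatever the provider exposes and are not assumed by the code.

```powershell
# Added example (not from the lab): text dump of the RD Gateway CAPs and RAPs reviewed in Task 7.
Import-Module RemoteDesktopServices

function Show-RdgPolicies {
    param([string]$PolicyType)   # 'CAP' or 'RAP'

    $root = "RDS:\GatewayServer\$PolicyType"
    foreach ($policy in Get-ChildItem -Path $root) {
        "== $PolicyType $($policy.Name) =="
        # Each policy is a container; its leaf items carry the settings (user groups that may
        # connect, authentication method, device redirection, and for a RAP the reachable computer groups).
        Get-ChildItem -Path $policy.PSPath -Recurse |
            Where-Object { $null -ne $_.CurrentValue } |
            ForEach-Object { '   {0,-36} {1}' -f $_.Name, (@($_.CurrentValue) -join ', ') }
    }
}

Show-RdgPolicies -PolicyType 'CAP'   # expected in the lab: RDG_CAP_AllUsers
Show-RdgPolicies -PolicyType 'RAP'   # expected in the lab: RDG_AllDomainComputers, RDG_RDConnectionBrokers
```

Two things to look for in the output match the checks in steps 4, 8 and 9: the CAP's user group list (ADATUM\Domain Users in the lab default) decides who may connect at all, and each RAP's computer group list (ADATUM\Domain Computers and RDG_RDBCComputers) decides what they may reach once connected. Narrowing both is the first hardening step once a gateway is Internet-facing.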

Task 8: Create a relying party trust for RD Gateway/Web Access Servers on LON-SVR1

1. Switch to the console session on the LON-SVR1 Windows Server 2016 lab virtual machine and verify that you are signed in as ADATUM\Administrator. If not, sign out and sign back in with the following credentials:

• USERNAME: ADATUM\Administrator

• PASSWORD: Pa55w.rd

2. Click Start and then click Server Manager. In Server Manager, click Tools and, in the drop-down menu, click AD FS Management.

3. In the AD FS Management console, click the Relying Party Trusts folder.

4. In the Actions pane, click Add Relying Party Trust. This will start the Add Relying Party Trust Wizard.

5. On the Welcome to the Add Relying Party Trust Wizard page, ensure that the Claims aware option is selected and click Start.

6. On the Select Data Source page, select the Enter data about the relying party manually option and click Next.

7. On the Specify Display Name page, in the Display name text box, type Adatum RDS Deployment and click Next.

8. On the Configure Certificate page, click Next.

9. On the Configure URL page, click Next.

10. On the Configure Identifiers page, in the Relying party trust identifier text box, type https://rds.adatum.com/, click Add and click Next.

11. On the Choose Access Control Policy page, accept the default settings and click Next.

12. On the Ready to Add Trust page, click Next.

13. On the Finish page, uncheck the Configure claims issuance policy for this application checkbox and click Close.
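The same trust can be created with the ADFS module. The block below is an added example, not part of the lab, run on LON-SVR1 as ADATUM\Administrator. It uses "Permit everyone", the access control policy that the wizard preselects on the Choose Access Control Policy page in Windows Server 2016 AD FS, so it matches the default accepted in step 11.

```powershell
# Added example (not from the lab): scripted equivalent of Task 8 on the AD FS server.
Import-Module ADFS

$name       = 'Adatum RDS Deployment'
$identifier = 'https://rds.adatum.com/'

if (-not (Get-AdfsRelyingPartyTrust -Name $name)) {
    Add-AdfsRelyingPartyTrust -Name $name `
        -Identifier $identifier `
        -AccessControlPolicyName 'Permit everyone'
}

# Verify. The identifier is what Web Application Proxy and RD Web Access present to AD FS,
# so it must match exactly, trailing slash included.
$trust = Get-AdfsRelyingPartyTrust -Name $name
$trust | Format-List Name, Identifier, Enabled, AccessControlPolicyName

if ($trust.Identifier -notcontains $identifier) {
    throw "Relying party '$name' does not carry the identifier $identifier"
}
```

The trailing slash check is deliberate: Task 10 publishes the application with the external URL https://rds.adatum.com/ and this relying party, and AD FS matches the identifier as a string.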

Task 9: Install RDS certificate on LON-SVR2

1. Switch to the console session on the LON-SVR2 Windows Server 2016 lab virtual machine and verify that you are signed in as ADATUM\Administrator. If not, sign out and sign back in with the following credentials:

• USERNAME: ADATUM\Administrator

• PASSWORD: Pa55w.rd

2. Right-click Start and, in the right-click menu, click Command Prompt (Admin).

3. From the Administrator: Command Prompt window, run the following:

robocopy \\172.16.0.14\c$ c:\ rds.adatum.com.pfx

In real-life scenarios, you would copy the certificate via removable media.

4. From the Administrator: Command Prompt window, run the following:

certlm

This will open the Certificates – Local Computer console.

5. Expand the Certificates – Local Computer top level node, right-click the Personal folder, click All Tasks, and click Import. This will start the Certificate Import Wizard.

6. On the Welcome to the Certificate Import Wizard page, click Next.

7. On the File to Import page, click Browse…

8. In the Open dialog box, switch the filter to Personal Information Exchange (*.pfx), browse to the root of C:, click rds.adatum.com.pfx, and click Open.

9. Back on the File to import page, click Next.

10. On the Private key protection page, in the Password text box, type Pa55w.rd and click Next.

11. On the Certificate Store page, accept the default setting and click Next.

12. On the Completing the Certificate Import Wizard page, click Finish.

13. In the Certificate Import Wizard dialog box, click OK.

Task 10: Publish the RDS Deployment via Web Application Proxy on LON-SVR2

1. On LON-SVR2, in Server Manager, click Tools and, in the drop-down menu, click Remote Access Management.

2. In the Remote Access Management console, click Publish in the Tasks pane. This will start the Publish New Application Wizard.

3. On the Welcome page, click Next.

4. On the Preauthentication page, ensure that the Active Directory Federation Services (AD FS) option is selected and click Next.

5. On the Supported Clients page, ensure that the Web and MSOFBA option is selected and click Next.

6. On the Relying Party page, click Adatum RDS Deployment and click Next.

7. On the Publishing Settings page, set Name to Adatum RDS Deployment, set External URL to https://rds.adatum.com/, accept the default setting for the Backend server URL (matching the External URL), in the External certificate drop-down menu, select the rds.adatum.com certificate, and click Next.

8. On the Confirmation page, click Publish.

9. On the Results page, click Close.

10. While signed in to LON-SVR2 as ADATUM\Administrator, click Start, right-click Windows PowerShell, in the right-click menu, click More and then click Run as administrator.

11. From the Administrator: Windows PowerShell window, type the following and press Enter:

Get-WebApplicationProxyApplication -Name 'Adatum RDS Deployment' | Set-WebApplicationProxyApplication -DisableHttpOnlyCookieProtection:$true -InactiveTransactionsTimeoutSec 28800

DisableHttpOnlyCookieProtection must be enabled for the RD Gateway to function correctly in this scenario. The InactiveTransactionsTimeoutSec value increases the idle session timeout (28800 seconds, that is, 8 hours).

12. Switch to the console of LON-SVR4, where you are signed in as ADATUM\Administrator.

13. On LON-SVR4, from the Administrator: Windows PowerShell window, type the following and press Enter:

Set-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection -CustomRdpProperty "pre-authentication server address:s:https://rds.adatum.com/rdweb/`nrequire pre-authentication:i:1"

This assigns a custom property to the session collection named QuickSessionCollection in order to allow RD Gateway to retrieve the AD FS edge token.

Results: After completing this exercise, you will have implemented AD FS and Web Application Proxy, created and configured an RDS deployment, and published RD Web Access and RD Gateway by using AD FS pre-authentication.

Exercise 2: Validate the RD Gateway-based access

Now that you have implemented a Remote Desktop Services deployment, you need to verify that both external and internal users can access the RDS-published apps. The main tasks for this exercise are as follows:

1. Test use of published RDS apps access from an external client

2. Test use of published RDS apps access from an internal client

Task 1: Test use of published RDS apps access from an external client

You will emulate a scenario that involves an external client by using LON-CL1, which has been removed from the domain in the Web Application Proxy lab of this course. At that time, the DNS settings of LON-CL1 were modified in order to prevent its communication with LON-DC1. Note that LON-CL1 has also been configured to trust the CA that issued the AD FS/WAP and RDS certificates by adding the adatum-root-CA certificate to its Trusted Root Certification Authorities certificate store. In addition, LON-CL1 can reach the CRL distribution point of the adatum-root-CA Certification Authority, since that distribution point has been set up on LON-SVR2, which functions as the Web Application Proxy.

1. Sign in to the LON-CL1 Windows 10 lab virtual machine using the following credentials:

• USERNAME: Administrator

• PASSWORD: Pa55w.rd

2. On LON-CL1, right-click Start and, in the right-click menu, click Command Prompt (Admin).

3. From the Administrator: Command Prompt window, run the following:

certlm

4. In the Certificates – Local Computer top level node, expand the Trusted Root Certification Authorities folder, click the Certificates folder, and verify that it includes the adatum-root-CA entry.

5. From the Administrator: Command Prompt window, run the following:

Notepad c:\Windows\system32\drivers\etc\hosts

6. In Notepad, add entries to the hosts file representing the external IP address of the Web Application Proxy, the Adatum CA CRL Distribution Point, and the published Adatum RDS deployment:

172.16.0.12 adfs.adatum.com

172.16.0.12 cdp.adatum.com

172.16.0.12 rds.adatum.com

Note that, in real-life scenarios, we would rely on the name resolution of a DNS server that the client computer is using. Such a DNS server should be able to resolve Internet-accessible names in the externally hosted adatum.com DNS namespace to their corresponding public IP addresses.

7. Save your changes and close Notepad.

8. From the Administrator: Command Prompt window, run the following:

ncpa.cpl

9. In the Network Connections window, right-click the Ethernet connection and click Properties.

10. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4) and click Properties.

11. Verify that the entry in the Preferred DNS server is blank and click OK.

12. Back in the Ethernet Properties window, click Close.

13. Start Internet Explorer (you will find it in the Accessories folder in the Start menu) and browse to https://rds.adatum.com/RDWeb/

14. On the Adatum Federation Service page, specify the following credentials and click Sign in:

• ADATUM\Administrator

• Pa55w.rd

15. If prompted with the message Would you like to store your password for adatum.com, click Not for this site.

16. When prompted with the message This webpage wants to run the following add-on: ‘Microsoft Remote Desktop Services Web Access Control’ from ‘Microsoft Corporation’, click Allow and then click Allow for all websites.

This add-on is critical for minimizing the number of authentication prompts.

17. On the Work Resources RemoteApp and Desktop Connection page, in the Domain\user name text box, type ADATUM\Administrator, in the Password text box, type Pa55w.rd, in the Security section, click This is a private computer, and click Sign in.

18. When prompted with the message Would you like to store your password for adatum.com, click Not for this site.

19. On the RemoteApp and Desktops tab of the Work Resources RemoteApp and Desktop Connection page, click WordPad.

20. If prompted, in the RemoteApp dialog box, click Don’t ask me again for remote connections from this publisher and click Connect.

21. Verify that the application launches successfully.

Note that the application might appear minimized as an icon in the Taskbar. If so, click it to display the WordPad window.
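Steps 4 to 12 set up the "external" view of the deployment on LON-CL1: names resolve only through the hosts file, everything points at the Web Application Proxy address, and the client must trust the issuing CA and be able to reach its CRL. The block below is an added example, not part of the lab, that performs those steps from an elevated PowerShell session on LON-CL1 and then checks each assumption before the browser test: that the root CA is trusted, that the three names resolve to 172.16.0.12, that port 443 answers, and that the certificate rds.adatum.com presents chains to a trusted root with a revocation check that succeeds against the CDP. It assumes the network adapter is named Ethernet, as in step 9.

```powershell
# Added example (not from the lab): scripted equivalent of Exercise 2, Task 1 steps 4-12 plus checks.
$hostsPath  = "$env:SystemRoot\System32\drivers\etc\hosts"
$wapAddress = '172.16.0.12'
$names      = 'adfs.adatum.com', 'cdp.adatum.com', 'rds.adatum.com'

# Step 4: the issuing CA must be in the local machine Trusted Root store.
$root = Get-ChildItem -Path 'Cert:\LocalMachine\Root' | Where-Object Subject -like '*adatum-root-CA*'
if (-not $root) { throw 'adatum-root-CA is not in Trusted Root Certification Authorities' }

# Steps 5-7: add the hosts entries, skipping any name already present (commented or not).
$hosts = Get-Content -Path $hostsPath
foreach ($name in $names) {
    if (-not ($hosts -match "^\s*#?\s*\S+\s+$([regex]::Escape($name))\s*$")) {
        Add-Content -Path $hostsPath -Value "$wapAddress`t$name"
    }
}
Clear-DnsClientCache

# Steps 8-12: an external client in this lab has no DNS server at all; warn if one is configured.
$dns = (Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4).ServerAddresses
if ($dns) { Write-Warning "Preferred DNS server is set to $($dns -join ', '); the lab expects it blank" }

# Check resolution and reachability for each published name.
foreach ($name in $names) {
    $resolved = @((Resolve-DnsName -Name $name -Type A).IPAddress)
    if ($resolved -notcontains $wapAddress) { throw "$name resolved to '$resolved', expected $wapAddress" }
    if (-not (Test-NetConnection -ComputerName $name -Port 443 -InformationLevel Quiet)) { throw "${name}:443 is unreachable" }
}

# Fetch the certificate that rds.adatum.com presents. The callback accepts anything at the
# TLS layer only so that the chain can be validated explicitly below, with revocation checking.
$client = New-Object System.Net.Sockets.TcpClient('rds.adatum.com', 443)
$tls    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
$tls.AuthenticateAsClient('rds.adatum.com')
$leaf   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
$client.Close()

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'   # exercises the CDP published on LON-SVR2
if ($chain.Build($leaf)) {
    'Trusted: {0} issued by {1}, valid until {2}' -f $leaf.Subject, $leaf.Issuer, $leaf.NotAfter
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

If the chain build reports a revocation status error, the CDP is the first thing to check: an external client can only download the CRL if cdp.adatum.com resolves to the proxy and the proxy serves it, which is exactly what the hosts entry and the LON-SVR2 role in the lab environment provide.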

Task 2: Test use of published RDS apps access from an internal client

Now you will add LON-CL1 back to the domain to test the use of published RDS apps from the internal network.

1. While signed in to the LON-CL1 Windows 10 lab virtual machine as LON-CL1\Administrator with the password Pa55word, from the Administrator: Command Prompt window, run the following:

Notepad c:\Windows\system32\drivers\etc\hosts

2. In Notepad, comment out the entries in the hosts file representing the external IP address of the Web Application Proxy, the published web application, and the Adatum CA CRL Distribution Point by placing a hash sign in front of each:

# 172.16.0.12 adfs.adatum.com

# 172.16.0.12 cdp.adatum.com

# 172.16.0.12 rds.adatum.com

3. Save your changes and close Notepad.

4. From the Administrator: Command Prompt window, run the following:

ncpa.cpl

5. In the Network Connections window, right-click the Ethernet connection and click Properties.

6. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4) and click Properties.

7. Set the Preferred DNS server to 172.16.0.10 and click OK.

8. Back in the Ethernet Properties window, click Close.

9. Right-click the Start button, and then click System.

10. In the System window, click Advanced system settings, and then click the Computer Name tab.

11. On the Computer Name tab, click the Change button.

12. In the Computer Name/Domain Changes dialog box, click Domain, in the Domain box, type adatum.com, and then click OK.

13. In the Computer Name/Domain Changes dialog box, in the User name text box, type ADATUM\Administrator, in the Password text box, type Pa55w.rd, and click OK.

14. In the Welcome to the adatum domain dialog box, click OK.

15. To restart the computer, click OK.

16. To close the System Properties dialog box, click Close.

17. Click Restart Now, and then wait for the computer to restart.

18. Once LON-CL1 restarts, sign in using the following credentials:

• USERNAME: ADATUM\Administrator

• PASSWORD: Pa55w.rd

19. Start Internet Explorer.

20. In Internet Explorer, add https://*.adatum.com to the Local intranet zone.

21. Next, browse to https://rds.adatum.com/RDWeb/

22. On the Work Resources RemoteApp and Desktop Connection page, in the Domain\user name text box, type ADATUM\Administrator, in the Password text box, type Pa55w.rd, in the Security section, click This is a private computer, and click Sign in.

23. When prompted with the message Would you like to store your password for adatum.com, click Not for this site.

24. If prompted with the message This webpage wants to run the following add-on: ‘Microsoft Remote Desktop Services Web Access Control’ from ‘Microsoft Corporation’, click Allow and then click Allow for all websites.

25. On the RemoteApp and Desktops tab of the Work Resources RemoteApp and Desktop Connection page, click WordPad.

26. If prompted, in the RemoteApp dialog box, click Don’t ask me again for remote connections from this publisher and click Connect.

27. Verify that the application launches successfully.
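Steps 1 to 17 of this task reverse the external setup: the hosts overrides are commented out, DNS points at LON-DC1 again, and the computer rejoins adatum.com. The block below is an added example, not part of the lab, that does the same from an elevated PowerShell session on LON-CL1 as the local Administrator. It assumes the adapter is named Ethernet, and it adds one check the manual steps leave implicit: before joining, rds.adatum.com must resolve through DNS to LON-SVR4 (172.16.0.14) rather than to the proxy, which proves the hosts override is no longer in effect.

```powershell
# Added example (not from the lab): scripted equivalent of Exercise 2, Task 2 steps 1-17 on LON-CL1.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$names     = 'adfs.adatum.com', 'cdp.adatum.com', 'rds.adatum.com'

# Steps 1-3: comment out (rather than delete) each active line for one of the three names,
# so the external-client configuration can be restored later by removing the '# '.
$alternation = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'
$pattern     = "^\s*\S+\s+($alternation)\s*$"
(Get-Content -Path $hostsPath) |
    ForEach-Object { if ($_ -match $pattern) { "# $_" } else { $_ } } |
    Set-Content -Path $hostsPath
Clear-DnsClientCache

# Steps 4-8: internal clients resolve through the domain controller.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '172.16.0.10'

# Check: with the hosts override gone, DNS must hand back the RDS server, not the proxy.
$rds = @((Resolve-DnsName -Name 'rds.adatum.com' -Type A -DnsOnly).IPAddress)
if ($rds -notcontains '172.16.0.14') {
    throw "rds.adatum.com resolved to '$rds'; the hosts override is still active or DNS is not LON-DC1"
}

# Steps 9-17: join the domain and restart. The credential prompt replaces typing the password in the dialog.
$credential = Get-Credential -UserName 'ADATUM\Administrator' -Message 'Credentials for the domain join'
Add-Computer -DomainName 'adatum.com' -Credential $credential -Restart
```

After the restart, sign in as ADATUM\Administrator and continue with step 18; the local intranet zone entry in step 20 is still needed, because it is a browser setting rather than a name resolution one.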

Results: After completing this exercise, you will have tested access to RD Web Access published apps from an internal and an external client.