Securely connecting to apps over the internet using rds
Securely Connecting to Applications over the Internet using RDS
Greg Shields, MVP, vExpert
Head Geek, Concentrated Technology
www.ConcentratedTech.com
This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it within your own organization however you like.
For more information on our company, including information on private classes and upcoming conference appearances, please visit our Web site, www.ConcentratedTech.com.
For links to newly-posted decks, follow us on Twitter: @concentrateddon or @concentratdgreg
This work is copyright © Concentrated Technology, LLC
Agenda
Topics
– Part I: RemoteApps Under the Covers
– Part II: Architecting Application Delivery
– Part III: Tuning the User’s Experience
– Part IV: Securing the User’s Connection
– Part V: Virtual Desktops Discussion (…if we have time…)
Not Just About Desktops Any More!
The Many Jobs of the RDS Administrator
Server Administrator / Workstation Administrator
– Systems Babysitter…
Application Administrator
– Installing, managing, maintaining, patching…
Security & Lockdown Administrator
– Protect users from themselves and others…
Workflow Administrator (NEW!)
– Getting users to their applications…
RDS Admin as Workflow Admin
Now a part of the RDS Admin’s job
– 2003 TS lacked options, so this job hasn’t been a consideration for TS admins.
– Citrix Admins have traditionally enjoyed many more options for application delivery.
With TS in 2008, the options for getting users to their apps grow in number.
– Therefore, you have more architectural decisions to make…
New Features in 2008 TS
RDC v6.1
Network Level Authentication
Plug-and-Play Device Redirection
Console Session
Server Manager
Licensing Changes
New features specific to deploying applications:
• TS Drain Mode
• TS Easy Print
• TS RemoteApp
• TS Web Access
• TS Gateway
• TS Session Broker
• Local Desktop Installation for RemoteApps
New Features in 2008 R2 RDS
RemoteApp and Desktop Connection
Remote Desktop Virtualization (extensions to Hyper-V)
IP Virtualization
RDS-aware Windows Installer
• The “T” in every product changes to “RD”
• Hosted virtual desktops & pooled virtual desktops
• Fair Share CPU Scheduling
• Roaming Profile Cache Management
• PowerShell
Part I: RemoteApps Under the Covers
RemoteApps Look Like…Apps
RemoteApps are Easily Created
Step 1: Install the App
Step 2: Create the RemoteApp
Step 3: Set Distribution Options
Multiple Options for Launching
…via a web page
…through document invocation
…as an installed program
Pros/Cons of Remote Desktops
Remote Desktop – Provides user access to a full “desktop”.
– PRO: Familiar to users. Recognizable start bar, desktop, icon access, app launch procedure.
– PRO: Single connection for all remote apps.
– PRO: Easy access to all needed applications.
– CON: Easy access to all needed applications.
– CON: Documents on remote desktop are not easily accessible on local desktop.
– CON: Users must connect to desktop to start applications. This is a change to their usual launch procedure.
Pros/Cons of RemoteApps
RemoteApp – Enables user access to a single application or content.
– PRO: Applications appear to run locally. Seamless boundary between application and local desktop.
– PRO: Applications can be instantiated through document double-click.
– PRO: RemoteApps tend to use fewer and/or more predictable levels of resources.
– CON: Users may have multiple paths to access applications.
– CON: Finding documents on local desktops is not immediately obvious.
– CON: Users may be used to “desktops”. RemoteApps change their launch procedures.
RemoteApps Change How Apps are Delivered to Users
With Remote Desktops, there is really only one way for users to access their applications.
– Log onto desktop. Start application.
This limits how your users interact with their applications.
– Accessing an RDS-hosted application requires extra steps to get started.
– Those extra steps waste the user’s time and consume unnecessary resources on the RD Session Host.
– The login/logout process adds unnecessary burden.
– Securing desktops is a challenging, cumbersome, time-consuming, expensive procedure.
RemoteApps Change How Apps are Delivered to Users
RemoteApps eliminate the need to enable full desktop access.
– No explorer.exe process is spawned.
– Limited login/logout resources required.
– Apps can spawn other apps, but generally limited to in-app integrations.
– Users are more limited from launching unnecessary or inappropriate apps.
– No desktop == Limited user touch points == Less time spent dinking around with lockdowns == Greater security == A Happier You
Launching RemoteApps: What Really Happens?
Source: Windows Server 2008 Terminal Services Resource Kit, page 258
RemoteApps & Resources
Source: TechNet Magazine, January 2009
RemoteApps tend to use fewer resources. Resource utilization tends to be more predictable.
User1 logs into full desktop and launches Calc.exe.
User2 logs into “Calculator” RemoteApp.
So, What are Those Processes?
Source: TechNet Magazine, January 2009
Explorer.exe is replaced by Rdpshell.exe.
– Alternate (mini) shell loads/manages desktop session event hooks.
– No desktop = Reduced resource requirements.
(Figure: per-session process lists for the two users, labelled Task Scheduler Engine, Desktop Window Mgr, RDP Clipboard Mgr, “Monitors processes” and “Explorer replacement”)
RemoteApp has 50% lower memory utilization over a full desktop with explorer.exe.
Caution: YMMV.
Part II: Architecting Application Delivery
5 Ways to Deploy RemoteApps
1. RDP File Distribution – Create an RDP file and store it on a file server or distribute it to users. Users double-click to launch the app.
2. RD Web Access – Users double-click applications on web sites to launch.
3. Local Desktop Installation – RemoteApps are wrapped into MSI files, which are “installed” onto desktops.
4. Local Desktop Installation with Client Extension Re-association – Same as above, but local client file extensions are modified to enable document invocation.
5. RemoteApp and Desktop Connection – Windows 7 RADC regularly synchronizes data from the server to populate the desktop & Start Menu with configured apps.
#1 - RDP File Distribution
In Server 2003, the only “true” native way to distribute connections to Remote Desktops.
– Can also manually host RDP files on a web page.
Superseded in 2008 by new technologies; however, it remains useful for…
– Users who want user-based customizability for RDP connections.
– Users who need portability for application connections, such as those who roam networks.
– Users who share/customize connections.
– Ad-hoc.
#2 - RD Web Access
Enabling an app in RDWA requires two clicks.
– Provisioning and deprovisioning apps is ridiculously fast/easy.
– Useful for users who use few applications that do not integrate with each other.
– Very useful for applications that rapidly change, change versions, or require offline maintenance.
Zero additional effort at the individual desktop.
R2 supports the “hiding” of apps.
– Use perms and “User Assignment” to restrict app access.
Limited to a single server out-of-the-box in 2008.
– RD Session Broker creates RDS farm of similarly-configured servers.
– SharePoint web part integration can group dissimilar servers. Non-trivial.
R2 adds the ability to consolidate multiple RDSHs.
Does not support document invocation or local desktop integration.
Enabling or disabling access requires only a few mouse clicks in Server Manager.
#3 - Local Desktop Installation
Wrapping RDP files into MSI files enables local desktop installation.
– RemoteApps launched from local Start Menu or desktop shortcut.
– Enhances RemoteApp “seamlessness”.
Can increase confusion.
– RemoteApp C: drive is not equal to local desktop C: drive.
– “Am I remote or am I local???”
– Users must learn to store docs on file servers.
MSI files must be installed onto each desktop.
– Active Directory Software Installation through Group Policy
– A systems management solution (SCCM)
– Shoe leather.
Removing applications once installed is complex with any mechanism.
– Non-trivial to change once implemented.
#4 - Client Extension Re-Association
Client extension re-association is an optional part of local desktop installation.
– Modifies client extensions (.DOCX, .XLSX, etc.) to enable document invocation.
– Users maintain existing local desktop workflow by double-clicking documents.
– Highest degree of “seamlessness” possible with RDS and non-W7.
Document Invocation!
(Screenshots: the option “Associate client extensions for this program with the RemoteApp program”; afterwards the extensions re-associate with “Remote Desktop Connection”.)
Arguably the most useful for users. However…
– Extends time-to-launch.
– Difficult to update as applications change.
– Applications transiently unavailable on RDS create big confusion with users. They cannot double-click documents to launch apps.
– You must ensure high degree of availability if deployed.
– VPNs (including RDSG) can complicate.
#5 – RemoteApp & Desktop Connection
If you have Windows 7 / 08R2, then you have RADC. No other OSs currently support RADC.
RADC works functionally similar to Citrix XenApp Plug-in.
– Plug-in regularly checks server to download XML file.
– XML file contains connection information about configured RemoteApps and desktops.
– By default, client checks once per hour, so propagation can take time.
DEMO: Deploying RemoteApps
Your App Deployment Decision Tree
(Figure: decision tree; the branch shown reads “Windows 7?” → “RemoteApp & Desktop Connection!”)
More Than One Way to Skin A…
Complex environments may find the need for combinations of these five options…
– Static applications are deployed to desktops, while high-rate-of-change apps hosted via RDS Web Access.
– RADC for Windows 7 machines, RDWA or static for others.
– Local desktop installation for LAN machines, while RDS Web Access for VPN access.
– Access to RDS Web Access invoked via local desktop installation. (Internet-based clients?)
– “Empty” Remote Desktops deployed with local desktop installation to apps. A form of siloing, or Poor Man’s VDI.
Part III: Tuning the User’s Experience
Tuning Memory Consumption
Source: TechNet Magazine, January 2009
Tune dwm.exe & rdpclip.exe to keep memory consumption at lowest-possible levels.
– Keep in mind each concurrent user spawns one of each process.
Desktop Window Mgr: Keep Desktop Window Manager memory consumption low by not installing Desktop Experience. Font smoothing is bad too.
RDP Clipboard Mgr: Keep RDP Clipboard Manager memory low by not enabling client clipboard mapping in RDP properties.
Must-Monitor Performance Counters
– Processor\% Processor Time
– Memory\Available MBytes
– Memory\Pages/Sec
– System\Threads
– System\Context Switches/Sec
– System\Processor Queue Length
– Terminal Services\Active Sessions
– Terminal Services\Total Sessions
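As an added example (not part of the deck): a PowerShell function that samples the counters listed above on an RD Session Host, averages them over a few samples and flags the ones crossing a threshold. Test-RdshCounters and the threshold values are assumptions chosen for illustration, not Microsoft guidance.

```powershell
# Added example, not from the deck. Samples the slide's must-monitor counters on an
# RD Session Host and flags values that cross a threshold. Thresholds are assumed
# starting points; tune them to your hardware and session density.
$RdshCounters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\Memory\Pages/sec',
    '\System\Threads',
    '\System\Context Switches/sec',
    '\System\Processor Queue Length',
    '\Terminal Services\Active Sessions',
    '\Terminal Services\Total Sessions'
)

# Assumed thresholds, keyed by the last element of the counter path.
$HighWater = @{
    '% Processor Time'       = 85      # sustained CPU above this: somebody is hogging the host
    'Pages/sec'              = 1000    # heavy paging means memory pressure
    'Processor Queue Length' = 8       # roughly two waiting threads per core on a quad-core host
    'Context Switches/sec'   = 20000
}
$LowWater = @{
    'Available MBytes'       = 512     # below this, the next logon is going to hurt
}

function Test-RdshCounters {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Samples = 3,              # average several samples so a single spike does not alarm
        [int]$IntervalSeconds = 5
    )
    $sets = Get-Counter -ComputerName $ComputerName -Counter $RdshCounters `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples
    # Flatten the sample sets, then average each counter path over the run.
    $sets | ForEach-Object { $_.CounterSamples } | Group-Object Path | ForEach-Object {
        $avg    = ($_.Group | Measure-Object CookedValue -Average).Average
        $name   = ($_.Name -split '\\')[-1]        # e.g. "% processor time"
        $status = 'OK'
        foreach ($k in $HighWater.Keys) { if ($name -eq $k -and $avg -gt $HighWater[$k]) { $status = 'HIGH' } }
        foreach ($k in $LowWater.Keys)  { if ($name -eq $k -and $avg -lt $LowWater[$k])  { $status = 'LOW'  } }
        New-Object PSObject -Property @{
            Counter = $_.Name
            Average = [math]::Round($avg, 1)
            Status  = $status
        }
    }
}

# Usage: run on, or remotely against, the RD Session Host.
Test-RdshCounters | Sort-Object Status -Descending | Format-Table Counter, Average, Status -AutoSize
```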
Windows Server Resource Manager
Let’s face it: Some users really suck.
– Available resources, that is…
– Every environment has “Stan in Accounting”
– Stan consumes dramatically more resources than everyone else.
– Stan is bad. Stan must be stopped.
WSRM is the anti-Stan.
– Monitors processes and resource use.
– Lowers the priority for hoggy processes.
– Threads for lowered processes have longer wait time between processor attention.
WSRM is a separate install from TS.
– Install the WSRM feature.
– Change its default policy to Equal Per Session.
– (Optionally) Limit users to one session each.
WSRM can additionally log and report on process use.
– Handy for giving Stan proof that he’s not been sharing with the other children…er, users.
– Potential for billing / chargebacks.
R2 eliminates the need for WSRM with its Fair Share CPU Scheduling feature, enabled by default.
– It is also proactive rather than reactive.
2003 & 2008 Profiles not Compatible
A Win2008 profile cannot be used to log in to a Win2003 TS.
– Folder structures are completely different.
– Separate profiles for each OS required.
Profile folder redirection can share some folders between these two OSs.
– AppData(Roaming), Desktop, Start menu, Documents, Pictures*, Music*, Video*
Caution: Redirection can increase login times, reduce user experience.
– This can be a painful architecture. Consider user virtualization, user workspace management, or flex profile solutions.
Software Restriction Policies
RemoteApps enable users to access predefined applications. However, they can and do spawn additional apps.
– Outlook attachment launches IE.
– Homegrown finance app launches Excel.
Software Restriction Policies & AppLocker ensure only approved apps can run.
– Blacklist approach
– Whitelist approach – Superior.
Computer Configuration | Policies | Windows Settings | Security Settings | Software Restriction Policies | Security Levels
– Unrestricted – Blacklist approach. Everything runs except what you deny.
– Basic User – Fuggetaboudit. UAC-focused.
– Disallowed – Whitelist approach. Apps will not run except those you specifically allow.
Whitelists work best for RDSs.
– They typically have a known app composition.
Computer Configuration | Policies | Windows Settings | Security Settings | Software Restriction Policies | Additional Rules
– Hash Rule
– Certificate Rule
– Path Rule
– Network Zone Rule
You will typically use combinations of these, based on your app composition.
AppLocker also eases these configurations.
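Added example, not from the deck: using the AppLocker cmdlets that ship with Windows Server 2008 R2 to build the whitelist the slides recommend from what is actually installed on the RD Session Host (publisher rules where files are signed, hash rules otherwise), then testing a file against the policy before enforcing it. New-RdshWhitelist, Test-RdshWhitelist and the output path are assumed names.

```powershell
# Added example, not from the deck. Builds an AppLocker whitelist from the RDSH's known
# app composition and tests a file against it before enforcement. Needs the AppLocker
# module (Windows Server 2008 R2) and, once enforced, the Application Identity service.
Import-Module AppLocker

function New-RdshWhitelist {
    param(
        # Assumed: the directories that hold the RDSH's approved applications.
        [string[]]$AppDirectories = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot),
        [string]$OutFile = 'C:\Policies\rdsh-applocker.xml'   # assumed output path
    )
    $files = foreach ($dir in $AppDirectories) {
        if ($dir -and (Test-Path -Path $dir)) {
            # Dll rules are left out on purpose: they multiply the rule count and need separate testing.
            Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
        }
    }
    # Publisher rules survive patching of signed apps; hash rules cover unsigned files.
    # -Optimize merges per-file rules that share a publisher/product into one rule.
    $xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml
    New-Item -ItemType Directory -Path (Split-Path -Parent $OutFile) -Force | Out-Null
    $xml | Out-File -FilePath $OutFile -Encoding UTF8
    return $OutFile
}

function Test-RdshWhitelist {
    # Reports the PolicyDecision (Allowed, Denied, AllowedByDefault, DeniedByDefault)
    # for each path without enforcing anything.
    param([string]$PolicyFile, [string[]]$Path, [string]$User = 'Everyone')
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage (run elevated on the RDSH). An inventoried binary should come back Allowed; an
# executable dropped into a user profile should be DeniedByDefault once Executable rules exist.
$policyFile = New-RdshWhitelist
Test-RdshWhitelist -PolicyFile $policyFile -Path "$env:SystemRoot\System32\calc.exe"
# To enforce: import the XML into the GPO linked to the RDSH OU, e.g.
#   Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap "LDAP://<GPO distinguished name>"   (placeholder)
# and set the Executable rules collection to Enforce rules.
```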
TS RemoteApps & Session Disconnection
When users click the “X” to close a RemoteApp, RDS considers this a “Disconnect”.
– Server resources are not released.
Configure disconnected sessions to reset after a small number of minutes.
– 5 minutes…? Longer… Shorter… ??
– YMMV
Use the new Group Policy setting to configure this:
– Set time limit for logoff of RemoteApp sessions
Virtual Channel Bandwidth Allocation
From the network’s perspective, some user actions are far worse than others:
– Copy-from/paste to local machine
– Copy files to local machine
– Print
These actions transfer real data, as opposed to efficient screen update data.
In Vista/08, Microsoft hard-limits this “real” virtual channel data to 30% of total data.
– This amount can be adjusted.
Limiting virtual channel data preserves the user’s experience
– At the expense of increasing time-to-complete for those other actions.
HKLM\System\CurrentControlSet\Services\TermDD (REG_DWORD)
– FlowControlDisplayBandwidth
– FlowControlChannelBandwidth
The ratio of the two integer values sets the distribution.
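Added example (not from the deck): reading and adjusting the two TermDD values above from PowerShell. Get-RdpChannelShare and Set-RdpChannelShare are assumed names; the 70/30 fallback used when the values are absent matches the 30% default the slide mentions.

```powershell
# Added example, not from the deck. Reads and adjusts the TermDD flow-control split
# between display updates and "real" virtual channel data (clipboard, file copy, print).
# The two REG_DWORDs are integers whose ratio is the distribution; when they are absent
# the split is treated as 70 display / 30 channel, the 30% on the slide. Run elevated;
# the change takes effect after the Remote Desktop Services service (or the host) restarts.
$TermDD = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD'

function Get-RdpChannelShare {
    $props   = Get-ItemProperty -Path $TermDD -ErrorAction Stop
    $display = if ($props.FlowControlDisplayBandwidth -ne $null) { [int]$props.FlowControlDisplayBandwidth } else { 70 }
    $channel = if ($props.FlowControlChannelBandwidth -ne $null) { [int]$props.FlowControlChannelBandwidth } else { 30 }
    $total   = $display + $channel
    New-Object PSObject -Property @{
        DisplayBandwidth = $display
        ChannelBandwidth = $channel
        ChannelPercent   = [math]::Round(100 * $channel / $total, 1)
    }
}

function Set-RdpChannelShare {
    param(
        # Share of bandwidth to give clipboard/file/print traffic; the rest goes to display.
        [Parameter(Mandatory = $true)][ValidateRange(1, 99)][int]$ChannelPercent
    )
    # Write the split as two integers out of 100 so the ratio reads naturally in regedit.
    $display = 100 - $ChannelPercent
    New-ItemProperty -Path $TermDD -Name FlowControlDisplayBandwidth -PropertyType DWord -Value $display        -Force | Out-Null
    New-ItemProperty -Path $TermDD -Name FlowControlChannelBandwidth -PropertyType DWord -Value $ChannelPercent -Force | Out-Null
    Get-RdpChannelShare
}

# Usage: show the current split, then give copy/paste and printing more room at the
# cost of screen-update responsiveness, which is the trade-off the slide describes.
Get-RdpChannelShare
Set-RdpChannelShare -ChannelPercent 40
```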
The RDS Application Compatibility Analyzer
https://connect.microsoft.com/tsappcompat/downloads
Should I Virtualize my TSs?
No. No. No. No. No…
EXCEPT: In the single situation where you plan for zero consolidation.
Or, essentially one virtual server per physical server.
Part IV: Securing the User’s Connection
What You’ll Need
Enabling Internet-grade security for RDS sessions requires a few extra components:
– RD Gateway Server
– SSL Server certificate from Public CA
– Two Holes in the Firewall
(Diagram: client1.myhome.com on the Internet connects over 443/TCP to server1.contoso.com, the Remote Desktop Gateway; the gateway connects over 3389/TCP to server2.contoso.com, the Remote Desktop Session Host; dc.contoso.com is the domain controller for contoso.com.)
SSL Certificates
Although it is possible to create free certificates through 2008 Certificate Services, save yourself headache and heartache and BUY ONE.
– $20/year at GoDaddy, automatically trusted, and useful for multiple steps in this process
Server Authentication certificate
– Name must exactly match the RDG’s FQDN
– Must be installed to the local computer’s Personal Store – Not current user’s Personal Store
– Must include private keys
Installing the RDG
Four questions are required during installation.
– Server authentication certificate. If you’ve correctly installed your certificate to the local computer’s Personal Store, you will see that certificate listed in the box.
– RD Gateway User Groups. Groups which are allowed to connect to internal resources through this RDG server.
– RD CAP. Identifies mechanisms used for authenticating users to the RD Gateway server: Password or smart card.
– RD RAP. Identifies internal computers which can be accessed by users who enter through the RDG.
If You’ve Done it Right…
DEMO: Managing the RDG
Exposing the RemoteApp
Once the RDG is installed, this creates the pathway by which RemoteApps can flow.
The next step is to create the RemoteApp.
– Install an application.
– Expose the application using RemoteApp Manager.
– Enable RDG settings within the RemoteApp.
– Distribute the RemoteApp through one or more mechanisms.
Special RDG Settings
Two settings on this screen need special attention:
– Enables single sign-on between RDG and RDSH
– Enables direct RDSH access for LAN clients
Too Many Error Messages!
At this point, your clients can invoke the RDP file to connect either locally or via the Internet.
However, for reasons of scripting security, Microsoft requires an authentication at connection.
This confuses users. Creates pain for us admins.
Eliminate Error Messages!
Eliminate one of the two error messages by digitally signing your RDP file.
Possible to use same server certificate as installed to RDG.
Install certificate to RDSH’s local computer Personal Store.
You’ll know if you screwed this part up.
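Added example (not from the deck): a PowerShell script that checks the certificate points from the SSL Certificates slide (local computer Personal store rather than the user's, exact FQDN match, private key present, Server Authentication usage, not expired) and then signs the RemoteApp RDP file with rdpsign.exe. The gateway name, the RDP file path and the helper names are assumptions.

```powershell
# Added example, not from the deck. Finds the RD Gateway server certificate in the local
# computer's Personal store, verifies it meets the slide's requirements, and signs the
# RemoteApp RDP file with rdpsign.exe (Windows Server 2008 / Vista SP1 and later).
param(
    [string]$GatewayFqdn = 'rdg.contoso.com',              # assumed: your RDG's public name
    [string]$RdpFile     = 'C:\RemoteApps\Calculator.rdp'  # assumed: the exported RemoteApp file
)

function Get-RdgSigningCertificate {
    param([string]$Fqdn)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'     # Enhanced Key Usage: Server Authentication
    $usable = @()
    # Cert:\LocalMachine\My is the local computer's Personal store; a certificate imported
    # into Cert:\CurrentUser\My will not be offered to the RDG or to rdpsign.
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $cn  = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasServerAuth = $false
        if ($eku) { $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }) }
        if (($cn -eq $Fqdn) -and $cert.HasPrivateKey -and $hasServerAuth -and ($cert.NotAfter -gt (Get-Date))) {
            $usable += $cert
        }
    }
    $usable | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-RdpSignature {
    param([string]$Path)
    # rdpsign appends signscope:s: and signature:s: lines; without them the file is unsigned.
    $scope = Select-String -Path $Path -Pattern '^signscope:s:' -Quiet
    $sig   = Select-String -Path $Path -Pattern '^signature:s:' -Quiet
    [bool]($scope -and $sig)
}

$cert = Get-RdgSigningCertificate -Fqdn $GatewayFqdn
if (-not $cert) {
    # Usual causes: imported into the user's store, exported without the private key,
    # or the subject name does not exactly match the gateway FQDN.
    throw "No valid Server Authentication certificate for $GatewayFqdn with a private key in Cert:\LocalMachine\My"
}

# /sha1 takes the certificate thumbprint; the signed file replaces the input file.
& "$env:SystemRoot\System32\rdpsign.exe" /sha1 $cert.Thumbprint $RdpFile
if ($LASTEXITCODE -ne 0) { throw "rdpsign.exe failed with exit code $LASTEXITCODE" }
if (-not (Test-RdpSignature -Path $RdpFile)) { throw "$RdpFile carries no signature after signing" }
"Signed $RdpFile with $($cert.Subject) (thumbprint $($cert.Thumbprint))"
```

After signing, the client no longer warns about an unsigned file; instead it asks whether the user trusts the publisher, which is the prompt the next slide describes.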
Error Messages to Questions
Signing the file creates the necessary authentication between client and server.
However, it doesn’t entirely eliminate the error message.
– Instead, the user sees: “Do you trust the publisher of this RemoteApp program?”
– User can click Yes, also can click “Don’t ask me again”.
DEMO: Creating the RemoteApp
Part V: Virtual Desktops (…if we have time…)
DEMO / DISCUSSION: Virtual Desktops atop RDS & Hyper-V