Understanding the concept
Remote Desktop Services (RDS) in Windows Server 2008 R2 is the renamed and enhanced version of the Terminal Services role available in Windows Server 2003. This feature enables users to access Windows-based programs that are installed on a terminal server, or to access a full Windows desktop. Users can access a Remote Desktop server from within the corporate network or from the Internet. When a user accesses a program on a terminal server, program execution occurs on the server, and only keyboard, mouse and display information is transmitted over the network. Each user sees only their individual session, which is managed transparently by the server operating system and is independent of any other client session. Remote Desktop Services is especially useful when you have programs that are frequently updated, infrequently used, or difficult to manage. Consider, for example, the scenario where your organization has its own private application and you need to access it from outside the organization, or where you need to deploy multiple versions of an application, especially if installing multiple versions locally would cause conflicts; there are many other such cases. More details are described in the MS TechNet center.
When you are planning to implement Remote Desktop Services, there are a few terms that you must understand.
1. Remote Desktop Session Host (Terminal Server)
The Remote Desktop Session Host is the server that hosts the applications required by TS clients. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server. Servers with this role service installed act as your Remote Desktop servers.
2. Remote Desktop Licensing (TS Licensing)
RD Licensing manages the Remote Desktop Services client access licenses (RDS CALs) that are required for each device or user to connect to a Remote Desktop Session Host or Remote Desktop Virtualization Host server. You use RD Licensing to install, issue and track the availability of RDS CALs on a Remote Desktop license server. The grace period of this service is 120 days, after which a permanent RDS CAL must be purchased. There are several ways to purchase licenses, and those are described in the MS article (http://technet.microsoft.com/en-us/library/cc771547.aspx). The License Server role can be installed on your Session Host server or on a dedicated server. If you install the Remote Desktop Licensing role on a dedicated server, any additional RD Session Hosts that you add in the future can share this service. However, this role does not need to be configured in the initial stages, as we have a trial license for 120 days.
3. RD Web Access (TS Web Access)
RD Web Access allows users to access the applications and server desktops that have been made available to them. To do so, users visit a web site configured by the Remote Desktop administrators, using their web browser (IE, Chrome, Firefox, etc.). When a user starts a RemoteApp program, a Terminal Services session is started on the terminal server that hosts the RemoteApp program. When you deploy RD Web Access, you can specify which terminal server to use as the data source to populate the list of RemoteApp programs that appears on the web page.
4. Remote Desktop Gateway (TS Gateway)
This role service enables authorized remote users to connect to resources on an internal corporate network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. RD Gateway improves security by establishing an encrypted connection between remote users on the Internet and the internal network resources (hosted on the Remote Desktop server). Note that the RD Gateway role service requires other roles to be installed for its functionality (for example, Network Policy and Access Services and Web Server (IIS)); these are installed automatically during the role installation.
5. RD Connection Broker (TS Session Broker)
RD Connection Broker has one of the most vital roles in Remote Desktop Services. It keeps track of user sessions in a load-balanced terminal server farm. You can make use of the Windows failover clustering feature to achieve this. The RD Connection Broker saves session state information, the user associated with each session, and the server where each session exists. When a user who has an existing session connects back to the terminal server farm, the RD Connection Broker identifies it and redirects the user to the server where their session exists. This prevents the user from being connected to a different server in the farm and starting a new session.
6. Remote Desktop Virtualization Host
RD Virtualization Host integrates with Hyper-V to provide virtual machines that can be used as personal virtual desktops or as virtual desktop pools. If a user is assigned a personal virtual desktop and requests it, RD Connection Broker redirects the user to that virtual machine. If the virtual machine is not turned on, RD Virtualization Host turns it on and then connects the user.
I hope the information above is enough to understand the various roles that come under Remote Desktop Services. Now let us see how to install and configure these roles.
Installation and configuration
In my environment I am going to install the role services Remote Desktop Licensing, Remote Desktop Gateway, RD Connection Broker, RD Web Access and Remote Desktop Session Host on the same server. I do not want the Remote Desktop Virtualization Host service, as I do not have Hyper-V installed.
Note: It is not recommended to install and configure RDS on an Active Directory server, as it can reduce security and decrease the performance of the server; however, you can do it if required.
It is recommended to install Remote Desktop Session Host before you install any applications that you want to make available to users. Otherwise the applications may not work as expected for clients.
1. Log on to the server where you want to install RDS as a user who has administrator and Enterprise Admin rights.
2. Open Server Manager: click Start -> Administrative Tools -> Server Manager.
3. Under the Roles Summary heading, click Add Roles.
4. In the Add Roles Wizard, if the Before You Begin page appears, click Next.
5. On the Select Server Roles page, select the Remote Desktop Services check box, and then click Next.
6. On the Remote Desktop Services page, click Next. This page just gives a brief overview of Remote Desktop Services.
7. On the Select Role Services page, select Remote Desktop Licensing, Remote Desktop Gateway, RD Connection Broker, RD Web Access and Remote Desktop Session Host. If you are installing Remote Desktop Session Host on the Active Directory server you will get a warning message, as this is not recommended; click Install Remote Desktop Session Host (not recommended) and select the other features. As described earlier, you may need to install additional features to support Remote Desktop Gateway, so select Add Required Role Services when prompted. Click Next to continue.
8. On the Uninstall and Reinstall Applications for Compatibility page, click Next. I hope you have got the message.
9. The next step asks about the level of authentication that you require for RDS (Remote Desktop Services). It is recommended to enable Network Level Authentication, and you can select the option as required. If you have Windows XP clients that need to access RDS you should not enable Network Level Authentication, as Windows XP does not have the upgraded version of the Remote Desktop Connection client. You can select Network Level Authentication if your clients are at least Windows 7 or later. Click Next.
10. You need to specify the licensing mode that you want to use for RDS. Licenses can be purchased either per user or per computer. Alternatively you can install the license later, as we have a 120-day trial period. I am selecting the trial and continuing, whereas you can install the license now or later.
11. Select the user groups that can access the Remote Desktop server and its services. I am selecting all the users of my domain, and you can achieve the same by clicking the Add button. If you have a specific set of users who must access the terminal server, you can create a group in Active Directory and add the group to this list later as well.
Note: Administrator users are included in this list by default and cannot be removed.
12. Now you can specify the client experience. These settings are optional; select them as required. Please note that enabling more functionality can lead to high system and bandwidth usage, which may affect the performance of the RD Session Host server. So leave features disabled if they are not really required.
13. Next you need to specify the discovery scope for RD Licensing. It is used by RD Session Host servers to automatically identify and discover the licensing server. Leave the selection at the default; you can also change the RD Licensing database location if required. It is well worth clicking the link More about licensing directory to get a much better understanding of this.
14. You must have a certificate for SSL communication. It is recommended to get the certificate from a trusted certificate authority (CA), especially when you have to access RD sessions from outside the network. In my case I have a self-signed certificate installed on my server, and it is listed automatically here. If you do not have any certificate installed on the server, nothing will be listed, and you can import one now by clicking the Import button. If you want to create an SSL certificate now, select the second option, Create a self-signed certificate for SSL encryption, or you can select the third option, Choose a certificate for SSL encryption. Make sure that the SSL certificate is attached to the HTTPS binding in your IIS.
I will continue with my existing SSL certificate. Click Next to continue.
15. Now you need to specify the authorization policies that control how RD Session Host clients are allowed to connect. There are two important terms to understand here: the Remote Desktop connection authorization policy (RD CAP) and the Remote Desktop resource authorization policy (RD RAP). In simple words, an RD CAP describes the users who can connect to this RD Gateway server, and an RD RAP allows us to specify which terminal servers those users are allowed to connect to from the network. Until we configure an RD RAP and an RD CAP, users will not be able to connect to the RD server, so I will configure these policies now. Select Now under Create authorization policies and click Next.
16. Under User group membership (required), click the Add button, and then specify a user group whose members can connect to the TS Gateway server. You must specify at least one user group, and I have allowed it for all my domain users. At this point you might be a little confused, as we have already configured the user groups that can access the RD server in step 11. All you need to understand is that step 11 is defined for the RD Session Host server, whereas the RD Gateway is an additional security layer for the RD server, and here you are specifying the users who are allowed to connect through the RD Gateway. Hence the same user group is mentioned here as well. Click Next to continue.
17. In the step above we specified the user group that can connect. Here you must specify a name for the RD CAP and at least one authentication method required for users. You will have a default name, and it can be edited if required; for example, if you are allowing users of a particular group to access the RD server, it would be worth customizing the RD CAP name, which will help us identify the policy easily in future. Windows authentication can be either password or smart card, which determines how users are authenticated to get access to the RD server. In my case I am leaving the RD CAP name at the default and setting the authentication method to Password only. Click Next.
18. Here you specify the details for the RD RAP. The RD RAP can be either the default or a customized one, as per your choice. Here you must specify the network resources that RD users can connect to through the gateway. When an RD user connects and you need to limit which computers they can access, you can specify that here. For example, when the user 'Livin' connects through the RD Gateway and needs to access only a group of computers, you can select the second option, Allow users to connect only to computers in the following groups, and set the group. In my scenario I have allowed all of my domain users to use the RD service and I am not setting a limitation for this, so I am selecting Allow users to connect to any computer on the network. Define the settings as required for you and click Next.
19. As discussed above, for the RD Gateway to function properly we need certain features installed, namely Network Policy and Access Services and Web Server (IIS). Now you will see the introduction and confirmation pages for installing these features; simply click Next to get it done.
20. Now we will see the summary of the configuration that we have done so far. Review it and click Install to start the installation.
21. Once the installation is completed you can close the window, and you must restart the server to complete this operation.
22. Once the server has rebooted, you must log in; the installation will continue and end with the window below. Click Close.
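The same installation can be scripted instead of clicked through, which also makes it easy to verify afterwards that the two security-relevant choices from the wizard (Network Level Authentication in step 9, and the RD CAP/RD RAP from steps 15 to 18) ended up as intended. The script below is an added example written for this page; it is not part of the original post. It assumes the Windows Server 2008 R2 ServerManager module feature names (RDS-RD-Server, RDS-Licensing, RDS-Gateway, RDS-Connection-Broker, RDS-Web-Access) and the Win32_TSGeneralSetting, Win32_TSGatewayConnectionAuthorizationPolicy and Win32_TSGatewayResourceAuthorizationPolicy WMI classes in the root\cimv2\TerminalServices namespace; the property names shown for the gateway policy classes are assumptions. Run it from an elevated PowerShell prompt on the server.

```powershell
# Added example (not from the original post): install the same five RDS role
# services from PowerShell on Windows Server 2008 R2, then check that Network
# Level Authentication is enforced on the RDP-Tcp listener and list the
# RD Gateway CAP/RAP policies. Assumptions: ServerManager module feature names
# and the root\cimv2\TerminalServices WMI classes named below.

Import-Module ServerManager

# Feature names as reported by Get-WindowsFeature on 2008 R2. RDS-Virtualization
# is deliberately left out, matching an environment without Hyper-V.
$roleServices = 'RDS-RD-Server', 'RDS-Licensing', 'RDS-Gateway',
                'RDS-Connection-Broker', 'RDS-Web-Access'

# -IncludeAllSubFeature pulls in the dependencies the wizard offers under
# "Add Required Role Services" (NPS and IIS components for RD Gateway).
$result = Add-WindowsFeature -Name $roleServices -IncludeAllSubFeature
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'A reboot is required before the RDS role services are usable.'
}

# Report which of the requested role services are now installed.
Get-WindowsFeature -Name $roleServices | Select-Object Name, Installed

# Network Level Authentication on the RDP-Tcp listener (wizard step 9).
# UserAuthenticationRequired = 1 means NLA is enforced; clients that cannot
# do NLA (e.g. Windows XP with the old RDC client) will then be refused.
$rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                     -Class Win32_TSGeneralSetting `
                     -Filter "TerminalName='RDP-Tcp'"
if ($rdp.UserAuthenticationRequired -ne 1) {
    Write-Warning 'NLA is not enforced on RDP-Tcp; enabling it.'
    $null = $rdp.SetUserAuthenticationRequired(1)
}

# RD Gateway authorization policies (wizard steps 15-18). A CAP says who may
# connect through the gateway; a RAP says which internal computers they may
# reach. Property names below are assumptions about the WMI provider.
$ns = 'root\cimv2\TerminalServices'
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy |
    Select-Object Name, Enabled, UserGroupNames
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy |
    Select-Object Name, Enabled, ComputerGroupType, ComputerGroupName
```

The two WMI queries at the end are the quick way to audit the gateway after the wizard: a RAP whose ComputerGroupType means "any computer on the network" (the choice made in step 18 above) gives every member of the CAP's user group a path to every RDP listener on the LAN, so on a production gateway you would normally expect to see a RAP scoped to a computer group instead.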
This completes the installation and basic configuration of the Remote Desktop server. Advanced configuration can be viewed at this link.