Remote Desktop Services configuration on Windows Server for Fudo Enterprise
Before you start the procedure, check the following requirements:
- All servers running Windows Server 2019 or 2022 are joined to a domain;
- A Domain Controller with an AD user group is configured on Windows Server;
- All Windows servers have the security patch for CredSSP CVE-2018-0886 installed;
- You have access to the Fudo Admin Panel to set up an RDP connection.
To configure and use Remote Desktop Services (RDS) with Fudo Enterprise, follow the steps below.
Note
Please note that this is a general guide, and specific details may vary depending on your Windows Server setup. Refer to the Windows Server documentation for precise configuration steps.
Setup Remote Desktop Services (RDS)
Add Servers:
- Log in to the server on which you want to set up the Remote Desktop Services.
- Open the Server Manager application.
- Click the Manage button in the upper right corner of the window to expand the menu list and select Add Servers.
- Click Find Now.
- Add all the servers you’re going to use for RDS by clicking on each server in the deployment. Click OK. In this use case we add 3 servers: HOST1, HOST2 and RDB, which will play the Broker role.
Deploy the Remote Desktop Services components:
- Click the Manage button in the upper right corner of the window to expand the menu list and select Add Roles and Features.
- On the Before You Begin tab, click Next to proceed.
- On the Installation Type tab, select Remote Desktop Services installation, and click Next to proceed.
- On the Deployment Type tab, select Standard Deployment to access more detailed instructions for installing Remote Desktop Services. Click Next to proceed.
- On the Deployment Scenario tab, select Session-based desktop deployment. Click Next to proceed.
- On the Role Services tab, review the services that will be installed. Click Next to proceed.
- On the RD Connection Broker tab, select the appropriate server on which to install the RD Connection Broker role service. In this example, the RDB server was selected. Click Next to proceed.
- On the RD Web Access tab, select the appropriate server on which to install the RD Web Access role service. In this example, the RDB server was also selected. Click Next to proceed.
- On the RD Session Host tab, select the appropriate servers on which to install the RD Session Host role service. In this example, the HOST1 and HOST2 servers were selected. Click Next to proceed.
- On the Confirmation tab, select Restart the destination server automatically if required, and then click Deploy.
- Wait for the deployment to complete successfully and click Close.
Add the RD Gateway server and certificate name:
- Select the Remote Desktop Services section from the left-hand menu and go to Overview tab.
- Click the + RD Gateway button and in the Add RD Gateway Servers wizard, select the virtual machine where you want to install the RD Gateway server. In this example, the RDB server was selected.
- Click Next.
- Enter the SSL certificate name for the RD Gateway server using the external fully qualified DNS name (FQDN) of the RD Gateway server. Example: cert.mk.local.
- Click Next, and then click Add.
- Wait until the role service is deployed and click Close.
Configure the RD Gateway and RD Licensing deployment properties:
- Go back to the Overview tab, click Tasks and select Edit Deployment Properties from the drop-down list.
- On the RD Gateway tab, select Automatically detect RD Gateway server settings option and click Apply.
- Expand the RD Licensing tab and select Per Device. Click Apply.
- Expand the RD Web Access tab to check the RD Web Access IIS application URL. It is installed by default under the /RdWeb path.
- Click on the displayed URL to verify the RD Web Access login using the administrator account.
Note
While logging in, use the domain in the user name field. For example, Administrator@mk.local.
- Save this address for the subsequent configuration steps.
- Click OK in the Deployment Properties window to go back to the Overview tab of the Remote Desktop Services section.
Add the RD License Server:
Create a session collection:
- Go to the Collections tab of the Remote Desktop Services section, click Tasks and select Create Session Collection from the drop-down list.
- On the Before You Begin tab, click Next to proceed.
- On the Collection Name tab, provide a descriptive name for the collection. In this example we used the name test-collection. Click Next to proceed.
Note
This name will be displayed under its icon in the Web Access interface.
- On the RD Session Host tab, select the RD Session Host servers to add to this collection. In this example, the HOST1 and HOST2 servers were selected.
- On the User Groups tab, define user groups. You can either accept the default user groups or add one or more groups of users permitted to connect using RDP to the Session Host server(s).
- On the User Profile Disks tab, select Enable User Profile Disks option and specify the settings if needed. You can also leave this option disabled.
- On the Confirmation tab, please review all the information and then click ‘Create’.
- Wait until the collection is created. Click Close.
Test the connection:
- Open the RD Web Access URL saved in previous steps (e.g., https://rdb.mk.local/RDWeb/).
- Enter a valid username and password and click Sign in. You can use the domain admin account to log in, for example, Administrator@mk.local.
- After logging in, the full collection of created desktop sessions is presented.
- Click on the created test-collection icon to download the RDP connection file or immediately establish a connection.
- Provide login credentials of one of the users specified in the domain.
Note
In this part of the manual, a general process for configuring Remote Desktop Services has been presented. To utilize Fudo Enterprise’s functionality during connections, please follow the steps outlined in the subsequent part of the instruction.
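The same RDS deployment, as an added PowerShell example that is not part of the original guide: it scripts the Server Manager wizard steps above with the RemoteDesktop module, using the server names (HOST1, HOST2, RDB), certificate name (cert.mk.local) and collection name (test-collection) from this page. The mk.local FQDN suffix and WinRM access from the management host to the servers are assumptions.

```powershell
# Added example, not from the Fudo documentation: scripted equivalent of the
# Server Manager wizard steps above, run from an elevated PowerShell session on
# a domain-joined management host. Server names follow the page; the "mk.local"
# suffix and WinRM reachability of the servers are assumptions.
Import-Module RemoteDesktop

$Broker       = 'RDB.mk.local'
$SessionHosts = @('HOST1.mk.local', 'HOST2.mk.local')
$GatewayFqdn  = 'cert.mk.local'   # external FQDN used as the RD Gateway certificate name
$Collection   = 'test-collection'

# Prerequisite from the page: every server taking part must be domain-joined.
foreach ($s in @($Broker) + $SessionHosts) {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $s
    if (-not $cs.PartOfDomain) { throw "$s is not domain-joined; fix that before deploying RDS." }
}

# Standard, session-based deployment: Connection Broker and Web Access on RDB,
# Session Host role on HOST1 and HOST2 (the Add Roles and Features wizard).
New-RDSessionDeployment -ConnectionBroker $Broker -WebAccessServer $Broker -SessionHost $SessionHosts

# "+ RD Gateway" step: Gateway role on RDB, certificate name cert.mk.local.
Add-RDServer -Server $Broker -Role 'RDS-GATEWAY' -ConnectionBroker $Broker -GatewayExternalFqdn $GatewayFqdn

# Deployment properties: auto-detect RD Gateway settings, Per Device licensing.
Set-RDDeploymentGatewayConfiguration -GatewayMode Automatic -ConnectionBroker $Broker -Force
Set-RDLicenseConfiguration -Mode PerDevice -ConnectionBroker $Broker -Force

# Session collection that contains both Session Hosts.
New-RDSessionCollection -CollectionName $Collection -SessionHost $SessionHosts -ConnectionBroker $Broker

# Review the roles and the collection before handing the deployment to Fudo.
Get-RDServer -ConnectionBroker $Broker | Format-Table Server, Roles
Get-RDSessionCollection -ConnectionBroker $Broker | Format-Table CollectionName, Size
```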
Setup Fudo Enterprise
Note
This use case describes how to configure Fudo Enterprise using the Active Directory external authentication method. Please keep in mind that you can customize user authentication using any other method supported by Fudo Enterprise to align with your specific requirements, the methods typically used in your environment, and your work scenarios.
Configure external authentication method:
- Log in to your Fudo Enterprise Admin Panel.
- Select > .
- In the External authentication tab, click .
- From the Type drop-down list select Active Directory.
- In the Host field provide the Domain Controller IP address (e.g., 10.0.136.1).
- Leave the default port number: 389.
- Set the Bind address to Any.
- Provide the name of the domain which will be used for authenticating users in Active Directory (e.g., mk.local).
- In the Login, Secret, and Repeat secret fields provide the privileged account’s login credentials used to access the Domain Controller.
- Click .
Create User in Fudo:
- Select > and then click .
- Enter the user name that matches the chosen user account in Active Directory (e.g., ‘user1’).
- In the Settings tab, under the Safes section, select portal.
- Click .
- Go to the Authentication section and from the Add authentication method drop-down list select External authentication.
- Choose the Active Directory method created in the previous steps and click .
- If necessary, fill in the remaining parameters as needed for your specific configuration. For more details, refer to the Creating a user section.
- Click .
Configure Server with the role of Connection Broker:
- Select > and then click .
- Enter the server’s unique name (e.g., Broker).
- In the Permissions section, add users allowed to manage this object.
- In the Settings section, on the list of available protocols select RDP.
- Select the TLS enabled and the NLA enabled options.
- In the Destination section select IPv4 and enter the IP address of the server selected during RDS setup for the RD Broker role (in our example, the RDB server with IP 10.0.136.2).
- Click .
Configure Servers with the role of Session Hosts:
- Select > and then click .
- Enter the server’s unique name (e.g., HOST1).
- In the Permissions section, add users allowed to manage this object.
- In the Settings section, on the list of available protocols select RDP.
- Select the TLS enabled and the NLA enabled options.
- In the Destination section select IPv4 and enter the server’s IP address (in our example, 10.0.136.4).
- Click .
- Repeat all the above steps to create the second server with the name HOST2 and IP address 10.0.136.5.
Configure Pool:
Configure Account:
- Select > and then click .
- Define the object’s name (e.g., user1).
- Select forward from the Type drop-down list.
- Go to the Server / Pool section and from the drop-down list select the Pool created in the previous step (e.g., RDS-pool) to assign the created account to this server pool.
- In the Credentials section select the Forward domain option to have the domain name included in the string identifying the user.
- Click .
Configure Listener:
- Select > and then click .
- Enter the listener’s unique name (e.g., rdp-broker-bastion).
- Go to the Permissions tab and add users allowed to manage this listener (e.g., user1).
- Go to the Settings tab and press the button in the Protocol field.
- Select the TLS enabled option to enable encryption.
- Check the NLA enabled option for additional security.
- In the Connection mode section, select bastion.
- Set the local address to 10.0.58.238 or Any, and the port to 3389.
- In the CA certificate field, click to generate a TLS certificate by choosing the key algorithm and providing the Common Name (the server name where the certificate is installed), or click to upload a server certificate file with the private key pasted at the end of the file.
- Click .
Establish a connection through the Access Gateway:
Warning
When establishing connections using the Remote Desktop Services, please use the Native client option. Web client feature is not functional for this type of scenario.
- Log in to the Fudo Enterprise Access Gateway using user1 as the username and the password corresponding to the one configured in Active Directory.
Note
You can find the Access Gateway address in the > menu tab.
- Hover the cursor over the user1 account name, select Native client and click the button to download the .rdp configuration file.
- Open the downloaded file to establish a connection.
- Enter the password for the user1 account to log in to the server.
Redirect the connection through Fudo using RDP native client:
- In order to redirect the connection through Fudo Enterprise, we need to use the Fudo Access Gateway address in the RDP client configuration.
- Choose your favorite remote desktop client, such as Microsoft Remote Desktop, and follow its workflow to add a new PC for connection.
- Following the example of Microsoft Remote Desktop, click the plus icon in the upper part of the window and select Add PC.
- In the PC Name field, enter the address of the Fudo Enterprise Access Gateway followed by the port number and click Add.
Note
You can find the Access Gateway address in the
> menu tab.
- Connect to the added PC by providing the bastion login string in the Username field and the password in the Password field.
Note
- Use the following pattern for the bastion login string: user name # account login on the target server # target server address (e.g., user1#user1#10.0.136.4).
- You can skip the account login if it’s the same as the user name, e.g., user1##10.0.136.4.
- Remote Desktop client will establish a connection with one of the servers from the RDS collection.
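The native-client redirection described above, as an added PowerShell example that is not part of the original guide: it builds the bastion login string from the Note (both the full form and the form that skips the account login) and writes a minimal .rdp file that points the client at Fudo instead of the Session Host. The Fudo endpoint used (10.0.58.238, port 3389, the listener address configured earlier on this page) and the function names are assumptions.

```powershell
# Added example, not from the Fudo documentation. Builds the bastion login
# string "user#account#server" from the Note above and writes a .rdp file for
# the native client. The Fudo endpoint is an assumption: the listener address
# and port configured earlier on this page.
function New-FudoBastionLogin {
    param(
        [Parameter(Mandatory)] [string]$UserName,      # Fudo user, e.g. user1
        [string]$AccountLogin = '',                    # account on the target; '' = same as user
        [Parameter(Mandatory)] [string]$TargetServer   # target Session Host address
    )
    # '#' is the field separator of the pattern, so no field may contain it.
    foreach ($part in $UserName, $AccountLogin, $TargetServer) {
        if ($part -match '#') { throw "'#' is the separator and cannot appear in '$part'" }
    }
    return '{0}#{1}#{2}' -f $UserName, $AccountLogin, $TargetServer
}

function New-FudoRdpFile {
    param(
        [Parameter(Mandatory)] [string]$BastionLogin,
        [string]$FudoAddress = '10.0.58.238',   # assumed: listener local address from this page
        [int]$FudoPort = 3389,                  # assumed: listener port from this page
        [Parameter(Mandatory)] [string]$Path
    )
    # Minimal .rdp settings: connect to Fudo, pre-fill the bastion login string,
    # and always prompt for the password instead of storing it in the file.
    $lines = @(
        "full address:s:${FudoAddress}:${FudoPort}",
        "username:s:$BastionLogin",
        "prompt for credentials:i:1"
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

# Usage: the two variants from the Note. The first names the account login
# explicitly; the second omits it because it equals the user name.
$loginFull  = New-FudoBastionLogin -UserName 'user1' -AccountLogin 'user1' -TargetServer '10.0.136.4'
$loginShort = New-FudoBastionLogin -UserName 'user1' -TargetServer '10.0.136.4'
$rdp = New-FudoRdpFile -BastionLogin $loginShort -Path "$env:TEMP\fudo-rds.rdp"
mstsc.exe $rdp   # opens the native client against Fudo; the password is prompted for
```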
View the established session in the Fudo Enterprise Admin Panel: