Remote Desktop Services configuration on Windows Server for Fudo Enterprise

Before you start the procedure, check the following requirements:

  • All servers running Windows Server 2019 or 2022 are joined to the domain;
  • A Domain Controller with an AD user group is configured on Windows Server;
  • All Windows servers have the CredSSP security patch for CVE-2018-0886 installed;
  • You have access to the Fudo Admin Panel to set up an RDP connection.

To configure and use Remote Desktop Services (RDS) with Fudo Enterprise, follow the steps below.

Note

Please note that this is a general guide, and specific details may vary depending on your Windows Server setup. Refer to the Windows Server documentation for precise configuration steps.

Setup Remote Desktop Services (RDS)

Add Servers:

  1. Log in to the server on which you want to set up Remote Desktop Services.
  2. Open the Server Manager application.
  3. Click the Manage button in the upper-right corner of the window to expand the menu and select Add Servers.
../../_images/rds_manager_add_server.png
  4. Click Find Now.
  5. Add all the servers you are going to use for RDS by clicking each server in the deployment, then click OK. In this use case three servers are added: HOST1, HOST2, and RDB, which will play the Broker role.
../../_images/rds_manager_add_server_list.png

Deploy the Remote Desktop Services components:

  1. Click the Manage button in the upper-right corner of the window to expand the menu and select Add Roles and Features.
../../_images/rds_manager_add_roles.png
  2. On the Before You Begin tab, click Next to proceed.
../../_images/rds_roles_1.png
  3. On the Installation Type tab, select Remote Desktop Services installation, and click Next to proceed.
../../_images/rds_roles_2.png
  4. On the Deployment Type tab, select Standard Deployment for a guided, more detailed installation of Remote Desktop Services. Click Next to proceed.
../../_images/rds_roles_3.png
  5. On the Deployment Scenario tab, select Session-based desktop deployment. Click Next to proceed.
../../_images/rds_roles_4.png
  6. On the Role Services tab, review the services that will be installed. Click Next to proceed.
  7. On the RD Connection Broker tab, select the server on which to install the RD Connection Broker role service. In this example, the RDB server was selected. Click Next to proceed.
../../_images/rds_roles_5.png
  8. On the RD Web Access tab, select the server on which to install the RD Web Access role service. In this example, the RDB server was also selected. Click Next to proceed.
../../_images/rds_roles_6.png
  9. On the RD Session Host tab, select the servers on which to install the RD Session Host role service. In this example, the HOST1 and HOST2 servers were selected. Click Next to proceed.
../../_images/rds_roles_7.png
  10. On the Confirmation tab, select Restart the destination server automatically if required, and then click Deploy.
../../_images/rds_roles_8.png
  11. Wait for the deployment to complete successfully and click Close.

Add the RD Gateway server and certificate name:

  1. Select the Remote Desktop Services section from the left-hand menu and go to the Overview tab.
  2. Click the + RD Gateway button and, in the Add RD Gateway Servers wizard, select the virtual machine on which you want to install the RD Gateway server. In this example, the RDB server was selected.
../../_images/rds_add_rd_gateway.png
  3. Click Next.
  4. Enter the SSL certificate name for the RD Gateway server, using the external fully qualified domain name (FQDN) of the RD Gateway server (e.g., cert.mk.local).
  5. Click Next, and then click Add.
  6. Wait until the role service is deployed and click Close.

Configure the RD Gateway and RD Licensing deployment properties:

  1. Go back to the Overview tab, click Tasks and select Edit Deployment Properties from the drop-down list.
../../_images/rds_rd_prop.png
  2. On the RD Gateway tab, select the Automatically detect RD Gateway server settings option and click Apply.
../../_images/rds_rd_prop_gateway.png
  3. Expand the RD Licensing tab and select Per Device. Click Apply.
../../_images/rds_rd_prop_lic.png
  4. Expand the RD Web Access tab to check the RD Web Access IIS application URL. By default it is installed under /RdWeb.
../../_images/rds_rd_prop_web.png
  5. Click the displayed URL to verify the RD Web Access login using the administrator account.

Note

When logging in, include the domain in the user name field, for example Administrator@mk.local.

../../_images/rds_rd_prop_verif.png
  6. Save this address for the subsequent configuration steps.
  7. Click OK in the Deployment Properties window to go back to the Overview tab of the Remote Desktop Services section.

Add the RD License Server:

  1. Click the + RD Licensing button in the Overview tab of the Remote Desktop Services section.
../../_images/rds_add_rd_lic.png
  2. Select the virtual machine on which the RD license server will be installed. In this example, the RDB server was selected. Click Next, and then click Add.
  3. Wait until the role service is deployed and click Close.

Create a session collection:

  1. Go to the Collections tab of the Remote Desktop Services section, click Tasks and select Create Session Collection from the drop-down list.
../../_images/rds_collections.png
  2. On the Before You Begin tab, click Next to proceed.
  3. On the Collection Name tab, provide a descriptive name for the collection. In this example, the name test-collection is used. Click Next to proceed.

Note

This name will be displayed under its icon in the Web Access interface.

  4. On the RD Session Host tab, select the RD Session Host servers to add to this collection. In this example, the HOST1 and HOST2 servers were selected.
  5. On the User Groups tab, define user groups. You can either accept the default user groups or add one or more groups of users permitted to connect to the Session Host server(s) using RDP.
  6. On the User Profile Disks tab, select the Enable User Profile Disks option and specify the settings if needed. You can also leave this option disabled.
  7. On the Confirmation tab, review all the information and then click Create.
  8. Wait until the collection is created. Click Close.
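The deployment described in the sections above (roles, RD Gateway, RD Licensing and the session collection), performed with the RemoteDesktop PowerShell module instead of the Server Manager wizards, as an added example that is not part of the Fudo documentation. It uses the host and collection names from this guide (RDB, HOST1, HOST2, cert.mk.local, test-collection); the mk.local suffix on the host names, the user group MK\Domain Users and the final TLS/NLA verification step are assumptions. Run it on the broker as a domain administrator.

```powershell
# Added example (not Fudo's own code): the RDS deployment from this guide done
# with the RemoteDesktop module. Host names follow the guide; the mk.local
# suffix, the user group and the verification step are assumptions.
#Requires -RunAsAdministrator
Import-Module RemoteDesktop

$Broker       = 'rdb.mk.local'                         # RD Connection Broker, Web Access, Gateway, Licensing
$SessionHosts = @('host1.mk.local', 'host2.mk.local')  # RD Session Hosts (HOST1, HOST2)
$GatewayFqdn  = 'cert.mk.local'                        # certificate name for the RD Gateway
$Collection   = 'test-collection'
$UserGroup    = 'MK\Domain Users'                      # assumed AD group allowed to connect

# 1. Standard, session-based deployment: Broker + Web Access on RDB, Session Hosts on HOST1/HOST2.
New-RDSessionDeployment -ConnectionBroker $Broker -WebAccessServer $Broker -SessionHost $SessionHosts

# 2. RD Gateway on the broker, with the external FQDN used for its certificate,
#    then "Automatically detect RD Gateway server settings" in the deployment properties.
Add-RDServer -Server $Broker -Role RDS-GATEWAY -ConnectionBroker $Broker -GatewayExternalFqdn $GatewayFqdn
Set-RDDeploymentGatewayConfiguration -GatewayMode Automatic -ConnectionBroker $Broker -Force

# 3. RD Licensing on the broker, Per Device mode.
Add-RDServer -Server $Broker -Role RDS-LICENSING -ConnectionBroker $Broker
Set-RDLicenseConfiguration -LicenseServer $Broker -Mode PerDevice -ConnectionBroker $Broker -Force

# 4. Session collection spanning both hosts, restricted to the chosen user group.
New-RDSessionCollection -CollectionName $Collection -SessionHost $SessionHosts -ConnectionBroker $Broker
Set-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup $UserGroup -ConnectionBroker $Broker

# 5. Verification (assumed step): the Fudo server objects created later expect TLS and NLA
#    on each Session Host, so confirm the RDP-Tcp listener enforces both and that the
#    host is domain-joined before continuing.
Invoke-Command -ComputerName $SessionHosts -ScriptBlock {
    $rdp = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
                           -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        SecurityLayer = $rdp.SecurityLayer                    # 2 = TLS (SSL) required
        NlaRequired   = [bool]$rdp.UserAuthenticationRequired # $true = NLA enforced
        DomainJoined  = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    }
} | Format-Table -AutoSize
```

Any host reporting SecurityLayer other than 2 or NlaRequired $false should be corrected (Set-CimInstance on the same Win32_TSGeneralSetting object) before it is added as a server in Fudo, since the Fudo server objects in this guide are created with TLS enabled and NLA enabled.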

Test the connection:

  1. Open the RD Web Access URL saved in the previous steps (e.g., https://rdb.mk.local/RDWeb/).
  2. Enter a valid username and password and click Sign in. You can use the domain admin account to log in, for example Administrator@mk.local.
  3. After logging in, the full collection of created desktop sessions is presented.
../../_images/rds_collections_login.png
  4. Click the created test-collection icon to download the RDP connection file or immediately establish a connection.
../../_images/rds_collections_connection.png
  5. Provide the login credentials of one of the users defined in the domain.
../../_images/rds_user_login.png

Note

This part of the manual presented a general process for configuring Remote Desktop Services. To use Fudo Enterprise's functionality during connections, follow the steps outlined in the next part of this guide.

Setup Fudo Enterprise

Note

This use case describes how to configure Fudo Enterprise using the Active Directory external authentication method. Please keep in mind that you can customize user authentication using any other method supported by Fudo Enterprise to align with your specific requirements, the methods typically used in your environment, and your work scenarios.

Configure external authentication method:

  1. Log in to your Fudo Enterprise Admin Panel.
  2. Select Settings > Authentication.
  3. In the External authentication tab, click Add an external authentication source.
  4. From the Type drop-down list, select Active Directory.
  5. In the Host field, provide the Domain Controller IP address (e.g., 10.0.136.1).
  6. Leave the default port number: 389.
  7. Set the Bind address to Any.
  8. Provide the name of the domain that will be used for authenticating users in Active Directory (e.g., mk.local).
  9. In the Login, Secret, and Repeat secret fields, provide the login credentials of the privileged account used to access the Domain Controller.
../../_images/rds_fudo_external_auth.png
  10. Click Save.

Create User in Fudo:

  1. Select Management > Users and then click Add user.
  2. Enter a user name that matches the chosen user account in Active Directory (e.g., user1).
  3. In the Settings tab, under the Safes section, select portal.
  4. Click Save.
  5. Go to the Authentication section and, from the Add authentication method drop-down list, select External authentication.
  6. Choose the Active Directory method created in the previous steps and click Save.
  7. If necessary, fill in the remaining parameters as needed for your specific configuration. For more details, refer to the Creating a user section.
  8. Click Save and close.

Configure Server with the role of Connection Broker:

  1. Select Management > Servers and then click + Add server.
  2. Enter a unique name for the server (e.g., Broker).
  3. In the Permissions section, add the users allowed to manage this object.
  4. In the Settings section, select RDP from the list of available protocols.
  5. Select the TLS enabled and NLA enabled options.
  6. In the Destination section, select IPv4 and enter the IP address of the server selected for the RD Broker role during RDS setup (in our example, the RDB server with IP 10.0.136.2).
  7. Click Save and close.

Configure Servers with the role of Session Hosts:

  1. Select Management > Servers and then click + Add server.
  2. Enter a unique name for the server (e.g., HOST1).
  3. In the Permissions section, add the users allowed to manage this object.
  4. In the Settings section, select RDP from the list of available protocols.
  5. Select the TLS enabled and NLA enabled options.
  6. In the Destination section, select IPv4 and enter the server's IP address (in our example, 10.0.136.4).
  7. Click Save and close.
  8. Repeat all the above steps to create the second server, with the name HOST2 and IP address 10.0.136.5.

Configure Pool:

  1. Select Management > Pools and then click + Add pool.
  2. Enter a unique name for the pool (e.g., RDS-pool).
  3. In the Settings tab, select the servers to be added to the pool (e.g., HOST1, HOST2).
  4. In the Permissions section, add the users allowed to manage this object (e.g., user1).
../../_images/rds_fudo_pool.png
  5. Click Save and close.

Configure Account:

  1. Select Management > Accounts and then click Add.
  2. Define the object's name (e.g., user1).
  3. Select forward from the Type drop-down list.
  4. Go to the Server / Pool section and, from the drop-down list, select the Pool created in the previous step (e.g., RDS-pool) to assign the created account to this server pool.
  5. In the Credentials section, select the Forward domain option to have the domain name included in the string identifying the user.
  6. Click Save.

Configure Listener:

  1. Select Management > Listeners and then click Add listener.
  2. Enter a unique name for the listener (e.g., rdp-broker-bastion).
  3. Go to the Permissions tab and add the users allowed to manage this listener (e.g., user1).
  4. Go to the Settings tab and press the RDP button in the Protocol field.
  5. Select the TLS enabled option to enable encryption.
  6. Check the NLA enabled option for additional security.
  7. In the Connection mode section, select bastion.
  8. Set the local address to 10.0.58.238 or Any, and the port to 3389.
  9. In the CA certificate field, either click Generate certificate to generate a TLS certificate by choosing the key algorithm and providing the Common Name (the name of the server on which the certificate is installed), or click Upload to upload a server certificate file with the private key pasted at the end of the file.
  10. Click Save and close.

Establish a connection through the Access Gateway:

Warning

When establishing connections using Remote Desktop Services, use the Native client option. The Web client feature is not functional for this type of scenario.

  1. Log in to the Fudo Enterprise Access Gateway using user1 as the username and the password configured for that user in Active Directory.

Note

You can find the Access Gateway address in the Settings > Network configuration menu tab.

../../_images/rds_fudo_ip.png
  2. Hover the cursor over the user1 account name, select Native client and click the Connect button to download the .rdp configuration file.
  3. Open the downloaded file to establish a connection.
  4. Enter the password for the user1 account to log in to the server.

Redirect the connection through Fudo using RDP native client:

  1. To redirect the connection through Fudo Enterprise, use the Fudo Access Gateway address in the RDP client configuration.
  2. Choose your preferred remote desktop client, such as Microsoft Remote Desktop, and follow its workflow to add a new PC for connection.
  3. Following the example of Microsoft Remote Desktop, click the plus icon in the upper part of the window and select Add PC.
../../_images/rds_mrd_add_pc.png
  4. In the PC Name field, enter the address of the Fudo Enterprise Access Gateway followed by the port number, and click Add.
../../_images/rds_mrd_config.png

Note

You can find the Access Gateway address in the Settings > Network configuration menu tab.

../../_images/rds_fudo_ip.png
  5. Connect to the added PC by providing the bastion login string in the Username field and the password in the Password field.

Note

  • Use the following pattern for the bastion login string: user name # account login on the target server # target server address (e.g., user1#user1#10.0.136.4).
  • You can skip the account login if it is the same as the user name, e.g., user1##10.0.136.4.
../../_images/rds_mrd_bastion_string.png
  6. The Remote Desktop client will establish a connection with one of the servers from the RDS collection.
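A small helper for the bastion login string described above and for the native-client connection settings, as an added example that is not part of the Fudo documentation: it builds and validates the user#account#target string (including the user##target shortcut) and writes an .rdp file whose PC name is the Fudo Access Gateway address from this guide (10.0.58.238:3389). The function names, the output path and the validation rules are assumptions; the .rdp keys are the standard Remote Desktop client settings.

```powershell
# Added example (not Fudo's own code): build/parse the bastion login string and
# write an .rdp file pointing a native client at the Fudo Access Gateway.
# Addresses follow this guide; function names and output path are assumptions.

function New-FudoBastionLogin {
    param(
        [Parameter(Mandatory)] [string] $FudoUser,   # user defined in Fudo (e.g. user1)
        [string] $AccountLogin = '',                 # account on the target; empty = same as $FudoUser
        [Parameter(Mandatory)] [string] $Target      # target server address (e.g. 10.0.136.4)
    )
    # Pattern: <Fudo user>#<account login>#<target>. The middle field may be left
    # empty when the account login equals the Fudo user name (user1##10.0.136.4).
    foreach ($part in @($FudoUser, $AccountLogin, $Target)) {
        if ($part -match '#') { throw "'$part' must not contain '#', the field separator" }
    }
    if ($AccountLogin -eq $FudoUser) { $AccountLogin = '' }
    return "$FudoUser#$AccountLogin#$Target"
}

function ConvertFrom-FudoBastionLogin {
    param([Parameter(Mandatory)] [string] $Login)
    # Split into the three fields and apply the "empty account = user name" rule.
    $parts = $Login.Split('#')
    if ($parts.Count -ne 3 -or -not $parts[0] -or -not $parts[2]) {
        throw "Expected user#account#target, got '$Login'"
    }
    [pscustomobject]@{
        FudoUser     = $parts[0]
        AccountLogin = $(if ($parts[1]) { $parts[1] } else { $parts[0] })
        Target       = $parts[2]
    }
}

function New-FudoRdpFile {
    param(
        [Parameter(Mandatory)] [string] $Gateway,    # Fudo Access Gateway address (the RDP listener)
        [int] $Port = 3389,                          # listener port used in this guide
        [Parameter(Mandatory)] [string] $BastionLogin,
        [string] $Path = "$env:USERPROFILE\Desktop\fudo-rds.rdp"   # assumed output location
    )
    # Standard .rdp keys: connect to the gateway, pre-fill the bastion string as the
    # user name, prompt for the password and keep CredSSP (NLA) enabled.
    @(
        "full address:s:${Gateway}:${Port}"
        "username:s:$BastionLogin"
        "prompt for credentials:i:1"
        "enablecredsspsupport:i:1"
        "authentication level:i:2"
    ) | Set-Content -Path $Path -Encoding Unicode
    return $Path
}

# Usage with the values from this guide: user1 on HOST1 (10.0.136.4) via the gateway.
$login = New-FudoBastionLogin -FudoUser 'user1' -AccountLogin 'user1' -Target '10.0.136.4'
$login                                                  # user1##10.0.136.4
ConvertFrom-FudoBastionLogin -Login $login | Format-List # AccountLogin resolves back to user1
New-FudoRdpFile -Gateway '10.0.58.238' -BastionLogin $login
```

Opening the generated file in a native client gives the same result as the manual steps above: the PC name is the Access Gateway, the user name is the bastion string, and only the password is prompted for.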

View the established session in the Fudo Enterprise Admin Panel:

  1. Log in to your Fudo Enterprise Admin Panel.
  2. Select Management > Sessions.
  3. Find the desired session and click the i icon.
../../_images/rds_fudo_sessionview_1.png

../../_images/rds_fudo_sessionview_2.png
