exeGesIS Spatial Data Management

 

Server 2012 setting up remote gateway, remote desktop and RemoteApp

Having set up lots of these using Server 2008 I thought this should be straightforward.  However the changes in Server 2012 make this quite a different process in some scenarios with some new limitations (as well as significant benefits too!)

There are quite a number of related components that all need installing, but can mostly be installed through a wizard provided you are on a domain.  This  post will describe a simple install where all components are installed on a single server.

One of the biggest differences is that Microsoft really now expect you to be joined to a domain for any of this to work.  Having said that it is still possible to install Remote Gateway and Licencing as in Server 2008 R2 (the old style GUIs for these are still there – but not used during a domain install).  What I have been unable to do is to use RemoteApp on Server 2012 without a domain.  This is managed via collections now and the tools to manage it all require you to be on the domain.

Microsoft also say if you are installing everything on a domain controller (i.e. a single machine)– you can not install the Connection Broker component (RDCB) as this will not work (not yet tested this scenario).

There is a good walk through of the process here http://mizitechinfo.wordpress.com/2013/07/26/fast-and-easy-how-to-deploy-remoteapp-on-windows-server-2012/ so I won’t repeat that but will instead concentrate on differences I found.

Your server needs to be joined to a domain for this to work (it is possible to install the gateway by itself without a domain

Installing without a domain

Clearly this will only be of use for a standalone server. This can be done  using the Add Roles and Features directly – similar to Server 2008 – it is (eventually) a supported option in Server 2012 – see http://support.microsoft.com/kb/2833839/en-us.  This works for remote gateway – but not yet seen how to configure RemoteApps – in fact I’m starting to believe this isn’t possible anymore without a domain.

image

image

If not on a domain you can’t use the server manager interface to configure your new install as that requires you to be a domain member

image

But you can run remote gateway (as in Server 2008 under Admin tools) and configure from there:

image

Add a certificate

Its important that your FQDN name (i.e. the name you will access the server with e.g. mytest.esdm.co.uk matches the name of the certificate you use – otherwise you will get all sorts of certificate warnings and may setups maybe lock access as the certificate will not be trusted.  We have a wildcard certificate so we can use any subdomain we like pointe at the server.

image

Browse to the .pfx file and import it – entering the password when asked.

You must the setup a CAP and a RAP – but this is all the same as 2008 RS and well described here: http://www.esdm.co.uk/setting-up-remote-desktop-gateway

Setting up licencing without a domain

Microsoft really seem to want you to run this on a domain.

You can configure the licence server fine - and register your licences - but you can't configure the session host using the server interface if its not on a domain - which means you can't define the licence server of the licencing mode (user / device).

You can though use gpedit.msc to edit the group policy and set it in there:

  • Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing

Then:

  • "Use the specified RD license servers" = YourServerName
  • "Set the Remote Desktop licensing mode" = "Per User"

As a separate issue you may get the warning bubble saying "Remote desktop services will stop in xxx days"

This can be removed by removing the following key from registry HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Grace Period

You may find you have to grant ownership to that key to your Administrator before it will allow you to delete.

Installing on a domain

Nice description here: http://www.techieshelp.com/windows-server-2012-install-and-configure-remote-desktop-services/

and here http://www.urtech.ca/2013/02/solved-1-hour-to-install-and-configure-a-single-server-remote-desktop-services-on-server-2012/

This install process is very different from installing with no domain.  The diagram below shows the components that are installed.  Fortunately the wizard does most of the work for you.

image

To install

1. In the server manager select “Add Roles and Features”

image

2. Select Remote Desktop Services Installation

image

3. Select Quick start

image

If it gives a message saying your server has been excluded due to compatibility issues then.

You need to ensure that  Powershell Remoting is enabled and also that it has enough memory to work with:

  • Start PS Shell as Administrator (right-click, Run As Administrator).
  • Run the commands:
    • Enable-PSRemoting –force
    • Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000
  • Reboot the server.

In my case I got away with just Enable-PSRemoting –force and no reboot

You should then be able to continue

Configuring remote gateway

Once the install has completed you are presented with a screen where the green bits need further configuration by clicking on it

image

You will need to enter the name of the SSL certificate.  This MUST match the name of the FQDN that you will access the gateway with and that will match your certificate.  e.g. netest99.esdm.co.uk

On completion you will be prompted to configure your certificate

image

This must be done once for each service

image

Until it looks like this:

image

Changing the FQDN to match the name of your certificate

Its essential that the name matches that of your certificate, or at least the domain element of it if using a wildcard certificate like *.esdm.co.uk.  For some reason Microsoft have removed the interface to control this – but fortunately it can bee done using a PowerShell script which can be downloaded from here: http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 and then run from a powershell window:

.\Set-RDPublishedName "MySubdomain.esdm.co.uk”
Note you may also have to elevate your powershell script permissions first:
Set-ExecutionPolicy RemoteSigned

Make sure your FQDN resolves on the server

As you have to connect using a subdomain name (e.g. netest99.esdm.co.uk) that matches your signed certificate, there is an issue in that the netest99.esdm.co.uk can not be resolved on the server. So this needs resolving either by adding an A record into your DNS – or an easier way given we are simply dealing with a single server here – we can enter it into the hosts file (remember you need to open Notepad as Administrator so you can save the file back to its location)

image

Allowing users to connect

Users have to be given permissions to connect to RemoteApps and also to a specific RemoteApp collection.  Fortunately the wizard takes care of this for us and sets this to Domain users which is normally OK

However I still had problems connecting until I altered the Remote Authorization Policy (RAP) which is accessed via the Remote Desktop Gateway Manager in Administrative tools .  I found by default this was set as Domain Computers which meant a user couldn’t connect to the server.  Changing it to any network resource resolved this.

image

Licencing server

You should also set this up if this is more than a test server – though you have a90 day grace period to get this sorted so it won’t stop you getting going in a test scenario.

Setting up RemoteApp collections

You can setup a number of different “Collections” which can expose different RemoteApps to different users. By default a “QuickSessionCollection” will have been created – with 3 default apps to test with.

You can control who can access the collection etc using Tasks.

Adding or removing a RemoteApp to a collection is simply a case of pointing at the exe There are no longer pre prepared rdp files etc

image

User permissions

Must be member of Remote Desktop User

Also local security policy has to “Allow log on through Remote Desktop Services” – this was set for me on Gateway machine – but wasn’t on second server with Session host – I had to manually set this

http://www.orbitsit.co.uk/2014/03/unable-remote-desktop-server-2012-adding-user-remote-desktop-users-group/

Remote App permissions

If you are setting up your own remote Apps, make sure users have rights to execute in the folders on all servers – for some reason I ended up with Domain users having rights on one server – but not on a second.

Testing connections

You are now connecting over https – so you must have port 443 open both out of the client (which it usually would be) and inbound on the server.

If using RemoteApp you can connect by:

https://netest99.esdm.co.uk/RDWeb

If you are wanting to create an RDP connection then make sure both the RDGateway and the server name are set to your FQDN (e.g. netest99.esdm.co.uk).  Also remember to include the domain in your logon name.

image

image


 

 

https://www.esdm.co.uk/server-2012-setting-up-remote-gateway-remote-desktop-and-remoteapp