Migrating RD Web and RD Gateway Roles

KB ID 0001406

Problem

I’ve got a job coming up to deploy some Duo two factor authentication into a clients RDS farm. To make things a bit easier for them I needed to migrate their RD Connection Broker. They had their Connection Broker, Gateway, and Web roles on one server, (which is not unusual, or incorrect). It turned out, that moving the Connection Broker, was going to be a major task, and it would be a lot easier to move the other two roles.

Solution

Note: Before deploying make sure you have the certificate ready to import (in .PFX format with a known password). If you are confused export the one from the old server. If you’re still confused use the search button above, I’ve written that procedure up before.

Moving the Gateway and Web roles is actually pretty simple to do, the process is, add the server to the RDS farm, ddd the Role, migrate the IIS settings. You can then repoint your firewall rules to the new server and remove the roles form the old one.

Build your new server, update it and join it to the domain.

Add the new server into the RDS deployment, (on one of the RDS farm members).

You can (from one to the other servers in the RDS farm) now deploy the new role, I’m going to deploy RD Web Access first.

Search for, select, then add the new server > Next.

Add

The new role will be deployed, (time for a coffee?).

Select  ‘Configure Certificate’.

Your newly added role will say ‘Error’ > Select it > ‘Select existing certificate’.

Browse to the certificate > Supply the password > Tick ‘Allow the certificate to be added to the Trusted Root……’ option > OK.

When the display changes to ‘Success’ > Apply > OK.

Now you can add the other RDS Server(s) into the Server Manager console on the ‘new’ RDS server.

Now to ‘migrate’ any custom IIS settings, download the web Deploy Tool, either directly fromMicrosoft,

Or you can deploy from the Web Platform Installer.

Then to migrate all the IIS settings issue the following commands;

[box]CD “C:\Program Files (x86)\IIS\Microsoft Web Deploy V3”

msdeploy.exe -verb:sync -source:webServer,computername={Source-Server-IP} -dest:webServer,computername={Destination-Server-IP}[/box]

Repeat the process for the RD Gateway Role

Related Articles, References, Credits, or External Links

NA

Publishing Remote Desktop Services With Web Application Gateway

KB ID 0001143 

Problem

Getting this article to completion has been a bit of a journey! This is the final post that will stitch together all the others I’ve posted over the last couple of weeks, that will enable you to publish your RemoteApps with  ‘Remote Desktop Web Access’, and have that service presented securely from your DMZ. I’ll be using Active Directory Federation Services, (you don’t have to, but it’s more secure than simply using ‘pass-though’ security).

Solution

Prerequisites

Topology: Simply getting your ‘ducks in a row’ will take a lot longer than actually deploying the service. Here is the topology that I’m going to deploy;

Firewall Rules: You will see I’ve labelled all the Certificate/CRL rules as optional, this is because you would only need them if you were using self signed certificates. In this example that’s what I am doing, this means that all my remote clients need the root certificate installing on them, so for production I suggest you purchase a publicly signed wildcard certificate for simplicity.

DNS Requirements: For your internal domain and the DMZ it’s simple enough but your external clients will need to be able to resolve your public URL (and the URL of your CRL is used).

Certificate Services (Optional): If you want to deploy self signed wildcard certificates you will  need a PKI environment and a published CRL. See the following article;

Windows Certificate Services – Setting up a CRL

Once setup you will need to generate a self signed wildcard certificate. See the following article;

Certificate Services – Create a ‘Wildcard Certificate’

Active Directory Directory Services: You need to have your ADFS farm deployed and ready to add your relying trust to. See the following article;

Deploy Active Directory Federation Services

Web Application Proxy: The Role needs installing ready to have the publishing rule added for Remote Desktop Web Access. See the following article;

Deploying Windows ‘Web Application Proxy’

MAKE SURE: You have ran Windows updates on the WAP server, there are a number of bugs that have been fixed, ensure you have at least KB2975719, and in addition you need to have KB2983037 Hotfix installed.

Step 1: Add A Relying Trust To Active Directory Federation Services For Web Application Proxy

On your ADFS Server > Administrative Tools > AD FS Management > AD FS > Trust Relationships > Relying Party Trusts > Add Relying Party Trust.

Next.

Enter data about relying party trust manually > Next.

Give the trust a name > Next.

AD FS Profile  > Next.

Next.

Next.

As an identifier, add in the UEL to access Remote Desktop Web Access > Next.

I do not want to configure multi-factor authentication settings for this relying  party trust at this time > Next.

Permit all users to use this relying party > Next.

Next.

Untick “Open Edit Claim Rules dialog  for this relying party trust when the wizard closes’ > Close.

You should see your relying part trust listed, take note of its name.

Step 2: Configure Web Application Proxy To Publish Remote Desktop Web Access

On the WAP Server > Administrative Tools > Remote Access Management > Select the Server > Publish.

Next.

Select ‘Active Directory Federation Services (AD FS) > Next.

Note: As mentioned above, you can choose ‘pass-through’, then author authentication is done on the internal RD Web Access server (which is less secure).

Select the relying trust you created above > Next. (If it’s not there check https is open, and you can resolve the AD FS service name) > Next.

Give the publishing rule a name, and enter the URL the service will be published on, (this is usually the same inside and outside but does not have to be) >  Select your wildcard certificate > Next.

Publish.

Close

In PowerShell execute the following command;

[box]

Get-WebApplicationProxyApplication -Name “SmoggyNinja Remote Desktop Web Access” | Set-WebApplicationProxyApplication -DisableHttp

[/box]

Then the following command;

[box]

Get-WebApplicationProxyApplication -Name “SmoggyNinja Remote Desktop Web Access” | Set-WebApplicationProxyApplication -DisableTranslateUrlInRequestHeaders:$true
[/box]

Note: You only actually need this command if you’re  using different URLs but let’s stick with a script that works.

Step 3: Additional Works.

On the Remote Desktop Session Host Server run the following commands;

[box]

Import-Module Remote Desktop

Set-RDSessionCollectionConfiguration -CollectionName SN-RDS-COLLECTION -CustomRdpProperty “pre-authentication server address:s:https://remote.smoggyninja.com`nrequire pre-authentication:i:1″

[/box]

Related Articles, References, Credits, or External Links

NA

vSphere 5 – Install and Configure the Web Client

KB ID 0000551 

Problem

The ability to administer vCenter via a web browser is nothing new, vCenter has had a web console in previous versions.

vCenter vSphere 4 Web Client (Web Access)

The version with vSphere 5 is much more feature rich. Like the VMware vSphere client it talks directly to the vCenter vSphere API, but unlike previous web access, the component needs to be installed and configured before you can use it.

What the Web Client Can Do

1. Connect to a vSphere vCenter server.

2. Can be used on non Windows machines (VI Client is Windows only).

3. Deploy Virtual Machines (Including deployment from Templates).

4. Configure Virtual Machines.

5. Provide basic monitoring.

What the Web Client Can’t Do

1. Manage Hosts

2. Manage Clusters

3. Manage Networks.

4. Manage Datastores or Datastore Clusters.

5. Connect to ESX or ESXi hosts.

Solution

Step 1 Install and Configure Web Access

Prerequisite: The vCenter server needs to have Adobe Flash installing on it to access the management console.

1. From the vCenter Installer media select “VMware vSphere Web Client (Server) > Install > Follow the on screen prompts.

2. Accept all the defaults, note the secure port number we will be using that later (TCP Port 9443).

3. Once installed > On the vCenter server itself open a browser window > navigate to > https://{servername}:9443/admin-app > Select “Register vCenter Server”.

vSphere Web Client Supported Browsers: Internet Explorer (7 or newer) and Firefox (3.5 or newer), I’ve tried Chrome, it works, but some functionality is lost. (anything that requires the plug in i.e. console connections).

4. Enter the details for the vCenter server > Take note of the URL for your client to access (https://{servername}:9443/vsphere-client) > Register.

5. You will probably be using self signed certificates to tick the box and select “Ignore”.

6. That’s the server configured and ready to go.

Step 2 – Access the vCenter from web client

1. Open a browser window and navigate to https://{servername}:9443/vsphere-client> You may receive a warning about the certificate (because it’s self signed) click to continue > Enter your credentials > Login.

2. The first time you connect it launches the welcome splash screen > tick “Do not show..” and close the window. (Note you can launch it again from the help menu).

Note: If you see this error:

Connection Error
Unable to connect to vCenter Inventory Service –
https://{servername}:10443

Check on the vCenter server to make sure this service is running.

3. You should then be connected, and be able to browse your virtual infrastructure.

4. You can “console” onto your VM’s (Note: will need a plug in installing your browser will prompt you to accept/install).

 

Related Articles, References, Credits, or External Links

NA

Install and Configure Remote Desktop Services (Web Access)

KB ID 0000104

Problem

Originally we had TS Web in 2003, and while I had a little play with it, it basically just gave you RDP over web, which would have been good if it ran over HTTP or HTTPS, but it didn’t. Also, as anyone who has ever done a complex Google search for “/tsweb” will testify, left a nice big security hole in to your servers.

With the release of Server 2008 we got TSWeb 2008, this was a whole different beast, and the web portal was very similar in operation to Citrix Web Presentation Server.

With Server 2008 R2, Terminal Services became Remote Desktop Services, so if you only have a couple of clients (i.e. don’t need an application farm etc,) then this might be just what you need, and buying licences for Remote Desktop Services is a LOT cheaper than buying the same licences plus Citrix licences that are about three times the price per seat.

I originally wrote this for TSWeb 2008, and updated it for Remote Desktop Services 2008 R2, I’ll leave the older information at the bottom for anyone who is still running 2008 R1.

Solution

Setup Remote Desktop Services Web Access on Server 2008 R2

1. In this example I’ve got a fresh server which is a domain member, and I’m going to put the Licensing server and the same box. From server manager (ServerManager.msc) >Roles > Add Roles > Next > Remote Desktop Services > Next > Next.

2. Everything is going on one server, you may want to split roles up in a larger production environment, but here we are adding Remote Desktop Session Host, Remote Desktop Licensing, Remote Desktop Gateway > Remote Desktop Web Access > Next > Next.

Note: When selecting role services, you will be prompted to “add required role services”, please do so.

3. I’m choosing the least secure method (choose this if you have older client running older versions of the RDP client) > Next > Either select a Licensing model (per user or per device, or select configure later) > Next.

Note: The licensing model chosen MUST match the CALS that will be in the licensing server. (If you are unsure configure it later, then you will have 120 days grace period to sort it out).

4. Add in which user groups to want to allow access to the host server > Next.

5. Decide which options you want to allow, to enrich your end user experience > Next > I dont need a scope as all my RD Servers will be 2008 R2, it you have TS servers as well you will need to configure a scope > Next.

6. If you already have a certificate you can select it here, I’m going to manually import the certificate into IIS at the end of the procedure > Select “Now” to configure the access policies > Next.

7. Add in which user groups you want to allow through the Remote Desktop Gateway > Next.

8. At the RD CAP screen, I’m just going to use passwords > Next > Then at the RD RAP screen, I’m going to allow connections TO ANY computer > Next > Next > let it install the Network Policy Server component > Next.

9. Install > Then go and have a coffee.

10. When completed, select yes to reboot which it will do (twice).

11. After you log back into Windows the installation will complete > Close

Import and Enable a Digital Certificate in IIS7

12. Start > Administrative tools > Internet Information Services Manager > Select the {server-name} > Server certificates > From here you can either create a certificate request, or complete a request, and import a certificate.

13. Here is my certificate with the “friendly name” WebServer.

14. To enable my certificate right click the “Default Web Site” (Assuming that’s where you have RDWeb installed) > Edit Bindings.

15. Select HTTPS > Edit > And select your SSL certificate > OK.

16. Restart the website (or run “iisreset /noforce” from command line).

17. Start > Administrative Tools > Remote Desktop Services > RemoteApp Manager.

18. Anything that needs configuring will have a yellow warning triangle, or a red cross over it. First you will see it’s complaining that there are no computers in the “TS Web Access Computer ” group.

19. That’s just a LOCAL group on the server itself, launch ServerManager >Configuration > Local Users and Groups > Groups > Locate the group.

20. Add in your groups as required > Apply >OK.

21. Back in the RemoteApp Manger > Check the RD Session Host Server >Settings (on the menu on the right) > Make sure the PUBLIC name (which will be the CN on your digital certificate) is displayed NOT the LOCAL FQDN of the server. You can also tick the option (shown with the arrow) to display the RDP shortcut to your users on the web portal. > Apply > OK.

22. To do the next step, you need to have the applications you want to give to your users, actually installed on the server. > Either right click at the bottom, or select “Add RemoteApp Programs”.

23. Follow the wizard, and select the programs as required.

24. Click refresh > Make sure there’s no more red/yellow warnings > Close RemoteApp Manager.

25. To test it, connect to your server on https://{servername}/RDWeb and log in.

26. You applications should be shown, give them a test, here I’ll launch Outlook.

27. I already have Outlook configured on the Remote Desktop Server so mine just opens (your users will need to setup Outlook, if they don’t have a profile on the RD server already).

Setup Terminal Services Web Access on Server 2008 R1

1. Start > Server Manager (or Start > run > CompMgmtLauncher.exe (Enter) > Add Roles..

2. Next.

3. Tick Terminal Services > Tick Web Server IIS.

4. As soon as you select IIS > In the Pop up Select “Add Required Features”.

5. Next.

6. Next.

7. Select Terminal Server > TS Licensing > TS Gateway > At The Popup Select “Add Required Roles Services”.

8. Select TS Web Access > At the Popup Select “Add Required Roles Services”.

9. Next.

10 Next.

11 I’m going to select “Do Not require Network Level Authentication” > Next.

12. Next.

13. Next.

14. .I’m selecting “Configure Later” for the licensing (Like previous versions you get 120 days grace to sort this out) > Next.

15. Allowing Access to TS > By default the “Remote Desktop Users” group on the TS server is allowed access you can add additional groups here > Next.

16. Connect externally to https://{public_IP} (Note this has to be in the browsers trusted site list) > Enter a username and password > Login.

17. Select the scope you require for TS Licensing > Next.

18. Later > Next.

20. Next.

21. Next.

22. Next.

23. Next.

24. Install.

25. The Roles will install.

26. Close.

27. Click Yes to reboot.

28. After reboot installation will continue.

29. Close.

Deploying Applications

1. Start > Server Manager (or Start > run > CompMgmtLauncher.exe (Enter)) > Expand > Roles > Terminal Services > TS Remote App Manager > Select “Add Remote App Programs” (Right hand window).

2. Next.

3. Select the application you require or browse to its Executable > Next. >

4. Finish.

Connecting from a client

1. On a Client PC open internet explorer > Navigate to http://{serverIP or name}/ts > Note: If you do not have ActiveX enabled and the latest RDP client you may see this error.

2. There’s your applications > simply select one.

3. Enter your login credentials.

4. Wait for the application to deploy.

5. And there you go 🙂

Related Articles, References, Credits, or External Links

Windows Server 2008 R2 Deploying Applications with RemoteApp /p>

Original Article Written 02/11/11

PowerShell Web Access

KB ID 0001036

Problem

One of my goals for this year is to become more proficient with PowerShell. During my studies I came across PowerShell Web access and thought it was so cool, I’d have a play with it.

What is PowerShell Web Access?

It’s a web service that runs on a Server 2012 IIS web server. It lets you remote connect to that host (via https) and then launch a PowerShell secure connection to any machine in your network. So by deploying a secure bastion host in your DMZ you can manage your infrastructure via PowerShell, you don’t even need to have PowerShell on your remote machine, (as demonstrated below) that machine does not even have to be Windows. It just needs a browser that can run JavaScript and can accept cookies.

You Expect Me to Open All My Servers To Remote Management?

In a word yes, in fact if you have server 2012 or newer they already are, and if you have not already enabled the Windows Remote Management Service, on your legacy machines, DO SO! If not all the modern domain management tools will gradually stop working. As far as Microsoft is concerned PowerShell is the tool that all the management tools will be built on.

In fact if you are a security conscious type, you probably already have domain services in your DMZ, think of this as a secure ‘reverse-proxy’, whose traffic is secured by SSL and Kerberos.

Solution

Setting Up PowerShell Remote Access

1. PowerShell web access is a ‘windows feature’ add it with the following command;

[box]

Add-WindowsFeature WindowsPowerShellWebAccess
[/box]

 

2. Now it’s available you can install it like so;

[box]

Install-PswaWebApplication

Note: My Target server is already running IIS and has a certificate binding for https, yours probably does not, if so generate a self signed certificate and assign it like so;

Install-PswaWebApplication –UseTestCertificate

Obviously in production replace this certificate with either a publicly signed one, or one form your own PKI environment.

[/box]

3. Now you need to allow access, the following allows all users to all machines to do everything (Note: I would not recommend this for a production environment, see next step).

[box]Add-PswaAuthorizationRule * * *[/box]

4. As I said above, lets be a little more secure, I’ve created a computer group, for my target computers, and a user group for my remote PowerShell admins. As above, I’ve not filtered what the users can do, you could give granular remote access to different levels of administrative groups using this, if that’s a requirement see this article.

[box]

Add-PswaAuthorizationRule -ComputerGroupName petenetlivePSComputers -UserGroupName petenetlivePSAdmins -ConfigutationName *

[/box]

5. So now if you connect to the server over https, (it creates a virtual directory called pswa) so we will need to go to https://{ip address or hostname}/pswa.

PowerShell Web Access – It Doesn’t Work!

If at this point there’s a problem, ensure the server and the client you are trying to connect to have comms, (can they ping each other by name and IP). Most importantly the machine you need to connect to needs to have WinRM running and its firewall configuring properly.

Configure Windows Remote Management for a Single Host

From an elevated command prompt execute the following command and follow the on-screen prompts;

[box]WinRM QuickConfig [/box]

Configure Windows Remote Management via Group Policy

A better approach would be to configure you hosts via GPO. You can find the correct GPO at;

[box]

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM
On Server 2008 R2 and older the policy will be called 'Allow automatic configuration of listeners'

[/box]

Enable the policy and select which networks you want to allow remote connections from, above I’ve simply used asterisks to denote ‘all addresses’.

Providing all is well, you should have PowerShell access.

 

PowerShell from an Apple IOS Device (iPad shown)

PowerShell from an Android Device (Samsung Note shown)

Related Articles, References, Credits, or External Links

NA

Exchange 2010 – Blank OWA Page?

KB ID 0000429

Problem

When trying to access Outlook Web App (or Outlook Web Access for those used to earlier versions of Exchange), you see a blank white page and nothing else.

The certificate and IIS works but no OWA.

Solution

This is usually due to an exchange pre-requisite that is missing, or one of them is not working.

1. Launch the Exchange Management Shell, (Start > All Programs > Microsoft Exchange Server 2010 > Exchange Management Shell).

2. Issue the following command.

[box]Import-Module ServerManager[/box]

3. Issue the following command.

[box]Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart[/box]

4. Issue the following command.

[box]Set-Service NetTcpPortSharing -StartupType Automatic[/box]

5. Retry OWA.

 

Related Articles, References, Credits, or External Links

Exchange – OWA and ECP Websites Blank After Logon

HP Procurve Adding a Management IP

KB ID 0000428

Problem

You have an HP Procurve switch, and you would like to add a management IP so you can view the web console.

Solution

Related Articles, References, Credits, or External Links

HP Procurve – Trunking / Aggregating Ports

Setup an HP 1800-24G (J9028B) Switch

KB ID 0000800 

Problem

Essentially you can unbox this switch, plug it in and it will do what you want (unless you have VLANS, or trunks (port-channels)). Which is what my client had done, but I needed to get on the web console and have a look at what was going on, and there is NO CONSOLE socket on this unit at all.

Solution

1. Don’t bother looking in DHCP, it’s NOT set to DHCP by default. From the factory the switch will have the following IP address; 192.168.2.10 (255.255.255.0). So put yourself on the same network segment and connect to the switch via a normal network cable.

Note: Start > Run > ncpa.cpl will get you there.

2. Now open a browser window and connect to https://192.168.2.10 by default the password will be blank.

3. To change the IP address, navigate to System > IP Address > Set accordingly > Apply.

Note: Obviously this will kick you off, and you will need to change your IP address again to reconnect.

4. To change the password navigate to System > Password > change accordingly > Apply.

 

Related Articles, References, Credits, or External Links

NA