Deploy a Windows Server 2019 RDS farm with HTML5 client

These days I’m trying in depth Windows Server 2019. Today I chose to pay attention to Remote Desktop Services. The goal of my lab is to deploy a RDS Farm with all components and with the new HTML5 Remote Desktop Client. Even though I’m running my lab on Windows Server 2019, you can also deploy the HTML5 client on Windows Server 2016. In this topic, I wanted to share with you the steps I followed to deploy the Windows Server 2019 RDS farm.

Requirements

To make this lab, I have deployed four virtual machines which are running Windows Server 2019:

  • RDS-APP-01: RD Host Server that hosts the RemoteApp collection
  • RDS-DKP-01: RD Host Server that hosts the Remote Desktop collection
  • RDS-BRK-01: Hosts RD Broker and RD Licensing
  • RDS-WEB-01: Hosts RD Web Access and RD Gateway

Then I have a public certificate for RD Web Access and RD Gateway role:

I have also a private certificate for RD Broker publishing and RD Broker connection. To create this certificate, I duplicated the Workstation Authentication ADCS template as described in this topic.

I have register both certificates in PFX (with private key) and in cer (just the public certificate).

Finally, I have two DNS zone:

  • SeromIT.local: Active Directory forest zone
  • SeromIT.com: splitted zone: hosted by local domain controllers and by public provider. I use this zone to connect from Internet. In this zone I have created two registrations:
    • Apps.SeromIT.com: leading to RDS-WEB-01 (CNAME)
    • RDS-GW.SeromIT.com: leading to RDS-BRK-01 (CNAME) for the gateway

RDS farm deployment

To deploy the RDS farm, I use only PowerShell. In this way I can reproduce the deployment for other customers. First of all, I run a Remote Desktop deployment to configure a RD Web Access, a RD Broker and a RD Host Server:


New-RDSessionDeployment -ConnectionBroker RDS-BRK-01.SeromIT.local `
                        -SessionHost RDS-DKP-01.SeromIT.local `
                        -WebAccessServer RDS-WEB-01.SeromIT.local

Then I run a PowerShell cmdlet to add another RD Host Server, a RD Licensing and a RD Gateway role.


Add-RDServer -Server RDS-APP-01.SeromIT.local `
             -Role RDS-RD-SERVER `
             -ConnectionBroker RDS-BRK-01.SeromIT.local

Add-RDServer -Server RDS-BRK-01.SeromIT.local `
             -Role RDS-Licensing `
             -ConnectionBroker RDS-BRK-01.SeromIT.local

Add-RDServer -Server RDS-WEB-01.SeromIT.local `
             -Role RDS-Gateway `
             -ConnectionBroker RDS-BRK-01.SeromIT.local `
             -GatewayExternalFqdn RDS-GW.SeromIT.com

Once these commands are run, the role deployment is finished:

Now we can configure the certificates.

Certificate configuration

To configure each certificate, I use again PowerShell. Remember, I have store both certificates in PFX in C:\temp\RDS of my broker server.

$Password = Read-Host -AsSecureString
$Password = Read-Host -AsSecureString
Set-RDCertificate -Role RDGateway `
                  -ImportPath C:\temp\RDS\wildcard_SeromIT_com.pfx `
                  -Password $Password `
                  -ConnectionBroker RDS-BRK-01.SeromIT.local `
                  -Force

Set-RDCertificate -Role RDWebAccess `
                  -ImportPath C:\temp\RDS\wildcard_SeromIT_com.pfx `
                  -Password $Password `
                  -ConnectionBroker RDS-BRK-01.SeromIT.local `
                  -Force

Set-RDCertificate -Role RDPublishing `
                  -ImportPath C:\temp\RDS\Broker.pfx `
                  -Password $Password `
                  -ConnectionBroker RDS-BRK-01.SeromIT.local `
                  -Force

Set-RDCertificate -Role RDRedirector `
                  -ImportPath C:\temp\RDS\Broker.pfx `
                  -Password $Password `
                  -ConnectionBroker RDS-BRK-01.SeromIT.local `
                  -Force

Once these commands are executed, the certificate are installed for each role:

Collection creation

Now I create a collection to add resources inside the RD Web Access portal:

New-RDSessionCollection -CollectionName Desktop `
                        -CollectionDescription "Desktop Publication" `
                        -SessionHost RDS-DKP-01.SeromIT.local `
                        -ConnectionBroker RDS-BRK-01.SeromIT.local

Then from Server Manager, you can configure settings of this collection:

Enable HTML 5 Remote Desktop client

In this lab, I don’t want to use the legacy portal. I’d like to use the super cool new HTML5 RD client. To enable this client, I connect to the server hosting RD Web Access role and I run the following cmdlet:

Install-Module -Name PowerShellGet -Force -Confirm:$False

After, close and open again a PowerShell window. Then execute this command:

Install-Module -Name RDWebClientManagement -Confirm:$False

Then copy the RD Broker certificate in cer format into the RD Web Access server and run the following cmdlets:

Import-RDWebClientBrokerCert c:\temp\broker.cer

Install-RDWebClientPackage
Publish-RDWebClientPackage -Type Production -Latest

Now you can connect to the RD Web client by using the following URL: https:///RDWeb/WebClient/Index.html. In my example, I connect to https://apps.SeromIT.com/RDWeb/WebClient/Index.html.

Conclusion

I like the RD Web client for several reasons. First, you can connect to a RDS session from a HTML5 ready web browser. You don’t need anymore a compatible RD client and you can connect from several devices such as Mac, a Linux device or maybe a tablet or smartphone. Secondly, the HTML5 client doesn’t require settings for SSO like we did with the legacy portal. The deployment is easier as before. And finally I found this client more user friendly than the legacy portal. The only thing missing is the ability to enable the HTML5 client by a single click or PowerShell cmdlet, or to enable it by default.

About Romain Serre

Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft Technology, especially on Hyper-V, System Center, Storage, networking and Cloud OS technology as Microsoft Azure or Azure Stack. He is a MVP and he is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).

28 comments

  1. Hi great post, does USB redirection work?

  2. Merci Romain,
    Great post x2 🙂 Does it work for testing purposes with autosigned certificates?
    Thanks

  3. Thanks for your post. What, when i have certificate problems, also when i’ve done it the same way then you?
    Is it possible to contact you directly?

  4. You have 4 servers to begin with, but then in the later section you have a brand-new RDS-DKP-01.SeromIT.local, seemingly 5th server… can you please explain what’s going on? I appreciate your walk-through brother!

  5. David Culverson

    Hii, thanks for the article. To save the next reader a bunch of time troubleshooting, you reference the CNAME for the Gateway pointing to the RDS-BRK-01 server, when it should be the RDS-WEB-01 server where you install the gateway role.

  6. Hi, thank you very much for your guide, I really appreciate your work here.
    I have 1 Question regarding Clustering.
    I read, that with 2019, you can cluster the Licensing using a SQL-Database. How would that change the deployment If we want every server clustered ?

  7. Hi, what type of Licensing do you use ? User or Device ? Freek Berson wrote in his Blog, that you need to use for the HTML5 per User Licensing… Did you try it per Device too ?

  8. I’m wondering which of these servers can be installed as Server Core, and which need to be the full desktop experience?

  9. Hello!

    Thanks for a great post!

    Does this mean that I only log once and then I can use any published app without need to reenter my credentials if using non domain joined devices?

    Thank you once again!

    Regards,
    Adi

  10. Hi,

    Is it possible to create a HA this way, so that a users Remote Desktop is automaticly moved to other terminal servers, when the one they original connected to goes down?

    I have been looking for something like that for a while, and I was thinking about using the HTML5 client instead, and it might work.

    It should work like Hyper-V Live Migration / Failover.

    • Hello,

      When you create a RD farm, the broker is in charge of distributing workload among RD Server. If a RD Server is down, the broker is able to detect it and stop to distribute traffic to this RD Server.

  11. It looks like HTML5 doesn’t have MFA support? So I won’t use it in production I think.

    • You have to setup MFA via NPS, not in the HTML5 client. Azure MFA is fully supported for RDS connections through a gateway, so you must force even internal connections to go via the gateway.

  12. Hello great articel,

    RDS-GW.SeromIT.com: leading to RDS-BRK-01 (CNAME) for the gateway — is that the correct cname to the connection broker ?

    Thanks

  13. Hi,
    Like many before me, i really want to thank you Romain.
    That’s a great article and it’s very well explained!
    Wanted to know if there’s a way to set the default on the customized rdweb client html to download to rpd file for everyone who enters?
    Thanks!!

  14. For the Certificates, why did you use two one for the broker and one being wildcard? I understand what the wildcard is for but can you go into a bit detail or some documentation for the broker cert.

  15. Jeremy Koleske

    Hello, thanks for the write up! can this method be used to create a windows 10 session in HTML 5 Browser window?

    • worked for me, in chrome and explorer, though i have to say that it takes around 5 minutes for the session to begin (at least in my case), so i just rather use the rdp files

  16. Hi !
    How I can configure “Desktop” on app publish?
    In my work resources I add the “calculator” and works fine. But I want to my domain users open “vrtual windows” on their browers.

    Could you help me pls?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

x

Check Also

Create a custom SUU to update Dell firmware

Dell provides a smart utility to update firmware and drivers in their servers. This utility ...

Next gen Microsoft management tool: Honolulu

Since the beginning of the year, Microsoft is working on a new management tool based ...

Windows Server 2016 servicing model

Recently Microsoft announced that the official launch for Windows Server 2016 should be at the ...