Requirements

To make this lab, I have deployed four virtual machines which are running Windows Server 2019:

• RDS-APP-01: RD Host Server that hosts the RemoteApp collection
• RDS-DKP-01: RD Host Server that hosts the Remote Desktop collection
• RDS-BRK-01: Hosts RD Broker and RD Licensing
• RDS-WEB-01: Hosts RD Web Access and RD Gateway

Then I have a public certificate for RD Web Access and RD Gateway role:

I have also a private certificate for RD Broker publishing and RD Broker connection. To create this certificate, I duplicated the Workstation Authentication ADCS template as described in this topic.

I have register both certificates in PFX (with private key) and in cer (just the public certificate).

Finally, I have two DNS zone:

• SeromIT.local: Active Directory forest zone
• SeromIT.com: splitted zone: hosted by local domain controllers and by public provider. I use this zone to connect from Internet. In this zone I have created two registrations:
  • Apps.SeromIT.com: leading to RDS-WEB-01 (CNAME)
  • RDS-GW.SeromIT.com: leading to RDS-BRK-01 (CNAME) for the gateway

RDS farm deployment

To deploy the RDS farm, I use only PowerShell. In this way I can reproduce the deployment for other customers. First of all, I run a Remote Desktop deployment to configure a RD Web Access, a RD Broker and a RD Host Server:

New-RDSessionDeployment -ConnectionBroker RDS-BRK-01.SeromIT.local `
                        -SessionHost RDS-DKP-01.SeromIT.local `
                        -WebAccessServer RDS-WEB-01.SeromIT.local

Then I run a PowerShell cmdlet to add another RD Host Server, a RD Licensing and a RD Gateway role.

Add-RDServer -Server RDS-APP-01.SeromIT.local `
             -Role RDS-RD-SERVER `
             -ConnectionBroker RDS-BRK-01.SeromIT.local

Add-RDServer -Server RDS-BRK-01.SeromIT.local `
             -Role RDS-Licensing `
             -ConnectionBroker RDS-BRK-01.SeromIT.local

Add-RDServer -Server RDS-WEB-01.SeromIT.local `
             -Role RDS-Gateway `
             -ConnectionBroker RDS-BRK-01.SeromIT.local `
             -GatewayExternalFqdn RDS-GW.SeromIT.com

Once these commands are run, the role deployment is finished:

Now we can configure the certificates.

Certificate configuration

To configure each certificate, I use again PowerShell. Remember, I have store both certificates in PFX in C:\temp\RDS of my broker server.

$Password = Read-Host -AsSecureString
$Password = Read-Host -AsSecureString
Set-RDCertificate -Role RDGateway `
                  -ImportPath C:\temp\RDS\wildcard_SeromIT_com.pfx `
                  -Password $Password `
                  -ConnectionBroker RDS-BRK-01.SeromIT.local `
                  -Force

Set-RDCertificate -Role RDWebAccess `
                  -ImportPath C:\temp\RDS\wildcard_SeromIT_com.pfx `
                  -Password $Password `
                  -ConnectionBroker RDS-BRK-01.SeromIT.local `
                  -Force

Set-RDCertificate -Role RDPublishing `
                  -ImportPath C:\temp\RDS\Broker.pfx `
                  -Password $Password `
                  -ConnectionBroker RDS-BRK-01.SeromIT.local `
                  -Force

Set-RDCertificate -Role RDRedirector `
                  -ImportPath C:\temp\RDS\Broker.pfx `
                  -Password $Password `
                  -ConnectionBroker RDS-BRK-01.SeromIT.local `
                  -Force

Once these commands are executed, the certificate are installed for each role:

Collection creation

Now I create a collection to add resources inside the RD Web Access portal:

New-RDSessionCollection -CollectionName Desktop `
                        -CollectionDescription "Desktop Publication" `
                        -SessionHost RDS-DKP-01.SeromIT.local `
                        -ConnectionBroker RDS-BRK-01.SeromIT.local

Then from Server Manager, you can configure settings of this collection:

Enable HTML 5 Remote Desktop client

In this lab, I don’t want to use the legacy portal. I’d like to use the super cool new HTML5 RD client. To enable this client, I connect to the server hosting RD Web Access role and I run the following cmdlet:

Install-Module -Name PowerShellGet -Force -Confirm:$False

After, close and open again a PowerShell window. Then execute this command:

Install-Module -Name RDWebClientManagement -Confirm:$False

Then copy the RD Broker certificate in cer format into the RD Web Access server and run the following cmdlets:

Import-RDWebClientBrokerCert c:\temp\broker.cer

Install-RDWebClientPackage
Publish-RDWebClientPackage -Type Production -Latest

Now you can connect to the RD Web client by using the following URL: https:///RDWeb/WebClient/Index.html. In my example, I connect to https://apps.SeromIT.com/RDWeb/WebClient/Index.html.

Conclusion

I like the RD Web client for several reasons. First, you can connect to a RDS session from a HTML5 ready web browser. You don’t need anymore a compatible RD client and you can connect from several devices such as Mac, a Linux device or maybe a tablet or smartphone. Secondly, the HTML5 client doesn’t require settings for SSO like we did with the legacy portal. The deployment is easier as before. And finally I found this client more user friendly than the legacy portal. The only thing missing is the ability to enable the HTML5 client by a single click or PowerShell cmdlet, or to enable it by default.

The post Deploy a Windows Server 2019 RDS farm with HTML5 client appeared first on Tech-Coffee.

• Deploy a Windows Server 2016 RDS Farm in Microsoft Azure
• Create Microsoft Azure networks, storage and Windows image
• Deploy the Microsoft Azure Virtual Machines
• Configure Domain Controllers
• Deploy the RDS farm
• Configure File Servers for User Profile Disk (UPD)
• RDS final configuration
  

Certificates

Before creating the collection, we can configure the certificates for RD Web Access, RD Gateway and the brokers. You can request a public certificate for this or you can use your own PKI. If you not use your own PKI, you have to distribute the certificate authority certificates to all clients. You have also to provide the CRL/OCSP responder. If you use a public certificate, there is almost no client side configuration. You can get more information about required certificates here.

Once you have your certificate(s), you can open the properties of the RDS Farm from the server manager. Then navigate to certificates. In this interface, you can add the certificate(s) for each role.

On client side, you should add a setting by GPO or with local policy editor. Get the RD Connection Broker – Publishing thumbprint and copy it. Then edit this setting (Specify SH1 thumbprint of certificates representing trusted .rdp publishers) and add the certificate thumbprint without spaces. This setting enable to remove a pop-up for the clients.

Create and configure the collection

To create the collection, I use the following PowerShell cmdlet:

New-RDSessionCollection –CollectionName RemoteApps `
                        –SessionHost azrdh0.homecloud.net, azrdh1.homecloud.net `
                        –CollectionDescription "Remote application collection" `
                        –ConnectionBroker azrdb0.homecloud.net

Once you have created the collection, the RDS farm should indicates a new collection:

Now we can configure the User Profile Disks location:

Set-RDSessionCollectionConfiguration -CollectionName RemoteApps `
                                     -ConnectionBroker azrdb0.homecloud.net `
                                     -EnableUserProfileDisk `
                                     -MaxUserProfileDiskSizeGB 10 `
                                     -DiskPath \\SOFS\UPD$

If you edit the properties of the collection, you should have this User Profile Disk configuration:

In the \\sofs\upd$ folder, you can check if you have new VHDX files as bellow:

From the Server Manager, you can configure the collection properties as below:

Add applications to the collection

The collection that we have created is used to publish applications. So, you can install each application you need in all RD Host servers. Once the applications are installed you can publish them. Open the collection properties and click on add applications in RemoteApp Programs part.

Then select applications you want to publish. If the application you want to publish is not available in the list, you can click on add.

Then the wizard confirms you the application that will be published.

Test

Now that applications are published, you can browse to the RD Web Access portal. In my configuration, I have added a DNS record which is bound to the Azure Load Balancer public IP. Specify your credential and click on Sign In.

Click on the application of your choice.

I have chosen the calculator. As you can see in the task manager, the calculator is run through a Remote Desktop Connection. Great, it is working.

Conclusion

This series of topics about Remote Desktop Services shown you how to deploy the farm in Azure. We saw that Windows Server 2016 brings a lot of new features that ease the deployment in Azure. However, you can also deploy the RDS Farm On-Prem if you wish.

The post RDS 2016 farm: RDS Final configuration appeared first on Tech-Coffee.

• Deploy a Windows Server 2016 RDS Farm in Microsoft Azure
• Create Microsoft Azure networks, storage and Windows image
• Deploy the Microsoft Azure Virtual Machines
• Configure Domain Controllers
• Deploy the RDS farm
  
• Configure File Servers for User Profile Disk (UPD)
• RDS final configuration

Deploy the Azure SQL database

In the previous topics, we have not deployed the Azure SQL database. In this part, I will deploy this component. In Microsoft Azure, open marketplace and look for SQL Database. Create a blank database and create a new SQL Server. I have called the SQL server sql-rds and the database DBA-Broker.

Deploy RDS 2016 Farm

Once all your VM has joined the Active Directory, you can create a new Remote Desktop deployment based on session. The first broker server is AZRDB0, the first RD host server is AZRAH0 and the first RD access server is AZRDA0. From AZRDB0, I run the following cmdlet:

New-RDSessionDeployment -ConnectionBroker AZRDB0.homecloud.net `
                        -SessionHost AZRAH0.homecloud.net `
                        -WebAccessServer AZRDA0.homecloud.net

Next, in the Server Manager of AZRDB0, add all servers of the RDS farm.

Then, I add additional server to the RDS Farm. First, I add two license servers. Each server will have some licenses, so even if a server is down, a license server is available.

Add-RDServer -ConnectionBroker AZRDB0.homecloud.net -Server AZRDB0.homecloud.net -Role RDS-LICENSING
Add-RDServer -ConnectionBroker AZRDB0.homecloud.net -Server AZRDB1.homecloud.net -Role RDS-LICENSING

Then I add an additional RD host server:

Add-RDServer -ConnectionBroker AZRDB0.homecloud.net -Server AZRAH1.homecloud.net -Role RDS-RD-SERVER

And I add an additional RD Web Access server:

Add-RDServer -ConnectionBroker AZRDB0.homecloud.net -Server AZRDA1.homecloud.net -Role RDS-WEB-ACCESS

In Server Manager, if you browse the Remote Desktop Deployment, you should have the following diagram.

Configure the RD Broker in High Availability

Before configuring the RD Broker in High Availability mode, go back to the Azure Portal and open the SQL database settings. Click on the link connection strings.

Then create two DNS records where each DNS record is associated to one RD broker.

N.B: you can use an Azure Load Balancer instead of DNS round-robin for the RD Broker. For more information, you can read this topic.

Then install the SQL Native Client on each RD Broker server. Next run the following cmdlet. Replace in the Connection String the SQL server and database name.

Set-RDConnectionBrokerHighAvailability -ConnectionBroker 'azrdb0.homecloud.net' `
                                       -DatabaseConnectionString 'Driver={SQL Server Native Client 11.0};Server=tcp:sql-rds.database.windows.net,1433;Database=DBA-Broker;Uid=master@sql-rds;Pwd={DATABASE PASSWORD};Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;' `
                                       -ClientAccessName 'broker.homecloud.net'

To finish, run the following cmdlet to add an additional RD Broker server:

Add-RDServer -ConnectionBroker AZRDB0.homecloud.net -Server AZRDB1.homecloud.net -Role RDS-CONNECTION-BROKER

If you come back to the deployment overview In Server Manager, the RD Connection Broker should be marked as a High Availability Mode.

Configure RD Gateway

To add RD Gateways, click on the + symbol in the deployment overview. Then select both RD Gateway servers and add them to selected box.

Provide an SSL certificate name which should be the FQDN of the RD Gateway servers.

Then click on add to start the RD Gateway deployment.

Now the deployment overview should look like that :

In each RD Gateway server, open the RD Gateway console and edit the server properties. Then navigate to Transport Settings and disable UDP.

In Server Farm tab, add both servers and click on Apply.

Repeat these steps for each RD Gateway server.

Deploy the Load Balancer

A Load Balancer is required for the RD Web Access and the RD Gateways. You can use also an Azure Load Balancer for the RD Broker. But in this example I deploy an Azure Load Balancer for RD Web Access and Gateway. Open the marketplace and specify load balancer in the search box.

Provide a name to the Load Balancer and select public. Select the Public IP address previously created from the JSON template.

Once the Azure Load Balancer is created, open the Backend Pools settings. Then click on Add.

Specify a name for the backend pool and select associated to Availability Set. Select the RD Access availability set and add both virtual machines.

Next add a Health probe based on TCP 443 (HTTP / 443 is currently not supported).

Add also a load balancing rule based on TCP. Specify the public TCP port and the backend port. Then select the health probe.

Now you can try the public IP (https://<IP>/rdweb). You should get the Remote Web Access authentication page.

What is missing?

For the moment, no certificate has been deployed. So, you should have some security alerts in the web browser and the RD Gateway still not working. We will configure these certificates in another topic.

Next topic

In the next topic, I’ll deploy a SOFS cluster based on Storage Spaces Direct to store User Profile Disk.

The post RDS 2016 Farm: Deploy RDS 2016 farm in Azure appeared first on Tech-Coffee.