WinConnections Spring, 2011 - How to Securely Connect Remote Desktop Services to the Internet with the RD Gateway: How to Create your Own Cloud Applications
“The Cloud” is everywhere, but did you know that creating your own everywhere accessible cloud applications isn’t difficult. All you need are some certificates and Microsoft’s Remote Desktop Services. Greg Shields is a Microsoft MVP in RDS, and he’s got the step-by-step solution for cloud-enabling your applications. Join him in this session to learn exactly how you’ll securely extend your applications to everywhere with an Internet connection. Your boss and your users will love you for it.

  • Transcript

    • 1. Securely Extending RDS to the Internet How to Internet-Enable your Applications Greg Shields, MVP Senior Partner and Principal Technologist www.ConcentratedTech.com
    • 2. RDS: Not Just About Desktops Any More!
    • 3. The Many Jobs of the RDS Administrator
      • Server Administrator
      • Workstation Administrator
        • Systems Babysitter…
      • Application Administrator
        • Installing, managing, maintaining, patching…
      • Security & Lockdown Administrator
        • Protect users from themselves and others…
      • Workflow Administrator (NEW!)
        • Getting users to their applications…
    • 4. 5 Ways to Deploy RemoteApps
      • RDP File Distribution
        • Create an RDP file and store it in a file server or distribute it to users. Users double-click to launch app.
      • RD Web Access
        • Users double-click applications on web sites to launch.
      • Local Desktop Installation
        • RemoteApps are wrapped into MSI files, which are “installed” onto desktops.
      • Local Desktop Installation with Client Extension Re-association
        • Same as above, but local client file extensions are modified to enable document invocation.
      • RemoteApp and Desktop Connection
        • Windows 7 RADC regularly synchronizes data from server to populate desktop & Start Menu with configured apps.
    • 5. #1 - RDP File Distribution
      • In Server 2003, the only “true” native way to distribute connections to Remote Desktops.
        • Can also manually host RDP files on a web page.
      • Superseded in 2008 by newer technologies, but remains useful for…
        • Users who want user-based customizability for RDP connections.
        • Users who need portability for application connections, such as those who roam between networks.
        • Users who share/customize connections.
      • IMPORTANT: Currently the only way to deploy RemoteApp for Hyper-V applications!
    • 6. #2 - RD Web Access
      • Enabling an app in RDWA requires two clicks.
        • Provisioning and deprovisioning apps is ridiculously fast/easy.
        • Useful for users who run a few applications that do not need to integrate with each other.
        • Very useful for applications that rapidly change, change versions, or require offline maintenance.
      • Zero additional effort at the individual desktop.
    • 7. #2 - RD Web Access
      • R2 supports the “hiding” of apps.
        • Use perms and “User Assignment” to restrict app access.
      • Limited to a single server out-of-the-box in 2008.
        • RD Session Broker creates RDS farm of similarly-configured servers.
        • SharePoint web part integration can group dissimilar servers. Non-trivial.
      • R2 adds the ability to consolidate multiple RDSHs.
      • Does not support document invocation or local desktop integration.
    • 8. #2 - RD Web Access
      • Enabling or disabling access requires only a few mouse clicks in Server Manager.
    • 9. #3 - Local Desktop Installation
      • Wrapping RDP files into MSI files enables local desktop installation.
        • RemoteApps launched from local Start Menu or desktop shortcut.
        • Enhances RemoteApp “seamlessness”.
      • MSI files must be installed onto each desktop.
        • Active Directory Software Installation through Group Policy
        • A systems management solution (SCCM)
        • Shoe leather.
      • Removing applications once installed is complex with any mechanism.
        • Non-trivial to change once implemented.
    • 10. #3 - Local Desktop Installation
    • 11. #4 - Client Extension Re-Association
      • Client extension re-association is an optional part of local desktop installation.
        • Modifies client extensions (.DOCX, .XLSX, etc.) to enable document invocation.
        • Users maintain existing local desktop workflow by double-clicking documents.
        • Highest degree of “seamlessness” possible with RDS and non-W7.
      • Document Invocation!
    • 12. #4 - Client Extension Re-association
      • “Associate client extensions for this program with the RemoteApp program”
    • 13. #4 - Client Extension Re-association
      • Extensions re-associate with “Remote Desktop Connection”
    • 14. #5 – RemoteApp & Desktop Connection
      • If you have Windows 7 / 08R2, then you have RADC. No other OSs currently support RADC.
      • RADC works much like the Citrix XenApp plug-in.
        • Plug-in regularly checks server to download XML file.
        • XML file contains connection information about configured RemoteApps and desktops
        • By default, client checks once per hour, so propagation can take time.
    • 15. Securing the User’s Connection
    • 16. What You’ll Need
      • Enabling Internet-grade security for RDS sessions requires a few extra components:
        • RD Gateway Server
        • SSL Server certificate from Public CA
        • A firewall
        • Some holes in the firewall
    • 17. What You’ll Need
    • 18. What You’ll Need
      • Wait a minute! Anyone see problems here?
    • 19. LIVE DRAW: RDG Architectures
    • 20.–23. Four RDG Architectures
      • Option #1: No DMZ. RDG in the LAN.
      • Option #2: RDG in the DMZ. No internal AD exposure for RDG.
      • Option #3: RDG in the DMZ. Internal AD is exposed to RDG.
        • Option #3a: Use an internal DC. Open lots of ports from the DMZ into the LAN.
        • Option #3b: RODC in the DMZ. Still opens lots of ports, since the RODC must replicate from a writable DC inside.
        • Option #3c: Forest trust to a separate DC in the DMZ.
      • Option #4: ISA (later Forefront TMG) in the DMZ. RDG in the LAN.
        • Option #4 is Microsoft’s (and the industry’s) recommended practice.
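Option #3a above says “open lots of ports” without listing them. The script below is an added example, not part of the presentation: it enumerates the TCP ports an RD Gateway in the DMZ must reach on an internal domain controller (Option #3a) and on an RD Session Host, and probes each one from the RDG host. The host names are placeholders; the port list is Microsoft’s standard AD and RDS port list, and the RPC dynamic range (49152–65535 on Server 2008 and later) is noted rather than probed port by port. It uses .NET’s TcpClient so it runs on Windows Server 2008 R2 / PowerShell 2.0, which has no Test-NetConnection.

```powershell
# Added example (not from the presentation): probe the ports an RDG in the DMZ
# needs towards an internal DC (Option #3a) and an RD Session Host.
$dc   = 'dc01.corp.example.com'     # assumption: internal writable DC
$rdsh = 'rdsh01.corp.example.com'   # assumption: RD Session Host behind the RDG

# Standard AD/RDS port requirements. 135 is only the RPC endpoint mapper; the
# dynamic RPC range must be opened as well but cannot sensibly be probed here.
$checks = @(
    @{ Host = $dc;   Port = 53;   Purpose = 'DNS' },
    @{ Host = $dc;   Port = 88;   Purpose = 'Kerberos' },
    @{ Host = $dc;   Port = 135;  Purpose = 'RPC endpoint mapper (plus dynamic range 49152-65535)' },
    @{ Host = $dc;   Port = 389;  Purpose = 'LDAP' },
    @{ Host = $dc;   Port = 636;  Purpose = 'LDAP over SSL' },
    @{ Host = $dc;   Port = 445;  Purpose = 'SMB (Group Policy / SYSVOL)' },
    @{ Host = $dc;   Port = 464;  Purpose = 'Kerberos password change' },
    @{ Host = $dc;   Port = 3268; Purpose = 'Global Catalog' },
    @{ Host = $rdsh; Port = 3389; Purpose = 'RDP from the RDG to the RD Session Host' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # TcpClient with an async connect so a dropped packet times out instead of hanging.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered / no answer
        $client.EndConnect($async)   # throws if the port is closed (RST) or the name does not resolve
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Host    = $c.Host
        Port    = $c.Port
        Purpose = $c.Purpose
        Open    = Test-TcpPort -ComputerName $c.Host -Port $c.Port
    }
}
$results | Sort-Object Host, Port | Format-Table Host, Port, Open, Purpose -AutoSize

# Every closed line is either a firewall rule still to be written (Option #3a)
# or an argument for Option #2 / #4, which need far fewer holes.
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) { Write-Warning ("{0} required port(s) unreachable from this host" -f $closed.Count) }
```

Run it on the RDG itself, not on a management workstation, since the firewall path that matters is the one from the DMZ segment. A port that answers here but is closed from the Internet side is expected: only 443 should be reachable on the RDG from outside.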
    • 24. The Vast Power of SSL Reverse Proxying!
      • An SSL reverse proxy is a device that bridges external SSL connections to the inside.
        • Inbound SSL connections are terminated at the proxy, which decrypts them.
        • Inspects the decrypted traffic for malicious content.
        • (Optionally) Re-encrypts it into a new SSL connection and forwards the traffic inside.
      • HTTPS – HTTPS or HTTPS – HTTP
        • HTTPS – HTTPS is better for internal security: the leg from proxy to RDG stays encrypted.
        • HTTPS – HTTP is better for performance, but the leg from proxy to RDG then runs in the clear on the internal network.
    • 25. Installing the RDG
      • Four questions are asked during installation.
        • Server authentication certificate. If you’ve correctly installed your certificate to the local computer’s Personal Store, you will see it listed in the box.
        • RD Gateway User Groups. Groups that are allowed to connect to internal resources through this RDG server.
        • RD CAP. Identifies which users may connect and how they authenticate to the RD Gateway server: password or smart card.
        • RD RAP. Identifies the internal computers that can be accessed by users who enter through the RDG.
    • 26. SSL Certificates
      • Server certificate attributes
        • Must be a computer certificate
        • Extended key usage must include Server Authentication (OID 1.3.6.1.5.5.7.3.1)
        • Subject Name (or a Subject Alternative Name) must exactly match the RDG’s external FQDN, and must also match the internal FQDN if the RDG is used internally.
        • Must be installed to the local computer’s Personal Store and not the current user’s Personal Store
    • 27. SSL Certificates
      • Although it is possible to create free certificates through 2008 Certificate Services, save yourself headache and heartache and BUY ONE.
        • $20/year at GoDaddy, automatically trusted by clients, and useful for multiple steps in this process
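The four certificate attributes above are the usual reason an RDG install “doesn’t see” the certificate or Internet clients get a name mismatch. The following script is an added example, not part of the presentation: it walks Cert:\LocalMachine\My and reports, for each certificate, whether it has a private key, carries the Server Authentication EKU, covers the external and internal FQDNs (subject CN or SAN, wildcards allowed), is unexpired, and chains to a root this machine trusts. The two FQDNs are placeholders.

```powershell
# Added example (not from the presentation): check candidate RDG certificates
# against the requirements on slides 26-27.
$externalFqdn  = 'rdg.example.com'          # assumption: name Internet clients connect to
$internalFqdn  = 'rdg01.corp.example.com'   # assumption: name LAN clients use, if any
$serverAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject CN plus every DNS entry in the Subject Alternative Name extension.
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) renders one "DNS Name=host" entry per line on Windows.
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^DNS Name=(.+)$') { $names += $matches[1].Trim() }
        }
    }
    $names | Select-Object -Unique
}

function Test-NameMatch {
    param([string[]]$Names, [string]$Fqdn)
    foreach ($n in $Names) {
        if ($n -eq $Fqdn) { return $true }
        # A wildcard covers exactly one label: *.example.com matches rdg.example.com only.
        if ($n.StartsWith('*.') -and $Fqdn -match ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { return $true }
    }
    return $false
}

function Test-RdgCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string[]]$RequiredFqdns)
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key (PFX not imported, only the .cer?)' }

    # .NET types the EKU extension as X509EnhancedKeyUsageExtension, so EnhancedKeyUsages is available.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $false
    if ($eku) { $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }) }
    if (-not $hasServerAuth) { $problems += 'EKU lacks Server Authentication' }

    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }

    $names = @(Get-CertDnsNames $Cert)
    foreach ($f in $RequiredFqdns) {
        if (-not (Test-NameMatch $names $f)) { $problems += "does not cover $f" }
    }

    # A private-CA certificate fails here unless its root is trusted, which is
    # exactly what an Internet client without that root will see. Revocation
    # checking is skipped so the test also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) { $problems += 'chain does not build to a trusted root' }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Names      = ($names -join ', ')
        OK         = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Only the local computer's Personal store counts; the RDG service never reads Cert:\CurrentUser\My.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-RdgCertificate -Cert $_ -RequiredFqdns $externalFqdn, $internalFqdn } |
    Format-List Thumbprint, Subject, Names, OK, Problems
```

A certificate that reports OK here is the one to pick in the RDG installation wizard, and its thumbprint is also what you will hand to rdpsign later when signing RemoteApp files.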
    • 28. SSL Certificates
    • 29. RD CAPs and RAPs
      • RD CAP: the “Who” (which users may connect, and how they authenticate)
      • RD RAP: the “What” (which internal computers they may reach)
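Slides 25 and 29 describe the CAP and RAP as wizard pages. The script below is an added example, not part of the presentation: it creates the same “who” and “what” from the Windows Server 2008 R2 RemoteDesktopServices PowerShell provider (the RDS: drive), so the policy is reviewable and repeatable, and then dumps every RAP for audit. Group names, host names and the port are lab placeholders. The New-Item parameter names are those of the RDS:\GatewayServer provider as recalled, not verified against a running box; confirm them with Get-Help New-Item -Path RDS:\GatewayServer\CAP before relying on them.

```powershell
# Added example (not from the presentation): RD CAP ("who") and RD RAP ("what")
# via the RemoteDesktopServices provider instead of the installation wizard.
# ASSUMPTION: parameter names of the RDS:\GatewayServer provider as recalled;
# check with: Get-Help New-Item -Path RDS:\GatewayServer\CAP -Full
Import-Module RemoteDesktopServices

$userGroup = 'RDG-Users@corp.example.com'                              # assumption: dedicated AD group, group@domain form
$hosts     = 'rdsh01.corp.example.com', 'rdsh02.corp.example.com'       # assumption: the RD Session Hosts to publish

# RD CAP - who may connect and how they authenticate to the RDG.
# AuthMethod (assumption): 1 = password, 2 = smart card, 3 = either.
New-Item -Path RDS:\GatewayServer\CAP -Name 'CAP-RemoteApp-Users' `
    -UserGroups $userGroup -AuthMethod 1

# RD RAP - what those users may reach. Bind it to an RDG-managed computer
# group of the published RDSHs instead of "any network resource"; otherwise
# one phished password turns the RDG into an RDP proxy into the whole LAN.
New-Item -Path RDS:\GatewayServer\GatewayManagedComputerGroups -Name 'RemoteAppHosts' `
    -Computers $hosts -Description 'RD Session Hosts published through the RDG'

# ComputerGroupType (assumption): 0 = RDG-managed group, 1 = AD group, 2 = any resource.
New-Item -Path RDS:\GatewayServer\RAP -Name 'RAP-RemoteApp-Hosts' `
    -UserGroups $userGroup -ComputerGroupType 0 -ComputerGroup 'RemoteAppHosts' `
    -PortNumbers 3389

# Audit: the provider exposes each policy setting as a child item with a
# CurrentValue. A RAP with ComputerGroupType 2 or PortNumbers '*' is the one to question.
foreach ($rap in Get-ChildItem RDS:\GatewayServer\RAP) {
    "--- RAP: $($rap.Name)"
    Get-ChildItem $rap.PSPath | Format-Table Name, CurrentValue -AutoSize
}
```

The design point is the RAP: the CAP decides who gets in, but the RAP decides how far a compromised account can travel once it is through the gateway, so it should name the published hosts and nothing else.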
    • 30. Concerned about RDG Performance?
      • Don’t be.
      • Microsoft asserts that a single RDG server can support up to 1200 concurrent connections.
        • Dual-processor server with 4GB of RAM.
        • Virtualizing RDG is suggested.
        • Important Note: Windows Server Standard Edition has a hard limit of 250 concurrent RD Gateway connections.
        • Enterprise and Datacenter Editions have no connection limit.
    • 31. DEMO: RDG Settings & Configuration
    • 32. Exposing the RemoteApp
      • Once the RDG is installed, this creates the pathway by which RemoteApps can flow.
      • The next step is to create the RemoteApp.
        • Install an application.
        • Expose the application using RemoteApp Manager
        • Enable RDG settings within the RemoteApp
        • Distribute the RemoteApp through one or more mechanisms
    • 33. Special RDG Settings
      • Two settings on this screen need special attention:
        • “Use the same user credentials for RD Gateway server and RD Session Host server” enables single sign-on between RDG and RDSH.
        • “Bypass RD Gateway server for local addresses” enables direct RDSH access for LAN clients.
    • 34. Too Many Error Messages!
      • At this point, your clients can invoke the RDP file to connect either locally or via the Internet.
      • However, an RDP file can carry settings such as drive and clipboard redirection, so when the client cannot tell who published the file it warns the user before connecting.
      • This confuses users.
      • Creates pain for us admins.
    • 35. Eliminate Error Messages!
      • Eliminate one of the two error messages by digitally signing your RDP file.
      • Possible to use the same server certificate as installed on the RDG.
      • Install the certificate to the RDSH’s local computer Personal Store and select it under Digital Signature Settings in RemoteApp Manager.
      • You’ll know if you screwed this part up.
    • 36. Error Messages to Questions
      • Signing the file lets the client verify who published it and that it has not been altered.
        • Prevents the RDP file from being tampered with.
        • A signed RDP file cannot be modified in any way without breaking the signature.
      • However, it doesn’t entirely eliminate the error message.
        • Instead, the user sees: “Do you trust the publisher of this RemoteApp program?”
        • The user can click Yes, and can also click “Don’t ask me again”.
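Slides 32 through 36 are one procedure: publish the app, carry the two RDG settings in the RDP file, distribute it, and sign it. The script below is an added example, not part of the presentation: it writes a RemoteApp .rdp file by hand with the gateway settings that RemoteApp Manager would generate, then signs and verifies it with rdpsign.exe (shipped with Windows 7 / Server 2008 R2). Host names, the application alias and the certificate thumbprint are placeholders; the thumbprint must belong to a certificate with a private key in the local computer’s Personal Store on the machine running rdpsign.

```powershell
# Added example (not from the presentation): hand-build a RemoteApp RDP file with
# RD Gateway settings, then sign it so clients get the publisher question instead
# of the unsigned-file warning.
$rdsh     = 'rdsh01.corp.example.com'   # assumption: RD Session Host holding the app
$rdg      = 'rdg.example.com'           # assumption: RDG external FQDN (matches its certificate)
$appAlias = 'winword'                   # assumption: RemoteApp alias as shown in RemoteApp Manager
$appName  = 'Microsoft Word'
$thumb    = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumption: SHA1 thumbprint of the signing cert
$outFile  = Join-Path $env:TEMP "${appAlias}.rdp"

# RDP file syntax is key:type:value, where s = string and i = integer.
$settings = @(
    "full address:s:$rdsh"
    "remoteapplicationmode:i:1"               # RemoteApp, not a full desktop
    "remoteapplicationprogram:s:||$appAlias"
    "remoteapplicationname:s:$appName"
    "alternate shell:s:rdpinit.exe"
    "disableremoteappcapscheck:i:1"
    "gatewayhostname:s:$rdg"
    "gatewayprofileusagemethod:i:1"           # use the gateway settings in this file, not the client default
    "gatewayusagemethod:i:2"                  # 2 = bypass RDG for local addresses; 1 = always go through the RDG
    "gatewaycredentialssource:i:0"            # 0 = password (NTLM) at the RDG; 1 = smart card
    "promptcredentialonce:i:1"                # same credentials for RDG and RDSH = single sign-on
    "authentication level:i:2"                # warn if the RDSH cannot be authenticated
    "prompt for credentials:i:0"
    "redirectclipboard:i:1"
    "redirectdrives:i:0"                      # no local drive redirection for Internet clients
)
# mstsc writes its own files as UTF-16LE; it also accepts ANSI.
$settings -join "`r`n" | Set-Content -Path $outFile -Encoding Unicode

# rdpsign appends signscope: and signature: lines covering the settings above.
# Editing any signed setting afterwards invalidates the signature and the client warns again.
& rdpsign.exe /sha1 $thumb $outFile
& rdpsign.exe /sha1 $thumb /v $outFile    # verify the signature just written

# Show the gateway and signature lines that ended up in the file.
Get-Content $outFile | Select-String -Pattern '^(gateway|promptcredentialonce|signscope|signature)'
```

The generated file can then go out by any of the five distribution mechanisms from slide 4. Whichever you choose, the client still asks “Do you trust the publisher?” once, naming the certificate subject; a file that has been altered in transit, or one signed with a certificate the client does not trust, falls back to the unsigned warning, which is the tamper check doing its job.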