10215 A 14

  • Module 14: Extending Remote Desktop Services Outside the Organization, Course 10215A
    Presentation: 60 minutes. Lab: 60 minutes.
    This module helps students extend Remote Desktop Services outside the organization. After completing this module, students will be able to:
      • Configure the Remote Desktop Gateway
      • Configure Remote Desktop Web Access
    Required materials: To teach this module, you need the Microsoft Office PowerPoint® file 10215A_14.ppt.
    Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.
    Preparation tasks: To prepare for this module:
      • Read all of the materials for this module.
      • Practice performing the demonstrations and the lab exercises.
      • Work through the Module Review and Takeaways section and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
      • Make sure that students are aware that there are additional online resources for the module on the Course CD.
  • Briefly present the module content. Since RDS is new with Windows Server 2008 R2, ask the students if they have had any experience with previous versions of Terminal Services.
  • Introduce the lesson content. Emphasize that this is an overview of Remote Desktop Services.
  • Explain the RDP/HTTPS flow when an external user connects to RDS through RD Gateway. Explain how and why RDP traffic is encapsulated in HTTPS, and the prerequisites for encapsulation, such as installing a digital certificate on the RD Gateway and defining RD CAP and RD RAP policies. Review the benefits of RD Gateway. Students should be able to explain that RDP traffic (port 3389) is usually blocked on the firewall; using RD Gateway, you can use HTTPS (port 443), which is allowed through a firewall. Point out that RDP traffic is encapsulated in HTTPS only between the client and RD Gateway; from RD Gateway to the RDS host, the traffic is transmitted as plain RDP. Mention that the RD Gateway role service is installed on a server in the DMZ.
    Question: Does RD Gateway provide full end-to-end protection of RDP traffic?
    Answer: No. RD Gateway protects RDP traffic between the RD client and RD Gateway. From RD Gateway to the RDS host, the traffic is transmitted through RDP, so RD Gateway does not provide additional protection there. You should be aware that RDP uses encryption, and that the path from RD Gateway to the RDS host is a local network, not a public network like the Internet.
    Course 10159A Module 6: Configuring Remote Desktop Services and Virtual Desktop Infrastructure in Windows Server 2008 R2
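The client side of the flow described above, as an added example that is not part of the course materials: a PowerShell script that writes an .rdp file forcing the connection through RD Gateway, and a check, run from outside the corporate network, that only TCP 443 on the gateway is reachable while TCP 3389 on the internal host is blocked. The host names are the lab's LON-SVR1 and external.contoso.com; the port test and the file name are constructed for the example. The .rdp setting names are standard Remote Desktop Connection settings.

```powershell
# Added example (not from the course materials): client-side view of RDP-over-HTTPS.
# Builds an .rdp file that always goes through RD Gateway, then verifies the expected
# exposure from an external client: gateway 443 open, session host 3389 closed.

function New-GatewayRdpFile {
    param(
        [string]$SessionHost = 'LON-SVR1.contoso.com',   # internal RD Session Host (lab name)
        [string]$Gateway     = 'external.contoso.com',   # name on the RD Gateway certificate
        [string]$Path        = "$env:USERPROFILE\Desktop\Contoso-RDS.rdp"   # constructed
    )
    # Standard .rdp settings (key:type:value). gatewayusagemethod 1 = always use the gateway,
    # 2 = bypass it for local addresses; gatewaycredentialssource 0 = password (NTLM),
    # 1 = smart card; gatewayprofileusagemethod 1 = use these explicit gateway settings.
    $lines = @(
        "full address:s:$SessionHost",
        "gatewayhostname:s:$Gateway",
        "gatewayusagemethod:i:1",
        "gatewaycredentialssource:i:0",
        "gatewayprofileusagemethod:i:1",
        "authentication level:i:2",     # warn when the server certificate cannot be verified
        "prompt for credentials:i:1"
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain .NET socket test; works on Windows Server 2008 R2 / PowerShell 2.0,
    # where Test-NetConnection does not exist.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-GatewayExposure {
    param([string]$SessionHost = 'LON-SVR1.contoso.com', [string]$Gateway = 'external.contoso.com')
    # Run from the Internet side of the external firewall.
    $result = New-Object PSObject -Property @{
        GatewayHttpsReachable   = Test-TcpPort -ComputerName $Gateway -Port 443
        SessionHostRdpReachable = Test-TcpPort -ComputerName $SessionHost -Port 3389
    }
    if ($result.SessionHostRdpReachable) {
        Write-Warning "TCP 3389 on $SessionHost is reachable from this client; the external firewall should block direct RDP."
    }
    if (-not $result.GatewayHttpsReachable) {
        Write-Warning "TCP 443 on $Gateway is not reachable; remote users cannot tunnel RDP over HTTPS."
    }
    return $result
}

New-GatewayRdpFile | Out-Null
Test-GatewayExposure
```

The file can be opened with mstsc.exe to confirm that the connection is established through the gateway rather than directly; the exposure check is the quick way to confirm that the firewall rule set matches the picture on slide 4 (only the gateway's HTTPS port is published).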
  • If students are familiar with the RD Gateway role service, make the session more interactive by asking for their experience with RD Gateway.
    Question: In which situations would you use RD Gateway?
    Answer: You can use RD Gateway if you need to provide remote users with access to RDS hosts over the Internet. Local users can access RDS hosts directly, but remote users need to establish a connection to the local network. Earlier, remote users needed to first establish a VPN connection to access RDS hosts, but with RD Gateway, they can access internal RDS hosts without establishing a VPN connection.
  • Cover the requirements for RD Gateway:
    Permissions: membership in the local Administrators group
    Certificates: an SSL certificate is required
    Domain membership: the RD Gateway server must be a domain member if you require users in the RD CAP to be domain members
    IIS: the Web Server (IIS) role must be installed
  • On LON-SVR1, install the Remote Desktop Services server role by using the Server Manager console with the following information:
    Role Services: Remote Desktop Session Host, Remote Desktop Connection Broker, Remote Desktop Gateway, and Remote Desktop Web Access
    Authentication Method for Remote Desktop Session Host: Do not require Network Level Authentication
    Licensing Mode: Configure later
    Server Authentication Certificate for SSL Encryption: LON-SVR1.Contoso
    1. On the Start menu of LON-SVR1, point to Administrative Tools, and then click Server Manager.
    2. In the tree pane of the Server Manager console, click Roles.
    3. In the Role Summary area of the Roles result pane, click Add Roles.
    4. On the Before You Begin page of the Add Roles Wizard, click Next.
    5. On the Select Server Roles page, under Roles, select the Remote Desktop Services check box, and then click Next.
    6. On the Remote Desktop Services page, click Next.
    7. On the Select Role Services page, under Role services, select the Remote Desktop Session Host, Remote Desktop Connection Broker, and Remote Desktop Gateway check boxes.
    8. On the Select Role Services page, under Role services, select the Remote Desktop Web Access check box.
    9. On the Select Role Services page, click Next.
    10. On the Uninstall and Reinstall Applications for Compatibility page, click Next.
    11. On the Specify Authentication Method for Remote Desktop Session Host page, click Do not require Network Level Authentication, and then click Next.
    12. On the Specify Licensing Mode page, ensure that the Configure later option is selected, and then click Next.
    13. On the Select User Groups Allowed Access To This RD Session Host Server page, click Next.
    14. On the Configure Client Experience page, click Next.
    15. On the Start menu of LON-SVR1, click Run.
    16. In the Open box of the Run dialog box, type mmc, and then click OK.
    17. On the File menu of the Console1 - [Console Root] console, click Add/Remove Snap-in.
    18. In the Available snap-ins area of the Add or Remove Snap-ins dialog box, in the Snap-in list, click Certificates, and then click Add.
  • Continue the demonstration by requesting the RD Gateway certificate:
    1. In the Certificates snap-in wizard, click Computer account, and then click Next.
    2. In the Select Computer wizard, click Finish.
    3. In the Add or Remove Snap-ins dialog box, click OK.
    4. In the tree pane of the Console1 - [Console Root] console, expand Certificates (Local Computer), expand Personal, and then click Certificates.
    5. On the Action menu, point to All Tasks, and then click Request New Certificate.
    6. On the Before You Begin page of the Certificate Enrollment wizard, click Next.
    7. On the Select Certificate Enrollment Policy page, click Next.
    8. On the Request Certificates page, select the DirectAccess check box, and then click More information is required to enroll for this certificate. Click here to configure settings.
    9. In the Subject Name area of the Certificate Properties dialog box, in the Type box, click Common name, in the Value box, type external.contoso.com, and then click Add.
    10. In the Alternative name area, in the Type box, click DNS, in the Value box, type external.contoso.com, click Add, and then click OK.
    11. On the Request Certificates page, click Enroll.
    12. On the Certificate Installation Results page, click Finish.
    Note: Verify that the certificate for external.contoso.com is listed in the Certificates result pane.
    13. In the Console1 - [Console Root\Certificates (Local Computer)\Personal\Certificates] console, click the Close button.
    14. In the Microsoft Management Console message box, click No.
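The same role-service installation and certificate request, scripted, as an added example that is not part of the course materials or the demonstration. It uses the ServerManager module and certreq.exe that ship with Windows Server 2008 R2. The feature names are the 2008 R2 role-service identifiers; the certificate template name (DirectAccess) is the one the demonstration selects; the CA configuration string is a placeholder that must be replaced with the lab's enterprise CA.

```powershell
# Added example (not from the course materials): command-line equivalent of the demonstration.
# 1) Install the four role services; 2) request a server certificate whose CN and SAN are the
# public name clients will use (external.contoso.com), not the server's internal name.

Import-Module ServerManager

# Windows Server 2008 R2 role-service names for Add-WindowsFeature.
$roleServices = 'RDS-RD-Server', 'RDS-Connection-Broker', 'RDS-Gateway', 'RDS-Web-Access'
$install = Add-WindowsFeature -Name $roleServices
if ($install.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the RD Session Host is usable.'
}

# Confirm that every role service is actually installed before continuing.
Get-WindowsFeature -Name $roleServices | Select-Object Name, Installed | Format-Table -AutoSize

# Certificate request INF. A non-exportable 2048-bit key in the machine store with the
# SChannel provider is what the RD Gateway's HTTPS listener needs.
$inf = @"
[NewRequest]
Subject = "CN=external.contoso.com"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}dns=external.contoso.com"
[RequestAttributes]
CertificateTemplate = DirectAccess
"@
$inf | Set-Content -Path "$env:TEMP\rdgw.inf" -Encoding ASCII

# Create, submit and install the request. The CA config string "CA-HOST\CA-NAME" is a
# placeholder for the lab's enterprise CA (certutil -config - - lists the available CAs).
certreq -new    "$env:TEMP\rdgw.inf" "$env:TEMP\rdgw.req"
certreq -submit -config "CA-HOST\CA-NAME" "$env:TEMP\rdgw.req" "$env:TEMP\rdgw.cer"
certreq -accept "$env:TEMP\rdgw.cer"

# Same check as the Note in the demonstration: the certificate must be in the computer's
# Personal store, and it must carry a private key or the gateway cannot bind it.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*CN=external.contoso.com*' } |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint
```

When the enrollment wizard is used instead of certreq, the same two names (CN and SAN DNS entry) must be entered, because the wizard's Subject Name and Alternative name fields map to exactly these INF sections.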
  • Cover the new security features of RD Gateway in Windows Server 2008 R2. The enhancements are security related and require RDC 7.0. This connection client is included in Windows 7 and Windows Server 2008 R2, and it is available as a download for Windows Vista SP1 and Windows XP SP3. Cover the improvements in RD Gateway and why they are important. Ask for input on the new functionality and provide scenarios that can benefit from the new RD Gateway functionality.
    Question: What should you do to take advantage of the RD Gateway functionality introduced in Windows Server 2008 R2?
    Answer: You must use RDC 7.0 to take advantage of the new RD Gateway functionality.
  • Discuss the purpose and creation of:
    Connection Authorization Policies
    Resource Authorization Policies
    Discuss how RAPs can be used to control access to internal resources.
  • On LON-SVR1, create a Connection Authorization Policy (CAP) to restrict the users who can access the RD Gateway server with the following information:
    Type a name for the RD CAP: Authorized Remote Users
    User group membership: RD Users
    1. On LON-SVR1, in the tree pane of the Server Manager console, under RD Gateway Manager, expand LON-SVR1 (Local), expand Policies, and then click Connection Authorization Policies.
    2. In the Actions pane, click Create New Policy, and then click Wizard.
    3. On the Create Authorization Policies for RD Gateway page of the Create New Authorization Policies Wizard, click Next.
    4. In the Type a name for the RD CAP box of the Create an RD CAP page, type Authorized Remote Users, and then click Next.
    5. In the User group membership (required) area of the Select Requirements page, click Add Group.
    6. In the Enter the object names to select (examples) box of the Select Groups dialog box, type RD Users, and then click OK.
    7. On the Select Requirements page, click Next.
    8. On the Enable or Disable Device Redirection page, click Next.
    9. On the Set Session Timeouts page, click Next.
    10. On the RD CAP Settings Summary page, click Finish.
    11. On the Confirm Creation of Authorization Policies page, click Close.
    On LON-SVR1, create a Resource Authorization Policy to control the connection between the internal resources and the Remote Desktop Gateway with the following information:
    Type a name for the RD RAP: Authorized Target Computers
    User Groups: RD Users
    Network Resources: RD Web Computers
    1. On LON-SVR1, in the tree pane of the Server Manager console, under Policies, click Resource Authorization Policies.
    2. In the Actions pane, click Create New Policy, and then click Wizard.
    3. On the Create Authorization Policies for RD Gateway page of the Create New Authorization Policies Wizard, click Next.
    4. In the Type a name for the RD RAP box of the Create an RD RAP page, type Authorized Target Computers, and then click Next.
  • Continue creating the Resource Authorization Policy:
    5. On the Select User Groups page, click Add Group.
    6. In the Enter the object names to select (examples) box of the Select Groups dialog box, type RD Users, and then click OK.
    7. On the Select User Groups page, click Next.
    8. On the Select Network Resources page, ensure that the Select an Active Directory Domain Services network resource group option is selected, and then click Browse.
    9. In the Enter the object names to select (examples) box of the Select Group dialog box, type RD Web Computers, and then click OK.
    10. On the Select Network Resources page, click Next.
    11. On the Select Allowed TCP Ports page, click Next.
    12. On the RD RAP Settings Summary page, click Finish.
    13. On the Confirm Creation of Authorization Policies page, click Close.
    14. In the Server Manager console, click the Close button.
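The same RD CAP and RD RAP created from PowerShell, as an added example that is not part of the course materials. It uses the RemoteDesktopServices provider (the RDS: drive) that ships with Windows Server 2008 R2. The group@domain notation, the -AuthMethod values and the -ComputerGroupType values are stated from memory of the provider's documentation and should be treated as assumptions to confirm with Get-Help New-Item -Path RDS:\GatewayServer\CAP on the server; the policy and group names are the demonstration's.

```powershell
# Added example (not from the course materials): create the demonstration's CAP and RAP
# with the RDS: provider, then list what the gateway will now enforce.

Import-Module RemoteDesktopServices

$domain = 'contoso'   # NetBIOS domain of the lab; assumption

# RD CAP: who may connect to the gateway at all.
# AuthMethod (assumed values): 1 = password, 2 = smart card, 3 = either.
New-Item -Path RDS:\GatewayServer\CAP -Name 'Authorized Remote Users' `
    -UserGroups "RD Users@$domain" -AuthMethod 1 | Out-Null

# RD RAP: which internal computers those users may reach through the gateway.
# ComputerGroupType (assumed values): 0 = RD Gateway-managed group,
# 1 = AD DS network resource group, 2 = any network resource.
New-Item -Path RDS:\GatewayServer\RAP -Name 'Authorized Target Computers' `
    -UserGroups "RD Users@$domain" -ComputerGroupType 1 `
    -ComputerGroup "RD Web Computers@$domain" | Out-Null

# Review the resulting policy set. Every connection must satisfy one CAP and one RAP,
# so the lists below are the complete description of who can reach what.
"Connection Authorization Policies:"
Get-ChildItem RDS:\GatewayServer\CAP | ForEach-Object { "  " + $_.Name }

"Resource Authorization Policies:"
Get-ChildItem RDS:\GatewayServer\RAP | ForEach-Object { "  " + $_.Name }

# Each policy's settings are exposed as child items (with a CurrentValue property), e.g.:
Get-ChildItem 'RDS:\GatewayServer\RAP\Authorized Target Computers' |
    Select-Object Name, CurrentValue
```

A RAP scoped to "any network resource" (ComputerGroupType 2) would let every CAP-authorized user open RDP to any host the gateway can reach, which is why the demonstration binds the RAP to the RD Web Computers group; the listing at the end is the place to confirm that no such broad RAP exists.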
  • Introduce the lesson content. Emphasize that this is an overview of Remote Desktop Services.
  • Cover how RD Web Access can be used to give remote users access, and how a user opens a Remote Desktop Web Access session. Explain the process that takes place when a user accesses a RemoteApp program.
  • Cover the roles required and the clients that can access RD Web Access.
  • Explain how the published RemoteApp applications, to which we subscribe through a feed, are available on the Start menu. Explain that RemoteApp and Desktop Connection is available only on Windows 7 and Windows Server 2008 R2. Clients using older versions can access the same applications through RD Web Access or shortcuts, but they will not be integrated into the Start menu.
    Question: When would you use RD Web Access to access RemoteApp applications, instead of RemoteApp and Desktop Connection?
    Answer: RemoteApp and Desktop Connection requires Windows 7 as a client. If your client is running an older operating system, you cannot use RemoteApp and Desktop Connection, but you can still access the RD Web Access portal and run RemoteApps from there. The RD Connection Broker will ensure that the same RemoteApps are available through both interfaces.
  • In this lab, students will plan the implementation of Remote Desktop Services.
    Exercise 1: In this exercise, students will install the Remote Desktop Gateway.
    Exercise 2: In this exercise, students will install Remote Desktop Web Access.
    Exercise 3: In this exercise, students will configure Remote Desktop Web Access.
    Exercise 4: In this exercise, students will integrate RemoteApp and Desktop Connection with Remote Desktop Web Access.
    Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting and will help to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the last lab exercise.
    Note: The lab exercise answer keys are provided on the Course Companion CD. To access the answer key, click the link located at the bottom of the relevant lab exercise page.
  • Use the questions on the slide to guide the debriefing after students have completed the lab exercises.
    Question 1: How will Contoso benefit from deploying Remote Desktop Services?
    Answer: The period of 120 days is the grace period to install RD Licensing after installing the RDS Session Host. You probably did not install the RD Licensing role service in the testing environment, and when the grace period expired, you were no longer able to connect to the RDS Session Host server.
    Question 2: How will you restrict a user from viewing the icon for a RemoteApp program?
    Answer: The Virtual Desktop Infrastructure types are personal virtual desktops and pooled virtual desktops. When using personal virtual desktops, each user has a unique virtual machine. When using pooled virtual desktops, a user can connect to any virtual machine in the pool.
    Question 3: How will the deployment of Remote Desktop Connection Virtualization benefit Contoso Ltd?
    Answer: RemoteApp and Desktop Connection will integrate published RemoteApps and Desktop Connections with the Start menu of Windows 7 computers. When using RD Web Access, you must open the Web page and run RemoteApps from there.
  • Review Questions
    1. You installed RDS in a testing environment. After 120 days, you are no longer able to connect to the RDS server. What is the most probable reason for this?
    Answer: The period of 120 days is the grace period to install RD Licensing after installing the RDS Session Host. You probably did not install the RD Licensing role service in the testing environment, and when the grace period expired, you were no longer able to connect to the RDS Session Host server.
    2. Why must you have a certificate for the Remote Desktop Gateway server?
    Answer: The certificate is used to encrypt communications between Remote Desktop clients and RD Gateway servers over the Internet.
    3. How is the use of RemoteApp and Desktop Connection different from simply accessing RemoteApp from RD Web Access?
    Answer: RemoteApp and Desktop Connection will integrate published RemoteApps and Desktop Connections with the Start menu of Windows 7 computers. When using RD Web Access, you must open the Web page and run RemoteApps from there.
  • Remind students to complete the course evaluation.

    1. Module 14: Extending Remote Desktop Services Outside the Organization
    2. Module Overview
       • Configuring the RD Gateway
       • Configuring RD Web Access
    3. Lesson 1: Configuring the RD Gateway
       • How RD Gateway Works
       • Benefits of RD Gateway
       • Requirements for Installing and Configuring RD Gateway
       • Demonstration: Installing RD Gateway
       • Securing the RD Gateway
       • Authorization Policies with RD Gateway
       • Demonstration: Configuring Connection and Resource Authorization Policies
       • Implementing NAP Remediation with RD Gateway
       • Considerations for Implementing Certificates for RD Gateway
    4. How RD Gateway Works
       (Diagram: remote clients at a business partner/client site, a hotel and home connect over the Internet, through the external firewall, to RD Gateway. Behind the internal firewall on the corporate LAN are the Remote Desktop Services hosts, a Remote Desktop-enabled host, a Network Policy Server and Active Directory. The client tunnels RDP over HTTPS; RD Gateway strips off the HTTPS and passes the RDP traffic to RDS.)
    5. Benefits of RD Gateway
       RD Gateway provides the following benefits:
       • Enables remote users to connect to internal network resources over the Internet
       • Provides a comprehensive security configuration model
       • Provides a secure and flexible RDP connection
       • Enforces authorization policies
       • Provides tools to help you monitor the RD Gateway connection status, health, and events
       Remote users can connect to RDS-based resources on an internal network from the Internet through Remote Desktop Gateway.
    6. Requirements for Installing and Configuring RD Gateway
       To install and configure RD Gateway:
       • Log on as a local Administrator
       • Obtain an SSL server certificate to enable TLS
       • Join the computer to an AD DS domain
       • Install the Web Server (IIS) server role and the RPC over HTTP Proxy feature
       • Install or enable access to a Network Policy Server
    7. Demonstration: Installing the RD Gateway
       • In this demonstration, your instructor will show you how to install the RD Gateway
    9. Securing the RD Gateway
       • Configurable idle and session timeouts
       • Background session authentication and authorization
       • Pluggable authentication and authorization
       • System and logon messages
       • Network Access Protection (NAP) remediation
       • Device redirection enforcement
    10. Authorization Policies with RD Gateway
       Connection Authorization Policies:
       • Define which users can access the RD Gateway
       • Can include additional conditions
       Resource Authorization Policies:
       • Define which RD Session Host and RD-enabled computers can be accessed through RD Gateway
       • Require RD Gateway or AD DS computer groups
    11. Demonstration: Configuring Connection and Resource Authorization Policies
       • In this demonstration, your instructor will show you how to create Connection Authorization Policies and Resource Authorization Policies
    13. Implementing NAP Integration with RD Gateway
       To implement NAP integration with RD Gateway:
       • Install a Network Policy Server
       • Configure the RD Gateway server to enable NAP health policy checking
       • Remove all RD CAPs that do not use NAP enforcement
       • Configure the Windows Security Health Validator in NPS
       • Configure the NAP policies in NPS
       • Configure the Remote Desktop client computers to enable NAP protection
       • Test the configuration
       NAP integration with RD Gateway ensures that only NAP-compliant client computers can access the RD Gateway server.
    14. Considerations for Implementing Certificates for RD Gateway
       RD Gateway servers must be configured with an SSL certificate that is trusted by all RD client computers.
       Certificate option: Self-signed certificates
       • Installed by default on the RD Gateway server
       • Not trusted by default by client computers
       • Recommended for testing only
       Certificate option: Internal CA certificates
       • Can be issued by AD CS CAs
       • Can be automatically trusted by domain client computers
       • Recommended for organizations with only domain members connecting to RD Gateway
       Certificate option: Public CA certificates
       • Issued by trusted public CAs
       • Automatically trusted by client computers
       • Recommended for organizations with non-domain member client computers
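A check that turns slide 14's considerations into something an administrator can run on the RD Gateway before binding a certificate, as an added example that is not part of the course materials. It inspects each certificate in the computer's Personal store with the standard .NET X509 classes: name match against the external name clients use (the course's external.contoso.com), Server Authentication purpose, self-signed status, chain trust on this machine, validity window and private key. The function name is made up for this example.

```powershell
# Added example (not from the course materials): evaluate candidate RD Gateway certificates
# against the considerations on slide 14. Chain trust is evaluated on this machine only,
# so for non-domain clients a passing result still requires a public CA (see the comment below).

function Test-RdGatewayCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$ExternalName = 'external.contoso.com'   # name clients type in; course value
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $problems = @()

    # 1. Name: the CN or a SAN dNSName must equal the gateway's public name.
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $cn = $cert.GetNameInfo($dnsType, $false)
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    if ($cn -ne $ExternalName -and $sanText -notmatch [regex]::Escape($ExternalName)) {
        $problems += "name mismatch: certificate is for '$cn', clients connect to '$ExternalName'"
    }

    # 2. Purpose: Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ekuExt -or $ekuExt.Format($false) -notmatch '1\.3\.6\.1\.5\.5\.7\.3\.1') {
        $problems += 'missing Server Authentication EKU'
    }

    # 3. Self-signed (issuer equals subject): installed by default, acceptable for testing only.
    if ($cert.Subject -eq $cert.Issuer) {
        $problems += 'self-signed certificate (not trusted by client computers by default)'
    }

    # 4. Trust: build the chain here. Domain members trust AD CS roots automatically; a
    #    non-domain client trusts only public CAs, so this check is necessary, not sufficient.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build: $status"
    }

    # 5. Validity window and private key (the HTTPS listener needs the private key).
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the computer store' }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Suitable   = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Evaluate every certificate that could be bound to the gateway.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-RdGatewayCertificate -Thumbprint $_.Thumbprint } |
    Format-List Subject, Issuer, Suitable, Problems
```

The self-signed check is what separates the "testing only" row of the slide from the two CA-issued rows; the chain check separates the internal-CA row from the public-CA row only when it is run on a client that is not a domain member, which is worth doing once from a non-domain machine before opening the gateway to partners.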
    15. Lesson 2: Configuring RD Web Access
       • What Is RD Web Access?
       • Installing RD Web Access
       • Configuring RD Web Access
       • Configuring User Access to RD Web Access
       • Configuring Internet Access to RD Web Access
       • Demonstration: Configuring RD Web Access
    16. What Is RD Web Access?
       RD Web Access enables:
       • Populating the list of available RemoteApps or virtual desktops in the RemoteApp and Desktop Connection application
       • Launching RemoteApps or virtual desktops from the RD Web Access Web site
       • Launching the Remote Desktop Web Connection, which provides Remote Desktop connections to servers or client computers
       RD Web Access only enables users to launch applications or Remote Desktop sessions; it does not proxy RDP sessions.
    17. Installing RD Web Access
       To install RD Web Access:
       • Install the role service on the appropriate Windows Server 2008 R2 edition
       • Install the Web Server (IIS) server role
       • Consider combining the role service with the RD Session Host role service
       • Configure SSL for the RD Web Access virtual directories
       • Log on as a local Administrator
    18. Configuring RD Web Access
    19. Configuring User Access to RD Web Access
       To enable user access to RD Web Access:
       • Provide users with the URL for the RD Web Access server
       • Configure RemoteApp and Desktop Connections to subscribe to a feed from the RD Web Access server
       To configure RemoteApp and Desktop Connections:
       • Configure the URL for the RD Web Access server
       • Create a client configuration file in RD Connection Manager and distribute the file to clients
    20. Configuring Internet Access to RD Web Access
       To configure Internet access to RD Web Access:
       • Configure forms-based authentication
       • Publish RemoteApp programs to use an RD Gateway server
       • Configure RD Web virtual directory settings
    21. Demonstration: Configuring RD Web Access
       • In this demonstration, you will learn how to configure Remote Desktop Web Access
    22. Lab: Integrating RD Web Access into the Desktop Virtualization Infrastructure
       • Exercise 1: Installing and Configuring Remote Desktop Gateway
       • Exercise 2: Configuring Remote Desktop Web Access
       • Exercise 3: Integrating RemoteApp and Desktop Connection with Remote Desktop Web Access
       Logon information:
       Estimated time: 75 minutes
       Host machines: NYC-Host1, NYC-Host2
       Virtual machines: NYC-DC1, NYC-CL1, NYC-SVR4, NYC-SVR5, NYC-SVR6
       User name: Administrator
       Password: Pa$$w0rd
    23. Lab Scenario
       You are a server administrator at Contoso, Ltd. Your organization has deployed Remote Desktop Services to internal users. However, many users who work outside the office or who travel frequently also need to be able to access the remote applications. You now need to enable access to some of the applications for remote users.
    24. Lab Review
       • You installed RDS in a testing environment. After 120 days, you are no longer able to connect to the RDS server. What is the most probable reason for this?
       • Name the two types of Virtual Desktop Infrastructure.
       • How is the use of RemoteApp and Desktop Connection different from simply accessing RemoteApp from RD Web Access?
    25. Module Review and Takeaways
       • Review Questions
       • Tools
    26. Course Evaluation