Forefront Unified Access Gateway 2010

Remote Desktop Services (RDS) Publishing Solution Guide

Microsoft® Corporation

Published: January, 2010

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows Server, and Active Directory are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents

Remote Desktop Services publishing solution guide

    Limitations for this release

    About this guide

Overview of Remote Desktop Services publishing

Why publish Remote Desktop Services with Forefront UAG?

Steps for publishing Remote Desktop Services

    Publishing RemoteApp applications

        Exporting RemoteApp settings from RDS

        Publishing RemoteApps and importing RemoteApp settings

    Publishing Desktop Connections

        Publishing a predefined Desktop Connection

        Publishing a user-defined Desktop Connection

Remote Desktop Services publishing solution guide

Remote Desktop Services (RDS) facilitates the sharing of applications and desktops over the network, enabling users to access Windows-based programs that are installed on a Remote Desktop Session Host (RD Session Host) or the Windows desktop itself, from a range of computing devices. Users can connect to an RD Session Host to run programs on that server using RemoteApps, or they can connect to a remote desktop.

For more information about RDS, see What’s new in Terminal Services for Windows Server 2008 and What’s New in Remote Desktop Services.

Limitations for this release

The following are the limitations for RDS publishing in this release:

· Remote endpoint access is supported only for clients running the Windows 7 operating system; endpoints must be running Remote Desktop Connection (RDC) 6.1.

· If an endpoint running the RDC client is issued a session cookie that is longer than 840 characters, the remote desktop connection fails. This usually occurs if customized code adds cookies, or if you have enabled single sign-on across multiple Forefront UAG sites.
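As an added diagnostic (not part of this guide), the following Python helper parses the Cookie request header an RDC endpoint sends back to the Forefront UAG site, measures it against the 840-character limit described above, and lists which cookies contribute most, so that an administrator can see whether cookies added by customized code or SSO cookies from other Forefront UAG sites are responsible. The sample header and its cookie names are constructed placeholders.

```python
# Added example (not part of the Forefront UAG guide): checks a captured
# Cookie request header against the 840-character limit described above.
# Cookie names and values below are constructed placeholders.

RDC_COOKIE_LIMIT = 840  # limit stated in the guide for the RDC endpoint


def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs.

    Handles empty segments and values that contain '=' (the split is on
    the first '=' only), which encoded session values often do.
    """
    pairs = []
    for segment in header.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        name, _, value = segment.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def check_cookie_length(header, limit=RDC_COOKIE_LIMIT):
    """Return (total_length, over_limit, contributors).

    total_length is the length of the header as the client sends it;
    contributors lists (name, length of name=value) largest first so the
    administrator can see which cookies push the header over the limit.
    """
    pairs = parse_cookie_header(header)
    sizes = [(name, len(name) + 1 + len(value)) for name, value in pairs]
    sizes.sort(key=lambda item: item[1], reverse=True)
    total = len(header)
    return total, total > limit, sizes


# Constructed sample: a portal session cookie, an SSO cookie from a second
# Forefront UAG site, and a cookie added by customized portal code.
SAMPLE_HEADER = "; ".join([
    "SessionCookie=" + "A" * 400,
    "SSOSite2=" + "B" * 300,
    "CustomTracking=" + "C" * 200,
])

if __name__ == "__main__":
    total, over, sizes = check_cookie_length(SAMPLE_HEADER)
    print(f"Cookie header length: {total} (limit {RDC_COOKIE_LIMIT}), over limit: {over}")
    for name, size in sizes:
        print(f"  {name}: {size} characters")
```

Run it against a Cookie header copied from a browser or proxy capture of a failing RDC launch; the contributor list shows which cookie to shorten or remove.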

About this guide

This guide provides the following information about publishing RDS using Forefront Unified Access Gateway (UAG):

· Overview of Remote Desktop Services publishing—Provides an overview of using RDS with Forefront UAG.

· Why publish Remote Desktop Services with Forefront UAG?—Describes the benefits of publishing RDS via Forefront UAG.

· Steps for publishing Remote Desktop Services—Provides instructions for publishing RDS applications.

Overview of Remote Desktop Services publishing

Forefront Unified Access Gateway (UAG) allows you to provide access to published RemoteApps and Remote Desktops by integrating a Remote Desktop Gateway (RD Gateway) to provide an application-level gateway for RDS services and applications. Previously, RDS was published by tunneling Remote Desktop Protocol (RDP) traffic from the endpoint to RDS servers using the Socket Forwarding component; tunneled traffic was not controlled or inspected, and client endpoints required installation of the Socket Forwarding endpoint component.

Forefront UAG integrates with RD Gateway, as follows:

· Remote access—Remote users can access Remote Desktops and RemoteApp applications via a Forefront UAG portal:

    · Remote Desktops—Allow full access to Remote Desktops within the organization.

    · RemoteApp applications—Publish a single or multiple RemoteApps on a single RDS server, or by using a Remote Desktop Connection Broker (RD Connection Broker).

· Firewall traversal—RD Gateway transmits RDP traffic on port 443 using an HTTP SSL/TLS tunnel. Most corporations open this port for Internet connectivity. Forefront UAG uses this traversal capability to allow users to connect to internal applications and resources hosted behind firewalls in private networks, and across network address translation (NAT) devices, without the need to install additional software on the client endpoint.

For information about the benefits of publishing RDS via Forefront UAG, see Why publish Remote Desktop Services with Forefront UAG?.

Forefront UAG handles requests from RDC clients to the RDS hosts, as follows:

1. A client accesses a Forefront UAG portal using a Web browser.

2. The client logs in. The client authenticates as required for the portal session, and Forefront UAG evaluates the settings and features of the endpoint against its session access policies.

3. The end user starts a RemoteApp or Remote Desktop application in the portal.

4. The portal uses the RDS ActiveX component to activate the RDC client software running on the endpoint.

Note:

The ActiveX component is activated with parameters that are based on the health of the endpoint to ensure that only the features that are available on that endpoint are presented to the end user.

5. The RDC client on the endpoint initiates an RDP-over-HTTPS connection with the Forefront UAG server.

6. The HTTPS connection terminates on the Forefront UAG server. Forefront UAG uses its integrated RDGateway to handle the connection. Forefront UAG verifies that the user logged on to the portal successfully, and was authenticated using a session cookie, and then enforces the endpoint access policies.

7. An RDP session is established from Forefront UAG to the backend RDS hosts.

For the steps required to publish RDS, see Steps for publishing Remote Desktop Services.

Why publish Remote Desktop Services with Forefront UAG?

Publishing Remote Desktop Services (RDS) via Forefront Unified Access Gateway (UAG) provides the following benefits:

· Authentication—Authentication benefits include:

    · Strong authentication methods—Forefront UAG enhances authentication by providing a wide range of additional authentication methods, including smartcards, one-time passwords, and token authentication.

    · Preauthentication—You can require users to authenticate to the Forefront UAG server, ensuring that only authenticated traffic reaches RDS servers published via Forefront UAG.

    · Single sign-on (SSO)—Forefront UAG adds single sign-on functionality for RDS. The credentials provided by the user for session login can be used to authenticate to published RemoteApps and Desktop Connections.

· Access control and endpoint health—Forefront UAG enhances the authorization checks of the RD Gateway by enabling end user health checks. This is important when determining which remote application capabilities (drive mapping, printers, or clipboard integration), other than the basic screen and keyboard, are available to end users.

    Forefront UAG can verify endpoint health by using inbuilt access policies, Network Access Protection (NAP) policies, or a combination of inbuilt policies and NAP policies. You can create proprietary Forefront UAG access policies, or use access policies downloaded from a Network Policy Server (NPS).

· Single point of access—You can provide access to all Remote Desktops and RemoteApps from a single Forefront UAG portal.

· Ease of management—RD Gateway integration allows you to configure and manage RD Gateway from within the Forefront UAG Management console.

· Deployment and high availability—By deploying an array of Forefront UAG servers to publish RDS, and implementing Forefront UAG integrated network load balancing across the array nodes, you can provide high availability to the RemoteApps and Desktop Connections that you publish.

Steps for publishing Remote Desktop Services

Forefront Unified Access Gateway (UAG) integrates with Remote Desktop Gateway (RD Gateway) to enable client endpoints to connect to Remote Desktop Services (RDS) servers and applications, published via a Forefront UAG portal. Forefront UAG can publish RDS deployments even if RDS servers are configured to use an existing RD Gateway, because Forefront UAG handles the RDP metadata before sending it to the requesting endpoint.

The following topics describe how to publish RemoteApp applications and Desktop Connections via Forefront UAG:

· Publishing RemoteApp applications

· Publishing Desktop Connections

Note:

When publishing RemoteApps and Desktop Connections, the server certificate presented to the end-user by the Forefront UAG site must be valid. If the certificate has expired or is not trusted by the endpoint, a connection cannot be established.

Publishing RemoteApp applications

The following procedures describe how to publish RemoteApp applications via Forefront Unified Access Gateway (UAG):

· Exporting RemoteApp settings from RDS

· Publishing RemoteApps and importing RemoteApp settings

Exporting RemoteApp settings from RDS

Before you can publish RemoteApp applications, you must export RemoteApp settings from RDS, as described in this procedure.

To export RemoteApp settings from RDS

1. On the RD Session Host server, click Start, click Administrative Tools, click Remote Desktop Services, and then click RemoteApp Manager.
2. Ensure that the RemoteApp Programs list contains the programs that you want to provide to end users.
3. In the Actions pane, click Export RemoteApp Settings.
4. Click Export the RemoteApp Programs list and settings to a file, and then click OK.
5. Specify a location to save the .tspub file, and click Save.

Publishing RemoteApps and importing RemoteApp settings

This procedure describes how to publish RemoteApps via Forefront UAG, and import RemoteApp settings during the publishing process.

To publish RemoteApps and import RemoteApp settings

1. In the Forefront UAG Management console, select the portal in which you want to publish RemoteApp applications. In the Applications area of the main portal properties page, click Add. The Add Application Wizard opens.
2. On the Select Application page of the wizard, select Terminal Services (TS)/Remote Desktop Services (RDS). In the list, select RemoteApp.
3. On the Configure Application page of the wizard, enter a name for the RemoteApp application.
4. On the Select Endpoint Policies page of the wizard, do the following:
    a. In Access policy, select a Forefront UAG policy with which endpoints must comply in order to access the published RemoteApps in the portal. In Printers, Clipboard, and Drives, select access policies with which endpoints must comply in order to access these local resources during remote desktop sessions.
    b. To enable single sign-on for the session, select the Use RDS Single Sign-On (SSO) Services check box.
    c. If the trunk through which you are publishing the RemoteApp applications uses Network Access Protection (NAP) policies, and you have a Network Policy Server (NPS) configured, do the following:
        · Select Require Network Access Protection (NAP) compliance, to specify that only endpoints that comply with NAP policy can access published RemoteApps.
        · Select Require NAP compliance for RDS device redirection only, to specify that only endpoints that comply with NAP policy can access devices and resources on RDS servers, such as drives, printers, and the clipboard. Access to other resources and applications on RDS servers does not require NAP compliance.
        · Select Do not require NAP compliance, if you do not require clients to use NAP to access the published RemoteApps.
5. On the Import RemoteApp Programs page of the wizard, do the following:
    a. In File to import, specify the location of the exported .tspub file, or click Browse to locate the file.
    b. In RD Session Host or RD Connection Broker, specify the name of an RD Session Host (if different from that specified in the imported settings file), or the name of the RD Connection Broker server.
    c. If you are using an RD Connection Broker server, in IP addresses, IP address ranges, FQDNs, or subnets, add the names of all RD Session Hosts that might be used by the RD Connection Broker. To specify multiple servers, use an IP address range or subnet.
6. On the Select Publishing Type page of the wizard, in the Available RemoteApps list, double-click each RemoteApp that you want to publish via Forefront UAG, to add it to the Published RemoteApps list. The list of available RemoteApps is retrieved from the imported .tspub file.
7. On the Configure Client Settings page of the wizard, specify how RemoteApps should be displayed. You can set a display resolution and color, or select to use display settings retrieved from the imported .tspub file.
8. Complete the Add Application Wizard.

Publishing Desktop Connections

This topic describes how to publish Desktop Connections via Forefront Unified Access Gateway (UAG).

Forefront UAG provides the following two options for publishing Desktop Connections:

· Publishing a predefined Desktop Connection—When using the Remote Desktop option, the administrator configures all of the settings for the user-initiated connection to the remote desktop. When users access this application from the portal, they connect to the specific remote desktop defined by the administrator.

· Publishing a user-defined Desktop Connection—When using the Remote Desktop (Selective RD Host) option, the administrator configures all of the desktops to which a user can connect remotely. When users access this application from the portal, they must choose the remote desktop to which they want to connect.

Publishing a predefined Desktop Connection

To publish a predefined Desktop Connection

1. In the Forefront UAG Management console, select the portal in which you want to publish predefined Desktop Connections. In the Applications area of the main portal properties page, click Add. The Add Application Wizard opens.
2. On the Select Application page of the wizard, select Terminal Services (TS)/Remote Desktop Services (RDS). In the list, select Remote Desktop (Predefined).
3. On the Configure Application page of the wizard, enter a name for the Desktop Connection.
4. On the Select Endpoint Policies page of the wizard, do the following:
    · In Access policy, select a Forefront UAG policy with which the endpoints must comply in order to access the published Desktop Connection in the portal. In Printers, Clipboard, and Drives, select access policies with which endpoints must comply to access these local resources during remote desktop sessions.
    · If the trunk through which you are publishing the Desktop Connection uses Network Access Protection (NAP) policies, and a Network Policy Server (NPS) is configured, do the following:
        · Select Require Network Access Protection (NAP) compliance, to specify that only endpoints that comply with NAP policy can access the remote desktop.
        · Select Require NAP compliance for RDS device redirection only, to specify that only endpoints that comply with NAP policy can access devices and resources on RDS servers, such as drives, printers, and the clipboard. Access to other resources and applications on RDS servers does not require NAP compliance.
        · Select Do not require NAP compliance, if you do not require clients to use NAP to access the published Desktop Connection.
5. On the Configure Server Settings page of the wizard, do the following:
    a. In RD Session Host or RD Connection Broker, specify the name of an RD Session Host, or the name of the RD Connection Broker server.
    b. If you are using an RD Connection Broker server, in IP addresses, IP address ranges, FQDNs, or subnets, add the names of all RD Session Hosts that might be used by the RD Connection Broker. To specify multiple servers, use an IP address range or subnet.
6. On the Configure Client Settings page of the wizard, specify how the remote desktop should be displayed. You can set a display resolution and color, or select to use the default settings.
7. Complete the Add Application Wizard.

Publishing a user-defined Desktop Connection

To publish a user-defined Desktop Connection