07 November 2011

How to configure Connect From Anywhere for Remote Desktop Connection clients

Remote Desktop connections to servers are normally made with the Remote Desktop Connection application. It seems everyone calls it something else: RDP client, Terminal Server client, Remote Desktop ...

Just to clarify, I am going to go over the settings for c:\Windows\System32\mstsc.exe version 6.1.7601.17514, the version shipped with Windows 7.

How it fits together
Connect from Anywhere is the client component for Remote Desktop Services Gateway (RDSGW). This is normally configured for RDP sessions coming in from the Internet. To try this out you need either your own RDGW or one provided for you. If you want to set up your own, here are some guides on how to do it:

http://fixmyitsystem.com/2010/08/rds-gateway-connection-broker-and-web.html
http://fixmyitsystem.com/2010/08/buildng-rds-load-balanced-farm-with-rd.html


RDSGW encapsulates the RDP data in SSL, so connections go over the HTTPS port 443, which normally allows tunneling through firewalls.

The RDSGW also enforces policies that govern what is and what is not accessible to whom.
The Connection Authorization Policies (RD CAP) govern which authentication types are allowed as well as device redirection settings.
The Resource Authorization Policies (RD RAP) govern which servers a user is allowed to connect to.

Once a connection passes the policy check, the RDGW establishes an RDP session to the requested server on the normal RDP port 3389 (unless specified otherwise in a policy).

Manually Configuring the Remote Desktop Connection 
By default, Connect from Anywhere is set to "Automatically detect RD Gateway server settings". This setting looks for settings specified in Group Policy.


  • Open Remote Desktop Connection
  • Click the Advanced tab
  • From the Connect from Anywhere section, click Settings
  • Select the "Use these RD Gateway server settings" radio button
  • Specify the RDGW FQDN




The "Bypass RD Gateway server for local addresses" option lets the connection go direct without passing through the RDGW. "Local addresses" actually means that the client will attempt to look up and resolve the server name; if it cannot, it will attempt to use the RDGW specified.

Depending on your requirements you can leave this enabled, or un-check it to force all connections through the RDGW.

Once that is configured you can specify the server name you want to connect to on the General tab.
You do not have to specify the FQDN of your server as the RDGW will do that resolution.
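The same client settings can be pinned in an .rdp file instead of the dialog. This PowerShell example is added here and is not from the original post; the host names are placeholders, the key names are the documented .rdp settings, and the audit function is my own helper for checking that a saved file does not fall back to the "bypass for local addresses" behaviour.

```powershell
# Added example (not from the original post): write an .rdp file with the
# Connect from Anywhere settings, then audit an existing file for enforcement.
# Host names are placeholders; key names are the standard .rdp settings.

function New-GatewayRdpFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Server,   # target; the RDGW resolves it, so FQDN is optional
        [Parameter(Mandatory)] [string] $Gateway,  # RDGW FQDN
        [switch] $BypassLocal                      # same as "Bypass RD Gateway server for local addresses"
    )
    # gatewayusagemethod: 1 = always use the gateway, 2 = bypass it for local addresses
    $usage = if ($BypassLocal) { 2 } else { 1 }
    # gatewayprofileusagemethod 1 = use these explicit settings (not "automatically detect")
    # gatewaycredentialssource 0 = ask for password (NTLM), 1 = smart card
    @"
full address:s:$Server
gatewayhostname:s:$Gateway
gatewayprofileusagemethod:i:1
gatewayusagemethod:i:$usage
gatewaycredentialssource:i:0
"@ | Set-Content -Path $Path -Encoding ASCII
}

function Test-RdpGatewayEnforced {
    param([Parameter(Mandatory)] [string] $Path)
    # Parse the key:type:value lines of the .rdp file into a hashtable
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^(?<key>[^:]+):(?<type>[si]):(?<value>.*)$') {
            $settings[$Matches.key] = $Matches.value
        }
    }
    # Enforced only when a gateway is named AND usage method is 1 (always);
    # 2 would let the client connect directly whenever the name resolves.
    [bool]($settings['gatewayhostname'] -and $settings['gatewayusagemethod'] -eq '1')
}

# Usage: write an enforcing file, then audit it (returns $true when enforced)
New-GatewayRdpFile -Path "$env:TEMP\srv01.rdp" -Server 'srv01' -Gateway 'rdgw.example.com'
Test-RdpGatewayEnforced -Path "$env:TEMP\srv01.rdp"
```

Running Test-RdpGatewayEnforced over the .rdp files you hand out is a quick way to catch files that were saved with the bypass option still ticked.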



Once you click connect the following will happen.

  1. The RDC will prompt for credentials
  2. The connection attempt is sent to the RDGW over HTTPS 443
  3. Your connection attempt is processed through the RD CAP and RD RAP policies
  4. The connection to the server is established on RDP port 3389 between the RDGW and the server.


Configuring the Remote Desktop Connection with Group Policy


The following will enable administrators to configure and optionally enforce the settings:

Create and edit a new Group Policy object
Expand User Configuration - Administrative Templates - Windows Components - Remote Desktop Services
Under the RD Gateway key there are three settings:


  • Set RD Gateway authentication method


Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client.
To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default.
If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the NTLM protocol that is enabled on the client or a smart card can be used for authentication.


  • Enable connection through RD Gateway


If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting.
You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client.
Note: To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used.
To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default.
If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server.


  • Set RD Gateway server address


Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client.
Note: It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used.
To allow users to overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server, you must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default.
Note: If you disable or do not configure this policy setting, but enable the "Enable connections through RD Gateway" policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server.

These settings work in combination with each other, so check the options carefully.

One advantage of forcing all connections through the gateways is that you can centrally control connections with the RD CAP and RD RAP policies.

Conclusion
The added functionality of using an RDGW can be utilized and enforced for both external and internal network connections. It not only allows tunneling of connections from the outside but also enforces policies locally. The RDGW can be built as an NLB cluster so multiple nodes can be used to make it a high-availability tier for RDS.

NOTE: this article pertains to the Remote Desktop Connection application.  RDS applications published through the Web interface or via RDP or MSI files are configured by the setting specified in the RemoteApp Manager.

Disclaimer - Group policy description copy and pasted from group policy directly
