Enabling your workforce to work remotely during the COVID pandemic

 

COVID-19 has changed the world in many ways. Businesses are exploring ways to enable remote access to employees to continue operating during these challenging times. Remote access enables employers not only to stay productive but also keeps the client community happy with delivering solutions, all while keeping them safe. More importantly, it helps to avoid taking extreme measures like staff reductions or even going out of business. RDS is one of the popular remote access technologies that organizations can consider for remote access.

Remote access by itself does not need any introduction, as it has become a prominent role in our life during the pandemic. Remote access can be done in several ways, and RDS is one of the popular technologies from Microsoft for remote access. RDS is not new, as it has been known to us as Terminal services until Microsoft renamed it to RDS with Windows 2008 R2.

It is no surprise that enabling remote desktop connections have increased internet-based attacks. Fortunately, RDS provides a way to access internal applications securely. It provides much more than remote desktop solutions and, in this article, we will discuss just a few options that RDS will provide for remote access. VPN, VDI, and many open-source application-type solutions are a few other alternatives to explore based on the organization’s needs and requirements.

 

Remote Desktop Services (RDS)

Before we get into the steps on configuring, let’s discuss how this technology works. RDS is very popular since it enables the sharing of infrastructure resources, thereby reducing overall IT cost. However, it does require you to purchase a CAL license to work. When enabled, you have 120 days until license expiration, which gives enough time to convince management to buy-in.

The beauty behind the RDS is that IT no longer needs to worry about configuring or managing the application on client machines. Everyone will be running the same version so that the technical team will only focus on the server side. Additionally, the users do not need high bandwidth internet access since the data transfer will only contain the keyboard/mouse with screen display changes. This means the application data does not leave your network which provides data security. The entire session is encrypted, making it a popular solution to implement.

Installing RDS and configuring take a few steps – we’ll see those steps in detail later in the article. For this article, I plan to use Azure IaaS, all the way to deployment. We will create our lab with one DC and a RDS server. If you prefer with ARM approach for deployment, you can refer to the POC setup from Microsoft at https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-in-azure

We have eight sessions in achieving the lab setup. The first few sessions focus on creating the servers, and we move slowly into setting up RDS and finally test the remote application by publishing a standard application.

 

Create Virtual Machines

This blog assumes that you have a subscription and a P2S VPN configured for remote access to the network.

1. Login to Azure Portal and start creating a new resource group, named ‘rdsdemo’.

2. Name your resources with a tag to manage resources in the future.

3. Click on Create button to create the RG.

 

4. Next, start with creating a Windows 2019 Datacenter VM that will act as a RDS server.

 

5. Keep all defaults under disk tab.

 

6. Since I am creating the VM under a new resource group that we had created earlier, the wizard will create a new v-net, keep all defaults. For the network security group, select the “advanced” option to create a new network security group, and we will configure it later for remote access from outside.

 

7. Keep all defaults under Management for the demo.

 

8. Keep defaults under the “Advanced” tab.

 

9. Configure the resources under the same tag to identify and clean up after the demo.

 

10. Review the settings and click on the “Create” button.

 

11. Wait for the deployment to finish.

 

12. The RDS VM is now ready for setup.

 

13. Next, create a new VM for our Domain controller. The steps are very similar to what we have covered before. Please note that RDS can only work inside a domain setting , so you will need a Domain controller on your network to work.

 

14. Keep all defaults under the Disks tab.

 

15. Select none on the public IP option, and make sure you select the same v-net for simplicity .

 

16. Keep the defaults under the Management tab, then click Next.

 

17. Again, no change to the Advanced tab, then click Next.

 

18. Set the tags like before (optional).

 

19. No change under the Management tab, then click Next.

 

20.  Wait for the deployment to finish, and we will have domain controller VM ready to configure.

 

21.  In my case, I have a P2S setup on a different v-net, so I am going to create a pairing to access the server via my existing P2S VPN.

 

If you need to setup P2S VPN to your network, please refer to Microsoft documentation at
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal

When you go back to view Azure VM, it would display our new two VMs as shown below:

 

Setup Domain Controller

1. First, we will setup domain controller, RDP to Murali-DCDemo (using private IP), and select the “Add Roles and Features” option

 

2. Click Next

 

3. Select “Role-based option” and click Next

 

4. We have only one server to choose from, then click Next to continue

 

5. Select “ADDS” from the list of available roles

 

6. Click “Add Features” when prompted to add additional dependencies then click Next

 

7. If you’re happy with all the defaults, click Next to continue

 

8. For our demo, we are not setting up Azure AD, so click Next to continue

 

9. Review the summary and click Install to continue

 

10. Wait for the installation to complete

 

11. Now, it is time to setup our new domain. Click on “Promote this server to a domain controller”

 

12. Select the “Add a new forest” option and name the domain as “MaraliDomain.local”

 

13. Set a strong password and click Next to continue

 

14. For our demo, we can ignore the warning and click Next to continue

 

15. Review NetBIOS (yes- Windows 2019 still supports NetBIOS), and click Next to continue

 

16. Click Next unless you want to change the file location

 

17. Review and click Next to continue

 

18. On a real production setup, you will need to address all the warnings. For our demo, it is ok to ignore the warnings and click Install to finish & reboot the VM

 

Add RDS to our new domain

Now, we’ll start with adding our RDS VM to the domain. Go to Systems, click on Change settings, and enter the domain name and click OK. When prompted, restart and login back with the domain account.

 

Setup RDS

1. At this time, we are ready to setup RDS. On the server manager, select “Add Roles and Features” option inside Server Manager

 

2. Click Next to continue

 

3.For our demo, we will choose second option. Choose the first option if you are comfortable with running numerous PowerShell scripts to enable/disable roles later.

 

4. Pick Standard deployment option and click Next

 

5. This blog covers session-based deployment, while the VM option addresses a different set of needs. Please refer to MS for additional information:
https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/welcome-to-rds

 

6. Finally, we are about to configure RDS components

 

7. I am going to use the same machine for all three roles in our demo. This is not recommended for a production scenario; I am keeping it simple to better understand the configuration.

 

8. Click on Deploy and the VM will reboot a couple of times before all our components are in place.

 

Configure RDS- Licensing

1. Once you login (with domain account), select the RDS from the left menu.

 

If you login as local account, RDS will not work as shown below

 

2. Install licensing server. When you are setting this up for the first time, the license is valid for 120 days (trial).

 

3. Select the server listed on your Server pool and move to the Selected column. In our case, we have only one server, and as I mentioned earlier, it is not recommended for a production setup. Click Next and confirm selection.

 

4. Wait for the install to complete and close the wizard.

 

If you want to check the licensing period, you can run the following PS script:
(Invoke-WmiMethod -PATH (gwmi -namespace root\cimv2\terminalservices -class win32_terminalservicesetting).__PATH -name GetGracePeriodDays).daysleft

In my case, I installed the server yesterday and it says I have 119 days left.

 

Configure RDS- Gateway

1. The following steps are pretty much the same as we did for Licensing. Click on “RD Gateway” to launch the install wizard.

 

2. On this step, you would select the SSL and the external URL to access. For our demo, I am going with “MuraliRemoteAccess.com”, you would pick FQDN that you own and plan to configure for remote access from outside.

 

3. Wait for it to install.

 

4. Click on Configure certificate link and apply certificates. For our demo, I go with self-signing certificate for demo purposes. You have an option to use the same certificate for all the listed services. Unfortunately, you need to select each one and apply the certificate individually.

 

5. Once you close the wizard, it is pretty much ready for application configuration.

 

Configure application

1. Click on “Create session collections”, and name your collection. For my demo, I am publishing the calculator application, so I name it as “calculator” and provide a brief description(optional).

 

2. By this time, you should be very familiar with this UI. Pick the server from the available list.

 

3. This step is very important for security. Please create a security group and grant access at the group level. Just for demo purposes, I am selecting everyone.

 

4. Enable profile disks if you need to.

 

5. Review and click Create.

 

6. Click on our newly created collection and select publish remoteapp program from the tasks list.

 

7. Select the EXE from the list. You have an option to add your custom application. Click on Publish.

 

8. Wait for it to finish.

 

Configure firewall

Next, we will want to configure it for external access. Switch back to Azure portal and open 443 port to the server for web access.

Go to Networking information on Murali-RDSDemo and select the Network security group that we created earlier during initial setup as shown below.

Add SSL port (443) as shown below:

We are all set with configuration, lets login to verify.

 

Testing

Since I am using a non-existent domain, I am going to make an entry to my client hosts file to simulate a real case scenario:

 

Open Chrome browser and type in https://yourdomainname/RDWeb. Enter your domain credentials. The calculator will be listed as an application. Clicking calc will open a remote session as shown below.

 

As you can see here, the calculator is running on the remote server. Your local task manager lists the app under RD connection.

 

Final Thoughts

As you can see, it is very easy to enable remote access for your workforce. Keep in mind that the we have covered just the basics, and I would strongly recommend enabling MFA on the account before considering remote access for your workforce.