
Enabling your workforce to work remotely during the COVID pandemic

 

COVID-19 has changed the world in many ways. Businesses are exploring ways to enable remote access for employees so they can continue operating during these challenging times. Remote access lets employers stay productive and keep delivering solutions to the client community, all while keeping everyone safe. More importantly, it helps to avoid extreme measures like staff reductions or even going out of business. RDS is one of the popular remote access technologies that organizations can consider.

Remote access needs no introduction, as it has taken on a prominent role in our lives during the pandemic. It can be done in several ways, and RDS is one of the popular technologies from Microsoft for this purpose. RDS is not new: it was known to us as Terminal Services until Microsoft renamed it to RDS with Windows 2008 R2.

It is no surprise that enabling remote desktop connections has increased internet-based attacks. Fortunately, RDS provides a way to access internal applications securely. It offers much more than remote desktop solutions, and in this article we will discuss just a few of the options that RDS provides for remote access. VPN, VDI, and many open-source application-type solutions are a few other alternatives to explore based on the organization’s needs and requirements.

 

Remote Desktop Services (RDS)

Before we get into the configuration steps, let’s discuss how this technology works. RDS is very popular since it enables the sharing of infrastructure resources, thereby reducing overall IT cost. However, it does require you to purchase CALs (client access licenses) to work. When enabled, you have 120 days until license expiration, which gives enough time to convince management to buy in.

The beauty of RDS is that IT no longer needs to worry about configuring or managing the application on client machines. Everyone runs the same version, so the technical team only has to focus on the server side. Additionally, users do not need high-bandwidth internet access, since the data transferred consists only of keyboard/mouse input and screen display changes. This means the application data does not leave your network, which provides data security. The entire session is encrypted, making it a popular solution to implement.

Installing and configuring RDS takes a few steps; we’ll see those steps in detail later in the article. For this article, I plan to use Azure IaaS, all the way to deployment. We will create our lab with one DC and an RDS server. If you prefer an ARM approach for deployment, you can refer to the POC setup from Microsoft at https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-in-azure

We have eight sections in achieving the lab setup. The first few sections focus on creating the servers, then we move on to setting up RDS, and finally we test remote access by publishing a standard application.

 

Create Virtual Machines

This blog assumes that you have a subscription and a P2S VPN configured for remote access to the network.

1. Log in to the Azure portal and start creating a new resource group, named ‘rdsdemo’.

WF1

2. Name your resources with a tag to manage resources in the future.

WF2

3. Click the Create button to create the resource group (RG).

WF3

 

4. Next, create a Windows 2019 Datacenter VM that will act as the RDS server.

WF4

 

5. Keep all defaults under the Disks tab.

WF5

 

6. Since I am creating the VM under the new resource group that we created earlier, the wizard will create a new v-net; keep all defaults. For the network security group, select the “advanced” option to create a new network security group. We will configure it later for remote access from outside.

WF6

 

7. Keep all defaults under Management for the demo.

WF7

 

8. Keep defaults under the “Advanced” tab.

WF8

 

9. Configure the resources under the same tag to identify and clean up after the demo.

WF9

 

10. Review the settings and click on the “Create” button.

WF10

 

11. Wait for the deployment to finish.

WF11

 

12. The RDS VM is now ready for setup.

WF12

 

13. Next, create a new VM for our domain controller. The steps are very similar to what we have covered before. Please note that RDS can only work inside a domain setting, so you will need a domain controller on your network.

WF13

 

14. Keep all defaults under the Disks tab.

WF14

 

15. Select “None” for the public IP option, and make sure you select the same v-net for simplicity.

WF15

 

16. Keep the defaults under the Management tab, then click Next.

WF16

 

17. Again, no change to the Advanced tab, then click Next.

WF17

 

18. Set the tags like before (optional).

WF18

 

19. No change under the Management tab, then click Next.

WF19

 

20. Wait for the deployment to finish, and we will have the domain controller VM ready to configure.

WF20

 

21. In my case, I have a P2S setup on a different v-net, so I am going to create a peering to access the server via my existing P2S VPN.

WF21

 

If you need to set up a P2S VPN to your network, please refer to the Microsoft documentation at
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal

When you go back to the Azure VM view, it displays our two new VMs as shown below:

WF22

 

Setup Domain Controller

1. First, we will set up the domain controller. RDP to Murali-DCDemo (using its private IP) and select the “Add Roles and Features” option.

WF23

 

2. Click Next

WF24

 

3. Select “Role-based option” and click Next

WF25

 

4. We have only one server to choose from, then click Next to continue

WF26

 

5. Select “Active Directory Domain Services” (AD DS) from the list of available roles

WF27

 

6. Click “Add Features” when prompted to add additional dependencies, then click Next

WF28

 

7. If you’re happy with all the defaults, click Next to continue

WF29

 

8. For our demo, we are not setting up Azure AD, so click Next to continue

WF30

 

9. Review the summary and click Install to continue

WF31

 

10. Wait for the installation to complete

WF32

 

11. Now, it is time to set up our new domain. Click on “Promote this server to a domain controller”

WF33

 

12. Select the “Add a new forest” option and name the domain “MaraliDomain.local”

WF34

 

13. Set a strong password and click Next to continue

WF35

 

14. For our demo, we can ignore the warning and click Next to continue

WF36

 

15. Review the NetBIOS name (yes, Windows 2019 still supports NetBIOS), and click Next to continue

WF37

 

16. Click Next unless you want to change the file location

WF38

 

17. Review and click Next to continue

WF39

 

18. In a real production setup, you will need to address all the warnings. For our demo, it is OK to ignore the warnings and click Install to finish and reboot the VM

WF40

 

Add RDS to our new domain

Now, we’ll add our RDS VM to the domain. Go to System, click on Change settings, enter the domain name, and click OK. When prompted, restart and log back in with the domain account.

WF41

WF42

 

Setup RDS

1. At this point, we are ready to set up RDS. In Server Manager, select the “Add Roles and Features” option

WF43

 

2. Click Next to continue

WF44

 

3. For our demo, we will choose the second option. Choose the first option if you are comfortable with running numerous PowerShell scripts to enable/disable roles later.

WF45

 

4. Pick the Standard deployment option and click Next

WF46

 

5. This blog covers session-based deployment, while the VM option addresses a different set of needs. Please refer to the Microsoft documentation for additional information:
https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/welcome-to-rds

WF47

 

6. Finally, we are about to configure RDS components

WF48

 

7. I am going to use the same machine for all three roles in our demo. This is not recommended for a production scenario; I am keeping it simple to better understand the configuration.

WF49

 

8. Click on Deploy and the VM will reboot a couple of times before all our components are in place.

WF50

 

Configure RDS- Licensing

1. Once you log in (with a domain account), select RDS from the left menu.

WF51

 

If you log in with a local account, RDS will not work, as shown below

WF52

 

2. Install the licensing server. When you are setting this up for the first time, the license is valid for 120 days (trial).

WF53

 

3. Select the server listed in your Server pool and move it to the Selected column. In our case, we have only one server, and as I mentioned earlier, this is not recommended for a production setup. Click Next and confirm the selection.

WF54

 

4. Wait for the install to complete and close the wizard.

WF55

 

If you want to check the remaining licensing grace period, you can run the following PowerShell command:
(Invoke-WmiMethod -PATH (gwmi -namespace root\cimv2\terminalservices -class win32_terminalservicesetting).__PATH -name GetGracePeriodDays).daysleft

WF56

In my case, I installed the server yesterday and it says I have 119 days left.

 

Configure RDS- Gateway

1. The following steps are pretty much the same as we did for Licensing. Click on “RD Gateway” to launch the install wizard.

WF57

 

2. In this step, you select the SSL certificate and the external URL used for access. For our demo, I am going with “MuraliRemoteAccess.com”; you would pick an FQDN that you own and plan to configure for remote access from outside.

WF58

 

3. Wait for it to install.

WF59

 

4. Click on the Configure certificate link and apply certificates. For our demo, I use a self-signed certificate. You have the option to use the same certificate for all the listed services. Unfortunately, you need to select each one and apply the certificate individually.

WF60

WF61

WF62

 

5. Once you close the wizard, it is pretty much ready for application configuration.

WF63

 

Configure application

1. Click on “Create session collections”, and name your collection. For my demo, I am publishing the calculator application, so I name it “calculator” and provide a brief description (optional).

WF64

 

2. By this time, you should be very familiar with this UI. Pick the server from the available list.

WF65

 

3. This step is very important for security. Please create a security group and grant access at the group level. Just for demo purposes, I am selecting everyone.

WF66

 

4. Enable profile disks if you need to.

WF67

 

5. Review and click Create.

WF68

 

6. Click on our newly created collection and select “Publish RemoteApp Programs” from the tasks list.

WF69

 

7. Select the EXE from the list. You have an option to add your custom application. Click on Publish.

WF70

 

8. Wait for it to finish.

WF71
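Step 3 above recommends granting access through a security group rather than to everyone. The following is an added example, not part of the original article, that does this from PowerShell for the “calculator” collection; the group name and member accounts are hypothetical.

```powershell
# Added example, not from the original article. Run on the RDS server with a
# domain admin account; needs the ActiveDirectory (RSAT) and RemoteDesktop modules.
Import-Module ActiveDirectory, RemoteDesktop

$Collection = 'calculator'             # collection name used in the article
$GroupName  = 'RDS-Calculator-Users'   # hypothetical security group name
$Members    = @('alice', 'bob')        # hypothetical sAMAccountNames

# Create the security group once.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Users allowed to launch the calculator RemoteApp collection'
}

# Add only accounts that are not members yet, so the script can be re-run.
$current = Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty SamAccountName
$toAdd = $Members | Where-Object { $_ -notin $current }
if ($toAdd) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

# -UserGroup replaces the collection's whole access list, so any broad group
# selected in the wizard is dropped here.
$netbios = (Get-ADDomain).NetBIOSName
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -UserGroup "$netbios\$GroupName"

# Read the setting back and warn if a broad group still has access.
$assigned = (Get-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup).UserGroup
$assigned
$tooBroad = $assigned | Where-Object { $_ -match 'Domain Users|Everyone|Authenticated Users' }
if ($tooBroad) {
    Write-Warning "Collection '$Collection' is still open to: $($tooBroad -join ', ')"
}
```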

 

Configure firewall

Next, we will configure the deployment for external access. Switch back to the Azure portal and open port 443 to the server for web access.

Go to Networking information on Murali-RDSDemo and select the Network security group that we created earlier during initial setup as shown below.

WF72

Add SSL port (443) as shown below:

WF73
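The same rule can be created from PowerShell, together with a check that nothing else in the network security group exposes RDP (3389) directly. This is an added example, not part of the original article; the NSG name is a placeholder, and the rule name and priority are assumptions.

```powershell
# Added example, not from the original article. Needs the Az.Network module
# and an authenticated session (Connect-AzAccount).
$ResourceGroup = 'rdsdemo'             # resource group created in the article
$NsgName       = '<your-nsg-name>'     # placeholder: NSG created with the RDS VM
$RuleName      = 'Allow-HTTPS-Inbound' # hypothetical rule name
$Priority      = 300                   # assumption: priority not yet used in this NSG

# True when $Port falls inside any entry of an NSG port list ('*', '443', '3000-4000').
function Test-PortMatch([string[]]$Ranges, [int]$Port) {
    foreach ($r in $Ranges) {
        if ($r -eq '*') { return $true }
        $lo, $hi = $r -split '-', 2
        if (-not $hi) { $hi = $lo }
        if ($Port -ge [int]$lo -and $Port -le [int]$hi) { return $true }
    }
    return $false
}

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName

# Add the inbound 443 rule once; re-running the script does not duplicate it.
if (-not ($nsg.SecurityRules | Where-Object { $_.Name -eq $RuleName })) {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $RuleName `
        -Description 'RD Web Access and RD Gateway over HTTPS' `
        -Access Allow -Direction Inbound -Protocol Tcp -Priority $Priority `
        -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '443' |
        Set-AzNetworkSecurityGroup | Out-Null
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName
}

# Flag inbound Allow rules that open RDP (3389) to any source on the internet.
$broad = '*', 'Internet', '0.0.0.0/0'
$exposed = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    (Test-PortMatch $_.DestinationPortRange 3389) -and
    ($_.SourceAddressPrefix | Where-Object { $_ -in $broad })
}
if ($exposed) {
    $exposed | Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange
    Write-Warning 'RDP (3389) is reachable from the internet; remove or restrict these rules.'
} else {
    'No inbound Allow rule exposes 3389 to the internet.'
}
```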

We are all set with the configuration; let’s log in to verify.

 

Testing

Since I am using a non-existent domain, I am going to add an entry to my client’s hosts file to simulate a real-world scenario:

WF74

 

Open the Chrome browser and type in https://yourdomainname/RDWeb. Enter your domain credentials. The calculator will be listed as an application. Clicking calc will open a remote session as shown below.

WF75

 

As you can see here, the calculator is running on the remote server. Your local task manager lists the app under RD connection.

WF76

 

Final Thoughts

As you can see, it is very easy to enable remote access for your workforce. Keep in mind that we have covered just the basics, and I would strongly recommend enabling MFA on the account before considering remote access for your workforce.