Deployment document for Remote Desktop Services

In the last two weeks I learnt how to deploy Remote Desktop Services: I deployed an environment with single sign-on and network load balancing. It contains a web portal server (which is also the RD Gateway server) and a farm with two session host servers. I need to write the deployment document in English, and it is a good opportunity to improve my English writing skill, so I am writing this blog in English. I think it is so simple that every programmer can understand it, and it also serves as a good document for RDS. Of course, there are some deployment documents about RDS on MSDN, but most of them were written in 2008 and are based on Vista, while my document is based on Windows 2008 and Windows 7, so you should be able to follow it.

OK, enough talk, let's read the document.

 

1. Requesting and installing certificates, step by step

In a standard environment there are several roles: the web portal server (RD Web Access), the RD Gateway server, the RD Connection Broker server (it keeps track of every session host in the farm and is used for load balancing), and the presentation servers (RD Session Hosts). All of them are role services of Remote Desktop Services.

To implement SSO we need certificates for the different roles:

a. The web portal server can be the RD Gateway server at the same time, so these two roles can share one certificate.

b. The RD Connection Broker server and the presentation servers share a second certificate.

This section describes how to request these two certificates. It assumes that Active Directory Certificate Services is installed on the certificate server.

 

To request a certificate for the web portal server (the RD gateway server)

The web portal and the RD Gateway need a certificate for SSL. As long as the clients trust the issuing CA and the certificate's subject name matches the host name they connect to, they will trust the web portal and the RD Gateway.

1. Remote logon to the web portal server, click Start at the bottom left of your desktop, point to Administrative Tools, and click Server Manager.

2. On the Server Manager page, expand Server Manager (hostname) -> Roles -> Web Server (IIS) -> Internet Information Services (IIS) Manager.

3. Under Internet Information Services (IIS) Manager, click the host name (domain user name), find the icon called Server Certificates, and double-click it.

4. Click Create Certificate Request... on the right side of the page (under Actions).

5. On the Request Certificate page, fill in the fields as prompted. The Common name must be the fully qualified domain name (FQDN) that clients will use to reach the web portal server; if it does not match, browsers and Remote Desktop clients warn about the certificate and SSO will not work. Click Next.

6. The defaults are Microsoft RSA SChannel Cryptographic Provider and a 1024-bit key. Keep the provider, but choose a bit length of 2048: a 1024-bit RSA key is no longer considered strong enough for a TLS server certificate. Click Next.

7. Choose a text file to save the request (CSR) string to; if the file does not exist it is created when you click Finish.

8. Open the text file and copy the request string to the clipboard.

9. Open IE and browse to the web enrollment site of the certificate service (the URL looks like https://hostname/certsrv).

10. Click Request a certificate, click advanced certificate request, and then click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

11. Under Submit a Certificate Request or Renewal Request, paste the request string into Saved Request, select Web Server as the Certificate Template, and click Submit. If a confirmation box pops up, click Yes.

12. Select Base 64 encoded, click Download Certificate, and save the certificate file.

 

To complete the certificate request

After the certificate has been issued, complete the request in IIS so that the web server can use it for sites configured for SSL.

1. Under Internet Information Services (IIS) Manager, click the host name (domain user name), find the icon called Server Certificates, and double-click it.

2. Click Complete Certificate Request... on the right side of the page (under Actions).

3. On the Complete Certificate Request page, choose the certificate file. The friendly name is only a label and does not have to match the subject name. Click OK; the certificate now appears under Server Certificates.

4. This certificate will be used as the SSL certificate for both the web portal and the RD Gateway.

 

To request a certificate for the presentation server

When we deploy RDS with network load balancing, the default behaviour of RDS is to connect to the first presentation server in the farm. (Which machine is the first presentation server? Ping the farm name; the machine whose IP address is returned is the first presentation server.) The subject name of the certificate must therefore be the FQDN of the first presentation server; if you do not follow this convention, SSO may fail.

So let's follow the steps below:

1. Remote logon to the first presentation server, click Start at the bottom left of your desktop, and click Run.

2. Enter MMC and click OK. If a message box pops up, click Yes.

3. In the Console1 window, click File, then click Add/Remove Snap-in.

4. In the Add or Remove Snap-ins dialog box, under Available snap-ins, double-click Certificates.

5. In the Certificates snap-in dialog box, select the Computer account radio button, click Next, click Finish, and then click OK.

6. Under Console1 - [Console Root], expand Console Root -> Certificates (Local Computer) -> Personal -> Certificates, right-click Certificates, point to All Tasks, and click Request New Certificate.

7. In the Certificate Enrollment wizard, at the Before You Begin step, click Next.

8. At the Select Certificate Enrollment Policy step, click Next.

9. At the Request Certificates step, select the Computer checkbox, click the Details arrow next to it, and then click Properties. On the Private Key tab, expand Key options, select the Make private key exportable checkbox, and click OK. Click Enroll, then Finish. The new certificate appears in the centre pane of the window; its subject is the FQDN of this server, as required above.

10. Right-click the certificate, point to All Tasks, and click Export.

11. In the Certificate Export Wizard, choose Yes, export the private key, choose a path to save to, and set a password. Click Finish.

12. The resulting ".pfx" file will be imported into the Personal store of the local computer on all the presentation servers and on the RD Connection Broker server. It contains the private key, so copy it over a protected channel, keep the password out of scripts, and delete the copies once every server has imported it.
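Before copying the .pfx around, it is worth checking that each certificate actually carries the name, key size and usage RDS needs. The following PowerShell is an added example written for this page, not part of the original guide or of any Microsoft tool; the FQDNs in the usage lines are placeholders, and it assumes an elevated PowerShell 2.0 or later session on the server being checked.

```powershell
# Added check, not part of the original guide: inspect the computer's Personal
# certificate store and flag the problems that break RDS TLS or SSO.
# Assumptions: elevated PowerShell on the server being checked (Windows Server
# 2008 R2 / PowerShell 2.0 or later); the FQDNs passed in are placeholders.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, required on both certificates

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject CN plus every "DNS Name=" entry of the Subject Alternative Name extension
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($part in ($san.Format($false) -split ',')) {
            if ($part -match 'DNS Name=(\S+)') { $names += $Matches[1] }
        }
    }
    $names | Select-Object -Unique
}

function Test-RdsCertificate {
    param(
        [string]$ExpectedDnsName,       # web portal/gateway FQDN, or the first presentation server's FQDN
        [int]$MinKeyBits = 2048,         # the IIS wizard default of 1024 bits is too weak
        [switch]$RequireExportableKey    # the session host certificate must be exportable to a .pfx
    )
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $problems = @()
        $names = @(Get-CertDnsNames $cert)
        if ($names -notcontains $ExpectedDnsName) { $problems += "name mismatch (certificate has: $($names -join ', '))" }

        $bits = $cert.PublicKey.Key.KeySize
        if ($bits -lt $MinKeyBits) { $problems += "key is only $bits bits" }

        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        elseif ($RequireExportableKey) {
            try {
                if (-not $cert.PrivateKey.CspKeyContainerInfo.Exportable) { $problems += 'private key not exportable' }
            } catch { $problems += "private key not accessible: $($_.Exception.Message)" }
        }

        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter.ToShortDateString())" }

        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekuOids = @()
        if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($ekuOids -notcontains $ServerAuthOid) { $problems += 'no Server Authentication EKU' }

        # Build() walks to a root in this machine's Trusted Root store, which is what the
        # RD Connection Broker and session hosts check; clients need the same root installed.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($cert)) { $problems += 'chain not trusted on this machine' }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            DnsNames   = ($names -join ', ')
            Ok         = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Usage (placeholder names). On the web portal / gateway server:
#   Test-RdsCertificate -ExpectedDnsName 'rdweb.contoso.com' | Format-Table Subject, Ok, Problems -AutoSize
# On the first presentation server, before exporting the .pfx:
#   Test-RdsCertificate -ExpectedDnsName 'rdsh01.contoso.com' -RequireExportableKey | Format-Table Subject, Ok, Problems
```

Run it once on the web portal server with the portal's FQDN and once on the first presentation server with that server's FQDN (the name the farm name resolves to). Any row with Ok = False tells you which of the steps above to redo before you go on to install the roles; a name mismatch or an untrusted chain are the two findings that most often show up later as "SSO does not work".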

 

2.     Installing Remote Desktop Services

Based on the requirements of our production environment, we need the four roles below:

a. Web Portal Server (RD Web Access): publishes RemoteApp programs and remote desktops to users through a web interface.

b. RD Gateway Server: lets authorized users connect to remote desktops over the Internet.

The two servers above can be deployed on one machine.

c. RD Connection Broker Server: enumerates the presentation servers and distributes and reconnects sessions across them.

d. RD Session Host Server (presentation server): the RemoteApp programs run on this server.

 

To install Remote Desktop Services on the web portal server

1. Click Start at the bottom left of your desktop, point to Administrative Tools, and then click Server Manager.

2. On the Server Manager page, expand Server Manager (computer name) -> Roles, right-click Roles, and click Add Roles.

3. In the Add Roles Wizard, click Next. In the list of roles in the middle of the page, select Remote Desktop Services and Web Server (IIS), then click Next.

4. The wizard shows an introduction to Remote Desktop Services; click Next.

5. At the Select Role Services step, select the Remote Desktop Web Access and Remote Desktop Gateway checkboxes. If a message box pops up, click Add Required Role Services, then click Next.

6. At the Server Authentication Certificate step, select the certificate requested for the web portal server in section 1 from the list, and click Next.

7. At the Authorization Policies step, select the Now radio button, and click Next.

8. At the RD Gateway User Groups step, add the domain user group(s) that are allowed through the gateway, and click Next.

9. At the RD CAP step, keep the default settings and click Next.

10. At the RD RAP step, select the Allow users to connect to any computer on the network radio button. This is the quickest option, but it turns the gateway into a path to every RDP host on the internal network. For production, prefer Allow users to connect only to computers in the following group and name a computer group that contains only the session hosts in the farm; you can change this later in RD Gateway Manager under Policies -> Resource Authorization Policies.

11. At the Network Policy and Access Services step, click Next.

12. At the Role Services step, keep the default settings and click Next.

13. At the Confirm Installation Selections step, click Install.

14. Ignore the warning message, click Close, click Yes, and restart the computer.

 

To install Remote Desktop Services on the RD Connection Broker server

1. Click Start at the bottom left of your desktop, point to Administrative Tools, and then click Server Manager.

2. On the Server Manager page, expand Server Manager (computer name) -> Roles, right-click Roles, and click Add Roles.

3. In the Add Roles Wizard, click Next. In the list of roles in the middle of the page, select Remote Desktop Services, then click Next.

4. The wizard shows an introduction to Remote Desktop Services; click Next.

5. At the Select Role Services step, select the Remote Desktop Connection Broker checkbox, and click Next.

6. At the Confirm Installation Selections step, click Install.

7. Ignore the warning message, click Close, click Yes, and restart the computer.

 

To install Remote Desktop Services on the RD Session Host server (presentation server)

1. Click Start at the bottom left of your desktop, point to Administrative Tools, and then click Server Manager.

2. On the Server Manager page, expand Server Manager (computer name) -> Roles, right-click Roles, and click Add Roles.

3. In the Add Roles Wizard, click Next. In the list of roles in the middle of the page, select Remote Desktop Services, then click Next.

4. The wizard shows an introduction to Remote Desktop Services; click Next.

5. At the Select Role Services step, select the Remote Desktop Session Host checkbox. If a message box pops up, click Add Required Role Services. Click Next.

6. At the Specify Authentication Method step, this guide selects Do not require Network Level Authentication (keep the default application compatibility setting). Be aware that Windows 7 clients support NLA, and requiring it makes the session host authenticate the user before any session or logon screen is created, so an unauthenticated attacker never reaches the logon UI. Choose Require Network Level Authentication unless you must support older clients. Click Next.

7. At the Specify Licensing Mode step, choose Configure later. Click Next.

8. At the Select User Groups step, add the tenant user group that is allowed to connect to this presentation server. Click Next.

9. At the Configure Client Experience step you can enable features such as audio and video playback and audio recording redirection.

10. On the Confirm Installation Selections page, click Install.

11. Ignore the warning message, click Close, click Yes, and restart the computer.
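The three wizard walkthroughs above install the same role services on every server by hand. The PowerShell below is an added example for this page (not the original author's procedure and not a Microsoft script) that does the same with the ServerManager module and then applies the NLA hardening mentioned in step 6. It assumes Windows Server 2008 R2, an elevated PowerShell session, and the feature names as printed by Get-WindowsFeature on that release; the host names in the usage lines are placeholders.

```powershell
# Added example, not part of the original guide: install the same role services
# the Add Roles wizard installs, then tighten the session host's authentication.
# Assumptions: Windows Server 2008 R2 with the ServerManager PowerShell module,
# elevated PowerShell, and the feature names as printed by Get-WindowsFeature on
# that release (check them there if your build differs).
Import-Module ServerManager

$RoleServices = @{
    WebPortal   = @('RDS-Web-Access', 'RDS-Gateway', 'Web-Server')  # RD Web Access + RD Gateway on one server
    Broker      = @('RDS-Connection-Broker')
    SessionHost = @('RDS-RD-Server')                                  # RD Session Host (presentation server)
}

function Install-RdsRole {
    param([ValidateSet('WebPortal', 'Broker', 'SessionHost')][string]$Role)
    $features = $RoleServices[$Role]
    $missing = @(Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed })
    if ($missing.Count -eq 0) { Write-Host "$Role role services already installed"; return $true }
    # Add-WindowsFeature resolves required dependencies (IIS, NPS for the gateway) itself
    $result = Add-WindowsFeature -Name $features
    if ($result.Success -and $result.RestartNeeded -eq 'Yes') { Write-Warning 'Restart required before continuing' }
    return [bool]$result.Success
}

function Set-SessionHostNla {
    # The wizard step above chooses "Do not require NLA". Windows 7 clients support NLA,
    # so require it unless older clients must be served: NLA authenticates the user before
    # a session and logon screen are created for an unauthenticated peer.
    param([bool]$Require = $true)
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    $ts.SetUserAuthenticationRequired([int]$Require) | Out-Null
    # Re-read the setting so the caller sees what the server actually enforces
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    return ($ts.UserAuthenticationRequired -eq [int]$Require)
}

# Usage (placeholder names):
#   Install-RdsRole WebPortal      # on the web portal / gateway server; afterwards select the
#                                  # certificate and create the RD CAP / RD RAP in RD Gateway Manager
#   Install-RdsRole Broker         # on the RD Connection Broker
#   Install-RdsRole SessionHost    # on each presentation server, then after the restart:
#   Set-SessionHostNla $true
```

Add-WindowsFeature only installs the binaries. The certificate binding, connection and resource authorization policies and the user group for the session host still have to be set in RD Gateway Manager and RD Session Host Configuration, exactly as the wizard steps above describe, so use the script to make the installation repeatable across the farm, not to skip those steps.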

 

3. Implementing a load-balanced presentation server farm by using RD Connection Broker

With a load-balanced presentation server farm, you can scale beyond the capacity of a single RD Session Host server by distributing Remote Desktop Services sessions across multiple servers. You can configure a load-balanced farm by using the RD Connection Broker Load Balancing feature, Network Load Balancing (NLB), or a third-party solution. RD Connection Broker also lets a user reconnect to an existing session in a load-balanced farm instead of being given a new session on another server.

There are four steps required to create and configure a load-balanced RD Session Host server farm with RD Connection Broker Load Balancing.

Step 1: Install the RD Connection Broker role service on the server that you want to use to track user sessions for the farm. (Done above.)

Step 2: Add each presentation server in the farm to the Session Broker Computers local group

1. On the RD Connection Broker server, click Start, point to Administrative Tools, and then click Computer Management.

2. In the left pane, expand Local Users and Groups, and then click Groups.

3. In the middle pane, right-click the Session Broker Computers group, and then click Properties.

4. On the General tab, click Add.

5. In the Select Users, Computers, or Groups dialog box, click Object Types.

6. Select the Computers checkbox, and then click OK.

7. Locate and add the computer account for each presentation server that you want to add.

8. When you are finished, click OK.

 

Step 3: Configure the presentation servers to join a farm in RD Connection Broker

1. On the presentation server, open Remote Desktop Session Host Configuration: click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.

2. In the Edit settings area, under RD Connection Broker, double-click Member of farm in RD Connection Broker.

3. On the RD Connection Broker tab of the Properties dialog box, click Change Settings.

4. In the RD Connection Broker Settings dialog box, click Farm member.

5. In the RD Connection Broker server name box, type the name of the RD Connection Broker server.

6. In the Farm name box, type the name of the farm that you want to join in RD Connection Broker.

Important

RD Connection Broker uses the farm name to determine which servers are in the same presentation server farm. You must use the same farm name for all servers in the same load-balanced farm. If you type a new farm name, a new farm is created in RD Connection Broker and the server is joined to it. If you type an existing farm name, the server joins the existing farm.

Although the farm name in RD Connection Broker does not have to be registered in Active Directory Domain Services, we recommend that you use the same name that you will use in DNS for the farm. The farm name in DNS is the virtual name that clients use to connect to the farm. For more information, see Configure DNS for RD Connection Broker Load Balancing.

7. Click OK to close the RD Connection Broker Settings dialog box.

8. To participate in RD Connection Broker Load Balancing, select the Participate in Connection Broker Load-Balancing checkbox.

9. Optionally, in the Relative weight of this server in the farm box, modify the server weight. By default the value is 100. The weight is relative: if you assign one server a value of 50 and another a value of 100, the server with weight 50 receives half as many sessions.

10. Verify that you want to use IP address redirection. By default, the Use IP address redirection setting is enabled.

11. In the Select IP addresses to be used for reconnection box, select the checkbox next to each IP address that you want to use.

12. When you are finished, click OK.

13. Confirm that, after these steps, the RD Session Host Configuration console shows the server as a member of the farm name you entered.

14. In RemoteApp Manager, add the programs to publish under RemoteApp Programs.

15. On the User Assignment tab of each program, add the related tenant group so that only those users see the program's icon.

 

Step 4: Configure DNS round-robin entries for the presentation servers in the farm

1. Log on to the DNS server.

2. Expand the server name, expand Forward Lookup Zones, and then expand the domain name.

3. Right-click the appropriate zone and then click New Host (A or AAAA).

4. In the Name (uses parent domain name if blank) box, type the presentation server farm name.

The farm name is the virtual name that clients will use to connect to the farm. Do not use the name of an existing server. For management purposes, we recommend that you use the same farm name that you specified when you configured the presentation servers to join a farm in RD Connection Broker.

5. In the IP address box, type the IP address of a presentation server in the farm.

6. Click Add Host.

7. Repeat steps three through six for each presentation server in the farm.

Important

You must specify the same farm name in the Name (uses parent domain name if blank) box for each DNS entry.

For example, if you have three presentation servers in a farm named FARM1, with IP addresses 192.168.1.20, 192.168.1.21, and 192.168.1.22, the entries look like this:

Name    Type      Data
FARM1   Host (A)  192.168.1.20
FARM1   Host (A)  192.168.1.21
FARM1   Host (A)  192.168.1.22

8. When you are finished, click Done.
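The same records can be created with dnscmd.exe, and it is worth checking from a client what the farm name really resolves to, because the first answer is the "first presentation server" whose FQDN the session host certificate must carry (section 1). The PowerShell below is an added example for this page, not part of the original guide; the DNS server, zone and addresses are placeholders that match the FARM1 example above, and it assumes DNS administration rights on the server it targets.

```powershell
# Added example, not part of the original guide: create the round-robin A records
# with dnscmd.exe and then check what a client will actually resolve.
# Assumptions: run with DNS admin rights against a DNS server you manage;
# $DnsServer, the zone and the addresses are placeholders (they match the FARM1
# example above).
function Add-FarmRoundRobin {
    param([string]$DnsServer, [string]$Zone, [string]$FarmName, [string[]]$Addresses)
    foreach ($ip in $Addresses) {
        # Same node name for every record: that is what makes DNS rotate the answers
        & dnscmd $DnsServer /RecordAdd $Zone $FarmName A $ip | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dnscmd failed to add $FarmName -> $ip" }
    }
}

function Test-FarmRoundRobin {
    param([string]$FarmFqdn, [string[]]$Expected)
    try {
        $resolved = @([System.Net.Dns]::GetHostAddresses($FarmFqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        return New-Object PSObject -Property @{ Ok = $false; Error = $_.Exception.Message }
    }
    $missing = @($Expected | Where-Object { $resolved -notcontains $_ })
    $extra   = @($resolved | Where-Object { $Expected -notcontains $_ })
    # The first answer is the "first presentation server" of section 1: the session host
    # certificate's subject must be this host's FQDN. A record left behind for a host that
    # was removed from the farm shows up as an Extra address.
    $firstHost = $null
    if ($resolved.Count -gt 0) {
        try { $firstHost = [System.Net.Dns]::GetHostEntry($resolved[0]).HostName } catch { $firstHost = '(no PTR record)' }
    }
    New-Object PSObject -Property @{
        Resolved  = ($resolved -join ', ')
        Missing   = ($missing -join ', ')
        Extra     = ($extra -join ', ')
        FirstHost = $firstHost
        Ok        = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Usage (placeholder names):
#   Add-FarmRoundRobin -DnsServer 'dc01.contoso.com' -Zone 'contoso.com' -FarmName 'FARM1' `
#                      -Addresses '192.168.1.20','192.168.1.21','192.168.1.22'
#   ipconfig /flushdns   # otherwise a cached answer hides the change
#   Test-FarmRoundRobin -FarmFqdn 'farm1.contoso.com' -Expected '192.168.1.20','192.168.1.21','192.168.1.22'
```

Keep in mind that DNS round robin does no health checking: a session host that is down is still handed out until its record is removed, and the RD Connection Broker can only redirect a client after that first connection succeeds. Remove the A record as part of decommissioning a host, and re-run the check afterwards so that FirstHost still matches the certificate.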

 

4.     Configuring Web SSO

4.1 Configuring Web SSO when using RD Connection Broker mode

There are 4 steps required to configure Web SSO when using RD Connection Broker.

Membership in the local Administrators group, or equivalent, on the specific server that you plan to configure is the minimum required to complete each of the following steps.

Step 1: Add the RD web portal server to the TS Web Access Computers group on the RD Connection Broker server

1. On the RD Connection Broker server, click Start, point to Administrative Tools, and then click Computer Management.

2. In the left pane, expand Local Users and Groups, and then click Groups.

3. In the right pane, double-click TS Web Access Computers.

4. In the TS Web Access Computers Properties dialog box, click Add.

5. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

6. In the Object Types dialog box, select the Computers checkbox, and then click OK.

7. In the Enter the object names to select box, specify the computer accounts of the RD web portal server and the RD Connection Broker server, and then click OK.

8. Click OK to close the TS Web Access Computers Properties dialog box.

 

Step 2: Add the presentation server farm as a RemoteApp source on the RD Connection Broker server

1. On the RD Connection Broker server, open Remote Desktop Connection Manager: click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.

2. In the left pane, click RemoteApp Sources, and then on the Action menu, click Add RemoteApp Source.

3. In the Add RemoteApp Source dialog box, in the RemoteApp source name box, type the DNS name of the presentation server farm that is hosting the RemoteApp programs, and then click Add.

Note

Do not enter the name of each presentation server in the farm. If you do, users will see multiple instances of the RemoteApp program icons.

4. The RemoteApp source name appears in the centre pane. To add more RemoteApp sources, repeat the previous steps.

 

Step 3: Add the RD Connection Broker server to the TS Web Access Computers group on each presentation server

1. On the presentation server, click Start, point to Administrative Tools, and then click Computer Management.

2. In the left pane, expand Local Users and Groups, and then click Groups.

3. In the right pane, double-click TS Web Access Computers.

4. In the TS Web Access Computers Properties dialog box, click Add.

5. In the Select Users, Computers, or Groups dialog box, click Object Types.

6. In the Object Types dialog box, select the Computers checkbox, and then click OK.

7. In the Enter the object names to select box, specify the computer account of the RD Connection Broker server, and then click OK.

8. Click OK to close the TS Web Access Computers Properties dialog box.
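Step 2 of section 3 and steps 1 and 3 of this section are all the same operation: putting a computer account into a local group that RD Connection Broker or RD Web Access authorises by membership. The PowerShell below is an added example for this page, not the original author's procedure and not a Microsoft script, that does it idempotently and re-reads the group to verify. It assumes an elevated session on the server whose group is edited, English-language output from net.exe (the parser depends on it), and placeholder names CONTOSO, RDCB01, RDWEB01, RDSH01 and RDSH02.

```powershell
# Added example, not part of the original guide: add computer accounts to the
# local groups that RD Connection Broker and RD Web Access authorise by group
# membership, idempotently, and verify the result by re-reading the group.
# Assumptions: elevated PowerShell on the server whose local group is edited,
# English-language output from net.exe (which the parser below relies on), and
# placeholder names CONTOSO, RDCB01, RDWEB01, RDSH01/RDSH02.
function Get-LocalGroupMembers {
    param([string]$Group)
    $lines = & net localgroup "$Group" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "Local group '$Group' not found: $lines" }
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{10,}') { $inList = $true; continue }   # dashed line precedes the member list
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line.Trim()) { $line.Trim() }
    }
}

function Add-ComputerToLocalGroup {
    param([string]$Group, [string]$Domain, [string]$Computer)
    $account = "$Domain\$Computer`$"      # computer accounts are the host name with a trailing '$'
    if (@(Get-LocalGroupMembers $Group) -contains $account) { return $true }
    & net localgroup "$Group" $account /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add $account to '$Group'" }
    return (@(Get-LocalGroupMembers $Group) -contains $account)
}

# Usage (placeholder names).
# On the RD Connection Broker (section 3 step 2 and section 4.1 step 1):
#   'RDSH01','RDSH02' | ForEach-Object { Add-ComputerToLocalGroup 'Session Broker Computers' 'CONTOSO' $_ }
#   'RDWEB01','RDCB01' | ForEach-Object { Add-ComputerToLocalGroup 'TS Web Access Computers' 'CONTOSO' $_ }
# On each presentation server (section 4.1 step 3):
#   Add-ComputerToLocalGroup 'TS Web Access Computers' 'CONTOSO' 'RDCB01'
```

Membership in these groups is what lets a machine query the broker for session state and the session hosts for their RemoteApp lists, so keep them to exactly the RDS servers: run Get-LocalGroupMembers on each server after the change and remove anything that is not a broker, web portal or session host. The same function also covers the Remote Desktop Users group in section 5 when a user group rather than a computer account is passed.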

 

Step 4: Specify the certificate on the RD Connection Broker server and digitally sign the RemoteApp programs on each presentation server

Note

The certificate used for digitally signing RemoteApp programs must be the same on every presentation server and on the RD Connection Broker server: it is the certificate requested on the first presentation server in section 1 and distributed as a .pfx file.

1. On the RD Connection Broker server, open Remote Desktop Connection Manager: click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.

2. Select the root node, 'Remote Desktop Connection Manager: <RD Connection Broker Machine Name>'.

3. In the middle pane, in the Status area, click Specify next to Digital certificate.

4. Select the certificate created at the beginning of this guide (the one exported from the first presentation server).

5. Repeat the same choice on each presentation server that provides RemoteApp programs through RemoteApp and Desktop Connection: in RemoteApp Manager, under Digital Signature Settings, choose to sign with a digital certificate and select the same certificate.

 

4.2 Configuring the client computer for Web SSO

The 'Trusted Certificate Authority Root' certificate (the root of the CA that issued both certificates) must be imported into the Trusted Root Certification Authorities store on the client computer and on the presentation servers and the RD Connection Broker machine. The 'Certificate for Signing RemoteApp Programs' certificate (the .pfx exported in section 1) must be imported into the Personal store of the local computer on the presentation servers and the RD Connection Broker machine. If the client does not trust the root, the signed RemoteApp files are treated as coming from an unknown publisher and Web SSO does not work.

  

4.3 Web SSO with RD Gateway

In our environment the gateway server and the web portal server are the same server, so they share the same SSL certificate. On the gateway server, make sure the SSL certificate from section 1 is the one selected in RD Gateway Manager (server properties, SSL Certificate tab).

Membership in the local Administrators group (or equivalent) on the presentation server that you plan to configure is the minimum requirement to complete each of the following steps.

1. On the presentation server, open RemoteApp Manager: click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.

2. In the Actions pane of RemoteApp Manager, click RD Gateway Settings. (Or, in the Overview pane, next to RD Gateway Settings, click Change.)

3. Select Use these RD Gateway server settings.

4. In the Server name box, type the FQDN of the RD Gateway server. It must match the subject name of the gateway's SSL certificate, otherwise clients reject the gateway.

5. In the Logon method box, select Ask for password (NTLM).

6. Select the Use the same user credentials for RD Gateway and RD Session Host (presentation) server checkbox.

7. Click OK to close the RemoteApp Deployment Settings dialog box.

8. Apply the same settings on the RD Connection Broker server (RD Gateway Settings in Remote Desktop Connection Manager).

 

5. Enabling full remote desktop access (not recommended)

If the partner permits tenant users to log on to a full desktop on the presentation servers, rather than only RemoteApp programs, do the following.

1. On each presentation server, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.

2. In the Actions pane of RemoteApp Manager, click RD Session Host Server Settings.

3. Select Show a remote desktop connection to this RD Session Host server in RD Web Access.

4. Click Start, point to Administrative Tools, and then click Computer Management.

5. In the left pane, expand Local Users and Groups, and then click Groups.

6. Double-click Remote Desktop Users.

7. Add the related tenant group, and only that group, so that only those users can log on. A full desktop exposes the whole server (Explorer, the command prompt, local drives) rather than one published application, which is why this is not recommended.

  
