RDS: A Saving Grace for Businesses Affected by COVID-19

By Jamie Pleasants, in Blog, 31 Mar 2020

Working from home has become common across many businesses these days due to COVID-19. Even if this isn’t the reason that you or other employees are working remotely, having the ability to quickly and securely access important company applications, such as QuickBooks, from anywhere can be a great asset to your company. As some may know, even if QuickBooks is installed on a user’s laptop, it may or may not work when a VPN tunnel sits between the user and the QuickBooks company file. If it works, it will be extremely slow, to the point that some actions take minutes. This is not an efficient use of personnel or company resources.

In this blog, we’ll go step-by-step through creating a Remote Desktop Services deployment in order to allow you or your users efficient access to company applications from anywhere as if they were installed on their individual computers.

If the process seems a bit too involved, feel free to reach out to the SAM IT team at [email protected] and we can provide a quote to complete everything for you. We also provide application migration services and can host your applications in our secure datacenter environment.

Requirements:

  • Windows Server 2012 R2 or greater (Standard or Datacenter)
  • Remote Desktop Service Client Access Licenses (RDS CALs)
  • Active Directory
  • SSL Certificate
  • Networking knowledge to set up port forwarding
  • Config files
  1. Ensure your version of Windows Server is NOT an Essentials version. RDS CALs cannot be used on Essentials. Use Standard or Datacenter editions
  2. Be sure to rename the Windows Server to something you can easily identify, if not already done.
  3. Ensure a static IP is assigned to the server
  4. Ensure Windows Server is up to date
  5. If you do not have Active Directory, one will need to be set up. Azure Active Directory will not work. An on-premises AD is necessary. Join the server to the domain.
    1. An excellent resource for creating a domain is here, if needed: https://www.youtube.com/watch?v=h3sxduUt5a8
  6. Within Server Manager on the server, go to Manage at the top and then click Add Roles and Features.
  7. In Installation Type, click Remote Desktop Services Installation and Next
  8. Choose Quick Start and Next
  9. Choose Session-based desktop deployment and Next
  10. You will need to choose to allow restart to continue with the installation
  11. For the next part, you will need an SSL certificate, and you will need to import it to the server. Once the SSL certificate has been generated, the easiest way to create a package that is easy to import is to use the tool here: https://decoder.link/converter
    1. Choose PEM to PKCS#12 option
    2. You will need the certificate, the private key and the bundle file and to create a password. Special characters other than ‘!’ should be avoided for the password.
    3. Once the PFX file has been generated and you have downloaded it, move it over to the server if you haven’t already and then double-click it and import to the Local Computer account. Use the same password you created a few moments ago. Upload this certificate into IT Glue and document the password you created.
  12. Go back to Server Manager on the server and go to Remote Desktop Services on the left and then Overview
  13. At the Deployment Overview section, click the dropdown labeled Tasks and click Edit Deployment Properties
    1. Click Certificates and then for each of the available 3 options, you will need to click Select existing certificate and then Choose a different certificate
      1. Select the certificate that you moved to the server; the password is the one you created in step 11.2
      2. You will need to click Apply after each one. All of them cannot be done at once
  14. Back in Server Manager, in Remote Desktop Services->Overview, click the green + for RD Licensing and add the server as an RD Licensing server
  15. In the folder where this document resides, open Add RDS SH and Services Manager
      1. Move the contents of Desktop to Desktop on the server
      2. Move the contents of Windows\System32 to C:\Windows\System32 on the server
      3. Import reg on the server by double-clicking it
  16. Open tsconfig on the desktop
      1. Right-click RDP-Tcp in the Connections section and then click Properties
      2. Ensure Allow connections only from computers running Remote Desktop with Network Level Authentication is unchecked
      3. Make sure the correct Certificate is selected. It should be the FQDN of the expected URL (e.g. qb.yourcompany.com)
      4. Click OK
  17. Open PowerShell as admin on the server and execute the following
      1. Set-ExecutionPolicy -ExecutionPolicy Unrestricted
      2. From the same PowerShell prompt AS ADMIN on the server, change directory to the folder where this document resides (e.g. cd "C:\Users\Administrator\Desktop\RDS Documentation and Files") and then run the script named Set-RDPublishedName from that folder as follows:
        1. .\Set-RDPublishedName "qb.yourcompany.com"
          1. Replace yourcompany.com with the correct FQDN
        2. After success, execute the following:
          1. Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
            1. Additionally, a guide for hardening PowerShell as well as preventing and removing fileless malware can be found here: https://www.samitsolutions.com/fileless-malware-remove-and-prevent-it/
          2. Close PowerShell
  18. Create a user group in Active Directory that will need access to the applications that you will publish and then add the users to it.
    1. Back in Server Manager, go to Remote Desktop Services, Collections and then the Collection that exists.
      1. In the Properties section, click the dropdown labeled Tasks and click Edit Properties
        1. In User Groups section, choose the User Group you just created
        2. In Security section, uncheck Allow connections only from computers running Remote Desktop with Network Level Authentication
        3. Close Properties
        4. In Remote App Programs section, click the dropdown labeled Tasks and Unpublish RemoteApp Programs
          1. Unpublish the default programs
        5. In Remote App Programs section, click the dropdown labeled Tasks and Publish RemoteApp Programs
          1. Publish the necessary applications
  19. A group policy will need to be created on the Domain Controller that specifies the licensing server and type (per user or per device) for Remote Desktop Services
    1. Open Group Policy Management
      1. Expand Forest
      2. Expand Domains
      3. Right-click the domain name and click Create a GPO in this domain, and Link it here
        1. Name it RDS
        2. Right-click the new policy and click Edit
          1. Go to Computer Configuration, Policies, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Licensing
            1. Right-click Use the specified Remote Desktop license servers and choose Enabled and specify the actual, full name of the server (e.g. vQuickbooks.yourcompany.local). Click OK
            2. Right-click Set the Remote Desktop licensing mode, click Enabled and then select the correct mode, usually Per User
  20. You should have already received the RDS CALs (Remote Desktop Services Client Access Licenses) or are in the process of purchasing them.
    1. Once you have them, in Server Manager, go to Tools at the top, Remote Desktop Services and then Remote Desktop Licensing Manager
      1. Expand All services
      2. Right-click the server name
      3. Click Activate Server, Next
      4. Enter the company contact information
      5. If you have the licenses, you can leave Start Install Licenses now checked. Otherwise, uncheck and click Finish
      6. If you started the license installation, just enter the information as provided when you purchased the licenses.
  21. In the folder where this document resides, open the Script to Add Application Shortcuts to Client Desktop folder
    1. Edit wcx with Notepad
      1. Replace qb.yourcompany.com with the correct FQDN
      2. Save
    2. Move the 2 files to the users’ desktop(s) on their computers and then right-click the file named “Right-click and Run with Powershell” and choose Run with PowerShell
    3. The user will need to enter their AD credentials (the ones they already had or the ones you created), and then a folder named “Remote Apps” will be created on their Desktop with any applications they have access to on the server.
  22. Finally, traffic will need to be allowed to the server from outside. In the network firewall, ports 80, 443 and 3389 will need to be opened and a public IP will need to point to the server. I also usually like to add a couple of URL Rewrite rules in IIS to redirect HTTP traffic to HTTPS and to redirect the base domain (qb.yourcompany.com) to the RDS webpage.
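
Steps 11.3 and 13 can also be done from an elevated PowerShell prompt on the server; the following is an added example, not one of the files shipped with this document. The PFX path and broker name are placeholders, and the mapping of the three Deployment Properties entries to the RDRedirector, RDPublishing and RDWebAccess role names is an assumption for a Quick Start deployment without RD Gateway.

```powershell
# Added example: import the PFX and assign it to the three deployment roles.
Import-Module RemoteDesktop

$PfxPath = 'C:\Temp\qb.yourcompany.com.pfx'     # placeholder: where the PFX was copied
$Broker  = 'vQuickbooks.yourcompany.local'      # placeholder: full name of the RDS server

# Prompt for the password from step 11.2 so it is not typed on the command line.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Step 11.3: import into the Local Computer personal store and keep the leaf certificate.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
            -CertStoreLocation 'Cert:\LocalMachine\My' |
        Where-Object { $_.HasPrivateKey } | Select-Object -First 1

if (-not $cert)                     { throw 'No certificate with a private key was imported.' }
if ($cert.NotAfter -lt (Get-Date))  { throw "Certificate expired on $($cert.NotAfter)." }

# Step 13: apply the certificate to each role, one role per call.
$roles = 'RDRedirector', 'RDPublishing', 'RDWebAccess'
foreach ($role in $roles) {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPassword `
        -ConnectionBroker $Broker -Force
}

# Confirm every one of those roles now reports the imported thumbprint.
$mismatch = Get-RDCertificate -ConnectionBroker $Broker |
    Where-Object { "$($_.Role)" -in $roles -and $_.Thumbprint -ne $cert.Thumbprint }

if ($mismatch) {
    $mismatch | Format-Table Role, Level, Thumbprint -AutoSize
    throw 'One or more roles are not using the imported certificate.'
}
"All three roles use certificate $($cert.Thumbprint), valid until $($cert.NotAfter)."
```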
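
A read-only check of what the steps above leave configured on the server, as an added example that is not part of the original post or its script bundle: it reports the NLA setting and certificate on the RDP-Tcp listener (steps 16 and 18), the machine execution policy (step 17), the licensing policy values (step 19) and which of the forwarded ports are listening. The FQDN is the post's placeholder, the registry path is the standard location for Remote Desktop Services policy settings, and the 30-day expiry threshold is an assumption.

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt on the RDS server.
$ExpectedFqdn = 'qb.yourcompany.com'   # placeholder FQDN used throughout the post
$report = @()

# Steps 16 and 18: NLA state and the certificate bound to the RDP-Tcp listener.
$rdp = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$report += [pscustomobject]@{
    Check = 'NLA required on RDP-Tcp'; Value = [bool]$rdp.UserAuthenticationRequired
    Review = -not [bool]$rdp.UserAuthenticationRequired }

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $rdp.SSLCertificateSHA1Hash }
$dnsName = if ($cert) { $cert.GetNameInfo('DnsName', $false) } else { $null }
# -like lets a wildcard certificate name (*.yourcompany.com) match the FQDN.
$report += [pscustomobject]@{
    Check = 'RDP-Tcp certificate name'; Value = $dnsName
    Review = -not ($dnsName -and ($ExpectedFqdn -like $dnsName)) }
$report += [pscustomobject]@{
    Check = 'RDP-Tcp certificate expiry'; Value = $cert.NotAfter
    Review = -not ($cert -and $cert.NotAfter -gt (Get-Date).AddDays(30)) }

# Step 17: the machine-wide policy should no longer be Unrestricted.
$policy = Get-ExecutionPolicy -Scope LocalMachine
$report += [pscustomobject]@{
    Check = 'LocalMachine execution policy'; Value = $policy
    Review = "$policy" -in 'Unrestricted', 'Bypass' }

# Step 19: licensing values delivered by the RDS group policy.
$ts = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ErrorAction SilentlyContinue
$mode = @{ 2 = 'Per Device'; 4 = 'Per User' }[[int]$ts.LicensingMode]
$report += [pscustomobject]@{
    Check = 'Licensing (server / mode)'; Value = "$($ts.LicenseServers) / $mode"
    Review = -not ($ts.LicenseServers -and $mode) }

# Firewall step: which of the forwarded ports the server is listening on.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 80, 443, 3389 } |
    Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
$report += [pscustomobject]@{
    Check = 'Listening on 80/443/3389'; Value = ($listening -join ','); Review = $false }

$report | Format-Table -AutoSize
```

Rows with Review set to True are the ones to look at; NLA shows up there because steps 16 and 18 turn it off while port 3389 is forwarded from outside.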

We are just a phone call (or e-mail) away. You can reach us at +1-919-800-0044 or by email at [email protected]

Jamie Pleasants
Chief Operations Officer
SAM IT Solutions
