RD gateway

The RD gateway acts as a proxy between a remote user establishing a remote connection and the resources internal to the network. When users connect, they validate the authenticity of the gateway's certificate. The purpose of the RD gateway is to let authorized users connect to internal resources from a remote location on devices that run the Remote Desktop Connection (RDC) client.

The server authentication certificate must meet the following criteria:

  • Must be a computer certificate
  • The extended key usage must be server authentication (OID 1.3.6.1.5.5.7.3.1)
  • The subject name of the certificate must match the DNS name the client will use to establish the connection.
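The three criteria above can be verified against the certificate in the local computer store before it is bound to the gateway. The following PowerShell function is an added example, not part of the original page or Microsoft's tooling; the thumbprint and the gateway name `rdg.corp.example` are placeholders for your own values.

```powershell
# Added example: check a LocalMachine certificate against the RD Gateway
# server-authentication criteria (computer cert, Server Authentication EKU,
# name match) plus the chain/validity test the RDC client itself performs.
function Test-RdGatewayCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # placeholder: cert to inspect
        [Parameter(Mandatory)] [string] $GatewayFqdn   # placeholder: name clients type
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $findings = [System.Collections.Generic.List[string]]::new()

    # Criterion 1: a computer certificate lives in LocalMachine\My and has its private key
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { $findings.Add('No private key: not usable as a computer certificate') }

    # Criterion 2: Extended Key Usage must contain Server Authentication
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq $serverAuthOid)
    if (-not $hasServerAuth) { $findings.Add("EKU lacks Server Authentication ($serverAuthOid)") }

    # Criterion 3: the DNS name clients use must match the subject CN or a SAN DNS entry.
    # The "DNS Name=" label comes from the Windows formatter and is locale-dependent.
    $names = @()
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } | ForEach-Object { $_ -replace '^DNS Name=', '' }
    }
    $match = $names | Where-Object { $GatewayFqdn -like $_ }   # -like also handles wildcard certs
    if (-not $match) { $findings.Add("Neither subject CN nor SAN matches $GatewayFqdn (found: $($names -join ', '))") }

    # What the client additionally checks: chain builds to a trusted root, not expired or revoked
    if (-not $cert.Verify()) { $findings.Add('Chain/validity check failed (untrusted issuer, revoked, or expired)') }

    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Subject    = $cert.Subject
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage with placeholder values:
# Test-RdGatewayCertificate -Thumbprint 'PLACEHOLDER_THUMBPRINT' -GatewayFqdn 'rdg.corp.example' | Format-List
```

Run it on the gateway itself, since `Verify()` uses that machine's trust store, which is not necessarily the same as the trust store of the remote clients.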

Server farm:

In a medium to large organization, one server will not suffice, so a server farm will be necessary.

A server farm consists of two or more servers with the same configuration that appear to the client as a single entity. There can be up to 32 servers in a cluster.

In a multi-server environment, connection requests no longer go to a server directly; they go through the connection broker and the load balancer.

Server farms are integrated with the load balancing feature to ensure better workload distribution, fault tolerance, performance, and scalability.

RD licensing:

The licensing grace period ends when either of the following conditions is met:

  • A permanent Terminal Services client access license (TS CAL) is issued by a license server to a client connecting to the terminal server (Windows Server 2008 or 2003), or a permanent Remote Desktop Services client access license (RDS CAL) is issued by a license server to a client (Windows Server 2008/R2, 2012/R2, 2016).
  • The number of days in the grace period is exceeded (120 days for Windows Server 2003 and 2008).


Best practices:
  1. For performance purposes, install the RD licensing role service on a server separate from the Remote Desktop Session Host, especially in larger environments.
  2. Become familiar with the three panes in the RD Services Manager and the tabs and settings available; there are many settings in each pane and tab.
  3. Frequently monitor processes and user sessions to determine if corrective actions need to be taken or if a process or session needs to be terminated.
  4. Many of the actions that you frequently perform can be performed faster through the command-line interfaces; thus, learn and use the command line for actions that you perform frequently.
  5. Understand your operational environment and limit the number of simultaneous connections allowed and the session time limits accordingly.
  6. Establish a corporate policy for remotely controlling a user’s session so all employees are aware of the potential and the activities performed when remotely controlling a session.
  7. Establish a corporate policy for controlling and maintaining the CALs.
  8. Ensure that the settings for the RD gateway adhere to the corporate security standards and policies to ensure that remote clients establish a secure and encrypted connection, if applicable.
  9. Explore the RD gateway server properties to see which settings are needed to adhere to security standards and policies, such as the SSL certificate, auditing, and SSL bridging.
  10. Configure network load balancing (NLB) to increase performance, availability, and scalability for the clients supported. Ensure that this is monitored to verify the desired results.


Lab reflection

Create a new user or user group to log on RDC:

By default, Domain Users can log on to the RDC and RDC app and see the icons in the RDC Web page, but when they try to connect they get the error "not have the permission to Accessing Terminal Services". This is because only the Administrators group can log on by default. So we can either add the user to the Administrators group or give Domain Users permission to log on remotely. Of course, we cannot add a new user to the Administrators group so easily. So, I found the following solution after research.

After creating the new user and adding it to the Domain Users group, open the Local Group Policy Editor by running "gpedit.msc", then navigate to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. Find and double-click "Allow log on through Remote Desktop Services", click "Add User or Group", and add the "Domain Users" group (or just the new user, if you prefer). After that, open CMD and run gpupdate to refresh the local group policy.


Reference


Licensing: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-client-access-license