RemoteApps in Windows are great. They let us manipulate the application environment more easily and audit activity related to an application in a controlled geography. In more than one environment I have had reasons why printer redirection was not ideal for an application and it needed to be shut off. In most cases we can predict or manage the printer settings for users in that scenario and use scripts to set the default printer based on a predefined security group of the user or the connecting computer. However, there are cases where you need a user to not have their default printer dictated to them, the application being published doesn’t allow you to change the default printer, the users are not permitted to open Devices and Printers on the RD server, and the users are not grouped in a way that makes their default printer assignment realistic.
This seems far-fetched, right? Well, I have now run into two environments where these were all requirements. Since this is the second time I’ve had to do this for a customer, I should document it.
There isn’t any great breakthrough here, but I had to put some time into writing this so I thought that it may help somebody else out.
What I needed was a published RemoteApp that would let the user set their default printer for their session and would take effect immediately. I’m using VBScript in an .hta file to create the form, so it is not precompiled. To get the printers on the RD server we are using WMI. I am assuming something newer than Windows 2000.
A few people a month were asking me to send them this file directly, because they weren’t able to open it from WordPress.
The PDF contains the text for the .hta file.
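To show the shape of such a tool, here is an added example (not the author’s .hta from the PDF): an HTA whose VBScript enumerates the printers visible to the session through the WMI Win32_Printer class and calls its SetDefaultPrinter method on the one the user picks. The IDs, labels and layout are assumptions; nothing typed by the user is used in a query, the choice is limited to the names WMI returned.

```html
<html>
<head>
<title>Set Default Printer</title>
<HTA:APPLICATION ID="SetPrinter" APPLICATIONNAME="SetDefaultPrinter" SINGLEINSTANCE="yes" SCROLL="no" />
<script language="VBScript">
Option Explicit

Dim objWMI
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")

' Fill the list with the printers this session can see on the RD server
' and pre-select the one that is currently the default.
Sub Window_OnLoad
    Dim colPrinters, objPrinter, opt
    Set colPrinters = objWMI.ExecQuery("SELECT Name, Default FROM Win32_Printer")
    For Each objPrinter In colPrinters
        Set opt = document.createElement("option")
        opt.text = objPrinter.Name
        opt.value = objPrinter.Name
        If objPrinter.Default Then opt.selected = True
        lstPrinters.add opt
    Next
End Sub

' Make the selected printer the default for the current user's session.
' SetDefaultPrinter returns 0 on success; the change takes effect at once.
Sub SetDefault
    Dim colPrinters, objPrinter, strName, ret
    strName = lstPrinters.value
    If strName = "" Then Exit Sub
    ' Match by name against a fresh WMI enumeration instead of building a
    ' query string, so only a printer WMI actually returned can be chosen.
    Set colPrinters = objWMI.ExecQuery("SELECT * FROM Win32_Printer")
    For Each objPrinter In colPrinters
        If objPrinter.Name = strName Then
            ret = objPrinter.SetDefaultPrinter()
            If ret = 0 Then
                lblStatus.innerText = "Default printer is now: " & strName
            Else
                lblStatus.innerText = "SetDefaultPrinter failed, return code " & ret
            End If
        End If
    Next
End Sub
</script>
</head>
<body>
<p>Select your default printer for this session:</p>
<select id="lstPrinters" size="10" style="width:400px"></select><br />
<input type="button" value="Set as default" onclick="vbscript:SetDefault" />
<p id="lblStatus"></p>
</body>
</html>
```

Publish mshta.exe with the path to this file as its argument; because the HTA runs as the connecting user, the default it sets is that user’s own session setting and requires no rights on Devices and Printers.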
The test environment:
ISA 2006 on Windows Server 2003 in the DMZ (Proxy1)
SonicWall firewall with the DMZ and LAN directly connected to an interface (GW_FW)
Terminal server (RDServer): RemoteApp server and RD Gateway, Windows Server 2008 R2
Overview of the connection process:
• Client connects to an HTTPS site over the internet.
• NAT at the firewall directs traffic destined for that address on port 443 to ISA on PROXY1 in the DMZ.
  o The ISA listener secures the traffic using SSL.
• ISA creates an HTTPS connection to the Remote Desktop Gateway server (RD Gateway).
  o This uses the internal DNS name for the site.
  o In our case this is in the LAN.
  o Here a private SSL certificate is appropriate because the ISA server is a member of the same domain and trusts the Certificate Authority (CA). If ISA were not on a machine in the same domain as the RD Gateway server then you would need to import a certificate for the CA as a trusted CA.
• IIS on the RD Gateway server returns a ‘forms-based’ authentication page.
• The user logs in using the domain\user format.
• A workspace page is returned that shows the RemoteApps allowed to that user.
  o This is only displayed if the user is using IE and has allowed the ActiveX control to run.
• The user clicks a RemoteApp icon and the RD client is started.
  o The user is prompted for credentials by their local RD client in the format domain\user.
• The remote desktop client connects to the RD Gateway using HTTPS through ISA.
  o This is an important distinction:
    • The RD client is launched on the CLIENT machine and makes a new connection to ISA.
    • ISA brokers the connection to the RD Gateway.
    • The settings in the RemoteApp instruct the RD client to connect to the gateway using the public address and then tell the gateway to connect to the INTERNAL address of the RemoteApp server (terminal server).
• The RD Gateway connects to the RD Server using SSL and TCP port 3389.
  o In our case this is on the same machine so this traffic is not on the network.
  o The same credentials are passed to the RD Server that were used by the RD Gateway.
Steps taken to complete:
• Assign a public IP address to the RD Gateway process
  o Create the address object in GW_FW
    • Public IP – remote.publicDNS.com
  o Create a DNS entry for remote.publicDNS.com
• Assign a DMZ address to the proxy server for the RD Gateway process
  o Create an address object in GW_FW
    • DMZ address
• Create a firewall rule for WAN to DMZ traffic
  o Allow WAN to DMZ – TCP 443 from anybody to Public IP
• Create a NAT policy at the firewall to direct traffic
  o From anywhere to Public IP on TCP 443; translate to DMZ IP on TCP 443
• Add the DMZ IP address to PROXY1
  o Add to the TCP/IP settings on the network interface (Windows 2003)
• Get an SSL certificate from a public CA for remote.PublicDNS.com
  o Use IIS on another web server to create the request and export the .pfx file after it completes
  o Use the Certificates MMC on PROXY1 to import the .pfx file into the local machine’s personal certificates
• Create the ISA listener that secures the traffic using SSL
  o Only allow HTTPS 443
  o All users are allowed
    • Necessary because the RD client can’t handle an authentication prompt
  o Select the new DMZ IP
  o Select the newly imported certificate for remote.PublicDNS.com
• Create an ISA firewall ACL to allow connections from the newly created listener to be directed over HTTPS to RDServer.domain.local
  o The connection appears to come from the proxy server
  o Unselect the bullet for ‘send the original address information to the internal site’
  o The client can authenticate directly
• Create a security group in AD: Web R-Proxy RD Gateway_G
• Install the RD Gateway role on RDServer
  o Server Manager – Roles – Add new role services
    • Install the RD Gateway role
• Configure RD Gateway in RD Gateway Manager
  o Under the Properties of the Gateway
    • SSL Certificates tab
      • Import the certificate for RDServer that is signed by the domain CA
    • RD CAP Store tab
      • Use Local
    • Server Farm
      • Add RDServer
      • Verify that the status changes to OK
    • SSL Bridging
      • SSL Bridging checked
      • Select HTTPS to HTTPS
  o Configure RD CAP and RD RAP policies
    • RD CAP specifies the users allowed to use the RD Gateway
    • RD RAP specifies the network resources that a user is allowed to connect to
      • Admin security group = ALL LAN
      • ‘Web R-Proxy RD Gateway_G’ = RDServer
• Configure the RemoteApp in RemoteApp Manager
  o RemoteApp deployment settings
    • RD Gateway tab
      • Use these RD Gateway settings:
        o Allow users to select logon method
        o Use the same credentials for RD Gateway and RD Session Host
        o Bypass the RD Gateway for local addresses
    • RD Session Host settings tab
      o Port 3389
      o Uncheck ‘Show remote desktop connection to this session host in rdweb access.’
      o Do not allow users to start unlisted programs on initial connection
    • Digital Signature tab
      o Sign with certificate
      o Change – select the RDServer certificate issued by the local CA
    • Custom RDP Settings tab
      o Add a line “authentication level:i:0”
• Add a RemoteApp program
  o Browse for the executable to start
  o In the properties of the RemoteApp
    • Select the users allowed to launch the RemoteApp
    • If users are not allowed they will not see a shortcut for the app in the web portal
• Configure IIS
  o From the IIS manager
    • Expand Sites – Default Web Site – RDWeb virtual directory
    • Set Authentication to Anonymous only
    • Expand the Pages virtual directory under RDWeb
    • Set Authentication to Forms Based
    • Edit the application settings
      o Create an entry for DefaultTSGateway
        • Set the value = remote.PublicDNS.com
• Test using IE on at least XP SP3 from an inside connection and from an outside connection.
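As an added illustration of what the RemoteApp deployment settings above produce (constructed, not an export from the author’s environment), this is the kind of .rdp file the client receives; the program name is a placeholder, the host names are the ones used on this page, and a signed file would additionally carry the signscope and signature lines that the Digital Signature tab generates. gatewayusagemethod 2 is ‘bypass for local addresses’, gatewaycredentialssource 4 is ‘allow me to select later’, promptcredentialonce 1 is ‘use the same credentials for gateway and host’, and authentication level 0 tells the client not to warn when server authentication fails, which is why the signed file and a gateway certificate the client trusts matter.

```text
remoteapplicationmode:i:1
remoteapplicationprogram:s:||PublishedApp
remoteapplicationname:s:Published App
full address:s:RDServer.domain.local
server port:i:3389
gatewayhostname:s:remote.PublicDNS.com
gatewayprofileusagemethod:i:1
gatewayusagemethod:i:2
gatewaycredentialssource:i:4
promptcredentialonce:i:1
authentication level:i:0
redirectprinters:i:0
```

The redirectprinters:i:0 line reflects the introduction’s scenario where printer redirection is switched off; remove it if redirection is wanted.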