Windows RDS Installation Notes

RDS services seem easy to install on Windows Server if you are just setting up a lab environment. In practice you may run into quite a few different issues depending on what your production use case is.

This blog post summarizes some common situations you will meet when deploying RDS into production.

https://www.51sec.org/forum/it-support/how-to-set-up-rd-web-access-to-access-applications-remotely/
1. Choose the Remote Desktop Services installation.

2. Choose Quick Start to install the three RDS role services on one server; this also creates a collection with the three default published RemoteApp programs.
After the three RDS role services are installed, the web portal (https://<ServerName>/RDWeb) is still not working.
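The same single-server Quick Start deployment can be driven from PowerShell, which makes it easier to see what the wizard actually created (three role services, one collection, three RemoteApps). This is an added example, not code from the original post; the server name rds1.corp.example and the collection name are assumptions, and the three executable paths are the standard Windows locations.

```powershell
# Added example (not from the original post): the same outcome as the Quick Start
# wizard, driven from PowerShell. Assumption: rds1.corp.example hosts the
# connection broker, RD Web Access and the session host, as in a one-server setup.
Import-Module RemoteDesktop

$server     = 'rds1.corp.example'       # assumption: all three role services here
$collection = 'QuickSessionCollection'   # assumption: name used for the collection

# 1. Deploy the three role services (the wizard's "Quick Start" step).
New-RDSessionDeployment -ConnectionBroker $server -WebAccessServer $server -SessionHost $server

# 2. Create a session collection on the session host.
New-RDSessionCollection -CollectionName $collection -SessionHost $server `
    -CollectionDescription 'Added example collection' -ConnectionBroker $server

# 3. Publish the three default RemoteApps the wizard creates.
$apps = @{
    'Calculator' = 'C:\Windows\System32\calc.exe'
    'Paint'      = 'C:\Windows\System32\mspaint.exe'
    'WordPad'    = 'C:\Program Files\Windows NT\Accessories\wordpad.exe'
}
foreach ($name in $apps.Keys) {
    New-RDRemoteApp -CollectionName $collection -DisplayName $name `
        -FilePath $apps[$name] -ConnectionBroker $server | Out-Null
}

# 4. Confirm what RD Web Access will list for this collection.
Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $server |
    Format-Table DisplayName, FilePath, ShowInWebAccess -AutoSize
```

Run it elevated on the server with the Remote Desktop management tools installed; New-RDSessionDeployment installs the role services and may reboot the server, so the remaining steps are run after it comes back.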

Access Portal from IE

At this moment, the web portal (https://<ServerName>/RDWeb) is still not fully working. The certificate warning "This site is not secure" is still shown, and even if you ignore the message and continue, the site will not render in Edge, although it works in IE.

After you enter a proper domain\username and password, you will be able to access the site:

The three applications are the default setting in the collection settings:

Depending on your use case, you might have installed RD Gateway but not fully configured it yet. Here is one thing you might run into.
If you specify RD Gateway settings for the deployment as shown below, the applications in the collection will not launch, because the certificate is not installed properly on the corresponding servers.

After I changed it to "Do not use an RD Gateway server", it works.

Even a workgroup machine is able to access the web portal using IE and launch an RDP application such as Calculator.
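The failure above (gateway configured, RemoteApps refuse to launch) is quickest to diagnose from the connection broker: read the deployment's gateway mode and the certificate level of each role, and only fall back to "Do not use an RD Gateway server" while the roles that need a trusted certificate do not have one. This is an added example, not code from the original post; the broker name rdcb.corp.example is an assumption.

```powershell
# Added example (not from the original post): check the RD Gateway deployment
# setting and the per-role certificate status before deciding whether to keep the
# gateway enabled. Assumption: rdcb.corp.example is the RD Connection Broker.
Import-Module RemoteDesktop

$broker = 'rdcb.corp.example'   # assumption

# 1. What does the deployment currently tell clients to do about the gateway?
$gw = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $broker
"GatewayMode: {0}  ExternalFqdn: {1}" -f $gw.GatewayMode, $gw.GatewayExternalFqdn

# 2. Which roles still lack a trusted certificate? Level is one of
#    NotConfigured, Untrusted, Trusted or Error. Launching RemoteApps through the
#    gateway needs RDGateway and RDPublishing at Trusted.
$certs = Get-RDCertificate -ConnectionBroker $broker
$certs | Select-Object Role, Level, IssuedTo, ExpiresOn | Format-Table -AutoSize
$broken = @($certs | Where-Object { $_.Level -ne 'Trusted' })

# 3. Workaround used in the post: while certificates are not in place, stop
#    routing sessions through the gateway so published apps launch directly.
if ($broken.Count -gt 0 -and $gw.GatewayMode -ne 'DoNotUse') {
    "Roles without a trusted certificate: $($broken.Role -join ', ')"
    Set-RDDeploymentGatewayConfiguration -GatewayMode DoNotUse -ConnectionBroker $broker -Force
}
```

Treat DoNotUse as a temporary state: without the gateway, clients connect to the session hosts directly, which is fine for a workgroup test on the LAN but not for publishing the deployment to the internet.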

Manage Certificates

Several components of RDS can use certificates to provide secure communications. Self-signed certificates can be used, but they must be manually installed on clients in order to be trusted. Certificates issued by a trusted CA are automatically trusted by clients, but configuring RDS to use these certificates is not straightforward.

https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remote-desktop-services-certificates?tabs=gui
A Remote Desktop Services deployment requires certificates for server authentication, single sign-on (SSO), and establishing secure connections.
For more on installing the CA services, check this post:
Method 1 - Create domain certificate
1. Create domain certificate

2. Fill in the Distinguished Name properties.

Use your member server's (the RDS Web Access server's) FQDN as the Common Name.

3. Choose the online CA in your domain.

4. Click Finish to complete.

5. Export (Copy to File) the certificate.

Make sure to export the private key.

6. The default is .pfx format; click Next to continue the wizard.

7. Enter a password and file name to export, then finish the Certificate Export Wizard.
8. Configure the certificate for RD Web Access.

Make sure this certificate is added to the Trusted Root CA certificate store.
9. Click Apply, since only one role service can be configured with a certificate at a time.

10. Add the certificate to the other two role services.

Also add the certificate for RD Gateway if you have configured RD Gateway on the same machine.
11. Now you can enable the RD Gateway configuration as shown below.
12. RD Web Access should now launch applications such as Calculator, Paint or WordPad as expected.
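Steps 8 to 11 can be scripted so that every role gets the same PFX, the result is verified, and the gateway is only re-enabled once every role reports a trusted certificate. This is an added example, not code from the original post; the broker name, gateway FQDN and PFX path are assumptions.

```powershell
# Added example (not from the original post): assign one PFX to all four RDS
# certificate roles, verify, then enable the gateway. Assumptions: broker
# rdcb.corp.example, external gateway name rdgw.corp.example, PFX at C:\Temp\rds.pfx.
Import-Module RemoteDesktop

$broker  = 'rdcb.corp.example'   # assumption
$gwFqdn  = 'rdgw.corp.example'   # assumption: must appear in the certificate's SAN
$pfxPath = 'C:\Temp\rds.pfx'     # assumption: the PFX exported in step 7
$pfxPwd  = Read-Host -AsSecureString -Prompt 'PFX password'

# One Set-RDCertificate call per role; the GUI likewise applies one role at a time.
$roles = 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway'
foreach ($role in $roles) {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPwd `
        -ConnectionBroker $broker -Force
}

# Verify: every role must report Level = Trusted, and IssuedTo should be the
# name clients actually connect to, otherwise clients still get a warning.
$status = Get-RDCertificate -ConnectionBroker $broker
$status | Format-Table Role, Level, IssuedTo, ExpiresOn -AutoSize
$notTrusted = @($status | Where-Object { $_.Level -ne 'Trusted' })
if ($notTrusted.Count -gt 0) {
    throw "Certificate not trusted for: $($notTrusted.Role -join ', ')"
}

# Step 11: only now point the deployment at the gateway.
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -GatewayExternalFqdn $gwFqdn `
    -LogonMethod Password -UseCachedCredentials $true -BypassLocal $true `
    -ConnectionBroker $broker -Force
```

Level comes out as Untrusted when the broker does not trust the issuing chain, which is the self-signed case described at the start of this section; a certificate from the domain CA shows Trusted once the CA root is in the machine's trusted root store.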
Method 2 - Create Certificate Request
You should be able to use the IIS management tool to create a CSR. You can also use the MMC Certificates snap-in to create a proper CSR with the option to make the private key exportable; this gives you much more control over how the CSR is generated.
The point is: if you want the certificate the Microsoft CA issues for your CSR to be exportable to .pfx format for the RDS services to use, you must create the CSR with the exportable private key option enabled.
https://www.entrust.com/knowledgebase/ssl/how-to-generate-certificate-signing-request-using-microsoft-management-console-mmc-on-windows-2012

You will need to install the certificate on the machine that generated the CSR; then you can export it to .pfx.
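The same CSR can be produced without the MMC wizard by feeding certreq an INF file in which Exportable = TRUE is set explicitly, which is the setting that decides whether the PFX export at the end succeeds. This is an added example, not code from the original post; the subject name, the CA configuration string (ca.corp.example\Corp-Issuing-CA), the WebServer template and the C:\Temp paths are assumptions.

```powershell
# Added example (not from the original post): build a CSR whose private key is
# marked exportable, submit it to an enterprise CA, accept the issued certificate
# and export a PFX for Set-RDCertificate. Run elevated on the RD Web Access server.
$fqdn   = 'rdweb.corp.example'                 # assumption: the server's FQDN
$caConf = 'ca.corp.example\Corp-Issuing-CA'    # assumption: CA host\CA name
$work   = 'C:\Temp'
$inf    = Join-Path $work "$fqdn.inf"
$req    = Join-Path $work "$fqdn.req"
$cer    = Join-Path $work "$fqdn.cer"
$pfx    = Join-Path $work "$fqdn.pfx"

# Exportable = TRUE is the line that makes the later PFX export possible;
# MachineKeySet = TRUE stores the key in the computer store, which RDS needs.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $inf -Encoding ASCII

certreq -new $inf $req              # creates the key pair and the PKCS#10 request
certreq -submit -config $caConf $req $cer   # assumes the template auto-issues
certreq -accept $cer                # binds the issued cert to the private key

# Locate the installed certificate with its private key and export it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with private key for CN=$fqdn in LocalMachine\My" }

$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
try {
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pfxPwd | Out-Null
    "Exported $pfx (thumbprint $($cert.Thumbprint))"
} catch {
    # The usual cause: the request was made without Exportable = TRUE.
    throw "PFX export failed; was the key created as exportable? $_"
}
```

If the template requires CA manager approval, certreq -submit returns a request ID instead of a certificate; retrieve the issued certificate with certreq -retrieve and then run the accept and export steps.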

Generate pfx cert from Cloudflare Origin Server Cert and Key


To obtain a PFX certificate from Cloudflare for use with your origin server, you need to generate an Origin CA certificate and then use OpenSSL to combine it with your private key to create the PFX file. Cloudflare's Edge Certificates are for use with Cloudflare's proxy and cannot be exported as PFX.

Here's a step-by-step guide:
1. Generate an Origin CA Certificate:
  • Log in to your Cloudflare dashboard.
  • Navigate to SSL/TLS > Origin Server.
  • Click Create Certificate.
  • Choose to have Cloudflare generate the private key and CSR (Certificate Signing Request). 

2. Download and Save the Certificate and Private Key:
  • Copy the generated CSR and save it to a file (e.g., domain.com.csr).
  • Copy the generated private key (PEM format) and save it to a file (e.g., domain.com.pem). 

3. Create the PFX file using OpenSSL:
  • Open a command prompt or PowerShell on your workstation. 

  • Navigate to the directory where OpenSSL is installed. If you don't have OpenSSL, you can download it from OpenSSL Website. 

  • Run the following command, replacing the file paths and passwords with your actual values: 

Code:
 openssl pkcs12 -export -out C:/Temp/domain.com.pfx -inkey C:/Temp/domain.com.pem -in C:/Temp/domain.com.crt
 (-in must be the issued Origin certificate in PEM form, saved here as domain.com.crt; pkcs12 -export does not accept a CSR, and -inkey must be the matching private key.)
  • You'll be prompted to enter a password for the PFX file. Choose a strong password and confirm it. 

  • The PFX file will be created in the specified output location (e.g., C:/Temp/domain.com.pfx). 

4. Install the PFX file on your server:
  • Copy the PFX file to the location on your server where it needs to be installed. 

  • Depending on your server software (e.g., IIS, Apache), follow the specific instructions for installing a PFX certificate. 

Important Notes:
  • Cloudflare's Edge Certificates (used for the connection between Cloudflare and the user's browser) cannot be downloaded in PFX format. These certificates are specifically for Cloudflare's infrastructure. 

  • The Origin CA certificate you create is for securing the connection between Cloudflare and your origin server. 

  • You can use a tool such as SSLTrust to generate the PFX file if you prefer not to use OpenSSL directly (according to SSLTrust).

By following these steps, you can successfully generate a PFX certificate from Cloudflare for use with your origin server. 
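Because a PFX that is missing its key, is expired, or does not cover the RDS hostname fails silently until a client complains, it is worth validating the file right after OpenSSL produces it. The following is an added example, not code from the original post or from Cloudflare: it runs the same openssl pkcs12 command from PowerShell and then inspects the result with Get-PfxData. It assumes openssl.exe is on PATH, that C:\Temp\domain.com.crt holds the issued Origin certificate (PEM) and C:\Temp\domain.com.pem the private key, and that rds.example.com is the name clients use.

```powershell
# Added example (not from the original post): build the PFX with OpenSSL and
# validate it before handing it to RDS. Assumptions: openssl on PATH, files in
# C:\Temp, clients connect to rds.example.com.
$crt      = 'C:\Temp\domain.com.crt'   # the issued Origin certificate (PEM), not the CSR
$key      = 'C:\Temp\domain.com.pem'   # the private key shown once by the wizard
$pfx      = 'C:\Temp\domain.com.pfx'
$hostName = 'rds.example.com'          # assumption: name that must be in the SAN

$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
$plain  = [System.Net.NetworkCredential]::new('', $pfxPwd).Password

# pkcs12 -export needs a certificate (-in) and its matching key (-inkey);
# -passout supplies the PFX password without an interactive prompt.
& openssl pkcs12 -export -out $pfx -inkey $key -in $crt -passout "pass:$plain"
if ($LASTEXITCODE -ne 0) { throw "openssl failed with exit code $LASTEXITCODE" }

# Validate: key present, not about to expire, hostname covered by the SAN.
$data = Get-PfxData -FilePath $pfx -Password $pfxPwd
$leaf = $data.EndEntityCertificates[0]
$names = @($leaf.DnsNameList.Unicode)

$problems = @()
if (-not $leaf.HasPrivateKey) { $problems += 'no private key in PFX' }
if ($leaf.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($leaf.NotAfter)" }
# Simplified wildcard check: '*.example.com' covers 'rds.example.com'.
$covered = $names | Where-Object {
    $_ -eq $hostName -or ($_.StartsWith('*.') -and $hostName -like $_)
}
if (-not $covered) { $problems += "$hostName not in SAN: $($names -join ', ')" }

if ($problems.Count -gt 0) { throw "PFX check failed: $($problems -join '; ')" }
"OK: $($leaf.Subject) issued by $($leaf.Issuer), valid until $($leaf.NotAfter)"
```

One caveat for RDS specifically: Cloudflare's Origin CA root is trusted by Cloudflare's edge, not by the Windows trusted root store, so RDP clients that connect to the gateway or session hosts directly (rather than through Cloudflare) will still see an untrusted-certificate warning with this PFX.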

Create Collection

1. Create your own templates

2. Create your own security policies

3. Create your own secret folder

4. Onboard account

Add Remote Desktop Gateway

It seems Remote Desktop Gateway is not installed.

Click the green plus icon to add RD Gateway servers:

It will ask for a self-signed SSL certificate. Enter the FQDN of the server.

Click Add to complete this Remote Desktop Gateway role service configuration.
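The same role service addition from PowerShell, as an added example that is not code from the original post: Add-RDServer with the RDS-GATEWAY role takes the external FQDN the wizard asks for, and the self-signed certificate it creates for that name is the one the Manage Certificates section above replaces. The broker and gateway names are assumptions.

```powershell
# Added example (not from the original post): add the RD Gateway role service to
# an existing deployment. Assumptions: broker rdcb.corp.example, gateway role on
# the same server, clients resolve rdgw.corp.example to it.
Import-Module RemoteDesktop

$broker = 'rdcb.corp.example'   # assumption
$gwHost = 'rdcb.corp.example'   # assumption: gateway installed on the broker, as in the post
$gwFqdn = 'rdgw.corp.example'   # assumption: external name; the certificate must match it

# Add the role only if the deployment does not already have a gateway server.
$existing = Get-RDServer -Role RDS-GATEWAY -ConnectionBroker $broker -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-RDServer -Server $gwHost -Role RDS-GATEWAY -GatewayExternalFqdn $gwFqdn `
        -ConnectionBroker $broker
}

# Show which servers hold which roles, and the (initially self-signed) gateway cert.
Get-RDServer -ConnectionBroker $broker | Format-Table Server, Roles -AutoSize
Get-RDCertificate -Role RDGateway -ConnectionBroker $broker |
    Format-Table Role, Level, IssuedTo, ExpiresOn -AutoSize
```

Until the gateway role is given the domain-issued certificate, Get-RDCertificate reports it as Untrusted, which is exactly the state that made the published applications fail to launch earlier in this post.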


Copyright notice:
Author: siwei
Link: https://www.techfm.club/p/218998.html
Source: TechFM
The article's copyright belongs to the author; do not reproduce it without permission.
