RDS Installation on Windows 2025 Server (All in One Quick Deployment)

This is an all-in-one deployment: the domain controller, DNS and all RDS roles run on one server.

High Level steps:
1. Install pending Windows updates, if any
2. Promote TX-Win-2025 to DC, domain: 51sec.local
3. Install the RDS roles, but not the license server for now (the RD Session Host runs in its 120-day licensing grace period until one is added)
4. Create a CSR, send it for signing, and install the signed cert for the RDS roles
5. Install and configure cloudflared for https://rdp.51sec.dev/
6. Install and configure RD Gateway for https://rdp.51sec.dev/rdweb/webclient

Install Win 2025 & Update

The server runs Microsoft Windows Server 2025 Standard 64-bit on the following hardware configuration:

  • Number of CPU: 4 vCPU
  • Memory Size: 6144MB (6GB)
  • 1 Disk: 150GB


Note: it is a cloud server hosted at kamatera.com at 0.094 USD/hour (approx. 68.62 USD for 730 hours).
Make sure all pending Windows Updates have been installed before promoting the server to a DC.

Install Domain Service & Promote to DC

Server Manager - Add Roles and Features Wizard - Role-based or feature-based installation
Select a server from the server pool as your destination server, which is this Win2025 server in your network.
Choose "Active Directory Domain Services" and click Next; the wizard automatically selects the other required services, such as DNS Server, to be installed as well.
Keep the default selections for features, then promote the server to a domain controller for the new forest 51sec.local.
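The same promotion from an elevated PowerShell session, as an added example that is not part of the original post. The DNS role is installed alongside AD DS exactly as the wizard does; the NetBIOS name 51SEC and the DSRM password prompt are assumptions, not values from the post. Keep in mind that an all-in-one box is lab-only: with the RD Session Host on the DC, every RDS user ends up logging on interactively to a domain controller.

```powershell
# Added example (not from the original post): promote the all-in-one host to the
# first DC of 51sec.local. Assumptions: NetBIOS name 51SEC, DSRM password typed
# at the prompt. Run from an elevated PowerShell session.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# -InstallDns adds the DNS Server role and creates the 51sec.local zone, the same
# thing the Add Roles wizard selects automatically. -Force suppresses the
# confirmation prompts; the server reboots when the promotion finishes.
$dsrm = Read-Host -Prompt 'DSRM (safe mode) password' -AsSecureString
Install-ADDSForest `
    -DomainName 51sec.local `
    -DomainNetbiosName 51SEC `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# After the reboot, verify the domain and the DNS zone exist before installing RDS.
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
Get-DnsServerZone -Name 51sec.local
```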

Install RDS services

1. Choose Remote Desktop Services installation

2. Choose Quick Start to install the three RDS roles (RD Connection Broker, RD Web Access, RD Session Host) on this one server; the wizard also creates a session collection and publishes three default RemoteApp programs.
After the three RDS roles are installed, the web portal (https://<ServerName>/RDWeb) still does not work, because there is no trusted certificate for the services yet.
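The PowerShell equivalent of the Quick Start wizard, as an added example that is not part of the original post. The FQDN tx-win-2025.51sec.local is an assumption derived from the hostname and domain named above, the collection name is the wizard's default, and WordPad is skipped automatically if the build no longer ships it (it was removed from recent Windows builds).

```powershell
# Added example (not from the original post): Quick Start deployment, all three
# roles on this host. Assumption: the host FQDN is tx-win-2025.51sec.local.
Import-Module RemoteDesktop
$fqdn = "tx-win-2025.51sec.local"
$coll = "QuickSessionCollection"   # the wizard's default collection name

# One cmdlet installs RD Connection Broker, RD Web Access and RD Session Host.
New-RDSessionDeployment -ConnectionBroker $fqdn -WebAccessServer $fqdn -SessionHost $fqdn

# The collection plus the three default RemoteApps the wizard publishes.
New-RDSessionCollection -CollectionName $coll -SessionHost $fqdn -ConnectionBroker $fqdn
$apps = @(
    @{ Name = "Calculator"; Path = "C:\Windows\System32\calc.exe" },
    @{ Name = "Paint";      Path = "C:\Windows\System32\mspaint.exe" },
    @{ Name = "WordPad";    Path = "C:\Program Files\Windows NT\Accessories\wordpad.exe" }
)
foreach ($app in $apps) {
    # WordPad is absent on newer builds; publishing a missing path fails, so check first.
    if (-not (Test-Path $app.Path)) { Write-Warning "$($app.Name) not found, skipping"; continue }
    New-RDRemoteApp -CollectionName $coll -DisplayName $app.Name -FilePath $app.Path `
        -ConnectionBroker $fqdn | Out-Null
}

# Checks: every role should list this host, and the apps should be published.
Get-RDServer -ConnectionBroker $fqdn
Get-RDRemoteApp -CollectionName $coll -ConnectionBroker $fqdn | Select-Object DisplayName, FilePath
```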

Create Self-Signed Certificate & Install Cert

Server Manager - Remote Desktop Services - Overview
Deployment Properties - Configure the deployment - Certificates - Create new certificate...

Once the new certificate has been created and saved locally, you can apply the same cert to the other RDS role services: RD Connection Broker - Enable single sign on, RD Connection Broker - Publishing, and RD Web Access.
While creating the new certificate, tick the box that allows the certificate to be added to the Trusted Root Certification Authorities store on the destination computer.
It will look like the screenshot below. Level shows Untrusted because it is a self-signed certificate, not one issued by a public or enterprise CA, but that is enough to run the RDWeb page locally.

You should now be able to reach the RDWeb page using the computer name, localhost, 127.0.0.1 or the FQDN.

Install Cloudflared service & Configure a new app

1. Log into Cloudflare and Click Zero Trust menu
2. Go to Networks - Tunnel - Create a tunnel

Install the 64-bit Windows cloudflared with winget (it pulls the release from GitHub):
  • winget install --id Cloudflare.cloudflared
Alternatively, download cloudflared-windows-amd64.exe from the GitHub releases page, right-click it and run it as administrator. The installer window closes by itself when it is done; check the Program Files folder for the installed files.
Copy the command the tunnel page shows (the tunnel token is already populated in it) and run it as administrator so the installed cloudflared registers as a Windows service and connects to the tunnel; it has the form cloudflared.exe service install <token>. The token authorizes the machine to the tunnel, so treat it like a credential.
Configure a public hostname for this tunnel:
service: https://localhost:443

TLS - No TLS Verify (cloudflared cannot validate the self-signed origin certificate; since this hop is local to the same host it is acceptable here, but turn verification back on once the origin presents a certificate cloudflared can validate)

Zero Trust Tunnel Access Policy

You can add a different IdP (Identity Provider) here as your authentication method, such as a Microsoft Entra ID security group.
In the following example, we simply use email addresses that receive a One-Time PIN as the authentication method.

Now we should be able to access rdp.51sec.dev, which serves our local https://localhost website.
You can reach the RDWeb page by appending RDWeb to the URL, e.g. https://rdp.51sec.dev/rdweb

Unfortunately, launching an app still fails. Clicking a RemoteApp icon downloads an .rdp file, but it points at the session host's internal name on TCP 3389, and the tunnel only carries HTTP(S) for the RDWeb hostname, so the RDP session cannot cross the internet. RD Gateway is needed to wrap the RDP session in HTTPS so that it can go through the same public hostname.

Manage CA Signed Certificates

Several components of RDS can use certificates to provide secure communications. Self-signed certificates can be used, but they must be manually installed on clients in order to be trusted. Certificates issued by a trusted CA are automatically trusted by clients, but configuring RDS to use these certificates is not straightforward.

https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remote-desktop-services-certificates?tabs=gui
A Remote Desktop Services deployment requires certificates for server authentication, single sign-on, and establishing secure connections.
For the CA services installation, see this post:
Method 1 - Create Self-signed certificate
Please check previous section, "Create Self-Signed Certificate & Install Cert"
Method 2 - Create domain CA signed certificate
1. Create a domain certificate

2. Fill in the Distinguished Name properties

Use the FQDN of your member server (the RD Web Access server) as the common name; it must match the name clients type into the browser or mstsc, otherwise the certificate is rejected as a name mismatch.

3. Choose an online CA in your domain

4. Click Finish to complete.

5. Export (Copy to File) the certificate

Make sure to export the private key; RDS needs the PFX with the key, not just the public certificate.

6. The default is .pfx format; click Next to continue the wizard

7. Enter a password and file name for the export, then finish the certificate export wizard.
8. Configure the certificate for RD Web Access

Make sure the issuing CA's root is in the Trusted Root CA certificate store on the clients (domain-joined machines get the enterprise root automatically via Group Policy).
9. Click Apply, since only one role service can be assigned a certificate at a time.

10. Add the cert to the other two role services.

Also add the cert to RD Gateway if you have configured RD Gateway on the same machine.
11. Now you can enable the RD Gateway configuration as shown below.
12. RD Web Access should now launch applications such as Calculator, Paint or WordPad as expected.
Method 3 - Create Certificate Signing Request
You can use the IIS management tool to create a CSR. You can also use MMC with the Certificates snap-in, which gives you more control over the request, in particular the option to mark the private key as exportable.
The point is: if you want the certificate a Microsoft CA issues against your CSR to be exportable to PFX for the RDS services, the CSR must be generated with the private key marked exportable; a non-exportable key cannot be retrieved later.
https://www.entrust.com/knowledgebase/ssl/how-to-generate-certificate-signing-request-using-microsoft-management-console-mmc-on-windows-2012
 

After you receive the publicly signed certificate, install it on the machine that generated the CSR, so that it pairs with the pending private key, and then export it to PFX.
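The command-line version of Method 2 steps 5 to 10 and of Method 3, as an added example that is not part of the original post: a certreq request file with Exportable = TRUE (the setting the MMC steps exist for), the issued certificate bound to the pending key, exported to PFX, and applied to every RDS role. The FQDN, the public hostname rdp.51sec.dev in the SAN, the file paths and the CA placeholders are assumptions.

```powershell
# Added example (not from the original post). Assumptions: internal FQDN
# tx-win-2025.51sec.local, public name rdp.51sec.dev, files under C:\Temp,
# and a CA you submit the CSR to yourself (placeholders below).
$fqdn = "tx-win-2025.51sec.local"
$ext  = "rdp.51sec.dev"

# Exportable = TRUE is the whole point: without it the key is locked in the
# machine store and the issued certificate can never be exported to PFX.
# KeyUsage 0xA0 = digitalSignature + keyEncipherment; EKU = Server Authentication.
@"
[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = TRUE
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "dns=$ext&"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path C:\Temp\rds.inf -Encoding ascii

certreq -new C:\Temp\rds.inf C:\Temp\rds.csr
# Submit rds.csr: to a domain CA with
#   certreq -submit -config "<CAHost>\<CAName>" C:\Temp\rds.csr C:\Temp\rds.cer
# or to a public CA through its portal, saving the issued cert as rds.cer.
certreq -accept C:\Temp\rds.cer    # pairs the cert with the pending key in LocalMachine\My

# Export with the private key, then push the PFX to all four RDS roles.
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
Export-PfxCertificate -Cert $cert -FilePath C:\Temp\rds.pfx -Password $pfxPwd

Import-Module RemoteDesktop
# Drop RDGateway from the list if the gateway role is not installed yet.
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway') {
    Set-RDCertificate -Role $role -ImportPath C:\Temp\rds.pfx -Password $pfxPwd `
        -ConnectionBroker $fqdn -Force
}
# Check: Level should read Trusted for every role once the chain is in the root store.
Get-RDCertificate -ConnectionBroker $fqdn
```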

Generate pfx cert from Cloudflare Origin Server Cert and Key

 

To obtain a PFX file from Cloudflare for your origin server, create an Origin CA certificate and use OpenSSL to bundle it with its private key. Cloudflare's Edge certificates belong to Cloudflare's proxy and cannot be exported as PFX.

Here's a step-by-step guide:
1. Generate an Origin CA Certificate:
  • Log in to your Cloudflare dashboard.
  • Navigate to SSL/TLS > Origin Server.
  • Click Create Certificate.
  • Let Cloudflare generate the private key and CSR, and list the hostnames the certificate should cover (e.g. rdp.51sec.dev).

2. Save the Certificate and Private Key:
  • Copy the Origin Certificate (PEM, starting with -----BEGIN CERTIFICATE-----) and save it to a file (e.g., domain.com.pem).
  • Copy the private key (PEM, starting with -----BEGIN PRIVATE KEY-----) and save it to a file (e.g., domain.com.key). Cloudflare shows the key only once and does not keep a copy.
  The CSR itself is not needed for the PFX: a PKCS#12 file is built from the issued certificate and its private key, not from the request.

3. Create the PFX file using OpenSSL:
  • Open a command prompt or PowerShell on your workstation.

  • Make sure openssl is on the PATH, or change into the directory where OpenSSL is installed. If you don't have OpenSSL, download it from the OpenSSL website.

  • Run the following command, replacing the file paths with your actual values (-in takes the certificate, -inkey the private key):

Code
 openssl pkcs12 -export -out C:/Temp/domain.com.pfx -inkey C:/Temp/domain.com.key -in C:/Temp/domain.com.pem
  • You'll be prompted for a password for the PFX file. Choose a strong password and confirm it; the RDS deployment wizard asks for it on import.

  • The PFX file is created at the specified output location (e.g., C:/Temp/domain.com.pfx). Delete the plaintext .key file once the PFX has been imported successfully.

4. Install the PFX file on your server:
  • Copy the PFX file to the server.

  • Import it according to your server software (for RDS: Deployment Properties - Certificates - Select existing certificate...; for IIS or Apache, follow their PFX import instructions).

Important Notes:
  • Cloudflare's Edge Certificates (used for the connection between Cloudflare and the user's browser) cannot be downloaded in PFX format. These certificates are specifically for Cloudflare's infrastructure.

  • The Origin CA certificate secures the hop between Cloudflare and your origin server. It is trusted by Cloudflare's edge only: browsers and RDP clients do not trust the Cloudflare Origin CA root, so any client that reaches RDS without going through Cloudflare (e.g. on the LAN) still sees an untrusted certificate.

  • Third-party web converters exist, but uploading a private key to someone else's website defeats the purpose of the key; run OpenSSL locally instead.

Install RD Gateway


Install RD Web Access

https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/remote-desktop-web-client-admin

What is RD Web Access?

Remote Desktop Web Access (RD Web Access) is a Microsoft role service designed to provide secure, web-based access to applications and desktops. It allows users to connect to RemoteApp and Desktop Connections through a web interface, eliminating the need for complex VPN setups.

When RD Web Access is installed, it uses Microsoft Internet Information Services (IIS) to host the web portal. This means the server hosting RD Web Access acts as a web server, but it does not need to double as a Remote Desktop Session Host or a Connection Broker.

This flexibility makes RD Web Access suitable for various deployment scenarios.

 

Key Features of RD Web Access

  • Web-Based Access: Users can launch applications or desktops directly from their browsers.
  • Integration with Remote Desktop Services: Seamlessly connects with other Remote Desktop roles like Session Host and Connection Broker.
  • Domain-Based Security: Ensures secure authentication using domain credentials.

 

Prerequisites for Using RD Web Access

Before getting started, keep the following things in mind:

  • Make sure your Remote Desktop deployment has an RD Gateway, an RD Connection Broker, and RD Web Access running on Windows Server 2016 or later.

  • Make sure your deployment is configured for per-user client access licenses (CALs) instead of per-device, otherwise all licenses are consumed.

  • Install the Windows 10 KB4025334 update on the RD Gateway. Later cumulative updates might already contain this KB.

  • Make sure public trusted certificates are configured for the RD Gateway and RD Web Access roles.

  • Make sure that any computers your users connect to are running one of the following OS versions:

    • Windows 10 or later
    • Windows Server 2016 or later
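Adding the gateway role, pointing the deployment at the public hostname (the "enable RD Gateway configuration" step of Method 2) and installing the HTML5 web client described in the Microsoft document linked above, as an added example that is not part of the original post. The FQDN, the public name rdp.51sec.dev, the PFX path and the gateway policy values are assumptions.

```powershell
# Added example (not from the original post). Assumptions: host FQDN
# tx-win-2025.51sec.local, public gateway name rdp.51sec.dev, a PFX at
# C:\Temp\rds.pfx that covers rdp.51sec.dev.
Import-Module RemoteDesktop
$fqdn = "tx-win-2025.51sec.local"
$ext  = "rdp.51sec.dev"

# Install the RD Gateway role into the existing deployment on the same host.
Add-RDServer -Server $fqdn -Role RDS-GATEWAY -ConnectionBroker $fqdn -GatewayExternalFqdn $ext

# Clients must reach the gateway through the public name, not the internal one.
# BypassLocal $false sends even LAN clients through the gateway, so the .rdp
# file the portal hands out behaves the same from anywhere.
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -GatewayExternalFqdn $ext `
    -LogonMethod Password -UseCachedCredentials $true -BypassLocal $false `
    -ConnectionBroker $fqdn -Force

# The gateway certificate must cover $ext, or mstsc refuses the gateway.
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
Set-RDCertificate -Role RDGateway -ImportPath C:\Temp\rds.pfx -Password $pfxPwd `
    -ConnectionBroker $fqdn -Force

# HTML5 web client (RDWeb/webclient), per the Microsoft doc. The client must
# trust the broker's publishing certificate: export it without the key first.
$broker = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -eq "CN=$fqdn" } |
          Sort-Object NotBefore -Descending | Select-Object -First 1
Export-Certificate -Cert $broker -FilePath C:\Temp\broker.cer | Out-Null

Install-Module -Name RDWebClientManagement -Force
Install-RDWebClientPackage
Import-RDWebClientBrokerCert C:\Temp\broker.cer
Publish-RDWebClientPackage -Type Production -Latest

# Checks: the gateway settings and the published client version.
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $fqdn
Get-RDWebClientPackage
# Then browse to https://rdp.51sec.dev/RDWeb/webclient/ through the tunnel.
```

The RD Gateway handles only the session transport; authentication in front of it is still the Cloudflare Access policy from the tunnel section, so a user who is not in the Access policy never reaches the gateway login at all.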


Copyright notice:
Author: siwei
Link: https://www.techfm.club/p/221533.html
Source: TechFM
The copyright of this article belongs to the author; please do not repost without permission.
