Module 3 Remote Desktop Gateway Estimated Time: 90 minutes


A. Datum Corporation provided access to intranet web applications by implementing Web Application Proxy. Now, IT management also wants to enable access to some of the internal desktop applications by leveraging capabilities of Windows Server 2016-based Remote Desktop Services (RDS). Your intention is to also take advantage of the existing Web Application Proxy deployment to provide a single, tightly controlled point of entry from the Internet to your internal network.

Objectives
After completing this lab, students will be able to:
- Implement Remote Desktop Services.
- Publish Remote Desktop Gateway via Web Application Proxy.

Lab environment
The lab consists of the following computers:
- LON-DC1 (172.16.0.10): a Windows Server 2016 domain controller in the adatum.com single-domain forest. You will use it to host the Enterprise Certification Authority. In general, you should avoid using AD domain controllers to host PKI roles. We are not following this approach in the lab strictly in order to optimize use of lab VMs. The process of deploying and configuring a Certification Authority server would be identical when using a domain member server.
- LON-SVR1 (172.16.0.11): a Windows Server 2016 domain member server with Remote Server Administration Tools installed. This server hosts the Active Directory Federation Services server role.
- LON-SVR2 (172.16.0.12): a Windows Server 2016 domain member server with Remote Server Administration Tools installed. This server hosts the Web Application Proxy role service and functions as a Certificate Revocation List (CRL) Distribution Point for external clients.
- LON-SVR4 (172.16.0.14): a Windows Server 2016 domain member server with Remote Server Administration Tools installed. This server will host a single-node Remote Desktop Services deployment, including the Remote Desktop Session Host, Remote Desktop Connection Broker, Remote Desktop Web Access and Remote Desktop Gateway role services.
- LON-CL1 (172.16.0.101): a Windows 10 Pro or Enterprise version 1607 (or newer) domain member computer.
All computers have Windows PowerShell Remoting enabled.

Exercise 1: Implement Remote Desktop Services
In this exercise, you will step through installing and configuring Remote Desktop Services in a Windows Server 2016 environment.
The main tasks for this exercise are as follows:
1. Create RDS Quick Start deployment on LON-SVR4
2. Configure DNS on LON-DC1
3. Install the RD Gateway and RD Licensing role services on LON-SVR4
4. Publish updated Certificate Revocation List (CRL)
5. Enroll LON-SVR4 for a certificate issued by the Enterprise CA
6. Configure certificate settings of the RDS deployment on LON-SVR4
7. Review RD Gateway Connection Authorization Policies (CAP) and Resource Authorization Policies (RAP) on LON-SVR4
8. Create a relying party trust for RD Gateway/Web Access servers on LON-SVR1
9. Install the RDS certificate on LON-SVR2
10. Publish the RDS deployment via Web Application Proxy on LON-SVR2

Task 1: Create RDS Quick Start deployment on LON-SVR4
1. Sign in to the LON-SVR4 Windows Server 2016 lab virtual machine with the following credentials:
   USERNAME: ADATUM\Administrator
2. Click Start and click Server Manager.
3. In Server Manager, in the Manage menu, click Add Roles and Features. This will start the Add Roles and Features Wizard.
4. On the Before you begin page, click Next.
5. On the Select installation type page, select the Remote Desktop Services installation option and click Next.
6. On the Select deployment type page, select the Quick Start option and click Next.
   Quick Start deployment is intended for lab and proof of concept scenarios. It automatically deploys RD Web Access, RD Connection Broker, and RD Session Host or RD Virtualization Host (depending on your choice) on the same server. If you choose the RD Session Host option, it also automatically configures a QuickStartCollection consisting of three RemoteApp programs (Calculator, Paint, and WordPad).
7. On the Select deployment scenario page, select Session-based desktop deployment and click Next.
8. On the Select a server page, ensure that LON-SVR4 appears in the Selected section and click Next. If you receive an error message at this point regarding PowerShell Remoting not being enabled, restart the Add Roles and Features Wizard.
9. On the Confirm selections page, select the Restart the destination server automatically if required checkbox and click Deploy. Wait for the server to restart. The Remote Desktop Services installation can take up to 15 minutes.

10. Once the server has restarted, sign back in to the LON-SVR4 Windows Server 2016 lab virtual machine with the following credentials:
   USERNAME: ADATUM\Administrator
11. If the installation does not automatically restart, repeat steps 3-10.
12. Wait for the installation to complete and, in the Add Roles and Features Wizard window, click Close.

Task 2: Configure DNS on LON-DC1
1. Sign in to the LON-DC1 Windows Server 2016 lab virtual machine with the following credentials:
   USERNAME: ADATUM\Administrator
2. Click Start and, in the Start menu, click Server Manager. In Server Manager, click Tools and then click DNS.
3. In the DNS Manager console, navigate to the Adatum.com zone.
4. Right-click Adatum.com and, in the right-click menu, click New Host (A or AAAA).
5. In the New Host dialog box, type the following and click Add Host:
   Name: rds
   IP address: 172.16.0.14
6. In the DNS dialog box, click OK.
7. In the New Host dialog box, click Done.

Task 3: Install the RD Gateway and RD Licensing role services on LON-SVR4
1. On LON-SVR4, in Server Manager, in the left window pane, click Remote Desktop Services.
2. On the Overview page, verify that the current deployment includes the RD Web Access, RD Connection Broker, and RD Session Host role services, all residing on LON-SVR4.
3. Click the plus sign above the RD Gateway label. This will start the Add RD Gateway Servers wizard.
4. On the Server Selection page, ensure that LON-SVR4.adatum.com is selected in Server Pool on the left-hand side of the window, click the right-pointing arrow head to add it to the Selected servers, and click Next.
5. On the SSL Certificate Name page, in the SSL certificate name text box, type rds.adatum.com and click Next. You will replace this certificate with a certificate issued by your Enterprise CA later in this lab. In non-lab scenarios, you would use for this purpose a certificate issued by a public CA.
6. On the Confirmation page, click Add.
7. Wait till the operation completes and, on the Results page, click Close.

8. On the Overview page, click the plus sign above the RD Licensing label. This will start the Add RD Licensing Servers wizard.
9. On the Server Selection page, ensure that LON-SVR4.adatum.com is selected in Server Pool on the left-hand side of the window, click the right-pointing arrow head to add it to the Selected servers, and click Next.
10. On the Confirmation page, click Add.
11. Wait till the operation completes and, on the Results page, click Close.

Task 4: Publish updated Certificate Revocation List (CRL)
1. From the LON-DC1 Windows Server 2016 lab virtual machine, in Server Manager, click Tools and, in the Tools menu, start the Certification Authority console.
   You need to publish an updated Certificate Revocation List (CRL) to the CRL Distribution Point (DP) in order to be able to successfully enroll LON-SVR4 for a certificate issued by the Adatum CA in the next task.
2. In the Certification Authority console, expand the adatum-root-ca node, right-click the Revoked Certificates folder, click All Tasks and click Publish.
3. In the Publish CRL dialog box, accept the default setting and click OK.

Task 5: Enroll LON-SVR4 for a certificate issued by the Enterprise CA
1. While signed in to LON-SVR4 as ADATUM\Administrator, click Start, right-click Windows PowerShell, in the right-click menu, click More and then click Run as administrator.
2. From the Administrator: Windows PowerShell window, type the following and press Enter:
   certlm
   This will open the Microsoft Management Console (MMC) with the Certificates - Local Computer snap-in loaded.
3. Expand the Certificates - Local Computer top-level node, expand the Personal folder, right-click the Certificates folder, click All Tasks, and click Request New Certificate. This will start the Certificate Enrollment wizard.
4. On the Before You Begin page, click Next.
5. On the Select Certificate Enrollment Policy page, ensure that Active Directory Enrollment Policy is selected and click Next.
6. On the Request Certificates page, select the checkbox next to the Adatum Web Server certificate, click Details to view properties of the certificate, and click Properties.
7. In the Certificate Properties window, on the Subject tab, in the Subject name section, in the Type drop-down list, click Common name, in the Value text box, type rds.adatum.com, and click Add.
8. In the Alternative name section, in the Type drop-down list, click DNS and add the following names by typing them in the Value text box and clicking Add each time:
   rds.adatum.com
   LON-SVR4.adatum.com
9. Click the Private Key tab.
10. Under Key options, ensure the Make private key exportable option is checked and click OK.
11. Back on the Request Certificates wizard page, ensure the checkbox for the template is checked and click Enroll.
12. On the Certificate Installation Results page, click Finish.
   Now, you will export the newly issued certificate together with its private key. You will use it to configure the RDS deployment and to configure the Web Application Proxy on LON-SVR2.
13. Back in the Certificates console, in the Personal\Certificates folder, right-click the rds.adatum.com entry issued by adatum-root-ca, in the right-click menu, click All Tasks and then click Export. This will start the Certificate Export Wizard. Make sure to use the certificate issued by adatum-root-ca, not the self-signed certificate you generated earlier in this lab.
14. On the Welcome to the Certificate Export Wizard page, click Next.
15. On the Export Private Key page, click the Yes, export the private key option and click Next.
16. On the Export File Format page, click Next.
17. On the Security page, select the Password checkbox and then type Pa55w.rd in the Password and Confirm password text boxes.
18. On the File to Export page, type C:\rds.adatum.com.pfx and click Next.
19. On the Completing the Certificate Export Wizard page, click Finish.
20. In the Certificate Export Wizard dialog box, click OK.

Task 6: Configure certificate settings of the RDS deployment on LON-SVR4
1. On LON-SVR4, in Server Manager, on the Remote Desktop Services page, click Collections.
2. On the Collections page, click Tasks in the upper right corner and, in the drop-down menu, click Edit Deployment Properties. This will open the Deployment Properties window.
3. In the Deployment Properties window, click Certificates.
4. Make sure that the RD Connection Broker - Enable Single Sign On entry is selected and click Select existing certificate.
5. In the Select Existing Certificate window, ensure that the Choose a different certificate option is selected, click Browse, in the Open dialog box, navigate to the root of the C: drive, click rds.adatum.com.pfx, and click Open.
6. In the Password text box, type Pa55w.rd, select the Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers checkbox and click OK.
7. Back on the Manage certificates page of the Configure the deployment window, click Apply.

Now you will repeat the same steps for the other role services.
8. Make sure that the RD Connection Broker - Publishing entry is selected and click Select existing certificate.
9. In the Select Existing Certificate window, ensure that the Choose a different certificate option is selected, click Browse, in the Open dialog box, navigate to the root of the C: drive, click rds.adatum.com.pfx, and click Open.
10. In the Password text box, type Pa55w.rd, select the Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers checkbox and click OK.
11. Back on the Manage certificates page of the Configure the deployment window, click Apply.
12. Make sure that the RD Web Access entry is selected and click Select existing certificate.
13. In the Select Existing Certificate window, ensure that the Choose a different certificate option is selected, click Browse, in the Open dialog box, navigate to the root of the C: drive, click rds.adatum.com.pfx, and click Open.
14. In the Password text box, type Pa55w.rd, select the Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers checkbox and click OK.
15. Back on the Manage certificates page of the Configure the deployment window, click Apply.
16. Make sure that the RD Gateway entry is selected and click Select existing certificate.
17. In the Select Existing Certificate window, ensure that the Choose a different certificate option is selected, click Browse, in the Open dialog box, navigate to the root of the C: drive, click rds.adatum.com.pfx, and click Open.
18. In the Password text box, type Pa55w.rd, select the Allow the certificate to be added to the Trusted Root Certification Authorities certificate store on the destination computers checkbox and click OK.
19. Back on the Manage certificates page of the Configure the deployment window, click Apply.
20. Click OK.
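The four certificate assignments in Task 6 can also be scripted. The following PowerShell is an added example, not code from the lab manual: it checks the exported PFX before the deployment trusts it (both SAN names present, not self-signed, private key included), applies it to all four role services with Set-RDCertificate, and reads back what each role reports. It assumes the RemoteDesktop module on LON-SVR4 and the C:\rds.adatum.com.pfx file exported in Task 5.

```powershell
# Added example (not from the lab manual). Run on LON-SVR4 in an elevated PowerShell window.
# Assumes the RemoteDesktop module (installed with the RDS roles) and the PFX from Task 5.
Import-Module RemoteDesktop

$broker   = 'LON-SVR4.adatum.com'
$pfxPath  = 'C:\rds.adatum.com.pfx'
$pfxPass  = Read-Host -Prompt 'PFX password' -AsSecureString   # Pa55w.rd in this lab
$expected = @('rds.adatum.com', 'LON-SVR4.adatum.com')

# Inspect the PFX first: every name clients connect to must be in the Subject Alternative Name
# extension (OID 2.5.29.17), and it must be the CA-issued certificate, not the self-signed one
# that the Add RD Gateway Servers wizard created in Task 3.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxPath, $pfxPass, 'DefaultKeySet')
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
# On Windows, Format($false) renders the SAN as "DNS Name=a, DNS Name=b".
$sanNames = if ($sanExt) { ($sanExt.Format($false) -split ',\s*') -replace '^DNS Name=', '' } else { @() }
foreach ($name in $expected) {
    if ($sanNames -notcontains $name) {
        throw "SAN is missing $name (found: $($sanNames -join ', '))"
    }
}
if ($cert.Issuer -eq $cert.Subject) { throw 'PFX holds a self-signed certificate, not one issued by adatum-root-ca' }
if (-not $cert.HasPrivateKey)      { throw 'PFX contains no private key; re-export with "Yes, export the private key"' }

# RDRedirector = "RD Connection Broker - Enable Single Sign On", RDPublishing = "RD Connection
# Broker - Publishing". -Force suppresses the per-role confirmation prompt.
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPass `
        -ConnectionBroker $broker -Force
}

# Every role should now report the same thumbprint as the PFX and a Level of Trusted.
$report = Get-RDCertificate -ConnectionBroker $broker
$report | Select-Object Role, Level, IssuedTo, IssuedBy, ExpiresOn, Thumbprint | Format-Table -AutoSize
$mismatch = $report | Where-Object { $_.Thumbprint -ne $cert.Thumbprint }
if ($mismatch) { Write-Warning "Roles not using $($cert.Thumbprint): $($mismatch.Role -join ', ')" }
```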
Task 7: Review RD Gateway CAP and RAP on LON-SVR4
1. On LON-SVR4, in Server Manager, click Tools, in the drop-down menu, click Remote Desktop Services, and then click Remote Desktop Gateway Manager.
2. In the Remote Desktop Gateway Manager console, expand the LON-SVR4 (Local) node, expand the Policies subfolder, and then click the Connection Authorization Policies subfolder.
3. Double-click the default RDG_CAP_AllUsers connection authorization policy.
4. In the RDG_CAP_AllUsers window, click the Requirements tab and verify that the Password-based Windows authentication method is enabled, and that connecting users must be members of the ADATUM\Domain Users group.
5. In the RDG_CAP_AllUsers window, click the Device Redirection tab, and review the Disable device redirection for the following client device types settings.
6. In the Remote Desktop Gateway Manager console, click the Resource Authorization Policies subfolder.
7. Double-click the default RDG_AllDomainComputers resource authorization policy.
8. In the RDG_AllDomainComputers window, click the User Groups tab and verify that members of the ADATUM\Domain Users group can connect through RD Gateway to network resources defined in this policy.
9. In the RDG_AllDomainComputers window, click the Network Resource tab and verify that members of the ADATUM\Domain Computers group are accessible through the RD Gateway.
10. Click OK to close the RDG_AllDomainComputers window.
11. Double-click the default RDG_RDConnectionBrokers resource authorization policy.
12. In the RDG_RDConnectionBrokers window, click the User Groups tab and verify that members of the ADATUM\Domain Users group can connect through RD Gateway to network resources defined in this policy.
13. In the RDG_RDConnectionBrokers window, click the Network Resource tab and verify that members of the RDG_RDBCComputers group are accessible through the RD Gateway. This group currently includes only LON-SVR4.
14. Click OK to close the RDG_RDConnectionBrokers window.

Task 8: Create a relying party trust for RD Gateway/Web Access servers on LON-SVR1
1. Switch to the console session on the LON-SVR1 Windows Server 2016 lab virtual machine and verify that you are signed in as ADATUM\Administrator. If not, sign out and sign back in with the following credentials:
   USERNAME: ADATUM\Administrator
2. Click Start and then click Server Manager. In Server Manager, click Tools and, in the drop-down menu, click AD FS Management.
3. In the AD FS Management console, click the Relying Party Trusts folder.
4. In the Actions pane, click Add Relying Party Trust. This will start the Add Relying Party Trust Wizard.
5. On the Welcome to the Add Relying Party Trust Wizard page, ensure that the Claims aware option is selected and click Start.
6. On the Select Data Source page, select the Enter data about the relying party manually option and click Next.
7. On the Specify Display Name page, in the Display name text box, type Adatum RDS Deployment and click Next.
8. On the Configure Certificate page, click Next.
9. On the Configure URL page, click Next.
10. On the Configure Identifiers page, in the Relying party trust identifier text box, type https://rds.adatum.com/, click Add and click Next.
11. On the Choose Access Control Policy page, accept the default settings and click Next.
12. On the Ready to Add Trust page, click Next.
13. On the Finish page, uncheck the Configure claims issuance policy for this application checkbox and click Close.

Task 9: Install the RDS certificate on LON-SVR2
1. Switch to the console session on the LON-SVR2 Windows Server 2016 lab virtual machine and verify that you are signed in as ADATUM\Administrator. If not, sign out and sign back in with the following credentials:
   USERNAME: ADATUM\Administrator
2. Right-click Start and, in the right-click menu, click Command Prompt (Admin).
3. From the Administrator: Command Prompt window, run the following:
   robocopy \\172.16.0.14\c$ c:\ rds.adatum.com.pfx
   In real-life scenarios, you would copy the certificate via removable media.
4. From the Administrator: Command Prompt window, run the following:
   certlm
   This will open the Certificates - Local Computer console.
5. Expand the Certificates - Local Computer top-level node, right-click the Personal folder, click All Tasks, and click Import. This will start the Certificate Import Wizard.
6. On the Welcome to the Certificate Import Wizard page, click Next.
7. On the File to Import page, click Browse.
8. In the Open dialog box, switch the filter to Personal Information Exchange (*.pfx), browse to the root of C:, click rds.adatum.com.pfx, and click Open.
9. Back on the File to Import page, click Next.
10. On the Private key protection page, in the Password text box, type Pa55w.rd and click Next.
11. On the Certificate Store page, accept the default setting and click Next.
12. On the Completing the Certificate Import Wizard page, click Finish.
13. In the Certificate Import Wizard dialog box, click OK.

Task 10: Publish the RDS deployment via Web Application Proxy on LON-SVR2
1. On LON-SVR2, in Server Manager, click Tools and, in the drop-down menu, click Remote Access Management.
2. In the Remote Access Management console, click Publish in the Tasks pane. This will start the Publish New Application Wizard.
3. On the Welcome page, click Next.
4. On the Preauthentication page, ensure that the Active Directory Federation Services (AD FS) option is selected and click Next.
5. On the Supported Clients page, ensure that the Web and MSOFBA option is selected and click Next.
6. On the Relying Party page, click Adatum RDS Deployment and click Next.
7. On the Publishing Settings page, set Name to Adatum RDS Deployment, set External URL to https://rds.adatum.com/, accept the default setting for the Backend server URL (matching the External URL), in the External certificate drop-down menu, select the rds.adatum.com certificate, and click Next.
8. On the Confirmation page, click Publish.
9. On the Results page, click Close.
10. While signed in to LON-SVR2 as ADATUM\Administrator, click Start, right-click Windows PowerShell, in the right-click menu, click More and then click Run as administrator.
11. From the Administrator: Windows PowerShell window, type the following (on one line) and press Enter:
   Get-WebApplicationProxyApplication -Name "Adatum RDS Deployment" | Set-WebApplicationProxyApplication -DisableHttpOnlyCookieProtection:$true -InactiveTransactionsTimeoutSec 28800
   DisableHttpOnlyCookieProtection must be enabled for the RD Gateway to function correctly in this scenario. The InactiveTransactionsTimeoutSec setting increases the idle session timeout.
12. Switch to the console of LON-SVR4, where you are signed in as ADATUM\Administrator.
13. On LON-SVR4, from the Administrator: Windows PowerShell window, type the following (on one line) and press Enter:
   Set-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection -CustomRdpProperty "pre-authentication server address:s:https://rds.adatum.com/rdweb/`nrequire pre-authentication:i:1"
   This assigns a custom RDP property to the session collection named QuickSessionCollection in order to allow RD Gateway to retrieve the AD FS edge token.
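As an added check that is not part of the original lab, the following PowerShell, run on LON-SVR2 after Task 10, confirms the WAP application settings from step 11, compares the certificate actually served on https://rds.adatum.com/ with the one imported in Task 9, and builds the chain with online revocation checking so that an unreachable CRL Distribution Point (the failure an external client would hit) shows up here first. It assumes the WebApplicationProxy module on LON-SVR2, that rds.adatum.com resolves to 172.16.0.12 from that server, and that the Get-WebApplicationProxyApplication output exposes the DisableHttpOnlyCookieProtection, InactiveTransactionsTimeoutSec and ExternalPreauthentication properties.

```powershell
# Added example (not from the lab manual). Run on LON-SVR2 as ADATUM\Administrator.
# Assumes: WebApplicationProxy module, rds.adatum.com resolving to this server, and the
# Task 9 import having placed the certificate in Cert:\LocalMachine\My.
Import-Module WebApplicationProxy

$appName  = 'Adatum RDS Deployment'
$hostName = 'rds.adatum.com'
$problems = @()

# 1. WAP application settings: AD FS preauthentication plus the two values set in step 11.
$app = Get-WebApplicationProxyApplication -Name $appName
if (-not $app) { throw "No WAP application named '$appName'" }
if ($app.ExternalPreauthentication -ne 'ADFS')     { $problems += 'Preauthentication is not AD FS' }
if (-not $app.DisableHttpOnlyCookieProtection)      { $problems += 'HttpOnly cookie protection still enabled; RD Gateway needs it disabled' }
if ($app.InactiveTransactionsTimeoutSec -lt 28800)  { $problems += "Inactive timeout is $($app.InactiveTransactionsTimeoutSec)s, expected 28800" }

# 2. TLS handshake against the published name to capture the leaf certificate the proxy presents.
#    The callback accepts anything only so the handshake completes; validation happens in step 3.
$tcp = New-Object System.Net.Sockets.TcpClient($hostName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($hostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# The certificate imported from rds.adatum.com.pfx in Task 9 (newest one with a private key).
$imported = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$hostName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $imported) {
    $problems += "No $hostName certificate with a private key in LocalMachine\My"
} elseif ($served.Thumbprint -ne $imported.Thumbprint) {
    $problems += "Served thumbprint $($served.Thumbprint) differs from imported $($imported.Thumbprint)"
}

# 3. Build the chain with online revocation checking: this is what an external client does,
#    so a CDP that is not reachable through LON-SVR2 fails here rather than at the user.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if (-not $chain.Build($served)) {
    $problems += ($chain.ChainStatus | ForEach-Object { "Chain: $($_.Status) $($_.StatusInformation.Trim())" })
}

# Also fetch every HTTP CRL Distribution Point (OID 2.5.29.31) the leaf certificate advertises.
$cdpExt = $served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$cdpUrls = if ($cdpExt) { [regex]::Matches($cdpExt.Format($true), 'http://[^\s)]+') | ForEach-Object { $_.Value } } else { @() }
if (-not $cdpUrls) { $problems += 'Leaf certificate carries no HTTP CRL Distribution Point' }
foreach ($url in $cdpUrls) {
    try   { $null = Invoke-WebRequest -Uri $url -UseBasicParsing; "OK: CRL reachable at $url" }
    catch { $problems += "CRL at $url not reachable: $($_.Exception.Message)" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "All checks passed for '$appName' ($hostName, thumbprint $($served.Thumbprint), issuer $($served.Issuer))" }
```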

Results: After completing this exercise, you will have implemented AD FS and Web Application Proxy, created and configured an RDS deployment, and published RD Web Access and RD Gateway by using AD FS preauthentication.

Exercise 2: Validate the RD Gateway-based access
Now that you have implemented a Remote Desktop Services deployment, you need to verify that both external and internal users can access the RDS-published apps.
The main tasks for this exercise are as follows:
1. Test access to published RDS apps from an external client
2. Test access to published RDS apps from an internal client

Task 1: Test access to published RDS apps from an external client
You will emulate a scenario that involves an external client by using LON-CL1, which was removed from the domain in the Web Application Proxy lab of this course. At that time, the DNS settings of LON-CL1 were modified in order to prevent its communication with LON-DC1. Note that LON-CL1 has also been configured to trust the CA that issued the AD FS/WAP and RDS certificates by adding the adatum-root-ca certificate to its Trusted Root Certification Authorities certificate store. In addition, LON-CL1 can reach the CRL distribution point of the adatum-root-ca Certification Authority, since that distribution point has been set up on LON-SVR2, which functions as the Web Application Proxy.
1. Sign in to the LON-CL1 Windows 10 lab virtual machine using the following credentials:
   USERNAME: Administrator
2. On LON-CL1, right-click Start and, in the right-click menu, click Command Prompt (Admin).
3. From the Administrator: Command Prompt window, run the following:
   certlm
4. In the Certificates - Local Computer top-level node, expand the Trusted Root Certification Authorities folder, click the Certificates folder, and verify that it includes the adatum-root-ca entry.
5. From the Administrator: Command Prompt window, run the following:
   Notepad c:\windows\system32\drivers\etc\hosts
6. In Notepad, add the following entries to the hosts file, representing the external IP address of the Web Application Proxy, the Adatum CA CRL Distribution Point, and the published Adatum RDS deployment:
   172.16.0.12 adfs.adatum.com
   172.16.0.12 cdp.adatum.com
   172.16.0.12 rds.adatum.com
   Note that, in real-life scenarios, we would rely on the name resolution of a DNS server that the client computer is using. Such a DNS server should be able to resolve Internet-accessible names in the externally hosted adatum.com DNS namespace to their corresponding public IP addresses.
7. Save your changes and close Notepad.
8. From the Administrator: Command Prompt window, run the following:
   ncpa.cpl
9. In the Network Connections window, right-click the Ethernet connection and click Properties.
10. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
11. Verify that the Preferred DNS server entry is blank and click OK.
12. Back in the Ethernet Properties window, click Close.
13. Start Internet Explorer (you will find it in the Accessories folder in the Start menu) and browse to https://rds.adatum.com/rdweb/
14. On the Adatum Federation Service page, specify the following credentials and click Sign in:
   ADATUM\Administrator
   Pa55w.rd
15. If prompted with the message Would you like to store your password for adatum.com, click Not for this site.
16. When prompted with the message This webpage wants to run the following add-on: Microsoft Remote Desktop Services Web Access Control from Microsoft Corporation, click Allow and then click Allow for all websites. This add-on is critical for minimizing the number of authentication prompts.
17. On the Work Resources RemoteApp and Desktop Connection page, in the Domain\user name text box, type ADATUM\Administrator, in the Password text box, type Pa55w.rd, in the Security section, click This is a private computer, and click Sign in.
18. When prompted with the message Would you like to store your password for adatum.com, click Not for this site.
19. On the RemoteApp and Desktops tab of the Work Resources RemoteApp and Desktop Connection page, click WordPad.
20. If prompted, in the RemoteApp dialog box, click Don't ask me again for remote connections from this publisher and click Connect.
21. Verify that the application launches successfully. Note that the application might appear minimized as an icon in the Taskbar. If so, click it to display the WordPad window.

Task 2: Test access to published RDS apps from an internal client
Now you will add LON-CL1 back to the domain to test the use of published RDS apps from the internal network.
1. While signed in to the LON-CL1 Windows 10 lab virtual machine as LON-CL1\Administrator with the password Pa55word, from the Administrator: Command Prompt window, run the following:
   Notepad c:\windows\system32\drivers\etc\hosts
2. In Notepad, comment out the entries in the hosts file representing the external IP address of the Web Application Proxy, the published web application, and the Adatum CA CRL Distribution Point by placing a hash sign in front of each:
   # 172.16.0.12 adfs.adatum.com
   # 172.16.0.12 cdp.adatum.com
   # 172.16.0.12 rds.adatum.com
3. Save your changes and close Notepad.
4. From the Administrator: Command Prompt window, run the following:
   ncpa.cpl
5. In the Network Connections window, right-click the Ethernet connection and click Properties.
6. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4) and click Properties.
7. Set the Preferred DNS server to 172.16.0.10 and click OK.
8. Back in the Ethernet Properties window, click Close.
9. Right-click the Start button, and then click System.
10. In the System window, click Advanced system settings, and then click the Computer Name tab.
11. On the Computer Name tab, click the Change button.
12. In the Computer Name/Domain Changes dialog box, click Domain, in the Domain box, type adatum.com, and then click OK.
13. In the Computer Name/Domain Changes dialog box, in the User name text box, type ADATUM\Administrator, in the Password text box, type Pa55w.rd, and click OK.
14. In the Welcome to the adatum domain dialog box, click OK.
15. To restart the computer, click OK.
16. To close the System Properties dialog box, click Close.
17. Click Restart Now, and then wait for the computer to restart.
18. Once LON-CL1 restarts, sign in using the following credentials:
   USERNAME: ADATUM\Administrator
19. Start Internet Explorer.
20. In Internet Explorer, add https://*.adatum.com to the Local intranet zone.
21. Next, browse to https://rds.adatum.com/rdweb/
22. On the Work Resources RemoteApp and Desktop Connection page, in the Domain\user name text box, type ADATUM\Administrator, in the Password text box, type Pa55w.rd, in the Security section, click This is a private computer, and click Sign in.
23. When prompted with the message Would you like to store your password for adatum.com, click Not for this site.
24. If prompted with the message This webpage wants to run the following add-on: Microsoft Remote Desktop Services Web Access Control from Microsoft Corporation, click Allow and then click Allow for all websites.
25. On the RemoteApp and Desktops tab of the Work Resources RemoteApp and Desktop Connection page, click WordPad.
26. If prompted, in the RemoteApp dialog box, click Don't ask me again for remote connections from this publisher and click Connect.
27. Verify that the application launches successfully.

Results: After completing this exercise, you will have tested access to RD Web Access published apps from an internal and an external client.