Privileged Access Agent on a Remote Desktop Services Gateway


IBM Security Privileged Identity Manager
User Experience and Configuration Cookbook
Version 1.0, November 2017

Contents

1. Introduction
2. Prerequisites
3. Setting up Privileged Access Agent on a Remote Desktop Services Gateway
   3.1 Exporting Root Certificate
   3.2 Deploying certificate
   3.3 Installing Privileged Access Agent
   3.4 Configuring automatic login for Privileged Access Agent
4. User experience
   4.1 Connecting to RemoteApp
   4.2 Automatic login to applications
   4.3 Starting applications
   4.4 Session timeout
   4.5 Terminating an active session
5. Benefits
6. Troubleshooting and support
   6.1 Remote Desktop Services
       6.1.1 Unable to install Remote Desktop Services
       6.1.2 Unable to connect to the Remote Desktop Gateway Server
       6.1.3 Remote Computer could not be found
       6.1.4 Unable to verify the identity of the RD Gateway
       6.1.5 Unable to login automatically to Remote Desktop Session Host
   6.2 Privileged Access Agent
       6.2.1 Unable to connect to the IMS server
7. Appendix
   7.1 Setting up Remote Desktop Services
       7.1.1 Joining a network domain
       7.1.2 Installing Remote Desktop Services
       7.1.3 Configuring Remote Desktop Services
       7.1.4 Configuring automatic login for Remote Desktop Services
       7.1.5 Configuring session time out

Document history

Version 1.0: Initial version. Authors: Chee Meng Low, Jia Hui Chan. Date: 20 November 2017.

For cookbook updates, contact one of the following authors:
Daniel Kuan Jern Ng, ngkjd@sg.ibm.com
Haan-Ming Lim, haanming@sg.ibm.com

1. Introduction

This cookbook describes the user experience of using Privileged Access Agent on a Remote Desktop Gateway, and explains how to integrate Microsoft Remote Desktop Services with Privileged Access Agent.

Microsoft RemoteApp is part of the Microsoft Remote Desktop Services virtualization platform for Windows servers. RemoteApp allows organizations to provide access to individual applications without having users install these applications on their workstations. Using a web browser, users log in to the Remote Desktop Services Web Access page with their corporate credentials to run the published applications. Publishing applications through RemoteApp reduces the effort of managing and maintaining them.

With Privileged Access Agent integrated on a Remote Desktop Services Gateway, privileged users can connect to protected systems in a protected network that has no direct network connectivity to their workstations. When you start an application, such as PuTTY or WinSCP, that is published as a RemoteApp, Privileged Access Agent performs the necessary check-out of credentials and triggers single sign-on into the various targets.

2. Prerequisites

- IBM Security Privileged Identity Manager Version 2.1.0 with Fix Pack 6 or later.
- Privileged Access Agent Version 2.1.0 with Fix Pack 7 or later.
- Remote Desktop Services running on Windows Server 2012 R2. Note: Known as Terminal Server in earlier versions of Windows.

Ensure that you have the following components installed and configured. For information on installing and configuring the components, refer to the product documentation:

- IBM Security Privileged Identity Manager Virtual Appliance: Installing and Configuring. (2016). Retrieved from https://www.ibm.com/support/knowledgecenter/en/ssrqbp_2.1.0/com.ibm.ispim.doc/landing/installing_landing.html
- Active Directory Server: Managing the external user configuration. (2016). Retrieved from https://www.ibm.com/support/knowledgecenter/en/ssrqbp_2.1.0/com.ibm.ispim.doc/installing/tsk/t_managing_extldap.html
- Managed Resources: Identity provider management. (2016). Retrieved from https://www.ibm.com/support/knowledgecenter/en/ssrqbp_2.1.0/com.ibm.ispim.doc/admin/cpt/cpt_sc_identityprov_mngt.html

Note: You must configure IBM Security Privileged Identity Manager to use Active Directory as the user registry. This configuration allows automatic login to Privileged Access Agent when the user logs in to Microsoft Remote Desktop Services.

3. Setting up Privileged Access Agent on a Remote Desktop Services Gateway

Before you set up Privileged Access Agent on a Remote Desktop Services Gateway, ensure that the server has Remote Desktop Services installed with the necessary configuration. For more information, see the following sections:
- Appendix 7.1.2 Installing Remote Desktop Services
- Appendix 7.1.3 Configuring Remote Desktop Services

3.1 Exporting Root Certificate

You must import the signer certificate of the IBM Security Privileged Identity Manager Virtual Appliance into the Trusted Root Certification Authorities store of the server where Privileged Access Agent is installed. Privileged Access Agent uses it to validate its connections to the IBM Security Privileged Identity Manager Virtual Appliance.

Note: The following configuration steps use Firefox 55.0 as the web browser. Refer to your web browser's documentation on how to export the certificate of a website to a file.

1. Open a Firefox web browser and connect to the self-service interface. For example: https://ispim1.example.com/itim/self
2. From the address bar, click and select.
3. Select More Information.
4. In the Security tab, select View Certificate.
5. In the Details tab, select PIMVA in the Certificate Hierarchy section, then click Export.

6. Save the file as type X.509 Certificate (DER).

3.2 Deploying certificate

After exporting the certificate, copy it into the Privileged Access Agent installer package.

1. Copy the certificate to the following location in the installer:
   For x86 operating systems: aa-<version_number>\{9713108d-08d5-474e-92a3-09cd7b63db34}\config
   For x64 operating systems: aa-<version_number>_x64\{e72c4028-45bb-4ee6-8563-3066eeb39a84}\config
2. Proceed with installing Privileged Access Agent.

3.3 Installing Privileged Access Agent

Note: Before you install Privileged Access Agent, set the following options to the respective values in the SetupHlp.ini file, located in the Config folder of the Privileged Access Agent installation package.

EncentuateNetworkProviderEnabled: Set to 1 to enable the PAA Network Provider.
EncentuateCredentialProviderEnabled: Set to 0 to disable the PAA Credential Provider.
EnginaEnabled: Set to 0 to disable the PAA Credential Provider.
InstallTypeGPO: Verify that the value is set to 1.
ImsConfigurationPromptEnabled: Verify that the value is set to 0.
ImsServerName: Specify the virtual appliance or the load balancer. For example: IMSServerName = ispim1.example.com

Save the file with the new values and proceed with the installation.

1. Open the command prompt.
2. Type the following command:
   32-bit: aa-<version>\setup.exe /silent /language:lcid
   64-bit: aa-<version>_x64\setup.exe /silent /language:lcid
   Where:
   setup.exe: Installs Privileged Access Agent.
   /silent: Specifies a silent installation.

   /language:lcid: Specifies the language that is displayed in Privileged Access Agent. For example, to set the language to English (United States): /language:1033
   Note: If the parameter is not specified, the installer uses the operating system locale to determine the language to install. For a list of language Locale IDs (LCID), go to the Microsoft website at www.microsoft.com and search for "Locale IDs assigned by Microsoft". If you specify a language ID that is not supported by the installation, the parameter is ignored.
3. When the system restarts, the Privileged Access Agent icon is shown in the system tray.

3.4 Configuring automatic login for Privileged Access Agent

To enable automatic login to Privileged Access Agent when a user logs in to a Windows session on the Remote Desktop server, use the following procedure:

1. Open a web browser and log in to AccessAdmin. For example: https://ispim1.example.com/admin
2. Select Machine Policy Templates > New template.
3. Enter a name. For example: Automatic Login MPT
4. Under Criteria, select Use this as the default template for machines.
5. Navigate to AccessAgent Policies > Logon/Log off Policies.
6. Set the value of Enable Network Provider to Yes.
7. Click Add.
8. Select Machine Policy Templates > Template assignments, and move the created template to the top of the list.
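The following PowerShell script is an added example, not part of the IBM cookbook, that automates the certificate deployment (3.2) and the SetupHlp.ini edits plus silent install (3.3) on the gateway server, and checks that the signer certificate is trusted by the machine (the check from 6.2.1) before the install runs. It assumes hypothetical paths (C:\Install\aa-2.1.0.7_x64 for the extracted x64 installer, C:\Install\pimva.der for the certificate exported in 3.1) and uses the cookbook's sample IMS host name ispim1.example.com.

```powershell
# Added example (not from the IBM cookbook): prepare and silently install
# Privileged Access Agent on the RD Gateway, following sections 3.2 and 3.3.
# Hypothetical values: installer root, certificate path. ispim1.example.com is the
# cookbook's own sample host name.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$InstallerRoot = 'C:\Install\aa-2.1.0.7_x64'                        # hypothetical path
$ConfigDir     = Join-Path $InstallerRoot '{e72c4028-45bb-4ee6-8563-3066eeb39a84}\config'
$CertFile      = 'C:\Install\pimva.der'                              # exported in 3.1 (hypothetical path)
$ImsServer     = 'ispim1.example.com'
$SetupHlp      = Join-Path $ConfigDir 'SetupHlp.ini'

# Values from the 3.3 table: network provider on, credential provider and GINA off,
# GPO install type, no IMS prompt, IMS server name pinned.
$Required = [ordered]@{
    EncentuateNetworkProviderEnabled    = '1'
    EncentuateCredentialProviderEnabled = '0'
    EnginaEnabled                       = '0'
    InstallTypeGPO                      = '1'
    ImsConfigurationPromptEnabled       = '0'
    ImsServerName                       = $ImsServer
}

function Set-IniValue {
    # Replace "Key=value" in place (key matched case-insensitively, whitespace around
    # '=' tolerated); append the key if the file does not contain it yet.
    param([string]$Path, [string]$Key, [string]$Value)
    $lines   = Get-Content -Path $Path
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $found   = $false
    $out = @(foreach ($line in $lines) {
        if (-not $found -and $line -match $pattern) { $found = $true; "$Key=$Value" }
        else { $line }
    })
    if (-not $found) { $out += "$Key=$Value" }
    Set-Content -Path $Path -Value $out
}

# 1. Make sure the IMS signer certificate is in Trusted Root Certification Authorities
#    (the check in 6.2.1); import it if it is missing.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $trusted) {
    Import-Certificate -FilePath $CertFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Imported $($cert.Subject) ($($cert.Thumbprint)) into Trusted Root CAs"
}

# 2. Copy the certificate into the installer's config folder (3.2).
Copy-Item -Path $CertFile -Destination $ConfigDir -Force

# 3. Apply the SetupHlp.ini settings from the 3.3 table.
foreach ($kv in $Required.GetEnumerator()) {
    Set-IniValue -Path $SetupHlp -Key $kv.Key -Value $kv.Value
}

# 4. Re-read the file and stop if any value did not take; a silent install gives no
#    second chance to notice a typo.
$ini = @{}
Get-Content $SetupHlp | ForEach-Object {
    if ($_ -match '^\s*([^;#=\s][^=]*?)\s*=\s*(.*?)\s*$') { $ini[$Matches[1]] = $Matches[2] }
}
foreach ($kv in $Required.GetEnumerator()) {
    if ($ini[$kv.Key] -ne $kv.Value) {
        throw "SetupHlp.ini: $($kv.Key) is '$($ini[$kv.Key])', expected '$($kv.Value)'"
    }
}

# 5. Silent install with the English (United States) UI, LCID 1033 (3.3 step 2).
$setup = Join-Path $InstallerRoot 'setup.exe'
$p = Start-Process -FilePath $setup -ArgumentList '/silent', '/language:1033' -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "setup.exe exited with code $($p.ExitCode)" }
Write-Host 'Install finished; the Privileged Access Agent tray icon appears after the restart (3.3 step 3)'
```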

4. User experience

Table 1. Comparing a typical Privileged Access Agent deployment on a workstation with a deployment on the Remote Desktop Services Gateway.

Operating system of the Privileged User's workstation
  On a workstation: Requires an RDP client.
  On Remote Desktop Services Gateway: Requires a supported RDP client for the operating system.

Prerequisites
  On a workstation: Client application installed on the Privileged User's workstation. Privileged Access Agent installed on the Privileged User's workstation.
  On Remote Desktop Services Gateway: Client application published on the Remote Desktop Services Gateway. Privileged Access Agent published on the Remote Desktop Services Gateway. Web browser on the user's workstation.

Logon and connection
  On a workstation:
    1. Privileged User logs on to the workstation.
    2. Privileged User launches the target client application. Privileged Access Agent triggers the credential check-out prompt.
    3. Privileged User selects the credential and enters a justification. Privileged Access Agent checks out and injects the privileged credential.
  On Remote Desktop Services Gateway:
    1. Privileged User logs on to the workstation.
    2. Privileged User logs in to the RD Web Access web application.
    3. Privileged User launches the published client application. Privileged Access Agent triggers the credential check-out prompt.
    4. Privileged User selects the credential and enters a justification. Privileged Access Agent checks out and injects the privileged credential.

4.1 Connecting to RemoteApp

Important: To achieve automatic login from a workstation that is not in the same domain as the gateway, you must use Internet Explorer as your web browser to access RemoteApp.

Note: Automatic login for Remote Desktop Services requires Remote Desktop Protocol (RDP) 8.0 on Windows 7 or earlier workstations.

When connecting to the RemoteApp server, you must log in through a web browser using the Remote Desktop Gateway address. On your initial logon, you are prompted to allow the web page to run the Microsoft Remote Desktop Services Web Access Control add-on. Verify that the add-on is enabled by navigating to Tools and selecting Manage Add-ons. Select the MsRdpClientShell add-on to view more details.

If you are using a workstation that is in the same domain as the gateway, you can use any web browser to access RemoteApp. Additional add-ons are not required for a domain member workstation.

After you log in to RemoteApp with a valid Active Directory credential, the list of published applications is displayed. An administrator can manage these applications by publishing and unpublishing them at any time. This makes deploying application updates easy and ensures that your users are always using the preferred versions.

4.2 Automatic login to applications

Since Remote Desktop Services supports automatic login, you do not need to enter your credentials again when a published application is started. The login credentials are validated when you log in to RemoteApp. Privileged users are logged in to Privileged Access Agent automatically because the user ID and password are synchronized with Active Directory.

A taskbar tray icon is displayed when you establish a successful connection to the server. Manage connections by using the RemoteApp and Desktop Connections application that is running in the taskbar.

To achieve a seamless login process, you must configure IBM Security Privileged Identity Manager to use Active Directory as its user registry. Furthermore, extra configuration is required on the Active Directory server. See Appendix 7.1.4 Configuring automatic login for Remote Desktop Services.

4.3 Starting applications

When you access a managed resource through an application such as PuTTY, RDP, or WinSCP, Privileged Access Agent performs a single sign-on with automated check-out and check-in of shared credentials. This feature allows privileged users to connect to the system without any knowledge of the password of the privileged identity. Each recorded session is available to authorized users for replay through the Privileged Identity Manager Session Recorder console.

You can also launch these applications from non-Windows-based workstations, where it is not feasible to install Privileged Access Agent. Applications are started in a local window without displaying the full Windows desktop environment. However, you may be prompted to re-enter your Active Directory credentials when entering a Remote Desktop server.

4.4 Session timeout

By default, Remote Desktop Services allows you to disconnect from an active session without having to log off and end the session. When a session is disconnected, applications that are running are kept active even when you are not connected. If an idle session limit is set and expires, you are either logged off or disconnected from the session after 2 minutes. Optionally, extend your session by clicking OK. Configure these settings on the Remote Desktop Services host. See Appendix 7.1.5 Configuring session time out.

4.5 Terminating an active session

To terminate an active session, close all applications and disconnect from the RemoteApp server. When the session is disconnected, sign out of the RemoteApp portal.

5. Benefits

Privileged Access Agent on a Remote Desktop Services Gateway has several benefits: it reduces deployment complexity, supports multiple platforms, enhances security, and improves overall efficiency. The benefits are as follows:

Ease of access: Users can connect remotely because the gateway is made accessible over the internet, across firewalls and proxies. A privileged user's workstation does not need to join the Active Directory domain to access the gateway.

Secure remote access: Because credentials are fetched and consumed within the Remote Desktop Services servers, privileged credentials remain protected even when you are accessing from an untrusted network.

Centralized deployment: Privileged Access Agent is installed on the gateway rather than on each privileged user's workstation. This setup allows large deployments to be done with ease.

Application consolidation: Installing Privileged Access Agent and applications on the gateway eliminates the need to update applications on privileged users' workstations. This approach ensures that users are always using the preferred versions of Privileged Access Agent and the applications.

Support for various platforms: For privileged users who are not using a Windows operating system, it is not feasible to install Privileged Access Agent on the workstation. Privileged Access Agent on a Remote Desktop Services Gateway allows such users to connect to the gateway from any operating system that is supported by Microsoft.

6. Troubleshooting and support

To help you understand, isolate, and resolve problems with your IBM software, the troubleshooting and support information contains instructions for using the problem-determination resources that are provided with your IBM products.

6.1 Remote Desktop Services

This section describes the solutions for potential Remote Desktop Services problems.

6.1.1 Unable to install Remote Desktop Services

An error occurs during installation of Remote Desktop Services through the Add Roles and Features Wizard.

Solution: Ensure that the server is joined to a domain. Details can be found in Appendix 7.1.1 Joining a network domain.

6.1.2 Unable to connect to the Remote Desktop Gateway Server

An error occurs when you try to connect to a web app from RD Web Access through a web browser.

Solution: Ensure that your workstation can resolve the server's FQDN. Check the DNS configuration for the gateway server. Configure the hosts file if necessary.

6.1.3 Remote Computer could not be found

An error occurs when you try to connect to a web app from RD Web Access through a web browser.

Solution:
1. On the Gateway Server, open Server Manager.
2. Click Tools > Terminal Services > Remote Desktop Gateway Manager.
3. Select the server name, right-click, and select Properties.
4. In the Properties dialog box, under the Server Farm tab, enter the server's FQDN and click Add.
5. Ensure that the status is OK.

6. On the Gateway Server, open Server Manager.
7. Click Tools > Internet Information Services (IIS) Manager.
8. Expand the directory tree > Sites > Default Web Site > RDWeb.
9. Click Pages, then select Application Settings.
10. Double-click DefaultTSGateway, enter the server's FQDN, and click OK.
11. To restart IIS, open the command prompt (cmd) and type iisreset.
12. Verify the connection by logging in to RD Web Access and starting an application.

6.1.4 Unable to verify the identity of the RD Gateway

An error occurs when you try to connect to a web app from RD Web Access through a web browser.

Solution:
1. Select View certificate.
2. Click the Details tab > Copy to File.
3. Select DER encoded binary X.509 (.DER).
4. Save the file to a location.
5. Locate the certificate, right-click it, and select Install Certificate.
6. Select Local Machine > Next.
7. Select Place all certificates in the following store > Browse > Trusted Root Certification Authorities > Next > Finish.

6.1.5 Unable to login automatically to Remote Desktop Session Host

When starting a published application from RemoteApp, you are prompted to enter your credentials again.

Solution: Ensure that the group policy is configured for the domain workstation. See Appendix 7.1.4 Configuring automatic login for Remote Desktop Services. If you are connecting from a non-domain workstation, ensure that you are using Internet Explorer as your web browser with the MsRdpClientShell add-on enabled. See 4.1 Connecting to RemoteApp.

6.2 Privileged Access Agent

This section describes the solutions for potential Privileged Access Agent problems.

6.2.1 Unable to connect to the IMS server

An error occurs when the connection to the IMS Server fails even though you log in with a valid credential.

Solution: Verify that the certificate is installed on the local machine. If it is not, export the certificate (see 3.1 Exporting Root Certificate) and then install it manually:
1. Locate the exported certificate, then right-click it and select Install Certificate.
2. Select Local Machine > Next.
3. Select Place all certificates in the following store > Browse > Trusted Root Certification Authorities > Next > Finish.

7. Appendix

7.1 Setting up Remote Desktop Services

7.1.1 Joining a network domain

Before you configure the network domain, obtain the DNS address and domain name. Add an entry to the hosts file with the respective IP address and FQDN if needed. Ensure that DNS resolution is working correctly before you proceed with the following steps.

1. Click Start > Control Panel > Network and Sharing Center.
2. On the left pane, select Change adapter settings.
3. Select the network adapter, right-click, and select Properties.
4. Double-click Internet Protocol Version 4 (TCP/IPv4).
5. Select Use the following DNS server addresses and enter the domain DNS address.
6. Click Advanced.
7. In the DNS tab, select Append these DNS suffixes (in order) and click Add.

8. Enter the domain suffix, click Add, and select OK.
9. Click Start > Control Panel > System. Under Computer name, domain, and workgroup settings, click Change Settings.
10. In the Computer Name tab, select Change.
11. Select Domain, enter the domain name, and select OK.
12. In the Windows Security dialog, enter a domain administrator user name and password and click OK.
13. A welcome message is displayed. Click OK in the message dialog box.
14. When prompted to restart, click OK.

7.1.2 Installing Remote Desktop Services

Ensure that the server is joined to a domain before you install Remote Desktop Services. See Appendix 7.1.1 Joining a network domain. Verify the domain before you proceed with the installation.

1. On the Gateway Server, open Server Manager.
2. Click Manage and select Add Roles & Features.
3. Under Installation Type, select Remote Desktop Services installation and click Next.
4. Under Deployment Type, select Quick Start and click Next.
5. Under Deployment Scenario, select Session-based desktop deployment and click Next.
6. Under Server Selection, select the server and click Next.
7. Select Restart the destination server automatically if required and click Deploy.
8. The server restarts automatically after deployment.

7.1.3 Configuring Remote Desktop Services

After the server restarts, ensure that all role services are deployed successfully before you proceed with the configuration.

1. On the Gateway Server, open Server Manager.
2. On the left pane, select Remote Desktop Services.
3. Under Overview, click RD Licensing.
4. Under Server Selection, select the server from the Server Pool and click Next.
5. Review the selection and click Add.
6. Return to Overview and click RD Gateway.
7. Under Server Selection, select the server from the Server Pool and click Next.
8. Under SSL Certificate Name, enter the name for the self-signed certificate and click Next.
   Note: Ensure that the SSL certificate name matches the FQDN of the RD Gateway server.

9. Review the selection and click Add.
10. Under Results, select Configure certificate.
11. On the left pane, select RD Licensing.
12. Under Remote Desktop licensing mode, select Per User and click Apply.

7.1.4 Configuring automatic login for Remote Desktop Services

To enable automatic login for Remote Desktop Services, extra configuration is required on the Active Directory server. If you are connecting from a non-domain network, automatic login works only when connecting to the gateway through Internet Explorer. In addition, the MsRdpClientShell add-on must be enabled when you are prompted on your first login.

1. Log in to the Active Directory server as a domain administrator.
2. Open the Group Policy Management Console (gpmc.msc).
3. Right-click Group Policy Objects and select New.
4. Enter a name. For example: Automatic Login Policy.
5. Right-click the newly created policy and select Edit.
6. Navigate to Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation.
7. Double-click Allow Delegating Default Credentials.

8. Enable the policy and click Show.
9. Under Values, add TERMSRV/<Server Name> and select OK. For example: TERMSRV/ispim1.example.com

10. Select Apply to save the changes.
11. Return to the Group Policy Management window.
12. Double-click the newly created policy.
13. In the Scope tab, click Add.
14. Enter the host names of the workstations to which the policy applies.
15. Confirm the changes by selecting OK.
16. In the console tree, right-click the domain name.
17. Select Link an Existing GPO.
18. Under Group Policy objects, select the newly created policy and click OK.
19. On the client's workstation, start the command prompt (cmd) and type gpupdate /force.
    Note: Alternatively, the settings are applied to the selected workstations on the next restart.
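The following PowerShell check is an added example, not part of the IBM cookbook: run on a domain workstation after gpupdate, it confirms that the Allow Delegating Default Credentials policy from the steps above has applied and that the delegation list names only the gateway. It reads the registry location where that policy is written, assumes the cookbook's sample server name ispim1.example.com, and warns about wildcard entries because a wildcard would let the workstation hand the user's default credentials to any RDP host, not just the gateway.

```powershell
# Added example (not from the IBM cookbook): verify the credentials-delegation GPO from
# 7.1.4 on a workstation and confirm it is scoped to the gateway only.
# ispim1.example.com is the cookbook's sample server name; replace with your own.
$Gateway   = 'ispim1.example.com'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Test-CredentialDelegationPolicy {
    param([string]$GatewayFqdn)
    $result = [ordered]@{ Enabled = $false; Targets = @(); GatewayAllowed = $false; Wildcards = @() }
    if (-not (Test-Path $PolicyKey)) { return [pscustomobject]$result }   # GPO not applied yet

    # "Enabled" in the policy editor is stored here as DWORD AllowDefaultCredentials = 1.
    $props = Get-ItemProperty -Path $PolicyKey
    $result.Enabled = ($props.AllowDefaultCredentials -eq 1)

    # The server list from the Show... dialog is stored as string values named "1", "2", ...
    # under the AllowDefaultCredentials subkey, e.g. "1" = "TERMSRV/ispim1.example.com".
    $listKey = Join-Path $PolicyKey 'AllowDefaultCredentials'
    if (Test-Path $listKey) {
        $entries = Get-ItemProperty -Path $listKey
        $result.Targets = @($entries.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value })
    }

    $expected = "TERMSRV/$GatewayFqdn"
    $result.GatewayAllowed = [bool]($result.Targets | Where-Object { $_ -ieq $expected })
    # A wildcard SPN (for example TERMSRV/*) delegates the user's default credentials to
    # every RDP host, far beyond the single gateway the cookbook configures.
    $result.Wildcards = @($result.Targets | Where-Object { $_ -like '*[*]*' })
    return [pscustomobject]$result
}

$check = Test-CredentialDelegationPolicy -GatewayFqdn $Gateway
$check | Format-List

if (-not $check.Enabled -or -not $check.GatewayAllowed) {
    Write-Warning "Policy not in effect for TERMSRV/$Gateway. Run 'gpupdate /force' or review the GPO scope and link (7.1.4 steps 13 to 18)."
}
if ($check.Wildcards.Count -gt 0) {
    Write-Warning "Wildcard delegation entries found: $($check.Wildcards -join ', '). Restrict the list to TERMSRV/$Gateway."
}
```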

7.1.5 Configuring session time out

By default, Remote Desktop Services sessions are set to never expire. To modify the default settings, proceed with the following steps.

1. On the Gateway Server, open Server Manager.
2. On the left pane, select Remote Desktop Services.
3. Under Collections, select QuickSessionCollection.
4. At the upper right of the Properties section, click Tasks and select Edit Properties.
5. On the left pane, select Session.
6. Specify the necessary values.
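The same session limits can be set from PowerShell on the server that holds the RD Connection Broker role (the gateway server itself in the Quick Start deployment from 7.1.2). This is an added example, not part of the IBM cookbook; the limit values are illustrative choices, and the collection name QuickSessionCollection is the one the cookbook's Quick Start deployment creates.

```powershell
# Added example (not from the IBM cookbook): apply and read back the session limits
# behind the Session page of QuickSessionCollection (7.1.5, 4.4).
# Limit values below are illustrative, not values prescribed by the cookbook.
Import-Module RemoteDesktop
$Collection = 'QuickSessionCollection'

function Get-SessionLimits {
    param([string]$CollectionName)
    # -Connection returns the Session page settings of the collection.
    Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -Connection |
        Select-Object IdleSessionLimitMin, DisconnectedSessionLimitMin,
                      ActiveSessionLimitMin, BrokenConnectionAction, AutomaticReconnectionEnabled
}

# Before: Quick Start defaults, where the limits are 0 (never expire).
Write-Host "Current limits for $Collection"
Get-SessionLimits -CollectionName $Collection | Format-List

# After: idle sessions end after 15 minutes (the user gets the 2-minute warning described
# in 4.4 and can click OK to extend), disconnected sessions are logged off after 60 minutes
# so checked-out privileged sessions do not linger, and a session lasts at most 8 hours.
# A dropped network connection disconnects rather than logs off, so running RemoteApp
# programs survive a brief outage and the user can reconnect.
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -IdleSessionLimitMin 15 `
    -DisconnectedSessionLimitMin 60 `
    -ActiveSessionLimitMin 480 `
    -BrokenConnectionAction Disconnect `
    -AutomaticReconnectionEnabled $true

Write-Host "Updated limits for $Collection"
Get-SessionLimits -CollectionName $Collection | Format-List
```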