In my previous post titled Windows 2008 R2 Remote Desktop Services (RDS) (1 of 2) where I covered Understanding and Deploying RDS, I gave an intro to RDS as well as the basic installation of the Windows 2008 R2 Remote Desktop Services (formerly known as Terminal Services). In this post, I’m going to key in specifically on the Remote Desktop Services Web Access and RemoteApp roles.
This Web Access and RemoteApp are new to Windows 2008 Terminal Services and enhanced in RDS 2008 R2. Effectively prior to Terminal Services / RDS Web Access, the only way to access a TS / RDS session was to run the Remote Desktop Connection (RDC) client software that launched a full desktop window complete with a Start button on this session.
With RDS Web Access, you can simply give a user a Web URL and they get a list of the applications they can launch and run. The list of programs is all determined by group policy, so you can set it so that some users see 5 application icons to choose from where other users might see 10 application icons to run. Also through group policy you can identify that someone might get 10 icons when they are accessing RDS Web Access from within the company network, and they only see 7 icons when they are accessing RDS Web Access from outside of the company network (effectively preventing them to access sensitive or compliance regulated data externally).
Even if a user accesses two separate apps from the Web Access interface, they can still cut/paste content between the sessions, and when they save information, it all saves back to the company network by default (although RDS Web Access does have the ability for users to load and save files locally).
With RemoteApp, users can simply have an icon placed on their desktop and they can double click the icon to launch an application off a shared RDS Host server.
To install the RDS Web Access and RDS RemoteApp, here’s a snippit out of my book “Windows Server 2008 R2 Unleashed”…
Before installing RD Web Access, you need to take a few considerations into account:
The RD Web Access is a role service of the Remote Desktop Services role.
The RD Web Access needs to be a Windows Server 2008 R2 machine, but does not need to have the RD Sessions Host role service installed.
To run the RD Web Access role service, Microsoft Internet Information Services (IIS) 7.5 must/will be installed.
Clients must meet the requirements for RD Web Access
Installing the RD Web Access Role Service
Use the following steps to install the RD Web Access role service:
Log on to the desired server with local administrator privileges.
Click Start, and then click Run.
In the Run dialog box, type in ServerManager.msc and click OK.
In the Roles Summary section, click the Add Roles task.
After the Add Roles Wizard loads, click Next.
On the Select Server Roles page, select the Remote Desktop Services role, and click Next.
On the Remote Desktop Services page, click Next.
Now, on the Select Role Services page, only select the Remote Desktop Web Access role service. This is the only role service that is being installed at this time
When prompted with the Add Roles Wizard dialog box, click the Add Required Role Services button (any missing required role services or features for RD Web Access role service will now be added)
On the Select Role Services page, click Next.
On the Web Server (IIS) page, click Next.
On the Select Role Services page, click Next (do not change the defaults).
On the Confirm Installation Selections page, review the selections made, and then click Install.
On the Installation Results page, review the results, and click Close.
Defining the RemoteApps Programs Source
Before users can use RemoteApp and Desktop Connection, the source for RemoteApps programs must be defined for an RD Web Access server. A RemoteApp source can be either of the following:
RD Connection Broker server
RD Session Host server or farm (with identically configured RD Session Host servers)
Use the following steps to define the RemoteApp source:
Connect to the RD Web Access Web site using either of the following methods:
On the RD Web Access server, click Start, Administrative Tools, Remote Desktop Services, Remote Desktop Web Access Configuration.
Using Internet Explorer, connect to the RD Web Access website using the following URL: https://<server_fqdn>/rdweb.
When prompted with the RD Web Access forms-based authentication logon page, log on to the site using a domain account that is a member of the local RD Web Access server’s TS Web Access Administrators group.
Ensure that the Configuration page is selected, and choose either the “An RD Connection Broker Server” option or the “One or More RemoteApp Sources” option
If the “An RD Connection Broker Server” option is selected, the NetBIOS name or FQDN of the RD Connection Broker must be defined in the Source Name box.
If the “One or More RemoteApp Sources” option is selected, the NetBIOS name or FQDN of an RD Session Host server or DNS name of the RD Session Host server farm must be entered. If multiple RemoteApp sources are being used, each name must be separated using a semicolon.
Click OK to save the changes.
When defining a RemoteApp source, certain requirements must be met depending on the option used. For example, if an RD Session Host is used as the source, the RD Web Access server must be added to the TS Web Access Computers security group on the RD Session Host server. Or, when using an RD Connection Broker server as the source, the RD Connection Broker server must be installed, configured, and online.
Additionally, if the “One or More RemoteApp Sources” option is used, a connection name and connection ID must be defined on the RD Web Access server, and the RDWebAccess.config file needs to be modified. This file is found under the: %windir%\Web\RDWeb\App_Data\ directory. The contents of this file include instructions as to how to define the connection name and connection ID. Once a connection name has been defined, it is used to identify the RemoteApp and Desktop Connection that comes from that RD Web Access server. Conversely, if the “An RD Connection Broker Server” option is used, the connection name and connection ID are defined using the Remote Desktop Connection Manager tool on the RD Connection Broker server.
Securing RD Web Access
After RD Web Access has been installed, it is recommended that you secure the RD Web Access traffic by installing and using a Server Authentication (SSL) certificate. To complete this task, refer to the IIS 7.5 online help section titled “Request an Internet Server Certificate.” After a certificate has been requested, installed, and bound to the website hosting the RD Web Access role service, that website should then be configured to only accept SSL connections.
Configuring RemoteApp and Desktop Connection Properties
Log on to the RD Connection Broker server with local administrator privileges.
Click Start, Administrative Tools, Remote Desktop Services, Remote Desktop Connection Manager.
Click the root node, and then in the Actions pane, click Properties.
In the RemoteApp and Desktop Connection Properties dialog box, on the Connection Settings tab, define the following:
Display name—The name that users will use to identify the customized view of RemoteApp programs and virtual desktops provided by this server
Connection ID—The ID that is used to identify the customized view of RemoteApp programs and virtual desktops provided by this server
Next select the RD Web Access tab, and then in the Server Name text box, enter in the FQDN for the RD Web Access server.
Click the Add button.
Click Apply and then click OK.
Adding Programs to the RemoteApp Programs
Log on to the RD Session Host server that is a RemoteApp source for the RD Session Host server farm with local administrator privileges.
Click Start, Administrative Tools, Remote Desktop Services, RemoteApp Manager.
In the Actions pane, click Add RemoteApp Programs.
On the Welcome page for the RemoteApp Wizard, click Next.
On the Choose Programs to Add to the RemoteApp Programs List page, select the program(s) that are to be added to the RemoteApps list from the list
The applications that are shown on this page are shortcuts that are found in the All Users Start Menu folder. If there is an application that is not listed on this page, an administrator can click on the Browse button, and then specify the location to that application’s executable.
6. After selecting an application or applications to add to the RemoteApps list, an administrator can then choose to configure the different RemoteApp properties for that application or applications. To do this, select the application name, click Properties, make any needed modifications, and then click OK.
It is important to note that, by default, the RemoteApp Program Is Available Through RD Web Access option is enabled. Also, only system environment variables can be used in the pathname for an application (such as %windir%). Per-user environment variables cannot be used. Lastly, if needed, using the User Assignment tab, an administrator can define which users/groups have access to the RemoteApp program.
7. Click Next.
8. Finally, review the settings on the Review Settings page, and then click Finish.
9. The RemoteApps list will then appear
Configuring Global Deployment Settings
In the RD RemoteApp Manager interface, an administrator can also configure a number of deployment settings that globally apply to all RemoteApp programs in the RemoteApps list. The settings are grouped into the following categories:
RD Session Host Server Settings—These settings are used to define how users will connect to an RD Session Host server or RD Session Host server farm to access RemoteApp programs
RD Gateway Settings—These settings are used to define RD Gateway deployment settings.
Digital Signature Settings—This setting is used to define the digital certificate that is used to digitally sign .rdp files.
RDP Settings—These settings are used to define common RDP settings for RemoteApp connections, such as device and resource redirection.
Accessing RemoteApp and Desktop Connection
When using Windows 7 or Windows Server 2008 R2, users can also access RemoteApp and Desktop Connection using two methods. The first method is to use a RemoteApp and Desktop Connection URL, which is provided by administrators. For example, such a URL might be formatted as: https://remotedesk.companyabc.com/RDWeb/Feed/webfeed.aspx. Using this URL, a user can then create a new connection to RemoteApp and Desktop Connection using the Control Panel, RemoteApp and Desktop Connection.
The second method to access RemoteApp and Desktop Connection is to use a configuration file that is generated by an administrator. These configuration files are generated using the Remote Desktop Configuration Manager tool. Once the configuration file is given to a user, the user just has to double-click the configuration file and the connection to RemoteApp and Desktop Connection is created.
RemoteApp and Desktop Connection connections are also created when a user logs on to RD Web Access and accesses RemoteApp programs, session-based remote desktops, or virtual desktops. To access RemoteApp and Desktop Connection, users would log on to RD Web Access using the following URL:
The <name> might be the FQDN of the RD Web Access server or some other known name that refers to that server or group of servers. Additionally, for centralized portal deployments, an RD Web Access web part can be added to a Windows SharePoint Services site.