Extending your Applications into the Cloud with RDS
Greg Shields
Senior Partner & Principal Technologist
Concentrated Technology
www.ConcentratedTech.com
WSV301
RDS: Not Just About Desktops Any More!
The Many Jobs of the RDS Administrator
Server Administrator
Workstation Administrator
Systems Babysitter…
Application Administrator: installing, managing, maintaining, patching…
Security & Lockdown Administrator: protect users from themselves and others…
Workflow Administrator: getting users to their applications…
NEW!
5 Ways to Deploy RemoteApps
RDP File Distribution: create an RDP file. Distribute it to users.
RD Web Access: users launch applications from a web site.
Local Desktop Installation: RemoteApps wrapped into MSI files, which are “installed” onto desktops.
Local Desktop Installation with Client Extension Re-association: local client file extensions are modified to enable document invocation.
RemoteApp and Desktop Connection: synchronizes data to populate the desktop & Start Menu with configured apps.
#1 - RDP File Distribution
In Server 2003, the only “true” native way to distribute connections to Remote Desktops. Superseded in 2008 by new technologies, but it remains useful for:
Users who want user-based customizability for RDP connections.
Users who need portability for application connections, such as those who roam between networks.
IMPORTANT: Currently the only way to deploy RemoteApp for Hyper-V applications!
#2 - RD Web Access
Enabling an app in RDWA requires two clicks.
Provisioning and deprovisioning apps is ridiculously fast/easy.
Useful for users who use a few applications that do not integrate with each other.
Very useful for applications that rapidly change, change versions, or require offline maintenance.
Zero additional effort at the individual desktop.
#2 - RD Web Access
Enabling or disabling access requires only a few mouse clicks in RemoteApp Manager.
#3 - Local Desktop Installation
MSI files enable local desktop installation.
RemoteApps seamlessly launched from the Start Menu or desktop.
MSI files must be deployed to each desktop:
  Active Directory Software Installation through Group Policy
  A systems management solution (SCCM)
  Shoe leather.
Removing applications once installed is complex. Non-trivial to change once implemented.
#3 - Local Desktop Installation
#4 - Client Extension Re-Association
Client extension re-association is an optional part of local desktop installation.
Modifies client extensions (.DOCX, .XLSX, etc.) to enable document invocation.
Users can simply double-click documents.
Document Invocation!
#4 - Client Extension Re-association
Associate client extensions for this program with the RemoteApp program
#4 - Client Extension Re-association
Extensions re-associate with “Remote Desktop Connection”
#5 – RemoteApp & Desktop Connection
Requires Windows 7 & Server 2008 R2.
RADC functions similarly to the Citrix XenApp Plug-in.
Plug-in regularly checks the server to download an XML file.
The XML file contains connection information about configured RemoteApps and desktops.
By default, the client checks once per hour.
Securing the User’s Connection
What You’ll Need
Enabling Internet-grade security for RDS sessions requires a few extra components:
RD Gateway Server
SSL Server certificate from a Public CA
A firewall
Some holes in that firewall
What You’ll Need
Enabling Internet-grade security for RDS sessions requires a few extra components:
[Diagram: the contoso.com domain containing dc.contoso.com, server1.contoso.com (Remote Desktop Gateway) and server2.contoso.com (Remote Desktop Session Host). The external client client1.myhome.com reaches the Gateway over 443/TCP; the Gateway reaches the Session Host over 3389/TCP.]
Wait a minute!
Anyone see problems here?
LIVE DRAW: RDG Architectures
Four RDG Architectures
Option #1: No DMZ. RDG in the LAN.
Option #2: RDG in the DMZ. No internal AD exposure for RDG.
Option #3: RDG in the DMZ. RDG uses internal AD.
  Option #3a: Use internal DC. Open lots of ports.
  Option #3b: Internal RODC in the DMZ. Open lots of ports.
  Option #3c: Forest trust to DC in the DMZ.
Option #4: ISA/TMG in the DMZ. RDG in the LAN.
Option #4 is Microsoft’s (and the industry’s) recommended practice. Easy. Safe. Secure. Scalable.
The Vast Power of SSL Reverse Proxying!
An SSL Reverse Proxy is a device used to bridge external SSL connections to the inside.
Inbound SSL connections are terminated at the TMG.
TMG decrypts SSL communication.
TMG inspects for malicious code.
(Optionally) TMG reconstructs a new SSL connection and forwards traffic inside.
HTTPS – HTTPS or HTTPS – HTTP?
HTTPS – HTTPS is better for internal security.
HTTPS – HTTP is better for performance.
Installing the RDG
Four questions are asked during installation:
Server authentication certificate. If you’ve correctly installed your certificate to the local computer’s Personal Store, you will see that certificate listed in the box.
RD Gateway User Groups. Groups which are allowed to connect to internal resources through this RDG server.
RD CAP. Identifies mechanisms used for authenticating users to the RD Gateway server: password or smart card.
RD RAP. Identifies internal computers which can be accessed by users who enter through the RDG.
SSL Certificates
Server certificate attributes:
Must be a computer certificate.
Extended key usage must be for Server Authentication (OID 1.3.6.1.5.5.7.3.1).
Subject Name must exactly match the RDG’s external FQDN, and must also match the internal FQDN if used internally.
Must be installed to the local computer’s Personal Store and not the current user’s Personal Store.
Although it is possible to create free certificates through 2008 Certificate Services, save yourself headache and heartache and BUY ONE.
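As an added example (not from the deck), this PowerShell snippet checks every certificate with a private key in the local computer's Personal store against the attributes above: Server Authentication EKU, a name matching the gateway's external FQDN, validity and a chain that builds. The external FQDN is an assumed placeholder.

```powershell
# Added example: audit LocalMachine\My for a certificate usable by RD Gateway.
$ExternalFqdn  = 'rdg.contoso.com'    # ASSUMPTION: replace with your RDG's public name
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'  # Server Authentication EKU, as required by RDG

# Look in the local computer's Personal store, not the current user's
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey }

foreach ($cert in $candidates) {
    $problems = @()

    # Extended key usage must include Server Authentication
    $ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    if ($ekus -notcontains $ServerAuthOid) { $problems += 'missing Server Authentication EKU' }

    # Subject CN (or a Subject Alternative Name entry) must match the external FQDN
    $cn = ($cert.Subject -split ',')[0] -replace '^\s*CN=', ''
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    if ($cn -ne $ExternalFqdn -and $sanText -notmatch [regex]::Escape($ExternalFqdn)) {
        $problems += "name does not match $ExternalFqdn"
    }

    # Expired certificates are rejected by clients regardless of the other attributes
    if ($cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }

    # The chain must build to a CA the client trusts; for Internet clients that means a public CA
    if (-not $cert.Verify()) { $problems += 'chain does not verify on this host' }

    $status = if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }
    '{0}  {1}  {2}' -f $cert.Thumbprint, $cn, $status
}
```

Run it on the RDG itself (and on the RDSH if you reuse the certificate there); a certificate that only shows up under Cert:\CurrentUser\My will not appear, which is exactly the store mix-up the slide warns about.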
RD CAPs and RAPs
RD CAP: the “Who” (which users may authenticate to the gateway)
RD RAP: the “What” (which internal computers they may reach)
Concerned about RDG Performance?
Don’t be.
Microsoft asserts a single RDG server can support up to 1200 concurrent connections.
Dual-processor server with 4GB of RAM.
Virtualizing RDG is suggested.
Important: Windows Server Standard Edition has a hard limit of 256 concurrent connections.
Enterprise and Datacenter Edition have no connection limits.
RDG Settings & Configuration
demo
Exposing the RemoteApp
RDG creates the pathway by which RemoteApps can flow. The next step is to create the RemoteApp.
Install an application.
Expose the application using RemoteApp Manager.
Enable RDG settings within the RemoteApp.
Distribute the RemoteApp through one or more mechanisms.
Special RDG Settings
Two settings require special attention:
Enables single sign-on between RDG and RDSH.
Enables direct RDSH access for LAN clients.
Too Many Error Messages!
At this point, your clients can invoke the RDP file to connect either locally or via the Internet.
However, for reasons of scripting security, Microsoft requires an authentication prompt at connection.
This confuses users.
Creates pain for us admins.
Eliminate Error Messages!
Eliminate one of the two error messages by digitally signing your RDP file.
Possible to use the same server certificate as installed to the RDG.
Install the certificate to the RDSH’s local computer Personal Store.
You’ll know if you screwed this part up.
Error Messages to Questions
Signing the file creates the necessary authentication between client and server.
Prevents the RDP file from being tampered with. RDP files cannot be modified in any way, or the signature will break.
However, it doesn’t entirely eliminate the error message. Instead, the user sees: “Do you trust the publisher of this RemoteApp program?”
User can click Yes, and can also click “Don’t ask me again”.
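The following PowerShell script is an added example (not from the deck) that ties the "Special RDG Settings" slide to the signing step above: it writes a RemoteApp .rdp file carrying the two gateway settings, signs it with the rdpsign.exe that ships with Windows Server 2008 R2, and shows the signscope/signature fields the signature adds. The host names, the RemoteApp alias and the certificate thumbprint are assumed placeholders.

```powershell
# Added example: build and sign a RemoteApp .rdp file that routes through RD Gateway.
$RdpPath     = "$env:TEMP\wordpad.rdp"
$Gateway     = 'rdg.contoso.com'               # ASSUMPTION: external RDG FQDN
$SessionHost = 'server2.contoso.com'           # RDSH named in the deck's diagram
$Thumbprint  = 'REPLACE_WITH_CERT_THUMBPRINT'  # ASSUMPTION: the server cert in the RDSH's LocalMachine\My store

$settings = @(
    "full address:s:$SessionHost"
    "gatewayhostname:s:$Gateway"
    'gatewayusagemethod:i:2'        # use RDG only for non-local addresses: direct RDSH access for LAN clients
    'gatewaycredentialssource:i:0'  # password (NTLM) at the gateway; 1 = smart card
    'promptcredentialonce:i:1'      # reuse the RDG credentials on the RDSH: single sign-on between RDG and RDSH
    'remoteapplicationmode:i:1'
    'remoteapplicationprogram:s:||wordpad'   # ASSUMPTION: RemoteApp alias as published in RemoteApp Manager
    'remoteapplicationname:s:WordPad'
    'alternate shell:s:rdpinit.exe'
    'disableremoteappcapscheck:i:1'
)
# Windows writes .rdp files as UTF-16LE, so keep the same encoding
Set-Content -Path $RdpPath -Value $settings -Encoding Unicode

# rdpsign.exe /sha1 takes the SHA-1 thumbprint of the signing certificate
& rdpsign.exe /sha1 $Thumbprint $RdpPath
if ($LASTEXITCODE -ne 0) { throw "rdpsign.exe failed with exit code $LASTEXITCODE" }

# A signed file gains 'signscope:s:' (the settings covered by the signature) and 'signature:s:'.
# Changing any setting listed in signscope afterwards invalidates the signature, which is the
# tamper protection described above; the client then shows an unsigned-publisher warning.
Get-Content -Path $RdpPath |
    Where-Object { $_ -match '^(signscope|signature):s:' } |
    ForEach-Object { $_.Substring(0, [Math]::Min(72, $_.Length)) }
```

Users who launch the signed file still get the single “Do you trust the publisher of this RemoteApp program?” question described above; that prompt is by design and is the one that “Don’t ask me again” suppresses.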
Final Thoughts
Extending applications to the Internet isn’t hard.
Remember your Active Directory integration.
Remember your internal DNS resolution.
Remember your external DNS resolution.
Remember your certificates.
Remember your deployment options.
Greg Shields
Senior Partner & Principal Technologist
Concentrated Technology
www.ConcentratedTech.com
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/