Securely Connecting to Applications over the Internet using RDS
Greg Shields, MVP, vExpert
Head Geek, Concentrated Technology
www.ConcentratedTech.com


Page 1: Securely connecting to apps over the internet using rds

Securely Connecting to Applications over the Internet using RDS

Greg Shields, MVP, vExpert
Head Geek, Concentrated Technology
www.ConcentratedTech.com

Page 2: Securely connecting to apps over the internet using rds

This slide deck was used in one of our many conference presentations. We hope you enjoy it, and invite you to use it within your own organization however you like.

For more information on our company, including information on private classes and upcoming conference appearances, please visit our Web site, www.ConcentratedTech.com.

For links to newly-posted decks, follow us on Twitter: @concentrateddon or @concentratdgreg

This work is copyright ©Concentrated Technology, LLC

Page 3: Securely connecting to apps over the internet using rds

Agenda

Topics
– Part I: RemoteApps Under the Covers
– Part II: Architecting Application Delivery
– Part III: Tuning the User’s Experience
– Part IV: Securing the User’s Connection
– Part V: Virtual Desktops Discussion (…if we have time…)

Page 4: Securely connecting to apps over the internet using rds

Not Just About Desktops Any More!

Page 5: Securely connecting to apps over the internet using rds

The Many Jobs of the RDS Administrator

Server Administrator
Workstation Administrator
– Systems Babysitter…

Application Administrator
– Installing, managing, maintaining, patching…

Security & Lockdown Administrator
– Protect users from themselves and others…

Workflow Administrator
– Getting users to their applications…

NEW!

Page 6: Securely connecting to apps over the internet using rds

RDS Admin as Workflow Admin

Now a part of the RDS Admin’s job
– 2003 TS lacked options, so this job hasn’t been a consideration for TS admins.
– Citrix Admins have traditionally enjoyed many more options for application delivery.

With TS in 2008, the options for getting users to their apps grow in number.
– Therefore, you have more architectural decisions to make…

Page 7: Securely connecting to apps over the internet using rds

New Features in 2008 TS

• RDC v6.1
• Network Level Authentication
• Plug-and-Play Device Redirection
• Console Session
• Server Manager
• Licensing Changes
• TS Drain Mode
• TS Easy Print
• TS Remote App
• TS Web Access
• TS Gateway
• TS Session Broker
• Local Desktop Installation for RemoteApps

Page 8: Securely connecting to apps over the internet using rds

New Features in 2008 TS

• RDC v6.1
• Network Level Authentication
• Plug-and-Play Device Redirection
• Console Session
• Server Manager
• Licensing Changes
• TS Drain Mode
• TS Easy Print
• TS Remote App
• TS Web Access
• TS Gateway
• TS Session Broker
• Local Desktop Installation for RemoteApps

New Features Specific to Deploying Applications

Page 9: Securely connecting to apps over the internet using rds

New Features in 2008 R2 RDS

• Remote App and Desktop Connection
• Remote Desktop Virtualization (extensions to Hyper-V)
• IP Virtualization
• RDS-aware Windows Installer
• The “T” in every product changes to “RD”
• Hosted virtual desktops & pooled virtual desktops
• Fair Share CPU Scheduling
• Roaming Profile Cache Management
• PowerShell

Page 10: Securely connecting to apps over the internet using rds

Part I: RemoteApps Under the Covers

Page 11: Securely connecting to apps over the internet using rds

RemoteApps Look Like…Apps

Page 12: Securely connecting to apps over the internet using rds

RemoteApps are Easily Created

Step 1: Install the App
Step 2: Create the RemoteApp
Step 3: Set Distribution Options

Page 13: Securely connecting to apps over the internet using rds

Multiple Options for Launching

…via a web page

…through document invocation.

…as an installed program

Page 14: Securely connecting to apps over the internet using rds

Pro’s/Con’s of Remote Desktops

Remote Desktop – Provides user access to a full “desktop”.
– PRO: Familiar to users. Recognizable start bar, desktop, icon access, app launch procedure.
– PRO: Single connection for all remote apps.
– PRO: Easy access to all needed applications.
– CON: Easy access to all needed applications.
– CON: Documents on remote desktop are not easily accessible on local desktop.
– CON: Users must connect to desktop to start applications. This is a change to their usual launch procedure.

Page 15: Securely connecting to apps over the internet using rds


Page 16: Securely connecting to apps over the internet using rds

Pro’s/Con’s of RemoteApps

RemoteApp – Enables user access to a single application or content.
– PRO: Applications appear to run locally. Seamless boundary between application and local desktop.
– PRO: Applications can be instantiated through document double-click.
– PRO: RemoteApps tend to use fewer and/or more predictable levels of resources.
– CON: Users may have multiple paths to access applications.
– CON: Finding documents on local desktops is not immediately obvious.
– CON: Users may be used to “desktops”. RemoteApps change their launch procedures.

Page 17: Securely connecting to apps over the internet using rds


Page 18: Securely connecting to apps over the internet using rds

RemoteApps Change How Apps are Delivered to Users

With Remote Desktops, there is really only one way for users to access their applications.
– Log onto desktop. Start application.

This limits how your users interact with their applications.
– Accessing an RDS-hosted application requires extra steps to get started.
– Those extra steps waste the user’s time and consume unnecessary resources on the RD Session Host.
– The login/logout process adds unnecessary burden.
– Securing desktops is a challenging, cumbersome, time-consuming, expensive procedure.

Page 19: Securely connecting to apps over the internet using rds

RemoteApps Change How Apps are Delivered to Users

RemoteApps eliminate the need to enable full desktop access.
– No explorer.exe process is spawned.
– Limited login/logout resources required.
– Apps can spawn other apps, but generally limited to in-app integrations.
– Users are more limited from launching unnecessary or inappropriate apps.
– No desktop == Limited user touch points == Less time spent dinking around with lockdowns == Greater security == A Happier You

Page 20: Securely connecting to apps over the internet using rds

Launching RemoteApps: What Really Happens?

Source: Windows Server 2008 Terminal Services Resource Kit, Page 258

Page 21: Securely connecting to apps over the internet using rds

RemoteApps & Resources

Source: TechNet Magazine, January 2009

RemoteApps tend to use fewer resources. Resource utilization tends to be more predictable.

User1 logs into full desktop and launches Calc.exe.

User2 logs into “Calculator” RemoteApp.

Page 22: Securely connecting to apps over the internet using rds

So, What are Those Processes?

Source: TechNet Magazine, January 2009

Explorer.exe is replaced by Rdpshell.exe.
– Alternate (mini) shell loads/manages desktop session event hooks.
– No desktop = Reduced resource requirements.

Figure callouts: Task Scheduler Engine; Desktop Window Mgr; RDP Clipboard Mgr; Monitors processes; Explorer replacement

Page 23: Securely connecting to apps over the internet using rds

So, What are Those Processes?

Source: TechNet Magazine, January 2009

RemoteApp has 50% lower memory utilization over a full desktop with explorer.exe.

Caution: YMMV.

Page 24: Securely connecting to apps over the internet using rds

Part II: Architecting Application Delivery

Page 25: Securely connecting to apps over the internet using rds

5 Ways to Deploy RemoteApps

RDP File Distribution
– Create an RDP file and store it in a file server or distribute it to users. Users double-click to launch app.

RD Web Access
– Users double-click applications on web sites to launch.

Local Desktop Installation
– RemoteApps are wrapped into MSI files, which are “installed” onto desktops.

Local Desktop Installation with Client Extension Re-association
– Same as above, but local client file extensions are modified to enable document invocation.

RemoteApp and Desktop Connection
– Windows 7 RADC regularly synchronizes data from server to populate desktop & Start Menu with configured apps.

Page 26: Securely connecting to apps over the internet using rds

#1 - RDP File Distribution

In Server 2003, only “true” native way to distribute connections to Remote Desktops.
– Can also manually host RDP files on a web page.

Superseded in 2008 by new technologies, however remains useful for…
– Users who want user-based customizability for RDP connections.
– Users who need portability for application connections, such as those who roam networks.
– Users who share/customize connections
– Ad-hoc.

Page 27: Securely connecting to apps over the internet using rds

#1 - RDP File Distribution

Page 28: Securely connecting to apps over the internet using rds

#2 - RD Web Access

Enabling an app in RDWA requires two clicks.
– Provisioning and deprovisioning apps is ridiculously fast/easy.
– Useful for users who use few applications that do not integrate with each other.
– Very useful for applications that rapidly change, change versions, or require offline maintenance.

Zero additional effort at the individual desktop.

Page 29: Securely connecting to apps over the internet using rds

#2 - RD Web Access

R2 supports the “hiding” of apps.
– Use perms and “User Assignment” to restrict app access.

Limited to a single server out-of-the-box in 2008.
– RD Session Broker creates RDS farm of similarly-configured servers.
– SharePoint web part integration can group dissimilar servers. Non-trivial.

R2 adds the ability to consolidate multiple RDSHs.

Does not support document invocation or local desktop integration.

Page 30: Securely connecting to apps over the internet using rds

#2 - RD Web Access

Enabling or disabling access requires only a few mouse clicks in Server Manager.

Page 31: Securely connecting to apps over the internet using rds

#3 - Local Desktop Installation

Wrapping RDP files into MSI files enables local desktop installation.
– RemoteApps launched from local Start Menu or desktop shortcut.
– Enhances RemoteApp “seamlessness”.

Can increase confusion.
– RemoteApp C: drive is not equal to local desktop C: drive.
– “Am I remote or am I local???”
– Users must learn to store docs on file servers.

Page 32: Securely connecting to apps over the internet using rds

#3 - Local Desktop Installation

MSI files must be installed onto each desktop.
– Active Directory Software Installation through Group Policy
– A systems management solution (SCCM)
– Shoe leather.

Removing applications once installed is complex with any mechanism.
– Non-trivial to change once implemented.

Page 33: Securely connecting to apps over the internet using rds

#3 - Local Desktop Installation

Page 34: Securely connecting to apps over the internet using rds

#4 - Client Extension Re-Association

Client extension re-association is an optional part of local desktop installation.
– Modifies client extensions (.DOCX, .XLSX, etc.) to enable document invocation.
– Users maintain existing local desktop workflow by double-clicking documents.
– Highest degree of “seamlessness” possible with RDS and non-W7.

Document Invocation!

Page 35: Securely connecting to apps over the internet using rds

#4 - Client Extension Re-association

Associate client extensions for this program with the RemoteApp program

Page 36: Securely connecting to apps over the internet using rds

#4 - Client Extension Re-association

Extensions re-associate with “Remote Desktop Connection”

Page 37: Securely connecting to apps over the internet using rds

#4 - Client Extension Re-association

Arguably the most useful for users. However…
– Extends time-to-launch.
– Difficult to update as applications change.
– Applications transiently unavailable on RDS create big confusion with users. They cannot double-click documents to launch apps.
– You must ensure high degree of availability if deployed.
– VPNs (including RDSG) can complicate.

Page 38: Securely connecting to apps over the internet using rds

#5 – RemoteApp & Desktop Connection

If you have Windows 7 / 08R2, then you have RADC. No other OSs currently support RADC.

RADC works functionally similar to Citrix XenApp Plug-in.
– Plug-in regularly checks server to download XML file.
– XML file contains connection information about configured RemoteApps and desktops
– By default, client checks once per hour, so propagation can take time.

Page 39: Securely connecting to apps over the internet using rds

DEMO: Deploying RemoteApps

Page 40: Securely connecting to apps over the internet using rds

Your App Deployment Decision Tree

Windows 7?

RemoteApp & Desktop Connection!

Page 41: Securely connecting to apps over the internet using rds

More Than One Way to Skin A…

Complex environments may find the need for combinations of these five options…
– Static applications are deployed to desktops, while high-rate-of-change apps hosted via RDS Web Access.
– RADC for Windows 7 machines, RDWA or static for others.
– Local desktop installation for LAN machines, while RDS Web Access for VPN access.
– Access to RDS Web Access invoked via local desktop installation. (Internet-based clients?)
– “Empty” Remote Desktops deployed with local desktop installation to apps. A form of siloing, or Poor Man’s VDI.

Page 42: Securely connecting to apps over the internet using rds

Part III: Tuning the User’s Experience

Page 43: Securely connecting to apps over the internet using rds

Tuning Memory Consumption

Source: TechNet Magazine, January 2009

Tune dwm.exe & rdpclip.exe to keep memory consumption at lowest-possible levels.
– Keep in mind each concurrent user spawns one of each process.

Desktop Window Mgr: Keep Desktop Window Manager memory consumption low by not installing Desktop Experience. Font smoothing is bad too.

RDP Clipboard Mgr: Keep RDP Clipboard Manager memory low by not enabling client clipboard mapping in RDP properties.

Page 44: Securely connecting to apps over the internet using rds

Must-Monitor Performance Counters

• Processor\% Processor Time
• Memory\Available MBytes
• Memory\Pages/Sec
• System\Threads
• System\Context Switches/Sec
• System\Processor Queue Length
• Terminal Services\Active Sessions
• Terminal Services\Total Sessions

Page 45: Securely connecting to apps over the internet using rds

Windows Server Resource Manager

Let’s face it: Some users really suck.

Page 46: Securely connecting to apps over the internet using rds

Windows Server Resource Manager

Let’s face it: Some users really suck.
– Available resources that is…
– Every environment has “Stan in Accounting”
– Stan consumes dramatically more resources than everyone else.
– Stan is bad. Stan must be stopped.

WSRM is the anti-Stan.
– Monitors processes and resource use.
– Lowers the priority for hoggy processes.
– Threads for lowered processes have longer wait time between processor attention.

Page 47: Securely connecting to apps over the internet using rds

Windows Server Resource Manager

WSRM is a separate install from TS.
– Install the WSRM feature.
– Change its default policy to Equal Per Session.
– (Optionally) Limit users to one session each.

WSRM can additionally log and report on process use.
– Handy for giving Stan proof that he’s not been sharing with the other children…er, users.
– Potential for billing / chargebacks.

R2 eliminates the need for WSRM with its Fair Share CPU Scheduling Feature, enabled by default.
– Also, is proactive rather than reactive.

Page 48: Securely connecting to apps over the internet using rds

2003 & 2008 Profiles not Compatible

A Win2008 profile cannot be used to login to a Win2003 TS.
– Folder structures are completely different.
– Separate profiles for each OS required.

Profile folder redirection can share some folders between these two OSs.
– AppData(Roaming), Desktop, Start menu, Documents, Pictures*, Music*, Video*

Caution: Redirection can increase login times, reduce user experience.
– This can be a painful architecture. Consider user virtualization, user workspace management, or flex profile solutions.

Page 49: Securely connecting to apps over the internet using rds

Software Restriction Policies

RemoteApps enable users to access predefined applications. However they can and do spawn additional apps.
– Outlook attachment launches IE.
– Homegrown finance app launches Excel.

Software Restriction Policies & AppLocker ensure only approved apps can run.
– Blacklist approach
– Whitelist approach – Superior.

Page 50: Securely connecting to apps over the internet using rds

Software Restriction Policies

Computer Configuration | Policies | Windows Settings | Security Settings | Software Restriction Policies | Security Levels
– Unrestricted – Blacklist approach. Everything runs except what you deny.
– Basic User – Fuggetaboudit. UAC-focused.
– Disallowed – Whitelist approach. Apps will not run except those you specifically allow.

Whitelists work best for RDSs.
– They typically have a known app composition

Page 51: Securely connecting to apps over the internet using rds

Software Restriction Policies

Computer Configuration | Policies | Windows Settings | Security Settings | Software Restriction Policies | Additional Rules
– Hash Rule
– Certificate Rule
– Path Rule
– Network Zone Rule

You will typically use combinations of these, based on your app composition.

AppLocker also eases these configurations.
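One way to check a whitelist against the spawned-application cases the slides mention (an Outlook attachment launching IE), shown as an added example that is not part of the original deck. The approved folder, the policy file path and the test user are assumptions; the AppLocker cmdlets require Windows 7 / Server 2008 R2 or later.

```powershell
# Added example, not from the deck. Builds a candidate whitelist offline and
# asks AppLocker what it WOULD decide, without enforcing anything.
Import-Module AppLocker

$approvedDir = 'C:\Program Files\Microsoft Office'   # assumption: the published app
$policyFile  = 'C:\Temp\rdsh-whitelist.xml'          # assumption: scratch output path
$testUser    = 'CONTOSO\stan'                        # hypothetical RDS user

# 1. Generate publisher rules (hash rules for unsigned files) from the
#    folder that holds the application you intend to publish.
Get-AppLockerFileInformation -Directory $approvedDir -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $policyFile -Encoding UTF8

# 2. Executables a RemoteApp could spawn. Only files that exist are tested.
$candidates = @(
    (Join-Path $approvedDir 'Office14\OUTLOOK.EXE'),          # assumed install path
    'C:\Program Files\Internet Explorer\iexplore.exe',
    'C:\Windows\System32\cmd.exe',
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
) | Where-Object { Test-Path $_ }

# 3. Evaluate the candidate policy for the test user. PolicyDecision is
#    Allowed, Denied, or DeniedByDefault (no rule matched: the whitelist case).
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidates -User $testUser |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

A policy generated this way contains no rules for the Windows directory, so review the `DeniedByDefault` rows and add the rules the session actually needs before enforcing it.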

Page 52: Securely connecting to apps over the internet using rds

TS RemoteApps & Session Disconnection

When users click the “X” to close a RemoteApp, RDS considers this a “Disconnect”.
– Server resources are not released.

Configure disconnected sessions to reset after a small number of minutes.
– 5 minutes…? Longer… Shorter… ??
– YMMV

Use new Group Policy setting to configure this:
– Set time limit for logoff of RemoteApp sessions

Page 53: Securely connecting to apps over the internet using rds

Virtual Channel Bandwidth Allocation

From the network’s perspective, some user actions are far worse than others:
– Copy-from/paste to local machine
– Copy files to local machine
– Print

These actions transfer real data, as opposed to efficient screen update data.

In Vista/08, Microsoft hard-limits this “real” virtual channel data to 30% of total data.
– This amount can be adjusted.

Page 54: Securely connecting to apps over the internet using rds

Virtual Channel Bandwidth Allocation

Limiting virtual channel data preserves the user’s experience
– At the expense of increasing time-to-complete for those other actions.

HKLM\System\CurrentControlSet\Services\TermDD (REG_DWORD)
– FlowControlDisplayBandwidth
– FlowControlChannelBandwidth

Ratio of integer numbers equals distribution.
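The ratio described above, worked through as an added example that is not part of the original deck. It assumes Microsoft's documented defaults of 70 (display) and 30 (channel) when the values are absent, which matches the 30% limit on the previous slide, and the documented maximum of 255; the function names are hypothetical.

```powershell
# Added example, not from the deck. Run elevated on the RD Session Host.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD'

function Get-FlowControlWeights {
    # Read both weights; a missing value means the default (assumed 70 / 30).
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $display = 70
    $channel = 30
    if ($p -and $null -ne $p.FlowControlDisplayBandwidth) {
        $display = [int]$p.FlowControlDisplayBandwidth
    }
    if ($p -and $null -ne $p.FlowControlChannelBandwidth) {
        $channel = [int]$p.FlowControlChannelBandwidth
    }
    # The share is weight / (sum of weights): 70 and 30 give 30% to the
    # virtual channels (clipboard, file copy, printing).
    $total = $display + $channel
    $pct = 0
    if ($total -gt 0) { $pct = [math]::Round(100 * $channel / $total, 1) }
    New-Object psobject -Property @{
        Display        = $display
        Channel        = $channel
        ChannelPercent = $pct
    }
}

function Set-FlowControlWeights {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidateRange(1, 255)][int]$Display,
        [Parameter(Mandatory = $true)][ValidateRange(1, 255)][int]$Channel
    )
    if ($PSCmdlet.ShouldProcess($key, "Set display:channel weights to ${Display}:${Channel}")) {
        New-ItemProperty -Path $key -Name FlowControlDisplayBandwidth `
            -Value $Display -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name FlowControlChannelBandwidth `
            -Value $Channel -PropertyType DWord -Force | Out-Null
    }
}

# Show the current split, then preview (without writing) an 80:20 split,
# which would cap virtual channel data at 20% of the total.
Get-FlowControlWeights
Set-FlowControlWeights -Display 80 -Channel 20 -WhatIf
```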

Page 55: Securely connecting to apps over the internet using rds

The RDS Application Compatibility Analyzer

https://connect.microsoft.com/tsappcompat/downloads

Page 56: Securely connecting to apps over the internet using rds

Should I Virtualize my TSs?

No.

EXCEPT: In the single situation where you plan for zero consolidation.

Or, essentially one virtual server per physical server.

Page 57: Securely connecting to apps over the internet using rds

Part IV: Securing the User’s Connection

Page 58: Securely connecting to apps over the internet using rds

What You’ll Need

Enabling Internet-grade security for RDS sessions requires a few extra components:
– RD Gateway Server
– SSL Server certificate from Public CA
– Two Holes in the Firewall

Page 59: Securely connecting to apps over the internet using rds

What You’ll Need

Enabling Internet-grade security for RDS sessions requires a few extra components:

[Diagram labels: client1.myhome.com; 443/TCP; server1.contoso.com (Remote Desktop Gateway); 3389/TCP; server2.contoso.com (Remote Desktop Session Host); dc.contoso.com; contoso.com]

Page 60: Securely connecting to apps over the internet using rds

SSL Certificates

Although it is possible to create free certificates through 2008 Certificate Services, save yourself headache and heartache and BUY ONE
– $20/year at GoDaddy, automatically trusted, and useful for multiple steps in this process

Server Authentication certificate
– Name must exactly match the RDG’s FQDN
– Must be installed to the local computer’s Personal Store
– Not current user’s Personal Store
– Must include private keys
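A check of the certificate requirements listed above, as an added example that is not part of the original deck. The gateway name is an assumption taken from the deck's diagram and the function name is hypothetical; the check compares the subject common name only and does not evaluate SAN or wildcard certificates.

```powershell
# Added example, not from the deck. Run on the RD Gateway server.
$gatewayFqdn   = 'server1.contoso.com'   # assumption: the FQDN clients connect to
$serverAuthOid = '1.3.6.1.5.5.7.3.1'     # Server Authentication EKU

function Test-RdgCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory = $true)][string]$Fqdn
    )
    # Collect EKU OIDs. A certificate with no EKU extension reports $false here.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    # Subject common name ("Name must exactly match the RDG's FQDN").
    $cn = $Cert.GetNameInfo('SimpleName', $false)

    # Build the chain to a trusted root without contacting revocation servers.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $now = Get-Date

    New-Object psobject -Property @{
        Thumbprint    = $Cert.Thumbprint
        NameMatches   = ($cn -ieq $Fqdn)
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        TrustedChain  = $chain.Build($Cert)
    }
}

# Evaluate every certificate in the local computer's Personal store.
$columns = 'Thumbprint', 'NameMatches', 'ServerAuthEku',
           'HasPrivateKey', 'InValidity', 'TrustedChain'
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-RdgCertificate -Cert $_ -Fqdn $gatewayFqdn } |
    Select-Object $columns |
    Format-Table -AutoSize

# The misplacement the slide warns about: a matching certificate that was
# imported into the current user's Personal store instead.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -ieq $gatewayFqdn } |
    ForEach-Object {
        Write-Warning "Certificate $($_.Thumbprint) is in CurrentUser\My, not LocalMachine\My"
    }
```

A certificate is suitable for the RDG installer only when every column in its row is True.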

Page 61: Securely connecting to apps over the internet using rds

Installing the RDG

Four questions are required during installation.
– Server authentication certificate. If you’ve correctly installed your certificate to the local computer’s Personal Store, you will see that certificate listed in the box.
– RD Gateway User Groups. Groups which are allowed to connect to internal resources through this RDG server.
– RD CAP. Identifies mechanisms used for authenticating users to the RD Gateway server: Password or smart card.
– RD RAP. Identifies internal computers which can be accessed by users who enter through the RDG.

Page 62: Securely connecting to apps over the internet using rds

If You’ve Done it Right…

Page 63: Securely connecting to apps over the internet using rds

DEMO: Managing the RDG

Page 64: Securely connecting to apps over the internet using rds

Exposing the RemoteApp

Once the RDG is installed, this creates the pathway by which RemoteApps can flow.

The next step is to create the RemoteApp.
– Install an application.
– Expose the application using RemoteApp Manager
– Enable RDG settings within the RemoteApp
– Distribute the RemoteApp through one or more mechanisms

Page 65: Securely connecting to apps over the internet using rds

Special RDG Settings

Two settings on this screen need special attention:
– Enables single sign-on between RDG and RDSH
– Enables direct RDSH access for LAN clients

Page 66: Securely connecting to apps over the internet using rds

Too Many Error Messages!

At this point, your clients can invoke the RDP file to connect either locally or via the Internet.

However, for reasons of scripting security, Microsoft requires an authentication at connection.

This confuses users. Creates pain for we admins.

Page 67: Securely connecting to apps over the internet using rds

Eliminate Error Messages!

Eliminate one of the two error messages by digitally signing your RDP file.

Possible to use same server certificate as installed to RDG.

Install certificate to RDSH’s local computer Personal Store.

You’ll know if you screwed this part up.

Page 68: Securely connecting to apps over the internet using rds

Error Messages to Questions

Signing the file creates the necessary authentication between client and server.

However, it doesn’t entirely eliminate the error message.
– Instead, the user sees: “Do you trust the publisher of this RemoteApp program?”
– User can click Yes, also can click “Don’t ask me again”.
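An audit of a distributed RDP file for the gateway settings and signature discussed on the last few slides, as an added example that is not part of the original deck. The file content is constructed, the host names come from the deck's diagram, and the function names are hypothetical; the script checks that a signature is present and what it covers, while validating the signature itself is left to the RDP client.

```powershell
# Added example, not from the deck. The RDP text below is constructed.
$sampleRdp = @'
full address:s:server2.contoso.com
remoteapplicationmode:i:1
remoteapplicationprogram:s:||calc
gatewayhostname:s:server1.contoso.com
gatewayusagemethod:i:2
promptcredentialonce:i:1
signscope:s:Full Address,GatewayHostname,GatewayUsageMethod,PromptCredentialOnce
signature:s:CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-SIGNATURE
'@

function ConvertFrom-RdpText {
    param([string]$Text)
    # Each setting is "name:type:value"; the value may itself contain colons.
    $settings = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        $parts = $line.Trim() -split ':', 3
        if ($parts.Count -eq 3) { $settings[$parts[0].ToLower()] = $parts[2] }
    }
    $settings
}

function Test-RdpGatewaySettings {
    param([hashtable]$Settings, [string]$ExpectedGateway)
    $findings = @()

    if ($Settings['gatewayhostname'] -ine $ExpectedGateway) {
        $findings += "gatewayhostname is '$($Settings['gatewayhostname'])', expected '$ExpectedGateway'"
    }
    # 1 = always use the gateway; 2 = bypass it for local addresses
    # (the "direct RDSH access for LAN clients" setting).
    if (@('1', '2') -notcontains $Settings['gatewayusagemethod']) {
        $findings += "gatewayusagemethod '$($Settings['gatewayusagemethod'])' does not route Internet clients through the gateway"
    }
    # 1 = same credentials for RDG and RDSH (the single sign-on setting).
    if ($Settings['promptcredentialonce'] -ne '1') {
        $findings += 'promptcredentialonce is not 1: users are prompted twice'
    }
    if (-not $Settings['signature']) {
        $findings += 'file is unsigned: clients show the unknown-publisher warning'
    }
    # Settings outside signscope can be edited without breaking the signature.
    $scope = @()
    if ($Settings['signscope']) {
        $scope = @($Settings['signscope'] -split ',' |
            ForEach-Object { ($_ -replace '\s', '').ToLower() })
    }
    foreach ($name in 'fulladdress', 'gatewayhostname', 'gatewayusagemethod') {
        if ($scope -notcontains $name) {
            $findings += "'$name' is not covered by the signature"
        }
    }
    $findings
}

$result = Test-RdpGatewaySettings -Settings (ConvertFrom-RdpText $sampleRdp) `
                                  -ExpectedGateway 'server1.contoso.com'
if ($result) { $result } else { 'No findings.' }
```

To audit a real file, pass `Get-Content <file.rdp> | Out-String` to `ConvertFrom-RdpText` in place of the constructed sample.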

Page 69: Securely connecting to apps over the internet using rds

DEMO: Creating the RemoteApp

Page 70: Securely connecting to apps over the internet using rds

Part V: Virtual Desktops (…if we have time…)

Page 71: Securely connecting to apps over the internet using rds

DEMO / DISCUSSION: Virtual Desktops atop RDS & Hyper-V

Page 72: Securely connecting to apps over the internet using rds
Page 73: Securely connecting to apps over the internet using rds
