Virtualization: RD Web Access Enables Discovery

You can have the most exquisitely configured VMs ready for your user community, but they won’t be able to use them if they don’t know they exist.

Kristin Griffin

The Remote Desktop Connection Broker (RD Connection Broker) is essential for delivering virtual machines (VMs) and sessions. However, you can’t broker session connections and VMs unless users try to reach them, and they won’t try to reach them if they don’t even know about them.

You can use the RD Web Access role service to help users discover sessions and VMs you want them to use. It can also help you publish those VMs and sessions to them. You can even customize RD Web Access to create a better user experience.

Before RD Web Access became part of Terminal Services in Windows Server 2008, you could tell people which Terminal Servers they could reach by e-mailing them an RDP file or publishing the RDP files on a network share. The catch to either of those approaches is keeping that information up-to-date.

If you changed anything about the connection, you’d need to redistribute the RDP files and ensure that no one used the old ones. You would also need to ensure people know to look for the updated RDP files. To avoid the extra work of making sure that users know what resources they have access to and are always using the right settings to connect to those resources, you can use RD Web Access to publish those resources.

Access for the Authenticated

Many think the RD Web Access role service is just a Web site that provides access to RemoteApp programs and full remote desktop sessions. It’s really a publishing service that collates information from the RD Connection Broker or individual RD Session Host servers and presents it to authenticated users who have the right to use the RemoteApp programs, full desktop sessions and VMs available from those sources.

There are two ways RD Web Access helps discover RemoteApp programs, full desktop sessions, and personal and pooled VMs:

  • RD Web Access Web site (available to computers running Windows XP SP3 and later)
  • RemoteApp and Desktop Connection (RADC) in Windows 7 and Windows 2008

The RD Web Access role service is configured to query different resources (the RD Connection Broker or one or more RD Session Host servers) for their application or remote desktop availability. It publishes the available applications and desktops as links in the RD Web Access site. For Windows machines that have RADC configured, these links will appear in the user’s Start Menu. Users will only see links for applications and desktops for which they have access permission.

From the user perspective, accessing RemoteApp programs and desktop sessions via RD Web Access or RADC provides “one-stop-shop” access to RD Session Host server RemoteApp programs, other desktops and VMs. From a management perspective, access is always up-to-date. You don’t need to redistribute new RDP files every time you make a change to the list of available applications or user permissions.

RD Web Access Communication

In order for RD Web Access to query and publish the resources available from RD Session Host servers and RD Virtualization Host servers, you must specify the sources as part of the Web site configuration. RD Web Access gets the publishing information from the other role services of Remote Desktop Services (See Figure 1).

Figure 1 RD Web Access will get publishing information from other role services of Remote Desktop Services.

You can specify either individual RD Session Host servers or farms as the source from which RD Web Access should query for resource data. You can also specify RD Connection Broker as the source. The RD Web Access role service communicates with RD Session Host servers or farms via WMI. It will use RPC when RD Connection Broker is specified as the source.

While the source for sessions may be individual RD Session Host servers, farms or the RD Connection Broker (which would return resource data from all of the farms and VMs of which it’s aware), the source for VMs must always be the RD Connection Broker.

Set up RD Web Access

To set up RD Web Access, follow these steps:

  • Install the RD Web Access role service, which will also install the RD Web Access Web site
  • Allow RD Web Access sources to communicate with RD Web Access
  • Configure the source that RD Web Access will query for RemoteApp programs, full remote desktop sessions, and pooled and personal VMs
  • Configure RADC on Windows 7 so links to available resources appear in the user’s Start Menu

Install the role service via Server Manager or Windows PowerShell. When you install the RD Web Access role service, it will also install IIS (if it isn’t already installed), because IIS is a dependency.

You can allow RD Web Access sources to communicate with RD Web Access by one of these methods:

  • Specify individual RD Session Host servers or farms as sources (in which case you would add the RD Web Access server’s computer account to the TS Web Access security group on each RD Session Host server)
  • Specify RD Connection Broker as the source

If you use the latter method, there are two additional steps:

  • On each farm member, add the RD Connection Broker server’s computer account to the TS Web Access Computers group
  • On the RD Connection Broker server, add the RD Web Access server’s computer account to the TS Web Access Computers group

To add RD Web Access sources to RD Web Access, open Internet Explorer (other browsers aren’t supported because an ActiveX control launches the RDP file) and navigate to https://rdwa-server-name/rdweb. Log in as an administrator or a user added to the TS Web Access Administrators group on the RD Web Access server.

Select the Configuration tab and choose to either Add individual RD Session Host servers and/or farms as sources (separate entries with a semi-colon), or Specify RD Connection Broker as the source (which will pull data from all RD Session Host server farms and RD Virtualization Host server VMs of which it’s aware).

To set up RADC, open the RADC Control Panel applet and add the URL to the RD Web Access feed as https://rdwa-server-name/Rdweb/feed/webfeed.aspx. If you’ve configured DNS for a more user-friendly name for your Web site, then you can use that address. You will most likely not want to manually configure all your client machines with this setting. See this blog post I wrote last year on how to automate the process.

Update RDP Files Through RD Web Access

When you click on a link in RD Web Access, it opens an RDP file that’s built on the fly from the settings gathered from the source (using the RemoteApp Manager settings on each RD Session Host Server or from Remote Desktop Connection Manager on RD Connection Broker). To update these links, simply change the configuration settings on the source. These settings will be reflected upon refreshing the Web page or the next time the user logs on.

If you’re using Windows 7, click on a Start Menu link provided by RADC. This opens an RDP file created with the published RDP settings.

When there are changes made to the connection settings on the source, RADC RDP files get updated either manually or automatically. If you do it manually, click the Update button on the Control Panel | All Control Panel Items | RemoteApp and Desktop Connections | Properties page.

If you choose to have it done automatically (once daily), set it up as a Task Scheduler rule when you configure RADC. You can edit the Task Scheduler jobs by opening Task Scheduler and navigating to: Task Scheduler Library | Microsoft | Windows | RemoteApp and Desktop Connections Update | username. Right click the job and select Properties.

Log on Once with WebSSO

One great feature of RD Web Access for Windows 2008 R2 is that users can log in once to the RD Web Access Web site. It will store the login credentials for all the RemoteApp resources published for that user—even RemoteApps in different farms. This is called Web Single Sign-On (WebSSO). WebSSO doesn’t work for accessing full desktop sessions or pooled or personal VMs, however. Your infrastructure must meet the following requirements to use WebSSO:

  • Clients must run Remote Desktop Connection (RDC) 7.0 (Windows 7 runs RDC 7.0). For Windows XP SP3, get the RDC 7.0 update from Microsoft Support.
  • RemoteApp programs must be signed with an SSL certificate or code signing certificate. You can get a certificate from a public Certificate Authority like Verisign or GoDaddy, or your company may have its own PKI. (For WebSSO to work across multiple farms, you need to use the same certificate to sign RemoteApp programs on all farm servers.)
  • Clients must trust the certificate used to sign the RemoteApp programs. Make sure the certificate used to sign your certificate (the CA certificate) is installed in the client’s Computer Trusted Root Certificate store.

To set up WebSSO, follow these instructions.
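
One way to spot-check the signing requirement above on an RDP file saved from the site, as an added example that is not from the original article. It assumes the `signscope:s:` and `signature:s:` lines that a signed RDP file carries; the function names, host names and the list of settings to cover are hypothetical.

```javascript
// Added example: report whether an .rdp file carries a signature and whether
// the settings that decide where the client connects are inside the signed scope.
// It does not validate the signature itself; the RDC client does that.

function parseRdp(text) {
  var settings = {};
  text.split(/\r?\n/).forEach(function (line) {
    // Each setting is name:type:value; the value may itself contain colons.
    var m = /^([^:]+):([a-z]):(.*)$/i.exec(line.replace(/^\s+|\s+$/g, ""));
    if (m) {
      settings[m[1].toLowerCase()] = m[3];
    }
  });
  return settings;
}

function checkSigning(text, mustCover) {
  var s = parseRdp(text);
  var scope = (s["signscope"] || "").split(",").map(function (n) {
    return n.replace(/^\s+|\s+$/g, "").toLowerCase();
  }).filter(function (n) { return n !== ""; });
  var signed = Boolean(s["signature"]) && scope.length > 0;
  // A setting present in the file but absent from signscope is not covered
  // by the signature.
  var uncovered = mustCover.filter(function (name) {
    return Object.prototype.hasOwnProperty.call(s, name) &&
           scope.indexOf(name) === -1;
  });
  return { signed: signed, uncovered: uncovered };
}

// Settings an administrator would want covered (an assumed list for this example).
var MUST_COVER = ["full address", "gatewayhostname", "remoteapplicationprogram"];

// Constructed sample; the signature value is a placeholder, not a real blob.
var SAMPLE_SIGNED = [
  "full address:s:farm.example.test",
  "gatewayhostname:s:rdgw.example.test",
  "remoteapplicationmode:i:1",
  "remoteapplicationprogram:s:||calc",
  "signscope:s:Full Address,RemoteApplicationMode,RemoteApplicationProgram",
  "signature:s:PLACEHOLDER"
].join("\r\n");

console.log(checkSigning(SAMPLE_SIGNED, MUST_COVER));
```

In the constructed sample the gateway host name is present but missing from the signed scope, so it is reported as uncovered.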

Customize the RD Web Access Site

You can make several significant customizations to the default RD Web Access Web site. These customizations, adapted from the Microsoft Windows Server 2008 R2 Remote Desktop Services Resource Kit, are easy to implement, but they make a big difference to the user experience.

Automatically Add Domain Name to a User’s Login Credentials: To log in to the RD Web Access default Web site, your users will have to type their username as domain name\username. If they forget to add the domain name and backslash to their login credentials, login will fail. To automatically add the domain name and backslash to the user login name, follow these steps:

Open the Renderscript.js file located in the %WinDir%\Web\RDWeb\Pages folder, find the following code block, and change it from this:

if ( objForm != null )
{
    strDomainUserName = objForm.elements("DomainUserName").value;
    strPassword = objForm.elements("UserPass").value;
    strWorkspaceId = objForm.elements("WorkSpaceID").value;
    strRDPCertificates = objForm.elements("RDPCertificates").value;

To this:

if ( objForm != null )
{
    strDomainUserName = objForm.elements("DomainUserName").value;
    // Add default domain
    if ( strDomainUserName.indexOf("\\") == -1 )
    {
        strDomainUserName = "YOUR-DOMAIN-HERE\\" + strDomainUserName;
        objForm.elements("DomainUserName").value = strDomainUserName;
    }
    strPassword = objForm.elements("UserPass").value;
    strWorkspaceId = objForm.elements("WorkSpaceID").value;
    strRDPCertificates = objForm.elements("RDPCertificates").value;
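
The edit above prepends the domain whenever the input has no backslash, so a name typed in UPN form (user@domain.suffix) would also get the prefix. The standalone sketch below is an added example, not part of the original article or of Renderscript.js; it shows the same defaulting logic with that case and stray whitespace handled. It assumes UPN-style input should be passed through unchanged, and `qualifyUserName` and the domain CONTOSO are hypothetical names.

```javascript
// Added example: standalone version of the default-domain logic.
// qualifyUserName and DEFAULT_DOMAIN are hypothetical, not part of Renderscript.js.
var DEFAULT_DOMAIN = "CONTOSO"; // placeholder; the article uses YOUR-DOMAIN-HERE

function qualifyUserName(input, defaultDomain) {
  var name = String(input == null ? "" : input).replace(/^\s+|\s+$/g, "");
  if (name === "") {
    return ""; // leave empty input alone so the form's own validation applies
  }
  // Already DOMAIN\user (or .\user for a local account): keep what was typed.
  if (name.indexOf("\\") !== -1) {
    return name;
  }
  // UPN form (user@domain.suffix): prepending a domain would mix the two
  // notations, so pass it through unchanged (assumption of this example).
  if (name.indexOf("@") !== -1) {
    return name;
  }
  return defaultDomain + "\\" + name;
}

// Constructed sample inputs.
var samples = ["alice", "  bob ", "FABRIKAM\\carol", "dave@contoso.com", ""];
for (var i = 0; i < samples.length; i++) {
  console.log(JSON.stringify(samples[i]) + " -> " +
              JSON.stringify(qualifyUserName(samples[i], DEFAULT_DOMAIN)));
}
```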

Customize RD Web Access Page Titles and Subtitles: There are four main pages of the RD Web Access Web site: Login, RemoteApp Programs, Remote Desktop and Configuration. Each page contains two lines in the upper-left portion of the page:

  • Page Title (the default is “Remote Desktop Services Default Connection”)
  • Page Subtitle (the default is “Remote Desktop Services Default Connection”)

You can customize these two lines on each page, or for the whole Web site.

Change all Page Titles by editing the %WinDir%\Web\RDWeb\App_Data\RDWebAccess.Config file line:

<WorkspaceSettings Name="YOUR TEXT HERE" ID="servername.domain.suffix" Description="" />

An easier way to change the Page Titles for all site pages is to use RD Connection Broker as the source. Then set the Display Name on the Connection Settings tab of the Properties dialog box in RD Connection Manager. The text placed here will be used as the Page Title for all RD Web Access website pages.

To change the Subtitle area on each Web site page, navigate to: %WinDir%\Web\RDWeb\Pages\en-US\. Then edit each of the pages as follows:

  • To change the Login page, edit Login.aspx
  • To change the RemoteApp programs page, edit Default.aspx
  • To change the Remote Desktops page, edit Desktops.aspx
  • To change the Configuration Page, edit Config.aspx

You can customize subtitle areas on each page by editing the following line on each page:

const string L_ApplicationName_Text = "YOUR TEXT HERE";

Configure Remote Desktop Web Connection Behavior: Some companies don’t want to let their users access Remote Desktops with the Remote Desktops tab on the RD Web Access Web site. They might want connections made from the Remote Desktops Tab to use RD Gateway or to use certain device redirection settings. The steps you need to take to configure these settings are detailed in the TechNet Library.

You can make resources and VMs available to your user community, but they won’t be able to use them if they don’t know about them. Discovery is an important feature of any virtualization deployment and RD Web Access can help enable this discovery. Next month, I’ll cover how to use RD Gateway to enable secure access to sessions and VMs over public networks.

Kristin Griffin

Kristin Griffin is a Remote Desktop Services MVP. She moderates a Microsoft forum dedicated to helping the server-based computing community (Remote Desktop Services) and maintains an RDS blog at blog.kristinlgriffin.com. She’s a contributor to Mark Minasi’s “Mastering Windows Server 2008” (Sybex, 2008) and “Mastering Windows Server 2008 R2” (Sybex, 2010). She also coauthored “Microsoft Windows Server 2008 Terminal Services Resource Kit” (Microsoft Press, 2008) and “Microsoft Windows Server 2008 R2 Remote Desktop Services Resource Kit” (Microsoft Press, 2010) with Christa Anderson.

Sidebar: RD Web Access Q & A

Q. Where should I deploy RD Web Access?

A. This really depends on the amount of access you want to achieve. If you’d like users outside your network to be able to access RD Web Access, deploy it in your DMZ. You could also deploy internally and allow public access to the server over port 443. If you only want to allow internal access, deploy the role service on your LAN only.

Q. Do I need to dedicate a whole server for this role service?

A. No, you do not need to dedicate a whole server or VM to RD Web Access. Where you deploy RD Web Access may influence the machine upon which you install it. For example, if you choose to install RD Web Access and RD Gateway in your DMZ, you could combine the role services on the same machine.

Q. I made changes in RD Connection Manager on RD Connection Broker that I expected to see updated in RD Web Access, but they don’t appear right away (for instance, changing the Display Name). Is this normal?

A. RD Web Access caches the settings it polls from RD Connection Broker for three minutes at a time for performance reasons. To see these changes right away, restart the Web site in IIS on the RD Web Access server.

Q. I set up RD Web Access, but I don’t see any icons displayed on the Web site. Any suggestions?

A. Permissions are a very common reason for this problem. Refer to the General Setup section earlier in this article for the proper permissions to check. There are a few other reasons why this might occur, which are outlined in this blog entry.