DISCLAIMER: Any of the Method’s listed below, should be approved by your customer before use.
The biggest issue with Secure Environments is the limited amount of ports that are allowed Outbound. However I would guestimate that 99% of customers allow 443/TCP outbound. All of the methods below leverage the use of 443/TCP Outbound.
Overview
By leveraging Remote Desktop Services and Direct Access, any internal app can be made available via Desktop or Streamed Application and all over a secure port (443/TCP) session. Most environments have 443/TCP Outbound open so this should not be a problem. To support this you will need to setup one virtual machine with the following services:
Active Directory Domain Services
Remote Desktop Services
Operating System: Windows Server 2012
**To accommodate all technical levels, detailed instructions are listed below. If you are familiar with a particular part of the setup then feel free to move on to the next step.
CONFIGURING THE VM
Configuring the Computer Name
Log onto the VM.
When the Server Manager Dashboard opens click on Configure this local server.
Under the Properties section click on the Computer name.
On the Computer Name tab click the Change button.
Under Computer name: enter [SERVERNAME OF YOUR CHOICE] then click OK.
***Note: For the purposes of this lab the server will be named RDP-HOME-V
At the Computer Name/Domain Changes screen click OK.
Click Close to close the System Properties then click Restart Later.
Configuring the IP Address
Under the Properties section click on the Ethernet IP Address.
Right-click Ethernet and select Properties.
Highlight Internet Protocol Version 4 (TCP/IPv4) then click the Properties button.
Under the Properties section click on the Ethernet IP Address.
Select Use the following IP Address then enter the following:
IP Address: 192.168.2.8
Subnet mask: 255.255.255.0
Default Gateway:192.168.2.1 (This should be the IP of your router)
Select Use the following DNS server addresses then enter the following:
Preferred DNS server:192.168.2.8
Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties window.
Click Close to close the Ethernet Properties window then close the Network Connections window.
Installing Active Directory Domain Services and Remote Desktop Services
In the Left-Pane of Server Manager click Dashboard.
In the Right-Pane under Configure this local server click on Add roles and features.
At the Before you begin screen click Next.
At the Select installation type screen click Next.
At the Select destination server screen click Next.
At the Select server roles screen select Active Directory Domain Services.
At the Add features that are required for Active Directory Domain Services? pop-up click Add Features.
Now select Remote Desktop Services then click Next.
At the Select features screen click Next.
At the Active Directory Domain Services screen click Next.
At the Remote Desktop Services screen click Next.
At the Select role services screen select Remote Desktop Gateway.
At the Add features that are required for Remote Desktop Services? pop-up click Add Features then click Next.
At the Network Policy and Access Services screen click Next.
At the Select role services screen click Next.
At the Web Server Role (IIS) screen click Next.
At the Select role services screen click Next.
At the Confirm installation selections screen select Restart the destination server automatically if required.
At the Add Roles and Features Wizard pop-up click Yes then click Install.
When the installation completes click Close then Restart the VM.
Configuring Active Directory Services (Formerly DCPROMO)
CONFIGURING NAME RESOLUTION FOR YOUR LAB
If you DO own your own Domain Name and DO HAVE a Static Public IP Address from your ISP, then you must assure that you have created an A Record for rdp.yourdomain.com with your Domain Name Registrar that points to your Static Public IP Address from your ISP. Since the instructions for each vendor varies and Domain Record Creation is outside of the scope of this paper, please refer to each vendors instructions on how to register your own Domain Name. Once this is confirmed you may move on to the CONFIGURING REMOTE DESKTOP GATEWAY CERTIFICATE section.
CONFIGURING REMOTE DESKTOP GATEWAY CERTIFICATE
Remote Desktop Gateway requires a certificate that matches the name that is used by the client machine. Although there are workarounds that allow the use of a certificate issued by an internal Certificate Authority, the easiest method is using a Public Certificate Authority.
Acquiring a Public Certificate
Creating your Certificate Signing Request (CSR)
Common Name: rdp.yourdomain.com (Should Be your Public Domain Name)
Organization: Your made up Organization Name (Example Contoso)
Organization Unit: Your made up Organization Unit (Example IT)
City/locality: Your City
State/province: Your State
Country/region: Select Your Country
then click Next.
then click Next.
Once your CSR has been created then you must pick a Certificate Issuer such as DigiCert, GoDaddy, etc. to submit your CSR to. Since the instructions for each vendor varies and CSR submittal is outside of the scope of this paper, please refer to each vendors instructions on how to Submit your Certificate Request.
Retrieving your Certificate
After submitting your CSR you should receive an email that your request is complete. This email should contain a zipped attachment that includes your certificate or instructions on how to retrieve your certificate. Save this attachment to your VM and extract it, then follow the steps below:
Importing your Certificate on your Remote Desktop Gateway
CONFIGURING REMOTE DESKTOP GATEWAY
Configuring Connection Authorization Policies (CAP) and Resource Authorization Policies (RAP)
From the Left-Pane expand RDP-HOME-V (Local) then right-click Policies and select Create New Authorization Policies.
At the Create Authorization Policies for RD Gateway screen click Next.
At the Create an RD CAP screen enter HOME RD CAP then click Next.
At the Select Requirements screen make sure Password is selected and also select Smartcard.
Under the User Group membership (required): section click the Add Group button.
At the Select Groups pop-up enter Domain Users then click Check Names.
Once resolved (Underlined) click OK then click Next.
At the Enable or Disable Device Redirection screen click Next.
At the Set Session Timeouts screen click Next.
At the RD CAP Settings Summary screen click Next.
At the Create an RD RAP screen enter HOME RD RAP then click Next.
At the Select User Groups screen confirm that HOME\Domain Users is added under the User group membership (required): section then click Next.
At the Select Network Resources screen select Allow users to connect to any network resource (computer) then click Next.
At the Select Allowed Ports screen click Next.
At the RD RAP Settings Summary screen click Finish, then Close
Allowing Remote App Redirection
Log onto the VM.
Open an Elevated Command Prompt.
Open the Registry by entering the following command:
regedit
Navigate to the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Terminal Server\TSAppAllowList
In the Right-Pane double-click the FDisabledAllowList value.
Under the Value data: section enter 1 then click OK.
CONFIGURING APPLICATION SOURCE
This machine should be a machine that is joined to your home lab environment and has the applications that you would like to stream to your secure location.
Granting Local Admin to Your Account
From the Start Menu open Give administrative rights to a domain user.
At the User Accounts pop-up click the Add button.
At the Add a domain account screen under the User name: section enter your username and enter northamerica under the Domain: section then click Next.
At the What level of access do you want to grant this user? Section select Administrator then click Next.
At the You’re almost done screen click Finish, then OK.
Publishing Home IE
Log onto the VM.
Open an Elevated Command Prompt.
Open the Registry by entering the following command:
regedit
Navigate to the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Terminal Server
Right-Click TSAppAllowList and select New | Key and name it Applications.
Right-Click Applications and select New | Key and name it IE.
Right-Click IE Key and select New | String Value and name it Name.
Double-Click Name value and enter IE.
Right-Click IE Key and select New | String Value and name it Path.
Double-Click Path value and enter C:\Program Files (x86)\Internet Explorer\iexplore.exe
CONNECTING FROM YOUR CUSTOMER MACHINE
Remote Desktop Connections can be saved with pre-populated settings in files called .rdp files. In the following steps we will create a .rdp file that will be used to logon to your Home Desktop as well as launch a streamed IE session from your Home Laptop.
Creating a Corporate Desktop .rdp File
Log on to your customer workstation.
Open Remote Desktop Connection.
Under the Computer: section enter your Corpnet Computer Name.
Click on the Show Options button, then click on the Advanced tab.
Under the Connect from anywhere section click on the Settings button.
Server name: section enter rdp.yourdomain.com.
Using the drop-down menu change the Logon method: from Allow me to select later to Smart card.
Under the Logon settings section check the Use my RD Gateway credentials from the remote computer then click OK.
Click on the General tab then under the Connection settings section click the Save As… button.
Give the file a descriptive name then click Save.
At the point you can Double-Click the previously created .rdp file to connect to your Home Desktop!!!
***Note: At the Certificate Mismatch screen click Yes.
Creating a Home IE .rdp File
Make a copy of the previously created .rdp clip then open it using Notepad.
Change the following values:
From To
Gatewayusagemethod:i:2 Gatewayusagemethod:i:1
Alternate shell:s: Alternate shell:s:rdpinit.exe
Remoteapplicationmode:i:0 Remoteapplicationmode:i:1
Add the following value:
Remoteapplicationprogram:s:Iexplore
Remoteapplicationmode:i:0 Remoteapplicationmode:i:1
Add the following value:
TROUBLESHOOTING
Can’t connect to RemoteApp (IE) on Home Laptop
Log on to your customer workstation.
Launch the Desktop RDP clip.
Once connected to your Corpnet Laptop press Ctrl+Alt+End then click on Task Manager.
At the bottom of the Task Manager windows click on More Details.
Under Background Processes find RemoteApp Shell then Rick-Click it and select End Task.
Repeat this process for RemoteApp Logon Application.
Sign Out of the Remote Desktop session and try to re-connect using RemoteApp.