RDP Gateway with MFA

Step 1: Install RDS Gateway
1. Enable PowerShell Remoting
2. SSL certificates (e.g. go to https://www.startssl.com/ to obtain an SSL certificate for your domain)
Run Powershell as Administrator: Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000
Run Powershell as Administrator: netsh winhttp reset proxy
Add  “Windows Remote Management” rule to Windows Firewall
Disable IPV6
Ensure the NTP is running and that it’s synchronized
“Shift” click on “Server Manager” and select “Run as administrator”
Server Manager >> Manage >> Add Roles and Features Wizard >> Installation Type >> Remote Desktop Services Installation >> choose “Standard Deployment” for a multiple-server deployment or “Quick Start” to have all RDP roles on one machine >> choose “Virtual machine-based desktop deployment” for virtual desktops or “Session-based desktop deployment” to have all users share similar desktop settings
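The Step 1 prerequisites as a checkable script, added here as an example and not part of the original article. Every check is read-only unless -Apply is passed; with -Apply it runs the same commands the steps above describe (Enable-PSRemoting, the WSMan memory limit, the WinHTTP proxy reset, the Windows Remote Management firewall group, and the IPv6 binding). Only built-in cmdlets are used; no names beyond those are assumed.

```powershell
# Added example: verify (and optionally apply) the Step 1 prerequisites on the gateway host.
# Run from an elevated PowerShell session.
function Test-RdsGatewayPrereqs {
    [CmdletBinding()]
    param([switch]$Apply)   # without -Apply nothing is changed, results are only reported

    $results = [ordered]@{}

    # 1. PowerShell Remoting (WinRM service)
    $winrm = Get-Service -Name WinRM
    $results['WinRM running'] = ($winrm.Status -eq 'Running')
    if ($Apply -and -not $results['WinRM running']) { Enable-PSRemoting -Force }

    # MaxMemoryPerShellMB must be raised for the RDS deployment cmdlets
    $maxMem = [int](Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
    $results['MaxMemoryPerShellMB >= 1000'] = ($maxMem -ge 1000)
    if ($Apply -and -not $results['MaxMemoryPerShellMB >= 1000']) {
        Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000
    }

    # WinHTTP proxy reset (always safe to repeat)
    if ($Apply) { & netsh winhttp reset proxy | Out-Null }

    # Windows Remote Management firewall rule group
    $fw = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue
    $results['WinRM firewall rules enabled'] = [bool]($fw | Where-Object Enabled -eq 'True')
    if ($Apply -and -not $results['WinRM firewall rules enabled']) {
        Enable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
    }

    # IPv6 binding on every adapter
    $v6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
    $results['IPv6 disabled on all adapters'] = (-not $v6)
    if ($Apply -and $v6) { Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6 }

    # NTP: service running and synchronised to a real source, not the local CMOS clock.
    # Time skew breaks Kerberos and certificate validation, both of which the gateway depends on.
    $w32 = Get-Service -Name W32Time
    $results['W32Time running'] = ($w32.Status -eq 'Running')
    $status = & w32tm /query /status 2>&1
    $results['Time synced to a network source'] =
        [bool]($status -match '^Source:') -and -not [bool]($status -match 'Local CMOS Clock')

    return $results
}

Test-RdsGatewayPrereqs            # report only
# Test-RdsGatewayPrereqs -Apply   # report and fix
```

Run it once before Step 2 and again after a reboot; a failed time-sync check is the one most often missed and shows up later as certificate or Kerberos errors rather than as an obvious NTP error.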
Step 2: Configure RD roles: RD Web Access, RD Gateway, RD Licensing, RD Connection Broker
Remote Desktop Services >> Overview >> click on RD Gateway >> create a self-signed SSL certificate by typing in the FQDN of the Gateway server, such as desktop.[domain].com >> complete the wizard >> at the last prompt, click on “Configure certificate” instead of “Close” – the Deployment Properties window appears >> select RD Connection Broker – Enable Single Sign-on >> click on “Create new certificate” if a publicly signed certificate is not available >> choose certificate name and password and store it on the desktop >> OK >> Apply >> repeat the process to apply the same certificate to “RD Connection Broker – Publishing,” “RD Web Access,” and “RD Gateway”
Step 3: Configure gateway to enable routing to any routable computer on the network, even those PCs that have not joined the domain
Run: tsgateway.msc >> [servername.domain.local] >> Policies >> Resource Authorization Policies >> right-click “RDG_AllDomainComputers” >> Properties >> Network Resource >> select “Allow users to connect to any network resource” >> Apply >> OK
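“Allow users to connect to any network resource” turns the gateway into a path to every host it can route to, domain-joined or not, so it is worth auditing which Resource Authorization Policies carry that setting. The audit helper below is an added example, not code from the original article; it assumes the Win32_TSGatewayResourceAuthorizationPolicy WMI class in the root\CIMV2\TerminalServices namespace with the properties named in the comments, and it must run elevated on the gateway.

```powershell
# Added example: list every RD Gateway RAP and flag the ones scoped to ANY network resource.
# Assumed WMI class/properties: Win32_TSGatewayResourceAuthorizationPolicy with Name, Enabled,
# ResourceGroupType ("ALL", "CG" = AD computer group, "RG" = gateway-managed group),
# ResourceGroupName, UserGroupNames and PortNumbers.
function Get-RdGatewayRapAudit {
    param([string]$ComputerName = 'localhost')

    $raps = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\CIMV2\TerminalServices' `
        -Class Win32_TSGatewayResourceAuthorizationPolicy `
        -Authentication PacketPrivacy    # this namespace requires packet privacy

    foreach ($rap in $raps) {
        $scope = switch ($rap.ResourceGroupType) {
            'ALL'   { 'ANY network resource' }
            'CG'    { "AD computer group: $($rap.ResourceGroupName)" }
            'RG'    { "Gateway-managed group: $($rap.ResourceGroupName)" }
            default { [string]$rap.ResourceGroupType }
        }
        $risk = if ($rap.Enabled -and $rap.ResourceGroupType -eq 'ALL') {
            'HIGH: gateway users can reach any routable host'
        } else { 'ok' }

        [pscustomobject]@{
            Name          = $rap.Name
            Enabled       = $rap.Enabled
            ResourceScope = $scope
            UserGroups    = ($rap.UserGroupNames -join ';')
            Ports         = $rap.PortNumbers
            Risk          = $risk
        }
    }
}

Get-RdGatewayRapAudit | Format-Table -AutoSize
```

If the “any network resource” scope is really needed (for example for the non-domain PCs mentioned in the step above), keep the user group on that RAP as small as possible and restrict PortNumbers to 3389 rather than “*”; the audit output makes both of those visible at a glance.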
Step 4: Test the setup
Copy the certificate from the server to the client >> double-click on the certificate >> enter the password >> finish the Certificate Import Wizard to install it onto the “Local Machine” under “Trusted Root Certification Authorities” >> open Internet Explorer >> go to https://desktop.[domain].net/rdweb >> enter user credentials and sign in >> connect to an RDP server
Step 5: Publish Remote App Programs
On Server >> Remote Desktop Services >> Collections >> QuickSessionConnection >> Publish RemoteApp Programs
On Client >> search for RemoteApp and Desktop Connections >> enter “https://rdp.kimconnect.net/rdweb/feed/webfeed.aspx” >> Next >> authenticate >> OK >> Finish
Step 6 (optional): How to apply new SSL certificate
Remote Desktop Services >> Overview >> Tasks >> Edit Deployment Properties >> for each item under Role Service repeat this step: click “Select existing certificate” >> follow the prompts to complete the wizard
Step 7 (optional): How to remove expired certificates from client
Buy a certificate from Godaddy or some other vendor
Console to server >> run MMC >> add “certificates” plug-in for “local computer” >> browse to “Trusted Certificates” store and remove the cert
Step 8: Add Licenses
RD Licensing Manager >> All servers >> right-click the server name and complete the process
Additional resources:
– https://technet.microsoft.com/en-us/library/dd983941%28v=ws.10%29.aspx
Step 9: Install Applications on RD Session Host Server
Method 1
– Install RD Session Host role service: Control Panel >> Install Applications on Remote Desktop Server
– Complete the wizard
Method 2
– run CMD: “change user /install”
– Perform software installation(s)
– When done, run CMD: “change user /execute”
Step 10: Forward default website to RDWeb Application
IIS Manager >> Sites >> click Default Web Site >> double-click HTTP Redirect >> Redirect requests to this destination: “https://desktop.[domain].com/RDWeb/Pages/en-US/” or “/RDWeb/Pages/en-US/” >> check “Only redirect requests to content in this directory” >> Status code: Permanent (301) >> Apply
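The same redirect applied from PowerShell, as an added example that is not part of the original article. It refuses a plain-http destination (an http:// redirect would send the RD Web logon page over cleartext), sets exactly the four options the GUI step describes, and then re-checks the RD Gateway service, which as noted under the troubleshooting tips stops after IIS changes. It assumes the IIS “HTTP Redirection” feature (Web-Http-Redirect) and the WebAdministration module are installed; the hostname in the usage line is a placeholder.

```powershell
# Added example: Step 10 (root-site redirect to RDWeb) via the WebAdministration module.
Import-Module WebAdministration

function Set-RdWebRootRedirect {
    [CmdletBinding()]
    param(
        # Absolute https:// URL or a site-relative path such as /RDWeb/Pages/en-US/
        [Parameter(Mandatory)][string]$Destination,
        [string]$SiteName = 'Default Web Site'
    )
    if ($Destination -notmatch '^(https://|/)') {
        throw "Destination must be https:// or site-relative; an http:// redirect would expose RD Web logons in cleartext."
    }

    $psPath = "IIS:\Sites\$SiteName"
    $filter = 'system.webServer/httpRedirect'
    $settings = @{
        enabled            = $true
        destination        = $Destination
        childOnly          = $true         # "Only redirect requests to content in this directory":
                                           # the site root's own content is redirected, subdirectories
                                           # such as /RDWeb are not, so the redirect cannot loop
        httpResponseStatus = 'Permanent'   # 301
    }
    foreach ($name in $settings.Keys) {
        Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name $name -Value $settings[$name]
    }

    # Return the effective configuration so the change can be verified
    Get-WebConfiguration -PSPath $psPath -Filter $filter |
        Select-Object enabled, destination, childOnly, httpResponseStatus
}

function Start-RdGatewayIfStopped {
    # The RD Gateway service name is TSGateway; it must be running to accept RDP over 443
    $svc = Get-Service -Name TSGateway -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') { Start-Service -Name TSGateway }
    return (Get-Service -Name TSGateway).Status
}

Set-RdWebRootRedirect -Destination 'https://desktop.example.com/RDWeb/Pages/en-US/'   # placeholder hostname
Start-RdGatewayIfStopped
```

After running it, browse to https://[gateway FQDN]/ and confirm a single 301 to the RDWeb page; if the browser reports a redirect loop, childOnly was not applied.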
Step 11: Change the published FQDN
Save this script as Set-RDPublishedName.ps1 in the current directory (the extraction had dropped the param() block, braces and the Try/Else keywords; they are restored here):

[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True,HelpMessage="Specifies the FQDN that clients will use when connecting to the deployment.",Position=1)]
    [string]$ClientAccessName,
    [Parameter(Mandatory=$False,HelpMessage="Specifies the RD Connection Broker server for the deployment.",Position=2)]
    [string]$ConnectionBroker = "localhost"
)

$Host.UI.RawUI.BackgroundColor = "Black"; Clear-Host

# Re-launch elevated if not already running as Administrator
$CurrentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
If (($CurrentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) -eq $false)
{
    $ArgumentList = "-noprofile -noexit -file `"{0}`" -ClientAccessName $ClientAccessName -ConnectionBroker $ConnectionBroker"
    Start-Process powershell.exe -Verb RunAs -ArgumentList ($ArgumentList -f ($MyInvocation.MyCommand.Definition))
    Exit
}

# Read a string property from the RDMS deployment settings on the Connection Broker
Function Get-RDMSDeployStringProperty ([string]$PropertyName, [string]$BrokerName)
{
    $ret = iwmi -Class "Win32_RDMSDeploymentSettings" -Namespace "root\CIMV2\rdms" -Name "GetStringProperty" `
        -ArgumentList @($PropertyName) -ComputerName $BrokerName `
        -Authentication PacketPrivacy -ErrorAction Stop
    Return $ret.Value
}

# A broker in high-availability mode has a database connection string configured
Try
{
    If ((Get-RDMSDeployStringProperty "DatabaseConnectionString" $ConnectionBroker) -eq $null) {$BrokerInHAMode = $False} Else {$BrokerInHAMode = $True}
}
Catch [System.Management.ManagementException]
{
    If ($Error[0].Exception.ErrorCode -eq "InvalidNamespace")
    {
        If ($ConnectionBroker -eq "localhost")
        {
            Write-Host "`n Set-RDPublishedName Failed.`n`n The local machine does not appear to be a Connection Broker. Please specify the`n FQDN of the RD Connection Broker using the -ConnectionBroker parameter.`n" -ForegroundColor Red
        }
        Else
        {
            Write-Host "`n Set-RDPublishedName Failed.`n`n $ConnectionBroker does not appear to be a Connection Broker. Please make sure you have `n specified the correct FQDN for your RD Connection Broker server.`n" -ForegroundColor Red
        }
    }
    Else
    {
        Write-Host "`n Set-RDPublishedName Failed.`n`n $($_.Exception.Message)`n" -ForegroundColor Red
    }
    Exit
}

$OldClientAccessName = Get-RDMSDeployStringProperty "DeploymentRedirectorServer" $ConnectionBroker

# Note: the widely circulated version tests $BrokerInHAMode.Value, which is always $null on a [bool],
# so the HA branch was never taken; test the variable itself.
If ($BrokerInHAMode)
{
    Import-Module RemoteDesktop
    Set-RDClientAccessName -ConnectionBroker $ConnectionBroker -ClientAccessName $ClientAccessName
}
Else
{
    $return = iwmi -Class "Win32_RDMSDeploymentSettings" -Namespace "root\CIMV2\rdms" -Name "SetStringProperty" `
        -ArgumentList @("DeploymentRedirectorServer",$ClientAccessName) -ComputerName $ConnectionBroker `
        -Authentication PacketPrivacy -ErrorAction Stop
}

$CurrentClientAccessName = Get-RDMSDeployStringProperty "DeploymentRedirectorServer" $ConnectionBroker

If ($CurrentClientAccessName -eq $ClientAccessName)
{
    Write-Host "`n Set-RDPublishedName Succeeded." -ForegroundColor Green
    Write-Host "`n Old name: $OldClientAccessName`n`n New name: $CurrentClientAccessName"
    Write-Host "`n If you are currently logged on to RD Web Access, please refresh the page for the change to take effect.`n"
}
Else
{
    Write-Host "`n Set-RDPublishedName Failed.`n" -ForegroundColor Red
}
Run PowerShell as Administrator:
cd [location of script]
.\Set-RDPublishedName "desktop.kimconnect.com"
.\Set-RDPublishedName "RDS01.kimconnect.com"
.\Set-RDPublishedName "rdgateway.kimconnect.com"
Import-Module RemoteDesktop
Set-RDSessionCollectionConfiguration -CollectionName RemoteApps -CustomRdpProperty "use redirection server name:i:1 `n alternate full address:s:rdgateway.kimconnect.com"
(Set-RDSessionCollectionConfiguration is a cmdlet from the RemoteDesktop module, not a script in the current directory, so it is called without the .\ prefix.)
Step 12: Set up server farm
RD Gateway Manager: right-click ServerName >> Properties >> Server Farm tab >> enter the other RDS server names in the “RD Gateway server farm member” text field >> click Add >> click OK
Step X: Install MFA and Integrate It Into RDS Gateway
Step X+1: Install Thin Client OS
– Disable user write access to C:\
Right-click C:\ >> Properties >> Security tab >> click Advanced >> Delete Allow Users “Create Folders” and “Create files” >> OK >> OK
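The same hardening from PowerShell, added here as an example (it is not code from the original article). It removes only the explicit BUILTIN\Users Allow entries on the drive root that carry the “Create files” (CreateFiles) or “Create folders” (CreateDirectories) right, leaves the read-and-execute entry alone, and supports -WhatIf so the change can be previewed first. It assumes the default Windows ACL layout on C:\ and must run elevated.

```powershell
# Added example: drop the BUILTIN\Users "Create files" / "Create folders" ACEs on the drive root
# so interactive session-host users cannot write to C:\ itself.
function Remove-UsersWriteAccessOnRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path     = 'C:\',
        [string]$Identity = 'BUILTIN\Users'
    )

    $acl = Get-Acl -Path $Path
    $writeRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor `
                   [System.Security.AccessControl.FileSystemRights]::CreateDirectories

    # Only explicit (non-inherited) Allow ACEs for the identity that grant either write right.
    # The default "Read & execute" ACE has neither bit set and is therefore kept.
    $targets = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        (($_.FileSystemRights -band $writeRights) -ne 0)
    })

    foreach ($ace in $targets) {
        $desc = "Remove $Identity ACE: $($ace.FileSystemRights) [$($ace.InheritanceFlags)/$($ace.PropagationFlags)]"
        if ($PSCmdlet.ShouldProcess($Path, $desc)) {
            [void]$acl.RemoveAccessRuleSpecific($ace)
        }
    }

    if ($targets.Count -gt 0 -and -not $WhatIfPreference) {
        Set-Acl -Path $Path -AclObject $acl
    }
    return $targets.Count   # number of ACEs matched (and removed, unless -WhatIf)
}

Remove-UsersWriteAccessOnRoot -WhatIf   # preview: prints the ACEs that would be removed
# Remove-UsersWriteAccessOnRoot         # apply
```

Run the -WhatIf form first and expect two matches on a default installation (one ACE for folders, one inherit-only ACE for files); anything else means the root ACL has already been customised and should be reviewed by hand before applying.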
Install applications:
Activate “RD-install” mode prior to running any application installation:
Run PowerShell as Administrator with these commands:
change user /install     (turn on rd-install mode)
change user /execute     (turn back to regular mode)
change user /query     (query existing mode)
– Edit the Desktop.aspx file to speed up connections, allowing a direct 3389 attempt while the connection via 443 is being made
     Change: RDPstr += "gatewayusagemethod:i:2\n";  ==>>  RDPstr += "gatewayusagemethod:i:1\n";
– Install the Desktop Experience
Install http://www.classicshell.net/ (recommended)
Run PowerShell as Administrator: Add-WindowsFeature Desktop-Experience
Launch Server Manager >> click on Manage >> Add Roles and Features >> click Next (4) times to get to the “Features” selection >> unfold User Interfaces and Infrastructure to put a check mark next to “Desktop Experience” >> a pop-up appears, click “Add features” >> Next >> Install
Uninstall-WindowsFeature to turn off unwanted features
Install common apps: https://ninite.com/7zip-chrome-cutepdf-firefox-googleearth-irfanview-java8-notepadplusplus-putty-vlc-winscp/
Create Useful shortcuts to the desktop
Sort the default Start Menu:
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
Troubleshooting error: “Could not create the template VHD. Error Message: The remote procedure call failed. (Exception from HRESULT: 0x800706BE).”
1. Check your video driver: http://codeworks.it/blog/?p=136 ?
2. If the remote computer is blocked by the firewall:
Solution: Open the Group Policy Object Editor snap-in (gpedit.msc) to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure. Enable the following exception: “Allow Remote Administration Exception” and “Allow File and Printer Sharing Exception”.
– Whenever there’s a change in IIS, RD-Gateway service will stop automatically. It needs to be started to accept RDP connections on port 443.
– Set up DNS round-robin if using multiple connection brokers
– If external SQL server is used, ensure that port 1433 is opened
– If multiple NICs are configured, uncheck “automatic metric” and configure the internal NIC to have a value of 1 while leaving the external NIC on the automatic metric setting.

How to Integrate Remote Desktop Services with 2nd Factor Authentication
1) Install MFA Server
a. Follow the MFA installation guide to finish the initial setup of MFA
b. Run Multi-Factor Authentication Server >> click Radius Authentication >> check the box next to “Enable Radius Authentication” >> click Add >> Enter the intended RDS server name or IP and the shared secret password >> check the boxes next to Require User Match and enable Fallback OATH Token >> OK
2) Install NPS On A Separate Server
Note: this service will cause issues if it is running on the same server as MFA or RDS
a. Add roles and install “Network Policy and Access Services” role
b. Run nps.msc >>
3) Configure NPS on RDS
a. Run tsgateway.msc >> right-click servername >> Properties >> RD CAP Store tab >> select “Central server running NPS” >> input the MFA server name, then click Add >> input the shared secret password >> OK
a. Run nps.msc >> RADIUS Clients and Servers – Remote RADIUS Server Groups >> right-click “TS GATEWAY SERVER GROUP” >> Properties >> click “Add…” >> Enter MFA servername >> OK >> click on the new entry >> Edit >> Load Balancing tab >> change both entries of “Number of seconds…” to 60 >> OK
b. Right-click RADIUS Clients >> New >> Add name and address of MFA server >> input the “shared secret” password >> OK
c. Policies >> select Connection Request Policies >> right-click “TS GATEWAY AUTHORIZATION POLICY” >> Duplicate Policy >> rename copied policy to “From MFA” >> double-click “From MFA” >> Conditions tab >> Add Client Friendly Name using the same Friendly name you set for the RADIUS client you created earlier >> Settings tab >> click Authentication >> select “Authenticate requests on this server” >> click Accounting >> uncheck Forward accounting requests to this remote RADIUS server group >> OK >> right-click “From MFA” >> move up to Processing Order 1 >> right-click From MFA >> Enable
d. Right-click “TS GATEWAY AUTHORIZATION POLICY” >> rename it to “To MFA” with Processing Order 2, Accounting Provider Name = TS GATEWAY SERVER GROUP, Authentication Provider Name = TS GATEWAY SERVER GROUP, and Authentication Provider = Forwarding Request
f. Configure MFA servers to have a test user with enabled 2nd-factor authentication
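Step 3b (registering the MFA server as a RADIUS client on NPS) from PowerShell, as an added example that is not part of the original article. It backs up the NPS configuration first, generates a long random shared secret when none is supplied, refuses to create a duplicate client, and returns the secret so the identical value can be entered on the MFA server's RADIUS client entry from Step 1b. It uses only the NPS module cmdlets (Export-NpsConfiguration, Get-NpsRadiusClient, New-NpsRadiusClient); the server names in the usage line are placeholders.

```powershell
# Added example: register the MFA server as a RADIUS client on the NPS server.
Import-Module NPS

function Add-MfaRadiusClient {
    [CmdletBinding()]
    param(
        # Friendly name: reuse it in the "From MFA" policy's Client Friendly Name condition (Step 3c)
        [Parameter(Mandatory)][string]$Name,
        # FQDN or IP of the MFA server
        [Parameter(Mandatory)][string]$Address,
        # Leave empty to generate a 32-byte random secret
        [string]$SharedSecret
    )

    if (-not $SharedSecret) {
        # A short, guessable secret lets anyone who captures RADIUS traffic recover the
        # password attribute; 32 random bytes (44 base64 characters) removes that risk.
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $SharedSecret = [Convert]::ToBase64String($bytes)
    }

    # Backup before changing anything. NOTE: the export contains shared secrets in cleartext,
    # so keep it on the server and delete it once the change is verified.
    $backup = Join-Path $env:TEMP ("nps-backup-{0:yyyyMMdd-HHmmss}.xml" -f (Get-Date))
    Export-NpsConfiguration -Path $backup

    if (Get-NpsRadiusClient | Where-Object Name -eq $Name) {
        throw "RADIUS client '$Name' already exists; remove it or pick another name."
    }

    New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $SharedSecret | Out-Null

    [pscustomobject]@{
        Name         = $Name
        Address      = $Address
        SharedSecret = $SharedSecret   # enter this same value on the MFA server (Step 1b)
        Backup       = $backup
    }
}

Add-MfaRadiusClient -Name 'MFA' -Address 'mfa.example.com'   # placeholder server name
```

The remote RADIUS server group timeouts from Step 3a (both “Number of seconds…” values raised to 60) still have to be set in nps.msc; a push or phone-call second factor takes far longer than the default RADIUS timeout, and leaving the default is the usual cause of logons that fail even though the MFA server shows the user approved.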
– Event ID: 20499 
Remote Desktop Services has taken too long to load the user configuration from server
Resolution:
This is what the help -examples tells us, but I can’t see where that would help either. I have the same issue. We run Citrix XenApp 7.6 on 2012r2 in 2003 domain
Installs the required role services for session-based desktop deployment.
Example 1: Install role services for a session deployment
PS C:\> New-RDSessionDeployment -ConnectionBroker "RDCB.Contoso.com" -WebAccessServer "rdgateway.kimconnect.com"
-SessionHost "RDS01.kimconnect.com"
This command installs Remote Desktop role services on specified servers. The command installs an RDConnection
Broker role service on the server named RDCB.kimconnect.com. The command installs an RDWebAccess role service on the
server named rdgateway.kimconnect.com. The command installs the RDSession Host role service on the server named
Example 2: Install role services that include multiple RD Session Host servers
PS C:\> New-RDSessionDeployment -ConnectionBroker "RDCB.Contoso.com" -WebAccessServer "RDWA.Contoso.com"
-SessionHost @("RDSH01.Contoso.com","RDSH02.Contoso.com")
This command installs Remote Desktop role services on specified servers. The command installs an RDConnection
Broker role service on the server named RDCB.Contoso.com. The command installs an RDWebAccess role service on the
server named RDWA.Contoso.com. The command installs the RDSession Host role service on two servers, named
RDSH01.Contoso.com and RDSH02.Contoso.com.
Auditing and restricting NTLM (in another KimConnect article)
