Step by Step Customizing RD Web Access 2012 R2 – Part 0

Set up Remote Desktop Services in Windows 2012


Setup a collection of remote desktop servers for end clients to connect to using Session Hosts. This is not a VDI setup.


Service Requirements

– Active Directory. This guide assumes you have a working AD environment up and running already.

– DNS Server. This guide assumes you have a working DNS environment up and running already.

– External DNS domain optional for Labs, but of course you would probably want one in production.


Servers used in this deployment

– 1 x Domain Controller (Microsoft recommend at least two DC’s in live environments for redundancy purposes)

Roles Applied: Domain Controller, DNS

Hostname: DC1.tsdomain.local

– 1 x Domain Member Server

Roles Applied: Domain Member, Web Access Server, Gateway Server, Licensing Server, Connection Broker Server

Hostname: DC2.tsdomain.local

– 1 x Domain Member Server

Roles Applied: Domain Member, File and Storage Services

Hostname: fs1.tsdomain.local

– 3 x Domain Member Servers

Roles Applied: Domain Member, Remote Desktop Session Host.

Hostname: ts1.tsdomain.local, ts2 and ts3


General Client Settings/Tips


RDP Client – Some connection/security problems can occur when using older versions of the RDP client. The majority of this article I was able to connect using Windows 7 SP1 with RDP client 6.1.7601. If possible I would recommend that you upgrade your RDP clients to 6.2.9200.


The update can be downloaded from –


I also believe that you will require the latest version of RDP to get the best out of Remote Desktop Services VDI – More information here.


Web Access – When users are using the web access portal, I would recommend using Internet Explorer. Especially when using a Self Signed Certificate, as you are then able to install it correctly via the browser. Chrome never allowed me to do this and I never bothered with Firefox.


User Groups

– Human Resources

– Jenny Smith (jsmith\Password123!)

– Finance

– Paul Jones (pjones\Password123!)

– Sarah Young (syoung\Password123!)


Role definitions


RD Session Host – These are the servers that users will be connecting to for the Remote Desktop Sessions.

Official Definition – Remote Desktop Session Host (RD Session Host) enables a server to host RemoteApp programs or session-based desktops. Users can connect to RD Session Host servers in a session collection to run programs, save files, and use resources on those servers.


Session Collection – A group of RD Session Hosts, with permissions assigned according to User/Group requirements. An RD Session Host can only be part of one Session Collection.


RD Connection Broker – This is the role that connects users to their Remote Sessions, whether it’s a new session or an existing session.

Official Definition – Allows users to reconnect to their existing virtual desktops, RemoteApp programs, and session-based desktops. Enables you to evenly distribute the load among RD Session Host servers in a session collection or pooled virtual desktops in a pooled virtual desktop collection. Provides access to virtual desktops in a virtual desktop collection.


RD Web Access – The starting point/online portal for users to login and start their Remote Desktop Sessions.

Official Definition – Remote Desktop Web Access (RD Web Access) enables users to access RemoteApp and Desktop Connection through the Start menu on a computer that is running Windows 8, Windows 7, or through a web browser. RemoteApp and Desktop Connection provides a customized view of RemoteApp programs and session-based desktops in a session collection, and RemoteApp programs and virtual desktops in a virtual desktop collection.


RD Licensing – Remote Desktop Licensing (RD Licensing) manages the licenses required to connect to a Remote Desktop Session Host server or a virtual desktop. You can use RD Licensing to install, issue, and track the availability of licenses.


RD Gateway – Remote Desktop Gateway (RD Gateway) enables authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on an internal corporate network from any Internet-connected device.


Firewall Rules

My servers all had Windows Firewall enabled, but I configured rules on each to allow all traffic between all the servers. These are not configured by default. Here are scripts to help you configure these rules:

Where x, y and z are replaced with your trusted IP’s and “Policy Name” is the name of the policy in question.


To add a new Policy:


New-NetFirewallRule -DisplayName “Policy Name” -LocalAddress “any” -RemoteAddress,yyy.yyy.yyy.yyy,zzz.zzz.zzz.zzz -Direction Inbound -Action Allow -Protocol TCP -LocalPort any


To edit an existing Policy:


Set-NetFirewallRule -DisplayName “Policy Name” -LocalAddress “any” -RemoteAddress,yyy.yyy.yyy.yyy,zzz.zzz.zzz.zz -Direction Inbound -Action Allow -Protocol TCP -LocalPort any

Installing Roles and Services


All Six servers are part of the domain that I have setup in this scenario, tsdomain.local.

You will also benefit from adding them all the Server Manager “All Services” Pool > Highlight “All Servers” in Server Manager > Right click ” Add Servers:

I did this from DC2 where the majority of the setup will take place.

Let’s Begin:

From the Server Manager Dashboard, select “Add roles and Features” and we want “Remote Desktop Services Installation” :

The main difference between Standard and Quick is Quick will install all the roles on one server, good for testing/learning, we of course want “Standard Deployment“:

We are doing a “Session Based Desktop Deployment“:

The Role Services to be installed are confirmed:

DC2.tsdomain is going to be my RD Connection Broker:

As well as the RD Web Access Server:

Now you are adding in the Session Host Servers (TS1, TS2 and TS3), these are the servers that will host the RD Sessions:

Review the selection of each role and when ready, hit Deploy:

Server Manager will then attempt to deploy each role for you, progress can be followed:

Once complete, we can go ahead and configure each of the Roles as required:


Configuring Roles and Services

Now that the Roles and Services have been successfully installed, we now need to configure each of the services accordingly.


Configure Gateway Server:

From Server Manager > Remote Desktop Services > Overview, Click the green “+” icon on the RD Gateway icon within the Deployment Overview, Add your RD Gateway Server, click next:



Set your RD Gateway URL,

Confirm and click “add“:

From Server Manager > Remote Desktop Services > Overview, Click the “Tasks” Menu and select “Edit Deployment“:

From here we can configure the following Services:


– RD Gateway

– RD Licensing

– RD Web Access

– Certificates

Gateway Configuration:

Specify the “Server name” using the Domain as the External FQDN that users will be using to connect to the service:

In this example, I have setup an A record in my External DNS for pointing to the External IP of my Gateway Server:


Note: The RD Gateway and RD Web Access roles will reside on the same Server

Licensing Configuration:

As this is a lab environment, we do not have any licenses. But this is where you would add the server with the installed licenses, it is pretty straight forward once the CALs are installed on the license server:

RD Web Access Configuration:

This is where the Web Access portal is activated, there should be no need to change anything here. The Internal URL is shown here and if you browse to the External FQDN ( set earlier in the Gateway Configuration you will/should see the RD Web Access portal:

RD Web Access Portal:

Certificates Setup:


At this point if you browsed to the above Web Access Portal, you would of seen the Certificate warning, of course. In this section you can configure your certificates for each of the Roles. It is recommended that you use a valid Certificate for the domain but as this is a lab, we can go ahead and use a self signed Certificate:

Note: If you want to use a Self Signed Certificate then your client will need to access the Portal using Internet Explorer as this will allow you to install the certificate from the browser, in my scenario, Chrome did not let me do this.

You can either use an existing Certificate if you have one already, or Create a new one. The preferred would be an existing one of course. You will need to know the location of the Certificate itself, as for some reason, this wizard doesn’t use the Certificate Store:

Note: Ensure you check the “Allow the Certificate to be added to the Trusted Root Certificate Store” as this gives the client to install the Certificate from the browser, required for Self Signed Certificates.

Once you have selected your Certificate, click apply:

Rinse and repeat for each of the Roles and Services listed, until they all have the Certificate installed:

Configure Session Collections:

Now that we have configured the Roles and Services, we now need to create Session Collections and assign Users/Groups to the Session Collections, this is in turn is giving Users/Groups that they require access to.

From Server Manager > Remote Desktop Services > Collections:



In the “Collections” section as above, go to “Tasks” on the right and “Create Session Collection“:


Give it a name and a Description, I will be creating two Session Collections according to the groups I have created in AD and assigning Session Hosts to each:


Note: Session Hosts can only be part of one Session Collection


User Groups

– Human Resources

– Jenny Smith (tsdomain\jsmith\Password123!)

– Finance

– Paul Jones (tsdomain\pjones\Password123!)

– Sarah Young (tsdomain\syoung\Password123!)

Session Collections:


– Human Resources

– ts1.tsdomain.local

– Finance

– ts2.tsdomain.local

– ts3.tsdomain.local

Setting up the Human Resources Collection:

I will setup User Profile Disks later, so un-tick that option and then continue:

Once complete, you will be able to see your collections in Server Manager:

If you highlight the collection itself on the left, you can edit the properties of the Session Collection itself in a bit more detail:

At this point you should now be able to logon as a user through the RD Web Access Gateway and selecting the Session Collection you have assigned to that user:

For Example: Jenny Smith in Human Resources:

As you can see above, I have successfully logged in as Jenny Smith.


Note: If you are using a Self Signed Certificate, you will need to get it installed before you will connect, look out for hidden certificate prompts behind other windows you may have open.


Setting up User Profile Disks

There are two main steps when setting up User Profile Disks (UPD for short):

  1. Creating the NTFS Share where the vhdx files will live
  2. Enabling and configuring UPD’s on the Session Collections


Creating User Profile Share

Logon to your Share Server, in this case I am using:

– 1 x Domain Member Server

Roles Applied: Domain Member, File and Storage Services

Hostname: fs1.tsdomain.local

Please Note: You will need to create a separate UPD Share for each Session Collection that you are enabling UPD’s on, you cannot use a single share for UPD across Session Collections

Create the folder where you are going to store your UPD’s:

From “Server Manager” go to “File and Storage Services” > “Shares” > “Tasks” > “New Share“.


We will use the “SMB Share – Quick” option:

Specify the “Share Location“, set to the folder you created earlier:

Specify the “Share name“:

Review additional settings, I left them default:

Review permissions, again I left them default:

Review the details, and “Create” to confirm and apply changes:

You will now see the Share in Server Manager > File and Storage Services > Shares:

Now that the share is setup you can configure/add UPD’s to the existing Session Collections.

Log onto your RD Connection Broker, DC2.tsdomain.local and navigate to your Collections, select the Session Collection you want to add UPD’s to and from the Properties box > “Tasks” > “Edit Properties“:

In the Session Collection properties, select “User Profile Disks“:

Configure User Profile Disks:

– Check the “Enable User Profile Disks” tick box

– Set the “Location” to the share created previously

– Set the Max size of the disks

– Set the Data settings:

You can choose to store ALL user settings or only certain profile folders. I chose the “All User Settings” option by default.

If you scroll down further, you have the option of included custom folders outside the default options:

I left this blank as I have no requirement for this. Click Ok/Apply to confirm the change. Once complete you should see the VHD Template in the share directory:

When you then login as a user you will see their UPD created after they login from the template:

That’s it, User Profile Disks are now enabled, meaning which ever Session Host they connect to, their profile will follow.


About thangletoan

Hallo Aloha

Posted on 12/10/2012, in RD Web App, Remote App, Remote Assistant, Remote Desktop, Remote Desktop Host Server, RemoteFX and tagged , , . Bookmark the permalink. Bạn nghĩ gì về bài viết này?.

Trả lời

Mời bạn điền thông tin vào ô dưới đây hoặc kích vào một biểu tượng để đăng nhập: Logo

Bạn đang bình luận bằng tài khoản Đăng xuất /  Thay đổi )

Google+ photo

Bạn đang bình luận bằng tài khoản Google+ Đăng xuất /  Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Đăng xuất /  Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Đăng xuất /  Thay đổi )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: