Remote desktop service through WAP and ADFS

  • Question

  • Hi,

    We want to authenticate our Remote Desktop Services using Web Application Proxy and ADFS. Our WAP servers are in DMZ with no domain connection and ADFS and RD server are in internal network.

    I have done installation using this link http://blog.tmurphy.org/2015/06/securing-rd-gateway-with-web.html?showComment=1456825504896#c264322045990361403

    Authentication works now from external network as long as we can try to start RemoteApp from RD Web Access but then comes error "Remote desktop cannot connect to remote machine fff.fff.ff"

    Possibilities:
    1. User account is not contained in RD gateway user list
    2. You maybe have defined remote machine as NETBios format

    Documentation is quite confusing. Is this because WAP servers are not domain connected or what could be the reason?

    From internal network we can start and use RemoteApps. Our Office 365 authentication goes through same WAP and ADFS machines and it works

    ~ Jukka ~


    Tuesday, March 1, 2016 10:45 AM

Answers

  • Hi,

    In RD Gateway Manager, Properties of your RD RAP, Network Resource tab, please select Allow users to connect to any network resource.  Later, if you prefer, you may create an RDG-managed group with all the required names and select that instead.  After making the change please test again from an external PC via RD Web Access.

    Thanks.

    -TP

    • Proposed as answer by Amy Wang_ Tuesday, March 15, 2016 12:52 PM
    • Marked as answer by Amy Wang_ Tuesday, March 22, 2016 9:17 AM
    Thursday, March 10, 2016 5:24 AM
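    The accepted answer widens the RD RAP to "any network resource" for troubleshooting and suggests narrowing it to an RDG-managed group afterwards. The PowerShell below is an added example, not code from the thread or from Microsoft: it audits the Network Resource scope of every RAP on the gateway and then narrows a RAP back to an RDG-managed computer group. It assumes the RemoteDesktopServices provider's RDS: drive exposes GatewayServer\RAP\<name>\ComputerGroupType with 0 = RDG-managed group, 1 = AD network resource group, 2 = any network resource, that items expose a CurrentValue property, and that New-Item on GatewayManagedComputerGroups accepts -Description and -Computers; the RAP, group and host names are placeholders. Verify the paths and value mapping on your own gateway before running the Set step.

```powershell
# Added example (not from the thread): audit and narrow the RD RAP "Network Resource" scope.
# Assumption: RDS: provider paths and the ComputerGroupType mapping 0/1/2 as described above.
Import-Module RemoteDesktopServices

function Get-RapNetworkResourceScope {
    # One row per RAP: which scope it uses and which group (if any) it points at.
    Get-ChildItem -Path 'RDS:\GatewayServer\RAP' | ForEach-Object {
        $rap  = $_.Name
        $type = (Get-Item -Path "RDS:\GatewayServer\RAP\$rap\ComputerGroupType").CurrentValue
        [pscustomobject]@{
            RAP   = $rap
            Scope = switch ([int]$type) {
                        0 { 'RDG-managed group' }
                        1 { 'AD network resource group' }
                        2 { 'ANY network resource' }   # the broad troubleshooting setting
                        default { "unknown ($type)" }
                    }
            Group = (Get-Item -Path "RDS:\GatewayServer\RAP\$rap\ComputerGroup").CurrentValue
        }
    }
}

function Set-RapToManagedGroup {
    # Replace the "any resource" scope with an explicit list of target hosts.
    # Use the names exactly as the RDP files from RD Web Access request them
    # (FQDN vs NetBIOS); a mismatch reproduces the "cannot connect" symptom in the thread.
    param(
        [Parameter(Mandatory)][string]$RapName,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$HostFqdns
    )
    New-Item -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups' -Name $GroupName `
             -Description 'Hosts reachable through RD Web Access' -Computers $HostFqdns | Out-Null
    Set-Item -Path "RDS:\GatewayServer\RAP\$RapName\ComputerGroupType" -Value 0
    Set-Item -Path "RDS:\GatewayServer\RAP\$RapName\ComputerGroup"     -Value $GroupName
}

# 1. Audit: any RAP reporting "ANY network resource" should be temporary.
Get-RapNetworkResourceScope | Format-Table -AutoSize

# 2. Narrow (placeholder names): one RAP, one RDG-managed group, explicit FQDNs.
# Set-RapToManagedGroup -RapName 'RDG_AllDomainComputers' -GroupName 'RDWeb-Targets' `
#                       -HostFqdns 'rdsh01.corp.example.com','rdsh02.corp.example.com'
```

    Run the audit first; if a RAP shows the "ANY" scope after external access has been confirmed working, the second function returns it to a least-privilege list of the hosts users actually need.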

All replies

  • Hi Jukka,

    If your Web Application Proxy server is domain-joined, then it must be able to reach Domain Controllers for authentication.

    If WAP is not domain-joined, it also needs network connectivity to AD FS server through port 443.

    Here are some related articles below for you:

    Step 1: Plan the Web Application Proxy Infrastructure

    https://technet.microsoft.com/en-us/library/dn383648.aspx?f=255&MSPPError=-2147217396

    Configure the Web Application Proxy Infrastructure

    https://technet.microsoft.com/en-us/library/dn383644.aspx

    In addition, if further assistance is required regarding AD FS, here is a dedicated AD FS forum below:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=ADFS

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 2, 2016 8:50 AM
  • Amy,

    As I said, we have working WAP + ADFS deployment now. WAP servers are not domain connected and ADFS servers of course are. Authentication goes through port 443. Office 365 cloud authentication goes through those servers now.

    My question affects Remote Desktop Service, not ADFS directly. We want to use WAP for pre-authenticate RDS connections. It doesn't work now because RemoteApps do not start from RD Web Access.

    WAP servers are in DMZ zone and we don't want to open firewall ports to make those servers domain connected

    So is it necessary for WAP servers to be domain connected because of Remote Desktop Gateway?

    ~ Jukka ~

    Wednesday, March 2, 2016 2:40 PM
  • Hi Jukka,

    According to this blog below, firewall port 443 between the WAP server and RD Gateway/RD Web Access server also needs to be open.

    Securing RD Gateway with Web Application Proxy - Part 2

    http://blog.tmurphy.org/2015/06/securing-rd-gateway-with-web.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    It doesn't work now because RemoteApps do not start from RD Web Access.

    Please ensure that you have completed required steps for pre-authentication to work:

    Publishing Applications with SharePoint, Exchange and RDG

    https://technet.microsoft.com/en-us/library/dn765486.aspx

    Best Regards,

    Amy


    Thursday, March 3, 2016 5:45 AM
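    The reply above states that a non-domain-joined WAP needs TCP 443 to AD FS and TCP 443 to the RD Gateway / RD Web Access server. The PowerShell below is an added example, not code from the thread or from Microsoft, meant to be run on the WAP host itself: it checks name resolution and the 443 path for each backend and then lists the published applications with their pre-authentication mode, so a mistakenly pass-through RDG publication stands out. Test-NetConnection, Resolve-DnsName and Get-WebApplicationProxyApplication are standard cmdlets on Server 2012 R2 and later; the host names are placeholders.

```powershell
# Added example (not from the thread): verify the two 443 paths a DMZ WAP host needs
# and confirm the RDG publication is pre-authenticated. Host names are placeholders.
$adfsFqdn = 'sts.example.com'   # placeholder: AD FS federation service name
$rdgFqdn  = 'rdg.example.com'   # placeholder: RD Gateway / RD Web Access server

function Test-WapBackendPath {
    # Returns one object per backend: does the name resolve, to what, and is 443 open.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $dns = Resolve-DnsName -Name $HostName -ErrorAction SilentlyContinue
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host     = $HostName
        Resolves = [bool]$dns
        Address  = ($dns | Where-Object Type -in 'A','AAAA' | Select-Object -First 1).IPAddress
        Port     = $Port
        TcpOpen  = $tcp.TcpTestSucceeded
    }
}

# A workgroup WAP has no AD-integrated DNS: a failed "Resolves" here usually means
# the internal name is missing from split DNS or the hosts file, not a firewall issue.
$adfsFqdn, $rdgFqdn | ForEach-Object { Test-WapBackendPath -HostName $_ } | Format-Table -AutoSize

# Published applications: RDG should show ExternalPreauthentication = ADFS,
# not PassThrough, if WAP is meant to pre-authenticate RDS connections.
Import-Module WebApplicationProxy
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication |
    Format-Table -AutoSize
```

    Both backends should report TcpOpen = True with nothing else open from the DMZ; a publication showing PassThrough means WAP is forwarding RDG traffic without the AD FS pre-authentication the thread is trying to achieve.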
  • Yes WAP needs to be connected to the domain in order to authenticate RDG with preauthentication. There is no other way.
    • Proposed as answer by Amy Wang_ Tuesday, March 8, 2016 2:52 AM
    • Unproposed as answer by Amy Wang_ Thursday, March 10, 2016 6:38 AM
    Thursday, March 3, 2016 11:39 AM
  • Finally clear answer. Thanks.

    Still it doesn't sound very wise to open firewall ports from DMZ to connect WAP servers to domain. Are there some kind of arguments why it is safe to do that?

    Or some kind of recommendations on how to do it?

    We have no AD in our DMZ. All servers in there are in a workgroup.

    ~ Jukka ~

    Tuesday, March 8, 2016 1:17 PM