Publish RDS 2016 Infrastructure through Azure AD Proxy

    Question

  • Hello,

    I followed the steps in this documentation to deploy AAD Proxy with my RDS farm and noticed some issues without clear explanations in the steps documented here:

    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-integrate-with-remote-desktop-services

    My infrastructure is as follows:

    - x1 Azure VM with the roles: RD GW, RD Web, AAD Proxy connector

    - x1 Azure VM with the role: RDSH

    The collection is published and I can connect to the RD Web published through myapps.microsoft.com without any issue, but when I click on the RD resource I get this error:

    Your computer can't connect to the remote computer because authentication to firewall failed due to missing firewall credentials.

    When I revert the pre-authentication to "0" the message is slightly different:

    RD Gateway seems to be temporarily unavailable.

    If you need more details on the URLs configured on AAD App Proxy or TS CAP/RAP, certificates etc. feel free to ask.


    Kévin KISOKA - MCITP Entreprise Messaging Administrator, MCTS Hyper-V Server Virtualization I do not represent the organisation I work for, all the opinions expressed here, are my own. This posting is provided AS IS with no warranties or guarantees and confers no rights.

    13 June 2018 11:32

Answers

  • Hi,

    You'll need to use Passthrough authentication so that RD Gateway will work with AAD App Proxy. Currently AAD App Proxy doesn't allow you to disable HTTPOnly, which breaks the ability to use IE + ActiveX control to pass the cookie to the RDP client.

    Please note that when using Passthrough authentication unauthenticated traffic can reach your RD Gateway. For example, someone could manually enter the correct FQDN for the RDG into the Remote Desktop client and AAD App Proxy would not stop them from talking to the RDG. Of course they still need to authenticate to the RDG itself.

    Thanks.

    -TP

    14 June 2018 10:29
    Moderator
  • I finally figured it out.

    So I will leave my notes here in order to help people who try to publish RDS 2016 RDGW & RDWEB through Azure AD App Proxy.

    I'll then write a LinkedIn article to share the whole process because it goes far beyond the official docs (TechNet).

    - Publish the /RPC/ vdir in a separate Azure App Proxy cloud app (Passthrough required)

    - Publish your external URL and not the MSAPPPROXY URI generated by Azure App Proxy; this differs from the docs article and I think it generates issues with the certificate mapped on the RDS service

    The full steps will be documented in my LinkedIn article.

    Thanks for your time the case could be closed


    Kévin KISOKA - MCITP Entreprise Messaging Administrator, MCTS Hyper-V Server Virtualization I do not represent the organisation I work for, all the opinions expressed here, are my own. This posting is provided AS IS with no warranties or guarantees and confers no rights.


    15 June 2018 11:42
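The layout described in the post above, as an added PowerShell example that is not part of the original thread: RD Web Access published behind Azure AD pre-authentication, the RD Gateway /RPC/ virtual directory published in a second App Proxy app with Passthrough, the external URL set to the public FQDN that is on the RD Gateway certificate rather than the generated msappproxy.net name, and an offline check that the .rdp file RD Web hands out points at that FQDN. All host names, the connector group name and the server names are placeholders (assumptions); the AzureAD cmdlets run from any admin workstation, the RemoteDesktop cmdlet on the RD Connection Broker.

```powershell
# Added example (not from the original thread). Placeholders are assumptions.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$InternalHost = 'https://rds01.corp.contoso.com/'   # VM holding RD Web, RD GW and the connector
$ExternalWeb  = 'https://rds.contoso.com/'          # custom domain on the RD Web certificate
$ExternalGw   = 'https://rdgw.contoso.com/'         # must equal the RD Gateway external FQDN

# Connector group that contains the connector installed on the RDS VM (name assumed).
$group = Get-AzureADApplicationProxyConnectorGroup |
    Where-Object { $_.Name -eq 'RDS connectors' } | Select-Object -First 1

# 1. RD Web Access: Azure AD pre-authentication, so Conditional Access applies
#    to the portal that hands out the .rdp files.
$web = New-AzureADApplicationProxyApplication -DisplayName 'RD Web Access' `
    -InternalUrl $InternalHost -ExternalUrl $ExternalWeb `
    -ExternalAuthenticationType AadPreAuthentication `
    -ConnectorGroupId $group.Id

# 2. RD Gateway /RPC/: Passthrough, because the RDP client cannot present the
#    pre-auth cookie (see the accepted answer). Anyone who knows the FQDN can
#    reach the RDG, which then still enforces its own CAP/RAP authentication.
$gw = New-AzureADApplicationProxyApplication -DisplayName 'RD Gateway RPC' `
    -InternalUrl ($InternalHost + 'RPC/') -ExternalUrl ($ExternalGw + 'RPC/') `
    -ExternalAuthenticationType Passthrough `
    -ApplicationServerTimeout Long `
    -ConnectorGroupId $group.Id

# 3. Review: exactly one app (the gateway) should be Passthrough.
function Get-RdsProxyAuthSummary {
    param([object[]]$Apps)
    foreach ($a in $Apps) {
        [pscustomobject]@{
            External = $a.ExternalUrl
            Internal = $a.InternalUrl
            PreAuth  = $a.ExternalAuthenticationType
        }
    }
}
Get-RdsProxyAuthSummary -Apps @($web, $gw) | Format-Table -AutoSize

# 4. On the RD Connection Broker: make the deployment emit the external FQDN
#    (gatewayhostname in the .rdp file), not the internal server name.
Import-Module RemoteDesktop
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom `
    -GatewayExternalFqdn 'rdgw.contoso.com' -LogonMethod Password `
    -UseCachedCredentials $true -BypassLocal $false `
    -ConnectionBroker 'rds01.corp.contoso.com' -Force

# 5. Offline check of a downloaded .rdp file: the gateway host must be the
#    published external FQDN, otherwise the client bypasses App Proxy or fails.
function Test-RdpGatewayHost {
    param([string[]]$RdpLines, [string]$ExpectedFqdn)
    foreach ($l in $RdpLines) {
        $m = [regex]::Match($l, '^gatewayhostname:s:(.+)$')
        if ($m.Success) { return ($m.Groups[1].Value.Trim() -ieq $ExpectedFqdn) }
    }
    return $false   # no gateway setting at all: client would go direct to the RDSH
}

# Constructed sample of the relevant .rdp lines after step 4 (not a real file).
$sampleRdp = @(
    'full address:s:rds01.corp.contoso.com',
    'gatewayhostname:s:rdgw.contoso.com',
    'gatewayusagemethod:i:2'
)
Test-RdpGatewayHost -RdpLines $sampleRdp -ExpectedFqdn 'rdgw.contoso.com'
```

The split into two apps is what gives the design its security value: Conditional Access and MFA are enforced on the RD Web app only, while the gateway app is a plain Passthrough relay whose only protection is the RD Gateway's own CAP/RAP policy, as the accepted answer points out.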

All replies

  • Do you mean the following link (precisely the title) and the steps listed are fake :) ?

    https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-integrate-with-remote-desktop-services

    Thanks for the explanation about passthrough and the security concerns. I won't use passthrough authN because my goal is to increase security by using AAD Conditional Access on the front line of RDS, and by the way it's not working even if I set another App Registration dedicated to the RD GW's URL with passthrough:

    https://rdgw-tenantname.msappproxy.net/RPC/.

    Connections seem to come in to the RD GW, I see them in the logs and I pass the CAP & RAP policies successfully, but now the unexplained issue is about "credential delegation".

    So I tested the fix suggested in the link below, by downgrading settings in GPEDIT/delegated credentials/... no success :(

    Could you help?


    Kévin KISOKA - MCITP Entreprise Messaging Administrator, MCTS Hyper-V Server Virtualization I do not represent the organisation I work for, all the opinions expressed here, are my own. This posting is provided AS IS with no warranties or guarantees and confers no rights.

    14 June 2018 20:37
  • Hi,

    Azure-related products are beyond the support scope of this forum. If possible, I would recommend you post on the Azure forum, where the relevant product experts may provide you with more suggestions.

    Azure Community Support:
    https://azure.microsoft.com/en-us/support/community/

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    15 June 2018 6:17
    Moderator
  • Hi,

    Based on what you said above, you are now okay with using Passthrough auth? In your design, the RD Gateway security isn't really enhanced. Of the two, the RD Gateway is the more critical one since it carries the RDP traffic, whereas RD Web Access only delivers .rdp files that contain settings.

    The reason I mention it is that in my conversations with people ever since AAD App Proxy was released, they usually come to the conclusion that it provides only a minor amount of added security for an RDS deployment. If they added the ability to turn off HTTPOnly it would be nice; however, it would still have the limitation of using IE with ActiveX only.

    Remote Desktop Modern Infrastructure (RDmi) will be a better solution since the RDG isn't domain-joined and reverse connections are made so that no inbound ports are required for the RD Session Hosts. MFA and conditional access work since the client needs to use AAD to authenticate. Unfortunately RDmi isn't publicly available yet but should be later this year.

    -TP

    15 June 2018 12:24
    Moderator