Can 2016 RDS Connection Broker or Gateway redirect users to collections based on permissions?

  • Question

  • I'm in the process of building a 2016 RDS Test Environment ahead of us decommissioning our old 2008 R2 terminal servers. What I'd like to know is if it's possible for users to RDP (usually via thin client) to a single DNS address and have the CB or GW redirect said user to the server collection the user has access to. For example, user Tony Stark is in R&D and RDPs into RDSFarm1, then gets directed to a RDSH server in the R&D collection, while user Nick Fury is in Management and RDPs into RDSFarm1, then gets directed to a RDSH server in the Management collection. I realize something like this is possible when using RDWeb, but I do not want users to launch RDP session desktops this way, especially with older thin clients. Note we also aren't publishing RemoteApps. Is this configuration possible, or should I hard code thin clients to connect to specific RDS servers/collections, as we're doing now in our 2008 R2 environment?
    Monday, November 4, 2019 3:14 PM

All replies

  • Hi,

    We can assign users and groups to collections in order to restrict user/group to log onto specific collection(RD SHs).

    Assign users and groups to collections:
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-user-management#assign-users-and-groups-to-collections

    Screenshots as below: [screenshots not reproduced in this extract]

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, November 5, 2019 1:40 AM
    Moderator
  • Hi Eve, I understand that's where I can grant users rights to certain collections, but is there any mechanism in the Gateway or Connection broker where users in my company can RDP to a singular DNS address and one of those servers will redirect the user to the collection they are granted access to, as per the example in my original post?
    Tuesday, November 5, 2019 3:37 PM
  • Hi,

    There is no built-in mechanism to redirect users based on which collection they have access to.  Starting with Windows Server 2012, it is expected that clients will make their initial connection to the broker and during this connection the client will send a hint that contains the target collection.  The broker uses this hint along with load/potential existing connection to decide which host to redirect the client to.

    For things to work as best as possible you should use thin clients that have been updated to properly support Windows Server 2012 RDS or later (preferably 2016 in your case).  As a workaround you could set things up using the old method of having separate FQDNs pointing to the RDSH servers for each collection; however, please understand there may be issues.  For example, when the client makes its initial connection to an RDSH it may load the profile, and then when it is redirected to a different RDSH it receives a temporary profile because the profile is locked.

    Thanks.

    -TP

    Tuesday, November 5, 2019 3:54 PM
    Moderator
  • Hi TP,

    Thanks for the advice. First, do you know what specification I should look for to determine compatibility? Is it the version of RDP or something else? I know many of our existing thin clients are HP Linux-based units and am not sure if that's an immediate disqualifier. Second, as of now when I attempt to RDP into the Broker it gives me a desktop on said broker instead of redirecting me to a RDSH server. Do you know why that could be?

    Thanks! 

    Tuesday, November 5, 2019 4:01 PM
  • Also, can anybody suggest any in-depth guides on how to properly set up multi-server session desktop RDS environments? Almost every online guide I come across is very basic, often covering single-server Quick Deployment setups. 
    Wednesday, November 6, 2019 1:01 PM
    Hi,

    Unfortunately the manufacturers usually don't make it easy.  What I normally do is dig into the admin/deployment/configuration manuals and from that I can usually tell.  For example, you might look at the configuration parameters and see that there is an option to select a Microsoft broker and collection.  A non-MS operating system on the device is not an immediate disqualifier.

    I like to first determine if the model properly supports making the initial connection to the broker and then being redirected. After that I look to determine if it supports displaying a list of published RemoteApps/Desktops the user has access to or is the broker support limited to "configure the broker/collection and I will connect to that as full desktop".

    Once done with the brokering you can dig into features to see if it supports some of the newer RDP capabilities, is it suitable for video playback, how many monitors at what resolution, ports, redirections, management software, warranty, other protocols besides RDP, planned support for Windows Virtual Desktop, etc.  Ordering some trial units and conducting full tests of expected use cases is a must.

    In regards to getting a desktop if you attempt to manually connect to the broker, that is expected.  When you manually connect using mstsc.exe there is no place in the GUI to specify the target collection hint I mentioned above, so the assumption is you are making a normal connection to the broker.  In a production environment the broker doesn't have RDSH installed, so by default only admins would be able to connect in this way, whereas non-admins would get an error.

    If you only had one collection for all users you could configure the broker's registry with a default collection to use if the client doesn't provide a hint during the connection process.  In your case you will have multiple so it isn't a viable workaround.

    -TP


    Thursday, November 7, 2019 4:13 AM
    Moderator
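The two mechanisms TP describes above (the per-collection hint the client sends during its initial connection to the broker, and the broker-side default collection for single-collection deployments) are shown together in the added PowerShell example below. This is not code from the thread or from Microsoft; the broker FQDN, collection names and output folder are placeholders, and the `tsv://MS Terminal Services Plugin.1.<Collection>` hint format and the `DefaultTsvUrl` value under `ClusterSettings` are assumptions based on the documented RD Web Access .rdp files and should be verified against your own deployment. It requires the RemoteDesktop module (RSAT or the broker itself) and local admin rights for the registry step.

```powershell
# Added example (not from the original thread). Generates one .rdp file per
# session collection that points at the broker and carries the collection hint,
# and optionally sets the broker-side default collection.
# ASSUMPTIONS: broker name, output folder and the exact hint/registry strings.
param(
    [string]$Broker = 'rdcb01.corp.example',          # assumed broker FQDN
    [string]$OutDir = (Join-Path $env:USERPROFILE 'RDS-Collections'),
    [switch]$SetBrokerDefault                          # only for single-collection farms
)

Import-Module RemoteDesktop

function Get-CollectionHint {
    param([Parameter(Mandatory)][string]$CollectionName)
    # Same value RD Web Access writes into the 'loadbalanceinfo' field of the
    # .rdp files it publishes. It is a routing request, not an access decision:
    # the collection's user groups (set in Server Manager) still decide who gets in.
    "tsv://MS Terminal Services Plugin.1.$CollectionName"
}

function New-CollectionRdpFile {
    param(
        [Parameter(Mandatory)][string]$CollectionName,
        [Parameter(Mandatory)][string]$BrokerFqdn,
        [Parameter(Mandatory)][string]$Path
    )
    $lines = @(
        "full address:s:$BrokerFqdn"                          # connect to the broker, never to an RDSH
        "loadbalanceinfo:s:$(Get-CollectionHint $CollectionName)"
        "use redirection server name:i:1"                     # follow the broker's redirect target
        "authentication level:i:2"                            # abort if server identity cannot be verified
        "enablecredsspsupport:i:1"                            # require NLA/CredSSP
        "prompt for credentials:i:1"
        "redirectdrives:i:0"                                  # no drive redirection from shared thin clients
        "redirectclipboard:i:1"
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

function Set-BrokerDefaultCollection {
    param([Parameter(Mandatory)][string]$CollectionName)
    # ASSUMED key/value name; run on the broker as an administrator.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DefaultTsvUrl' -Value (Get-CollectionHint $CollectionName)
}

# Read the real collection names from the broker instead of hand-typing them.
$collections = Get-RDSessionCollection -ConnectionBroker $Broker
if (-not $collections) { throw "No session collections found on $Broker" }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($c in $collections) {
    $safeName = $c.CollectionName -replace '[^\w\-]', '_'
    $file = New-CollectionRdpFile -CollectionName $c.CollectionName `
                                  -BrokerFqdn $Broker `
                                  -Path (Join-Path $OutDir "$safeName.rdp")
    Write-Host "Wrote $file (hint: $(Get-CollectionHint $c.CollectionName))"
}

if ($SetBrokerDefault) {
    if ($collections.Count -ne 1) {
        throw 'DefaultTsvUrl only makes sense with exactly one collection; refusing.'
    }
    Set-BrokerDefaultCollection -CollectionName $collections[0].CollectionName
}
```

For a thin client that has a "broker/collection" setting rather than a file picker, the string returned by `Get-CollectionHint` is the value to paste into its collection field. Because the hint is supplied by the client, do not treat it as a control: a user who edits it to name another collection is still subject to that collection's user-group assignment, which is the only authorization boundary here.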
  • TP, when I was trying to do some research via YouTube on how to properly set up collections, I came across this vid that claims (but does not go into detail) the broker can do this. It's at 17m53s. Is this legit or is the author mistaken?

     youtube [dot] com/watch?v=jab4yynNmN0#t=17m53s

    Thursday, November 7, 2019 2:00 PM
    Hi,

    The author gave high level overview--he did not say that people could connect and be redirected based solely on groups or similar.  If he did (which again, he didn't in the short clip I watched) then he would be incorrect.

    The normal redirection method works the way I described it to you above.  To make the broker behave differently would require someone writing a custom broker plugin.

    Have you looked at modern thin clients?  Often the manufacturers will send a loaner demo unit to you at no charge if you are a prospective customer.

    -TP

    Thursday, November 7, 2019 11:42 PM
    Moderator
  • Hi,

    How things are going there on this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang   

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 14, 2019 1:28 AM
    Moderator
  • Hi,

    Is there any update?

    Please click “Mark as answer” if any of the above replies is helpful. It would move that reply to the top and make it easier to find for other people who have a similar problem.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, November 19, 2019 2:07 AM
    Moderator