Configuring RemoteApps with Windows Terminal Server

Background

A Terminal Server virtualizes an actual Windows desktop environment experience using a Remote Desktop Protocol (RDP) session created for each user that connects to it. A Terminal Server authenticates the user connections against the Active Directory list of users of groups that are maintained by your domain controller. With Terminal Server, it is also possible to create and publish RemoteApp.

Terminal Server RemoteApp refers to applications deployed via Terminal Services and managed by the RemoteApp manager in Windows Server 2008 onwards. With RemoteApp, you can "lock down" the Windows desktop to limit users to a single Windows application. Unlike a remote desktop environment, RemoteApp restricts the user from running other applications, browsing the network, etc. This allows you to safely expose your existing Windows applications without the worry of a user doing something out of their permissions.

A RemoteApp is deployed in one of three ways:

1. A .RDP file is distributed to users via a network share or direct sharing.

2. A Windows Installer package that installs a shortcut to the RemoteApp on the client Start menu and may also associate local file extensions with the RemoteApp.

3. Terminal Server Web Access.

With Safous, you can easily access RemoteApp applications published in your terminal server. We provide you the options to enable access via web or native RDP application like any other RDP application. The difference is that the access is limited to only the application you published in the terminal server. This article will explain the necessary steps to do that.

Prerequisites

Before you continue with the subsequent steps, please make sure that you satisfy the following conditions:

• Have configured Active Directory Domain Services in your environment.
• Have configured Active Directory IdP in Safous Admin portal (for SSO).
• Have proper administrative access to add Windows Remote Desktop Services roles and features to enable Terminal Server in your domain.

1. Setting Up Terminal Server

In order to publish/create RemoteApp, we need to set up the terminal server first. If you already have an existing terminal server, you can skip this part and continue straight to part 2. Publish RemoteApp in Terminal Server. If you do not have an existing terminal server, please follow the steps listed down below to set up the terminal server.

1. Login to your server with credentials that have proper administrative access
2. Open Server Manager
3. Click Add Roles and Features.
   
4. Click Next on the Wizard
   
5. Select Role-based or feature-based installation and click Next
   
6. Ensure that you have selected the correct server then click Next
   
7. Select Remote Desktop Services and click Next
   
8. Click Next to continue
   
9. Click Next
   
10. Select Remote Desktop Session Host then click Next
    
11. Ensure that the installation selections match the image below. Click Confirm to continue.
    
12. Wait until the installation process is done. After the installation process is done and completed successfully, you will be notified to restart the server.
    
13. Restart the server and login back to the server once it's up.
14. Open Server Manager. Notice that now there is a Remote Desktop Service listed on the left bar.
    
15. Click the Add roles and features button once again.
16. Click Next
    
    
17. This time select the Remote Desktop Services installation and click the Next button.
    
18. Choose whether you want to proceed with standard deployment across multiple servers or quick deployment only in one server then click the Next button. In this example, we select the Quick start to only install on one server.
    
19. Select Session-based desktop deployment and click the Next button
    
20. Select your server
    
21. Click Restart the destination server automatically if required, then click Deploy.
    

22. Wait until the deployment of the installation is done. Once done and completed successfully, restart the server again. 

23. After restart, the terminal server setup is done. But please don't log out of the server yet, as we still need to publish the RemoteApp.

2. Publish RemoteApp in Terminal Server

After setting up the terminal server, we can continue to publish the RemoteApp of our choice. To do that, please follow the steps listed down below.

1. Open Server Manager
2. Click Remote Desktop Services
   
3. Click your created collections
   
4. On RemoteApp Programs section, click Tasks, then click Publish RemoteApp Programs.
   
5. Select a program of your choice then click on the Next button.
   
6. Confirm the list of program(s) that you want to publish and click the Publish button.
   
7. Wait until the publishing process is done. Once done, you can close the Wizard.
   
8. Your new published app should now be listed in the RemoteApp Programs section
   

3. Create RDP application in Safous Admin portal and Configure RemoteApp

After publishing a RemoteApp, you can create an RDP application to enable user to access the RemoteApp published in the terminal server. To do that, please follow the steps listed down below:

1. Login to Safous Admin portal.
2. Navigate to Settings > ZTNA > Applications > Application. 
   
3. Click on the New Application button, then fill in the fields:
   
   • For the configuration of field (1) to (10), please refer to this article.
   • (11) In Initial Program field, please fill in the alias of the RemoteApp you published in the terminal server and put || as prefix (e.g. ||chrome).
     
     You can also choose to list multiple initial programs by putting comma as a delimiter to the list (e.g. ||chrome,||Calculator,||Paint)
     
   • (12) Single sign on is optional, but it is highly recommended to enable it as the RemoteApp can only be accessed with an account listed in AD.
4. Once you are done, click on the Save button.
   
5. Authorize user's access to the RemoteApp by binding the application to a new or an existing policy. For more details about the topic, please refer to this article.
   • Note: User must be non-Administrator. 

4. Access RemoteApp via Safous Web RDP

If you want to access RemoteApp via Safous Web RDP, you can do that easily by following the steps listed down below.

1. Go to your tenant's user portal (e.g. https://login.<tenant>.ztna.safous.com)
2. Click the app that you have created
   
3. The RemoteApp will appear. 

5. Access RemoteApp via Safous Native RDP

If you want to access RemoteApp via Safous Native RDP, you can do that easily by following the steps listed down below.

1. Go to your tenant's user portal (e.g. https://login.<tenant>.ztna.safous.com)
2. Click "Native" in the app that you have created.
   
3. You will be directed to download the RDP client app. 
   • If only one RemoteApp is listed in the application's configuration, RDP client will be automatically downloaded for the RemoteApp.
     
   • If multiple RemoteApps are listed in the application's configuration, the list of the RemoteApp RDP client will be available for you to select and download.
     
4. Once downloaded, open the RDP client and verify whether the Type, Path, and Name of the RemoteApp from the RDP client you downloaded is correct or not. 
   
   
   • If it is correct, you can just click on the Connect button.
   • If it is incorrect, please try to download the file again.
5. Once connected, then the RemoteApp will appear.