Native RDP to Older Versions of Windows Server

This article describes the update and certificate workarounds needed to connect to older versions of Windows Server with Safous Native RDP.

Prerequisites

  • One of the following Windows Server versions:
    1. Windows Server 2008 R2
    2. Windows Server 2012 R2
  • Administrative access to configure those servers

Native RDP to Windows Server 2008 R2

To use Native RDP with Windows Server 2008 R2, you must first install Service Pack 1 (SP1) from Microsoft.

  1. Access your Windows Server 2008 R2 server, either through Safous Web RDP or another available method.
  2. Open Server Manager, then click Configure Remote Desktop.
  3. Click Allow connections, select the users who are allowed to connect, click Apply, then click OK to close the dialog.
  4. Open a browser and go to the Microsoft Update Catalog page for the SP1 package.
  5. Click the Download button.
  6. A new browser window opens. Choose the file with the .exe extension; the download starts automatically.
  7. Once the file has downloaded, run it to install the update. You will be asked to restart the server when the installation finishes.
  8. After the restart, wait until the update has completed.
  9. Log in to your Safous tenant's user portal (e.g. https://login.<tenant>.ztna.safous.com).
  10. Click Native on the Windows Server 2008 R2 app.
  11. You are directed to the Native RDP page, and the RDP file downloads automatically.
  12. Open the downloaded RDP file, then click Connect. You can now connect to the server over Native RDP.

Native RDP to Windows Server 2012 R2

Windows Server 2012 R2 cannot use the self-signed certificate that Remote Desktop Services generates when Remote Desktop is enabled. The workaround is to request a certificate for the server from a certification authority (CA) and configure the Remote Desktop listener to use that certificate instead.

1. Enabling Remote Desktop

  1. Access your Windows Server 2012 R2 server, either through Safous Web RDP or another available method.
  2. Open Server Manager > Local Server > Remote Desktop. Ensure that the Remote Desktop status is Enabled.

    If it is Disabled, click on it, then click Allow connections, select the users who are allowed to connect, click Apply, then click OK to close the dialog.
  3. Open a command prompt as an Administrator and run certlm.msc (the Local Computer certificate store).
  4. Expand the Remote Desktop > Certificates folder. It contains the self-signed certificate that was generated when Remote Desktop was enabled.
  5. To check which certificate the Remote Desktop listener is currently using, open PowerShell as an Administrator and run this command. The SSLCertificateSHA1Hash property in the output is the thumbprint of the listener's current certificate.
    Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices
  6. Open the generated certificate and look at the value of its Thumbprint property. Compare it with the SSLCertificateSHA1Hash value in the command output. If they match, the server is currently using the self-signed default certificate for Remote Desktop connections.

2. Create and Issue Certificate

  1. Expand the Personal folder. Right-click its Certificates folder, then select All Tasks > Advanced Operations > Create Custom Request.
  2. Click next on the Certificate Enrollment wizard.
  3. Select the option Proceed without enrollment policy then click Next to continue.
  4. On Template option, select (No Template) Legacy Key and PKCS #10 on Request format option. Click next.
  5. Expand Details section by clicking on the arrow pointing down and then click on Properties button.
  6. On General tab, type in Friendly Name for your SSL certificate and Description (optional). Click on Subject tab to continue for the next entries.
  7. On the Subject tab, select "Common Name" from the drop-down list under Type. In the Value field, enter the server's Fully Qualified Domain Name (FQDN), e.g. windows2012.test.example, which is the name clients will connect to, and then click Add. The CN entry appears in the information box to the right of the Add button.

  8. Add Subject Alternative Names (SAN) as well: when a certificate carries DNS SANs, clients match the connection name against them and ignore the CN. In the Alternative Name section, select "DNS" from the drop-down menu under Type, enter the server's FQDN in the value field and click Add. Repeat for any other DNS name clients use to reach the server (for example its short host name). Once completed, proceed by clicking the Extensions tab.

  9. Expand the Extended Key Usage section by clicking the downward arrow to reveal the available options. Then, select "Server authentication" from the list and click the "Add" button to include it.

  10. Expand the Key Type section by clicking the downward arrow next to it, and then select the Exchange option from the list of available Key Types. 
  11. Click the downward arrow in the Cryptographic Service Provider section to reveal the list of available CSPs. Ensure that only the option for Microsoft RSA SChannel Cryptographic Provider (Encryption) is selected.
  12. Expand the Key Options section by clicking the down arrow. Ensure that the key size is at least 2048 bits. Select "Make private key exportable" only if you need to move the certificate and its key to another host; for this procedure the key stays on the server where the request was created, so leaving it non-exportable is sufficient and the safer default. Once these settings are configured, click Apply, then OK, and proceed by clicking Next.

  13. Select the "Browse" button to choose the destination folder for saving the certificate signing request (CSR). Enter a suitable file name and ensure that the "Base 64" option is selected. Once you have made these selections, click the "Finish" button to complete the process. Your CSR will now be successfully generated.
  14. Submit the CSR file to a CA to issue the certificate. You can use an internal Active Directory Certificate Services (ADCS) server or an external CA.
  15. Issue the certificate for the CSR using the Web Server template (on ADCS) or your CA's equivalent server-authentication profile.

3. Install Certificate

  1. Copy the issued certificate file to the Windows Server 2012 R2 server.
  2. Double-click the issued certificate to start the Certificate Import Wizard.
  3. Choose Local Machine, then click Next.
  4. Choose Place all certificates in the following store, click Browse, then select Personal. Click Next to continue.
  5. Click Finish.
  6. Open a command prompt and run certlm.msc. This time look inside the Personal > Certificates folder. Ensure that your installed certificate is present there, and open it to confirm that the General tab states you have a private key that corresponds to this certificate (it was paired with the key created for the CSR).
  7. Copy the certificate to the Remote Desktop > Certificates folder. The listener is selected by thumbprint from the Local Computer Personal store, so the certificate must remain in Personal as well.

4. Set Certificate for Remote Desktop

  1. After confirming that the certificate is installed, set it as the certificate the server uses for Remote Desktop connections. Open the installed certificate in certlm.msc and copy the value of its Thumbprint property.
  2. Open a command prompt as an Administrator.
  3. Paste the value into the command prompt, then remove the leading ? symbol and the whitespace between the byte pairs. The ? is a hidden left-to-right mark (U+200E) that certlm.msc copies along with the thumbprint; if it is left in, the value will not match any certificate. The result should be exactly 40 hexadecimal characters.
  4. Run this command, substituting your cleaned thumbprint for thumbprint, to make the installed certificate the one used by the Remote Desktop listener:
    wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="thumbprint"

  5. Verify that Remote Desktop is using the new certificate by running this command in PowerShell and checking that SSLCertificateSHA1Hash now shows the new thumbprint:
    Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices
  6. If the listener has switched to the new certificate, you should be able to connect to the server over Native RDP. The listener runs as NETWORK SERVICE, so if connections still fail, check that this account has read access to the certificate's private key.
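The checks in section 1 (steps 5 and 6), the store check in section 3 and the listener change in section 4 can all be done from one elevated PowerShell session. The script below is an added example written for this article; it is not Safous code and not part of the original procedure. It assumes the issued certificate has already been imported into the Local Computer Personal store, and that the placeholder FQDN windows2012.test.example and the empty thumbprint variable are replaced with your own values. It also grants the Remote Desktop service account read access to the private key, a step the article does not cover but which is a common reason the listener cannot load a CA-issued certificate.

```powershell
# Added example, not part of the original article or of Safous.
# Select, check and activate the CA-issued RDP listener certificate on
# Windows Server 2012 R2, and verify the active listener certificate.
# Run from an elevated PowerShell prompt. Assumptions (replace for your server):
#   - the issued certificate is already imported into Cert:\LocalMachine\My
#   - $Fqdn is the name clients use to reach the server
$Fqdn = 'windows2012.test.example'

function Get-RdpListener {
    # RDP-Tcp listener settings; SSLCertificateSHA1Hash is the active certificate thumbprint.
    Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\TerminalServices `
        -Filter "TerminalName='RDP-Tcp'"
}

function Normalize-Thumbprint([string]$Thumbprint) {
    # Thumbprints copied from certlm.msc carry a hidden left-to-right mark (U+200E),
    # shown as '?' in cmd, plus spaces between byte pairs; keep only the 40 hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Thumbprint '$Thumbprint' is not a SHA-1 hash" }
    $clean
}

function Test-RdpCertificate($Cert, [string]$Fqdn) {
    # Returns the reasons a certificate would not work for the RDP listener (empty = OK).
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the store' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }
    if ($Cert.PublicKey.Key.KeySize -lt 2048) { $problems += 'RSA key shorter than 2048 bits' }
    # 1.3.6.1.5.5.7.3.1 = Server Authentication, the EKU requested in section 2 step 9
    if (($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += 'missing Server Authentication EKU'
    }
    # Clients match the connection name against the DNS SANs (CN only if there are none)
    $names = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($Cert.Subject -match '^CN=([^,]+)') { $names += $Matches[1] }
    if ($names -notcontains $Fqdn) { $problems += "neither SAN nor CN contains $Fqdn" }
    $problems
}

function Grant-ListenerKeyAccess($Cert) {
    # TermService runs as NETWORK SERVICE; without read access to the private key the
    # listener cannot load the certificate. Applies to CAPI keys such as those created
    # with the Microsoft RSA SChannel provider chosen in section 2 step 11.
    $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not $container) { return }   # CNG key: not stored under MachineKeys
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
    icacls $keyFile /grant 'NT AUTHORITY\NETWORK SERVICE:R' | Out-Null
}

function Set-RdpListenerCertificate([string]$Thumbprint, [string]$Fqdn) {
    $tp = Normalize-Thumbprint $Thumbprint
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { throw "No certificate $tp in Cert:\LocalMachine\My (see section 3 step 6)" }
    $problems = Test-RdpCertificate $cert $Fqdn
    if ($problems) { throw ('Certificate not suitable for RDP: ' + ($problems -join '; ')) }
    Grant-ListenerKeyAccess $cert
    # Same change as the wmic command in section 4 step 4, done through WMI from PowerShell
    Set-WmiInstance -Path (Get-RdpListener).__PATH -Arguments @{ SSLCertificateSHA1Hash = $tp } | Out-Null
    # WMI accepts any 40 hex digits without checking; read the setting back to confirm the switch
    $active = (Get-RdpListener).SSLCertificateSHA1Hash
    if ($active -ne $tp) { throw "Listener still uses $active" }
    "RDP-Tcp now uses $($cert.Subject) ($tp), valid until $($cert.NotAfter)"
}

# Section 1 steps 5-6: is the listener still on the self-signed certificate?
$selfSigned = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' | Select-Object -First 1
if ($selfSigned -and (Get-RdpListener).SSLCertificateSHA1Hash -eq $selfSigned.Thumbprint) {
    "Listener uses the default self-signed certificate: $($selfSigned.Thumbprint)"
}

# Section 4: paste the thumbprint copied from certlm.msc here; the '?' and spaces are removed for you
$IssuedThumbprint = ''
if ($IssuedThumbprint) { Set-RdpListenerCertificate $IssuedThumbprint $Fqdn }
```

Run it once with $IssuedThumbprint empty to see whether the listener is still on the self-signed certificate, then paste the copied thumbprint and run it again. The function refuses to bind a certificate that lacks a private key, the Server Authentication EKU, a 2048-bit key or the server's name, and it reads the listener setting back afterwards because WMI does not validate the thumbprint it is given.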

5. Test Native RDP

  1. Login to your Safous tenant's user portal (e.g. https://login.<tenant>.ztna.safous.com)
  2. Click Native on the Windows Server 2012 R2 app.
  3. You will be directed to the Native RDP page, and the RDP file will be downloaded automatically.
  4. Open the downloaded RDP file, then click Connect. Now you can successfully do Native RDP to the server.