Windows 2008 Terminal Services RemoteApp user or group filtering – Part 1

The most wanted feature for Windows 2008 Terminal Services is RemoteApp user filtering. You don’t want all users to see all applications on the web portal. This feature will probably be released in Windows Server 2008 R2 but till then, you are out of luck.

Citrix Web Access and Grouping allows Citrix users to do the same, but this article I am going to focus on Window 2008 Terminal Services. I am going to describe how you could publish certain application to specific users or groups via RDP files.

To control published applications you could deploy:

MSI files via GPO or
or simply inform end users about RDP files they need to run

MSI approach works OK in the domains but in case you do not have a domain or you do not know how to configure group policies you will have to use RDP files. Distributing RDP files to your users might be a tricky business as these change over time and it might be too complicated to make sure everyone has the latest version.

Publishing files to a centralized portal

The easitest way to redistribute RDP files is to place these on the server (centralized portal). By default IIS does not support RDP file name extension. To solve this problem simply add the RDP extension in the MIME Types on the IIS server.

Follow these steps:

Navigate to the IIS manager
Select your website
Find MIME Types
Add RDP extension in the following format (File name Extension: .rdp ; MIME type: application/rdp)

iis-configuration

Now you are ready to deploy your RDP files from Program Files > Packed Programs (note you will need to create .rdp file in TS RemoteApp Manager for every published application) to root or some virtual directories on the IIS server.

In order to run the application go to the http://yourservername/application123.rdp or http://remoteapp.yourdomain.com/application123.rdp and you will be able to start the published application.

Configuring Portal Security

Problem: All applications are visible to the entire organization

When your RDP files are published to the server this might be a problem. Now every employee can connect to your server and run any RDP file you posted there.

In order to allow only a group of users to run an applications you will have to divide your applications to diferent subportals (virtual directories). As an example I created the following subportals:

http://yourservername/sales
http://yourservername/support
http://yourservername/management

These portals will be used by different groups of people. Each portal will contain different set applications as on picture below.

multiple-portals2

In order to secure your applications you will need configure security for these virtual folders. I have been using Basic Authentication but you may forms authentication, windows authentication or other.

When a user opens the http:// servername/management he(she) will be prompted for a username and password.

Upon authentication the following screen will be shown to him:

final-look

So what’s shown at the picture above? It is a customized TSWeb Access portal that shows the list of applications you are allowed to use. In the next post I am going to describe how to build one on your own.

Conclusion

Currently you cannot filter published applications by particular users. To overcome that limitation I created an RDP file for each published application and deployed these to a custom portal on your IIS. This method allows you to easily filter application by group or user.

In the next post I am going to describe how to build this portal step-by-step.

Tags: filteriing, how to, publishing, remoteApp

This entry was posted on Tuesday, June 30th, 2009 at 9:25 am and is filed under Windows2008, remoteApp. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.