
Posts Tagged ‘remoteApp’


Building a custom RemoteApp Portal for Windows 2008 – Part 2

In my previous post I described how you could add filtering for RemoteApps. This post contains step-by-step instructions on how to build the portal.

Step 1. Create RemoteApp applications and .RDP files

I will assume you have a Terminal Server with RemoteApp installed, so I will skip that step.

1. Open TS RemoteApp Manager

2. Publish all Applications you want your users to see.

3. Select all Applications and then click “Create .RDP files”

[Image: ts-configuration2]

4. All RDP files will be stored in Program Files > Packaged Programs

We are going to redistribute all these files to our portal.

Step 2. Creating security groups for accessing web portal.

I have created two security groups, Management and Sales. I added the user user_management to the Management group and user_sales to the Sales group. user_sales and user_management are also part of the Remote Desktop Users security group.

It is much easier to use security groups: later you will be able to add a user to another group or a new user to an existing group. We will be using groups to configure permissions on the virtual folders.

Step 3. Configure IIS security settings

[Image: iis-virtual-directories]

For the purpose of this post I created two folders on my Default web site. These will be used to host RDP files and application images (icons).

Step 3.1. Copy all the RDP files of published applications for members of Management group

[Image: file-management]

Step 3.2. Create default.asp file in the Management folder and paste the following code:

<%@ Language=VBScript %>
    <HTML>
    <head><title>Welcome to RemoteApp Portal</title></head>
    <BODY>
    <b>Welcome to RemoteApp Portal</b> <br><br><br>

    <%
    Dim objFileScripting, objFolder, objFile
    Dim filename, filename2, filecollection, strDirectoryPath, strUrlPath
    Dim strHref, strLabel
        strDirectoryPath = "c:\inetpub\wwwroot\Management\Applications\"
        ' URLs use forward slashes, not backslashes
        strUrlPath = "/Management/Applications/"

        ' Get the file scripting object
        Set objFileScripting = CreateObject("Scripting.FileSystemObject")
        ' Return the folder object
        Set objFolder = objFileScripting.GetFolder(strDirectoryPath)
        ' Return the file collection in the folder
        Set filecollection = objFolder.Files
        ' Create the links
        For Each objFile In filecollection
            ' File name without the folder path
            filename = objFile.Name
            ' Display name: file name without the .rdp extension (any case)
            filename2 = Replace(filename, ".rdp", "", 1, -1, vbTextCompare)
            ' HTML-encode the values before writing them into the page
            strHref = Server.HTMLEncode(strUrlPath & filename)
            strLabel = Server.HTMLEncode(filename2)
            Select Case filename2
            Case "Calc"
                Response.Write "<A HREF=""" & strHref & """><img src=""images/calculator.png"" ALIGN=center BORDER=0 >" & strLabel & "</A><BR><BR>"
            Case "EXCEL"
                Response.Write "<A HREF=""" & strHref & """><img src=""images/excel.gif"" ALIGN=center BORDER=0 >" & strLabel & "</A><BR><BR>"
            Case "WORD"
                Response.Write "<A HREF=""" & strHref & """><img src=""images/word.gif"" ALIGN=center BORDER=0 >" & strLabel & "</A><BR><BR>"
            Case Else
                Response.Write "<A HREF=""" & strHref & """>" & strLabel & "</A><BR><BR>"
            End Select
        Next
    %>
    </BODY>
    </HTML>

Download the script, images and example RDP files here: remoteapp_user_filtering_example

The script lists all the RDP files in the Applications folder and displays each file with a small icon next to it. If you would like to add more icons, add them to the images folder and tweak the code to display them.

Your application portal will look like this:

[Image: final-look]

When a user clicks on one of these links, the RDP application will start. (The user will be prompted for a username and password.)

Step 4. Configuring authentication

To make sure that only members of the Management group can see these applications, do the following:

Step 4.1. – Permissions

1. Open IIS management

2. Choose the Management virtual directory, then select Edit Permissions and then Security

3. The Security tab lists several users that we don’t want to access the Management portal

4. Disable inheritable permissions

5. In the Security tab choose Advanced, then Edit

6. Clear “Include inheritable permissions from this object’s parent” and choose to copy the parent permissions

7. Confirm this by choosing Apply

8. Now remove the following users: Everyone, TrustedInstaller, Users, Creator Owner

9. Add the Management security group that we created in Step 2

10. Confirm everything

Step 4.2. – Authentication

11. Now we need to add authentication for the Management group.

12. Click the Management virtual directory and then choose Authentication

13. Disable Anonymous Authentication and enable Basic Authentication

Repeat the steps above for every group on your server.
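Steps 4.1 and 4.2 can be scripted so that they are applied the same way to every group. The following is an added example, not part of the original post; it assumes the portal folders sit under c:\inetpub\wwwroot on "Default Web Site", that each folder is named after its group, that the Basic Authentication role service is installed, and that the group gets Read & execute rights.

```powershell
# Added example: applies Steps 4.1 and 4.2 to one portal folder per group.
# Assumed: site name, root folder, and folder name == group name.
param(
    [string]$Site = 'Default Web Site',
    [string]$Root = 'c:\inetpub\wwwroot',
    [string[]]$Groups = @('Management', 'Sales')
)
$ErrorActionPreference = 'Stop'
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$authSection = 'system.webServer/security/authentication'
# Principals removed in Step 4.1, item 8
$remove = 'Everyone', 'NT SERVICE\TrustedInstaller', 'BUILTIN\Users', 'CREATOR OWNER'

foreach ($group in $Groups) {
    $path = Join-Path $Root $group

    # Step 4.1, items 4-7: stop inheriting, but keep a copy of the parent's entries
    $acl = Get-Acl $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl

    # Item 8: re-read the ACL so the copied entries are visible, then drop the broad principals
    $acl = Get-Acl $path
    foreach ($name in $remove) {
        $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($name)))
    }

    # Item 9: grant the portal's own group read access to the folder and its files
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $group, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Step 4.2: disable Anonymous Authentication, enable Basic Authentication
    $target = "$Site/$group"
    & $appcmd set config $target "/section:$authSection/anonymousAuthentication" /enabled:false /commit:apphost
    & $appcmd set config $target "/section:$authSection/basicAuthentication" /enabled:true /commit:apphost
}
```

Run it from an elevated PowerShell prompt on the IIS server. Basic Authentication sends the password Base64-encoded rather than encrypted, so the portal should only be reachable over HTTPS.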

To audit which application is being used by each user, use the Terminal Services Log :-) !


Windows 2008 Terminal Services RemoteApp user or group filtering – Part 1

The most wanted feature for Windows 2008 Terminal Services is RemoteApp user filtering. You don’t want all users to see all applications on the web portal. This feature will probably be released in Windows Server 2008 R2 but till then, you are out of luck.

Citrix Web Access and Grouping allows Citrix users to do the same, but in this article I am going to focus on Windows 2008 Terminal Services. I am going to describe how you could publish certain applications to specific users or groups via RDP files.

To control published applications you could:

  • deploy MSI files via GPO, or
  • simply inform end users about the RDP files they need to run

The MSI approach works OK in domains, but if you do not have a domain or do not know how to configure group policies, you will have to use RDP files. Distributing RDP files to your users might be a tricky business, as these change over time and it might be too complicated to make sure everyone has the latest version.

Publishing files to a centralized portal

The easiest way to redistribute RDP files is to place them on the server (a centralized portal). By default, IIS does not serve files with the .rdp file name extension. To solve this problem, add the RDP extension to the MIME Types on the IIS server.
Follow these steps:
  1. Navigate to the IIS manager
  2. Select your website
  3. Find MIME Types
  4. Add RDP extension in the following format (File name Extension:  .rdp ; MIME type: application/rdp)

[Image: iis-configuration]

Now you are ready to deploy your RDP files from Program Files > Packaged Programs (note that you will need to create an .rdp file in TS RemoteApp Manager for every published application) to the root or to virtual directories on the IIS server.

To run the application, go to http://yourservername/application123.rdp or http://remoteapp.yourdomain.com/application123.rdp and you will be able to start the published application.

Configuring Portal Security

[Image: all-users-on-a-single-portal2]

Problem: All applications are visible to the entire organization

When your RDP files are published to the server, this might be a problem. Now every employee can connect to your server and run any RDP file you posted there.

To allow only a group of users to run an application, you will have to divide your applications into different subportals (virtual directories). As an example, I created the following subportals:

  • http://yourservername/sales
  • http://yourservername/support
  • http://yourservername/management

These portals will be used by different groups of people. Each portal will contain a different set of applications, as in the picture below.

[Image: multiple-portals2]

To secure your applications you will need to configure security for these virtual folders. I have been using Basic Authentication, but you may use forms authentication, Windows authentication or another method.
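Whether each subportal folder is really limited to its own group can be checked from the folder permissions. The following is an added example, not part of the original post; the folder-to-group mapping and the root path are assumptions, and "Support" is a hypothetical group name for the /support subportal.

```powershell
# Added example: list permission entries on each subportal folder that grant
# access to anyone other than the portal's own group, Administrators or SYSTEM.
# Assumed: root path and folder-to-group mapping ("Support" is hypothetical).
$Root = 'c:\inetpub\wwwroot'
$Portals = @{ 'sales' = 'Sales'; 'support' = 'Support'; 'management' = 'Management' }
# Principals expected on every portal folder besides the portal's own group
$Expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

function Get-UnexpectedAccess {
    param([string]$Path, [string]$Group)
    $acl = Get-Acl $Path
    # Matches "Management", "SERVER\Management" or "DOMAIN\Management"
    $groupPattern = '(^|\\)' + [regex]::Escape($Group) + '$'
    # A folder that still inherits will pick up the parent's broad entries again
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$Path still inherits permissions from its parent"
    }
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object { $Expected -notcontains $_.IdentityReference.Value } |
        Where-Object { $_.IdentityReference.Value -notmatch $groupPattern } |
        Select-Object @{ Name = 'Folder'; Expression = { $Path } },
                      IdentityReference, FileSystemRights, IsInherited
}

foreach ($name in $Portals.Keys) {
    Get-UnexpectedAccess -Path (Join-Path $Root $name) -Group $Portals[$name]
}
```

No output and no warnings means every subportal folder is readable only by its own group, Administrators and SYSTEM.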

When a user opens http://servername/management, he or she will be prompted for a username and password.

[Image: image5]

Upon authentication the following screen will be shown to him:

[Image: final-look]

So what’s shown in the picture above? It is a customized TSWeb Access portal that shows the list of applications you are allowed to use. In the next post I am going to describe how to build one on your own.

Conclusion

Currently you cannot filter published applications by particular users. To overcome that limitation, I created an RDP file for each published application and deployed these to a custom portal on IIS. This method allows you to easily filter applications by group or user.

In the next post I am going to describe how to build this portal step-by-step.