Using Azure App Proxy with RDWeb

With the release of the new Azure App Proxy connector Microsoft decided to finally officially support the App Proxy for the (new) RDWeb Client.

I’ve been waiting for this for some time now because the only way to use the new client was the plugin for NPS, which wasn’t sufficient as it only supported authentication after you were logged in on the RDWeb Client. It also didn’t support the App Proxy, so you still had to open up the HTTPS port to the RDWeb server on your firewall.

Now that it’s here it was time to start writing a blog about it. With some new ideas I’ve gotten from my previous blog about the App Proxy (Securing & using SSO for OWA & ECP with the Azure App Proxy) it was time to start writing this blog.

Now let’s start by summing up the pros and cons this solution has to offer, what you’ll need in your environment and the steps that need to be taken in order to get it up and running.

Pros and cons

Pros
  • No more open firewall ports!
    • Port 443 open to the public? No way bro…
  • Pre-authentication
    • You will be able to leverage Conditional Access which (as we all know) enables MFA, SSO and other conditions for Microsoft 365 cloud resources. You can even have specific rules for the RDWeb App as it will be published as an Enterprise Application in Azure.
  • Less attack surface
    • Because nothing is exposed directly to the internet anymore, there is no internet-facing OS, IIS or RDS component that has to be kept patched to stay secure.
  • Include RDWeb in your Company Portal
    • Users will be able to reach the RDWeb Client from the My Apps portal
  • The RDWeb Client is based on HTML5 and therefore compatible with almost every internet browser.
  • You can load balance and “cluster” the App Proxy
    • The App Proxy allows you to install multiple connector instances that are aware of each other.
Cons
  • No SSO support between App Proxy and RDWeb
    • There is currently no support for SSO between Azure App Proxy and the HTML5 RDWeb Client. I’ve tried to get it working with both Windows Integrated Authentication and forms-based authentication, but there was no way to pass the credentials on to the RDWeb Client.

      Sidenote: the RD Gateway does work with SSO and allows you to access only the RemoteApps through the App Proxy.

Prerequisites

You will need 3 servers in your environment.

A Domain Controller, which is responsible for the usual things like DNS name resolution and Active Directory.
The other 2 servers are the App Proxy connector (be sure to deploy multiple connector servers: the more you have, the better your HA and load balancing) and of course the RDS server hosting the RD Gateway and RD Web services.

You will also need the latest release of the App Proxy which enables support for the RDWeb Client and AD Connect to sync your accounts.

On Windows Server 2019 you will need to disable HTTP2 (Link).

An Azure AD Premium P1 license is also required to make use of the App Proxy.

Remember to allow outbound access from the App Proxy connector server(s) to the URL’s and ports used by Azure (Link).

Data flow

The principle of the App Proxy is to tunnel traffic through the App Proxy connector you install on a server inside your LAN. This connector makes outbound connections to the Azure front-end, which delivers a sort of kiosk in which the web application runs.
I’ve demonstrated this in the above data flow schema.

Now, let’s get this party started!

In order to leverage the App Proxy we will need to take the following steps:

Install the RDWeb Client

Set the RD Licensing to Per User

Enable and install the Azure App Proxy

Add the application to Azure

Configure the RD Gateway and published RDP to use Azure App Proxy for Pre-Auth

Set the Homepage URL

Assign the application

The end result

Install the RDWeb Client

In order to use the HTML5 client you’re going to download, install and activate it via PowerShell.

In the video I’ve used the following commands:

# Update the package manager and install the web client management module
Install-Module -Name PowerShellGet -Force
Install-Module -Name RDWebClientManagement
# Download the latest web client package
Install-RDWebClientPackage
# Import the RD Connection Broker certificate so the client trusts the broker
Import-RDWebClientBrokerCert PATH

Where PATH is the location of the certificate’s .cer file.

# Publish the latest downloaded package for production use
Publish-RDWebClientPackage -Type Production -Latest

Set the RD Licensing to Per User

The HTML5 client requires the RDS licensing mode to be set to Per User, so we’ll need to change that setting. Of course you’ll need the appropriate licenses, so be sure to have sufficient Per User CALs installed on your RD Licensing server.

Enable and install the Azure App Proxy

To start using the App Proxy you simply need to enable the functionality in Azure and install the App Proxy connector on one or more servers. In this blog I’ve only used one server, which is sufficient for basic demo purposes.

Add the application to Azure

To make the application available and enable the use of the App Proxy for RDWeb we need to add it to Azure and define the parameters, such as the internal URL of the (RDS) server and the external URL of the application. In this video I’m using an msappproxy.net address, but you can also use a URL on your own domain like app.domain.com. The only thing you need to do then is upload a valid 3rd party certificate for that URL.

Configure the RD Gateway and published RDP to use Azure App Proxy for Pre-Auth

The RD Gateway and the RDP file make up the “back-end” that you connect to when starting the published RD Web app. These 2 components need to be modified to fit the App Proxy structure: you set the RD Gateway’s advertised name and the pre-authentication server address to the App Proxy URL, so that when the application is launched the RDWeb session stays inside the App Proxy “kiosk” and the client does not notice that the destination is the RD Gateway.

In this video I’ve used the following commands:

Set-RDSessionCollectionConfiguration -CollectionName COLLECTIONNAME -CustomRdpProperty "pre-authentication server address:s:AZUREAPPURL`nrequire pre-authentication:i:1"

AZUREAPPURL is the URL you are using for your application, like https://rdweb.msappproxy.net/ (the `n inside the double-quoted string is a PowerShell newline, so the two RDP properties end up on separate lines in the published RDP file)

COLLECTIONNAME is the name of your RDS collection like MyRDScollection

You can check whether the command applied the correct settings by running the following command, which prints the contents of the published RDP file:

(get-wmiobject -Namespace root\cimv2\terminalservices -Class Win32_RDCentralPublishedRemoteDesktop).RDPFileContents
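As an added check that is not part of the original post, the following PowerShell parses the RDPFileContents returned by the command above and confirms that a published desktop really enforces App Proxy pre-authentication; the sample RDP text and the application URL https://rdweb.msappproxy.net/ are constructed for the example, and the Name property read from the WMI object is an assumption.

```powershell
# Added example (not from the original post): verify that a published RDP file
# carries the App Proxy pre-authentication properties set by the command above.
function Test-RDPreAuthConfig {
    param(
        [Parameter(Mandatory)] [string] $RdpFileContents,
        [Parameter(Mandatory)] [string] $ExpectedAppProxyUrl
    )
    # An .rdp file is a list of "name:type:value" lines; build a lookup table.
    $props = @{}
    foreach ($line in ($RdpFileContents -split "`r?`n")) {
        if ($line -match '^(?<name>[^:]+):(?<type>[is]):(?<value>.*)$') {
            $props[$Matches.name.Trim().ToLower()] = $Matches.value.Trim()
        }
    }
    $issues = @()
    if ($props['require pre-authentication'] -ne '1') {
        $issues += 'require pre-authentication is not set to 1'
    }
    $addr = $props['pre-authentication server address']
    if (-not $addr) {
        $issues += 'pre-authentication server address is missing'
    } elseif ($addr.TrimEnd('/') -ne $ExpectedAppProxyUrl.TrimEnd('/')) {
        $issues += "pre-authentication server address is '$addr', expected '$ExpectedAppProxyUrl'"
    }
    [pscustomobject]@{
        Compliant = ($issues.Count -eq 0)
        Issues    = $issues
        Gateway   = $props['gatewayhostname']
    }
}

# Constructed sample of what a published RDP file should look like after the
# Set-RDSessionCollectionConfiguration command from the post (URL is a placeholder).
$appUrl = 'https://rdweb.msappproxy.net/'
$sample = "full address:s:broker.corp.example`ngatewayhostname:s:rdweb.msappproxy.net`npre-authentication server address:s:$appUrl`nrequire pre-authentication:i:1"
Test-RDPreAuthConfig -RdpFileContents $sample -ExpectedAppProxyUrl $appUrl   # Compliant = True

# Live check on the RDS server: read every published desktop through the same WMI
# class the post uses and evaluate each one (the Name property is assumed to exist).
Get-WmiObject -Namespace root\cimv2\terminalservices -Class Win32_RDCentralPublishedRemoteDesktop |
    ForEach-Object {
        $r = Test-RDPreAuthConfig -RdpFileContents $_.RDPFileContents -ExpectedAppProxyUrl $appUrl
        [pscustomobject]@{ Name = $_.Name; Compliant = $r.Compliant; Issues = ($r.Issues -join '; ') }
    }
```

A desktop reported as non-compliant can still be reached without passing through the App Proxy pre-authentication, so rerun the Set-RDSessionCollectionConfiguration command for that collection.
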

Set the Homepage URL

The Homepage URL is the one that’s going to be used for the published app in the My Apps portal; it points the tile to the correct internal URL of the RDWeb server.

Assign the application

To make the application visible in the My Apps portal you’ll also need to assign it to your users. There is an option to make it available to all users, but assigning it to specific users or groups gives you control over which users get which applications.

The end result

Now that you’ve set the correct settings it’s time to enjoy the show!

I hope you liked reading and viewing this blog!

And if you have any questions, feel free to post a reply!
