A Remote Desktop Connection (RDC) client can exist in a variety of forms. Thin-client hardware devices that run an embedded Windows-based operating system can run the RDC client software to connect to an RD Session Host server.
Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016
This article describes the roles within a Remote Desktop Services environment.

Remote Desktop Session Host
The Remote Desktop Session Host (RD Session Host) holds the session-based apps and desktops you share with users. Users get to these desktops and apps through one of the Remote Desktop clients that run on Windows, macOS, iOS, and Android. Users can also connect through a supported browser by using the web client.
You can organize desktops and apps into one or more RD Session Host servers, called 'collections.' You can customize these collections for specific groups of users within each tenant. For example, you can create a collection where a specific user group can access specific apps, but anyone outside of the group you designated won't be able to access those apps.
For small deployments, you can install applications directly onto the RD Session Host servers. For larger deployments, we recommend building a base image and provisioning virtual machines from that image.
You can expand collections by adding RD Session Host server virtual machines to a collection farm, with each RDSH virtual machine within a collection assigned to the same availability set. This provides higher collection availability and increases scale to support more users or resource-heavy applications.
In most cases, multiple users share the same RD Session Host server, which most efficiently utilizes Azure resources for a desktop hosting solution. In this configuration, users must sign in to collections with non-administrative accounts. You can also give some users full administrative access to their remote desktop by creating personal session desktop collections.

You can customize desktops even more by creating and uploading a virtual hard disk with the Windows Server OS that you can use as a template for creating new RD Session Host virtual machines.
For more information, see the following articles:
Remote Desktop Connection Broker
Remote Desktop Connection Broker (RD Connection Broker) manages incoming remote desktop connections to RD Session Host server farms. RD Connection Broker handles connections to both collections of full desktops and collections of remote apps. RD Connection Broker can balance the load across the collection's servers when making new connections. If RD Connection Broker is enabled, using DNS round robin to balance load across RD Session Host servers is not supported. If a session disconnects, RD Connection Broker will reconnect the user to the correct RD Session Host server and their interrupted session, which still exists in the RD Session Host farm.
You'll need to install matching digital certificates on both the RD Connection Broker server and the client to support single sign-on and application publishing. When developing or testing a network, you can use a self-generated and self-signed certificate. However, released services require a digital certificate from a trusted certification authority. The name you give the certificate must be the same as the internal Fully Qualified Domain Name (FQDN) of the RD Connection Broker virtual machine.
You can install the Windows Server 2016 RD Connection Broker on the same virtual machine as AD DS to reduce cost. If you need to scale out to more users, you can also add additional RD Connection Broker virtual machines in the same availability set to create an RD Connection Broker cluster.
Before you can create an RD Connection Broker cluster, you must either deploy an Azure SQL Database in the tenant's environment or create an SQL Server AlwaysOn Availability Group.
For more information, see the following articles:
- SQL database in Desktop hosting service.
Remote Desktop Gateway
Remote Desktop Gateway (RD Gateway) grants users on public networks access to Windows desktops and applications hosted in Microsoft Azure's cloud services.
The RD Gateway component uses Secure Sockets Layer (SSL) to encrypt the communications channel between clients and the server. The RD Gateway virtual machine must be accessible through a public IP address that allows inbound TCP connections to port 443 and inbound UDP connections to port 3391. This lets users connect through the internet using the HTTPS communications transport protocol and the UDP protocol, respectively.
The digital certificates installed on the server and client have to match for this to work. When you're developing or testing a network, you can use a self-generated and self-signed certificate. However, a released service requires a certificate from a trusted certification authority. The name of the certificate must match the FQDN used to access RD Gateway, whether the FQDN is the public IP address' externally facing DNS name or the CNAME DNS record pointing to the public IP address.
For tenants with fewer users, the RD Web Access and RD Gateway roles can be combined on a single virtual machine to reduce cost. You can also add more RD Gateway virtual machines to an RD Gateway farm to increase service availability and scale out to more users. Virtual machines in larger RD Gateway farms should be configured in a load-balanced set. IP affinity isn't required when you're using RD Gateway on a Windows Server 2016 virtual machine, but it is when you're running it on a Windows Server 2012 R2 virtual machine.
For more information, see the following articles:
Remote Desktop Web Access
Remote Desktop Web Access (RD Web Access) lets users access desktops and applications through a web portal and launches them through the device's native Microsoft Remote Desktop client application. You can use the web portal to publish Windows desktops and applications to Windows and non-Windows client devices, and you can also selectively publish desktops or apps to specific users or groups.
RD Web Access needs Internet Information Services (IIS) to work properly. A Hypertext Transfer Protocol Secure (HTTPS) connection provides an encrypted communications channel between the clients and the RD Web server. The RD Web Access virtual machine must be accessible through a public IP address that allows inbound TCP connections to port 443 to allow the tenant's users to connect from the internet using the HTTPS communications transport protocol.
Matching digital certificates must be installed on the server and clients. For development and testing purposes, this can be a self-generated and self-signed certificate. For a released service, the digital certificate must be obtained from a trusted certification authority. The name of the certificate must match the Fully Qualified Domain Name (FQDN) used to access RD Web Access. Possible FQDNs include the externally facing DNS name for the public IP address and the CNAME DNS record pointing to the public IP address.
For tenants with fewer users, you can reduce costs by combining the RD Web Access and Remote Desktop Gateway workloads into a single virtual machine. You can also add additional RD Web virtual machines to an RD Web Access farm to increase service availability and scale out to more users. In an RD Web Access farm with multiple virtual machines, you'll have to configure the virtual machines in a load-balanced set.
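The following PowerShell preflight check is an added example, not code from the article or from Microsoft: it verifies, for an RD Gateway and an RD Web Access endpoint, the requirements stated above (inbound TCP 443 reachable, UDP 3391 expected for the gateway, the served certificate's name matching the FQDN clients use, and a chain to a trusted CA rather than a self-signed certificate). The FQDNs gw.contoso.example and rdweb.contoso.example are placeholders to replace with your own.

```powershell
# Added example, not from the original article. FQDNs below are placeholders.
function Test-RdsPublicEndpoint {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [int[]]$TcpPorts = @(443),
        [int[]]$UdpPorts = @()
    )
    $result = [ordered]@{ Fqdn = $Fqdn }

    # 1. The article requires inbound TCP 443 (Gateway and Web Access) and UDP 3391 (Gateway).
    foreach ($p in $TcpPorts) {
        $r = Test-NetConnection -ComputerName $Fqdn -Port $p -WarningAction SilentlyContinue
        $result["TCP$p"] = if ($r.TcpTestSucceeded) { 'open' } else { 'CLOSED' }
    }
    foreach ($p in $UdpPorts) {
        # Test-NetConnection cannot probe UDP; record it so the check is not silently skipped.
        $result["UDP$p"] = 'not probed - confirm with a client-side UDP test'
    }

    # 2. Fetch the certificate actually served on 443 (SNI = the FQDN users type in).
    $tcp = [System.Net.Sockets.TcpClient]::new($Fqdn, 443)
    try {
        # Accept any certificate in the handshake callback; validation is done explicitly below.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Dispose() }

    # 3. Name must match the FQDN clients use; chain must end at a trusted CA for a released service.
    $result.Subject      = $cert.Subject
    $result.SelfSigned   = ($cert.Subject -eq $cert.Issuer)
    $result.NameMatch    = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn `
                                   -AllowUntrustedRoot -ErrorAction SilentlyContinue)
    $result.ChainTrusted = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn `
                                   -ErrorAction SilentlyContinue)
    $result.Expires      = $cert.NotAfter
    [pscustomobject]$result
}

# Placeholder names (assumed, not from the article): gateway needs 443/TCP and 3391/UDP, Web Access 443/TCP.
Test-RdsPublicEndpoint -Fqdn 'gw.contoso.example'    -TcpPorts 443 -UdpPorts 3391
Test-RdsPublicEndpoint -Fqdn 'rdweb.contoso.example' -TcpPorts 443
```

A NameMatch of True with ChainTrusted False is the self-signed test setup the article allows only for development; both must be True before a service is released.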
For more information about how to configure RD Web Access, see the following articles:
Remote Desktop Licensing
Activated Remote Desktop Licensing (RD Licensing) servers let users connect to the RD Session Host servers hosting the tenant's desktops and apps. Tenant environments usually come with the RD Licensing server already installed, but for hosted environments you'll have to configure the server in per-user mode.
The service provider needs enough RDS Subscriber Access Licenses (SALs) to cover all authorized unique (not concurrent) users that sign in to the service each month. Service providers can purchase Microsoft Azure Infrastructure Services directly, and can purchase SALs through the Microsoft Service Provider Licensing Agreement (SPLA) program. Customers looking for a hosted desktop solution must purchase the complete hosted solution (Azure and RDS) from the service provider.
Small tenants can reduce costs by combining the file server and RD Licensing components onto a single virtual machine. To provide higher service availability, tenants can deploy two RD License server virtual machines in the same availability set. All RD servers in the tenant's environment are associated with both RD License servers to keep users able to connect to new sessions even if one of the servers goes down.
For more information, see the following articles:
RDS SUMMARY:
We get many questions about Remote Desktop Services on our hosted Windows Servers, and below is a summary of many of our blog posts, issues, and links to helpful solutions and discussions.
Most clients that use Remote Desktop Services (RDS) use full “desktop sessions,” where each user has their own desktop session to modify/customize the desktop, open their programs, save files, open MS Office documents (if Office is installed), etc. Users can share files with other users through the use of public folders. Desktop sessions are the default method in RDS and are typically easy to use from any device with the Microsoft Remote Desktop Connection client, which is built in on Windows PCs and can be downloaded for Mac, iPhone, Android, etc. If you need to share and save files, interface with Office, install several applications, or have full desktop features, you will likely want to use regular/full desktop sessions without adding the advanced configurations and complexity of RemoteApp (see the RemoteApp section below). In 2012 R2, during the installation of RDS, “Session Virtualization” is akin to desktop sessions.


INSTALLING APPS and PRINTER/DRIVE REDIRECTION: install your application using the proper RD install mode via control panel instead of double-clicking on the exe file.
RD CLIENT DOWNLOADS: Links to download remote desktop clients for Mac/iPhone/iPad and Android. We recommend you look for the most recent version if these links are out of date.

LOGIN ISSUES: Don’t check the box in user properties “change password upon login” and other items:
LOGOFF DISCONNECTED SESSIONS: For Windows Server 2012R2 only. Much easier to change these settings in 2008R2 via RDS GUI without following these steps. We recommend you utilize these steps to logoff disconnected sessions.
RDS LICENSING: Is your hosting provider providing the RDS user licenses? If you have your own licensing that you wish to use (Office, SQL Server, RDS, etc.), use our dedicated servers.
LAUNCH PROGRAM AUTOMATICALLY UPON LOGIN – to launch a single program without using RemoteApp
WINDOWS UPDATES TIMING: For Windows Server 2012R2 only, use link below to adjust timing of Windows Updates and reboots.
SHADOW SESSIONS: For Windows Server 2012R2 workgroup mode only, see link. Shadowing sessions in 2008R2 is easy and doesn’t require steps below.
REMOTEAPP:
Instead of a full desktop session for each user, RemoteApp is a feature in RDS where the user doesn’t get a desktop session but rather just an application, as if it were running on the end user’s desktop. While RemoteApp can be a great feature, there are some limitations as noted below (difficult to use for Mac users, no desktop session to save/share Office and other files, etc.). Setup and use of RemoteApp differ between Windows Server 2008R2 and 2012R2. If you have Mac users, your only option if you want to use RemoteApp is Windows 2012R2 with the RDWeb role service installed and the server joined to a domain. An alternative to RemoteApp in some situations is to configure user properties to have a program automatically start upon login, or to use desktop sessions that have been configured via group policies to hide some desktop features or icons.
Regular/full desktop sessions are typically much easier to use than RemoteApp, especially if you wish to interface with MS Office, share documents with other users, customize shortcuts or your desktop, etc., but RemoteApp is beneficial in certain use cases where you don’t want the user to log on to the server desktop and wish to provide access only to a specific program. In 2012R2, RemoteApp requires some advanced configuration, such as joining a domain, and you’ll want to install certificates, etc.
RemoteApp in Windows Server 2008R2:
Works in workgroup mode (doesn’t require joining a domain as 2012R2 does). Managed through the RemoteApp Manager in Administrative Tools. Use the RemoteApp wizard to publish an application as a RemoteApp. There are several methods to distribute RemoteApps in 2008R2, two of which are:
- Distribute an RDP file to the user (no longer available in 2012R2). Create a .rdp file in the RemoteApp Manager (click on the RemoteApp and click on “Create .rdp File”), then manually distribute it to user(s) as needed.
- RDWeb website where users access the specified program via a URL. You need to install the RDWeb Access role service, which installs IIS too. The RDWeb Access website on 2008R2 requires the client browser to have ActiveX enabled and therefore doesn’t work on Chrome, Firefox, or any browser other than Internet Explorer (which may require adding the URL to compatibility settings or trusted sites to avoid a “browser not supported” error message), and therefore basically excludes Mac users. https://technet.microsoft.com/en-us/library/cc731508.aspx
RemoteApp in Windows Server 2012R2:
RemoteApp Manager doesn’t exist in 2012R2, and in order to view the RDS section in Server Manager, the server must be joined to a domain. Distribution methods: the ability to create an RDP file for distribution via the RemoteApp wizard is no longer available. The RDWeb method and other methods, such as the Web Feed URL method via Control Panel on the end user’s local PC, are still available.
- RDWeb URL – 2012R2 no longer requires ActiveX and therefore should be much more accessible from other browser types. When enabled, you can access the RD Web Access website at https://IPADDRESS/rdweb.
- However, in 2012R2, to distribute RemoteApp programs via the RD Web page, the RDWeb server role must be installed, which requires the server to be joined to a domain first, or the Active Directory Domain Controller role to be installed on the server first, which is usually not recommended on the same server (and won’t even load on 2012, but will on 2012R2).
Links to some of our blog posts on RemoteApp:
