Geekzone: technology news, blogs, forums


Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


#288786 23-Jul-2021 09:04

In a deployment of a single Remote Desktop Server, is there any benefit in installing the connection broker and/or web access roles on a separate management server (rather than on the actual RDS)?

For performance reasons I'd like the RDS server to have as little on it as possible, but don't want to add complexity to the setup if not really getting any benefit.

Thanks
clinty
1201 posts

Uber Geek
+1 received by user: 402

Lifetime subscriber

  #2748575 23-Jul-2021 09:26

How many users will be using the RDS?

Clint




gbwelly
1263 posts

Uber Geek
+1 received by user: 776


  #2748585 23-Jul-2021 09:41

Keeping the session host separate will make your life easier in the future when it gets sick, or you need to replace it/upgrade etc. Other roles are fine together in small deployments imo.

Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #2748645 23-Jul-2021 09:54

clinty:

How many users will be using the RDS?

Clint

Only about 30 users.




Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #2748652 23-Jul-2021 10:12

gbwelly:

Keeping the session host separate will make your life easier in the future when it gets sick, or you need to replace it/upgrade etc. Other roles are fine together in small deployments imo.

Thanks.

Basic setup is 3 servers:

  • DC (only one domain controller at this point)
  • Management + File/Print Server
  • RDS

I want to keep the DC and RDS as clean as possible, so the idea was to put everything else on the third "management" server.

The environment (and budget) isn't big enough to have dedicated servers for everything. So would the following be the best approach:

  • RD Connection Broker - Management + File/Print Server
  • RD Web Access - Management + File/Print Server
  • RD Gateway - Management + File/Print Server
  • RD Licensing - Management + File/Print Server
  • RD Session Host - RDS Server

EDIT: It just occurred to me, won't RD Web Access and RD Gateway both want port 443?


gbwelly
1263 posts

Uber Geek
+1 received by user: 776


  #2748661 23-Jul-2021 10:42

Your constraints are going to make this a bit difficult to do securely. RD Web and RD Gateway are fine on the same box, as the FQDN will be the same for both so you don't need separate certs and bindings.

The big issue is the lack of a web application proxy and MFA.

Perhaps you should look into Remote Desktop Gateway Services in Azure. Then you can do pre-authentication including MFA with Azure AD.
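As an added illustration (not something posted in this thread), here is a PowerShell check an admin could run on the box that hosts both RD Web Access and RD Gateway to confirm the two roles really do share one 443 binding and that each role's certificate matches the single published FQDN gbwelly describes. The broker host name and the public FQDN are placeholders you would substitute for your own.

```powershell
# Added example, not from the thread. Run on the server hosting RD Web Access and
# RD Gateway. Confirms (1) who owns TCP 443, (2) the IIS binding(s) on 443, and
# (3) that the certificate assigned to each RDS role matches the public FQDN.
# Placeholders (assumptions): $Broker and $Fqdn below.
Import-Module RemoteDesktop
Import-Module WebAdministration

$Broker = 'mgmt.corp.example.local'   # placeholder: server holding the RD Connection Broker role
$Fqdn   = 'rds.example.com'           # placeholder: the one public name used for RDWeb and RDG

# 1. Listeners on TCP 443. With RDWeb and RDG both served by IIS you expect a single
#    owning process (HTTP.sys, shown as System). A second, different process on 443
#    would be the port conflict the OP is worried about.
Write-Host '--- Listeners on TCP 443 ---'
Get-NetTCPConnection -LocalPort 443 -State Listen |
    Select-Object LocalAddress, OwningProcess,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize

# 2. IIS HTTPS bindings on 443. Both roles are applications under the same IIS site,
#    so one binding carrying one certificate hash is the healthy result.
Write-Host '--- IIS HTTPS bindings on 443 ---'
Get-WebBinding -Port 443 |
    Select-Object protocol, bindingInformation, certificateHash |
    Format-Table -AutoSize

# 3. Certificates the RDS deployment has assigned to each role. The subject must match
#    the name clients connect to, otherwise RDG/RDWeb produce name-mismatch warnings
#    that users learn to click through, which is exactly what you do not want.
Write-Host '--- RDS role certificates ---'
'RDWebAccess', 'RDGateway', 'RDRedirector', 'RDPublishing' | ForEach-Object {
    $cert = Get-RDCertificate -Role $_ -ConnectionBroker $Broker
    [pscustomobject]@{
        Role      = $_
        Level     = $cert.Level            # Trusted, Untrusted, or not configured
        Subject   = $cert.Subject
        ExpiresOn = $cert.ExpiresOn
        NameMatch = ($cert.Subject -like "*CN=$Fqdn*")
    }
} | Format-Table -AutoSize
```

Any role showing NameMatch False, or a 443 listener owned by something other than HTTP.sys, is the thing to fix before the gateway is exposed to the internet.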
Kraven
738 posts

Ultimate Geek
+1 received by user: 190


  #2748664 23-Jul-2021 10:45

Paul1977:

Basic setup is 3 servers:

  • DC (only one domain controller at this point)
  • Management + File/Print Server
  • RDS

I assume these are VMs on a single physical host? If so, then you should have Windows Server licensing for four VMs, so why not just add another VM to run the Connection Broker, Gateway, etc.
Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #2748668 23-Jul-2021 10:53

gbwelly:

Your constraints are going to make this a bit difficult to do securely. RD Web and RD Gateway are fine on the same box, as the FQDN will be the same for both so you don't need separate certs and bindings.

The big issue is the lack of a web application proxy and MFA.

Perhaps you should look into Remote Desktop Gateway Services in Azure. Then you can do pre-authentication including MFA with Azure AD.

@gbwelly The site is using Microsoft 365 Premium and syncing users with Azure AD Connect. I'm a bit new to the Azure stuff, but do 365 Premium and Azure AD Connect give us the ability to proxy it through Azure as you suggest without additional costs?


gbwelly
1263 posts

Uber Geek
+1 received by user: 776


  #2748686 23-Jul-2021 12:32

Paul1977:

gbwelly:

Your constraints are going to make this a bit difficult to do securely. RD Web and RD Gateway are fine on the same box, as the FQDN will be the same for both so you don't need separate certs and bindings.

The big issue is the lack of a web application proxy and MFA.

Perhaps you should look into Remote Desktop Gateway Services in Azure. Then you can do pre-authentication including MFA with Azure AD.

@gbwelly The site is using Microsoft 365 Premium and syncing users with Azure AD Connect. I'm a bit new to the Azure stuff, but do 365 Premium and Azure AD Connect give us the ability to proxy it through Azure as you suggest without additional costs?

I guess I should take a step back and check - you are wanting users to be able to use the service from outside the organisation via the internet, right?

If the consumers will be on the LAN or using it via a VPN, then you can keep it super simple, no MFA, no WAP etc.

Regarding making it available over the internet with Azure, you're halfway there already. If they have 'Business' Premium then they are entitled to use MFA already (and hopefully they already are!!).

Here is a link about setting up Azure application proxy: https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-integrate-with-remote-desktop-services

As for cost I couldn't tell you, but I suspect it will be super cheap, perhaps mainly just the egress costs for the data leaving Azure.








Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #2748709 23-Jul-2021 13:03

gbwelly:

I guess I should take a step back and check - you are wanting users to be able to use the service from outside the organisation via the internet, right?

If the consumers will be on the LAN or using it via a VPN, then you can keep it super simple, no MFA, no WAP etc.

Regarding making it available over the internet with Azure, you're halfway there already. If they have 'Business' Premium then they are entitled to use MFA already (and hopefully they already are!!).

Here is a link about setting up Azure application proxy: https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-integrate-with-remote-desktop-services

As for cost I couldn't tell you, but I suspect it will be super cheap, perhaps mainly just the egress costs for the data leaving Azure.

Thanks, was just looking over that link you sent already!

Primarily over a site-to-site IPsec VPN to our hosting provider, but will have a requirement for some users to access from home or other locations.

Could use VPN on the remote client devices, but thought RD Gateway might be a more seamless user experience.


Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #2748809 23-Jul-2021 16:22

In testing, using an Azure App Proxy is pretty far from seamless.

It only seems to work by accessing the RDWeb page via the Azure App Proxy WITH INTERNET EXPLORER ONLY and launching the RDP shortcut from there. Any other web browser doesn't work, and trying to directly use a preconfigured RDP shortcut doesn't work either.

What I really want is for the user to have a shortcut on their desktop that direct connects the RDP session over 3389 when on the internal network, but connects through RD Gateway via Azure App Proxy when not on the internal network.

Is this even possible, or am I wasting my time?


gbwelly
1263 posts

Uber Geek
+1 received by user: 776


  #2748825 23-Jul-2021 17:10

I wouldn't even try using Internet Explorer, it has a habit of hiding problems with its geriatric ActiveX powers.

Don't get too frustrated, RDS has been causing me gray hairs for 11 years. Have a look through this link, perhaps you'll find the nugget of info to get things sorted:

https://parveensingh.com/publish-rds-environment-with-azure-ad-application-proxy/

Be worth looking through the comments too, sounds like there is at least one person with the IE symptom too.

All I can say is all the frustrations I have had in the past are related to host names, particularly regarding internal/external mismatches.
Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #2749788 26-Jul-2021 09:50

gbwelly:

I wouldn't even try using Internet Explorer, it has a habit of hiding problems with its geriatric ActiveX powers.

Don't get too frustrated, RDS has been causing me gray hairs for 11 years. Have a look through this link, perhaps you'll find the nugget of info to get things sorted:

https://parveensingh.com/publish-rds-environment-with-azure-ad-application-proxy/

Be worth looking through the comments too, sounds like there is at least one person with the IE symptom too.

All I can say is all the frustrations I have had in the past are related to host names, particularly regarding internal/external mismatches.

Agreed, and I only tried it on IE after researching the error I was getting in Chrome. The issue seems to be Azure AD pre-authentication vs pass-through pre-authentication.

Also, reading the comments it sounds like it's relatively trivial to bypass MFA entirely with this method.

I'll keep investigating, but I think I'll look into a VPN solution that I can integrate with Azure MFA to see if it can provide a better solution.

