Hi everyone,

Back in June of 2018 Microsoft published an exciting article on how to publish Remote Desktop Services using Azure App Proxy. However, the instructions didn’t quite work and led to a gateway error:


http://blog.ronnypot.nl/wp-content/uploads/2012/02/rwagateway1.jpg

After a lot of Googling and testing, I discovered an article where AdScientiamDei said they got the solution working by publishing two applications, one for the RDS workload and the other for the gateway.  With this information, I was able to get the solution running as well.  In this post, I’m going to update the original instructions to include the fix found by AdScientiamDei, here goes.

Requirements

These instructions make the same assumptions the original article made; these are the main ones:

  1. You need to have a functioning RDS environment. My example will be all roles on a single server, but the requirement is that the RD Gateway and RD Web endpoints must be on the same machine.
  2. Azure Application Proxy must already be enabled
  3. The Azure App Proxy agent must be installed. I put mine on the Gateway server; if you have multiple Gateway servers, install one on each.

Please read the original article for the rest of the requirements.

Deploy the joint RDS and Application Proxy scenario

After setting up RDS and Azure AD Application Proxy for your environment, follow the steps to combine the two solutions. These steps walk through publishing the two web-facing RDS endpoints (RD Web and RD Gateway) as applications and then directing traffic on your RDS to go through Application Proxy.

Publish the RD host endpoint

  1. Publish a new Application Proxy application for the RD Web endpoint with the following values:
    • Internal URL: https://<Internal FQDN of RDS Server>/rdweb/ (the trailing slash is important)
    • External URL: https://rds-<tenantname>.msappproxy.net/rdweb/ (This should be the default value but it’s in the drop-down list if not)
    • Pre-authentication method: Azure Active Directory
    • Translate URL headers: No
    • Application Body: No
  2. Assign users to the published RD application. Make sure they all have access to RDS, too.
  3. Leave the single sign-on method for the application as Azure AD single sign-on disabled. Your users are asked to authenticate once to Azure AD and once to RD Web, but have single sign-on to RD Gateway.
  4. Go to Azure Active Directory > App Registrations > Your application > Manage > Branding.
  5. Verify that the Home-page URL field points to your RD Web external endpoint https://rds-<tenantname>.msappproxy.net/rdweb/
  6. Publish a new Application Proxy application for the RD Gateway endpoint with the following values:
    • Internal URL: https://<Internal FQDN of RDS Server>/ (the trailing slash is important)
    • External URL: https://rdsgw-<tenantname>.msappproxy.net/
    • Pre-authentication method: Passthrough
    • Translate URL headers: Yes
    • Application Body: No
  7. Assign the same users to the published RD application.
  8. Leave the single sign-on method for the application as Azure AD single sign-on disabled. Your users are asked to authenticate once to Azure AD and once to RD Web, but have single sign-on to RD Gateway.
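The same two publications done from PowerShell, as an added example that is not part of the original post or of Microsoft's article. It uses the AzureAD PowerShell module's New-AzureADApplicationProxyApplication and Get-AzureADApplicationProxyApplication cmdlets to create the RD Web application (Azure AD pre-authentication, no header translation) and the RD Gateway application (passthrough, host header translation on) with the values listed above, and then reads both back so you can confirm the pre-authentication method on each before assigning users. The display names, <tenantname> and <Internal FQDN of RDS Server> are placeholders you replace with your own values.

```powershell
# Added example, not the post's own code: publish the RD Web and RD Gateway
# Application Proxy applications and verify their settings.
# Requires the AzureAD module (Install-Module AzureAD) and an admin sign-in.
Connect-AzureAD

$tenant      = '<tenantname>'                    # placeholder
$internalRds = '<Internal FQDN of RDS Server>'   # placeholder

# Application 1: RD Web. Pre-authenticated by Azure AD, trailing slash kept.
New-AzureADApplicationProxyApplication `
    -DisplayName 'RDS Web' `
    -InternalUrl "https://$internalRds/rdweb/" `
    -ExternalUrl "https://rds-$tenant.msappproxy.net/rdweb/" `
    -ExternalAuthenticationType AadPreAuthentication `
    -IsTranslateHostHeaderEnabled $false `
    -IsTranslateLinksInBodyEnabled $false | Out-Null

# Application 2: RD Gateway. Passthrough, because the RDP client that talks
# to the gateway cannot complete an interactive Azure AD sign-in.
New-AzureADApplicationProxyApplication `
    -DisplayName 'RDS Gateway' `
    -InternalUrl "https://$internalRds/" `
    -ExternalUrl "https://rdsgw-$tenant.msappproxy.net/" `
    -ExternalAuthenticationType Passthru `
    -IsTranslateHostHeaderEnabled $true `
    -IsTranslateLinksInBodyEnabled $false | Out-Null

# Read both back. The RD Web app is the one that must stay pre-authenticated;
# a passthrough app on /rdweb/ would expose the RD Web logon page without
# Azure AD in front of it, so check it explicitly rather than assume.
$expected = @{
    'RDS Web'     = @{ Auth = 'AadPreAuthentication'; HostHeader = $false }
    'RDS Gateway' = @{ Auth = 'Passthru';             HostHeader = $true  }
}

foreach ($name in $expected.Keys) {
    $app = Get-AzureADApplication -Filter "displayName eq '$name'"
    $cfg = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId
    $ok  = ($cfg.ExternalAuthenticationType -eq $expected[$name].Auth) -and
           ($cfg.IsTranslateHostHeaderEnabled -eq $expected[$name].HostHeader)
    '{0}: {1} -> {2}; pre-auth={3}; translate host header={4}; OK={5}' -f $name,
        $cfg.ExternalUrl, $cfg.InternalUrl, $cfg.ExternalAuthenticationType,
        $cfg.IsTranslateHostHeaderEnabled, $ok
}
```

User assignment (steps 2 and 7) is still done in the portal in this example; the check at the end is the part worth keeping around, since it is easy to swap the two authentication types when creating the apps by hand.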

Direct RDS traffic to Application Proxy

Connect to the RDS deployment as an administrator and change the RD Gateway server name for the deployment. This configuration ensures that connections go through the Azure AD Application Proxy service.

  1. Connect to the RDS server running the RD Connection Broker role.
  2. Launch Server Manager.
  3. Select Remote Desktop Services from the pane on the left.
  4. Select Overview.
  5. In the Deployment Overview section, select the drop-down menu and choose Edit deployment properties.
  6. In the RD Gateway tab, change the Server name field to “rdsgw-<tenantname>.msappproxy.net”.
  7. Change the Logon method field to Password Authentication.
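The same deployment change as a script, added here as an example and not taken from the original post. It uses the RemoteDesktop module's Set-RDDeploymentGatewayConfiguration on the RD Connection Broker to point the deployment's RD Gateway at the published msappproxy.net name with Password authentication, then reads the configuration back and fails loudly if the values did not take. The two placeholders are yours to fill in, and the BypassLocal and UseCachedCredentials values are assumptions (the steps above do not mention them), chosen so that all clients, internal ones included, go through Application Proxy.

```powershell
# Added example, not the post's own code: run on the RD Connection Broker.
Import-Module RemoteDesktop

$broker  = '<Internal FQDN of RDS Server>'        # placeholder: RD Connection Broker
$gateway = 'rdsgw-<tenantname>.msappproxy.net'    # placeholder: published RD Gateway host

# Equivalent of Server Manager > Edit deployment properties > RD Gateway:
# custom gateway name, Password Authentication as the logon method.
Set-RDDeploymentGatewayConfiguration `
    -ConnectionBroker      $broker `
    -GatewayMode           Custom `
    -GatewayExternalFqdn   $gateway `
    -LogonMethod           Password `
    -UseCachedCredentials  $true `     # assumption: reuse RD Web credentials for the gateway
    -BypassLocal           $false `    # assumption: internal clients also use the proxy
    -Force

# Verify: a deployment still pointing at the internal gateway name will not
# route through Application Proxy, and the RDP files RD Web hands out will
# carry the wrong gateway, so check before handing this to users.
$cfg = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $broker
if ($cfg.GatewayExternalFqdn -ne $gateway -or $cfg.LogonMethod -ne 'Password') {
    throw "RD Gateway deployment settings do not match expectations:`n$($cfg | Out-String)"
}
$cfg | Format-List GatewayMode, GatewayExternalFqdn, LogonMethod, UseCachedCredentials, BypassLocal
```

Note that PowerShell does not allow a comment between a backtick line continuation and the next line; if your editor flags the two inline comments above, move them onto their own lines before the cmdlet call.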

Follow steps 8 and 9 in the original article to get everything up and running.  The only issue I need to resolve now is getting the authentication pass-through to work so the user is not prompted for a user name and password when opening an application, but that has more to do with the RDS group policies that I don’t currently have in my lab.  Once I have that set up I’ll update this article 🙂

I hope this helps.