Antivirus exclusions for RDS 2012 R2
Hi all,
I have a RDS 2012 R2 environment. 8 SH servers, 2 WA servers, 2 CB servers (in HA), 1 GW server, 1 x two node Fail over cluster containing the UPD disk files (among other things).
I've been surfing the net to find antivirus exclusions specific to RDS 2012 R2 but didn't find much. Aside from the regular OS exclusions, are there any specific exclusions for RDS, specifically Session Host Servers? Any special considerations for UPD?
Thanks!
Jesmat.
Hi Jesmat,
Thank you for posting in Windows Server Forum.
A previous version, “Terminal Service Antivirus Exclusions”, is available, but sorry to inform you that “Antivirus Exclusions for RDS server 2012 R2” is still not published, as the Microsoft team is in the process of publishing it. Please check this article for information.
Hope it helps!
Thanks,
Dharmesh
Similar Messages
-
SCCM 2012 Antivirus Exclusions for Servers and Workstations
Hii,
Just sharing the antivirus exclusions for Configuration Manager 2012 Servers and workstations as well.
Please share if anything is missing.
McAfee Exclusions for Configuration Manager 2012:
1. C:\Windows\TEMP\BootImages and subfolders.
2. Directories:
%allusersprofile%\NTUser.pol
%systemroot%\system32\GroupPolicy\registry.pol
%windir%\Security\database\*.chk
%windir%\Security\database\*.edb
%windir%\Security\database\*.jrs
%windir%\Security\database\*.log
%windir%\Security\database\*.sdb
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\edb*.log
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Res1.log
%windir%\SoftwareDistribution\Datastore\Logs\Res2.log
%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
%programfiles%\Microsoft Configuration Manager\Inboxes\*.*
%programfiles(x86)%\Microsoft Configuration Manager\Inboxes\*.*
%systemroot%\system32\GroupPolicy\Machine\registry.pol"
%systemroot%\system32\GroupPolicy\User\registry.pol"
\SCCMContentLib
\SMSPKG
\SMSPKGC$
\SMSPKGSIG
\SMSSIG$
\Program Files\SMS_CCM\ServiceData
\Program Files\SMS_CCM\Logs
\Program Files\Microsoft Configuration Manager\Logs
\Program Files\Microsoft Configuration Manager\Install.map
\ConfigurationManager DB
\SMSPKGSIG
\SCCMContentLib
\Sources
\SCCMImages
\DatabaseBackup
\SMSPKGE$
\SMSPKGSIG
\SMSSIG$
3. Processes that will be excluded:
Configuration Manager 2012 processes that will be excluded are:
Smsexec.exe
Ccmexec.exe
CmRcService.exe
Sitecomp.exe
Smswriter.exe
Smssqlbbkup.exe
4. SQL Server Exclusions:
SQL Server 2012 Processes exclude from virus scanning
%ProgramFiles%\Microsoft SQL Server\MSSQL11. <InstanceName>\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSRS11. <InstanceName>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSAS11. <InstanceName>\OLAP\Bin\MSMDSrv.exe
SQL Server data files
*.mdf
*.ldf
*.ndf
SQL Server backup files
These files frequently have one of the following file-name extensions:
*.bak
*.trn
Full-Text catalog files
%Program Files%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\FTData
Analysis Services backup files
C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Backup
C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Log
5. IIS Exclusions:
* .ida
%systemroot%\IIS Temporary Compressed Files
%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
6. WSUS Exclusions:
*.cab
\WSUS\WSUSContent
\WSUS\UpdateServicesDBFiles
\SoftwareDistribution\Datastore
\SoftwareDistribution\Download
Reference Links:
https://community.mcafee.com/thread/59504
http://www.systemcenterblog.nl/2012/05/09/anti-virus-scan-exclusions-for-configuration-manager-2012/
http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx
http://support.microsoft.com/kb/309422
http://support.microsoft.com/kb/821749
http://support.microsoft.com/kb/817442
http://support.microsoft.com/kb/900638/en-us
http://technet.microsoft.com/en-us/library/dd939908(WS.10).aspx#av
McAfee Exclusions for workstations:
Turn off scanning of Windows Update or Automatic Update related files
Turn off scanning of the Windows Update or Automatic Update database file (Datastore.edb). This file is located in the following folder:
%windir%\SoftwareDistribution\Datastore
Turn off scanning of the log files that are located in the following folder:
%windir%\SoftwareDistribution\Datastore\Logs
Specifically, exclude the following files:
Res*.log
Edb*.jrs
Edb.chk
Tmp.edb
Turn off scanning of Windows Security files
Add the following files in the %windir%\Security\Database path of the exclusions list:
*.edb
*.sdb
*.log
*.chk
*.jrs
Turn off scanning of Group Policy related files
Group Policy user registry information. These files are located in the following folder:
%allusersprofile%\
Specifically, exclude the following file:
NTUser.pol
Group Policy client settings file. This file is located in the following folder:
%Systemroot%\System32\GroupPolicy\
Specifically, exclude the following file: Registry.pol
For the configuration manager clients the following exclusion will be added:
%windir%ccmcache
\SoftwareDistribution\Datastore
\SoftwareDistribution\Download
Reference Links:
http://support.microsoft.com/kb/822158/en-us
Regards, Syed Fahad Ali
Thanks for sharing this. Many people will find this useful.
http://www.enhansoft.com/ -
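An added example, not part of the original posts: a PowerShell lint pass over an exclusion list like the one above, flagging entries that apply more widely than intended or that can never match. `Test-AvExclusion` and its finding labels are hypothetical names chosen for this illustration; the sample entries are copied from the list in the post.

```powershell
# Added example: audit an antivirus exclusion list before it goes into policy.
# Test-AvExclusion and the finding labels are hypothetical, not a vendor API.

function Test-AvExclusion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Exclusion
    )

    $seen = @{}
    foreach ($raw in $Exclusion) {
        $entry = $raw.Trim()
        if (-not $entry) { continue }
        $findings = New-Object System.Collections.Generic.List[string]

        # Stray quote characters usually come from copy/paste and may be
        # treated as part of the path, so the exclusion silently never applies.
        if ($entry -match '["'']') { $findings.Add('StrayQuote') }
        $clean = $entry -replace '["'']', ''

        # The same path listed twice hides how large the list really is.
        $key = $clean.ToLowerInvariant()
        if ($seen.ContainsKey($key)) { $findings.Add('Duplicate') }
        $seen[$key] = $true

        # "*.cab", "*.mdf", "* .ida": no directory component, so the entry
        # exempts that extension wherever it appears on the machine.
        if ($clean -match '^\*\s*\.\w+$') { $findings.Add('ExtensionAnywhere') }

        # "\SMSPKG", "\Sources": no drive letter or variable in front, so the
        # volume it resolves against has to be confirmed in the product.
        if ($clean -match '^\\(?!\\)') { $findings.Add('UnanchoredPath') }

        # "%Program Files%" is not an environment variable name, and
        # "%windir%ccmcache" lacks the backslash after the variable.
        if ($clean -match '^%[^%]*\s[^%]*%') { $findings.Add('BadVariableName') }
        if ($clean -match '^%[^%]+%[^\\]')   { $findings.Add('MissingSeparator') }

        # "<InstanceName>" style placeholders must be replaced with real values.
        if ($clean -match '<[^>]+>') { $findings.Add('Placeholder') }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Entry    = $entry
                Findings = $findings -join ','
            }
        }
    }
}

# Sample entries copied from the list in the post above.
$sample = @(
    '%windir%\SoftwareDistribution\Datastore\Datastore.edb'
    '%systemroot%\system32\GroupPolicy\Machine\registry.pol"'
    '\SCCMContentLib'
    '\SMSPKGSIG'
    '\SCCMContentLib'
    '%ProgramFiles%\Microsoft SQL Server\MSSQL11. <InstanceName>\MSSQL\Binn\SQLServr.exe'
    '%Program Files%\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\FTData'
    '*.mdf'
    '* .ida'
    '*.cab'
    '%windir%ccmcache'
)

Test-AvExclusion -Exclusion $sample | Format-Table -AutoSize -Wrap
```

Entries that come back with `ExtensionAnywhere` or `UnanchoredPath` are the ones to narrow to a full path first, since they leave the largest unscanned area.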
Antivirus exclusions for updating Flash Player
We are trying to get it so that all of our PCs can automatically update Flash Player (due to all of the recent updates) rather than have me download the redistributable and push it out over Zenworks.
When we do this, McAfee ePO 8.8i is apparently blocking the Flash Player install.
What do we need to list as an exception/exclusion from McAfee so that we can accomplish the updates? My List would be:
InstallFlashPlayer.exe
FlashUtil*_ActiveX.exe
install_flashplayer*.exe (maybe install_flashplayer*aih.exe?)
FP_AX_CAB_INSTALLER64.exe
My concern with using the wildcards is the enormous amount of spyware that might be introduced because of this. Is there anything else I can do?
Here are the lines from the Access Protection log:
10/10/2011
8:07:20 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\7A.dir\InstallFlashPlayer.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Delete
10/10/2011
8:07:35 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\7A.dir\InstallFlashPlayer.exe
\REGISTRY\USER\S-1-5-21-431391153-592018285-4164930105-1040\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:07:38 AM
Blocked by Access Protection rule
NT AUTHORITY\SYSTEM
C:\WINDOWS\system32\Macromed\Flash\FlashUtil10v_ActiveX.exe
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:07:45 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\7A.dir\InstallFlashPlayer.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Delete
10/10/2011
8:07:56 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\7A.dir\InstallFlashPlayer.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:07:57 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\7A.dir\InstallFlashPlayer.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:07:57 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\7A.dir\InstallFlashPlayer.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:08:04 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\7A.dir\InstallFlashPlayer.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:13:54 AM
Would be blocked by Access Protection rule (rule is currently not enforced)
<Computername>\<user>
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\VNQ6E7G4\install_flashplayer11x32ax_gtbd_aih[1].exe
Common Standard Protection:Prevent common programs from running files from the Temp folder
Action blocked : Execute
10/10/2011
8:13:54 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\VNQ6E7G4\install_flashplayer11x32ax_gtbd_aih[1].exe
\REGISTRY\USER\S-1-5-21-431391153-592018285-4164930105-1040\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:13:57 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\Documents and Settings\<user>\Local Settings\Temp\install_flashplayer11x32ax_gtbd_aih[1].exe
\REGISTRY\USER\S-1-5-21-431391153-592018285-4164930105-1040\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:13:58 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\Documents and Settings\<user>\Local Settings\Temp\install_flashplayer11x32ax_gtbd_aih[1].exe
\REGISTRY\USER\S-1-5-21-431391153-592018285-4164930105-1040\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:13:59 AM
Would be blocked by Access Protection rule (rule is currently not enforced)
<Computername>\<user>
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\<user>\Local Settings\Temp\install_flashplayer11x32ax_gtbd_aih[1].exe
Common Standard Protection:Prevent common programs from running files from the Temp folder
Action blocked : Execute
10/10/2011
8:14:34 AM
Would be blocked by Access Protection rule (rule is currently not enforced)
<Computername>\<user>
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\VNQ6E7G4\install_flashplayer11x32ax_gtbd_aih[1].exe
Common Standard Protection:Prevent common programs from running files from the Temp folder
Action blocked : Execute
10/10/2011
8:14:35 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\VNQ6E7G4\install_flashplayer11x32ax_gtbd_aih[1].exe
\REGISTRY\USER\S-1-5-21-431391153-592018285-4164930105-1040\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:14:37 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\Documents and Settings\<user>\Local Settings\Temp\install_flashplayer11x32ax_gtbd_aih[1].exe
\REGISTRY\USER\S-1-5-21-431391153-592018285-4164930105-1040\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:14:38 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\Documents and Settings\<user>\Local Settings\Temp\install_flashplayer11x32ax_gtbd_aih[1].exe
\REGISTRY\USER\S-1-5-21-431391153-592018285-4164930105-1040\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:14:38 AM
Would be blocked by Access Protection rule (rule is currently not enforced)
<Computername>\<user>
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\<user>\Local Settings\Temp\install_flashplayer11x32ax_gtbd_aih[1].exe
Common Standard Protection:Prevent common programs from running files from the Temp folder
Action blocked : Execute
10/11/2011
10:48:42 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\WINDOWS\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Delete
10/11/2011
10:48:43 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\WINDOWS\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe
\REGISTRY\USER\S-1-5-21-431391153-592018285-4164930105-1040\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/11/2011
10:49:05 AM
Would be blocked by Access Protection rule (rule is currently not enforced)
<Computername>\<user>
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\<user>\Local Settings\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
Common Standard Protection:Prevent common programs from running files from the Temp folder
Action blocked : Execute
10/11/2011
10:49:05 AM
Would be blocked by Access Protection rule (rule is currently not enforced)
<Computername>\<user>
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\<user>\Local Settings\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
Common Standard Protection:Prevent common programs from running files from the Temp folder
Action blocked : Execute
10/11/2011
10:49:14 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\371.dir\InstallFlashPlayer.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/11/2011
10:49:14 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\371.dir\InstallFlashPlayer.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/11/2011
10:49:14 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\371.dir\InstallFlashPlayer.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/11/2011
10:49:14 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\371.dir\InstallFlashPlayer.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/11/2011
10:49:26 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\371.dir\InstallFlashPlayer.exe
\REGISTRY\USER\S-1-5-21-431391153-592018285-4164930105-1040\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/12/2011
8:05:12 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\Documents and Settings\<user>\My Documents\Downloads\install_flashplayer11x32_mssd_aih.exe
\REGISTRY\USER\S-1-5-21-431391153-592018285-4164930105-1040\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/12/2011
8:05:13 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\Documents and Settings\<user>\Local Settings\Temp\install_flashplayer11x32_mssd_aih.exe
\REGISTRY\USER\S-1-5-21-431391153-592018285-4164930105-1040\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/12/2011
8:05:14 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\Documents and Settings\<user>\Local Settings\Temp\install_flashplayer11x32_mssd_aih.exe
\REGISTRY\USER\S-1-5-21-431391153-592018285-4164930105-1040\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/12/2011
8:05:14 AM
Would be blocked by Access Protection rule (rule is currently not enforced)
<Computername>\<user>
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\<user>\Local Settings\Temp\install_flashplayer11x32_mssd_aih.exe
Common Standard Protection:Prevent common programs from running files from the Temp folder
Action blocked : Execute
Hi Ulendal,
Unfortunately, we cannot make a guarantee on specific file names for our installers, or that they will keep the same file names in the future.
However, great effort is going into improving the current update experience in a future release.
Thanks,
Stephen -
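An added example, not part of the original thread: a PowerShell summary of an Access Protection log like the one posted above, grouped by rule and process so that any exclusion can be scoped to the specific rule and binary involved rather than to a filename wildcard. The function names are hypothetical, the parser assumes the eight-line record layout as it appears in the post, and the sample records are copied from that log.

```powershell
# Added example: summarise Access Protection blocks by rule and process.
# Function names are hypothetical. Assumed record layout (as in the post):
# date, time, status, user, process, target, rule, "Action blocked : <verb>".

function ConvertFrom-AccessProtectionText {
    param([Parameter(Mandatory)][string[]]$Line)

    $rows = @($Line | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $i = 0
    while ($i + 7 -lt $rows.Count) {
        $isStart = $rows[$i] -match '^\d{1,2}/\d{1,2}/\d{4}$'
        $isEnd   = $rows[$i + 7] -match '^Action blocked\s*:\s*(\w+)'
        if (-not ($isStart -and $isEnd)) { $i++; continue }  # resynchronise on damaged input
        $action = $Matches[1]
        $category, $rule = $rows[$i + 6] -split ':', 2

        [pscustomobject]@{
            Time     = [datetime]::ParseExact("$($rows[$i]) $($rows[$i + 1])",
                           'M/d/yyyy h:mm:ss tt', [cultureinfo]::InvariantCulture)
            # "Would be blocked" records come from rules in report-only mode.
            Enforced = $rows[$i + 2] -notmatch '^Would be blocked'
            User     = $rows[$i + 3]
            Process  = ($rows[$i + 4] -split '\\')[-1]
            RunsFrom = $rows[$i + 4] -replace '\\[^\\]+$', ''
            Target   = $rows[$i + 5]
            Category = $category
            Rule     = $rule
            Action   = $action
        }
        $i += 8
    }
}

function Get-AccessProtectionSummary {
    param([Parameter(Mandatory)][object[]]$Record)

    $Record | Group-Object Rule, Process, Enforced | ForEach-Object {
        $first = $_.Group[0]
        $paths = @($_.Group.RunsFrom | Sort-Object -Unique)
        [pscustomobject]@{
            Rule     = $first.Rule
            Process  = $first.Process
            Enforced = $first.Enforced
            Count    = $_.Count
            Actions  = ($_.Group.Action | Sort-Object -Unique) -join ','
            RunsFrom = $paths -join '; '
            # A process started from a user-writable folder cannot be trusted
            # by name alone: anything dropped there under that name matches.
            UserWritablePath = [bool]($paths -match '\\(Temp|LOCALS~1|Temporary Internet Files|Downloads)(\\|$)')
        }
    }
}

# Sample records copied from the log in the post above.
$sample = @'
10/10/2011
8:07:20 AM
Blocked by Access Protection rule
<Computername>\<user>
C:\DOCUME~1\<user>\LOCALS~1\Temp\7A.dir\InstallFlashPlayer.exe
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Delete
10/10/2011
8:07:38 AM
Blocked by Access Protection rule
NT AUTHORITY\SYSTEM
C:\WINDOWS\system32\Macromed\Flash\FlashUtil10v_ActiveX.exe
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings
Action blocked : Create
10/10/2011
8:13:54 AM
Would be blocked by Access Protection rule (rule is currently not enforced)
<Computername>\<user>
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\VNQ6E7G4\install_flashplayer11x32ax_gtbd_aih[1].exe
Common Standard Protection:Prevent common programs from running files from the Temp folder
Action blocked : Execute
'@ -split "`r?`n"

$records = ConvertFrom-AccessProtectionText -Line $sample
Get-AccessProtectionSummary -Record $records | Format-List
```

Rows with `UserWritablePath` set to `True` are the ones where a process-name exclusion carries the risk raised in the question, because the name is the only thing being trusted.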
Hi,
We want to run two factor login for RDS 2012 R2 web by using cidway, is this possible?
Hi,
Thank you for your posting in Windows Server Forum.
You can use 2 factor authentication for RD Web with RD gateway setup on your network, so that you can work seamlessly and can enjoy the function of RD gateway pluggable authentication. For that, on the client system you can install the new RDP 8.1 and enjoy the full feature.
What's New in Remote Desktop Services for Windows Server 2012 R2
Customizing RD Gateway authentication and authorization schemes
In addition, you can also refer below thread.
RDS 2012 2 Factor Authentication
For 3rd party authentication, you need to contact their customer support whether they support the feature to access with Windows Server feature or not.
Hope it helps!
Thanks,
Dharmesh -
App-V 5.x antivirus exclusions
For App-V 4.x Microsoft have documented recommended antivirus exclusions. Are there any similar recommended antivirus exclusions for App-V 5.x?
Hello,
App-V 5.0 does not have any recommended antivirus exclusions.
Nicke Källén | The Knack| Twitter:
@Znackattack -
Crystal Report Server - Antivirus Exclusions
Does SAPBO have a list of antivirus exclusions for the Crystal Report Server's - Application Directories, Files, Databases, or other objects that need to be excluded from 'Real-Time' and 'Scheduled' scans? If so where is it? I have queried all the forums with no results on the exclusions list.
We deployed a new version of McAfee 8.5.1i patch-level 7 that caused CRS to stop functioning properly for 12 hours.
Agreed, the root cause in this case was an incorrect set of exclusions that allowed a Full Virus Scan to touch database .mdf and ldf files.
We had originally set up the exclusions according to all Microsoft SQL Server 2005 and IIS standards for Anti-Virus exclusions, and then subsequently installed Crystal Report Server some time after that with no negative impact.
The upgrade we just performed however removed the exclusions and caused the CRS to have issues. My experience with defining exclusions has been to go to the vendors of all the installed products and ask for their technical documentation on the anti-virus exclusions and best practices. Because I had never done so before I thought now would be a good time.
SAP/BO are not alone by not having an 'Official' document on this matter, but if we are to continue to be #1 then having high expectations goes with the territory.
Thanks Question Asked and Answered -
RDS 2012- connect to session collection trough mstsc.exe on XP SP3
Hi!! I need to connect to a session collection based on RDS 2012 directly through mstsc.exe on XP SP3 clients... XP doesn't support RemoteApp and Desktop Connection and my users can't use Internet Explorer to connect through RD Web Access..
Thanks!
Hi,
What you could do is upgrade Windows XP with the latest Remote Desktop Client available for Windows XP (http://support.microsoft.com/kb/969084)
Then extract the .RDP file you want from the RDS 2012 environment (or specify the properties manually in a .RDP file).
Recently I wrote an article on the distribution of Remote Apps and desktops in Windows Server 2012, that might be useful:
http://virtualizationadmin.com/articles-tutorials/vdi-articles/general/distribution-of-remote-apps-and-desktops-in-windows-server-2012.html
Also, more info on the .RDP properties specifically needed for RDS 2012:
http://microsoftplatform.blogspot.nl/2012/04/rd-connection-broker-ha-and-rdp.html
Kind regards,
Freek Berson
The Microsoft Platform
Twitter
Linked-in
Wortell company website -
Antivirus software exclusions for DFS and Hyper-V
I am rolling out an updated antivirus solution to our DFS server and Hyper-V (Windows 2008 and 2012) and I am curious of the following:
1. What are the exclusion suggestions for Hyper-V servers? I found a URL that showed the exceptions to add but I thought there would be more for Hyper-V to exclude.
2. What are the specific exclusions to include for a DFS server? I read somewhere that there were some DFSR hidden folders that need to be included but I would like to know if there is an official suggestion from Microsoft of what files/folders need to be excluded.
Hi,
Anti-virus software should exclude the Hyper-V specific files which are listed in the article below:
Hyper-V: Anti-Virus Exclusions for Hyper-V Hosts
http://social.technet.microsoft.com/wiki/contents/articles/2179.hyper-v-anti-virus-exclusions-for-hyper-v-hosts.aspx
For the DFS antivirus exclusion, you could refer to the article below:
Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows
http://support.microsoft.com/kb/822158/en-us
Regards,
Mandy -
File & directory exclusion for Exchange 2010 in antivirus
Hi
I'm running Exchange 2010 servers.
Can someone tell me what exclusions should be made at the file level and directory level for Exchange 2010 in antivirus?
Thanks in Advance
Anuj Gupta
Hi,
Let’s begin with the following article:
http://blogs.technet.com/b/davmcg/archive/2012/02/04/exchange-server-2010-and-antivirus-exclusions.aspx
The article lists the individual files and extensions of antivirus in Exchange 2010.
And here is more reference:
http://blogs.technet.com/b/mspfe/archive/2011/05/05/exchange_2d00_server_2d00_recommendations_2d00_for_2d00_file_2d00_level_2d00_antivirus_2d00_scanners.aspx
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
Best practice for RDGW placement in RDS 2012 R2 deployment
Hi,
I have been setting up a RDS 2012 R2 farm deployment and the time has come for setting up the RDGW servers. I have a farm with 4 SH servers, 2 WA servers, 2 CB servers and 1 LS.
Farm works great for LAN and VPN users.
Now i want to add two domain joined RDGW servers.
The question is; I've read a lot on technet and different sites about how to set the thing up, but no one mentions any best practices for where to place them.
Should i:
- set up WAP in my DMZ with ADFS in LAN, then place the RDGW in the LAN and reverse proxy in
- place RDGW in the DMZ, opening all those required ports into the LAN
- place the RDGW in the LAN, then port forward port 443 into it from internet
Any help is greatly appreciated.
This posting is provided "AS IS" with no warranties or guarantees and confers no rights
Hi,
The deployment totally depends on your and your company's requirements, as many things need to be taken care of, such as hardware, network, security and other related matters. Personally, to set up the RD Gateway server I would not prefer that you select the 1st option. But as per my research, for the best result you can use option 2 (place the RDG server in the DMZ and then allow the required ports), because by doing so the outside network can’t directly connect to your internal server and it’s difficult for any attacker to break into the network. A perimeter network (DMZ) is a small network that is set up separately from an organization's private network and the Internet. In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web, RD Gateway, RD Web Access and DNS servers. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network called a perimeter network in order to protect the rest of the network if an intruder were to succeed. You can refer to the article below for more information.
RD Gateway deployment in a perimeter network & Firewall rules
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
RDS 2012 External access for Session Hosts over different port to default 443
Hello there
I am having problems solving this problem as you may see on other posts, so I am going to try again.
I have two Server 2012 machines for RDS. Server 1 with all roles (Gateway, Broker, Session host etc.) and a second machine, Server 2, as a session host only. I am running RDWeb Apps, with CA certificate installed and everything works fine internally.
Due to limitations on the router I had to change the default SSL port on the gateway (Server 1) to 4043. I have this and 3391 for UDP open to Server 1 from the router.
Working externally, I can login to the RDS site and open apps from Server 1, but when I try to open an app installed on Server 2, I get a certificate error. The error is:
“Your computer can’t connect to the remote computer because the Remote Desktop Gateway server address and the certificate subject name do not match. Contact your network administrator for assistance".
The certificate address the error points to is an SBS 2011 cert for RWW and email. Experimenting, if I use 443 on the Server 1 gateway instead of 4043 and change the router accordingly, it then works. I can open apps from both session hosts externally. But not if it is set to 4043.
For the record Server 2 session host also gives this error:
Event ID: 1280 Warning Microsoft Windows TerminalServcies-session broker client
Remote Desktop Services failed to join the Connection Broker on server sever-vm1.local.
Error: Current async message was dropped by async dispatcher, because there is a new message which will override the current one.
Because everything works fine using default 443, I figure this is a communication or firewall issue between the gateway and the session host on Server 2.
Can anyone help here?
Many Thanks
MIS5000
Hi,
Thanks for your comment.
Have you checked the connection on your second server?
Can you ping Server 2 from Server 1?
As from the event ID 1280, it seems there is some network connectivity to the RDCB server. Also, please “Add the RD Session Host server to the Session Broker Computers group”; the RDWeb server's computer account also needs to be a member of the local TS Web Access Computers group on your RDSH server. You can get the detailed information from this article.
In addition, do you have a certificate purchased and installed from a trusted root authority? There are some requirements for using a certificate in an RDS environment; please consider the following points.
1. The certificate is installed into computer’s “Personal” certificate store.
2. The certificate has a corresponding private key.
3. The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well.
You can get more details regarding certificates here.
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support -
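An added example, not part of the original reply: a PowerShell check of the three certificate requirements listed above against the local computer's Personal store, to be run on the server that holds the RDS certificate. `Get-RdsCertificateCandidate` is a hypothetical helper name; the Remote Desktop Authentication OID is the one quoted in the reply, and 1.3.6.1.5.5.7.3.1 is the standard Server Authentication OID.

```powershell
# Added example: list certificates in the Personal store and report whether
# each one meets the three requirements from the reply above.
# Get-RdsCertificateCandidate is a hypothetical helper, not a built-in cmdlet.

function Get-RdsCertificateCandidate {
    [CmdletBinding()]
    param(
        # Requirement 1: the certificate is in the computer's Personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $serverAuth = '1.3.6.1.5.5.7.3.1'        # Server Authentication
    $rdpAuth    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Requirement 3: find the Enhanced Key Usage extension, if present.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOids = @()
        if ($ekuExt) {
            $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        # No EKU extension at all is acceptable; otherwise one of the two
        # listed usages must be present.
        $ekuOk = (-not $ekuExt) -or
                 ($ekuOids -contains $serverAuth) -or
                 ($ekuOids -contains $rdpAuth)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            # Requirement 2: a corresponding private key exists.
            HasPrivateKey = $cert.HasPrivateKey
            EkuOids       = $ekuOids -join ','
            EkuAcceptable = $ekuOk
            Usable        = $cert.HasPrivateKey -and $ekuOk
        }
    }
}

Get-RdsCertificateCandidate |
    Sort-Object Usable -Descending |
    Format-Table -AutoSize -Wrap
```

The `Subject` column is also what to compare against the gateway address clients use, since the error quoted in the question is a mismatch between the two.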
Pagefile exclusion for VHDs is not functional System Center DPM 2012 R2
The Release Notes for Data Protection Manager in System Center 2012 R2 state that:
Pagefile exclusion for VHDs is not functional
Description: Pagefile exclusion for virtual hard disk files (VHDs) is not functional.
Workaround: None.
I feel silly asking this in the forums, but my mind just can't wrap around the fact that this feature (that was just recently added in DPM 2012 SP1) is broken in the new release of 2012 R2. Does anyone with actual knowledge of the product have any additional info on this issue? Do we need to wait for a service pack to fix it or are there possibly ANY workarounds or situations where it might be used?
TIA
Hi,
This is a documentation error and will get it addressed. DPM 2012 R2 RTM does still support page file VHD exclusion same as DPM 2012 SP1.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights. -
Hi,
I'm trying to make following work (with no success for now).
Issue
> Excel crashed when It loads the ESSBase’s (xla or xll) add-in.
For the purpose of my tests, I’m handling the app-v packages using the powershell commandlets
(no SCCM / no App-V Infrastructure)
Environment
On top of a Win 2012 r2 remote desktop session host server, I :
- installed App-V 5.0 SP2 client for RDS
- (added/published globally) Excel as a packaged app-v app
- (added/published globally) ESSBase as a packaged app-v app
- (added/Enabled it Globally) a Connection Group (which includes both the above appv packages)
Connection group’s XML looks like below :
Commandlets I'm using :
import-module appvclient
#Add packages
Add-AppvClientPackage -Path C:\ExcelEss\EXcel\EXcel.appv -DynamicDeploymentConfiguration C:\ExcelEss\EXcel\Excel_DeploymentConfig.xml
Add-AppvClientPackage -Path C:\ExcelEss\ESSBASE\ESSBASE.appv -DynamicDeploymentConfiguration C:\ExcelEss\ESSBASE\ESSBASE_DeploymentConfig.xml
#Publish packages Globally
Publish-AppvClientPackage -Global -Name Excel
Publish-AppvClientPackage -Global -Name ESSBASE
#Publish Group
Get-AppvClientPackage | Stop-AppvClientPackage
Add-AppvClientConnectionGroup C:\ExcelEss\MyTestGroup1.xml | `
Enable-AppvClientConnectionGroup -Global
Any help please ?
MCTS Windows Server Virtualization, Configuration
Issue fixed, details below
Upgrade to App-V SP3
- upgrade of the App-V Client for RDS from version 5.0 SP2 to 5.0 SP3 (RDS VM)
- uninstall of the App-V 5.0 SP2 sequencer and install of the App-V 5.0 sequencer SP3
(App-V Sequencer VM)
Sequencing
- Install/Sequencing of Excel 2007 as a 1st distinct App-V Package
- Install/Sequencing of Oracle ESSBase Excel Add-In as a 2nd distinct App-V Package
> I chose type: Add-On or Plugin (second option)
*this time I forced Oracle Add-In to install under C:\Prog~files (x86)\Oracle and no more under C:\Oracle
- *at the end of the add-In package’s sequencing phase I ensured to have mscomctl.ocx somewhere on the sequencer VM and then run a cmd then ‘regsvr32 mscomctl.ocx’
when editing the Connection Group’s XML file, I updated the schema
from xmlns=http://schemas.microsoft.com/appv/2010/virtualapplicationconnectiongroup
to xmlns=http://schemas.microsoft.com/appv/2014/virtualapplicationconnectiongroup
Explanation: http://technet.microsoft.com/en-us/library/dn858700.aspx#BKMK_update_schema_cg
Deployment
Add-AppvClientPackage -Path .\Excel\Excel.appv
Add-AppvClientPackage -Path .\ESSBase\ESSBase.appv
Publish-AppvClientPackage -Global ESSBase
Publish-AppvClientPackage -Global Excel
# Pipe the added group to Enable-AppvClientConnectionGroup so it knows which group to enable
Add-AppvClientConnectionGroup -Path .\MyTestGroup1.xml | Enable-AppvClientConnectionGroup -Global
Although I modified a couple of things at once (see red stars above) in this last attempt to make this work - I can't really distinguish what step fixed it but - I guess the upgrade to SP3 was a must-do step anyway -
Working !
Thanks.
MCTS Windows Server Virtualization, Configuration -
Certificate Requirement for Microsoft RDS 2012
Hi All,
I am planning to deploy RDS VDI and RemoteApp service. Please help me to understand the certificate requirements for server authentication, publication, SSO, etc.
Internet URL is https://RDSVDI.domain.net
My servers are in .local
RD Licensing Server--------RDSLICSVR.Domain.LOCAL
RD Connection Broker-----RDSCB.Domain.LOCAL
RD Web Access------------RDSWEBSVR.Domain.LOCAL
RD Session Host-----------RDSSHSVR.Domain.LOCAL
RD Virtualization Host-------RDSVHSVR.Domain.LOCAL
RD Gateway Server -------RDGWSVR.Domain.LOCAL
What kind of certificate do I require to launch Desktop and RemoteApp without any error?
Hi,
1. I would recommend a wildcard certificate (*.domain.net) purchased from a trusted public authority such as GoDaddy, VeriSign, Thawte, etc. This wildcard certificate would be used for all RDS purposes.
2. On the internal network you will need to create a DNS zone for domain.net with A records pointing to the private ip addresses, similar to the following:
rdsvdi.domain.net --> private ip address of your RD Web server
rdscb.domain.net --> private ip address of your RD Connection Broker
rdsgwsvr.domain.net --> private ip address of your RD Gateway server (this is only needed if you want to use RDG for internal users)
3. On the Internet you will need DNS records similar to the following:
rdsvdi.domain.net --> public ip address for your RD Web server
rdgwsvr.domain.net --> public ip address for your RD Gateway server
4. You will need to change the published FQDN for your RDS deployment to rdscb.domain.net using the cmdlet below:
Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
5. You may need to modify your RD RAP in RD Gateway Manager. For example, you could edit the properties of the RD RAP, Network Resource tab, and select Allow users to connect to any network resource.
6. You should make sure that all client PCs have RDP 8.1 Client (6.3.9600) installed for best results connecting to Server 2012 R2.
7. For domain-joined PCs you may choose to set the SHA thumbprint of your certificate via group policy setting so that they will not be prompted when launching RemoteApps.
8. It is preferred for users to use IE to connect to RD Web Access and select the Private option if possible (as long as the PC is not public). When prompted they should Allow the ActiveX control to run.
-TP -
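A name-coverage check for the certificate answer above, as an added PowerShell example (not code from the thread): it tests which of the host names mentioned in the thread a *.domain.net wildcard certificate can cover, then lists the matching installed certificate with the thumbprint that step 7 refers to. The function names and the sample SAN list are assumptions; the .local names come out uncovered, which is why step 4 changes the published FQDN.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Test-WildcardMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant(); $h = $HostName.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    if (-not $p.StartsWith('*.')) { return $false }
    # A wildcard covers exactly one left-most label: *.domain.net matches
    # rdscb.domain.net, but not a.b.domain.net and not domain.net itself.
    $suffix = $p.Substring(1)                      # ".domain.net"
    if (-not $h.EndsWith($suffix)) { return $false }
    $label = $h.Substring(0, $h.Length - $suffix.Length)
    return ($label.Length -gt 0 -and -not $label.Contains('.'))
}

function Test-RdsNameCoverage {
    param([string[]]$CertDnsNames, [string[]]$HostNames)
    foreach ($h in $HostNames) {
        $hit = $CertDnsNames |
            Where-Object { Test-WildcardMatch $_ $h } |
            Select-Object -First 1
        [pscustomobject]@{ HostName = $h; Covered = [bool]$hit; MatchedBy = $hit }
    }
}

# Constructed input: SAN list of the wildcard certificate from step 1,
# and the public and internal names that appear in the thread.
$san   = @('*.domain.net')
$names = @('rdsvdi.domain.net', 'rdscb.domain.net', 'rdgwsvr.domain.net',
           'RDSCB.Domain.LOCAL', 'RDSSHSVR.Domain.LOCAL')
Test-RdsNameCoverage -CertDnsNames $san -HostNames $names | Format-Table -AutoSize

# On an RD server: find the installed wildcard certificate and show what
# matters for deployment (expiry, private key, Server Authentication EKU).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains '*.domain.net' } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint          # value used in step 7
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
            # False also when the certificate carries no EKU extension at all
            ServerAuth    = ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
        }
    }
```

Because the same wildcard private key ends up on the Web Access, Connection Broker and Gateway servers, the NotAfter and HasPrivateKey columns are worth checking on every role after each renewal.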
RDS 2012 Deployment RDG crashing
Hi All,
I hope someone out there can help us. We have an RDS 2012 deployment with the following configuration (N.B. all servers are VMs on vSphere 5.5 Enterprise and brand new Dell servers and we have zero network issues as these have been fully checked several times)
2 x RD Connection Brokers (2012 R2)
2 RD Licence Servers (2012 R2)
1 x RD Web Access (2012 R2)
1 x RD Gateway server (2012 R2)
2 x Session collections, one with 10 Session Hosts and one with 4 session hosts (all session hosts are 2012, not R2)
We are experiencing a very, very strange situation where the RDG simply stops processing connections randomly. There are absolutely no errors, warnings or critical events logged in ANY of the event logs (and we have trawled through every single one of them!) and the service does not stop or crash in the traditional sense. We also cannot launch the gateway manager console when this happens. If we restart the service then all is fine and users can reconnect. We have even replaced the gateway with a brand new box and the issue still prevails. All clients that connect through the RDG are at a minimum on Windows 7 and have at least RDP 8.0 installed.
Has anyone else seen this? It is becoming a real issue for us and people are losing faith, as they do
Hi Richard,
Thank you for posting in Windows Server Forum.
Have you installed any anti-virus software? Please try to disable the antivirus software to see if the same issue exists. Also you can check with Performance Monitor and see whether you can find anything useful for further troubleshooting. In addition, please check the server and PC’s NIC and other drivers (if facing issues with remote connection), whether they are compatible and updated to the latest version.
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support