RDS 2012 External access for Session Hosts over different port to default 443

Hello there
I am having problems solving this problem as you may see on other posts, so I am going to try again.
I have two Server 2012 machines for RDS: Server 1 with all roles (Gateway, Broker, Session Host etc.) and a second machine, Server 2, as a session host only. I am running RDWeb Apps, with a CA certificate installed, and everything works fine internally.
Due to limitations on the router I had to change the default SSL port on the gateway (Server 1) to 4043. I have this and 3391 for UDP open to Server 1 from the router.
Working externally, I can log in to the RDS site and open apps from Server 1, but when I try to open an app installed on Server 2, I get a certificate error. The error is:
“Your computer can’t connect to the remote computer because the Remote Desktop Gateway server address
and the certificate subject name do not match. Contact your network administrator for assistance". 
The certificate the error refers to is an SBS 2011 cert for RWW and email. Experimenting, if I use 443 on the Server 1 gateway instead of 4043 and change the router accordingly, it then works. I can open apps from both session hosts externally. But not if it is set to 4043.
For the record Server 2 session host also gives this error:
Event ID: 1280 Warning Microsoft Windows TerminalServcies-session broker client 
Remote Desktop Services failed to join the Connection Broker on server sever-vm1.local.
Error: Current async message was dropped by async dispatcher, because there is a new message which will override the current one.
Because everything works fine using the default 443, I figure this is a communication or firewall issue between the gateway and the session host on Server 2.
Can anyone help here? 
Many Thanks 
MIS5000

Hi,
Thanks for your comment.
Have you checked the connection on your second server?
Can you ping the server 2 from server 1?
From the event ID 1280 it seems there is some network connectivity issue with the RDCB server. Also please “Add the RD Session Host server to the Session Broker Computers group”, and the RDWeb server's computer account needs to be a member of the local TS Web Access Computers group on your RDSH server. You can get the detailed information from this article.
In addition, do you have a certificate purchased and installed from a trusted root authority? There are some requirements for using certificates in an RDS environment; please consider the following points.
1. The certificate is installed into computer’s “Personal” certificate store. 
2. The certificate has a corresponding private key. 
3. The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well. 
You can get more details regarding certificates here.
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
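As an added check that is not part of the original thread, the script below walks the computer's Personal store and tests each certificate against the three points listed in the reply, plus the subject/SAN match that the gateway error in the question complains about (TLS name matching compares only the host name, so changing the listener port to 4043 does not by itself alter which name must appear in the certificate). The gateway FQDN is an assumed placeholder.

```powershell
# Added example, not from the original thread: audit the certificates in the
# computer's "Personal" store against the RDS requirements quoted above.
$GatewayFqdn = 'gateway.example.com'   # assumption: the external name clients connect to

# Enhanced Key Usage OIDs named in the reply
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication
$RdAuthOid     = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication

function Test-RdsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Fqdn
    )

    $problems = @()

    # Point 2: the certificate must have a corresponding private key in this store.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in this store' }

    # Point 3: EKU may be absent; if present it must allow Server Authentication
    # or Remote Desktop Authentication.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ekuExt) {
        $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if (-not (($oids -contains $ServerAuthOid) -or ($oids -contains $RdAuthOid))) {
            $problems += "EKU present but lacks Server/Remote Desktop Authentication ($($oids -join ', '))"
        }
    }

    # The error in the question: the gateway address must match the subject CN
    # or a DNS entry in the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Format($true) renders one "DNS Name=host" entry per line on Windows
        $names += ($sanExt.Format($true) -split '\r?\n') |
            ForEach-Object { if ($_ -match 'DNS Name=(.+)') { $Matches[1].Trim() } }
    }
    $matched = $names | Where-Object {
        $n = $_
        if ($n.StartsWith('*.')) {
            # wildcard covers exactly one label, so label counts must agree
            ($Fqdn -like $n) -and ($Fqdn.Split('.').Count -eq $n.Split('.').Count)
        } else {
            $n -eq $Fqdn
        }
    }
    if (-not $matched) {
        $problems += "neither subject CN nor SAN matches $Fqdn (names: $($names -join ', '))"
    }

    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($Cert.NotAfter)" }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        Suitable   = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Point 1: only certificates in the computer's "Personal" store are considered.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-RdsCertificate -Cert $_ -Fqdn $GatewayFqdn } |
    Format-Table -AutoSize
```

Run it in an elevated session on the gateway; any row with Suitable set to False lists the requirement it fails, and a cert whose names do not include the external gateway FQDN is the one to replace or rebind.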

Similar Messages

  • RemoteApp 2012 R2 Restrict Access to Session Host Desktop

    Here is our current situation: I have set up Remote Desktop Services on Server 2012 R2 and published RemoteApp programs. Everything works great with load balancing, collections, etc... and I have been very impressed. However, as it always has been an issue,
    I have always had the question of how to allow users to access RemoteApp applications on the session host without allowing them to RDP directly onto the server to access the server desktop. Obviously, you have to add them to remote desktop users group and
    they need to be allowed to access over RDP so I figure that the next best thing is to restrict access to the desktop should they manually type the name into an RDP client connection. I know you couldn't restrict them from using mstsc.exe because they need
    that to open the RemoteApp since it just uses RDP and I am aware of using GPO's to restrict access to drives and many other things but I would like to remove the desktop altogether. Would it be plausible to remove the GUI feature and restrict access to CMD
    and SCONFIG through Server Manager and still allow the session host to present RemoteApp applications or is there a better way to approach this? I figured if I just remove the GUI and access to cmd and sconfig then if they logged on, they would get a blank
    screen. Thank you in advance for your time!

    Hi,
    One technique for this is to set the Custom User Interface group policy setting to logoff.exe.  You would have the GPO apply to normal users, but not applied to Domain Admins (or other users that you need to have full desktop).
    User Configuration\Administrative Templates\System
    Custom User Interface     Enabled
    Interface file name: %systemroot%\system32\logoff.exe
    You should also use NTFS permissions, group policy settings, AppLocker, etc., to further restrict what users are able to do.
    -TP

  • Users see all applications in RDS 2012 Web access in one-way trust domain environment

    Hello!
    We have RDS 2012 deployment in domainA.local. There is a one-way trust between domainA.local and domainB.local: A trusts B and B doesn't trust A.
    A user from domainB.local authenticates in Web-access interface (wa.domainA.local) and sees
    every published application in every collection in the deployment independently of UserGroups setting of collections and applications. This occurs for any domainB user.
    In the security log of wa.domainA.local we can find an event :
    An account failed to log on.
    Subject:
    Security ID:                IIS APPPOOL\RDWebAccess
    Account Name:                RDWebAccess
    Account Domain:                IIS APPPOOL
    Logon ID:                0x2C7B16
    Logon Type:                        3
    Account For Which Logon Failed:
    Security ID:                NULL SID
    Account Name:                
    Account Domain:                
    Failure Information:
    Failure Reason:                An error occurred during logon
    Status:                        0xC000005E
    Sub Status:                0x0
    Also in a network trace on wa.domainA.local a Kerberos error can be found:
    On TGS-REQ for krbtgt/[email protected] there is an answer: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7), server name krbtgt/domainB.
    How to deal with this issue? The aim is to show only specified applications to domainB users.
    Any help would be appreciated.

    Hi,
    Thank you for your posting in Windows Server Forum.
    Please check the links below; they might be useful for your case.
    “After adding the RDS server’s computer account to the Builtin Windows Authorization Access Group domain group, the RemoteApp icons displayed perfectly.” (Quoted from this article)
    1. Remote APP list empty
    2. RD Web Access unable to access Source (RD Server)
    With respect to the Kerberos error, refer to this link for troubleshooting.
    1. Troubleshooting Kerberos Authentication problems – Name resolution issues
    2. Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
    Hope it helps! 
    Thanks,
    Dharmesh

  • Exchange 2010 .Disable external access for Autodiscovery and RPC

    Hi Team,
    Once I published my OWA page in Exchange 2010, I was automatically able to access:
    https://domainname.com/autodicovery
    https://domainname.com/rpc
    https://domainname.com/owa/oma
    I need to block access from the external world to these websites. Please help.

    Hi,
    Before we go further, I'd like to confirm if you want to block external Outlook access. If yes, we can disable Outlook Anywhere since external Outlook access uses Outlook Anywhere to connect to the server.
    Additionally, there are three methods for external Outlook users to connect to the Autodiscover service. If we don't add a public A record and SRV record, Autodiscover cannot work.
    We can also separate web sites for internal access and external access and not add the Autodiscover and RPC virtual directories to the external access web site. Here is an article about the OWA virtual directory, and you can refer to it for Autodiscover and RPC:
    http://blogs.technet.com/b/messaging_with_communications/archive/2011/05/02/how-to-block-owa-for-external-users.aspx
    Thanks,
    Angela Shi
    TechNet Community Support

  • SAN certificate for external access for edge server and reverse proxy

    Hello
    I have a question related to the certificate planning for a Lync 2013 Edge Server.
    For external access and mobile users, I want to enable all the features for external users.
    I'm planning to purchase a SAN certificate.
    My first question: do I need only one SAN certificate for both my edge server and the reverse proxy?
    My second question is about the names that should be added to the certificate:
    sip.mydomain.com
    av.mydomain.com
    webconf.mydomain.com
    what else I should add ? I want to add the names for all feature access.
    Kind Regards
    MK

    Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
    If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
    You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network. Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as an additional SAN on your cert.
    Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only. 
    Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that can present the third party certificate.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • P2415Q - No display over DVI, HDMI. No menu. Worked perfectly for one month over display port

    Reason Line: Dell P2415Q. After one month working perfectly over display port, no display on screen over Display Port or HDMI, no response to menu buttons, backlight and power LED on but no image on screen.
    Problem Description
    The monitor worked out of the box for one month using the display port to mini display port cable provided with the monitor, which was plugged into my XFX 7970 and 7950 graphics cards. It supported 4K at 60Hz and was exceptional for photos, videos and games. On Wednesday the monitor stopped working, no image or menu is displayed on the monitor. I plugged in my old monitor to help diagnose via DVI from the same graphics card. When I press the power button on the Dell P2415Q monitor, the power LED lights up and the computer detects the monitor (as shown in the windows screen resolution menu). It sets it as a secondary display but the monitor remains black, I can see the power LED and backlight is on. No power saving mode popup appears on the monitor, when I press the menu buttons there is no response from the screen, it remains black. I repeated with a HDMI cable the same issue occurs with no response or image. I repeated and disabled crossfire (which allows the graphics cards to function independently) and tried the second graphics card with no response. I tested the HDMI cable I used on my old LG monitor, it works well. I have tried connecting a laptop over HDMI to the monitor too, with no response from the monitor. I have exhausted all the tests I can think of, I presume I will have to return the monitor for repair or replacement under warranty. A question to the dell rep and community - is there anything else I can try / do to get it working? 
    Monitor / Computer Details
    Monitor service tag: <removed>
    Computer: Non-Dell, self build about 2 years ago. Ivy Bridge i5, Gigabyte Sniper Motherboard, 16GB RAM, XFX 7970 GPU and XFGX 7950 GPU in crossfire, 256GB SSD, 860W Corsair AX power supply (860W on 12V rails). Windows 7, 64-bit. (Secondary Monitor LG D2342).
    Operating System: Windows 7, 64 Bit.
    Video Card: XFX 7970 and XFX 7950 in Crossfire (tested separately, monitor produces fault with both).
    Video Card Driver: 14.12 AMD Catalyst Driver (rolled back to older driver, monitor still produces fault).
    Video Card Output Ports: Tested with miniDP and HDMI on both cards, with crossfire enabled and disabled. Monitor still produces fault.
    Video Card Cable: miniDP to DP cable provided with monitor. HDMI cable, tested with alternate monitor to confirm it functions correctly.
    Monitor Menu Button: Non responsive, when power is turned on the computer successfully detects the Dell P2415Q monitor, the backlight turns on but no image appear on the screen. Pressing the menu buttons yields no result - menu does not appear on the screen. Power LED is on.
    Monitor Purchase: Purchased from Overclockers.co.uk March 2015.

    * Turn the monitor off
    * Disconnect all cables from the monitor including the power cable
    * Press the monitor power button in for 15 seconds
    * Reconnect the monitor cables and re-test. If still no go, your only option is to get it exchanged per the purchased warranty
    * But first the service tag must be transferred into your name using this form

  • Use Same URL for Internal and External Access for CRM 2015 IFD

    I have setup a CRM2015 server for IFD access.
    ADFS and CRM are on separate servers.
    CRM server all roles
    ADFS 2.0 server.
    Using the internal URL I am able to access CRM without entering my details (as expected)
    Using the external URL I am authenticated by ADFS as expected and can sign in.
    We have an internal domain domain.local
    We have an external domain domain.com (the certificate is for *.domain.com)
    We have a DNS zone created internally for domain.com.
    CRM URLs
    internal : internalcrm.domain.com
    External : externalcrm.domain.com
    I would like all users to use the same link regardless of them being internal or external, but I would like it so that any user who is on the domain is automatically logged in without entering their username and password. What is the best way to do this?
    I have tried creating a cname record on the internal domain.com zone pointing externalcrm.domain.com to internalcrm.domain.com but that didn't work, I still get the ADFS sign in page.
    Thanks

    So fair warning, what you're asking for isn't really a supported deployment method of CRM.
    That said, you should be able to do some DNS trickery internal to your network that points your "crm.domain.com" to "crm.domain.local" and then hopefully CRM will treat the connection as if it came from an internal network.
    Otherwise, you're likely going to have to accept that everyone gets the ADFS login page internal and external to your network.
    The postings on this site are solely my own and do not represent or constitute Hitachi Solutions' positions, views, strategies or opinions.

  • I would like to record hypnosis apps to my iPad. I assume that I would use an external app for clearer voice over. I want to record my hypnosis script over a background of binaural music. How do I accomplish this?

    I would like to create my own customized hypnosis apps for my iPad. Ideally, I would use a good external mic and have another input for the binaural background music and brainwaves. What equipment do I need to accomplish this on my iPad or Mac Pro? And how do you hook it up?

    I think I will do this. I will use my Apple ID and set FaceTime and Messages to work independently. That solves one problem. My other problem, and maybe my bigger problem, is that if I am using my Apple ID, how do I filter all of this so that my kids don't see my contacts, get my apps, etc.?

  • How to set correct audio output while using external screen for presentation purposes over a wire

    While trying to make a presentation or simply playing a video from my MacBook Air over a Thunderbolt/HDMI cable to a large screen, I am experiencing problems with audio only being played from the MBA and not the sound system built in to that screen (unless using a VLS application and manually selecting the audio output target).
    Please help in finding how to steer the audio output device using a 2-in-1 cable such as Thunderbolt.

    Hi jar9,
    If you are not hearing audio over your HDMI/Thunderbolt connection, you may want to see if it is showing up as a selectable audio output as outlined in the following article:
    OS X Mavericks: If you can’t hear sound from your speakers
    http://support.apple.com/kb/PH13841
    Regards,
    - Brenden

  • Two External Displays and Internal Display Over Different Connections

    Hi there.
    I'm going to be purchasing a rMBP in the very, very near future. However, I am unclear about how external displays work with this. My current display setup at work is two basic 1080p monitors that can be run over DVI, VGA or HDMI. I'd like to keep using these when I start using the rMBP but also gain the advantage of a third screen by using the internal display at the same time (so much space for activities!).
    One of the thunderbolt ports will need to be used for an Ethernet connection (there is no wireless here), so this leaves the setup needing to be one monitor run via Thunderbolt -> DVI and the other monitor run via HDMI.
    The internet in general isn't being entirely helpful with this. I'm looking for a clear answer of whether the rMBP will run the internal display and the two external displays using this setup under OS X. Some seem to believe that it won't work using different connection types, for example.
    Thanks for any help.

    Hello dljfield,
    Thanks for using Apple Support Communities.
    If you'd like to use multiple external displays with a MacBook Pro with Retina display, then please take a look at the information outlined below. A 15" MacBook Pro mid-2014 can support up to two external displays using different outputs.
    MacBook Pro (Retina, 15-inch, Mid 2014) - Technical Specifications
    OS X Yosemite: Connect multiple displays to your Mac
    Take care,
    Alex H.

  • Ssrs security access for users on a different domain

    Hi
    We are using ssrs 2008 r2 and have added a new domain to our network as we are working with another company.
    Our original domain was say "DomainA" which can access all our reports, how do we give access to the new domain "DomainB" access to our reports?
    We are unable to add DomainB users to our AD security groups, so I have created a Windows group called SSRS_DomainB_Users and given it access to our parent folder and also added it into site settings as a system user.
    What is the best way to deal with this?
    Users in DomainB will eventually be added to DomainA and DomainB will then be deleted.
    One of the users I am testing with gets an error message :
    User 'Domain name/user' does not have the required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed.
    Thanks

    Hi Nasa1999,
    According to your description, you want your reports to be accessible by users from a different domain. Right?
    In this scenario, we should do an Internet Deployment for your reports so that users from a different domain can access them. Please see the articles below:
    Planning for Extranet or Internet Deployment
    Using Reporting Services in an Internet/Extranet Environment
    SQL Server 2008 Reporting Services for Internet deployment
    Reference:
    SSRS reports global access
    If you have any question, please feel free to ask.
    Best Regards,
    Simon Hou

  • Using Windows 2008 R2 RD Session Hosts in Windows 2012 RD Deployments

    Just a couple of observations from our attempt to deploy Windows 2008 R2 RD Session Hosts as part of a Windows 2012 RD Deployment. Hopefully these save someone the angst of not finding answers in other documentation.
    1. Our first hurdle was trying to add a Windows 2008 R2 server (RD02) as a Session Host in the Remote Desktop Services area in Server Manager on our Windows 2012 RD Deployment server (RDCB01), which had the Connection Broker, Web Access and Session Host role services installed. After some side-tracking through AD issues, we eventually discovered that we had to manually add RD02 to the list of servers to manage in Server Manager on RDCB01. Then it was visible and could be selected.
    2. Now that we could, we tried to actually add the RD02 Windows 2008 R2 Session Host to the 2012 Deployment. This failed the previously unheard of compatibility tests with the error "Compatibility check failed" "The server is not running at least {0}". A list of requirements is shown:
    You will not be able to proceed with the installation unless ALL the following criteria are met:
    The server must be available by using Windows PowerShell remotely.
    The server must be running at least Windows Server 2012.
    The currently logged on user must be a member of the local Administrators group on the server.
    The server must not have a pending start.
    We were also concerned that we could not change many of the properties of Published Applications on our 2012 Publishing server. In our case changing an icon was critical for user acceptance to distinguish between application functions.
    It seems RDS is an all or nothing approach between 2008 R2 and 2012 versions. The only thing we were able to get going in time was some limited Published Application capability.
    I agree with other posters in their assessments of wholesale changes to RDS in 2012, and a lack of readily available definitive information. 

    Hi,
    It seems that no official documents suggest that 2008 R2 could be involved with the 2012 RDS infrastructure. Even on Server 08 and 08 R2, I don't suggest mixing them because of potential incompatibility.
    Any further discussions about this issue are welcomed here for all of you.
    Regards,
    Clarence
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Certificate setup RDS 2012 R2

    Hi,
    I have set up an RDS 2012 R2 deployment for internal use. I plan to add a gateway server cluster for external access later (RDGW). That cluster will be placed in the DMZ and use a public wildcard cert. It will connect external users to the farm. Internal or Direct Access (DA) users will use the Web Access servers to connect internally on the corp. LAN.
    For now, I have the following setup: Web Access role on 2 servers with DNS RR (RDWA), 2 clustered Connection Broker servers (RDCB), two Session Hosts (RDSH) and one licensing server. So a total of 7 servers (+ 2 RDGW servers in the DMZ that are not set up yet).
    So, the issue is: I need to set up certificates. We have a CA in an AD top domain (our site is a sub.domain.com). We do not have access to that CA and need to order certs. from our corp. HQ. OK, but what do I ask for? I need 3 DER encoded binary X.509 certs. That's the info I have. How can I create a cert. request? See pictures below.
    This posting is provided "AS IS" with no warranties or guarantees and confers no rights

    Hi,
    Thank you for your posting in Windows Server Forum.
    Can you let us know exactly which certificate you want for your network (self-signed or SSL)?
    My suggestion is that you use a wildcard or SAN certificate for your network, which can be used for the external network also.
    If you want a self-signed certificate for internal use, you can create the certificate from the Deployment properties of the RDS page or from IIS Manager as per the path below.
    IIS Manager > Server Certificates > Create Self-Signed Certificate > Export the certificate to a specified location, then select the certificate in the RDS installation process.
    But make sure the certificate is installed into the computer’s “Personal” certificate store with its corresponding private key, and that it is added under Trusted Root Certification Authorities.
    Please check below articles for detail.
    1. Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    2. Configuring RDS 2012 Certificates and SSO
    3. Minimum Certificate Requirements for Typical RDS implementation
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • RD Session Host - All drive letters are hidden from local admin

    Hi,
    I have a Windows Server 2012 R2 environment with one RDS Gateway and tens of session host servers. I can log on to any of those SH servers with AD accounts and everything else is working fine, but users cannot see the SH servers' local drives when they log on (drive letters C and D). There are no GPOs to prevent or hide these drive letters, and users can access those drives if they use File Explorer's address bar (by typing "c:" or "d:"). So the issue is with hidden drive letters in "This PC", not permissions or GPO. This PC only shows the message "folder empty" for any domain user.
    Is this the default behaviour of Server 2012 R2? How can I get those drive letters visible to all domain users?
    Users in the Domain Admins group are the only users who can see those drives; not even domain users who are members of the SH servers' local Administrators group can see those drive letters.
    Can someone help?
    Thank you!

    Hi,
    Based on your description, I agree with the suggestion above. I suggest you confirm the related group policy settings again.
    In GPME, please refer to the following path:
    User Configuration-> Policies-> Administrative Templates-> Windows Components-> File Explorer-> Hide these specified drives in My Computer. And check if you have configured this setting.
    If the issue still persists, please create a new domain user account (don’t add it to the Domain Admins group), then check if you encounter the same issue when you log on with this new user account.
    Hope this helps.
    Best regards,
    Justin Gu

  • Sharepoint 2013 on premise external access

    Hello,
    We have a single SharePoint on premise and we need to enable external access for users from different companies. How can we make this possible without an ADFS configuration?

    The following links will help you get started:
    Plan for user authentication methods in SharePoint 2013
    Authentication overview for SharePoint 2013
    Configuring Forms Based Authentication in SharePoint 2013
    Please 'propose as answer' if it helped you, also 'vote helpful' if you like this reply.
