Rds Microsoft Remote Desktop Services
- Rds Tracing For Windows Remote Desktop Services
- Microsoft Remote Desktop Assistant
- Microsoft Remote Desktop Services (rds) Session Host
- Microsoft Remote Desktop Services Training
RDS 2012: Which ports are used during deployment? To configure Remote Desktop Services correctly for internet access or any time where firewalls are used, it is useful to know what ports are required. The information / taxonomy is broken down by role service/component,.
Remote Desktop Gateway (RD Gateway) grants users on public networks access to Windows desktops and applications hosted in Microsoft Azure's cloud services. The RD Gateway component uses Secure Sockets Layer (SSL) to encrypt the communications channel between clients and the server. Nov 19, 2015 Microsoft Remote Desktop Services RDS allows users to access centralized applications and workstations in the data center remotely. Microsoft RDS is the new expanded and renamed Microsoft Terminal Services. In this post I will document the implementation of RDS in my home lab using an ‘all-in-one’ configuration. VBoring Blog Series. Remote Desktop Gateway (RD Gateway) grants users on public networks access to Windows desktops and applications hosted in Microsoft Azure's cloud services. The RD Gateway component uses Secure Sockets Layer (SSL) to encrypt the communications channel between clients and the server.
-->Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016
Each user and device that connects to a Remote Desktop Session host needs a client access license (CAL). You use RD Licensing to install, issue, and track RDS CALs.
When a user or a device connects to an RD Session Host server, the RD Session Host server determines if an RDS CAL is needed. The RD Session Host server then requests an RDS CAL from the Remote Desktop license server. If an appropriate RDS CAL is available from a license server, the RDS CAL is issued to the client, and the client is able to connect to the RD Session Host server and from there to the desktop or apps they're trying to use.
There is a licensing grace period of 120 Days during which no license server is required. Once the grace period ends, clients must have a valid RDS CAL issued by a license server before they can log on to an RD Session Host server.
Use the following information to learn about how client access licensing works in Remote Desktop Services and to deploy and manage your licenses:
- License your RDS deployment with client access licenses (CALs)
Understanding the RDS CAL model
There are two types of RDS CALs:
- RDS Per Device CALs
- RDS Per User CALs
The following table outlines the differences between the two types of CALs:
| Per Device | Per User |
|---|---|
| RDS CALs are physically assigned to each device. | RDS CALs are assigned to a user in Active Directory. |
| RDS CALs are tracked by the license server. | RDS CALs are tracked by the license server. |
| RDS CALs can be tracked regardless of Active Directory membership. | RDS CALs cannot be tracked within a workgroup. |
| You can revoke up to 20% of RDS CALs. | You cannot revoke any RDS CALs. |
| Temporary RDS CALs are valid for 52–89 days. | Temporary RDS CALs are not available. |
| RDS CALs cannot be overallocated. | RDS CALs can be overallocated (in breach of the Remote Desktop licensing agreement). |
When you use the Per Device model, a temporary license is issued the first time a device connects to the RD Session Host. The second time that device connects, as long as the license server is activated and there are available RDS CALs, the license server issues a permanent RDS Per Device CAL.
When you use the Per User model, licensing is not enforced and each user is granted a license to connect to an RD Session Host from any number of devices. The license server issues licenses from the available RDS CAL pool or the Over-Used RDS CAL pool. It's your responsibility to ensure that all of your users have a valid license and zero Over-Used CALs—otherwise, you're in violation of the Remote Desktop Services license terms.
An example of where one would use the Per Device model would be in an environment where there are two or more shifts using the same computers to access the RD Session Host(s). The Per User model would be best for environments where users have their own dedicated Windows device to access the RD Session Host(s).
To ensure you are in compliance with the Remote Desktop Services license terms, track the number of RDS Per User CALs used in your organization and be sure to have enough RDS Per User CALs installed on the license server for all of your users.
You can use the Remote Desktop Licensing Manager to track and generate reports on RDS Per User CALs.
RDS CAL version compatibility
The RDS CAL for your users or devices must be compatible with the version of Windows Server that the user or device is connecting to. You can't use RDS CALs for earlier versions to access later versions of Windows Server, but you can use later versions of RDS CALs to access earlier versions of Windows Server. For example, an RDS 2016 CAL or higher is required to connect to a Windows Server 2016 RD Session Host, while an RDS 2012 CAL or higher is required to connect to a Windows Server 2012 R2 RD Session Host.
The following table shows which RDS CAL and RD Session Host versions are compatible with each other.
| RDS 2008 R2 and earlier CAL | RDS 2012 CAL | RDS 2016 CAL | RDS 2019 CAL | |
|---|---|---|---|---|
| 2008, 2008 R2 session host | Yes | Yes | Yes | Yes |
| 2012 session host | No | Yes | Yes | Yes |
| 2012 R2 session host | No | Yes | Yes | Yes |
| 2016 session host | No | No | Yes | Yes |
| 2019 session host | No | No | No | Yes |
You must install your RDS CAL on a compatible RD license server. Any RDS license server can host licenses from all previous versions of Remote Desktop Services and the current version of Remote Desktop Services. For example, a Windows Server 2016 RDS license server can host licenses from all previous versions of RDS, while a Windows Server 2012 R2 RDS license server can only host licenses up to Windows Server 2012 R2.
The following table shows which RDS CAL and license server versions are compatible with each other.
| RDS 2008 R2 and earlier CAL | RDS 2012 CAL | RDS 2016 CAL | RDS 2019 CAL | |
|---|---|---|---|---|
| 2008, 2008 R2 license server | Yes | No | No | No |
| 2012 license server | Yes | Yes | No | No |
| 2012 R2 license server | Yes | Yes | No | No |
| 2016 license server | Yes | Yes | Yes | No |
| 2019 license server | Yes | Yes | Yes | Yes |
Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016
This article describes the roles within a Remote Desktop Services environment.
Remote Desktop Session Host
The Remote Desktop Session Host (RD Session Host) holds the session-based apps and desktops you share with users. Users get to these desktops and apps through one of the Remote Desktop clients that run on Windows, MacOS, iOS, and Android. Users can also connect through a supported browser by using the web client.
You can organize desktops and apps into one or more RD Session Host servers, called 'collections.' You can customize these collections for specific groups of users within each tenant. For example, you can create a collection where a specific user group can access specific apps, but anyone outside of the group you designated won't be able to access those apps.
For small deployments, you can install applications directly onto the RD Session Host servers. For larger deployments, we recommend building a base image and provisioning virtual machines from that image.
You can expand collections by adding RD Session Host server virtual machines to a collection farm with each RDSH virtual machine within a collection assigned to same availability set. This provides higher collection availability and increases scale to support more users or resource-heavy applications.
In most cases, multiple users share the same RD Session Host server, which most efficiently utilizes Azure resources for a desktop hosting solution. In this configuration, users must sign in to collections with non-administrative accounts. You can also give some users full administrative access to their remote desktop by creating personal session desktop collections.
You can customize desktops even more by creating and uploading a virtual hard disk with the Windows Server OS that you can use as a template for creating new RD Session Host virtual machines.
For more information, see the following articles:
Rds Tracing For Windows Remote Desktop Services
Remote Desktop Connection Broker
Remote Desktop Connection Broker (RD Connection Broker) manages incoming remote desktop connections to RD Session Host server farms. RD Connection Broker handles connections to both collections of full desktops and collections of remote apps. RD Connection Broker can balance the load across the collection's servers when making new connections. If RD Connection Broker is enabled, using DNS round robin to RD Session Hosts for balacing servers is not supported. If a session disconnects, RD Connection Broker will reconnect the user to the correct RD Session Host server and their interrupted session, which still exists in the RD Session Host farm.
You'll need to install matching digital certificates on both the RD Connection Broker server and the client to support single sign-on and application publishing. When developing or testing a network, you can use a self-generated and self-signed certificate. However, released services require a digital certificate from a trusted certification authority. The name you give the certificate must be the same as the internal Fully Qualified Domain Name (FQDN) of the RD Connection Broker virtual machine.
You can install the Windows Server 2016 RD Connection Broker on the same virtual machine as AD DS to reduce cost. If you need to scale out to more users, you can also add additional RD Connection Broker virtual machines in the same availability set to create an RD Connection Broker cluster.
Before you can create an RD Connection Broker cluster, you must either deploy an Azure SQL Database in the tenant's environment or create an SQL Server AlwaysOn Availability Group.
For more information, see the following articles:
- SQL database in Desktop hosting service.
Remote Desktop Gateway
Remote Desktop Gateway (RD Gateway) grants users on public networks access to Windows desktops and applications hosted in Microsoft Azure's cloud services.
The RD Gateway component uses Secure Sockets Layer (SSL) to encrypt the communications channel between clients and the server. The RD Gateway virtual machine must be accessible through a public IP address that allows inbound TCP connections to port 443 and inbound UDP connections to port 3391. This lets users connect through the internet using the HTTPS communications transport protocol and the UDP protocol, respectively.
The digital certificates installed on the server and client have to match for this to work. When you're developing or testing a network, you can use a self-generated and self-signed certificate. However, a released service requires a certificate from a trusted certification authority. The name of the certificate must match the FQDN used to access RD Gateway, whether the FQDN is the public IP address' externally facing DNS name or the CNAME DNS record pointing to the public IP address.
For tenants with fewer users, the RD Web Access and RD Gateway roles can be combined on a single virtual machine to reduce cost. You can also add more RD Gateway virtual machines to an RD Gateway farm to increase service availability and scale out to more users. Virtual machines in larger RD Gateway farms should be configured in a load-balanced set. IP affinity isn't required when you're using RD Gateway on a Windows Server 2016 virtual machine, but it is when you're running it on a Windows Server 2012 R2 virtual machine.
For more information, see the following articles:
Remote Desktop Web Access
Microsoft Remote Desktop Assistant
Remote Desktop Web Access (RD Web Access) lets users access desktops and applications through a web portal and launches them through the device's native Microsoft Remote Desktop client application. You can use the web portal to publish Windows desktops and applications to Windows and non-Windows client devices, and you can also selectively publish desktops or apps to specific users or groups.
RD Web Access needs Internet Information Services (IIS) to work properly. A Hypertext Transfer Protocol Secure (HTTPS) connection provides an encrypted communications channel between the clients and the RD Web server. The RD Web Access virtual machine must be accessible through a public IP address that allows inbound TCP connections to port 443 to allow the tenant's users to connect from the internet using the HTTPS communications transport protocol.
Matching digital certificates must be installed on the server and clients. For development and testing purposes, this can be a self-generated and self-signed certificate. For a released service, the digital certificate must be obtained from a trusted certification authority. The name of the certificate must match the Fully Qualified Domain Name (FQDN) used to access RD Web Access. Possible FQDNs include the externally facing DNS name for the public IP address and the CNAME DNS record pointing to the public IP address.
For tenants with fewer users, you can reduce costs by combining the RD Web Access and Remote Desktop Gateway workloads into a single virtual machine. You can also add additional RD Web virtual machines to an RD Web Access farm to increase service availability and scale out to more users. In an RD Web Access farm with multiple virtual machines, you'll have to configure the virtual machines in a load-balanced set.
Microsoft Remote Desktop Services (rds) Session Host
For more information about how to configure RD Web Access, see the following articles:
Remote Desktop Licensing
Microsoft Remote Desktop Services Training
Activated Remote Desktop Licensing (RD Licensing) servers let users connect to the RD Session Host servers hosting the tenant's desktops and apps. Tenant environments usually come with the RD Licensing server already installed, but for hosted environments you'll have to configure the server in per-user mode.
The service provider needs enough RDS Subscriber Access Licenses (SALs) to cover all authorized unique (not concurrent) users that sign in to the service each month. Service providers can purchase Microsoft Azure Infrastructure Services directly, and can purchase SALs through the Microsoft Service Provider Licensing Agreement (SPLA) program. Customers looking for a hosted desktop solution must purchase the complete hosted solution (Azure and RDS) from the service provider.
Small tenants can reduce costs by combining the file server and RD Licensing components onto a single virtual machine. To provide higher service availability, tenants can deploy two RD License server virtual machines in the same availability set. All RD servers in the tenant's environment are associated with both RD License servers to keep users able to connect to new sessions even if one of the servers goes down.
For more information, see the following articles: