Microsoft RD Web Access

From Swivel Knowledgebase
Revision as of 15:59, 14 November 2017 by RWithey (talk | contribs) (Installation)


Introduction

This filter allows you to protect Windows Remote Desktop Services (RDS) Web Access with Swivel authentication.

Prerequisites

Swivel version 3.x or 4.x

Windows Server 2012 R2 or Windows Server 2016 with RDS Web Access already installed

Microsoft .NET Framework version 4.5, full edition (rather than client-only), installed

A version compatible with Windows Server 2008 is also available. This requires Microsoft .NET Framework 4.0 only.

Swivel Server Configuration

The only configuration needed on the Swivel server is to ensure that the RDS server is configured as an Agent for Swivel (under Server -> Agents) and, if you are using the TURing image, that the option Allow session request by username under Server -> Single Channel is set to Yes.


Installation

You can download the Windows Server 2016 filter from here and the Windows Server 2012 R2 filter from here. The version compatible with Windows Server 2008 is available from here.

Installation consists of a single executable, RDSWebFilterInstaller.exe. In most cases you can accept the default settings during installation. When you get to the destination folder, make sure that the RDS web root folder is selected correctly. In most cases C:\Windows\Web\RDWeb will be correct, but if your RDS Web Access is not a default installation, check that the right folder is selected.


[Screenshot: RDSWebDestFolder.png]

Configuration

When installation is completed, you will be presented with the configuration page, as shown here.


[Screenshot: Config.png]


Configuration Options

PINsafe URL: the URL of the Swivel server, made up of https or http, the Swivel IP address or hostname, the port (8080 for virtual or hardware appliances and software installs) and the install context (pinsafe).

Note: do not use the “:8443/proxy” URL, as that is not valid for authentication.

Allow self-signed certificates: check box. Tick the box to ignore certificate errors.

Agent Secret and Confirm Secret: the shared secret entered on the Swivel instance under Server -> Agents.

RDS Web Pages Folder: the Change button allows a new path to be specified.

Language folder: default en-US. If your first language is not English and you are using a different set of pages from en-US, make sure you change the language folder to match the one you are using.

Show TURing image: check box. Tick to display the TURing image.

Show Request String: check box. Tick to display a button to request the dual channel security string to send to the user.

You will probably not need to change the following settings unless you have customised your login page. In that case, make sure that any images, scripts or stylesheets you have added are listed under the Excluded URLs. An entry beginning with “./” will match any path that ends with the remaining part of the path: for example, “./renderscripts.js” will match the file renderscripts.js wherever it is in the web hierarchy. Any file that is not listed under Excluded URLs and is not the logon or logoff path will be blocked by the Swivel filter until you have authenticated to Swivel.

Logon URL: default: /RDWeb/Pages/en-US/Login.aspx

Logoff URL: default: /RDWEB/Pages/en-US/Logoff.aspx

Excluded URLs: list of URLs for which authentication is excluded. NOTE: URLs must be entered one per line, but unfortunately, it is not possible to enter new lines into this box. To change it, you must therefore copy the current list into a text editor, make any changes required and then paste the new list back.
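The matching rule described above can be checked offline before a modified Excluded URLs list is pasted back. The following is an added example, not part of the Swivel filter or this page's original content; it models the rule as worded here and assumes case-insensitive matching, ignored query strings, and exact matching for entries without “./”. The sample list and request paths are constructed.

```python
# Added example: models the Excluded URLs rule as this page describes it.
# Assumptions (not taken from the filter's code): matching is case-insensitive,
# the query string is ignored, and an entry without "./" must equal the path.

LOGON = "/RDWeb/Pages/en-US/Login.aspx"    # default from this page
LOGOFF = "/RDWEB/Pages/en-US/Logoff.aspx"  # default from this page

def parse_excluded(text):
    """Split the one-per-line Excluded URLs list into cleaned entries."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def exempting_rule(path, entries, logon=LOGON, logoff=LOGOFF):
    """Return what lets `path` through before authentication, or None if blocked."""
    p = path.split("?", 1)[0].lower()
    if p == logon.lower():
        return "logon"
    if p == logoff.lower():
        return "logoff"
    for entry in entries:
        e = entry.lower()
        if e.startswith("./"):
            if p.endswith(e[2:]):      # "./x" matches any path ending in "x"
                return entry
        elif p == e:
            return entry
    return None

def overbroad(entries):
    """Flag "./" entries that exempt far more than one named file."""
    flagged = []
    for entry in entries:
        if entry.startswith("./"):
            suffix = entry[2:]
            # An empty suffix matches every path; a bare extension or a
            # trailing slash matches a whole class of pages.
            if not suffix or suffix.startswith(".") or suffix.endswith("/"):
                flagged.append(entry)
    return flagged

# Constructed sample list: the page's own example plus two custom entries.
SAMPLE = "./renderscripts.js\n./logo.png\n\n./.aspx\n"
REQUESTS = ["/RDWeb/Pages/renderscripts.js",
            "/RDWeb/Pages/en-US/Default.aspx?x=1",
            "/RDWeb/Pages/images/logo.png"]

if __name__ == "__main__":
    rules = parse_excluded(SAMPLE)
    for r in REQUESTS:
        print(r, "->", exempting_rule(r, rules) or "blocked until authenticated")
    print("review before pasting back:", overbroad(rules))
```

With the constructed “./.aspx” entry in the list, Default.aspx is served without Swivel authentication; removing that entry leaves it blocked.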

If you need to change any of these settings later, a link to the configuration program is provided on the shortcut menu.

Changes to Existing Files

The installer will make modifications to three files within the RDS web hierarchy:

  • Login.aspx from within the language folder. The appropriate buttons to display a TURing image are added if required. If you have significantly altered the login page, the installer may not be able to make its changes. Contact Swivel Secure for advice in this case.
  • Renderscripts.js. A new function is added to display a TURing image, or to request a message on demand.
  • Web.config. The Swivel filter is added as a new module, and the Swivel server details are stored under appSettings.

Additionally, the filter copies two DLLs to the bin folder of RDWeb/Pages: the filter itself and the Swivel client. It also copies a TURing image proxy, pinsafe_image.aspx, to the language folder.


Troubleshooting

We have seen, in one instance, a problem whereby the TURing image could not be displayed even though the settings were correct, and the TURing image could be directly requested from the RDS Web server to the Swivel virtual or hardware appliance. The conclusion in this case was that the problem was due to permissions issues with the RDSWeb application pool account. Although we were unable to identify the exact problem, we resolved it by changing a setting on the application pool (under Advanced Settings) to enable Load User Profile.

Uninstalling

An uninstall program is provided, so you can either uninstall from the Windows Control Panel, or from the uninstall link on the shortcut menu.

The uninstall process requires that the files login.aspx.sav and renderscripts.js.sav, which are created when the appropriate files are modified, remain in their initial locations. These are the original files, without the PINsafe modifications. If these files do not exist, the filter cannot be properly uninstalled.