How to setup Windows RemoteApp in AWS
Your organization may need a Windows RemoteApp server to stream client/server applications to your users, giving them access to those applications from anywhere. Businesses often stream accounting or other database applications from a RemoteApp server. In most cases, if you move your on-premises Windows domain controller and file server to AWS using TrueStack Direct Connect, you will need a RemoteApp server or another solution such as Citrix or Windows Remote Desktop to reach these apps, unless you have a dedicated circuit with enough bandwidth to run them across the VPN. Apps like Microsoft Office will work fine over TrueStack Direct Connect and won’t require streaming, but a client/server database like QuickBooks will require a remote app solution.
Here’s how to set up Windows RemoteApp in AWS. You will need:
- AWS account. If you don’t have one get a free tier account.
- 3 Windows EC2 instances. You can start with t2.micro instances with 50GB of GP2 storage. We recommend Windows Server 2012 R2.
- Remote Desktop volume or SPLA licenses.
- A 3rd party SSL certificate.
These general instructions assume you understand Windows server and domain set up and usage.
- Set up a Windows domain controller on one server. We recommend making the Windows domain name the same as your public domain name so you can use a certificate that matches it. For example, if your public domain name is wedoit.com, make your Windows domain the same and name your Gateway server as a subdomain (see below), e.g. host.wedoit.com. Your Windows AD server can be named anything you want.
- Make sure all 3 of your EC2 instances are in the same security group. In the AWS security group, create a rule allowing All Traffic from your VPC’s private subnet, for example: All Traffic, Protocol ALL, Port Range 0 – 65535, Source Custom 10.0.0.0/24. This allows traffic between all of the instances in the security group, which is required to join the other 2 servers to the domain.
- The other ports you need to open in the security group are:
  - UDP 3391 from anywhere
  - TCP 3389 (RDP) from your IP only: in the Source field choose My IP
  - TCP 443 (HTTPS) from anywhere
- Join the other 2 Windows 2012 R2 servers to the domain as member servers, then add them as managed servers in Server Manager.
- Provision the 2nd server as an RD Gateway. In your public DNS create a subdomain, e.g. host.wedoit.com. Name your 2nd (RD Gateway) server the same as that subdomain, i.e. “host”, so the server’s fully qualified domain name is also “host.wedoit.com”.
- Make the RD Gateway the licensing server as well and install your RDS licenses there.
- Purchase a 3rd party SSL certificate and install it on the Gateway. The certificate name must match the public subdomain from above, e.g. host.wedoit.com.
- Open inbound ports TCP 443 and UDP 3391 in the Windows firewall on the Gateway server.
- Install your program on the 3rd server.
- From Server Manager on the RD Gateway, provision the 3rd server as an RD Session Host. Then, still in Server Manager on the RD Gateway, publish the RemoteApp program from the 3rd server.
- Create users on the Active Directory server and add them to a group.
- Give that group permissions on the Gateway server / Collection under User Assignments for the RemoteApp program.
- Log on to RDWeb (e.g. https://host.wedoit.com/rdweb) as one of the users to try it out.
- Depending on the software, give users local admin rights on the 3rd (RemoteApp program) server so they won’t have permission issues with the software. Lock down RDP 3389 so they can’t log directly into the server.
- Snapshot the server periodically and back up the data to S3, to another volume, or to a 3rd party backup solution.
- Use a subdomain redirector so your end users have an easier URL to access; this way you don’t have to spell out https://host.wedoit.com/rdweb over the phone. Use something like wedoit.cloud and have it redirect to https://host.wedoit.com/rdweb.
- Here’s a blog that tells how to embed the domain name in IIS so the user isn’t prompted to logon with the domain name at the sign in page. https://msfreaks.wordpress.com/2014/07/22/properly-removing-the-domain-prefix-requirement-from-rd-web-access-2012-r2/
- You may become annoyed by calls about pop-ups asking for the user/domain again after users sign in. First, use Internet Explorer, which requires installing the applet before connecting. Once the applet is installed you won’t get the second credentials prompt. Other browsers won’t accept the applet. You can also avoid this by deploying RemoteApp only to domain-joined computers, but that’s a hassle.
- Windows RemoteApp will work on a Mac and in other browsers, but the users will get the second domain/username credential prompt. They can check “Remember my password” to avoid it. On Macs, install the Microsoft Remote Desktop app first.
- You may be annoyed by how long it takes to sign in. You can speed this up by giving the Gateway server more resources: move up to a t2.medium or higher on a larger hard drive. Logon time also depends on the end user’s available bandwidth.
- You may notice that some RemoteApp servers, and maybe the gateway server, slow down over time. In AWS, click the Monitoring tab of the EC2 instance and check the CPU Credit Balance. If it’s low, you’ll notice that it goes back up if you restart the server or turn it off for a while. A low balance indicates that the server is short on IOPS or CPU resources; basically, the server is being overloaded. To establish a baseline you’ll need to take into account the number of users, how long they use the server, and how many apps are on the server.
- You can start by increasing the size of the root volume to 600 GB for maximum throughput. I usually move it up to 100 or 200 GB in increments to see how performance improves.
- You can move up to a server with more vCPUs and memory.
- You can isolate apps and users onto different servers. I usually run each RemoteApp program on a different server and make sure that users only have access to the RemoteApp software they need.
- Set the servers to auto-restart at 3 or 4am nightly.
- To support your users use the Shadow view feature in server manager. Right-click a connected user and choose Shadow to see their software session.
- Set disconnected sessions to log the user off after 1 hour so that they don’t burn up RD licenses but don’t set a limit for Active or Idle sessions so that they don’t get booted out in the middle of their work.
- Use the AWS Calculator to pre-determine your cost.
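The build steps above (security group rules, RD Gateway and licensing roles, certificate, Windows firewall, the published RemoteApp, user assignment, session limits, and locking down direct RDP on the session host) as one PowerShell script. This is an added example, not code from the original post or from TrueStack; every name in it is a placeholder: domain wedoit.com (NetBIOS WEDOIT), gateway host.wedoit.com at 10.0.0.20, session host app01.wedoit.com, subnet 10.0.0.0/24, admin IP 203.0.113.10, security group sg-0123456789abcdef0, certificate C:\certs\host.wedoit.com.pfx, AD group WEDOIT\RemoteAppUsers, and the published program C:\App\MyApp.exe. Part 1 assumes the AWS Tools for PowerShell (AWS.Tools.EC2) on your workstation; Parts 2 to 4 run as a domain admin on the RD Gateway with the RemoteDesktop module and WinRM to the session host.

```powershell
# Added example, not from the original post. All hostnames, IPs, IDs and paths are placeholders.

#region Part 1 - security group rules (run on your workstation with AWS.Tools.EC2)
$sg      = 'sg-0123456789abcdef0'   # placeholder security group
$lanCidr = '10.0.0.0/24'            # private subnet shared by the 3 instances
$adminIp = '203.0.113.10/32'        # your IP ("My IP" in the console)
$rules = @(
    @{ IpProtocol = '-1';  IpRanges = $lanCidr }                                      # all traffic inside the subnet
    @{ IpProtocol = 'udp'; FromPort = 3391; ToPort = 3391; IpRanges = '0.0.0.0/0' }   # RD Gateway UDP transport
    @{ IpProtocol = 'tcp'; FromPort = 443;  ToPort = 443;  IpRanges = '0.0.0.0/0' }   # HTTPS: RDWeb and gateway
    @{ IpProtocol = 'tcp'; FromPort = 3389; ToPort = 3389; IpRanges = $adminIp }      # direct RDP from you only
)
foreach ($r in $rules) { Grant-EC2SecurityGroupIngress -GroupId $sg -IpPermission $r }
#endregion

#region Part 2 - RDS deployment, gateway, licensing, certificate, firewall (run on the RD Gateway)
Import-Module RemoteDesktop
$broker  = 'host.wedoit.com'        # broker and web access live on the gateway box in this layout
$gateway = 'host.wedoit.com'
$rdsh    = 'app01.wedoit.com'       # the 3rd server, where the program is installed

New-RDSessionDeployment -ConnectionBroker $broker -WebAccessServer $gateway -SessionHost $rdsh
Add-RDServer -Server $gateway -Role RDS-GATEWAY   -ConnectionBroker $broker -GatewayExternalFqdn $gateway
Add-RDServer -Server $gateway -Role RDS-LICENSING -ConnectionBroker $broker
Set-RDLicenseConfiguration -LicenseServer $gateway -Mode PerUser -ConnectionBroker $broker -Force

# The public certificate's name must match the gateway's public FQDN; apply it to every role the client talks to.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    Set-RDCertificate -Role $role -ImportPath 'C:\certs\host.wedoit.com.pfx' `
        -Password $pfxPassword -ConnectionBroker $broker -Force
}

# Windows firewall on the gateway: only the two inbound ports the post opens.
New-NetFirewallRule -DisplayName 'RD Gateway HTTPS' -Direction Inbound -Protocol TCP -LocalPort 443  -Action Allow
New-NetFirewallRule -DisplayName 'RD Gateway UDP'   -Direction Inbound -Protocol UDP -LocalPort 3391 -Action Allow
#endregion

#region Part 3 - collection, published RemoteApp, user assignment, session limits
$collection = 'Accounting'
$userGroup  = 'WEDOIT\RemoteAppUsers'
New-RDSessionCollection -CollectionName $collection -SessionHost $rdsh -ConnectionBroker $broker
New-RDRemoteApp -CollectionName $collection -DisplayName 'MyApp' -FilePath 'C:\App\MyApp.exe' `
    -UserGroups $userGroup -ConnectionBroker $broker
# Disconnected sessions are logged off after 60 min so they don't hold licenses;
# 0 means no limit for active and idle sessions, so nobody is kicked out mid-work.
Set-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker `
    -UserGroup $userGroup `
    -DisconnectedSessionLimitMin 60 -ActiveSessionLimitMin 0 -IdleSessionLimitMin 0
#endregion

#region Part 4 - on the session host: local admin for the app, RDP reachable only via gateway and admin IP
Invoke-Command -ComputerName $rdsh -ScriptBlock {
    net localgroup Administrators 'WEDOIT\RemoteAppUsers' /add
    # Keep the built-in Remote Desktop rules but restrict them to the gateway and the admin workstation,
    # so users with local admin rights cannot RDP straight into the server from elsewhere.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress '10.0.0.20', '203.0.113.10'
}
#endregion
```

Run the parts in order and from the machines named in the comments; Part 1 only needs AWS credentials, while Parts 2 to 4 need a domain admin account on the gateway. The security group and the session host's firewall together enforce the post's "lock down RDP 3389" advice: the only paths to port 3389 on app01 are the gateway (which brokers the RemoteApp sessions) and your own IP.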
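Two of the operational tips above, checking whether a slow t2 instance is running out of CPU credits and scheduling the nightly restart, as an added PowerShell example that is not part of the original post. It assumes the AWS Tools for PowerShell (AWS.Tools.CloudWatch) on your workstation and a placeholder instance ID i-0123456789abcdef0; the scheduled-task part runs as an administrator on each RemoteApp server.

```powershell
# Added example, not from the original post. Instance ID and the 20-credit threshold are placeholders.

# --- Pull the CPUCreditBalance metric so you can see the trend, not just today's value ---
function Get-CpuCreditTrend {
    param(
        [Parameter(Mandatory)] [string] $InstanceId,
        [int] $Hours = 24
    )
    $end   = (Get-Date).ToUniversalTime()
    $start = $end.AddHours(-$Hours)
    # One datapoint per hour; Minimum shows the worst point in each hour.
    $stats = Get-CWMetricStatistic -Namespace 'AWS/EC2' -MetricName 'CPUCreditBalance' `
        -Dimension @{ Name = 'InstanceId'; Value = $InstanceId } `
        -StartTime $start -EndTime $end -Period 3600 -Statistic Minimum
    $stats.Datapoints | Sort-Object Timestamp | Select-Object Timestamp, Minimum
}

$trend = Get-CpuCreditTrend -InstanceId 'i-0123456789abcdef0'
$trend | Format-Table -AutoSize
# A balance that keeps falling toward zero means the burst credits are exhausted and the
# instance is being throttled: that is the "slows down over time" symptom from the post.
$latest = ($trend | Select-Object -Last 1).Minimum
if ($latest -lt 20) {
    Write-Warning "CPU credit balance is $latest; consider a larger instance type, a bigger GP2 volume, or spreading apps across more session hosts."
}

# --- Nightly restart at 03:00 on the RemoteApp server (run there as administrator) ---
# /t 60 gives connected users a one-minute warning before the reboot.
$action  = New-ScheduledTaskAction -Execute 'shutdown.exe' -Argument '/r /t 60 /c "Nightly maintenance restart"'
$trigger = New-ScheduledTaskTrigger -Daily -At 3am
Register-ScheduledTask -TaskName 'RemoteApp Nightly Restart' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest
```

Checking the minimum per hour rather than a single reading tells you whether the balance recovers overnight (sizing is roughly right and the restart tip is enough) or never climbs back (the server is simply undersized for its users and apps).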
Now that you’ve moved your app off of your on-premises server, move your on-premises server to AWS or Azure using TrueStack Direct Connect, a VPN management server built to connect Windows and Mac computers to Windows domain controllers and file servers in your AWS or Azure clouds.