I manage several servers remotely and often need to connect to client computers to fix a problem or show someone how to accomplish specific tasks. In one case, the client computers are 200 miles away. In the past I've used Virtual Network Computing to access servers and clients alike. Using VNC requires opening a few non-standard ports in the firewall and, depending on firewall and network configuration, performing port forwarding. So, although VNC is free and wonderfully cross-platform, it nevertheless involves a bit of work to make systems accessible.
One other drawback to using a remote access solution like VNC is that you must install the server component on the remote computer and the client component on the local computer. That's often not a problem unless you need to manage a computer from a public computer or one on which you can't install the remote access client for other reasons. In these situations, the Remote Desktop Web Connection (RDWC) is a great alternative. Although RDWC doesn't eliminate the need to open ports in your firewall to enable access from the Internet, it does eliminate the need to install a remote access client. Here's how RDWC works, how you can use it to manage your servers and your workstations, and what you need to do to make it work through your firewall.
Remote Desktop Web Connection explained
RDWC is included with Windows Server 2003 and Windows XP. RDWC enables a computer on which it is installed to host Terminal Services Web Client connections from a Web browser. In other words, the client need not use the Remote Desktop Connection client or Terminal Services client to connect to the remote computer. Instead, the client can use a Web browser to initiate the connection.
RDWC comprises an ActiveX control, sample Web pages, and other files that enable a computer running Internet Information Services 4.0 or later to host remote connections. So, Windows Server 2003, Windows NT, Windows 2000, and Windows XP are all supported as the target server platform. The client must be running a Windows operating system with Internet Explorer 5.0 or later.
RDWC is a good solution for remote administration, but it's also a useful tool to enable you to connect to client computers for management and remote assistance. Beyond that, RDWC also offers an easy means for business partners, roaming users, and others to access a remote session without the need for you to deploy remote access client software.
How does RDWC work? When you install RDWC, Setup adds a Tsweb virtual directory to the Administration Web site on the target server. When you connect to that virtual directory, Internet Explorer automatically downloads a CAB file to your client computer if the RDWC ActiveX control is not already installed on it, or the version installed is older than the one hosted by the server. The ActiveX control installs automatically from the CAB file and a connection page appears. I'll explain the connection process from the client side shortly. First, let's get RDWC installed on your server. In this example I assume you're running Windows Server 2003, but I'll also cover other platforms, as well.
Configuring RDWC on Windows Server 2003
RDWC is included with Windows Server 2003 but is not installed by default. To install it, open the Add or Remove Programs applet in the Control Panel. Then, click the Add/Remove Windows Components button to launch the Windows Components Wizard. Click Application Server, click Details, and add Internet Information Services. Click Details, click World Wide Web Service, click Details, and add Remote Desktop Web Connection. Complete the wizard and allow Setup to install the specified components.
After Setup has finished, open the IIS Manager console and expand Web Sites\Default Web Site. You should see the Tsweb virtual directory there, and if you click it, you'll see the Msrdp.cab file listed in the right pane, along with a handful of other files, as seen in Figure A. There isn't any configuration required at IIS to get RDWC to accept connections. You do, however, need to enable remote connections for the server.
|RDWC adds a Tsweb virtual directory to the Default Web Site.|
Right-click My Computer and choose Properties to open the System Properties dialog box. Click the Remote tab and enable the option Allow Users to Connect Remotely to this Computer. By default, members of the Administrators group can connect remotely but others cannot. How you proceed at this point to enable other users to connect to the computer with RDWC depends on the server's configuration. First, let's look at the scenario of a stand-alone or member server.
If the server is not a domain controller, enabling users for RDWC is easy. On the Remote tab of the server's System Properties dialog box, as seen in Figure B. Next, click Select Remote Users. In the resulting Remote Desktop Users dialog box, click Add, enter the user name, and click OK. Repeat the process to add other existing accounts.
|Enable remote access on the Remote tab of the System Properties.|
When you add users in this way, Windows Server adds the users to the Builtin\Remote Desktop Users group. In fact, the Remote Desktop Users dialog box simply shows the members of this group and provides an interface through which you can modify its members. This group by default is assigned the right, Allow Log On Through Terminal Services, which enables members of the group to log on remotely through RDWC. If you prefer, you can add users to this group through the Local Users And Computers console rather than the System Properties dialog box. If the server is a member of a domain, you can also add domain accounts to the local Remote Desktop Users group to enable those users to connect through RDWC.
If the server is a domain controller, you need to take an additional step to allow users other than members of the administrators group to log on through RDWC. Open the Default Domain Controller Security Settings console by clicking Domain Controller Security Policy in the Administrative Tools folder. Locate the policy Local Policies\User Rights Assignment\Allow Log On Through Terminal Services. Open the policy and set it to Enabled. Next, add the Administrators group, Remote Desktop Users group, and any other individual users or groups that you want to have remote access to the domain controller. Naturally, you should be judicious in the accounts and groups to which you grant access.
Connecting to the server with RDWC
After you have installed RDWC on the server and configured accounts as necessary, it's easy to connect to the server. Open Internet Explorer on your workstation and browse to http://server/tsweb, where server is the host name of the target server you want to connect to. For example, if the server's host name is bart, connect to http://bart/tsweb.
Depending on your network configuration and where the server is located, you might need to use a fully qualified domain name (FQDN) in the URL. Check the properties for the Default Web Site on the target server to determine which host headers, if any, are assigned to the Default Web Site. Open the IIS Manager console from the Administrative Tools folder, right-click the Default Web Site, and choose Properties. Click Advanced on the Web Site tab and look in the Multiple Identities For This Web Site list to locate the host headers. If the only entry is Default, you can use the IP address of the server in place of the host name. Or, consider adding a host header specifically for RDWC.
When you connect to the URL, IIS displays a page that lets you specify the server to which you want to connect and prompts for a screen size, as shown in Figure C. If you choose the option Send Logon Information For This Connection, the page shows User Name and Domain fields. These fields are optional and only prepopulate the logon dialog box—they don't actually cause logon to occur.
|Enter the server's host name or IP address and click Connect.|
After you click Connect, you should see a logon dialog box appear. If you chose the Full Screen option, your display at this point looks exactly like a Remote Desktop Connection session. Press [Ctrl][Alt][Pause] to switch from Full Screen to a windowed view, where you'll see that you're actually making the connection from within Internet Explorer. Press [Ctrl][Alt][Pause] again to switch back to Full Screen mode, enter your logon credentials, and click OK. A desktop session should then appear and you can manage the server as if you were logged on at the local console, subject to the permissions and rights assigned to your account.
RDWC on other platforms
By itself, the capability to manage a server remotely through RDWC is very useful. However, RDWC doesn't limit you to access to that single server.
For example, let's assume you have installed RDWC on several servers in your enterprise and you want to be able to access all of them from your management workstation inside your network. When you connect to that server's Tsweb URL, just enter the host name of the computer you want to manage. As long as RDWC is configured on that target server, you should receive a logon prompt from it and be able to initiate a remote session to that server. Just make sure you specify a host name that can be properly resolved from your workstation, or specify the local IP address of the target server.
You also don't need to limit RDWC to Windows Server 2003 computers. You can run RDWC on Windows NT 4.0, Windows 2000 Professional and Server, and Windows XP Professional. Essentially, if the computer is running IIS 4.0 or later, you can install RDWC on it to enable remote access from a Web browser. To obtain RDWC for these earlier versions of Windows, download RDWC from Microsoft's Web site.
Using RDWC with NAT
It's a common misconception that RDWC eliminates the need to configure port forwarding to access computers behind a NAT-enabled firewall. You need to forward HTTP traffic to the computer, along with the port assigned for the client connection. The best solution if you need to access multiple computers behind a firewall is to use a VPN client to connect to the network. With that done, you can simply connect to any RDWC server using the default ports 80 and 3389 because NAT is no longer an issue.
If you do need to make RDWC work through NAT, you can certainly do so. For example, assume you already have a main server to which ports 80 and 3389 are already forwarded, enabling you to access that server from the Internet for RDWC. You add another server and want to also be able to access it through RDWC from the Internet. You must use different ports for HTTP and the client connection on this second server, so let's assume you're going to use 8081 for HTTP and 4115 for the client connection. That means port mapping these two ports in the firewall to the target computer.
In addition, you also need to configure the target computer's Web site to respond to the port you have chosen for HTTP. To do so, open the properties for the Web site, click the Web Site tab, and click Advanced. Click Add and add an identity that includes the specified port. You won't need to specify a host header name. As long as the appropriate port is forwarded to the computer for the incoming HTTP traffic, you'll be able to hit the server's Web page. Just specify the URL in the form http://public IP:port or http://hostname:port, such as http://126.96.36.199:8081 or http://www.techrepublic.com:8081.
Next, configure two settings on the server to enable it to listen on the appropriate port for the client connection. First, determine where the Tsweb virtual directory is located. Open the IIS console, right-click the Tsweb virtual directory, and note the path in the Local Path field on the Virtual Directory tab. Open the Default.htm file in that target directory in Notepad or other Web editor, as shown in Figure D.
|Add the RDPPort entry to Default.htm.|
Search for the group of lines that start with:
After the last of these lines, add the following new line (assuming port 4115 for this example):
MsRdpClient.AdvancedSettings2.RDPPort = 4115
While you're editing the Default.htm file, you might also want to make a few other changes to the HTML content of the page. For example, you might want to add the computer name, a security warning or disclaimer, or company logo to the file.
After you save the file, open the Registry Editor and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Edit the PortNumber value to correspond to the target port, which again in this example is 4115. Then, close the Registry Editor.
At this point, your server should be accessible from the outside world. Point Internet Explorer to http://public server:8081. Assuming you have configured NAT properly, you should see the RDWC connection page. In the Server field, enter the same public IP address or fully qualified host name you use for the server portion of the URL and click Connect (don't include the connection port number). The combination of port forwarding and the changes you made to Default.htm and the registry should cause the client connection to succeed.
Things to remember
If you are going to be providing remote access to any computer on your network, whether through RDWC or other mechanism, you should do everything you can to ensure that the systems are secure and that you are not opening the network to compromise. Obviously, you should consider carefully which users are granted remote access. Even administrators should have limited remote access to servers.
Also, don't forget that remote access through RDWC is essentially the same as physical access to a server and all of the applications and resources on that server. So, access to a single server could potentially give a remote user access to other computers on the network through various server management tools on the server (MMC consoles, for example) that support remote connections and management of computers across the network. Whether you make RDWC connections available from outside the network or only from inside the network, you should enforce strong passwords for all users who are given remote access.