How to publish RemoteApp applications successfully with UAG

A new feature of UAG 2010 is the publishing of a RemoteApp application on a single RDS server or by using an RDS connection broker. You can find the necessary steps to publish RemoteApps in the TechNet library at https://technet.microsoft.com/en-us/library/ee441339.aspx.

Although this step-by-step guide covers all basic configuration points, you have to consider some additional important configuration settings in a real-world deployment with external and unmanaged clients.

1. RDS server certificate from a trusted public issuer

As soon as external and unmanaged clients access your portal and RemoteApps, you have to carefully examine the RDS server certificate. By default, a self-issued (self-signed) certificate is used. The recommendation from the RDS team is to use a public certificate (which means a certificate issued by one of the trusted public certification authorities). Please see https://technet.microsoft.com/en-us/library/cc770833.aspx for more information.

2. RDS server certificate from an internal PKI

However, if you plan to use a certificate from your internal PKI, you have to ensure that:

  • Both the AIA and the CDP are accessible internally as well as externally. To test if the AIA and CDP are accessible, you can use the following command:
    certutil -v -urlfetch -verify <RDSServer>.cer
  • The certificate of the issuer is installed in the local computer’s trusted root certification authorities store (the user’s store doesn’t suffice; it must be the local computer’s store).
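
Both requirements can be checked from a client with a short PowerShell script. This is an added example, not part of the original post; the file name `.\RDSServer.cer` is an assumption. It tests only the HTTP(S) URLs found in the AIA and CDP extensions (LDAP URLs are skipped) and then looks for the chain's root in the local computer's store.

```powershell
# Added example. Run it on an internal client and again on an external one.
param([string]$CertPath = '.\RDSServer.cer')   # assumed file name of the exported RDS certificate

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $CertPath).Path

# Requirement 1: every AIA and CDP URL must be reachable from this network location.
$oids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
foreach ($ext in $cert.Extensions) {
    $kind = $oids[$ext.Oid.Value]
    if (-not $kind) { continue }
    # Format() renders the extension as text; extract the HTTP(S) URLs from it.
    $urls = @([regex]::Matches($ext.Format($true), 'https?://[^\s,)]+') |
              ForEach-Object { $_.Value } | Select-Object -Unique)
    foreach ($url in $urls) {
        try {
            $req = [System.Net.WebRequest]::Create($url)
            $req.Timeout = 10000                      # milliseconds
            $resp = $req.GetResponse()
            $status = 'reachable ({0})' -f [int]$resp.StatusCode
            $resp.Close()
        } catch {
            $status = 'NOT reachable: ' + $_.Exception.Message
        }
        '{0}   {1}   {2}' -f $kind, $url, $status
    }
}

# Requirement 2: the issuer's root must be in the local computer's store, not only the user's.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'         # only the chain path matters for this check
[void]$chain.Build($cert)
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Subject -ne $top.Issuer) {
    "ROOT  chain is incomplete; no issuer certificate found for '$($top.Subject)'"
} else {
    $hit = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint })
    if ($hit.Count -gt 0) {
        "ROOT  '$($top.Subject)' is in LocalMachine\Root"
    } else {
        "ROOT  '$($top.Subject)' is NOT in LocalMachine\Root (a copy in the user store does not suffice)"
    }
}
```

The chain is built in the user's context, so it also completes when the root exists only in the user store; the thumbprint lookup in `Cert:\LocalMachine\Root` is what distinguishes the two cases.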

If the RemoteApps still do not work because of problems with the CRL, you can ignore revocation errors by modifying the appropriate registry key on a Windows 7 client:

  • DWORD key: UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
  • Location: HKLM\System\CurrentControlSet\Control\LSA\CredSSP
  • Value: 1

3. Digitally signing RemoteApp applications

Digitally signing your RemoteApp applications is also a good idea, for example to help protect against manipulated .rdp files or to reduce the number of displayed confirmation dialogs (also called Web SSO). The digital signing process is described at https://technet.microsoft.com/en-us/library/cc754499.aspx. Digitally signed apps can be exported and imported in UAG like unsigned RemoteApps.

Author:
Dominik Zemp, Tech Solution Prof, Microsoft Switzerland

Reviewer:
Meir Feinberg, Technical Writer, Forefront Edge