What is the Remote Desktop Services Best Practices Analyzer (BPA) tool?
The BPA is designed to help identify configuration and operational problems in Remote Desktop Services.
Will the BPA tool assist in Remote Desktop Gateway configurations?
Yes. The BPA tool covers many Remote Desktop Services configuration issues. This article focuses only on Remote Desktop Gateway.
How do you run the Best Practice Analyzer?
To run the Best Practices Analyzer against the Gateway service, open Server Manager on the server, expand Roles and highlight Remote Desktop Services. In the details pane you will see a “Best Practices Analyzer” section. To run the analyzer, or to rerun it after you have made the suggested changes, click “Scan This Role” on the right side of the logs.
Note: Keep in mind that the BPA tool is only available on Server 2008 R2. The updates for the Remote Desktop Services BPA arrive through Automatic Updates. If you do not see the BPA options in Server Manager, it is possible the server is not fully up to date. You can install the following stand-alone update to get access to the RDS BPA: http://www.microsoft.com/downloads/details.aspx?FamilyId=f6caef13-8500-43fa-93a9-640be441b925&displaylang=en
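The same scan can be run from PowerShell with the BestPractices module that ships with Server 2008 R2, which is handy for scripting a pre-production check or saving a report. The script below is an added example, not part of the original article; the way it discovers the RDS model ID (matching “TerminalServices” or “RemoteDesktop” in the output of Get-BpaModel) is an assumption, so confirm the ID on your server and set $modelId by hand if the pattern does not match.

```powershell
# Added example (not from the original article): run the RDS Best Practices Analyzer from
# PowerShell instead of Server Manager and list only the noncompliant results.
# Requires Windows Server 2008 R2 (or later) with the BestPractices module and the RDS BPA update.
Import-Module BestPractices

# Assumption: the RDS model ID contains "TerminalServices" or "RemoteDesktop". Confirm it with
# Get-BpaModel and set $modelId explicitly if this pattern does not match on your server.
$model = Get-BpaModel | Where-Object { $_.Id -match 'TerminalServices|RemoteDesktop' } | Select-Object -First 1
if (-not $model) { throw 'RDS BPA model not found; install the RDS BPA update and try again.' }
$modelId = $model.Id

# Equivalent of clicking "Scan This Role" in Server Manager.
Invoke-BpaModel -ModelId $modelId | Out-Null

# Keep only Warning/Error results; compliant rules come back with Severity "Information".
$problems = Get-BpaResult -ModelId $modelId |
    Where-Object { $_.Severity -eq 'Error' -or $_.Severity -eq 'Warning' } |
    Select-Object Severity, Category, Title, Problem, Impact, Resolution, Help

# The same fields you get by double-clicking a log in Server Manager.
$problems | Format-List

# Equivalent of "Copy Result Properties": keep the report for a ticket or a change record.
$report = Join-Path $env:TEMP ("rds-bpa-" + (Get-Date -Format 'yyyyMMdd-HHmm') + ".csv")
$problems | Export-Csv -Path $report -NoTypeInformation
"Noncompliant results: $(@($problems).Count); report saved to $report"
```

Rerun the script after fixing each item; the count should drop to zero once the basic gateway configuration is complete.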
What are the possible errors or compliant states that may be seen? In other words, what types of tests are run?
The BPA covers two categories: Configuration and Operations. Each category has rules that produce either a compliant or a noncompliant log. Here is the list of rules, each of which can appear as compliant or noncompliant:
- RDS: Members of an RD Gateway server farm should be available on the network and configured identically
- RDS: RD Gateway must be configured to use an SSL certificate signed by a trusted certification authority
- RDS: The RD CAP stored on the server running NPS must be configured correctly to support RD Gateway
- RDS: The RD Gateway server must be configured to use a valid SSL certificate
- RDS: The RD Gateway server must have at least one RD CAP enabled
- RDS: The RD Gateway server must have at least one RD RAP enabled
- RDS: The RD Gateway server should be configured to allow an adequate number of simultaneous connections
- RDS: The RD Gateway server should be configured to allow connections from all supported clients
- RDS: The RD Gateway server should be configured to allow new connections
- RDS: The RD Gateway server must be able to contact Active Directory Domain Services
- RDS: The RD Gateway server must be able to contact the server running NPS
- RDS: The Remote Desktop Gateway service must be running on the RD Gateway server
- RDS: The Web site that the RD Gateway server is configured to use must be started on the Web (IIS) server
Using Best Practice Analyzer to configure your basic Gateway environment
Can you use the BPA to help configure your Gateway server for a standard single-server environment? The answer is yes! The only thing it cannot assist with is the perimeter firewall configuration. For help with that and other advanced configurations you can always use the step-by-step guide that is available at the following link:
The question you should be asking yourself to start the process is:
What should I expect to see in the BPA output if RD Gateway is installed on a domain member server but not yet configured?
In a default install of the RD Gateway role service on a domain-joined 2008 R2 server you will see that the following rules are compliant from the start:
- The RD Gateway server must be able to contact Active Directory Domain Services
- The RD Gateway server should be configured to allow an adequate number of simultaneous connections
- The RD Gateway server should be configured to allow connections from all supported clients
- The RD Gateway server should be configured to allow new connections
- The Remote Desktop Gateway service must be running on the RD Gateway server
- The Web site that the RD Gateway server is configured to use must be started on the Web (IIS) server
- The RD Gateway server must have at least one RD CAP enabled
- The RD Gateway server must have at least one RD RAP enabled
- The RD Gateway server must be configured to use a valid SSL certificate
By using the Best Practices Analyzer you can walk step-by-step through a basic Remote Desktop Gateway setup: go through each noncompliant log and resolve the issue it describes. To get more detail on a log, double-click it (to copy a log, highlight it and choose “Copy Result Properties” from the menu to the right of the logs). An expanded error log shows the issue, the impact it causes, a resolution, and a link to a help page with detailed resolution procedures (keep in mind that the server needs an Internet connection to open the detailed resolutions).
Here is an example of an expanded error log:
Once you have gone through each of the noncompliant logs and resolved the configuration issues, rerun the BPA tool. You should see that all the errors have changed to success logs:
Note: The BPA tool reports only configuration and operational data. It is best used together with other troubleshooting tools when working through problems in your environment.
BPA’s Configuration Logs
The following BPA logs revolve around configuration problems in your Gateway environment.
Certificates are currently one of the main problem areas in configuring Remote Desktop Gateway. These are the three logs you should expect to see while configuring the Gateway certificate:
1. No certificate is bound to Gateway:
Note: You may also see this error when the certificate bound to the Gateway service does not carry the fully qualified domain name of the Gateway server as either the Subject or a Subject Alternative Name.
2. What to expect when using a Self-signed Certificate created in the RDG Manager:
Note: Self-signed certificates should only be used in pilot or test environments; clients will not trust them unless the certificate is installed on each of them. The warning explains the technical reasons.
3. What to expect when an internal Certificate Authority or a Public Certificate Authority has assigned the certificate that is bound:
Note: This log only indicates that the bound certificate is not self-signed: the BPA looks at the “Issued By” field and checks whether a matching Trusted Root Certification Authority certificate exists in the store. It does not state that the bound certificate is functional (name match, expiry, private key, chain). Further troubleshooting with additional tools may be required.
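To cover what the three certificate logs check, and the gaps the third one leaves, the script below inspects the bound certificate directly. It is an added example and not part of the original article; it assumes you paste the thumbprint shown in RD Gateway Manager > Properties > SSL Certificate into $thumbprint, and that the server's own FQDN is the name clients will connect to.

```powershell
# Added example (not from the original article): check the certificate bound to RD Gateway for the
# conditions behind the three BPA certificate logs, plus the chain, expiry, key and EKU checks the
# BPA does not perform.
# Assumption: $thumbprint is the thumbprint shown under RD Gateway Manager > Properties > SSL Certificate.
$thumbprint = 'PASTE-THUMBPRINT-HERE'

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My (log 1: nothing usable is bound)" }

# Log 1, second cause: the gateway FQDN must be the Subject CN or a DNS Subject Alternative Name.
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) {
    # Format($false) returns text such as "DNS Name=gw.contoso.com, DNS Name=gw"
    $names += @($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() })
}
$nameOk = $names -contains $fqdn

# Log 2: a self-signed certificate has the same DN as subject and issuer.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# Log 3 and beyond: the BPA only looks for a root matching "Issued By". X509Chain also verifies
# signatures and validity periods up the chain (revocation skipped here to keep the check offline).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# Not checked by the BPA at all: private key present, Server Authentication EKU, not expired.
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$serverAuth = $false
if ($ekuExt) {
    $serverAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
}
$now = Get-Date
$inDate = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

New-Object PSObject -Property @{
    Fqdn          = $fqdn
    Subject       = $cert.Subject
    NamesOnCert   = ($names -join ', ')
    NameMatches   = $nameOk
    SelfSigned    = $selfSigned
    ChainBuilds   = $chainOk
    ChainStatus   = $chainStatus
    InValidityPeriod = $inDate
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
    ServerAuthEku = $serverAuth
} | Format-List
```

A certificate that passes the BPA but shows NameMatches False, HasPrivateKey False or ChainBuilds False here will still fail on the client side, which is exactly the “not in a functional state” case the note above warns about.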
Connection Authorization and Resource Authorization Policies (CAP & RAP)
The BPA tool only determines whether at least one CAP and at least one RAP are enabled. It does not look inside individual CAP and RAP rules for misconfigurations (wrong user groups, wrong computer groups, wrong ports). Here are the basic logs that can be seen:
Note: If you are seeing errors when trying to connect that lead you to CAP or RAP configuration issues refer to available logging tools and TechNet articles to troubleshoot.
The BPA can also tell you if every one of your CAP policies in Network Policy Server is set to “Deny Access”:
Note: CAP policies are stored as network policies in Network Policy Server (formerly Internet Authentication Service, Microsoft’s RADIUS server); they can be stored in the local NPS or on an existing central NPS server. RAP policies are stored as an XML file on the local Gateway server.
This is the error you will see in the Best Practices Analyzer when your policies are configured as above:
If you open the RD Gateway Manager MMC and open the properties of the server, you will see that the General tab is dedicated to maximum connections. You can limit the number of simultaneous connections to a specific value, allow the maximum supported, or disable new connections:
When you limit connections to 1 as shown above, the BPA tool produces a specific warning, as this is not a recommended configuration:
If you disable new connections, the BPA tool gives you not only the warning shown above but also the warning about new connections:
Note: You should be able to diagnose these problems from the client side as well, because the Remote Desktop Connection client gives a very descriptive error for them, shown below. Run before the Gateway server goes into production, the BPA tool will catch this before it becomes a problem.
Client error when RD Gateway Server is not configured with enough connections:
Support for Down-level Remote Desktop Clients
One of the new features in Remote Desktop Gateway on Server 2008 R2 is the ability to refuse users connecting through the Gateway unless they are using the latest Remote Desktop Connection client (RDC 7.0 or later). The BPA will let you know when this option is set, since it blocks otherwise supported down-level clients.
Here is the location in Gateway Management properties to turn this feature on:
Here is the warning given by the BPA tool:
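The CAP/RAP, maximum-connections and down-level-client settings covered in the three sections above can also be read straight from the RD Gateway WMI provider, which is useful when you want a scripted check rather than a walk through RD Gateway Manager. The script below is an added example, not part of the original article. The namespace, class and property names it uses (root\cimv2\TerminalServices, Win32_TSGatewayServerSettings, Win32_TSGatewayConnectionAuthorizationPolicy, Win32_TSGatewayResourceAuthorizationPolicy, and the CentralCAPEnabled, UnlimitedConnections, MaxConnections, OnlyConsentCapableClients and Enabled properties) are assumptions taken from the 2008 R2 provider and should be confirmed with Get-WmiObject -List before you rely on them.

```powershell
# Added example (not from the original article): read the RD Gateway settings behind the CAP/RAP,
# maximum-connections and client-version BPA logs directly from the RD Gateway WMI provider.
# Assumption: class and property names are those of the Windows Server 2008 R2 provider; verify with
#   Get-WmiObject -Namespace root\cimv2\TerminalServices -List | Where-Object { $_.Name -like 'Win32_TSGateway*' }
$ns   = 'root\cimv2\TerminalServices'
$gw   = Get-WmiObject -Namespace $ns -Class Win32_TSGatewayServerSettings
$caps = @(Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy)
$raps = @(Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy)

$findings = @()

# "At least one RD CAP enabled": when CAPs live on a central NPS server the local list is not used
# (assumed property CentralCAPEnabled), so the check has to be made on that server instead.
if ($gw.CentralCAPEnabled) {
    $findings += 'CAPs are stored on a central NPS server; check the RD Gateway network policies there.'
} elseif (-not @($caps | Where-Object { $_.Enabled }).Count) {
    $findings += 'No enabled RD CAP: every connection through the gateway will be refused.'
}

# "At least one RD RAP enabled" (RAPs are always local).
if (-not @($raps | Where-Object { $_.Enabled }).Count) {
    $findings += 'No enabled RD RAP: no internal resource can be reached through the gateway.'
}

# "Adequate number of simultaneous connections" (General tab of the server properties).
if (-not $gw.UnlimitedConnections) {
    if ($gw.MaxConnections -lt 2) {
        $findings += "Maximum simultaneous connections is $($gw.MaxConnections); the BPA warns on limits this low."
    } else {
        "Maximum simultaneous connections is limited to $($gw.MaxConnections)."
    }
}

# "Allow connections from all supported clients": requiring consent-capable clients rejects RDC < 7.0
# (assumed property OnlyConsentCapableClients).
if ($gw.OnlyConsentCapableClients) {
    $findings += 'Only RDC 7.0 or later clients are allowed; down-level clients will be refused at the gateway.'
}

# Summary, including the per-policy view you would otherwise read from RD Gateway Manager.
$caps | Select-Object @{n='Type';e={'CAP'}}, Name, Enabled
$raps | Select-Object @{n='Type';e={'RAP'}}, Name, Enabled
if ($findings.Count -eq 0) { 'No gateway policy, connection-limit or client-version problems found.' } else { $findings }
```

Unlike the BPA, this does not tell you whether a given user or computer is actually allowed by a CAP or RAP; for that you still need the RD Gateway operational event log and the NPS accounting logs mentioned above.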
RD Gateway Farm Configurations
There are a couple of conditions the BPA tool can detect when you use an RD Gateway farm. One is a mix of operating system versions running Gateway within the farm (Server 2008 R2 and Server 2008); the other is a Gateway server in the farm being unreachable. Here is an example of what you will see in the logs for these two issues:
Note: Remember the more information link! By clicking on that you will be able to find technical details to resolve your issue.
BPA’s Operational Logs
The BPA logs reviewed so far deal with configuration problems in your Gateway environment. The ones covered below deal with operational issues that stop the Gateway server from working as intended or that could cause problems in client communications. These are issues such as being unable to communicate with Active Directory, or services that RD Gateway depends on being down.
RD Gateway Services
The BPA tool can assist in letting you know if your RD Gateway service has stopped on the server. Here are the logs you will see regarding that event:
RD Gateway Web Site
RD Gateway and Internet Information Services are tightly integrated. When you install RD Gateway, IIS is installed along with the Rpc and RpcWithCert virtual directories in the Default Web Site. Gateway uses IIS to set up the RPC over HTTPS tunnels that carry client-to-server communications. If the Web site is stopped or IIS is down, the BPA produces the following logs:
Network Policy Services
Network Policy Server is another key component used by RD Gateway. Gateway stores not only all of its Connection Authorization Policies as NPS policies but also its Network Access Protection (NAP) configuration. When the local NPS service stops and your Gateway is configured to use the local CAP store, you will typically see the Gateway service stop as well. If you use a central NPS server and the Gateway service cannot communicate with it, you will see the following log when you run the BPA tool:
– Brett Crane