Customizing RD Web Access
RD Web Access automatically customizes the view of RemoteApp programs and virtual desktops based on which ones the user has permission to access. Access to these resources is configured in the properties of the RemoteApp programs and collections.
Another simple customization for RD Web Access is placing RemoteApp programs into folders. If many RemoteApp programs are available, this makes it easier for users to find specific RemoteApp programs. This is configured in the properties of the RemoteApp program.
Some organizations like to customize the look of the RD Web Access site to include their company logo or an access policy. The files for the RD Web Access site are located in C:\Windows\Web\RDWeb\Pages. The simplest modification you can make is replacing images with your own. If you make more complex modifications, you will need to fine-tune the layout of the pages. When you customize the RD Web Access pages, you need to make the same customizations on all RD Web Access servers.
Note:
When you apply updates to RD Web Access servers, it is possible that the pages you've modified will be overwritten by the update. Make sure you have a backup of the modifications you've made.
There also are application settings for RD Web Access that you can configure in the Internet Information Services (IIS) Manager or the web.config file. You can modify the following settings:
- PrivateModeSessionTimeoutInMinutes:
This value specifies the time after which a user has to retype his or her credentials if the user connects to the RD Web Access portal from a private computer. By default, this value is 240 minutes, which means that a user has to reauthenticate with the portal after 4 hours.
- PublicModeSessionTimeoutInMinutes:
This value specifies the time after which a user has to retype his or her credentials if the user connects to an RD Web Access portal from a public or shared computer. By default, this value is 20 minutes.
- PasswordChangeEnabled:
By default, this setting is set to false. If you enable it, users will be able to change their Active Directory Domain Services (AD DS) password on the RD Web Access portal, but only if their password has expired or if they must change their password at next sign-in. If neither of these prerequisites is met, users won't be able to change their password on the portal.
- LocalHelp:
By default, this setting is set to false, which means that if a user clicks the Help link on the RD Web Access portal, he or she is directed to help information that is available on the Microsoft portal. If you set this value to true, local help information from an RD Web Access server will be used.
- ShowDesktops:
By default, this setting is set to true, which adds a Connect To A Remote PC tab on the RD Web Access portal. On this tab, you can specify the computer to which you want to connect, remote desktop size, and device redirection settings. By using this tab, you can connect to any computer that has Remote Desktop enabled, not only to RDS resources. If you set the ShowDesktops setting to false, the Connect To A Remote PC tab is hidden from the RD Web Access portal.
- xClipboard, xDriveRedirection, xPnPRedirection, xPortRedirection, xPrinterRedirection:
These settings control if the Clipboard, drives, supported Plug and Play (PnP) devices, serial ports, and printers redirect by default from your client computer to the remote session. By default, only Clipboard and local printers redirect. These settings apply when connecting to RDS resources and when initiating a connection from the Connect To A Remote PC tab, but you can modify them if needed.
To modify an application setting for RD Web Access by using IIS Manager, perform the following steps:
- In Server Manager, click Tools and click Internet Information Services (IIS) Manager.
- In IIS Manager, in the navigation pane, expand the server, expand Sites, expand Default Web Site, expand RDWeb, and click Pages.
- In the details pane, double-click Application Settings.
- Right-click the setting you want to change and click Edit.
- In the Edit Application Setting dialog box, in the Value box, enter the new value and then click OK.
- Close IIS Manager.
Note:
Changes to the Pages application take effect immediately. You don't need to restart the website. Users will see the changes if they refresh their browser.
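The application settings listed above can also be reviewed from the command line. The following is an added example, not part of the original text: it parses the appSettings section and compares the timeout, ShowDesktops, and redirection values against a baseline. The embedded XML is a constructed sample holding the defaults described above, and the baseline values and the function name Test-RDWebAppSetting are hypothetical.

```powershell
# Added example: check RD Web Access appSettings against a baseline.
# The XML is a constructed fragment holding the defaults described in the text.
# On a server, load the real file instead:
#   [xml]$config = Get-Content -Raw 'C:\Windows\Web\RDWeb\Pages\web.config'
[xml]$config = @'
<configuration>
  <appSettings>
    <add key="PasswordChangeEnabled" value="false" />
    <add key="PrivateModeSessionTimeoutInMinutes" value="240" />
    <add key="PublicModeSessionTimeoutInMinutes" value="20" />
    <add key="ShowDesktops" value="true" />
    <add key="xClipboard" value="true" />
    <add key="xDriveRedirection" value="false" />
    <add key="xPnPRedirection" value="false" />
    <add key="xPortRedirection" value="false" />
    <add key="xPrinterRedirection" value="true" />
  </appSettings>
</configuration>
'@

# Hypothetical baseline: Max = upper bound in minutes, Is = required value.
$baseline = [ordered]@{
    PrivateModeSessionTimeoutInMinutes = @{ Max = 60 }
    PublicModeSessionTimeoutInMinutes  = @{ Max = 20 }
    ShowDesktops                       = @{ Is = 'false' }
    xClipboard                         = @{ Is = 'false' }
    xDriveRedirection                  = @{ Is = 'false' }
}

function Test-RDWebAppSetting {
    param([Parameter(Mandatory)][xml]$Config, [Parameter(Mandatory)]$Baseline)
    foreach ($key in $Baseline.Keys) {
        $rule    = $Baseline[$key]
        $node    = $Config.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
        $actual  = if ($node) { $node.GetAttribute('value') } else { $null }
        $minutes = 0
        $ok = if ($null -eq $actual) {
            $false    # a missing key is reported, not assumed compliant
        } elseif ($rule.ContainsKey('Max')) {
            [int]::TryParse($actual, [ref]$minutes) -and $minutes -le $rule['Max']
        } else {
            $actual -ieq $rule['Is']
        }
        [pscustomobject]@{ Setting = $key; Actual = $actual; Compliant = $ok }
    }
}

Test-RDWebAppSetting -Config $config -Baseline $baseline | Format-Table -AutoSize
```

Because customizations must match on all RD Web Access servers, running the same check against each server's web.config also shows configuration drift between them.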
Understanding device redirection
Device redirection is used to make resources from client devices available to a virtual desktop or RemoteApp programs. For example, device redirection can allow drive letters and printers in the client device to be accessible from within a virtual desktop or RemoteApp program. You can control which devices can be redirected from the properties of a collection. Allowing device redirection improves the user experience by simplifying the environment.
Redirection can be enabled for the following:
- Audio And Video Playback:
Enables audio generated by applications running in a remote session to be played on the local device.
- Audio Recording:
Enables applications running in a remote session to use a microphone connected to the local device.
- Smart Cards:
Enables applications running in a remote session to authenticate by using a smart card reader attached to the local device.
- Plug and Play Devices:
Allows various PnP devices, typically USB, to be redirected and accessible to applications running in a remote session. For example, an application may require a USB key to be inserted to verify license compliance, or a video camera could be used for video conferencing. USB drives and USB printers aren't in this category.
- Drives:
Allows access to local drive letters in the remote session. This allows users to save data to their local device. Some organizations disable this option because they consider it a security risk.
- Clipboard:
Allows users to copy and paste data between the remote session and their local device. This is important to provide full integration with the Windows Desktop for RemoteApp programs. Some organizations disable this option because they consider it a security risk.
PnP device redirection
PnP devices are redirected to the RD Session Host server when they are plugged in. The devices don't need to be plugged in when you start the session. For example, you can connect a USB video camera to a client device while the session is open. The USB video camera will be added to the session and accessible to applications.
Unlike some other redirection options, PnP device redirection isn't supported over multiple cascaded remote desktop connections. This typically isn't relevant for users, but it may be relevant for administrators who connect to a session-based virtual desktop and then, from that session-based virtual desktop, connect to other servers for remote administration.
Understanding printer redirection
When you connect to a virtual desktop or start a RemoteApp program, all local printers by default redirect to a remote session. This provides you with the same printer devices in the remote session as you can use locally. Printer redirection settings in a session collection are as follows:
- Allow Client Printer Redirection:
Enables printers installed on the client device to be used in the remote session.
- Use The Client Default Printing Device:
Configures the default printer in the session to be the same as the default printer configured on the client device. This makes printing in RemoteApp programs behave in the same way as in local applications.
- Use The Remote Desktop Easy Print Print Driver First:
Specifies that the Remote Desktop Easy Print driver is preferred over device-specific printer drivers.
Before Remote Desktop Easy Print was available, to redirect printers you needed to install printer drivers on the RD Session Host server that matched the printer drivers installed on clients. The printer driver on the RD Session Host server would generate the print job, which would be passed to the printer on the client for printing. If the correct printer driver was not installed on the server, then the printer was not available in the remote session. Remote Desktop Easy Print was introduced in Windows Server 2008.
Another concern before Remote Desktop Easy Print was the size of the print jobs being transferred between the clients and RD Session Host servers. Because the print jobs were generated with printer-specific drivers, some of the print jobs were very large. This is because some inexpensive printers do most of the processing in Windows and send a large rendered file to the printer. Large print jobs would cause printing to be slow, and in some cases they would saturate WAN or Internet connections. The Remote Desktop Easy Print driver provides two benefits:
- Eliminates print driver management on RD Session Host servers:
The Remote Desktop Easy Print universal driver acts as a proxy and redirects all printing-related work to the client, even if the drivers for the local printer aren't available on the RD Session Host server. Remote Desktop Easy Print renders the print document in XPS format on the RD Session Host server and then transfers it to the client, where the local printer driver prints the document. Because an XPS document is platform-independent and you can print it on any platform, there are no cross-platform compatibility issues when using Remote Desktop Easy Print.
- Reduces printing-related network traffic:
XPS-formatted print jobs generated by Remote Desktop Easy Print are smaller than many of the print jobs generated by printer-specific drivers. In some cases, the print job transferred between the RD Session Host and client device is reduced by over 90 percent.
Note:
Remote Desktop Easy Print is supported by Remote Desktop Connection 6.1 and newer. This is available in Windows XP SP3 and newer.
Managing connections
When a user is connected to an RD Session Host server to access RemoteApp programs or a session-based virtual desktop, you can perform some simple management of the connection. When you are viewing a collection in Server Manager, the Connections area has a list of connections to the collection. By default, Server Manager updates this list every 10 minutes. Remember to refresh the list to get the current list of connections.
The management options for a connection are as follows:
- Disconnect:
You can disconnect a user from a connection. Even if a session is in a disconnected state, it still runs, and the user can reconnect to the session later. By default, sessions that are in a disconnected state are never ended, but you can configure a time limit for such sessions.
- Log Off:
You always can sign out of a remote session, but if a session is in a disconnected state, this is the only available option. Signing out closes all the applications that run in the remote session without saving changes, and it signs out the user. This removes the user session, and if a user initiates a connection again, a new connection will be established.
- Send Message:
You can specify a message title and a message that is sent to the user who has an active remote session. A user can view only one message at a time and must acknowledge the message by clicking OK. If you send multiple messages to the same connection, the user receives the next message when he or she acknowledges the previous message.
- Shadow:
You can enter into an active session and either view the session or take control of it. When you select the Shadow option, by default, a user who is in the remote session is prompted for consent, which is a legal requirement in some environments. If the user refuses the request, you can't shadow that session. If you decide not to prompt for user consent, you can't use the Shadow option in a default RDS configuration. You must configure a Group Policy setting to be able to shadow a session without user consent. You should be aware that only administrators can shadow sessions. You can't delegate the ability to use the Shadow option to users who aren't members of the Administrators group.
Using Windows PowerShell to manage connections:
You also can use Windows PowerShell to manage connections. The following cmdlets can be used:
- Get-RDUserSession
- Disconnect-RDUser
- Invoke-RDUserLogoff
- Send-RDUserMessage
There is no Windows PowerShell cmdlet to start shadowing a session, but you can use mstsc.exe with the SessionID option. The Get-RDUserSession cmdlet displays the sessionID.
Shadowing connections was available in RDS for Windows Server 2008 R2 but was not available in RDS for Windows Server 2012. It has been added back in Windows Server 2012 R2.
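Because disconnected sessions are never ended by default, the cmdlets above are often combined to find and sign out stale sessions. The following is an added example, not part of the original text: the filter Select-StaleRDSession is a hypothetical helper, the eight-hour threshold is an assumption, and the sample objects are constructed with the property names that Get-RDUserSession returns so the selection logic can be tried without an RDS deployment.

```powershell
# Added example: pick out sessions that have been disconnected too long.
function Select-StaleRDSession {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Session,
        [int]$MaxDisconnectedHours = 8,          # assumed threshold, set from policy
        [datetime]$Now = (Get-Date)
    )
    process {
        $state = "$($Session.SessionState)"      # enum or string, compared as text
        if ($state -eq 'STATE_DISCONNECTED' -and $Session.DisconnectTime -and
            ($Now - $Session.DisconnectTime).TotalHours -ge $MaxDisconnectedHours) {
            $Session
        }
    }
}

# Constructed sample data (host names and users are placeholders).
$now = Get-Date '2024-01-10T12:00:00'
$sample = @(
    [pscustomobject]@{ UserName = 'alice'; HostServer = 'rdsh1.example.test'
        UnifiedSessionId = 3; SessionState = 'STATE_ACTIVE'; DisconnectTime = $null }
    [pscustomobject]@{ UserName = 'bob'; HostServer = 'rdsh1.example.test'
        UnifiedSessionId = 5; SessionState = 'STATE_DISCONNECTED'
        DisconnectTime = $now.AddHours(-1) }
    [pscustomobject]@{ UserName = 'carol'; HostServer = 'rdsh2.example.test'
        UnifiedSessionId = 7; SessionState = 'STATE_DISCONNECTED'
        DisconnectTime = $now.AddHours(-30) }
)

$sample | Select-StaleRDSession -Now $now |
    Format-Table UserName, HostServer, UnifiedSessionId, DisconnectTime -AutoSize

# On a real deployment (placeholders in angle brackets). Logging off closes the
# user's applications without saving changes, so review the list first.
# Get-RDUserSession -ConnectionBroker <broker> -CollectionName <collection> |
#     Select-StaleRDSession -MaxDisconnectedHours 8 |
#     ForEach-Object {
#         Invoke-RDUserLogoff -HostServer $_.HostServer `
#             -UnifiedSessionID $_.UnifiedSessionId -Force
#     }
```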