2012 Terminal Server Configuration

There are many steps to commission a new 2012 Terminal Server from the ground up, but I wanted to detail a couple of sections that are easy to overlook, and can lead to head-banging.

1) Install the Remote Desktop Services role via Server Manager:
Installation Type: Remote Desktop Services Installation
Deployment Type: Standard Deployment
Deployment Scenario: Session-based Desktop Deployment
Role Services: Remote Desktop Connection Broker, Remote Desktop Web Access
RD Connection Broker: LOCALHOST-NAME (to install it on the server itself)
RD Web Access: LOCALHOST-NAME (to install it on the server itself)

2) Configure the Deployment:
Once roles are installed, you will need to configure the RD Gateway, RD Licensing, RD Web Access and Certificates settings. Open Server Manager > select Remote Desktop Services in the left pane > Tasks > Edit Deployment Properties

RD Gateway
Use these RD Gateway server settings:
Server name: rds.your-public-domain.com
Check ‘Use RD Gateway credentials for remote computers’
Check ‘Bypass RD Gateway server for local addresses’

RD Licensing
Select your RD licensing mode

RD Web Access
RD Web Access Server:LOCAL-SERVER-NAME.internal-domain.local
URL: https://LOCAL-SERVER-NAME.internal-domain.local/RdWeb

Create new certificate… > rds.your-public-domain.com > enter password > OK
Set all Role Services to use the newly created self-signed certificate.

NOTE: Obviously you will want to purchase and install publically trusted certificate as opposed to using the self-signed, but self-signed will work for testing purposes.

3) RD Gateway Manager Policy Setup
You’ll need to create a Connection Authorization Policy and Resource Authorization Policy. In this example, we will have this TS box opened up to pretty much anyone with a domain account.

Start > Control Panel > Administrative Tools > Remote Desktop Desktop Services > Remote

Desktop Gateway Manager. Expand Server > expand Policies.

Connection Authorization Policy
Create a new policy using the Custom, not the Wizard:

General Tab
Policy name: RDG_CAP_AllUsers
Check ‘Enable this policy’

Requirements Tab
Check ‘Password’
User group membership: Domain Users (or any group you wish to permit access)
Client computer group membership: *leave blank*

Device Redirection Tab
Enable device redirection for all client devices

Timeouts Tab
All boxes unchecked

Click OK

Resource Authorization Policy
Create a new policy using the Custom, not the Wizard:

General Tab
Policy name: RDG_AllDomainComputers
Description: All domain computers
Check ‘Enable this policy’

User Groups Tab
Add ‘Domain Users’

Network Resource Tab
Allow users to connect to any network resource

Allowed Ports Tab
Allow connections only to port 3389

Click OK

4) NPS (Network Policy Server)
Upon installation of your roles in step 1, the NPS role should also have been installed to your 2012 server. The policies that you created in RD Gateway Manager (step 3) should be automatically imported into NPS, which will handle the policy enforcement. If you expand Policies > Network Policies you should see the RDG_CAP_AllUsers policy we created in the previous step. Also, under Connection Request Policies, you should see TS GATEWAY AUTH POLICY listed and configured with NAS Port Type as Virtual (VPN), Authentication Provider is Local Computer.

Lastly, and this is very easy to overlook, make sure to righ-click ‘NPS (Local)’ and ‘Register server in Active Directory’. You will not be able to connect externally without doing this.

NOTE: If you are receiving this error:

Remote Desktop can’t connect to the remote computer “RDS.Domain.Local” for one of these reasons:


Odds are you haven’t registered your NPS Server with Active Directory. Please double-check this by doing the last item in step 4.

5) Install Applications
This step is somewhat ambiguous as different software vendors have different requirements for TS enviroments. Certain programs can be installed as Administrator and published without issues. I have had other (older applications) that need to be installed using the change user command in order to work for accounts other than the account installing it (Administrator). I thought this method was nolonger needed in 2008R2 and up, but I’ve come across some applications that still won’t run correctly after install without doing it.

To install a program using the change user command, perform the following:

a. Log into TS as the administrator and close all applications and user sessions.
b. Open a Command prompt.
c. Type change user /install and press ENTER.
d. Install the program.
e. At the command prompt, type change user /execute when installation is complete.

6) Publish RemoteApp
You can choose which applications you want to show up on the Remote Web Access webpage when users login. Choose/Add them by doing the following:

a. Open Server Manager > Remote Desktop Services > Collections > QuickSessionCollection
b. Under RemoteApp Programs > select Tasks > Publish RemoteApp Programs
c. This will launch the list of installed and available applications to post publish to the

Remote Web Access Portal. You can also modify whether certain already-published apps are visible via RD Web Access.

7) Accessing TS/Remote Web Access
At this point, you should be operational. In this example, we have assigned a self-signed certificate, which in order to work for testing, will need to be installed into the Trusted Root Authorities on whatever machine you’re testing from. Here are a couple of things that I wanted to mention, that are more outside the scope of this article, but don’t want to forget when testing:

– Export self-signed cert out of IIS into a .cer file so you can install into Trusted Root Certification Authorities on the machine you’re testing
– Make sure you open the required 443 ports on your firewall for outside testing
– Make sure you create a public DNS record for rds.public-domain.com to point to your correct public IP address, or modify your hosts file on the machine you’re testing from


8) Creating an .RDP File For Launching a RemoteApp
This feature seems to have been pulled from 2012/R2 as they want people to hit RemoteApps via the Remote Web Access page. Sometimes though, you need to deploy an RDP file to people easily (email). This is the method I have found to create the RDP file:

a. On your Windows7/8 PC, open Control Panel > RemoteApp and Desktop Connections > click Access RemoteApp and desktops to launch setup wizard
b. URL:  https://rds.public-domain.com/RDWeb/Feed
c. Once successfully configured, you can navigate to:


to find your newly created RDP file. You can copy/rename and distribute this file as needed.

Leave a Reply

Your email address will not be published. Required fields are marked *