Windows RDS RemoteApp Launcher

PAM can be used to launch published RDS RemoteApps in a secure RDP session.

This feature reduces the effort involved in traditional RemoteApp launching, and it does so through the Privileged Session Management features of PAM, which provide video and event recording, auditing, permissions, workflow approval and notifications.

 

If you want to preserve your native RemoteApp functionality but in a more controlled and audited manner, then PAM is the solution for you.

For our Linux users, PAM also supports a similar feature where remote commands like connecting to a MySQL database can be automatically sent upon login. Read more about it here.

Cases and scenarios

The following use cases and scenarios are covered when configuring System to use your Windows RemoteApp infrastructure.

  • Provides end-users the ability to securely launch Remote Applications without having to use the traditional RDS Web Access portal.
  • Easily capture video and keystroke recordings of all activity during their remote application sessions.
  • Quickly share access using permissions and workflows to ensure users have access to the remote applications during the times when they need it the most.

How Remote App Launcher Works

Remote App Launcher works with your existing Windows Desktop Services RemoteApp environment by:

  • Creating a secure connection to your Windows Desktop Services RemoteApp host.
  • Launching the defined published RemoteApp without requiring additional user input or authentication.
  • Once launched, enabling controls (mouse and keyboard) for the user so they can utilize the remote application.
  • Recording keystrokes and (optionally) video of the user’s session with the remote application.
  • Retaining full support of native RDS Administrative Connections options including monitoring, Send Message, Shadow, Disconnect and Logout.

Pre-requisites

To use the RDS RemoteApp Launcher, the following pre-requisites are required:

  • Fully implemented, configured and working Windows Remote Desktop Services deployment. If you have not deployed a Windows Remote Desktop Services host yet, there are many online tutorials available with this one being an example: http://www.concurrency.com/blog/w/rds8-quick-and-easy,-remoteapp-on-windows-server-2
  • The credentials entered into the System record must be included in the Collection's properties as a member of a User Group.
  • The credentials entered into the System record must be able to connect to the RDS host server using RDP.
  • The RemoteApp must be Published and the RemoteApp program location must be defined in the System record.
  • This feature only works when connecting to a Windows RDS host server using Published RemoteApps.

1. Configure System to launch RemoteApps

To configure System to launch your published RemoteApps:

  1. Log in to PAM with a System Administrator account.
  2. Navigate to Administration > Record Types and click the New Record Type button.
  3. Enter the following values to create your new record type:
    • Name: Windows Remote App or another name of your choosing

    • Description: (optional) Enter a description of this record type

    • Session Manager: RDP

    • Parent Type: Windows Host

  4. Click the Save button to save your new record type.

  5. Now click the Add Field button to create a custom field for this new record type. Use the following values for this new field:

    • Field Type: String

    • Name: Command

    • Display Name: RemoteApp Program Location or another name of your choosing

    • Order: 800

    • Helper: (optional) Enter the full path to the published RemoteApp on the RDS server

  6. Click the Save button to save your new field.

  7. Click the Save button to save your new record type.

    Your record type is now ready to be used to create your Windows RemoteApp records.

2. Create a record

To create a record used to launch your published RemoteApps:

  1. Log in to PAM and navigate to the container where you will create your Windows Remote App record.
  2. Click the Add Record button and select your new Record Type from the dropdown menu.
  3. Create your record using the following values as guidance:
    • Name: Enter a name for your record

    • Description: (optional) Enter a description of your record

    • Host: Enter the host name or IP address of your Windows RDS host

    • Port: Enter the RDP port of your Windows RDS host (default is 3389)

    • User: Enter your domain user account. The same username you would use to login to the RD Web Access portal.

    • Password: Enter your domain password. The same password you would use to login to the RD Web Access portal.

    • RemoteApp Program Location: Enter the path of the published RemoteApp that will be launched on the RDS server from this record. For example, C:\Windows\system32\calc.exe or %SYSTEMDRIVE%\Windows\system32\calc.exe

    Please consult with your Windows RDS Administrator if you need assistance with any of the values specific to your Remote App environment.

  4. Click the Save and Return button to save your new record.

3. Test the record

With the new record saved, you are ready to test your configuration. Return to this record’s View and click the Connect button to test this record’s function.

The expected result is that System will launch a remote RDP session to your RDS host, authenticating using the User and Password stored in the record.

Once the remote session is established, it will immediately launch the published RemoteApp that was defined in the RemoteApp Program Location field of the record.

You can now use the RemoteApp and when finished, simply Exit or Close the RemoteApp and the System session will complete.

 

Troubleshooting

Possible errors and their resolutions.

  • The remote session to your RDS server fails with connection error 519
    • This failure is usually caused by an incorrect host, port or domain credentials stored in the record. Please verify that your User and Password are accurate and confirm with your RDS Administrator that the Host and Port are accurate. You should also make sure that RDP access to this host is available and your domain account is permitted to connect with this RDP session.
  • The remote session to your RDS server connects but the RemoteApp fails to launch with the error “The system cannot find the file specified. This initial program cannot be started:”

    This failure indicates that the path to the published Remote App in the System record is incorrect. Please verify this path and file name with your RDS Administrator to confirm its accuracy.
  • The remote session to your RDS server connects but the RemoteApp fails to launch with the error “Access is denied. This initial program cannot be started:”

    This failure indicates that the Remote App that you attempted to launch is not published.

    Please verify that this Remote App is published with your RDS Administrator.
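
The last two errors above both come down to the RemoteApp Program Location in the record not matching a published RemoteApp. The following PowerShell is an added example, not part of PAM or its documentation: it compares a record's path with the output of the RemoteDesktop module's Get-RDRemoteApp cmdlet before the record is put into use. The function name Test-RemoteAppRecordPath, the collection and broker names, and the sample data are assumptions made for illustration.

```powershell
# Added example: check a record's "RemoteApp Program Location" against the
# RemoteApps actually published in an RDS collection.
function Test-RemoteAppRecordPath {
    param(
        [Parameter(Mandatory)] [string]   $ProgramLocation,  # value stored in the record
        [Parameter(Mandatory)] [object[]] $PublishedApp      # objects shaped like Get-RDRemoteApp output
    )
    # Drop whitespace and surrounding quotes that tend to arrive with copy/paste.
    $wanted = $ProgramLocation.Trim().Trim('"')

    foreach ($app in $PublishedApp) {
        # A published app carries a literal path (FilePath) and an
        # environment-variable form (FileVirtualPath); the record may use either.
        # Compare as strings: expanding %SYSTEMDRIVE% locally would use this
        # machine's value, not the RDS host's.
        foreach ($candidate in @($app.FilePath, $app.FileVirtualPath)) {
            if ($candidate -and $candidate.Trim() -ieq $wanted) {
                return [pscustomobject]@{
                    ProgramLocation = $wanted
                    Published       = $true
                    DisplayName     = $app.DisplayName
                    Collection      = $app.CollectionName
                }
            }
        }
    }
    # No match: the path is mistyped or the program is not published, which are
    # the two launch failures listed under Troubleshooting.
    [pscustomobject]@{ ProgramLocation = $wanted; Published = $false
                       DisplayName = $null; Collection = $null }
}

# Constructed sample data (not from a real deployment).
$published = @(
    [pscustomobject]@{ CollectionName = 'Apps'; DisplayName = 'Calculator'
        FilePath        = 'C:\Windows\system32\calc.exe'
        FileVirtualPath = '%SYSTEMDRIVE%\Windows\system32\calc.exe' }
)
# On an RD Connection Broker, use the real list instead (placeholder names):
#   $published = Get-RDRemoteApp -CollectionName 'Apps' -ConnectionBroker 'broker.example.test'

'C:\Windows\system32\calc.exe',
'%systemdrive%\windows\system32\calc.exe',
'C:\Windows\system32\cmd.exe' |
    ForEach-Object { Test-RemoteAppRecordPath -ProgramLocation $_ -PublishedApp $published } |
    Format-Table -AutoSize
```

A record whose path comes back with Published set to False should be corrected or reviewed with the RDS Administrator before users are granted access to it.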