How to install jump desktop
9/26/2023

I've blogged a lot over the last few years on how to set up a Windows jump (or bastion) server in public clouds. It's amazing to me how crucial this is in Windows environments. It seems there's a never-ending requirement to build jump boxes: certainly every time you add a new application and/or network container (either a VPC or a Vnet), you might need to add bastion hosts.

An older post describing how to do it in AWS has become quite popular. But it involves an administrator logging into the Remote Desktop Gateway (RDG) and configuring it via the UI. I wanted a "pure" DevOps infrastructure-as-code approach, so I wrote one for Azure. But even that script is incomplete: you still had to create the VM and then log in and run the script to install and configure Remote Desktop Gateway. I wanted a script that would, from scratch and in one pass, create an Azure Vnet (and everything associated with it), launch a VM and then install and configure the RDG via PowerShell Desired State Configuration (DSC).

My "mother-of-all-Windows-jump-server scripts" is below. I've commented it extensively so you should be able to follow it. There's so much going on that I will only list a few notes as bullets below. So, sit back and watch it happen - it takes about 25 minutes to run.

- Instead of passing a lot of parameters to the script, I've coded variables by topic in #region comments.
- The most intricate part of the script is caused by the brain-dead AzureRM cmdlet Start-AzureRmAutomationDscCompilationJob. Using it meant creating a file from the running script and storing it on disk. (Keep in mind, I wanted a single script, not one plus another file on disk.) To solve this, the actual DSC configuration is embedded in the running script as a here-string.
- The DSC Script resource does not accept parameters in its GetScript specification. This matters because the fully-qualified domain name of the RDG ($FQDN) is passed from the running script to the DSC configuration by Azure DSC. So, to pass the FQDN to the DSC script when it is run on the target node, I used a DSC File resource whose only purpose is to write the incoming parm to disk so a Get-Content cmdlet in the Script resource can retrieve it.
- I can't decide, frankly, if it's the worst POS code I've ever produced or the most elegant. But it sure was fun and I leave it to you to decide where on the POS-elegant spectrum it falls.

When the script finishes, the Remote Desktop Gateway is all good-to-go. You need to log in once on TCP 3389, retrieve the self-signed cert in c:\temp and add it to the local client's Trusted Root Certification Authorities. Then you can close port 3389 in the Network Security Group and log in to the VM using its private address and the RDG as the gateway.

If you have any questions or comments about the script, please leave a comment below or contact me.

Key lines from the script, with their comments:

# DSC configuration script follows as a PowerShell "here string".
# In the here-string that follows DO NOT USE any single quotes (') as this will mess up the here string.
# Note that parameters for the DSC configuration are initialized in the script below and passed to Azure DSC via Start-AzureRmAutomationDscCompilationJob
$configText = @"
Configuration InstallConfigureRemoteDesktopGateway
Import-DscResource -ModuleName PSDesiredStateConfiguration
File LoggingDirectory # Create a directory for log files and for the cert
MatchSource = $false # Only create the temp directory the first time the configuration is run
WindowsFeatureSet InstallRemoteDesktopGatewayFeatures
Name = @("NPAS-Policy-Server", "Web-ISAPI-Ext", "Web-Mgmt-Compat", "RSAT-NPAS", "RPC-over-HTTP-Proxy", "RSAT-RDS-Gateway", "RDS-Gateway", "Telnet-client")
# Because the DSC Script resource does _not_ accept parameters in its GetScript statement, we will write the compile-time
# FQDN parm to disk on this node and read it in in the Script resource below
Start-Transcript -Path "C:\Temp\ConfigureRemoteDesktopGateway.txt" -Append -Force -IncludeInvocationHeader
# Get the FQDN from the file created in the File resource
$DomainName = Get-Content -Path "C:\Temp\FQDN.txt" -Raw
# Create a self-signed cert for the gateway. This MUST be installed in the LocalMachine Trusted Root store for RDP clients to see it.
$x509Obj = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $DomainName
# Export the cert to the desktop for use on clients
$x509Obj | Export-Certificate -FilePath "C:\Temp\$DomainName.cer" -Force -Type CERT
# Create RD-CAP with two user groups; the defaults permit all device redirection. Might be worth tightening up in terms of security.
# If you need to find additional items, sl (Set-Location) to the GatewayServer location you are interested in
$capName = "RD-CAP-$(Get-Date -Format FileDateTimeUniversal)"
# Change to the location where the self-signed certificate is specified
Set-Location RDS:\GatewayServer\SSLCertificate
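The here-string and File-resource tricks described in the notes above, worked through end to end as an added example; this is not the post's own script. It assumes placeholder values for the resource group, Automation account and gateway FQDN, and uses the same AzureRM cmdlets the post does (Import-AzureRmAutomationDscConfiguration and Start-AzureRmAutomationDscCompilationJob). The configuration name, file path under C:\Temp and resource names inside it are chosen for the example.

```powershell
# Added example (not the post's own script): the DSC configuration is kept in a
# single-quoted here-string so nothing inside it is expanded by the outer script,
# written to disk because the Azure Automation DSC import cmdlet needs a file,
# then compiled with the gateway FQDN passed as a configuration parameter.
$ResourceGroupName     = 'rg-jumpserver'    # placeholder
$AutomationAccountName = 'aa-jumpserver'    # placeholder
$FQDN                  = 'rdg.example.com'  # placeholder gateway name

$configText = @'
Configuration InstallConfigureRemoteDesktopGateway
{
    param (
        [Parameter(Mandatory)]
        [string]$FQDN
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node localhost
    {
        WindowsFeatureSet InstallRemoteDesktopGatewayFeatures
        {
            Name   = @('RDS-Gateway', 'RSAT-RDS-Gateway', 'NPAS-Policy-Server', 'RSAT-NPAS')
            Ensure = 'Present'
        }

        # A Script resource cannot take parameters in GetScript/TestScript/SetScript,
        # so the compile-time FQDN is written to disk by a File resource ...
        File WriteFqdn
        {
            DestinationPath = 'C:\Temp\FQDN.txt'
            Contents        = $FQDN
            Type            = 'File'
            Ensure          = 'Present'
        }

        # ... and read back inside the Script resource at run time on the node.
        Script GatewayCertificate
        {
            GetScript = {
                @{ Result = (Get-Content -Path 'C:\Temp\FQDN.txt' -Raw).Trim() }
            }
            TestScript = {
                $name = (Get-Content -Path 'C:\Temp\FQDN.txt' -Raw).Trim()
                # Idempotent: only create the cert if none exists for this DNS name
                $null -ne (Get-ChildItem Cert:\LocalMachine\My |
                    Where-Object { $_.DnsNameList.Unicode -contains $name })
            }
            SetScript = {
                $name = (Get-Content -Path 'C:\Temp\FQDN.txt' -Raw).Trim()
                $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName $name
                # Export the public certificate only; the private key never leaves the gateway
                $cert | Export-Certificate -FilePath "C:\Temp\$name.cer" -Type CERT -Force
            }
            DependsOn = '[File]WriteFqdn', '[WindowsFeatureSet]InstallRemoteDesktopGatewayFeatures'
        }
    }
}
'@

# Write the here-string to disk; the file name must match the configuration name
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
$configPath = 'C:\Temp\InstallConfigureRemoteDesktopGateway.ps1'
Set-Content -Path $configPath -Value $configText -Encoding UTF8

Import-AzureRmAutomationDscConfiguration -SourcePath $configPath `
    -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName `
    -Published -Force

Start-AzureRmAutomationDscCompilationJob -ConfigurationName 'InstallConfigureRemoteDesktopGateway' `
    -Parameters @{ FQDN = $FQDN } `
    -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName
```

A single-quoted here-string is used here so that $FQDN inside the configuration is not expanded by the outer script; the value reaches the configuration only as a compilation parameter, and from there reaches the Script resource only through the file the File resource writes. The TestScript makes the certificate step idempotent, so re-applying the configuration does not mint a second self-signed certificate for the same name.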
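The post-install steps (trust the exported self-signed certificate on the client, connect through the RDG, then close TCP 3389 in the NSG) as an added example run from the administrator's workstation; this is not the post's own code. It assumes placeholder values for the certificate path, the expected thumbprint, the gateway FQDN, the target VM's private address and the NSG name, and uses AzureRM networking cmdlets (Get-AzureRmNetworkSecurityGroup, Remove-AzureRmNetworkSecurityRuleConfig, Set-AzureRmNetworkSecurityGroup) to match the post's module choice.

```powershell
# Added example (not the post's own code): trust the gateway certificate only if its
# thumbprint matches the one read off the gateway during the one-time direct login,
# generate a .rdp file that routes through the RDG, and remove the direct 3389 rule.
# All values below are placeholders.
$CerPath            = "$env:USERPROFILE\Desktop\rdg.example.com.cer"   # copied from C:\Temp on the gateway
$ExpectedThumbprint = '0000000000000000000000000000000000000000'        # placeholder: read from the gateway's cert
$GatewayFqdn        = 'rdg.example.com'
$TargetPrivateIp    = '10.0.1.4'
$ResourceGroupName  = 'rg-jumpserver'
$NsgName            = 'nsg-jumpserver'

function Install-TrustedGatewayCert {
    param([string]$Path, [string]$Thumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # Refuse to add anything to Trusted Root that does not match the expected thumbprint
    if ($cert.Thumbprint -ne $Thumbprint.ToUpperInvariant()) {
        throw "Thumbprint mismatch for $Path : got $($cert.Thumbprint), expected $Thumbprint"
    }
    $already = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
    if (-not $already) {
        # Trusted Root is what mstsc checks for the gateway TLS cert (requires an elevated session)
        Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    }
    return $cert.Thumbprint
}

function New-GatewayRdpFile {
    param([string]$Gateway, [string]$Target, [string]$OutFile)
    @(
        "full address:s:$Target"
        "gatewayhostname:s:$Gateway"
        'gatewayusagemethod:i:1'          # always connect through the gateway
        'gatewaycredentialssource:i:4'    # prompt for gateway credentials
        'gatewayprofileusagemethod:i:1'   # use the explicit settings above
        'drivestoredirect:s:'             # no drive redirection from this client
        'redirectclipboard:i:0'
    ) | Set-Content -Path $OutFile -Encoding ASCII
    return $OutFile
}

function Remove-DirectRdpRule {
    param([string]$ResourceGroup, [string]$Nsg)
    $nsgObj = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $Nsg
    # Removes inbound allow rules that name port 3389 exactly; rules using ranges or '*'
    # are not matched here and need a manual look
    $rules = $nsgObj.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and $_.DestinationPortRange -contains '3389'
    }
    foreach ($r in $rules) {
        Remove-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgObj -Name $r.Name | Out-Null
    }
    Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsgObj | Out-Null
    return $rules.Name
}

Install-TrustedGatewayCert -Path $CerPath -Thumbprint $ExpectedThumbprint
$rdp = New-GatewayRdpFile -Gateway $GatewayFqdn -Target $TargetPrivateIp -OutFile "$env:USERPROFILE\Desktop\jump.rdp"
Remove-DirectRdpRule -ResourceGroup $ResourceGroupName -Nsg $NsgName
Start-Process mstsc.exe -ArgumentList $rdp
```

Because a certificate placed in Trusted Root is accepted for any name it carries, the thumbprint comparison is the one check that ties the file copied from C:\Temp back to the gateway you actually logged into; run it before the .rdp file is used and before the 3389 rule is removed, so a mismatch leaves the direct path open for investigation rather than locking you out.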