Once upon a time, when the trees were tall and I was a young and green system administrator, I had the chance to implement a terminal server on Windows 2000. Back then I thought it would be nice if no separate client were needed to connect to the server. Time passed, the trees grew, the reindeer on my sweater grew antlers and I grew a beard, and solutions for working with a terminal server through the browser began to appear on the market. But they were either unstable or expensive, and trial deployments never got far.
A little more time passed, gray hairs appeared in the beard, and there were many more HTML5-based solutions. So I wanted to give a brief overview of the free options, both for novice system administrators and for those who, like me, missed this moment.
So, you want to let employees into the terminal server through a browser, or administer servers through it? Details under the cut.
The convenience of connecting without a dedicated client can hardly be overestimated: a browser is present on almost any user device. Besides user convenience there is a security aspect: since such a client is a web service, it is much easier to protect. Exposing classic RDP, with its interesting vulnerabilities, to the internet is rather dangerous; working through a VPN is not always convenient; and fail2ban-type services and a non-standard port, while they help, do not give 100% protection. A web service, on the other hand, can be protected with certificate authentication and other two-factor authentication methods.
It is commonly believed that using RD Gateway, with RDP traffic wrapped in HTTPS and certificates installed on the clients, is good protection. In fact it is not: the certificate installed for RD Gateway authenticates the server, not the client. You can verify this by connecting with third-party RDP clients. Of course, some bots looking for open RDP will be weeded out this way. But fail2ban-type solutions are necessary in this case too.
I'll leave security hardening outside the scope of this article and move on to specific implementation examples. We will test on a terminal server based on Windows Server 2019 and use 1C 7.7 as the application for checking RemoteApp. Because we can.
Not so long ago, Microsoft finally released its own solution for connecting to RDP through a browser. Let's start with it.
Microsoft Remote Desktop Web Client
Installation and configuration of the client is described in detail in the documentation; I will give the basic steps under the spoiler.
Client installation from MS
Preparation. The Remote Desktop Gateway and/or Connection Broker roles must be assigned a certificate that clients trust. Yes, this is the usual requirement for running an RDP client over HTTPS. You can use a public trusted certificate, an internal CA, or, for testing purposes, a self-signed one.
You may need to update the PowerShellGet module first.
This is done by the command:
Install-Module -Name PowerShellGet -Force
After that you need to restart the console, and then installing the client is a matter of running the commands:
Install-Module -Name RDWebClientManagement
Install-RDWebClientPackage
During this step NuGet may be downloaded to install modules from the repository, so the server must have internet access. Yes, Windows has grown up and can use package repositories too.
Now you need to configure the certificate for this client. This is done by the command:
Import-RDWebClientBrokerCert cert.cer
where cert.cer is the path to the Remote Desktop Connection Broker certificate in .cer format.
Now you can publish the client with the command:
Publish-RDWebClientPackage -Type Production -Latest
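As an added example (not taken from Microsoft's documentation), here is the sequence above as one script with the checks I would add: forcing TLS 1.2 for the PowerShell Gallery, exporting the broker certificate by thumbprint instead of by hand, and listing what actually got published. It assumes the single-server case where the broker certificate sits in the local machine store; the thumbprint and the .cer path are placeholders, and the PowerShellGet update still has to be run in its own session first, as described above.

```powershell
# Added example, not from Microsoft's documentation: the install steps as one script
# with extra checks. Run in an elevated PowerShell on the RD Gateway / Web Access server
# with internet access, AFTER updating PowerShellGet in a separate session:
#     Install-Module -Name PowerShellGet -Force
# $BrokerCertThumbprint is a placeholder for the thumbprint of the RD Connection Broker
# certificate (visible in Server Manager or via Get-RDCertificate from the RemoteDesktop module).

$BrokerCertThumbprint = 'PLACEHOLDER_BROKER_CERT_THUMBPRINT'
$CerPath = Join-Path $env:TEMP 'broker.cer'

# The PowerShell Gallery only accepts TLS 1.2; older Windows PowerShell sessions may default
# to lower versions, which shows up as NuGet provider / module download failures.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-Module -Name RDWebClientManagement -Force
Install-RDWebClientPackage

# Export only the public part of the broker certificate (.cer, no private key)
# and hand it to the web client, refusing a missing or expired certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $BrokerCertThumbprint }
if (-not $cert) { throw "Certificate $BrokerCertThumbprint not found in Cert:\LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $BrokerCertThumbprint has expired" }
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null
Import-RDWebClientBrokerCert $CerPath

# Publish the newest downloaded package and list what is now published.
Publish-RDWebClientPackage -Type Production -Latest
Get-RDWebClientPackage
```

The expiry check is there because the web client silently stops working when the imported broker certificate expires; re-running the export and Import-RDWebClientBrokerCert with the renewed certificate is the fix.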
After installation, the client becomes available via a link of the form:
https://trm.contoso.com/RDWeb/webclient/index.html
After a successful login, all RemoteApp applications published in the collection are visible.
Published applications in the browser.
Let's try to start 1C by connecting from Firefox on Kubuntu.
Kubuntu, Firefox, 1C 7.7.
You can run other published applications too. In this case they will work in one window, and the top panel acts as something like a taskbar.
1C, Paint and WordPad.
In general, everything looks nice and convenient; a full-fledged desktop is also supported. Printing works by sending to a virtual PDF printer and then downloading the file in the browser. The text clipboard also works, although the need to confirm browser access to the clipboard is a little annoying.
Confirmation of copying from remote desktop.
But what is not yet available is file transfer between the local machine and the server, and that is a significant fly in the ointment. To summarize.
Pros:
- Relatively simple setup.
- Installation on a Windows server can be done directly on the desktop gateway.
- Transparent and convenient operation of RemoteApp.
- Printing and text clipboard support.
Cons:
- You have to deal with certificates.
- No file transfer support.
Well, let's see what the opensource world will offer us.
Apache Guacamole
Perhaps one of the most famous solutions, although version 1.0 appeared relatively recently. Its disadvantages include the lack of official support for installing it on Windows: you need a separate Linux machine or a Docker image. Documentation is available, as usual, on the official website. It is worth noting that in addition to RDP, the solution supports browser access to SSH, Telnet and VNC servers.
If you don't want to build a fresh version from source and deal with dependencies, you can use ready-made installation scripts such as the guac-install script. But, as usual, the editors are not responsible for third-party scripts.
After installation, according to the documentation, you need to somehow create users and configure connections. I used MySQL as the store for users and their settings and set everything up through the web interface. Through it you can create and configure users, connections, and groups that let you share common connections between different users.
Setting up a simple RDP connection.
It is worth noting that if we want transparent connections, logging in only through the web interface, we will either have to create a connection manually for each user, entering their password (!), or go for a more complicated installation. For example, use Active Directory as the store for settings and for authorization, which requires extending the AD schema. Or configure authentication through LDAP while still creating the users in a classic database like MySQL.
Without the complex installation, you will have to create separate web-interface users or share one common one. In that case, if you do not specify a username and password in the connection settings, you must disable NLA on the server. Not very comfortable.
In addition to a full desktop, RemoteApp is also supported. An important nuance is that the program name must be entered in the settings exactly as it would be in the RDP file.
Configure RemoteApp.
And if everything was done correctly, our "seven" opens in the browser.
And again 1C 7.7 in the browser.
Printing works the same way, as a PDF download, but, unlike the solution from MS, there is the possibility of file exchange with the server.
In fact, Apache Guacamole launches FreeRDP and can redirect folders from its Linux machine to the Windows server as a drive.
Redirected disk in 1C.
In turn, you can download or upload a file from the browser through a special menu. In this menu you can also configure mouse emulation and the on-screen keyboard. It is opened with the keyboard shortcut Ctrl + Alt + Shift.
Work with files.
The text clipboard also works, but somewhat inconveniently (it is far more annoying than the solution from MS). Modern browsers paired with Apache Guacamole make it easy to copy text from the remote application with Ctrl + C, but to paste text from the local machine you have to use the Ctrl + Alt + Shift menu.
But two-factor authentication is available almost "out of the box" (especially if you install with a third-party script), for example using the TOTP algorithm.
Let me briefly recall: TOTP (Time-based One-time Password Algorithm) is an algorithm for generating one-time passwords based on the current time. At first login the user is asked to scan a QR code or type in a string of characters and "feed" it to an app (for example, Google Authenticator). Based on that character set (the shared secret), the app then generates a new numeric code every 30 seconds to enter at login.
Overall, the solution gives the impression of being more thought-through and complete, if not for some difficulty in setting it up for normal operation. To summarize.
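To make the TOTP description concrete, here is an added example (my code, not the article's and not Guacamole's TOTP extension) that implements RFC 6238 in PowerShell with the RFC defaults of HMAC-SHA1, 30-second steps and 6 digits, plus the verification an authenticating server does. The base32 secret used in the demo is the RFC's reference secret, a constructed value, not a real one; whether Guacamole uses exactly these parameters is configurable on its side and is assumed here.

```powershell
# Added example (not part of the article or of Guacamole): RFC 6238 TOTP with the RFC
# defaults of HMAC-SHA1, 30-second time steps and 6 digits, which is also what an
# authenticator app computes from the secret shown to the user at first login.

function ConvertFrom-Base32 {
    # Decode the base32 (RFC 4648 alphabet) secret string that authenticator apps accept.
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $clean = ($Base32.ToUpperInvariant() -replace '[^A-Z2-7]', '')
    $bits = ''
    foreach ($ch in $clean.ToCharArray()) {
        $bits += [Convert]::ToString($alphabet.IndexOf($ch), 2).PadLeft(5, '0')
    }
    $bytes = for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        [Convert]::ToByte($bits.Substring($i, 8), 2)
    }
    return ,[byte[]]$bytes
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$StepSeconds = 30,
        [int]$Digits = 6
    )
    # Moving factor: number of whole time steps since the Unix epoch, as 8 bytes big-endian.
    [long]$counter = [math]::Floor($UnixTime / $StepSeconds)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation (RFC 4226): the low nibble of the last byte picks a 4-byte window,
    # its top bit is cleared, and the value is reduced modulo 10^Digits.
    $offset = [int]($hash[19] -band 0x0F)
    $binary = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor
              ([int]$hash[$offset + 1] -shl 16) -bor
              ([int]$hash[$offset + 2] -shl 8) -bor
              [int]$hash[$offset + 3]
    $code = $binary % [long][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

function Test-TotpCode {
    # Server-side check: accept the current step and its neighbours to tolerate clock drift.
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][string]$Code,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Window = 1
    )
    foreach ($delta in (-$Window)..$Window) {
        $expected = Get-TotpCode -Secret $Secret -UnixTime ($UnixTime + 30 * $delta)
        if ($expected -eq $Code) { return $true }
    }
    return $false
}

# Constructed demo: the RFC 6238 reference secret (ASCII "12345678901234567890") in base32.
$secret = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$code = Get-TotpCode -Secret $secret -UnixTime $now
"Current code: $code  valid now: $(Test-TotpCode -Secret $secret -Code $code -UnixTime $now)"
```

With that reference secret, `Get-TotpCode -Secret $secret -UnixTime 59` reproduces the RFC 6238 Appendix B vector (the 8-digit value 94287082 truncated to its last six digits). The verification window is the reason a code still works for a few seconds after the app has moved on, and also why a code should be accepted only once per step on the server side.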
Pros:
- Text clipboard and printing support.
- File transfer support.
- Touchscreen support in the form of mouse and keyboard emulation.
- Ability to record a session to a video file.
Cons:
- A separate machine or container is required.
- Difficult to configure, especially for a specialist not familiar with Linux.
- Not very convenient text clipboard.
Elsewhere on the net I found another little-known project that launches FreeRDP and displays the result through a browser. Let's try it too.
Myrtille
The project, with all its documentation, lives on the author's GitHub. Unlike Guacamole, Myrtille is installed on Windows, practically in "Next - Next - OK" mode. Install it and open the browser.
Windows in the browser.
In addition to RDP, SSH and connections to Hyper-V virtual machines are supported. The connection management menu is opened with the three-dot button in the upper left corner.
Connection Management Menu.
File transfer is done through the web interface: the Files button gives access to the user's My Documents folder for uploading and downloading files. However, if Myrtille is not installed on the terminal server itself, you will have to configure folder redirection. Printing, unlike the other two solutions, immediately opens a window with the PDF print dialog.
Things are a little worse with RemoteApp, when the application runs in normal mode. To launch the unfortunate 1C you need to form a link of the form:
https://myserver/Myrtille/?__EVENTTARGET=&__EVENTARGUMENT=&server=server&domain=domain&user=user&passwordHash=passwordHash&program=program
in which you must explicitly specify the user and their password (or password hash). The program must be written the same way as in the RDP file; for our 1C it is ||1cv7l. All parameters must be URL-encoded.
And the third time 1C in the browser.
To get the password hash you can also use Myrtille itself, simply by following the link (i.e. executing a GET request):
https://server/myrtille/GetHash.aspx?password=password
Two-factor authentication is also available "out of the box" and is based on oliveinnovations.com.
For a domain environment, the application has a separate mode of operation, Enterprise mode. To enable it you specify the domain name and the administrators group (users who can configure connections) during installation (or later, in the configuration files). Then only a username and password are requested at login, and the administrator can create predefined connection configurations for user groups. This lets us make a convenient shortcut for launching 1C.
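As an added example (mine, not from the Myrtille project), a small helper that builds the RemoteApp launch link above with every parameter URL-encoded, so that the ||1cv7l program value becomes %7C%7C1cv7l instead of breaking the query string. The base URL, server, domain, user and hash values are placeholders; the parameter names are the ones from the link in the text.

```powershell
# Added example, not part of Myrtille: assemble the RemoteApp launch link with each
# query parameter URL-encoded. All values passed below are constructed placeholders.
function New-MyrtilleAppUrl {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,       # e.g. https://myserver/Myrtille/
        [Parameter(Mandatory)][string]$Server,        # terminal server to connect to
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$PasswordHash,  # value returned by GetHash.aspx
        [Parameter(Mandatory)][string]$Program        # same string as in the .rdp file
    )
    # Parameter names exactly as Myrtille expects them; order is kept for readability.
    $params = [ordered]@{
        __EVENTTARGET   = ''
        __EVENTARGUMENT = ''
        server          = $Server
        domain          = $Domain
        user            = $User
        passwordHash    = $PasswordHash
        program         = $Program
    }
    # EscapeDataString percent-encodes everything outside RFC 3986 unreserved characters,
    # so '|', '&', '=', spaces and non-ASCII letters in any value are handled.
    $query = ($params.GetEnumerator() | ForEach-Object {
        '{0}={1}' -f $_.Key, [uri]::EscapeDataString([string]$_.Value)
    }) -join '&'
    return "$($BaseUrl.TrimEnd('/'))/?$query"
}

# Constructed demo values; the program value is the one used for 1C 7.7 in the article.
New-MyrtilleAppUrl -BaseUrl 'https://myserver/Myrtille/' -Server 'trm.contoso.com' `
    -Domain 'CONTOSO' -User 'jdoe' -PasswordHash 'PLACEHOLDER_HASH' -Program '||1cv7l'
```

Whatever goes into that query string ends up in browser history, proxy logs and the IIS request log (the cs-uri-query field is logged by default), so a link carrying a password hash should be treated as a credential. That is one more argument for the Enterprise mode described above, where the user launches a predefined connection and the link contains no secret at all.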
Creating a connection in the Enterprise mode control panel.
Now at login the user will see the connections available to them and launch 1C with a button rather than a strange link with a password.
The interface when a normal user logs on.
Unfortunately, at the moment I could not get the text clipboard to work in modern browsers: it works only via the clipboard button and only in the direction from the server to the local PC.
Summary
Pros:
- Easy installation on Windows.
- Support for almost everything you need, such as printing and file transfer.
- The ability to connect to an application or desktop directly via a link.
- It can work in compatibility mode (HTML4).
Cons:
- For now, the text clipboard does not work properly.
- Working with files is convenient only if the service is installed directly on the terminal server.
Instead of an afterword
Of course, there are other solutions, including paid ones. Here are some of the most popular, not counting monsters like XenDesktop:
They already have printer and file support, but in principle the free solutions have more or less reached a similar level.
Based on the results of this study, I decided to settle on the solution from MS, since file transfer was not needed in my case (more precisely, it was categorically not wanted).