App Proxy support for Remote Desktop Services
Full Supply
Enable the Web Client for HTML
To use the HTML5 web client for RDS, which offers a modern user interface (Figure 3) and is no longer based on an ActiveX add-in, install the client with the following PowerShell commands on the RD Web Access server:
Install-Module -Name RDWebClientManagement
Install-RDWebClientPackage
Import-RDWebClientBrokerCert <path to CER file>
Publish-RDWebClientPackage -Type Production -Latest
It is a good idea here also to customize the URL that you have shared in App Proxy so that employees are then automatically redirected to the HTML5 variant.
When you import the broker certificate in the third step, you need to specify the certificate for your publication without the private key, in CER format. If you have not yet installed PowerShellGet on the server, do so first:
Install-Module -Name PowerShellGet -Force
When you set up the initial share in App Proxy, a share is created in the path https://websession.contoso.com/RDWeb, which automatically starts the traditional web interface. If you want to switch to the HTML5 web client, you can change the URL in App Proxy with PowerShell. To do this, you need the AAD PowerShell module and Application Administrator permissions:
Import-Module AzureAD
Connect-AzureAD
Get-AzureADApplication | ? {$_.AppId -eq "033deed3-eddf-459a-a8c4-99b067f6186b"} | Set-AzureADApplication -Homepage https://websession.contoso.com/RDWeb/webclient
The AppId you are looking for is the Application ID created during App Proxy publishing and stored with the Enterprise application object under Properties. When the application object has accepted the new home page, adjust the associated Enterprise application object. This time, take the object ID of the Enterprise application, for example:
Set-AzureADServicePrincipal -ObjectId 4c2e134a-9884-4716-81e8-36a1eaea1b2b -Homepage https://websession.frickelsoft.net/RDWeb/webclient
Give Azure AD a few minutes to apply the changes and then test the connection again. To do this, open an Incognito window and go to https://myapplications.microsoft.com as a user who should be able to access the RD services. Log in with valid credentials and then select the RD services from the list of published applications. You should be taken immediately (with SSO) to the HTML5 web client.
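The two home-page changes above can be done as one idempotent step that looks up the Enterprise application by its AppId instead of pasting an object ID by hand, and reads both objects back so you can confirm the change before testing. This is an added example, not code from the article; it assumes the AzureAD module is installed, the caller holds the Application Administrator role, and the AppId and host name are the article's placeholder values.

```powershell
# Added example (not from the original article): point the App Proxy
# published RDS app at the HTML5 web client, updating both the Application
# object and its Enterprise application (service principal), then reading
# both back to confirm. The AppId and host name are the article's
# placeholders; replace them with your own.

Import-Module AzureAD
Connect-AzureAD | Out-Null

function Set-RdWebClientHomepage {
    param(
        [Parameter(Mandatory)][string]$AppId,     # Application ID from App Proxy publishing
        [Parameter(Mandatory)][string]$Homepage   # external URL ending in /RDWeb/webclient
    )

    # Only accept an HTTPS URL on the web client path: the pre-authenticated
    # App Proxy publication is what Conditional Access protects, so a typo
    # here would send users somewhere outside that protection.
    if ($Homepage -notmatch '^https://[^/]+/RDWeb/webclient/?$') {
        throw "Homepage must be an https:// URL ending in /RDWeb/webclient: $Homepage"
    }

    # 1. Application object (what the article patches with Set-AzureADApplication)
    $app = Get-AzureADApplication -Filter "appId eq '$AppId'"
    if (-not $app) { throw "No application with AppId $AppId found" }
    Set-AzureADApplication -ObjectId $app.ObjectId -Homepage $Homepage

    # 2. Enterprise application (service principal) with the same AppId,
    #    looked up here instead of copying its ObjectId from the portal
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal with AppId $AppId found" }
    Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -Homepage $Homepage

    # 3. Read back both objects; the directory may take a few minutes to
    #    propagate the change to the My Apps portal
    [pscustomobject]@{
        ApplicationHomepage      = (Get-AzureADApplication -ObjectId $app.ObjectId).Homepage
        ServicePrincipalHomepage = (Get-AzureADServicePrincipal -ObjectId $sp.ObjectId).Homepage
    }
}

Set-RdWebClientHomepage -AppId '033deed3-eddf-459a-a8c4-99b067f6186b' `
                        -Homepage 'https://websession.contoso.com/RDWeb/webclient'
```

If the two returned home pages differ, the service principal update has not yet applied and the My Apps link will still open the classic RD Web page.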
Conclusions
Existing Remote Desktop implementations can be published with relative ease thanks to App Proxy. Having the right certificates and adjusting the internal and external names for the web components is important. With Azure Active Directory publishing mode as pre-authentication, you can now protect the entire RD web app as an application with Conditional Access. At the same time, you can force all employees either to use multifactor authentication or, alternatively, to work from a known, healthy device when connecting to Remote Desktop through the publication.