Working with RD Web Access in Windows Server 2012 R2

Introduction to RD Web Access

So far in this series we have talked about how to successfully deploy and manage a Microsoft Windows Server 2012 VDI environment. But the overall success of your deployment will be measured by end-user satisfaction. Providing an easy path for users to easily discover the resources available to them is essential.

This is where RD Web Access comes into play.  RD Web Access delivers VDI resources (RemoteApps or full desktops) to end users. You publish these resources, and RD Web Access makes them easily discoverable for end users in these ways:

  • On the RD Web Access web site.
  • In the Start Menu of Windows 7 and Windows 8 clients that have the RemoteApps and Desktop Connections (RADC) configured. See more about RADC in the “RADC and Windows 8” section.
  • In the modern Remote Desktop app on Windows 8 clients that have RADC configured.

In this article, we’ll look at how publishing works, what’s new in Windows Server 2012 and the Modern Remote Desktop Connection application, and how to customize RD Web Access.

How Publishing Works

At a high level, here’s how the pieces work together. You use RDMS to publish resources for the collection (recalling that a collection consists of homogenous servers). RD Connection Broker keeps track of all available resources. The RD Web Access role service queries RD Connection Broker for all available resources and RD Connection Broker returns the results. RD Web Access takes that data and produces two data streams:

  • Hypertext Markup Language (HTML) data that RD Web Access web portal displays as web pages.
  • An Extensible Markup Language (XML) feed consumed by RemoteApps and Desktop Connections (a Control Panel applet available on Windows 7 and Windows 8 clients) or by the modern Remote Desktop app on Windows 8 clients.


Figure 1: RD Web Access queries RD Connection Broker for a list of available resources and makes them available to end users through its web portal and by RADC.

Links to RDP files that will open each available resource appear on the RD Web Access web portal and on RADC configured client Windows 7 Start Menus, Windows 8 Start Screens and the modern Remote Desktop app accordingly.

So far, that’s very similar to publishing applications in Windows Server 2008 R2. That’s a bit deceptive, though: through a simplified architecture, RD Web Access now makes it easier to publish and discover applications.

What’s new for RD Web Access in Windows Server 2012

In Windows 2012 RD Web Access has been updated in many ways. We will first look at some general design changes to the role service and then we will focus on portal specific and RADC specific changes.

Overall design changes include:

  • You install RD Web Access to one or multiple servers from RDMS
  • RD Web Access now only queries RD Connection Broker for available resources
  • RD Web Access is now the only RemoteApp delivery mechanism offered (no more creating MSI and RDP files in RemoteApp Manager)
  • You now configure RD Web Access SSL certificates from a central location – RDMS

Install RD Web Access From RDMS

Just like all other RDS role services in Windows Server 2012 you install the RD Web Access using RDMS on your deployment server to one or multiple destination servers. Open RDMS, and click on the RD Web Access plus sign icon in the Deployment Overview section (shown in Figure 2).


Figure 2: Start installing RD Web Access by clicking the RD Web Access plus sign icon in the Deployment Overview section of RDMS.

This starts the Add RD Web Access Servers wizard.  Choose destination servers running Windows Server 2012 from the pool, add them to the Selected window, and click Next. Then click the Add button.  When the installation is finished click Close.

Note: You can also install RD Web Access using PowerShell. We will cover installing RDS role services using PowerShell in a later article.

RD Web Access Queries RD Connection Broker Only

If you have used RD Web Access on Windows Server 2008 R2, you know that to configure the RD Web Access web portal to show available resources, you logged on as an administrator, selected the Administration tab and provided the name of a server(s) to query for available resources.  This source could be either RD Connection Broker or one or more individual RD Session Host servers.  In 2012 RD Web Access only queries RD Connection Broker for resources; RDMS makes this connection automatically when you install RD Web Access. The Administration tab on the web portal is no longer needed and is gone.

New RemoteApp Publishing Methods

In Windows 2008 R2 you could deliver RemoteApps three ways:

  • The RD Web Access web portal
  • RemoteApp and Desktop Connections (RADC) on Windows 7 clients made RemoteApps appear in the user’s Start Menu by connecting with the XML feed.
  • Use RemoteApp Manager on your RD Session Host servers to create .MSI or .RDP files. You would distribute these files to clients (via Group Policy for MSI files or file share for RDP files).

In Windows Server 2012 creating MSI or RDP files using the RemoteApp Manager UI is no longer an option – RemoteApp Manager is gone. Now you deliver RemoteApps through the RD Web Access web portal, RADC (also available for Windows 8) or through the modern Remote Desktop app, which you can download from the Microsoft store on Windows 8 machines.

The modern Remote Desktop app performs the same function as RADC:  it puts RemoteApp icons alongside your other applications. It also leverages the XML feed to get the application data. However, you cannot remove or manually refresh the feed source using the modern application. To remove or manually refresh the signup, use the RADC Control Panel applet.

Certificate Management with RDMS

Certificate Management for RD Web Access has also been simplified in Windows 2012. In 2008 R2 if you wanted to secure your RD Web Access Website you had to manually install a certificate on the server and then add the certificate in IIS for the website (or script these processes).

In Windows 2012 you deploy SSL certificates to RD Web Access servers using RDMS on your deployment server. Add the certificate to the Deployment Properties / Certificates tab / RD Web Access role service entry in RDMS and RDMS deploys the certificate to the RD Web Access server and binds the certificate to the default website in IIS. If you have multiple RD Web Access servers, RDMS deploys the certificate to all of them when you configure the RDMS deployment setting.

RD Web Access Web Portal Changes in 2012

We’ve told you that the RD Web Access portal no longer has the Administration tab it used to in Windows 2008 R2. Here are a few other changes to the RD Web Access web portal in Windows Server 2012:

  • Web Single Sign-On is enabled by default for RDP 8 clients
  • Resources can be grouped into folders
  • The web portal now functions on other browsers (not just Internet Explorer)

Web SSO by Default

With Windows Server 2008 R2 you could configure Web Single Sign-on (Web SSO) to launch RemoteApps from RD Web Access; you logged on once to the RD Web Access web portal and no additional logon was required to launch a published RemoteApp. However, many conditions needed to be met in order for Web SSO to work. With Windows Server 2012 Web Single Sign-On works without configuration so long as both the RD Connection Broker and RD Session Host are running Windows Server 2012 and the clients are running RDP version 8 (available on Windows 7 and Windows 8).

Note: If these requirements cannot be met, you can still configure Web-SSO the same way you did in Windows Server 2008 R2.

Organize Resources in Folders

In Windows 2008 R2 all available RemoteApps and full desktop links appeared on the RD Web Access in the alphabetical order, RemoteApps first, then full desktop connections next. You could not group any of the resources or arrange them in any way. This was inconvenient for users with lots of RemoteApps as it could be hard to find the right icons.

In Windows Server 2012 you can organize published Remote Apps and Desktops into folders that display on the RD Web Access portal. To create a new folder, open RDMS and then open the properties of a previously created RemoteApp. Add a new name to the RemoteApp Program Folder drop-down menu (shown in Figure 3), or select an existing folder from the list.


Figure 3: Create a new folder by adding a new name to the RemoteApp Program Folder drop-down menu.

The folder will show up in RD Web Access as shown in Figure 4. The resources in it will appear when you click to open the folder.


Figure 4: You can group RemoteApps and Full desktop connections into folders on the RD Web Access portal.

Folders work outside of RD Web Access, too. The modern Remote Desktop app shows folders as new columns instead of actual folders. The name of the folder is the column heading and grouped resources appear under the corresponding column as shown in Figure 5.


Figure 5: The Remote Desktop Modern UI shows RD Web Access web portal subfolders as new columns.

Password Reset Available for Users

In Windows Server 2012 the capability for users to reset their (expired) passwords is now standard. It is disabled by default but you can enable it by configuring Internet Information Services (IIS) on the server running RD Web Access.

To enable the RD Web Access password reset option:

  1. Open IIS on your RD Web Access server and browse to Sites / Default Web Site / RDWeb / Pages.
  2. Select Application Settings.
  3. Open the PasswordChangeEnabled setting and change the value to True.

Now, when a user tries to logon to RD Web Access supplying an expired password RD Web Access will redirect that user to the password.aspx page where the user can change his password.

TIP: User’s passwords don’t have to be expired in order to reset their passwords using the password.aspx page. You can make the password reset functionality permanently available from the login page by adding a hyperlink to the password.aspx webpage. To do this,


  1. Open the login.aspx page in Notepad and find this code:


<table width=”300″ border=”0″ cellpadding=”0″ cellspacing=”0″>


<td width=”130″ align=”right”><%=L_PasswordLabel_Text%></td>

<td width=”7″></td>

<td align=”right”>

<label><input id=”UserPass” name=”UserPass” type=”password” runat=”server” size=”25″ autocomplete=”off” /></label>







  1. Add this code directly beneath it:



<td align=”right”>

<a href=”password.aspx” target=”_blank”>Click Here</a> to reset your password.




The login.aspx page will now contain a hyperlink (shown in Figure 6) that will open the password.aspx page in a new tab (depending on how your browser is set).


Figure 6: You can add a link to change a user’s password to the RD Web Access Login page.

Cross-Browser Platform Support

Up until Windows Server 2008 R2, the RD Web Access web portal was only supported on clients running Windows and using Internet Explorer (IE). New in Windows Server 2012, the ActiveX control is no longer required to use the portal. This means you can now use browsers such as Chrome, Firefox, and Safari to use the portal.

The actual experience you get when you access the portal from different browsers varies slightly, but all browsers will allow you to at least download an RDP file, open it, enter your credentials and launch the RemoteApp or Full desktop connection. Here are two major differences in the portal experience using IE versus other browsers:

  1. Internet Explorer is still the only browser that supports Web SSO. This is because Web SSO still requires ActiveX. Without ActiveX, RD Web Access falls back to downloading RDP files and users will be prompted for credentials.
  2. The Remote Desktops tab, while available and functional using IE, is not available when using other browsers. If you edit the URL to point to the desktops.aspx page, it opens, but does not actually work.

RADC in Windows 8

With Windows Server 2008 (R2) clients running Windows 7 could discover their RDS resources by using the RADC Control Panel applet. The user would input the RD Web Access Web Feed URL into this applet, and the icons for their Remote Apps and full desktops would appear in the Start Menu. Setting this up wasn’t simple: the user had to open RADC in the Control Panel and enter a long and exact URL. You could use Group Policy to configure the RADC URL, but this only worked for managed devices.

With Windows Server 2012, Windows 8 clients can configure RADC by entering a corporate e-mail address instead of the complex web feed URL—and everyone knows their email address. You add a TXT DNS entry to your public facing DNS zone containing the web feed URL. When a user enters their email address, the URL is retrieved based on the domain suffix of the email address.

The DNS Record should look like this:

Type      Name                    Value
TXT         _msradc               https://<FQDN_To_RDWA>/RDWeb/Feed/webfeed.aspx

Note: It does not matter what the email address prefix is. The suffix is what is used to locate the DNS TXT entry. So user Freek Berson could type in a fake email address and as long as the DNS zone contains the TXT file pointing to the RD Web Access feed URL, the Freek will get the feed.

Once the URL is retrieved, the user provides credentials once and shortcuts to their Remote Apps and Desktops are created in the Start Menu (Windows 7), on the Start Screen (Windows 8) or inside the modern Remote Desktop app (Windows 8). The shortcuts launch .RDP files that are stored in the location C:\Users\<username>\AppData\Roaming\Microsoft\Workspaces\<Workspace ID>\Resource.

Customizing the Web Portal

One of the most popular questions regarding the RD Web Access web portal is: How do I tweak it? In Windows Server 2012 Microsoft made some improvements to the site so that it is now easier to customize.

One of the biggest improvements is that the RD Web Access portal is built using Cascading Style Sheets (CSS). Using CSS you can make changes to an element’s font, color and other formatting and those changes are reflected for that element across the whole site. This can affect text, borders, button formatting, backgrounds etc.

The RD Web Access web portal default file location is: C:\windows\web\rdweb. Most of the files that you will touch when tweaking the web portal are located in the \Pages subfolder. The following table describes some of the key sub-folders and files:

File or Folder Name Description
File Site.xsl The portal’s main style sheet. It is used to customize the XML content that will be delivered as HTML pages
File Renderscript.js A JavaScript file used for more advanced customizations
File tswa.css The style sheet that controls the site’s text and image formatting
Folder en-US Contains the portal ASPX pages (this folder name reflects your language so could be different for you).
Folder images All Images used throughout the site are stored here.


Changing Web Portal Imagery

You may replace any image with an image of your own. For example:

  • Replacing logo_02.png changes the image in the upper left hand corner of the pages (shown in Figure 7).


Figure 7: logo_02.png is the logo in the upper left corner of the RD Web Access web portal.

  • Replacing logo_01.png changes the image in the upper right hand corner of the pages (shown in Figure 8).


Figure 8: logo_01.png is the logo in the upper right hand corner of the RD Web Access web portal.

  • Changing bg_globe_01.jpg changes the big globe background image of the whole site
  • Changing banner_01.jpg changes the main page banner where the company main logo and the default words “Work Resources” are located.

There are two ways replace images:

  1. Backup and then overwrite an image in the Images folder with one of your own with the same name as the original
  2. Drop a new image into the Images folder and then change the text in Site.xsl page to reflect the new image name.

Tip: Make sure the resolution is at least as large and the height and width ratio match the image you are replacing.

Changing Text Strings:

Most of the site’s common text strings are stored in two different places:

  • En-us\RDWAstrings.xml contains text strings that appear on multiple pages as shown in Figure 9.


Figure 9: Text that appears on multiple pages is contained in the RDWAStrings.xml file.

  • You can change text strings specific to a certain page (for example to default.aspx) by modifying those pages.


Note: Modifying the “Work Resources” page title requires a different approach. While this string is used in multiple places it is not controlled by the RDWAStrings.xml file. Use the following PowerShell command to modify it:

Set-RDWorkspace [-Name] <string> [-ConnectionBroker <string>]  [<CommonParameters>]

Q & A


Q: I have heard that you can publish RemoteApps from Windows 7 and Windows 8 VMs.  How do these RemoteApps get delivered by RD Web Access?

A: It’s also possible to publish RemoteApps running on a Windows 7 or 8 virtual machine. In Windows 2012 you do this by creating a Virtual Desktop Collection, rather than a Session Collection. The RD Connection Broker queries the VM as part of the Virtual Machine-Based Desktop Deployment, retrieves the Remote Apps published on the Virtual Machines and makes them available just as RemoteApps on RD Session Host servers.

Q: When I publish or un-publish RemoteApps and full desktop connections or add/remove a folder the changes are updated in the RD Web Access portal with a simple refresh but the RADC feed does not seem to update. Why?

A: The RADC feed does update, it just takes a day to do so. This is by design. When you configure RADC on a client machine a set of scheduled tasks that update the feed get created. You can adjust these scheduled tasks to update the client RADC feed more or less frequently as you need.  The scheduled tasks (shown in Figure 10) are located in the Task Scheduler on the client machine at:

Task Scheduler Library / Microsoft / Windows / RemoteApps and Desktop Connections Update / <Username>


Figure 10: Tasks that refresh the RADC feed are located in Task Scheduler.


Application discovery is an essential part of a successful VDI deployment. In this article, we’ve reviewed how RD Web Access works, what’s new in Windows Server 2012 (including a much simpler administrator and user experience and broader browser support) and how to add some common customizations to RD Web Access. At this point, you should be ready to publish RemoteApps and desktops to the collection you’ve created.

You’ve got a basic deployment together now. In the next article in this series, we’ll dig a bit deeper, explaining how to make your VDI deployment highly available.

Important articles

Article PDF Download

Here is this article in PDF format.

By |April 22nd, 2014|Tags: |

About the Author: