FusionAccess Desktop Solution V100R006C20 Application Virtualization User Guide 09 (FusionSphere V100R006C10 or Earlier)

Configuring RDS Licensing and Security Policies


Scenarios

Configure RDS authorization and security policies on the AD domain server by setting group policies.

After VMs are added to application groups, you need to configure the RDS service authorization function of the APS server on the AD domain server to ensure that users obtain RDS service authorization of the RD Licensing server when accessing applications published by the APS server. Otherwise, users cannot use shared desktops or remote applications after a trial period of 120 days.

Before publishing applications on the APS server, harden it by configuring the APS server security policies so that authorized users can access it securely.

Prerequisites

  • You have logged in to the AD domain server as a domain administrator.
  • RDS service authorization options and security policies have been obtained.

Data

Table 2-14 lists the data to be obtained.

Table 2-14 Data to be obtained

| Parameter | Description | Example Value |
|---|---|---|
| Name | Identifies an APS server organization unit (OU) in the application virtualization scenario. | SBCOU |
| Name | Identifies a group policy of the APS server. The name consists of digits, letters, and underscores (_), and cannot exceed 30 characters. | SBCGRP |
| License servers to use | Specifies the server that provides the RDS service authorization function to the APS server, that is, the RD Licensing server. | 192.168.1.60 |

Procedure

Create an APS server OU.

In the application virtualization scenario, control authorization and set security policies for the APS server by setting group policies. In this case, an independent OU must be created for the APS server.

  1. On the active AD domain server, choose > Administrative Tools > Active Directory Users and Computers.

    NOTE:

    The following uses the AD domain server running Windows Server 2012 R2 as an example.

    The Active Directory Users and Computers window is displayed.

  2. In the navigation tree, right-click Domain name and choose New > Organizational Unit.

    The New Object-Organizational Unit dialog box is displayed.

  3. Enter the name of the application virtualization OU to be created, for example, SBCOU, and click OK.
  4. Add the APS server to the new OU.

Create the APS server group policies.

  1. On the active AD domain server, choose .

    The Windows PowerShell dialog box is displayed.

  2. Enter gpmc.msc to go to the Group Policy Management window.
  3. Right-click the application virtualization OU and choose Create a GPO in this domain, and Link it here.
  4. In the displayed dialog box, enter the group policy name, for example, SBCGRP.
  5. Click OK.

Configure the RDS service authorization function of the APS server.

  1. Right-click the new group policy and choose Edit from the shortcut menu.

    The Group Policy Management Editor window is displayed.

  2. In the navigation tree, choose Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Licensing.
  3. In the Licensing area, right-click Use the specified Remote Desktop license servers and choose Edit.

    The Use the specified Remote Desktop license servers dialog box is displayed.

  4. Set parameters as shown in Figure 2-21, and click OK.

    Figure 2-21 Use the specified Remote Desktop license servers

  5. In the Licensing area, right-click Set the Remote Desktop licensing mode and choose Edit.

    The Set the Remote Desktop licensing mode dialog box is displayed.

  6. Set parameters as shown in Figure 2-22, and click OK.

    NOTE:

    The licensing modes include Per Device and Per User. Select the licensing mode based on the actual remote desktop licensing mode.

    Figure 2-22 Set the Remote Desktop licensing mode
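
The OU, GPO and licensing steps above can also be scripted with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not part of the Huawei guide; SBCOU, SBCGRP and 192.168.1.60 are the example values from Table 2-14, while the computer name APS01 and the choice of Per User mode are assumptions.

```powershell
# Added example. Run on the AD domain server as a domain administrator.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ouName        = 'SBCOU'          # example value from Table 2-14
$gpoName       = 'SBCGRP'         # example value from Table 2-14
$licenseServer = '192.168.1.60'   # example value from Table 2-14
$apsComputer   = 'APS01'          # hypothetical APS server computer name
$licensingMode = 4                # assumption: 4 = Per User, 2 = Per Device

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=$ouName,$domainDn"

# Create the APS server OU only if it does not exist yet, then move the server into it.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
Get-ADComputer -Identity $apsComputer | Move-ADObject -TargetPath $ouDn

# Create the GPO if needed and link it to the OU if it is not linked already.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
if ((Get-GPInheritance -Target $ouDn).GpoLinks.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $ouDn | Out-Null
}

# Registry values written by the two Licensing policies
# ("Use the specified Remote Desktop license servers" and
#  "Set the Remote Desktop licensing mode").
$tsKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'LicenseServers' `
    -Type String -Value $licenseServer | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'LicensingMode' `
    -Type DWord -Value $licensingMode | Out-Null

# Show what the GPO now contains for review.
Get-GPRegistryValue -Name $gpoName -Key $tsKey |
    Select-Object ValueName, Value, Type
```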

(Optional) Configure APS server security policies.

For the APS server, two security policies are available. Table 2-15 provides the specific operations and application scenarios of the two security policies.

Table 2-15 Security policies

Security Policy: Common office mode

  Operation:

  • Use all applications provisioned by the administrator.
  • Enable Control Panel and system settings.
  • Enable Task Manager.
  • Enable the Internet control panel function.
  • Enable powershell.exe and cacls.exe.
  • Disable the Windows updating, registry editing, CLI, and Run functions.
  • Disable the Shut Down, Restart, Sleep, and Hibernate functions.

  Application Scenario: Scenarios that do not have high security requirements and do not require the application virtualization advantages to improve office efficiency.

Security Policy: Security isolation mode

  Operation:

  • Use specified Windows applications.
  • Disable most system settings.

  Application Scenario: Scenarios that have high security requirements and must strictly control application and session rights.

  1. Right-click the new group policy and choose Edit from the shortcut menu.

    The Group Policy Management Editor window is displayed.

  2. Set APS server security policies for common office or security isolation mode.

    For details about how to configure all security policies of the APS server, see FusionAccess_aps_security_policy.

  3. The following uses the Prohibit access to the Control Panel policy as an example to describe how to configure the security policy.

    1. In the navigation tree of the Group Policy Management Editor window, choose User Configuration > Policies > Administrative Templates > Control Panel.
    2. In the right pane, right-click Prohibit access to the Control Panel and choose Edit.
    3. Select Enabled and click OK.

Set access rights of the APS server administrator.

  1. In the navigation tree of the Group Policy Management window, choose Forest:Domain name > Domains > Domain name > APS server OU > Group Policy name.

    NOTE:

    Group Policy name is the name of the APS server group policy created by following the instructions in Create the APS server group policies, for example, SBCGRP.

    The Group Policy Management Console dialog box is displayed.

  2. Click OK.

    The APS server group policy is displayed in the right pane.

  3. Click the Delegation tab and click Add.

    The Select User, Computer, or Group dialog box is displayed.

    NOTE:

    This policy applies to all users by default. Deny this policy to the APS server administrator so that the administrator can maintain the APS server.

  4. Enter the APS server domain account and click Check Names.

    The queried domain account is displayed.

  5. Click OK.

    The Add Group or User dialog box is displayed.

  6. Set the permission of the group or user to Read and click OK.

    The APS server group policy window is displayed.

  7. Click Advanced.

    The Group policy name Security Settings dialog box is displayed.

  8. Select the APS server domain account, and select Deny in Apply group policy, as shown in Figure 2-23.

    Figure 2-23 Denying the policy to the APS server domain account

  9. Click Apply.

    The Windows Security window is displayed.

  10. Click Yes.
  11. Click OK.
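
Every account that holds Deny on Apply group policy is exempt from the APS server lockdown, so the list is worth reviewing after this step. The following added example (not part of the Huawei guide) lists the Apply group policy entries on the GPO's Active Directory object; SBCGRP is the example GPO name from Table 2-14.

```powershell
# Added example. Run on the AD domain server as a domain administrator.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl
Import-Module GroupPolicy

$gpoName = 'SBCGRP'             # example value from Table 2-14

# GUID of the "Apply Group Policy" extended right in Active Directory.
$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# The GPO's Path property is the distinguished name of its AD object.
$gpo = Get-GPO -Name $gpoName
$acl = Get-Acl -Path "AD:\$($gpo.Path)"

# Keep only the ACEs that grant or deny Apply Group Policy.
$applyAces = $acl.Access | Where-Object {
    $_.ObjectType -eq $applyGpoRight -and
    ($_.ActiveDirectoryRights -band $extendedRight)
}

# Deny entries are the accounts the policy does not apply to.
$applyAces |
    Sort-Object AccessControlType |
    Select-Object IdentityReference, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

After the procedure above, the only Deny entry should be the APS server domain account; any other Deny entry identifies an account that is not bound by the security policies.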

Refresh the policy.

  1. Click .

    The Windows PowerShell dialog box is displayed.

  2. Run the following command to refresh the policy:

    gpupdate /force

  3. Press Enter. No further action is required.

    If the following information is displayed, the policy is successfully refreshed:

    Updating Policy...
    User Policy update has completed successfully.
    Computer Policy update has completed successfully.

    NOTE:
    • Other component servers will synchronize the new policy. The synchronization mechanism determines the specific synchronization time.
    • The new policy is synchronized after component servers are restarted.
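
To confirm that the refreshed policy actually reached an APS server, compare the registry values written by the Licensing policies with the expected ones. This is an added example, not part of the Huawei guide; it assumes the example values from Table 2-14 and Per User licensing mode, and it is run in an elevated PowerShell session on the APS server.

```powershell
# Added example. Run on the APS server after gpupdate /force.
$gpoName  = 'SBCGRP'                 # example value from Table 2-14
$expected = @{
    LicenseServers = '192.168.1.60'  # example value from Table 2-14
    LicensingMode  = 4               # assumption: 4 = Per User, 2 = Per Device
}

# Location where the two Licensing policies store their settings.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$actual = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# Build one result row per setting; a missing key or value counts as non-compliant.
$results = foreach ($name in $expected.Keys) {
    $value = if ($actual) { $actual.$name } else { $null }
    [pscustomobject]@{
        Setting   = $name
        Expected  = $expected[$name]
        Actual    = $value
        Compliant = ($value -eq $expected[$name])
    }
}
$results | Format-Table -AutoSize

# Confirm that the GPO is listed in the computer's Resultant Set of Policy.
$applied = gpresult /r /scope computer | Select-String -Pattern $gpoName -SimpleMatch
if ($applied) {
    "GPO $gpoName appears in the computer RSoP."
} else {
    "GPO $gpoName is NOT listed; check the OU membership and the GPO link."
}
```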

Updated: 2019-09-29

Document ID: EDOC1000182383
