Remote Desktop Services (Published/RemoteAPP) + Azure App Proxy Connector?

Dan Haddad 1 Reputation point
2022-07-04T20:03:25.447+00:00

I'm looking for some suggestions on the best route here for enabling access to an on-premises legacy application for remote workers.

Currently, we use the following:

  • Remote Desktop Services - typical deployment (gateway/web/broker/hosts)
  • The entire RDS setup is only available to local devices (or VPN-connected) - no WAN access
  • Users connect to the corp DMZ with a SonicWall VPN, with the profile pushed out by Intune
  • The remote apps are published into their Start menu, through the Control Panel item "RemoteApp and Desktop Connections"

While this solution works, it has issues:

  • VPN dropouts happen; users think it is an RDS issue.
  • If the user's local network is on the same subnet as our DMZ, it's an issue.
  • (Sometimes) many authentication prompts (VPN, RDWeb, then the app itself)

I started looking at migrating to the HTML5 Web Client + Azure App Proxy. It seems that this would:

  • Remove the need for the VPN and the complexities that come with it
  • Reduce the number of authentication prompts users get
  • Keep the RDS deployment inside our LAN/DMZ

However, for the less tech-savvy end users, it offers a less native experience, since the apps are not in their Start menu. In-browser apps also make it harder to multitask between local apps and other browser apps.

Question: Is it possible to publish "RemoteApps" to users while using Azure App Proxy? Is there any other suggestion on using the App Proxy to reduce the need for VPN clients while keeping the RDS experience native?


Dirk Haex 81 Reputation points
2022-07-06T15:02:50.593+00:00

You could publish the RDS gateway into the DMZ and secure it with Azure MFA (Azure AD Premium P1 required).
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg

I've done this multiple times; the only requirements are:

  • Azure MFA via Azure AD Premium P1
  • NPS server + Azure MFA Extension
  • Microsoft Authenticator push notification as the preferred MFA method.
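As an added example (not part of Dirk's answer or this thread, and not Microsoft's own code), here is a PowerShell readiness check an administrator could run on the RD Gateway host before exposing it, covering the requirements listed above: RD Gateway and NPS roles installed, the NPS service running, the Azure MFA NPS extension present and configured to fail closed for users with no MFA method registered, the gateway pointed at a central NPS store, and the HTTPS/UDP listeners up. The Windows feature names, the `IAS` service name and the `HKLM\SOFTWARE\Microsoft\AzureMfa` key are as documented for the NPS extension; the `RDS:` provider paths used to read the central CAP setting are assumptions and are marked as such in the comments.

```powershell
# Added readiness check for an RD Gateway secured with the Azure MFA NPS extension.
# Not from the Q&A thread. Run locally on the RD Gateway / NPS host as Administrator.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[string]]::new()
function Add-Finding([string]$Severity, [string]$Message) { $findings.Add("[$Severity] $Message") }

# 1. Roles: RD Gateway and Network Policy and Access Services must both be installed
#    (Get-WindowsFeature exists on Windows Server only).
foreach ($feature in 'RDS-Gateway', 'NPAS') {
    $f = Get-WindowsFeature -Name $feature -ErrorAction SilentlyContinue
    if ($f -and $f.Installed) { Add-Finding 'OK'   "Windows feature $feature is installed" }
    else                      { Add-Finding 'FAIL' "Windows feature $feature is not installed" }
}

# 2. NPS service (service name IAS, display name "Network Policy Server") must be running,
#    otherwise RADIUS requests from the gateway are never evaluated.
$nps = Get-Service -Name IAS -ErrorAction SilentlyContinue
if ($nps -and $nps.Status -eq 'Running') { Add-Finding 'OK'   'NPS service (IAS) is running' }
else                                     { Add-Finding 'FAIL' 'NPS service (IAS) is not running' }

# 3. Azure MFA NPS extension. Its installer creates HKLM\SOFTWARE\Microsoft\AzureMfa.
#    REQUIRE_USER_MATCH=FALSE lets users with no registered MFA method in with only a
#    password; TRUE (or the value being absent) denies them, which is the safe setting
#    for an internet-facing gateway.
$mfaKey = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
if (Test-Path $mfaKey) {
    Add-Finding 'OK' 'Azure MFA NPS extension registry key present'
    $req = (Get-ItemProperty -Path $mfaKey -ErrorAction SilentlyContinue).REQUIRE_USER_MATCH
    if ("$req" -eq 'FALSE') { Add-Finding 'WARN' 'REQUIRE_USER_MATCH=FALSE: users without MFA registered are allowed through on password alone' }
    else                    { Add-Finding 'OK'   'REQUIRE_USER_MATCH is TRUE or unset: users without MFA registered are denied' }
} else {
    Add-Finding 'FAIL' 'Azure MFA NPS extension not detected (registry key missing)'
}

# 4. The gateway must use a central NPS store for connection authorization policies so
#    that every logon is routed through RADIUS (and therefore through the MFA extension).
#    ASSUMPTION: the RDS: provider items below; verify against your own gateway.
try {
    Import-Module RemoteDesktopServices -ErrorAction Stop
    $central = (Get-Item 'RDS:\GatewayServer\CentralCAPEnabled' -ErrorAction Stop).CurrentValue
    if ("$central" -eq '1') { Add-Finding 'OK'   'RD Gateway uses a central NPS (CAP) store' }
    else                    { Add-Finding 'FAIL' 'RD Gateway uses local CAPs; MFA via NPS will not be enforced' }
} catch {
    Add-Finding 'WARN' "Could not read central CAP setting via RDS: provider ($($_.Exception.Message))"
}

# 5. Listeners the published gateway needs: HTTPS on TCP/443 and UDP transport on 3391.
if (Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue) { Add-Finding 'OK' 'TCP/443 listener present' }
else { Add-Finding 'FAIL' 'No TCP/443 listener; gateway HTTPS transport is down' }
if (Get-NetUDPEndpoint -LocalPort 3391 -ErrorAction SilentlyContinue) { Add-Finding 'OK' 'UDP/3391 listener present' }
else { Add-Finding 'WARN' 'No UDP/3391 listener; clients will fall back to HTTP transport only' }

$findings | ForEach-Object { Write-Output $_ }
if ($findings -match '^\[FAIL\]') { exit 1 }
```

The script exits non-zero on any FAIL so it can gate a change or run from monitoring. It does not check the RADIUS timeout on the remote RADIUS server group that the linked article has you raise (so that a push-notification round trip does not time out the gateway), because that value lives in the NPS configuration rather than anywhere cheaply readable here; confirm it by hand after running the check.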
