Using RDS RemoteApp from the Internet without VPN

If you’re running a Remote Desktop Services (RDS) server behind a firewall, using internal names, you’ll notice that even though you can publish the RDS website and log in from the Internet, it’s not so easy to connect to a published RemoteApp. The reason is that by default, the .rdp file used to establish the session will not use the external (published) name, but the internal name instead:

The same can also be found when analyzing the .rdp file:

As you can see, there is already an “alternate full address” property available. All we have to do is substitute the value in this property with the public name. This setting can’t be set in the GUI. You have to use PowerShell or set it directly in the registry. The recommended way to do it is using PowerShell, by specifying this setting in the session collection’s configuration.

First, let’s see what the session collection’s name is:

From there, get the content of CustomRDPProperty – this is the current configuration:

This can also be found in the REG_SZ “CustomRDPSettings” in “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\<Your Collection>\DeploymetSettings”. Each setting ends with a line break, so we’ll have to add one after our setting, too.

Let’s add the current setting to a variable:

Create a new variable which contains the old settings previously stored in the $OldRDPCustomSettings plus the new alternate full address. The “`n” at the end will add a line break:

Now overwrite the current custom RDP settings with the content of our variable:

The setting should be active immediately for new sessions. Go ahead, test it:

That’s it, now you’re able to leverage RemoteApp from anywhere in the world by just connecting to your RDP Gateway server over a web (SSL) connection, no VPN needed!


Leave a Reply

Your email address will not be published. Required fields are marked *