If you are an IT administrator in your department and wish to set up Windows Remote Desktop access to NWZ workstations (Windows PCs), please do not use the VPN gateways of the university for access from the Internet, but the Remote Desktop Gateway provided for this purpose.

In order to use the Remote Desktop Gateway and the Windows Remote Desktop Services on NWZ workstations (Windows PCs), some requirements have to be met on Windows and on the network.

There are three levels to be observed, the configuration of which is described below.

It is the responsibility of the IT administrator to secure such access point against unauthorized access.

  • Activate Windows Remote Desktop Services and Configure Windows Firewall

    Enabling Remote Desktop Services must be done through Group Policy. You can extend an existing Group Policy object, create a new one, or use the provided template "NWZ - Remote Desktop Services über Remote Desktop Gateway". The latter also automatically configures the firewall and ensures that the computer does not become inaccessible due to the power saving mode.

    © IVV Naturwissenschaften

    The settings to enable Remote Desktop Services are located in the group policy under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections. Please use the "NWZ Group Policy" console at nwzCitrix.nwz.wwu.de to edit the Group Policy.

    Double-click the "Allow users to connect remotely using Remote Desktop Services" setting, set it to "Enabled", and then click "OK".

    In the group policy, open Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security.

    Double-click the "User authentication with network-level authentication is required for remote connections" setting, set it to "Enabled" and click "OK".

    In the group policy, go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security and right-click on "Incoming Rules". Select "New rule...".

    Select "Remote Desktop" as the predefined rule type.

    Select all rules by checking the box before the rule name and click "Next >".

    Select "Allow connection" as action and click "Finish".

    Then double-click each of the three new Remote Desktop rules in turn. Switch to the "Advanced" tab and, under "Profiles", restrict each rule to "Domain" and "Private" by ticking only those two checkboxes. Then click "OK".

    Switch to the "Area" tab (labelled "Scope" in the English Windows UI) and add the subnet of the Remote Desktop Gateways (192.176.5.192/27) under the remote IP addresses. This restricts the rules so that only connections originating from this subnet are permitted.

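    The three settings above (Remote Desktop enabled, NLA required, inbound rules limited to the Domain/Private profiles and to the gateway subnet) are easy to get subtly wrong, for example when an older firewall rule without the subnet restriction is still active. The following script is an added verification example, not part of the IVV instructions or of the "NWZ - Remote Desktop Services über Remote Desktop Gateway" template. Run it in an elevated PowerShell on a workstation after the policy has applied (gpupdate /force). It assumes the standard Windows policy registry path and the predefined "Remote Desktop" firewall rule group; the gateway subnet is the one named on this page.

```powershell
# Added verification script (not part of the IVV instructions).
# Checks a workstation against the expected Remote Desktop configuration:
#   1. Remote Desktop enabled by Group Policy      (fDenyTSConnections = 0)
#   2. Network Level Authentication enforced       (UserAuthentication  = 1)
#   3. Inbound "Remote Desktop" firewall rules enabled, limited to the
#      Domain and Private profiles and scoped to the gateway subnet only.

$GatewaySubnet   = '192.176.5.192/27'            # subnet of the RD Gateways (from the page)
$AllowedProfiles = @('Domain', 'Private')       # Public must stay excluded
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$findings  = @()

# 1./2. Values written by the two GPO settings under Remote Desktop Session Host
$p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
if ($null -eq $p -or $p.fDenyTSConnections -ne 0) {
    $findings += 'Remote Desktop is not enabled by Group Policy (fDenyTSConnections != 0).'
}
if ($null -eq $p -or $p.UserAuthentication -ne 1) {
    $findings += 'Network Level Authentication is not enforced by Group Policy (UserAuthentication != 1).'
}

# 3. ActiveStore includes rules delivered by Group Policy, not only local ones
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'Remote Desktop' -Direction Inbound
if (-not $rules) {
    $findings += 'No inbound "Remote Desktop" firewall rules are active.'
}
foreach ($rule in $rules) {
    if ($rule.Enabled -ne 'True') {
        $findings += "Rule '$($rule.DisplayName)' is disabled."
    }
    # Profile is a flags value rendered as e.g. "Domain, Private"; "Any" means all profiles
    $profiles = "$($rule.Profile)" -split ',\s*'
    $extra    = $profiles | Where-Object { $_ -notin $AllowedProfiles }
    if ($extra) {
        $findings += "Rule '$($rule.DisplayName)' also applies to profile(s): $($extra -join ', ')."
    }
    # Remote address scope must be exactly the gateway subnet, never "Any"
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($remote -contains 'Any' -or $remote -notcontains $GatewaySubnet) {
        $findings += "Rule '$($rule.DisplayName)' is not restricted to the gateway subnet (remote address: $($remote -join ', '))."
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Remote Desktop, NLA and firewall scoping match the expected configuration.'
} else {
    Write-Output 'Deviations found:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

    A rule that applies to the Public profile or whose remote address is "Any" is the most common finding; it usually comes from a locally created or pre-existing "Remote Desktop" rule that the GPO rules do not replace, and it should be removed or scoped like the others.
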
  • Configure Access Rules (ACLs) in NIC_online Net zone browser

    To enable access to Remote Desktop Services via the Remote Desktop Gateway for your network zone, please contact the NOC and specify the network zone (as named in the network zone browser) or the IP subnets that should be reachable. The sub-module "RDP-CORONA" will then be added to your ruleset.

    A general access rule is not possible, as it would make the remote consoles of the central and departmental Windows servers, which are used only for administration, reachable from the Internet.

  • Configure User Access to Windows Remote Desktop Service

    There is the option to configure the RDP user groups for all computers in an OU or explicitly for individual clients. We will discuss both configurations in this manual.

    The configuration must be done via group policy.

    You should create a new Group Policy object for this purpose.

    Start the "NWZ Group Policy" console on nwzCitrix.nwz.wwu.de and create a new Group Policy Object according to your naming scheme or edit an existing one.
    When creating a new Group Policy object, please add your "group2" institute or workgroup to the permissions.

    Right-click the Group Policy object and select "Edit". Then open the path Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.

    Right-click on "Restricted Groups" and select "Add Group...".

    Click on "Browse..."

    Enter "Remote Desktop Users" as the group and check that you have not mistyped the group name by clicking on "Check names".
    Then click on "OK".

    In the next window confirm the entry by clicking on "OK".

    Click on "Add" under "Members of this group".

    Please use "Browse" to select your desired group or user.

    You can enter groups as well as single or multiple users here. The dialog box works the same way as when selecting the group to be configured ("Check names").

    Only click "OK" when you have entered all desired groups and users.


    In the next window confirm the entry by clicking on "OK".

    The configuration of the restricted group is now complete, click "OK".

    If you do not want the configuration to apply to all computers of the OU and sub-OUs, but only to individual clients, you must copy your GPO and use the security filtering of the GPO for assignment.

    In this case, please follow the steps below, which are marked as "[Optional] Configuration of individual clients".

    [Optional] Configuration of individual clients

    Switch to the "Area" tab (labelled "Scope" in the English Windows UI) and click "Add" under Security Filtering.

    Under "Object Types" activate only "Computers".

    You can then enter the relevant client computers. The dialog box works the same way as before ("Check names").

    Do not click 'OK' until you have entered all the required computers.

    In the next window confirm the entry by clicking "OK".

    Select "Authenticated Users" and click "Remove" to ensure that the GPO is only applied to the listed computers.
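    Because Restricted Groups replaces the membership of "Remote Desktop Users" on every computer the GPO applies to, it is worth confirming on a client that the resulting local group contains exactly the principals you entered and nothing broader. The following script is an added example for that check, not part of the IVV instructions; the domain name "NWZ" and the group and user names in $Expected are constructed placeholders that you replace with the members from your own policy.

```powershell
# Added verification script (not part of the IVV instructions).
# Compares the local "Remote Desktop Users" group on this workstation with the
# members configured in the Restricted Groups policy. Run after gpupdate /force.

# Placeholder members (constructed for this example); replace with your own entries.
$Expected = @('NWZ\RDP-Institut-Beispiel', 'NWZ\mustermann')

# Get-LocalGroupMember returns the members as DOMAIN\name (or COMPUTER\name for local accounts)
$members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' |
             Select-Object -ExpandProperty Name)

$missing    = @($Expected | Where-Object { $_ -notin $members })
$unexpected = @($members  | Where-Object { $_ -notin $Expected })

# Broad principals that must never be granted Remote Desktop access this way,
# regardless of whether someone listed them in the policy by mistake.
$broad = @($members | Where-Object { $_ -match '\\(Everyone|Authenticated Users|Domain Users|Users)$' })

if ($missing.Count -eq 0 -and $unexpected.Count -eq 0 -and $broad.Count -eq 0) {
    Write-Output 'OK: "Remote Desktop Users" contains exactly the expected members.'
} else {
    foreach ($m in $missing)    { Write-Output "Missing member (policy not applied?): $m" }
    foreach ($u in $unexpected) { Write-Output "Unexpected member (not in policy):   $u" }
    foreach ($b in $broad)      { Write-Output "Overly broad principal, remove it:    $b" }
}

# Which GPO delivered the Restricted Groups setting can be confirmed with:
#   gpresult /r /scope:computer
```

    If a client shows the old membership after a GPO copy with security filtering, the usual cause is that "Authenticated Users" was removed from the filter but the computer object was not added, so the policy no longer applies to that machine at all; gpresult will then list the GPO under "filtered out".
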

  • Configure power saving settings

    Tests in several other IVVs have shown that the energy saving settings can cause a computer to become unreachable via Remote Desktop. The instructions linked below also make end users aware that manually shutting down the computer has the same effect.

    To modify the power saving settings configured in Windows, you can use the following Group Policy object:

    "NWZ Energiesparplan Höchstleistung".

    This should ensure that the computers do not go into power-saving mode and remain accessible. Please note the correct link order of the Group Policy objects if you want to change your own power saving settings with this policy. Power-saving policies distributed through Microsoft Endpoint Configuration Manager are overridden by Group Policy settings.

    To disable power saving options in the BIOS/EFI of the PC, please consult the documentation of the respective manufacturer.

End User Guide for Using the Windows Remote Desktop Service

After successful configuration of Windows Remote Desktop Services, please provide your users with the following instructions for using the service. Please remember to inform the users about the full computer name and the user accounts and passwords to be used.

The following link is not otherwise published, as its use requires prior configuration by the IT administrator as well as additional individual information and, if necessary, instructions. You may pass it on.

https://www.uni-muenster.de/NWZ/en/Hilfe/Nutzer/Anleitungen/Windows/RDSRDG/windowsrdsueberrdg.html