How to Configure Remote Desktop Web Access on Windows Server 2019
Remote Desktop Web Access (RD Web Access) provides a web portal through which users can access RemoteApp programs and session desktops without installing any software other than a web browser or the Remote Desktop client. Users navigate to an HTTPS URL, authenticate with their domain credentials, and see a personalised list of published applications and desktops they are authorised to use. RD Web Access is a standard component of Windows Server 2019 RDS deployments and integrates with the RD Connection Broker for session management.
Installing the RD Web Access Role
The RD Web Access role installs an IIS-based web application on the server. Install it on a server that will serve the portal — this can be the Connection Broker server or a dedicated web server for larger deployments.
# Install RD Web Access and required dependencies
Install-WindowsFeature -Name RDS-Web-Access -IncludeManagementTools
# Verify installation
Get-WindowsFeature -Name RDS-Web-Access, Web-Server, Web-WebSockets
# The role also installs IIS if not already present
Get-WindowsFeature -Name Web-Server | Select-Object Name, InstallStateAfter installation, the RD Web Access portal is accessible at https://server-name/RDWeb. The default page requires users to enter their credentials to see their published resources.
Adding RD Web Access to an RDS Deployment
Add the Web Access server to your RDS deployment managed by the Connection Broker using the Add-RDServer cmdlet.
# Add the Web Access server to the deployment
Add-RDServer `
-Server "rdweb01.corp.local" `
-Role RDS-WEB-ACCESS `
-ConnectionBroker "rdcb01.corp.local"
# Verify the web access server was added
Get-RDServer -ConnectionBroker "rdcb01.corp.local" | Where-Object { $_.Roles -contains "RDS-WEB-ACCESS" }Configuring the SSL Certificate for RD Web Access
RD Web Access must use HTTPS with a valid SSL certificate to protect user credentials. Configure the certificate using the Set-RDCertificate cmdlet, which installs the certificate for all RDS roles simultaneously or for individual roles.
# Import the certificate PFX first
$CertPassword = ConvertTo-SecureString -String "CertPassword123" -AsPlainText -Force
$Cert = Import-PfxCertificate -FilePath "C:Certsrds.corp.com.pfx" `
-CertStoreLocation "Cert:LocalMachineMy" `
-Password $CertPassword
# Apply the certificate to RD Web Access
Set-RDCertificate `
-Role RDWebAccess `
-ImportPath "C:Certsrds.corp.com.pfx" `
-Password $CertPassword `
-ConnectionBroker "rdcb01.corp.local" `
-ForceYou can also use the IIS Manager to bind the certificate directly to the Default Web Site or the RDWeb application’s HTTPS binding.
# Bind the certificate to IIS via PowerShell WebAdministration module
Import-Module WebAdministration
# Remove the existing self-signed certificate binding
Get-WebBinding -Name "Default Web Site" -Protocol "https" | Remove-WebBinding
# Add binding with the new certificate
New-WebBinding -Name "Default Web Site" -Protocol "https" -Port 443 -IPAddress "*"
$Binding = Get-WebBinding -Name "Default Web Site" -Protocol "https"
$Binding.AddSslCertificate($Cert.Thumbprint, "My")Customising the RD Web Access Portal
The RD Web Access portal can be customised with company branding. The web application files are located at C:WindowsWebRDWeb. Modify the logo, CSS, and page titles to match your organisation’s branding.
# RD Web Access files location
$RDWebPath = "C:WindowsWebRDWeb"
# Key files for customisation:
# Pagesen-USlogin.aspx - Login page
# Pagesen-USdefault.aspx - Main application list page
# Pagesen-USRDWebClient - HTML5 web client files
# App_ThemesDefault - CSS and image files
# Replace the company logo (must be PNG, recommended 200x50px)
Copy-Item -Path "C:Brandingcompany-logo.png" -Destination "$RDWebPathPagesen-USimageslogo.png" -ForceConfiguring the Web Client (HTML5 RDP)
Windows Server 2019 includes the modern HTML5 Remote Desktop Web Client, which allows users to connect to RDS resources directly in a browser without the legacy ActiveX or Java plugins. The web client requires the RDWebClientManagement PowerShell module.
# Install the RD Web Client management module
Install-Module -Name RDWebClientManagement -Force
# Install the latest RD Web Client
Install-RDWebClientPackage
# Publish the Web Client (makes it accessible at /RDWeb/webclient)
Publish-RDWebClientPackage -Type Production -Latest
# Get the currently installed package version
Get-RDWebClientPackageUsers can access the HTML5 client at https://rdweb.corp.com/RDWeb/webclient. This is particularly useful for users on macOS, Linux, Chromebook, or mobile devices.
Configuring Authentication Options
By default, RD Web Access uses forms-based authentication where users enter their domain credentials on the login page. You can also configure Windows Integrated Authentication for users on the internal network (auto-login with their Windows credentials) or configure ADFS for Single Sign-On.
# Configure Windows Integrated Authentication for internal users
# This is done via IIS Manager on the RDWeb application
Import-Module WebAdministration
# Disable Anonymous Authentication
Set-WebConfigurationProperty `
-Filter "system.webServer/security/authentication/anonymousAuthentication" `
-Name "enabled" `
-Value "False" `
-Location "Default Web Site/RDWeb"
# Enable Windows Authentication
Set-WebConfigurationProperty `
-Filter "system.webServer/security/authentication/windowsAuthentication" `
-Name "enabled" `
-Value "True" `
-Location "Default Web Site/RDWeb"Publishing Resources to RD Web Access
Published RemoteApp programs and session desktops automatically appear on the RD Web Access portal once they are published via the Connection Broker. Users see only the resources they are authorised to access based on the security groups configured on each RemoteApp or desktop collection.
# Publish a RemoteApp program to a collection
New-RDRemoteApp `
-CollectionName "StandardApps" `
-ConnectionBroker "rdcb01.corp.local" `
-DisplayName "Microsoft Word 2019" `
-FilePath "C:Program FilesMicrosoft OfficerootOffice16WINWORD.EXE" `
-Alias "word2019" `
-ShowInWebAccess $true `
-UserGroups @("CORPRD Users", "CORPDomain Users")
# Publish a full desktop session
New-RDSessionCollection `
-CollectionName "FullDesktop" `
-SessionHost "rdsh01.corp.local" `
-ConnectionBroker "rdcb01.corp.local"
Set-RDSessionCollectionConfiguration `
-CollectionName "FullDesktop" `
-ConnectionBroker "rdcb01.corp.local" `
-UserGroup @("CORPRemote Desktop Users")Configuring Multi-Factor Authentication Integration
For enhanced security, integrate RD Web Access with Azure MFA (via Azure AD Application Proxy or NPS extension) or third-party MFA solutions. The NPS Extension for Azure MFA can be configured on the network policy server to add MFA to RADIUS-based authentication for RD Gateway, which also protects Web Access sessions routed through the gateway.
# Install the Azure MFA NPS Extension (requires .NET 4.5+ and NPS role)
# Download from: https://aka.ms/mfanpsextension
# Run the installer, then configure using the NPS Extension setup script
# Configure NPS to require MFA for RD Gateway connections
# This is done via NPS Policies pointing to the RD Gateway server's RADIUS requests
netsh ras show registeredMonitoring RD Web Access Sessions
Monitor web access usage through IIS logs and RDS management tools.
# View IIS access logs for RD Web Access
Get-Content "C:inetpublogsLogFilesW3SVC1u_ex$(Get-Date -Format 'yyMMdd').log" |
Where-Object { $_ -like "*RDWeb*" } |
Select-Object -Last 50
# Get all active RDS sessions (from Connection Broker)
Get-RDUserSession -ConnectionBroker "rdcb01.corp.local" |
Select-Object UserName, SessionId, SessionState, HostServer, IdleTime |
Format-Table -AutoSizeConclusion
Remote Desktop Web Access on Windows Server 2019 provides a clean, browser-based portal for accessing RDS resources. The HTML5 web client eliminates dependency on ActiveX or thick clients for most use cases. Proper SSL certificate configuration, integration with the Connection Broker for application publishing, and optional MFA enforcement create a secure and user-friendly remote access experience. Customising the portal branding and configuring appropriate authentication methods ensures the RD Web Access deployment meets both security requirements and user experience expectations.
