How to Set Up Windows Server 2016 Remote Desktop Web Access

Remote Desktop Web Access (RD Web Access) is a role service in Windows Server 2016 Remote Desktop Services that provides a web-based portal for users to access RemoteApp programs, session-based desktops, and virtual desktops from any device with a web browser. Instead of distributing .rdp files or configuring client settings manually, users simply navigate to the RD Web Access URL, log in, and click an application or desktop icon to launch an RDP connection. This tutorial covers installing RD Web Access, integrating it with RD Connection Broker, customising the portal, and securing the site with SSL.

How RD Web Access Works

RD Web Access is an IIS-hosted web application that queries the RD Connection Broker for the list of available RemoteApp programs and desktops. When the user clicks an item in the portal, the browser downloads a .rdp file or launches the Remote Desktop ActiveX control, which establishes an RDP connection routed through the RD Connection Broker. On modern browsers that do not support ActiveX (Chrome, Firefox, Edge on non-Windows), the .rdp file is downloaded and opened by the local mstsc.exe client. The portal also supports Single Sign-On (SSO) when properly configured with domain authentication.

Step 1: Install the RD Web Access Role Service

RD Web Access can be installed on a dedicated server or on the same server as another RDS role. Install it using PowerShell:

Install-WindowsFeature -Name RDS-Web-Access -IncludeManagementTools

This installs the IIS web server role as a dependency and deploys the RDWeb application to the Default Web Site under the path /RDWeb. No restart is required.

Step 2: Add RD Web Access to the RDS Deployment

If you have an existing RDS deployment managed by Server Manager, add the RD Web Access server to the deployment. In Server Manager > Remote Desktop Services, click the Tasks menu next to RD Web Access in the Deployment Overview and select Add RD Web Access Servers. Select the server and click Add. This configures the Web Access server to query the Connection Broker for published resources. The equivalent PowerShell command is:

Add-RDServer -Server "rdweb.domain.local" -Role RDS-Web-Access -ConnectionBroker "rdbroker.domain.local"

Step 3: Configure the IIS SSL Certificate

RD Web Access should always be served over HTTPS. Import your SSL certificate into the server’s Personal certificate store (see the RD Gateway tutorial for import commands), then bind it to the IIS Default Web Site. Open IIS Manager, click on the Default Web Site, select Bindings, and add or edit the HTTPS binding to use your certificate.

Using PowerShell to bind the certificate to IIS:

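# The IIS cmdlets below come from the WebAdministration module
Import-Module WebAdministration
# Find the certificate in the local machine's Personal store
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {$_.Subject -like "*rdweb.contoso.com*"}
# Create the HTTPS binding, then attach the certificate to it
New-WebBinding -Name "Default Web Site" -Protocol "https" -Port 443 -HostHeader "rdweb.contoso.com"
$binding = Get-WebBinding -Name "Default Web Site" -Protocol "https"
$binding.AddSslCertificate($cert.Thumbprint, "My")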
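
To confirm the result of this step, the following check reads the bindings back from IIS and inspects the attached certificate. It is an added example, not part of the original tutorial; the function name Test-RDWebHttpsBinding and the 30-day expiry threshold are assumptions.

```powershell
Import-Module WebAdministration

function Test-RDWebHttpsBinding {
    param(
        [string]$SiteName = 'Default Web Site',
        [string]$HostName = 'rdweb.contoso.com',
        [int]$MinDaysValid = 30          # assumed renewal threshold
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # A remaining plain-HTTP binding lets the logon page load without TLS.
    if (Get-WebBinding -Name $SiteName -Protocol 'http') {
        $findings.Add("'$SiteName' still has an http binding")
    }

    $https = @(Get-WebBinding -Name $SiteName -Protocol 'https')
    if ($https.Count -eq 0) { $findings.Add("no https binding on '$SiteName'") }

    foreach ($b in $https) {
        $info = $b.bindingInformation    # for example *:443:rdweb.contoso.com
        if (-not $b.certificateHash) {
            $findings.Add("[$info] no certificate attached"); continue
        }
        $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
        $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $cert) {
            $findings.Add("[$info] certificate is missing from the store"); continue
        }
        if (-not $cert.HasPrivateKey) {
            $findings.Add("[$info] certificate has no private key")
        }
        if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysValid)) {
            $findings.Add("[$info] certificate expires $($cert.NotAfter.ToString('yyyy-MM-dd'))")
        }
        # -like lets a wildcard name such as *.contoso.com match the portal name.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if (-not ($names | Where-Object { $HostName -like $_ })) {
            $findings.Add("[$info] certificate names ($($names -join ', ')) do not cover $HostName")
        }
    }
    return $findings
}

# No output means every check passed.
Test-RDWebHttpsBinding | ForEach-Object { Write-Warning $_ }
```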

Step 4: Configure the RD Web Access Portal

Once installed, access the portal at https://rdweb.contoso.com/RDWeb. You will see the default Microsoft RemoteApp and Desktop Connections login page. Users authenticate with domain credentials.

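Configure the Connection Broker that RD Web Access queries by editing the web.config or using the IIS Manager configuration. For deployments configured through Server Manager, this is handled automatically. To verify or manually set the deployment configuration on the Connection Broker, run the command below. The -GatewayMode DoNotUse value tells the deployment not to publish RD Gateway settings, so use it only when no RD Gateway is in use: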

Set-RDDeploymentGatewayConfiguration -ConnectionBroker "rdbroker.domain.local" -GatewayMode DoNotUse

Step 5: Publish Resources to the Portal

Resources visible in the portal come from the collections defined on the RD Connection Broker. Add RemoteApp programs and desktops to collections using Server Manager or PowerShell. Add a full desktop to a collection:

Set-RDSessionCollectionConfiguration -CollectionName "DesktopCollection" -ShowInWebAccess $true -ConnectionBroker "rdbroker.domain.local"

Add a RemoteApp program to a collection:

New-RDRemoteApp -CollectionName "DesktopCollection" -DisplayName "Microsoft Word" -FilePath "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" -ShowInWebAccess $true -ConnectionBroker "rdbroker.domain.local"

Verify the published apps:

Get-RDRemoteApp -CollectionName "DesktopCollection" -ConnectionBroker "rdbroker.domain.local" | Select-Object DisplayName, FilePath, ShowInWebAccess

Step 6: Customise the RD Web Access Portal

The RD Web Access portal can be customised with your organisation’s logo, colours, and text. The web application files are located at C:\Windows\Web\RDWeb. The CSS and image files in this directory control the appearance of the portal. Replace the logo.png file (located in C:\Windows\Web\RDWeb\Pages\images) with your organisation’s logo at the same dimensions (248×50 pixels by default).

To customise the portal title and additional text, edit the Web.config file or the resource (.resx) files in the Pages\en-US directory:

notepad "C:\Windows\Web\RDWeb\Pages\en-US\RDWAStrings.en-US.resx"

Step 7: Enable Single Sign-On

Single Sign-On (SSO) allows users who are already authenticated to a domain-joined Windows client to access the RD Web portal and launch applications without re-entering their credentials. SSO requires Windows Authentication to be enabled on the RDWeb IIS application and a Group Policy setting to allow credential delegation to the RDS servers.

Enable Windows Authentication in IIS:

# Authentication sections are locked at server level by default, so write them to applicationHost.config with -Location
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication" -Name enabled -Value $true -PSPath "IIS:\" -Location "Default Web Site/RDWeb"
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/anonymousAuthentication" -Name enabled -Value $false -PSPath "IIS:\" -Location "Default Web Site/RDWeb"

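Configure credential delegation via Group Policy on client computers: Computer Configuration > Administrative Templates > System > Credentials Delegation > Allow delegating default credentials. Add the RDS servers to the policy's server list using the TERMSRV/ prefix. Listing specific hosts (for example TERMSRV/rdbroker.domain.local) limits delegation to those servers, whereas TERMSRV/* allows default credentials to be delegated to any Remote Desktop host.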

Step 8: Test and Validate

From a client machine, browse to https://rdweb.contoso.com/RDWeb. Log in with domain credentials. The portal should display the available RemoteApp programs and desktops. Click a RemoteApp to launch it. The browser will download an .rdp file or prompt to open mstsc.exe. Verify the application opens and that you can interact with it normally. If using a Gateway, verify that the .rdp files contain the correct gateway settings.
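
The gateway check in this step can be scripted by parsing the downloaded .rdp file, which is a list of name:type:value lines. The following is an added example, not part of the original tutorial; the function names, the gateway host rdgw.contoso.com and the sample file contents are constructed for illustration.

```powershell
# Constructed sample of a portal-generated .rdp file (not from a real deployment).
$sampleRdp = @'
full address:s:RDBROKER.DOMAIN.LOCAL
remoteapplicationmode:i:1
remoteapplicationprogram:s:||WINWORD
gatewayhostname:s:rdgw.contoso.com
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
'@ -split "`r?`n"

function ConvertFrom-RdpFile {
    param([string[]]$Line)
    $settings = @{}
    foreach ($l in $Line) {
        # Each setting is name:type:value; type is s (string), i (integer) or b (binary).
        if ($l -match '^(?<name>[^:]+):(?<type>[sib]):(?<value>.*)$') {
            $settings[$Matches['name'].Trim().ToLower()] = $Matches['value'].Trim()
        }
    }
    return $settings
}

function Test-RdpGatewaySettings {
    param([hashtable]$Settings, [string]$ExpectedGateway)
    $problems = @()
    if (-not $Settings.ContainsKey('full address')) { $problems += 'no "full address" entry' }

    $gw = $Settings['gatewayhostname']
    if (-not $gw) {
        $problems += 'gatewayhostname is missing or empty'
    } elseif ($gw -ne $ExpectedGateway) {
        $problems += "gatewayhostname is '$gw', expected '$ExpectedGateway'"
    }

    # Assumption: this check accepts 1 (always use the gateway) and
    # 2 (use the gateway when a direct connection fails); 0 means no gateway.
    $usage = $Settings['gatewayusagemethod']
    if ($usage -notin '1', '2') {
        $problems += "gatewayusagemethod is '$usage'; the client will not use the gateway as intended"
    }
    return $problems
}

$settings = ConvertFrom-RdpFile -Line $sampleRdp
$problems = Test-RdpGatewaySettings -Settings $settings -ExpectedGateway 'rdgw.contoso.com'
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Gateway settings match' }
```

For a file downloaded from the portal, pass its lines instead of the sample, for example ConvertFrom-RdpFile -Line (Get-Content .\download.rdp).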

RD Web Access transforms remote application delivery from a complex per-client configuration task into a simple web portal experience. Combined with RD Connection Broker and RD Gateway, it provides a complete, secure, and user-friendly remote access solution for Windows Server 2016 environments.