How to Set Up RDS Web Access on Windows Server 2012 R2
RD Web Access provides a web portal where users can access their RemoteApp programs and desktops from any web browser without installing the full Remote Desktop client. Users navigate to the portal URL, authenticate with their Active Directory credentials, and click on published applications or desktops to launch them through the browser’s RDP client plugin or the standalone Remote Desktop client. This guide covers the installation, SSL certificate configuration, customisation, and troubleshooting of RD Web Access on Windows Server 2012 R2.
Prerequisites
- An RDS deployment with RD Connection Broker and at least one Session Collection
- IIS 8.5 (installed automatically with RD Web Access)
- An SSL certificate for the web server’s FQDN (commercial CA or internal PKI)
- DNS entry for the RD Web Access server FQDN resolving to the server’s IP
- Port 443 open through any firewalls between clients and the RD Web Access server
Step 1 — Install RD Web Access
Install the RD Web Access role service. If RD Web Access is part of your existing RDS deployment created through Server Manager’s RDS wizard, it may already be installed. To add it separately:
Install-WindowsFeature -Name RDS-Web-Access -IncludeManagementToolsThis also installs IIS and the required web server components. Add the RD Web Access server to the RDS deployment:
Add-RDServer -Server "rdwa.domain.com" -Role "RDS-Web-Access" -ConnectionBroker "rdcb.domain.com"Step 2 — Configure SSL Certificate
RD Web Access must use HTTPS in production. Configure the SSL certificate for the IIS site:
# Import a PFX certificate:
$CertPassword = ConvertTo-SecureString -String "CertPassword123" -AsPlainText -Force
$Cert = Import-PfxCertificate -FilePath "C:Certsrdwa.domain.com.pfx" -CertStoreLocation "Cert:LocalMachineMy" -Password $CertPassword
# Bind the certificate to IIS:
Import-Module WebAdministration
New-WebBinding -Name "Default Web Site" -Protocol https -Port 443 -HostHeader "rdwa.domain.com"
$Binding = Get-WebBinding -Name "Default Web Site" -Protocol https
$Binding.AddSslCertificate($Cert.Thumbprint, "My")Alternatively, use IIS Manager to bind the certificate via the GUI: Site Bindings > Add > HTTPS > Select certificate.
Step 3 — Configure the Connection Broker Source
RD Web Access must know which Connection Broker to query for the list of published RemoteApp programs and desktops. Configure this via the RD Web Access management page:
- Open IIS Manager on the RD Web Access server
- Navigate to Default Web Site > RDWeb > Pages
- Open Application Settings
- Set DefaultTSGateway to the FQDN of the RD Connection Broker
Via PowerShell on the RD Web Access server:
Set-WebConfigurationProperty -PSPath "IIS:SitesDefault Web SiteRDWebPages" -Filter "appSettings/add[@key='DefaultTSGateway']" -Name "value" -Value "rdcb.domain.com"Step 4 — Configure the RD Web Access Feed URL
The RD Web Access feed URL is used for RemoteApp and Desktop Connections (Group Policy distribution). The feed is located at:
https://rdwa.domain.com/RDWeb/Feed/webfeed.aspxSet this URL in the RDS deployment settings:
Set-RDDeploymentGatewayConfiguration -ConnectionBroker "rdcb.domain.com" -GatewayMode DoNotUseStep 5 — Verify RemoteApp Programs Appear in the Portal
Ensure that published RemoteApp programs have ShowInWebAccess set to $true:
Get-RDRemoteApp -ConnectionBroker "rdcb.domain.com" | Where-Object { $_.ShowInWebAccess -eq $false } | Set-RDRemoteApp -ShowInWebAccess $true -CollectionName "General Desktop" -ConnectionBroker "rdcb.domain.com"Step 6 — Configure Forms-Based Authentication
By default, RD Web Access uses forms-based authentication (a login page). Ensure the login page is accessible and returns the correct portal after authentication. The RD Web Access site uses ASP.NET for authentication.
To check IIS authentication settings on the RDWeb application:
Get-WebConfiguration -PSPath "IIS:SitesDefault Web SiteRDWeb" -Filter "system.webServer/security/authentication/formsAuthentication"Step 7 — Customise the RD Web Access Portal
RD Web Access branding can be customised by modifying the web application files. The portal files are located in:
C:WindowsWebRDWebPagesKey files for customisation:
login.aspx: The login pagedefault.aspx: The main application page after loginRDWAStrings.en-US.dll: Text strings (can be replaced with custom localisation)
To change the company logo, replace the images in the images subdirectory. Always back up original files before making changes.
Step 8 — Test the RD Web Access Portal
From a client machine, open a browser and navigate to:
https://rdwa.domain.com/RDWebLog in with Active Directory credentials. Published RemoteApp programs and desktops should appear. Click on a RemoteApp to launch it — the browser will either use the built-in RDP plugin (Internet Explorer) or prompt to open the downloaded .rdp file (Chrome, Firefox).
Step 9 — Configure IIS Security Settings
Harden the RD Web Access IIS site:
# Disable HTTP (force HTTPS only):
Get-WebBinding -Name "Default Web Site" -Protocol http | Remove-WebBinding
# Enable HSTS header (requires URL Rewrite module):
Add-WebConfigurationProperty -PSPath "IIS:SitesDefault Web Site" -Filter "system.webServer/httpProtocol/customHeaders" -Name "." -Value @{name='Strict-Transport-Security'; value='max-age=31536000; includeSubDomains'}Troubleshooting RD Web Access
# Check IIS site status:
Get-Website -Name "Default Web Site"
# Check IIS application pool:
Get-WebConfiguration -PSPath "IIS:AppPools" | Select-Object name, state
# View IIS error logs:
Get-Content "C:inetpublogsLogFilesW3SVC1*.log" -Tail 50Users see a blank application list: Verify the Connection Broker FQDN is correctly configured in the RDWeb application settings and that firewall rules permit traffic from the RD Web Access server to the Connection Broker on port 5985 (WinRM).
Summary
RD Web Access on Windows Server 2012 R2 provides the browser-based entry point for the RDS infrastructure, giving users a centralised portal to access all their published applications and desktops. Proper SSL certificate binding, Connection Broker integration, and IIS hardening are essential for a secure and functional deployment. Once configured, RD Web Access seamlessly bridges user browsers to the RDS backend, supporting both internal users and remote access scenarios when combined with RD Gateway.
