This tutorial describes how to set up an xRDP server so you can connect to Ubuntu Linux with the lightweight Xfce desktop using the RDP protocol. This is very handy when you need to connect from Windows to a Linux system with a graphical interface using Remote Desktop.
What is xRDP?
xRDP is a free and open-source implementation of Microsoft’s RDP (Remote Desktop Protocol), which allows non-Windows operating systems (such as Linux and BSD) to provide a fully functional RDP-compatible remote desktop.
Installation and Setup
Connect to your Ubuntu server via SSH and update the system:
sudo apt-get update
sudo apt-get upgrade -y
Install and enable the xRDP utility:
sudo apt-get install xrdp
sudo systemctl enable xrdp
sudo systemctl restart xrdp
[Screenshot: Xrdp Installation]
Install the Xfce environment:
sudo apt-get install xfce4 xfce4-terminal
Open the RDP port in the firewall so you can connect remotely:
sudo ufw allow 3389/tcp
Restart the xRDP server for the changes to take effect:
sudo /etc/init.d/xrdp restart
Connecting to an Ubuntu Server via RDP
If you don’t know the IP address of the Ubuntu server, you can check it with the command:
ifconfig -a
In our test case it is 10.0.0.2. To connect, open the Windows Remote Desktop Connection client (mstsc.exe), enter the IP address of the server and click Connect:
[Screenshot: Remote Desktop Connection]
A security warning about the server certificate will appear. Click Yes:
[Screenshot: RDP Certificate Error]
In the window that opens, select Xorg as the session, enter the username and password and click OK:
[Screenshot: Xrdp Login]
This will connect you to the Xfce desktop.
[Screenshot: Xfce Desktop]
If you get a black screen when connecting to xRDP, you need to edit the startwm.sh file in the /etc/xrdp folder:
sudo nano /etc/xrdp/startwm.sh
Add the following lines:
unset DBUS_SESSION_BUS_ADDRESS
unset XDG_RUNTIME_DIR
before the line:
test -x /etc/X11/Xsession && exec /etc/X11/Xsession
Troubleshooting Errors with Xrdp
After making the changes, restart the xRDP service:
sudo systemctl restart xrdp
Now you can run mstsc.exe again and connect to your Ubuntu server.
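To apply the black-screen fix from a script rather than by hand in nano, here is an added example (not from the original tutorial) that inserts the two unset lines before the Xsession line only when they are not already there, refuses to touch a file that does not look like xrdp's startwm.sh, and keeps a backup:

```shell
#!/bin/sh
# Added example: idempotently apply the xRDP black-screen fix to startwm.sh.
# Usage: patch_startwm /etc/xrdp/startwm.sh   (run with sudo)
patch_startwm() {
    file="$1"
    # Only operate on a file that contains the line we insert before;
    # anything else is not the startwm.sh this fix is meant for.
    grep -q '^test -x /etc/X11/Xsession && exec /etc/X11/Xsession' "$file" || return 1
    # Already patched: nothing to do, and do not duplicate the lines.
    if grep -q '^unset DBUS_SESSION_BUS_ADDRESS' "$file"; then
        return 0
    fi
    # Keep a backup, then rewrite the file with the two unset lines
    # placed immediately before the Xsession exec line.
    cp -p "$file" "$file.bak"
    awk '
        /^test -x \/etc\/X11\/Xsession && exec \/etc\/X11\/Xsession/ {
            print "unset DBUS_SESSION_BUS_ADDRESS"
            print "unset XDG_RUNTIME_DIR"
        }
        { print }
    ' "$file.bak" > "$file"
}
```

Follow it with sudo systemctl restart xrdp as in the steps above.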
The Active Directory Recycle Bin is a feature that allows administrators to restore deleted objects.
Finding Domain Naming Master Server
We recommend enabling the Recycle Bin feature on the domain controller that holds the Domain Naming Master role. To find out which domain controller holds this role, run netdom.exe with the following parameters (in cmd):
netdom.exe query fsmo
Alternatively, this can be done in an elevated PowerShell console:
Import-Module ActiveDirectory
Get-ADForest | Format-List DomainNamingMaster
How to Enable Recycle Bin in AD Administrative Center
To do this, you need a domain admin user account. Start the AD Administrative Center (Start -> Run -> dsac.exe).
Click on your domain name and in the “Tasks” pane click “Enable Recycle Bin…”.
Alternatively, right-click your domain in the overview and click “Enable Recycle Bin…”.
A confirmation window appears, telling us that the Recycle Bin can only be enabled once and cannot be disabled afterwards. Click OK.
After enabling the bin, click OK in the warning that appears and refresh ADAC by clicking the refresh button in the top right corner of the window:
You will see that a new container named “Deleted Objects” appears next to the “Computers” container.
How to Enable Recycle Bin in PowerShell Console
The Recycle Bin can also be enabled from the PowerShell console. Run PowerShell.exe with elevated permissions and type in the following code:
Replace office, local and office.local with your own domain parameters. The system will ask for confirmation; type “y” to continue, and the “Deleted Objects” container appears.
Now, after an AD object is deleted, its “isDeleted” attribute is set to “true”, while its “isRecycled” attribute is left untouched. In this state the deleted object moves to “Deleted Objects”, from where you can easily restore it by right-clicking it and selecting Restore.
After 60 days the deleted object lifetime expires and the “isRecycled” attribute changes to “true”; at that point the object is deleted permanently.
When you join a computer to the Active Directory domain or create a user, these objects are placed in the default containers, Computers and Users. To place new objects in the relevant OUs with the proper group policies, you need to change their default location. This tutorial shows you how to do that.
Modifying the default location for new user and computer objects is possible in Windows Server 2003 and above. You need a user account with domain admin rights, and the commands must be run directly on the server, not from a management workstation.
By design, new computers are stored in the Computers container and new users in the Users container. Containers cannot have group policies linked to them, so even if a GPO breaks something in AD, it is still possible to join a device and sign in to it without group policies.
Modifying the Default Location for User and Computer Objects
First, create or choose the OUs to redirect to: one for computers and another for users. In our example they are Employees and Workstations. For this purpose Microsoft provides redirusr.exe and redircmp.exe, which are located in the %SystemRoot%\System32 folder.
Run Command Prompt (cmd.exe) as administrator and run the following commands, replacing the values for your environment:
Logon scripts can be very handy when certain actions need to be performed at user logon, such as mapping a network drive. This tutorial shows how to assign a logon script using Group Policy.
To do that, your account must have Domain Admin rights, delegated “edit GPO settings” rights, or be the owner of the GPO.
There are four types of script you can use with Group Policy:
Logon scripts (User Configuration)
Logoff scripts (User Configuration)
Startup scripts (Computer Configuration)
Shutdown scripts (Computer Configuration)
In this example we focus on logon scripts.
Assigning Logon Scripts via Group Policy Management Console
Run Group Policy Management Console (GPMC.msc) on a domain workstation or server where it is installed.
In the left pane, expand your domain Forest -> Domains and then navigate to the domain where you want to assign a logon script.
Expand the domain name and then expand the Group Policy Objects.
Select the GPO or create a new one for assigning the script. Right-click the GPO and select “Edit”.
[Screenshot: Editing a Group Policy Object]
• The Group Policy Management Editor (gpedit.msc) window appears.
• Expand User Configuration -> Policies -> Windows Settings.
• Select Scripts and double-click “Logon”.
• In the Logon window, click the Add… button.
• The “Add a Script” window appears:
• Type the path to your script in the “Script Name:” field, or browse to its location by clicking the “Browse…” button.
• In the “Script Parameters:” field, type any optional script parameters.
• Click “OK” to save the script settings and “OK” to close the “Logon Properties” window.
• Close the Group Policy Management Editor and link your policy to the organizational unit (OU) where you want the logon script to run.
• To do that, click on an organizational unit and then click “Link an Existing GPO”.
• Choose the GPO we’ve just edited and click “OK”. After that, right-click the Organizational Unit and select “Update Group Policy”. In the window that appears, click “Yes”.
Now all workstations in the OU will receive the group policy with the logon script, and after a reboot and user login the script will be executed.
In this article we cover the installation and configuration of an OpenVPN server on Linux CentOS, and show how to connect two remote computers (or offices) behind NAT into one network using the OpenVPN server. We also use certificates for the encrypted connection. If you are a Windows user, check out the guide on configuring VPN on Windows Server.
Contents
What is OpenVPN
How to Install OpenVPN and Easy-RSA
How to Configure Easy-RSA and Issue a Certificate
How to Create Keys and Certificates for the OpenVPN Server
How to Configure OpenVPN Server
How to Configure Firewall with OpenVPN
How to Connect Computers and Networks using OpenVPN
What is OpenVPN
A Virtual Private Network (VPN) is a set of technologies that allow you to build a secure network over public networks or the Internet. With a VPN, you can consolidate network segments separated by the Internet into a single local network. OpenVPN is an open-source VPN implementation based on SSL/TLS. With OpenVPN you can connect both remote offices and individual PCs that sit behind a firewall with Network Address Translation (NAT) into a single network.
How to Install OpenVPN and Easy-RSA
First, you need to connect the Extra Packages for Enterprise Linux (EPEL) repository and update the system:
Once the system is updated, use the yum package manager to install OpenVPN and Easy-RSA, which is used to set up a Public Key Infrastructure (PKI) on the VPN server:
sudo yum install openvpn easy-rsa -y
[Screenshot: Easy-RSA Installation]
How to Configure Easy-RSA and Issue a Certificate
Copy all the Easy-RSA scripts into /etc/openvpn/:
sudo cp -r /usr/share/easy-rsa /etc/openvpn/
Go to /etc/openvpn/easy-rsa/3/ and create a file named vars there:
cd /etc/openvpn/easy-rsa/3/
sudo nano vars
Fill this file with the following parameters (you can edit the location and company parameters to suit yourself):
Press Ctrl+X to exit the file, then Y to save it, and hit Enter. The file must be executable, so run the following:
sudo chmod +x vars
How to Create Keys and Certificates for the OpenVPN Server
Before creating the keys, we need to initialize the Public Key Infrastructure (PKI) directory and create the CA key:
cd /etc/openvpn/easy-rsa/3/
sudo ./easyrsa init-pki
[Screenshot: Initializing PKI Directory]
Now let’s create the CA key:
sudo ./easyrsa build-ca
After running the command, you will need to specify a password that protects the CA key. This password will be required later to sign certificates.
[Screenshot: Creating CA Key]
The system will then ask for the Distinguished Name (DN); enter your server and domain name, for example server.domain.com. Next, create the server key and request; the nopass option means the key will not be protected with a password:
sudo ./easyrsa gen-req server.domain.com nopass
[Screenshot: Creating Server Key]
During the request creation you will be asked for the Common Name; just press Enter to accept the default and continue.
Sign the server.domain.com request with our CA certificate:
sudo ./easyrsa sign-req server server.domain.com
[Screenshot: Server Key Signing]
First confirm the request by typing “yes”. Then enter the password that we set when the CA certificate was created:
To make sure that the certificates were generated without errors, run the command:
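The verification command itself is not shown here, so as an added example (not the tutorial's own command) here is a small shell check of what Easy-RSA 3 has just produced: the server certificate chains to ca.crt, the private key belongs to it, the certificate carries the serverAuth EKU that the clients' remote-cert-tls server / remote-cert-eku directives will demand, and it is not about to expire. The pki/… paths are the Easy-RSA 3 defaults.

```shell
#!/bin/sh
# Added example: sanity-check an Easy-RSA 3 PKI before pointing server.conf at it.
# Layout assumed: pki/ca.crt, pki/issued/<name>.crt, pki/private/<name>.key
# Usage: check_server_pki /etc/openvpn/easy-rsa/3/pki server.domain.com
check_server_pki() {
    pki="$1"
    name="$2"
    ca="$pki/ca.crt"
    crt="$pki/issued/$name.crt"
    key="$pki/private/$name.key"

    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # 1. The server certificate must chain to our own CA.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "certificate does not verify against $ca" >&2; return 1; }

    # 2. Certificate and private key must belong together: compare the
    #    SHA-256 of the public key taken from each side.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate" >&2; return 1; }

    # 3. Clients use remote-cert-tls server / remote-cert-eku "TLS Web Server
    #    Authentication", so the server cert needs that EKU. sign-req with
    #    type "server" sets it; a cert signed as type "client" does not.
    openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Server Authentication' \
        || { echo "certificate lacks the serverAuth EKU (signed with the wrong type?)" >&2; return 1; }

    # 4. Fail early if the certificate expires within 30 days (2592000 s).
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
        || { echo "certificate expires within 30 days" >&2; return 1; }

    echo "OK: $crt verifies against $ca, matches $key, has serverAuth EKU"
    return 0
}
```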
Let’s move on to the OpenVPN configuration. First, create the OpenVPN configuration file named server.conf:
cd /etc/openvpn/ && sudo nano server.conf
Change the contents of the file to the following:
# Specify port, protocol and device
port 1194
proto udp
dev tun
# Specify path to server certificates
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.domain.com.crt
key /etc/openvpn/server/server.domain.com.key
# Paths to CRL and DH keys
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem
# Specify the network IP and mask which the VPN clients will enter
server 10.0.2.0 255.255.255.0
push "redirect-gateway def1"
# Enter the target DNS servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Allow users to connect with the same key
duplicate-cn
# TLS security
tls-auth /etc/openvpn/server/ta.key 0
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
# Other config
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody
# Log file path
log-append /var/log/openvpn.log
verb 3
Then we save the file. I specified the default UDP port 1194 for the VPN server, but for OpenVPN you can specify any free port on the server.
How to Configure Firewall with OpenVPN
What remains is to configure firewall rules to allow connection and routing between segments.
If you are using firewalld, you must first enable IP forwarding in the kernel:
Let’s check the IP settings of the tunnel interface:
sudo ip a
3: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.0.2.1 peer 10.0.2.2/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::932a:e40b:ac2f:6b2/64 scope link flags 800
valid_lft forever preferred_lft forever
As you can see, the network specified in the configuration has been assigned to the tun0 interface.
These are the minimum settings you need to make for OpenVPN to work.
How to Connect Computers and Networks using OpenVPN
How do you connect to the OpenVPN server from two remote computers that are connected to the Internet via NAT, and organize a private network between them? To connect a Windows computer to the OpenVPN server you need the official client, which can be downloaded from the official site. The installation is straightforward, so we focus on the configuration.
After you have installed the client, you need to create the configuration file in the following directory:
C:\Program Files\OpenVPN\config
Create a file with the name Client.ovpn and add the following content to it:
client
dev tun
proto udp
remote publicVPNserverIP 1194
resolv-retry infinite
nobind
block-outside-dns
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
tls-client
auth SHA512
tls-auth "C:\Program Files\OpenVPN\config\ta.key" 1
remote-cert-eku "TLS Web Server Authentication"
ca "C:\Program Files\OpenVPN\config\ca.crt"
cert "C:\Program Files\OpenVPN\config\admin.crt"
key "C:\Program Files\OpenVPN\config\admin.key"
cipher AES-256-CBC
comp-lzo
verb 3
As you can see, the client configuration references the certificates and keys we created earlier. They need to be downloaded from the OpenVPN server and placed in the C:\Program Files\OpenVPN\config\ directory.
After that we connect through the OpenVPN client icon in the system tray:
On the second computer behind NAT we do the same thing, first creating a certificate for the second user. After connecting, the second computer has an IP address in the same network:
Once connected, both computers are on the same network and can ping each other. Both connected VPN clients can exchange packets and transfer files directly to each other. This way we combined two PCs located in different parts of the world into one local network.
On your OpenVPN server you can create an unlimited number of keys and certificates for users. If you need a new certificate, run the following commands in /etc/openvpn/easy-rsa/3, replacing client_name with the user’s name:
sudo ./easyrsa gen-req client_name nopass
sudo ./easyrsa sign-req client client_name
Remember to periodically revoke client certificates that are no longer used, to keep your network secure.
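Instead of copying ca.crt, the client certificate and key, and the tls-auth key to each Windows machine separately, the certificate material can be inlined into a single .ovpn. The following function is an added example, not part of the original article: it assumes the Easy-RSA 3 pki/ layout with default cn_only subjects ("/CN=<name>"), reads the certificate status from pki/index.txt so that a revoked user never receives a fresh profile, and takes the tls-auth key path from server.conf above by default. publicVPNserverIP is the article's placeholder for the server address.

```shell
#!/bin/sh
# Added example: build a single-file client profile (<ca>, <cert>, <key>,
# <tls-auth> inlined) from the Easy-RSA 3 PKI so only one .ovpn has to be
# copied to C:\Program Files\OpenVPN\config on the Windows client.
# Usage: make_client_profile <pki_dir> <client_name> <server_host> [ta.key] > <client>.ovpn

# Print the status letter (V = valid, R = revoked) of the newest index.txt
# entry whose subject is /CN=<name>; empty when nothing was ever issued.
cert_status() {
    awk -F'\t' -v cn="/CN=$2" '$NF == cn { s = $1 } END { print s }' "$1/index.txt" 2>/dev/null
}

# Keep only the PEM block; Easy-RSA prefixes issued certs with a text dump.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

make_client_profile() {
    pki="$1"; name="$2"; server="$3"
    ta="${4:-/etc/openvpn/server/ta.key}"   # same file as server.conf's tls-auth

    case "$(cert_status "$pki" "$name")" in
        V) ;;
        R) echo "refusing: certificate for '$name' is revoked" >&2; return 2 ;;
        *) echo "no issued certificate found for '$name'" >&2; return 1 ;;
    esac
    for f in "$pki/ca.crt" "$pki/issued/$name.crt" "$pki/private/$name.key" "$ta"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done

    # Directives mirror the article's client config and server.conf (UDP 1194,
    # AES-256-CBC, SHA512, tls-auth). key-direction 1 is the client side of the
    # tls-auth key; comp-lzo must stay in step with the server's setting.
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
block-outside-dns
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
key-direction 1
verb 3
<ca>
$(pem_only "$pki/ca.crt")
</ca>
<cert>
$(pem_only "$pki/issued/$name.crt")
</cert>
<key>
$(pem_only "$pki/private/$name.key")
</key>
<tls-auth>
$(pem_only "$ta")
</tls-auth>
EOF
}
```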
In this article, we’ll step by step describe how to deploy the Direct Access (DA) remote connection service on Microsoft Windows Server. Before we get started, let’s take a quick look at what the Direct Access service is. The Direct Access component was first introduced by Microsoft in Windows Server 2008 R2 and was designed to provide transparent access for remote computers to internal company network resources. When connecting through a DA, the user can take full advantage of the enterprise and domain services, and the IT support staff can manage and keep the computers up to date in terms of security. At its core, Direct Access is a lot like a traditional VPN connection to the corporate network. You can also call it “always on VPN”.
Difference Between Direct Access and VPN
Let’s look at the basic difference between Direct Access and VPN:
In order to establish the Direct Access connection, the user does not need to start the VPN client – the connection is made automatically when there is Internet access.
To establish a connection between the DA client and the server, you need to open port 443.
The user’s computer must be in an Active Directory domain.
The communication channel between the remote PC and the corporate gateway is encrypted with robust algorithms using IPsec.
It is possible to organize two-factor authentication using a one-time password system.
Difference Between the First Version of Direct Access and Latest
What are the major differences between the new Windows Server versions of Direct Access and the first version on Windows 2008 R2? The main difference is the reduced requirements for the related infrastructure. For example, here are some differences:
The Direct Access server no longer needs to be an edge server; it can now be behind NAT.
If you’re using Windows 8 Enterprise and later as the remote client, you don’t need to deploy an internal PKI infrastructure (client authentication will be handled by the Kerberos proxy located on the DA server).
Having IPv6 on the internal network of the organization is not necessary.
New Direct Access supports OTP (One Time Password) and NAP (Network Access Protection) without requiring Unified Access Gateway (UAG) deployment.
Direct Access Installation Requirements
Here are infrastructure requirements to deploy Direct Access based on Windows Server:
Active Directory domain and domain administrator rights.
A dedicated (recommended) DA server running Windows Server 2012 R2 or later, joined to the Windows domain. The server has 2 network cards: one on the internal corporate network and the other on the DMZ network.
Dedicated DMZ subnet.
The external DNS name or IP address available from the Internet that Direct Access clients will connect to.
Traffic forwarding from TCP port 443 to the DA server address.
Deployed PKI infrastructure for certificate issuance. The certificate authority must publish the Web Server certificate template and allow it to be auto-enrolled (Not needed for Windows 8 and above).
Clients must run Windows Professional / Enterprise edition.
An AD group that will contain the computers allowed to connect to the network via Direct Access.
Installing Remote Access Server Role
First we need to start the Server Manager console and use the Add Roles and Features wizard to install the Remote Access role.
[Screenshot: Remote Access Server Role]
As part of the Remote Access role, you must install the DirectAccess and VPN (RAS) role service.
[Screenshot: Direct Access Role Services]
Leave all other settings at their defaults and restart the server after installation.
Configuring the Direct Access Service in Windows Server
Once the Remote Access service has been installed, open the Tools ⇒ Remote Access Management snap-in.
[Screenshot: Remote Access Management Snap-in]
The Remote Access console starts. Click DirectAccess and VPN ⇒ Run the Remote Access Setup Wizard. We only need to choose the Deploy DirectAccess only option.
A window opens, in the right half of which the four steps (Step 1 – 4) of the DA configuration are shown graphically.
[Screenshot: Remote Access Setup]
Step One: Remote Clients
Let’s say that we’re deploying full DirectAccess for client access and remote management.
Now specify the AD security group that will contain the computer accounts allowed to connect to the corporate network via Direct Access (in this example we use the alwaysonvpn group).
[Screenshot: Security Group of Direct Access]
The Enable DirectAccess for mobile only option limits DA connections to mobile devices (laptops, tablets); this is implemented by polling clients via WMI.
The Force Tunneling option means that remote clients always go through the DA server when accessing any remote resource, including regular websites (all external client traffic passes through the corporate gateway).
In the next step we specify a list of internal network names or URLs the client can use to check (via Ping or an HTTP request) that it is connected to the corporate network. You can also specify the help desk email address and the name of the DirectAccess connection (as it will appear in the client’s network connections).
If necessary, you can enable the Allow DirectAccess clients to use local name resolution option, which allows the client to use the company’s internal DNS servers (DNS server addresses can be obtained via DHCP).
[Screenshot: Direct Access Client Setup]
Step Two: Remote Access Server
The next step is to configure the Remote Access server. In our example there is an edge device (firewall) in front of the server, and the server has two network cards, so we select Behind an edge device (with two network adapters): one adapter is on the corporate network and the other is connected to the Internet or the DMZ subnet. You also need to provide the external DNS name or IP address on the Internet that the DA clients will connect to, i.e. the address from which TCP port 443 is forwarded to the external interface of the DirectAccess server.
[Screenshot: Network Topology Options]
Then you must specify which NIC is considered Internal (LAN) and which External (DMZ).
Now we need to generate a DA server certificate. To do this, create a new mmc snap-in and add the Certificates console for the local computer’s certificates.
[Screenshot: Computer Certificates Snap-in]
In the Certificates console, request a new personal certificate by opening Certificates (Local Computer) ⇒ Personal ⇒ Certificates and selecting All Tasks ⇒ Request New Certificate…
[Screenshot: Request New Certificate]
Request a certificate through the Active Directory Enrollment Policy. We are interested in a certificate based on the Web Servers template.
In the new certificate request settings, on the Subject tab fill out the fields that identify your company, and on the Private Key tab specify that the private key can be exported (Make private key exportable).
[Screenshot: Certificate Creation Options]
Save the changes and request the new certificate from the CA.
Return to the DirectAccess server settings window and click the Browse button to select the certificate you just generated.
In the next step of the wizard, select the method for authenticating Direct Access clients. Specify that Active Directory credentials (username/password) are used. Select the Use computer certificates and Use an intermediate certificate checkboxes. Click the Browse button to specify the certificate authority that will issue client certificates.
[Screenshot: DirectAccess Client Authentication Settings]
Step Three – Infrastructure Servers
The third stage covers the infrastructure servers. We need to specify the address of the Network Location Server (NLS), which is located inside the corporate network. The NLS is a server through which the client determines that it is on the organization’s internal network, i.e. that it does not need to use DA to connect. The NLS can be any internal web server (even one with the default IIS page); the main requirement is that it must not be reachable from outside the corporate network.
[Screenshot: Network Location Server]
Now specify the list of DNS servers for name resolution by clients. It is recommended to leave the option Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended).
Then specify the DNS suffixes of the internal domains in order of priority.
Leave the Management settings window at its defaults.
Step Four – Application Servers
In this step we will configure application servers. This phase allows you to configure additional authentication and traffic encryption between the back-end application servers and DA clients. In this example we do not need this, so let’s leave the option Do not extend authentication to application servers.
This completes the Remote Access role configuration wizard, so we just need to save the changes.
After you finish, the wizard creates two new group policies, DirectAccess Client Settings and DirectAccess Server Settings, linked to the root of the domain. You can either leave them as they are or link them to the desired OU.
[Screenshot: Direct Access Group Policies]
Test Direct Access on the Windows Client
To test how Direct Access works from the client side, add a computer running Windows Enterprise to our Direct Access group (alwaysonvpn) and update Group Policy on it with gpupdate /force.
Disconnect the laptop from the corporate network and connect to the Internet via public Wi-Fi. The system automatically connects to the corporate network via DirectAccess. The connection name will be displayed in Network & Internet Settings.
You can verify if there is a DirectAccess established using the PowerShell command:
Get-DAConnectionStatus
If it returns ConnectedRemotely, the DA client is connected to the corporate network.
Let me remind you that VPN is a common protocol that allows you to organize a secure encrypted remote connection of a user to the corporate network via public networks (Internet). The technology is quite complex and requires proper configuration on both sides of the communication tunnel (the VPN client and the server).
Create a VPN Connection in Windows
Go to Control Panel -> Network and Sharing Center. You can also do this by typing “Network” in the search panel (Win+S).
Select the “Set up a new connection or network” option.
Select “Connect to a workplace”, and click Next.
Select the first option – Use my Internet connection (VPN).
In the Internet address field, specify the IP address or DNS name of the host that should accept your incoming VPN connection. Also specify the name of this connection.
Press Create and Done. Now you can close the network settings.
Connect via VPN in Windows
Press Win + I and click on the Network and Internet icon at the top of the panel, which will open the network connections.
Navigate to VPN tab. Here is the list of all VPN connections created on this computer. Select the connection you need and click Connect.
Specify the VPN username and password.
How to change Properties of VPN Connection
Left-click on the VPN connection that you need to edit and select the Additional Properties menu.
Alternatively, go to Control Panel -> Network and Internet -> Network Connections and open the properties of the required VPN connection.
There are many settings in the VPN Connection Properties window that you may need to change, depending on the VPN server you are using or the settings given by your ISP. For example, if the provider accepts PPTP VPN, go to the Security tab and select Point to Point Tunneling Protocol (PPTP) (depending on the parameters of the VPN server, you may have to set a number of other parameters as well).