Introduction

We have recently added a new way to access the existing Remote Desktop platform, which we are calling "Remote Desktop Webclient". It is different to the current RDP method used by the present Cloud Apps portal (https://cloud.colchester.gov.uk) and is accessed from a different webpage.


The new method enables access to exactly the same applications and desktops but all access is through a web-browser, so it's inherently less complex and as a result more secure.


The Remote Desktop Webclient route is Microsoft’s recommended access channel and their preferred route, and in-time will hopefully enable us to remove all publicly exposed elements of the current RDS platform completely, which will remove and secure the platform's current exposure.   


However, as the user-experience and interface is somewhat different to what we’re used to with the Cloud Apps portal, we initially performed a proof of concept pilot for ICT staff only, this stage is now complete.


The second stage will be to include service champions, to gather more feedback, which should enable the necessary supporting documentation to be created and any teething issues to be discovered and rectified.


Ideally we'll then be able to roll this out as the preferred and only access channel in the future, which will enable the eventual removal of the less secure 

aspects of the current platform, which is still open to attack from hackers on a daily basis.




Technical Details

We have installing the HTML5 (web-browser-based) access channel to RDS, this is additionally secured by a separate Azure App Proxy and enables an alternate secure route.  The Azure App Proxy secures an internal application by effectively fronting it with Microsoft Azure AD which means the application remains secure and safe inside the Corporate network, lowering the current risk exposure.

 

   

 





 


How do I use it

On a Corporate laptop, you should always be signed into your Microsoft account, so it should just be a matter of accessing a new URL rather than https://cloud.colchester.gov.uk as you do now.


I suspect that it will help to have a desktop shortcut to load this new access channel, to do that just follow the steps laid out below: 

Once we are out of a proof of concept stage I can automate the roll out a desktop shortcut to staff laptops.


  1. Access the following URL https://myapps.microsoft.com/
  2. Type "web"  into the Search bar
  3. On the search results for "Remote Desktop Webclient", select the three dots at the end of the results to get further options 
  4. Select "Copy Link"


         



To create a desktop shortcut on your laptop:

  1. Right click on the background wallpaper of your laptop screen
  2. Select New
  3. Select Shortcut

       


Then follow the steps below: (as shown in images)

  1. Paste previously copied value into field
  2. Click Next 
  3. Type in name "Remote Desktop Webclient"
  4. Click Finish


       



To load it, double click your newly created desktop shortcut "Remote Desktop Webclient" or select the link from MyApps.


 


On access to the new website, you will be prompted to login, in much the same way you did when you previously signed in to the Cloud Apps portal.


             


If you permit the browser to store and save you username or username and password (which is only recommended on a Corporate issued laptop), you will cut down the need to re-enter them when using this website and launching the new method of accessing Cloud Apps sessions, Multi-Factor Authentication (MFA) acceptance is still required to launch every Cloud App, in the same way that the old cloud portal works. 


One positive, is that the new website won't re-ask you to re-enter your username and password as you launch each application as the old method did.



 

 

Warning - "Error on loading" - just a warning - ignore!

Sometimes, whilst initially loading the web site the first access can be a little slow, this is because it has to establish a more secure connection and sometimes the following message is shown while the site is loading, this can be ignored...


 


New web-based secure Portal

Once loaded, a site which looks familiar to Cloud Apps will load.  The folders are navigated in the same way as they were when using the Cloud Apps portal. 


As you will have seen on the demo when the website loads, sometimes the icon are drawn and then vanish, I would suggest that you wait a few seconds for the webpage to stabilise (ie complete loading) before you start to select an option to launch.


 

 


Warning - "Missing icons"

As visible on the screen above on occasion not all of the icons get their images displayed correctly, but they should still work as intended.



Launch 

Select either a Desktop (Live Desktop) or one of the published applications which you wish to run, in the normal manner, by clicking it with the mouse.

 



Known Issue - "Non-responsive icons"

On occasion, I have seen an issue whereby clicking on an icon, doesn’t seem to do anything, this can normally be resolved by clicking back on the "Work Resources" option and then re-entering the folder and re-trying, another way to resolve this is to re-load / refresh the webpage, but if you already have programs running in the browser tab then refreshing the page will close the connection to them, although they'll continue to run .  I suspect that this could relate to trying to load an option before the web-page has fully loaded and has stabilised.   This is the main issue which we have discovered with the new portal and I am continuing to work with Microsoft Support to investigate this intermittent issue, and identify what is causing this to rectify it.



Access local resources

When you first establish a connection, you will be prompted to pass-through options (ie Microphone and Clipboard), it is recommended to not passthrough the Microphone, as shown below: 

  1. Un-tick the Microphone
  2. Tick "Don't ask me again for connections to this computer"
  3. Select Allow 


Desktops:

 

Published Applications: 

This will give you the additional option of sharing clipboard, which should leave ticked:

 


In the same way as you would with a Cloud App connection, as per normal at this stage, you should be sent an MFA Approve / Deny notification to your primary authentication device (normally Approve / Deny through the Microsoft Authenticator application on your smart phone), which you will need to Approve for the session to load further.


           


 

This will then launch a webpage nearly identical to the RDP sessions we have previously used:

 

 

Its possible to launch multiple Applications and Desktops if you have access, from one browser tab, as you can do now, although they will all launch within a single browser window, as shown below, and can be accessed using the tool bar tabs, which I've highlighted with the numbers as shown below:

 



Warning - "Danger refreshing browser tab"

Once you have Desktops and Application sessions open in the browser, if you chose to refresh the page or <F5> you will get the following prompt, and if you select Reload then you lose connections to your running sessions, and will need to relaunch them from the site and re-MFA, you will still connect to the old RDP sessions, so no work would be lost - you just need to reconnect, in the same way that you would to a disconnected or closed one of the previous RDP sessions without signing out first.

 

         




Warning - "All Applications missing"

If you find all your applications missing, simply click on the Arrow which is next to the word "Work Resources" and they'll be displayed, you have simply hidden them by accident.

           




Top Menu Bar

Whilst initially it may appear that the browser method has limited screen-real estate in comparison to the original RDP connection method, if you full-screen and un-pin the navigation bar then they are effectively identical, although initially limited to a single screen.


 

  1. Home – back to Cloud Apps site
  2. Flip back to launched Applications or Desktops
  3. Pin or unpin the top bar – useful for creating more screen real estate
  4. Full Screen
  5. Settings (see section below - although most settings are pre-set)

 


Settings – options

  1. Enable Native screen resolution - In sessions running on a high-DPI displays, native resolution can provide higher-fidelity graphics and improved text clarity.
  2. Dark Mode – for menus and site
  3. Reset user settings – which effectively wipes cookies related to this site.

 

 



Internal Access

For users who still access and predominantly use Live Desktop, they still access the internal Cloud Apps portal in the normal way, this new Web Client access channel is only needed for access which originates from outside of the Corporate network (ie on initial access from your laptop from home or in Rowan House).


The limited number of users who access from PCs which are still on and inside the Corporate network, will not see this new way of accessing channel and will continue to simply use the current Cloud Apps portal.




Screen Real-estate

The screen can be easily re-sized as would any browser window. However, it can’t easily be made to span multiple monitors, which I know that RDP sessions could do, so I expect people to complain about this – it’s a current limitation.  


You are able to manually stretch a browser window so that it spans multiple screens, but this obviously works best if your multiple screens are the same size and aligned. Although adjusting the browser windows size does adjust the RDP session resolution in a dynamic way, much better than the RDP method was ever able to do.

 

 

You can toggle back to the Cloud Apps site by clicking the Home button on the top task bar




Loading Multiple Tabs

As I tried to show in the session, you are able to load multiple separate browser tabs to run multiple applications, but only with certain combinations of applications this is tied to which server they from behind the scenes.  This can be useful when you have multiple screens and would like to benefit from having applications open together or on different screens.


I will aim to compile a list of what can be run in separate browser tabs to assist for the most common combinations of applications


  • Revs and Bens will run in its own browser tab.
  • Housing applications will run in their own browser tab.
  • Elections applications will run in their own browser tab.
  • Finance applications and Civica will all run in the same browser tab.
  • Live Desktop will run in its own browser tab.
  • You will be able to use Live Desktop to load Finance apps (ie Efin/Eproc) from the "CBC Application" folder shortcuts to have them run separately, run alongside a separate Finance tab, although Finance apps only permits a single login to each).



Warning - "Stale / Expired Sessions"

On returning to an old session, ie a day later, if you leave your laptop on overnight, you may find that is has timed out, this is likely to display one of the following spurious error messages, simply refresh the page to reload it.


1) 

     

 


2)

   




 

 

Additional available Shortcuts

 

Shortcut key

Description

(Windows) Ctrl+Alt+End
 (MacOS) fn+control+option+delete

Inject Ctrl+Alt+Del in the remote session.

Alt+F3

Injects Windows key in the remote session.

Alt+Page up

Switches between programs from left to right in the remote session. (Windows shortcut is Alt+Tab.)

Alt+Page down

Switches between programs from right to left in the remote session. (Windows shortcut is Alt+Shift+Tab.)

 

 

Thanks