How do I set up Azure AD Application Proxy to publish RDWeb on a Windows Server 2025 Remote Desktop deployment

Roman Hishchak 0 Reputation points
2025-11-25T12:09:51.4666667+00:00

I need help diagnosing an issue with Remote Desktop Services deployed on Windows Server 2025.

Infrastructure

  • On-premises environment running on Hyper-V
  • Domain contoso.local (on-prem), synchronized with Azure AD using Azure AD Connect
  • In Azure, the domain contoso.com is used
  • On the Connection Broker server, the following roles are installed:
    • RD Connection Broker
    • RD Gateway
    • RD Web Access
    • RD Licensing
  • The RDS server has the Session Host role installed
  • For external access, I’m using **Azure AD Application Proxy** with MFA
  • Valid SSL certificates from a DNS provider are in place

Problem Description

When accessing RDWeb via HTML5:

  • I can log in to the RDWeb portal
  • RemoteApps are visible
  • Apps run successfully when launched through HTML5
  • If I download and run an RDP file, the session also starts correctly

However, after publishing RDWeb through Azure Application Proxy, RemoteApps stop discovering/appearing correctly. When launching a RemoteApp (Calculator), I intermittently receive the message: “The connection to the remote PC was lost…”

What I Have Checked

  • Verified certificates on the Gateway / Broker / Web Access roles
  • Firewall and port forwarding are configured correctly
  • App Proxy itself works — the portal is accessible

Any recommendations or examples of working configurations would be greatly appreciated.

Windows for business | Windows Server | User experience | Remote desktop clients

2 answers

Sort by: Most helpful
  1. Q&A Assist
    2025-11-25T12:10:05.26+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To set up Azure AD Application Proxy to publish RDWeb on a Windows Server 2025 Remote Desktop deployment, you need to ensure that the configuration aligns with the requirements and best practices for using Azure AD Application Proxy with Remote Desktop Services (RDS). Here are some steps and considerations based on your description:

    1. Ensure Compatibility: Verify that both the RD Web and RD Gateway endpoints are located on the same machine with a common root. This is crucial for a single sign-on experience between the two applications.
    2. Publish the RD Web Application: When publishing the RD Web application through Azure AD Application Proxy, make sure to set the following:
      • Internal URL: This should point to your RD Web endpoint (e.g., https://<rdhost>.com/RDWeb).
      • External URL: This is automatically populated but can be modified as needed.
      • Pre-authentication method: Set this to Microsoft Entra ID.
      • Translate URL headers: Disable this option to avoid issues with URL translation.
    3. FQDN Consistency: Use the same internal and external Fully Qualified Domain Name (FQDN) for RD Web. If they differ, it can lead to websocket errors and connection issues.
    4. Check RDP File Configuration: Ensure that the RDP files generated for RemoteApps are correctly configured to use the external URL of the RD Gateway. If the RDP files are pointing to an incorrect address, it could lead to connection issues.
    5. Firewall and Port Configuration: Confirm that the necessary ports for RDS and Azure AD Application Proxy are open. Common ports include 443 for HTTPS and others specific to RDS.
    6. Session Host Configuration: Make sure that the Session Host role is properly configured to allow RemoteApps to be published and accessed through the RD Web.
    7. MFA Configuration: Since you are using MFA, ensure that it is correctly set up and does not interfere with the session establishment for RemoteApps.
    8. Logs and Diagnostics: Check the logs on the RD Gateway and Connection Broker for any errors that might provide more insight into the connection issues. Look for any specific error codes or messages that could indicate where the problem lies.
    9. Testing with Different Browsers: Sometimes, browser compatibility can affect the behavior of RD Web. Test accessing RDWeb from different browsers to see if the issue persists.

    If the problem continues after checking these configurations, consider reaching out to Microsoft support for more in-depth diagnostics specific to your environment.



  2. Daphne Huynh (WICLOUD CORPORATION) 505 Reputation points Microsoft External Staff Moderator
    2025-11-26T02:50:42.25+00:00

    Welcome to the Microsoft Q&A Platform!

    Thank you for asking your question. When publishing RDWeb through Azure AD Application Proxy on Windows Server 2025, intermittent RemoteApp connection failures are usually caused by missing prerequisites in the proxy configuration or backend RDS roles. I would like to provide you with some key points to check, along with a sample working setup.

    Key Points:

    1. Enable WebSockets in Azure Application Proxy

    RemoteApp/RDWeb requires WebSockets for session establishment. If disabled, connections may fail randomly.

    2. Verify the Application Proxy Connector

    Ensure the connector is healthy and the external RDWeb URL is reachable over HTTPS only.

    3. Check Azure AD Registration & Conditional Access

    Please ensure:

    • RDWeb is registered as an enterprise application
    • Users are assigned
    • MFA requirements match your Conditional Access policies

    4. Validate Certificates

    RDWeb and RD Gateway must use valid, trusted SSL certificates to avoid TLS negotiation issues.

    5. Review RD Gateway CAP/RAP Policies

    Confirm users are explicitly allowed by connection and resource authorization policies.

    6. Check Session Host & RD Broker Health

    Session hosts must be reachable and the RD Broker must route sessions correctly.

    7. DNS Round Robin for HA

    Works for RDWeb and RD Gateway—but remember it's not intelligent load balancing.

    Session persistence is handled by the RD Broker.

    8. Outbound Connectivity (Port 443)

    Reverse-connect transport requires outbound 443 from session hosts to Azure.

    Working Configuration Example:

    • RDWeb published through Azure Application Proxy with WebSockets enabled
    • RDWeb registered in Azure AD with Conditional Access enforcing MFA
    • RD Gateway and RDWeb split on separate servers and load-balanced via DNS round robin
    • RD Broker in HA mode backed by SQL Server
    • Session Hosts in collections with RemoteApps published
    • Publicly trusted SSL certificates on RDWeb and RD Gateway
    • Outbound 443 open from Session Hosts to Azure
    • Required internal ports open between RDWeb ↔ RD Gateway ↔ RD Broker ↔ Session Hosts

    References: Publish Remote Desktop with Microsoft Entra application proxy

    I hope these steps above can help you align with a stable and fully supported deployment when integrating RDS with Azure AD Application Proxy and MFA.

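As an added example (not code from the question or from either answer), the following read-only PowerShell script, run on the RD Connection Broker with the RemoteDesktop module, checks the points raised in both answers: the gateway FQDN written into generated RDP files against the externally published name, the trust and expiry of the RDS role certificates, the IIS WebSocket Protocol feature, and each session host's readiness and outbound 443 reachability. The values of $Broker, $ExternalFqdn and $AzureEndpoint are assumed placeholders for your environment.

```powershell
# Added example (not from the question or either answer). Read-only checks, run on the
# RD Connection Broker, for the points both answers raise: published gateway FQDN,
# role certificates, IIS WebSocket support, session-host health and outbound 443.
# $Broker, $ExternalFqdn and $AzureEndpoint are assumed placeholders for your environment.
param(
    [string]$Broker        = 'broker.contoso.local',       # assumed internal broker FQDN
    [string]$ExternalFqdn  = 'rds.contoso.com',            # assumed FQDN published by App Proxy
    [string]$AzureEndpoint = 'login.microsoftonline.com'   # Entra ID endpoint reached over TCP 443
)
Import-Module RemoteDesktop

function Show-Check([bool]$Ok, [string]$Message) {
    '[{0}] {1}' -f $(if ($Ok) { 'OK  ' } else { 'FAIL' }), $Message
}

# 1. RDP files generated by RDWeb carry GatewayExternalFqdn; it must be the name the client
#    can reach through Application Proxy, or launches fail even though the portal works.
$gw = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker
Show-Check ($gw.GatewayMode -eq 'Custom' -and $gw.GatewayExternalFqdn -ieq $ExternalFqdn) `
    ("RD Gateway external FQDN '{0}' (mode {1}); expected '{2}'" -f $gw.GatewayExternalFqdn, $gw.GatewayMode, $ExternalFqdn)

# 2. Every RDS role certificate must chain to a trusted CA and not be close to expiry.
foreach ($cert in Get-RDCertificate -ConnectionBroker $Broker) {
    Show-Check ($cert.Level -eq 'Trusted' -and $cert.ExpiresOn -gt (Get-Date).AddDays(14)) `
        ('{0} certificate: {1}, expires {2:yyyy-MM-dd}' -f $cert.Role, $cert.Level, $cert.ExpiresOn)
}

# 3. The HTML5 client and RemoteApp launches need the IIS WebSocket Protocol feature on the
#    server hosting RD Web Access / RD Gateway (the broker in the question's single-server layout).
$ws = Get-WindowsFeature -Name Web-WebSockets
Show-Check $ws.Installed ('IIS WebSocket Protocol feature installed: {0}' -f $ws.Installed)

# 4. Each session host must accept new connections and reach Azure outbound on TCP 443.
foreach ($col in Get-RDSessionCollection -ConnectionBroker $Broker) {
    foreach ($sh in Get-RDSessionHost -CollectionName $col.CollectionName -ConnectionBroker $Broker) {
        $out443 = Invoke-Command -ComputerName $sh.SessionHost -ScriptBlock {
            (Test-NetConnection -ComputerName $using:AzureEndpoint -Port 443 `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        Show-Check ($sh.NewConnectionAllowed -eq 'Yes' -and $out443) `
            ('{0} in {1}: new connections {2}, outbound 443 {3}' -f $sh.SessionHost, $col.CollectionName, $sh.NewConnectionAllowed, $out443)
    }
}
```

A FAIL on the first check is the usual cause of the "portal works, RemoteApp launch fails" symptom described in the question, since the RDP file then points the client at a gateway name that is not the one published through the proxy.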
