An application server is used to install applications and publish them to users through the RemoteApp service. To manage applications using Bastionhost, you must first prepare an application server. This topic uses Windows Server 2019 as an example to show you how to deploy a Windows Server as an application server.
Windows Server deployment
- The RemoteApp service is not supported on Windows Server 2000/2003. We recommend that you use Windows Server 2016, Windows Server 2019, or Windows Server 2022.
- The Windows Server can be a physical machine or a virtual machine.
- Application management and maintenance relies on Remote Desktop Services (RDS). The service has a default trial period of 120 days. After the trial period expires, you must activate Remote Desktop Licensing to continue using the service.
Warning: Remote Desktop Services (RDS) has a free trial period. After the trial period expires, application management and maintenance features become unavailable. To use the service long-term, you must purchase a Client Access License (CAL) from Microsoft and activate Remote Desktop Licensing on the application server.
The following describes the use cases for each CAL type:
- Per Device CAL: Purchase licenses based on the maximum number of concurrent connections for application management and maintenance. One O&M connection requires one license. We recommend this license type because the number of concurrent users is typically smaller than the total number of O&M personnel.
- Per User CAL: Purchase licenses based on the number of O&M users who require application management and maintenance. One user requires one license. This type is suitable for scenarios in which the number of concurrent O&M users is the same as the total number of O&M personnel.
Recommended application server configuration

| Parameter | 1–10 concurrent connections | 11–20 concurrent connections | 21–50 concurrent connections | 51–100 concurrent connections | 100+ concurrent connections |
| --- | --- | --- | --- | --- | --- |
| CPU | 4-core | 4-core | 8-core | 8-core | 16-core |
| Memory | 8 GB | 16 GB | 16 GB | 32 GB | 64 GB |
| System disk | 200 GB | 200 GB | 300 GB | 300 GB | 500 GB |
RemoteApp
RemoteApp, a feature integrated into Windows Server since 2008, allows users to access remote applications and desktops. With RemoteApp, users can run applications published on a remote server without installing them locally. Managing applications with Bastionhost requires logging on to the application server and launching a client on that server. This process depends on RemoteApp.
Step 1: Create an AD domain
- Log on to the Windows Server 2019 server.
  If you use an ECS instance, you can connect to it in multiple ways. For more information, see Select an ECS remote connection method.
- Click the Start icon, select Server Manager, and on the Dashboard page, click Add roles and features.
- Follow the wizard and keep the default settings unless otherwise specified.
  - Installation Type: Select Role-based or feature-based installation.
  - Server Roles: Select Active Directory Domain Services.
  - Features: Select .NET Framework 3.5 Features and .NET Framework 4.7 Features.
- After the features are installed, restart the server.
Step 2: Promote to a domain controller
- On the Dashboard page, click Promote this server to a domain controller.
- Follow the wizard and keep the default settings unless otherwise specified.
  - Deployment Configuration: Specify a root domain name, such as example.com.
  - Domain Controller Options: Enter a password for Directory Services Restore Mode (DSRM). The password must contain uppercase and lowercase letters, digits, and symbols.
  - DNS Options: Ignore the warning and click Next.
- After the installation is complete, restart the server. After the restart, check whether the server is in the domain.
  On the System Properties page, check that the domain field displays example.com. This indicates that the server has successfully joined the domain.
Step 3: Install Remote Desktop Services (RDS)
- Log on to the server using a domain account or the Administrator account.
  If the domain is example.com, the domain account is example. The password is the same as the password of the Administrator account.
- Click the Start icon, select Server Manager, and on the Dashboard page, click Add roles and features.
- Follow the wizard and keep the default settings unless otherwise specified.
  - Server Roles: Select Remote Desktop Services.
  - Role Services: Select Remote Desktop Session Host and Remote Desktop Licensing.
    Make sure that Remote Desktop Web Access is also selected.
  - Confirmation: Select Restart the destination server automatically if required.
Step 4: Install the RemoteApp service
- Log on to the server using a domain account or the Administrator account.
  If the domain is example.com, the domain account is example. The password is the same as the password of the Administrator account.
- Click the Start icon, select Server Manager, and on the Dashboard page, click Add roles and features.
- Follow the wizard and keep the default settings unless otherwise specified.
  - Installation Type: Select Remote Desktop Services installation.
  - Deployment Type: Select Quick Start.
  - Deployment Scenario: Select Session-based desktop deployment.
  - Server Selection: Select the destination server and click Next.
    If a compatibility error occurs, run the Enable-PSRemoting command in Windows PowerShell as an administrator. After the command runs, return to the server selection page and click Next.

        PS C:\Users\Administrator> Enable-PSRemoting
        WinRM has been updated for remote management.
        WinRM is configured to receive requests on this computer.
        Created a WinRM listener on HTTP://* to accept WS-Man requests to any IP on this machine.
        PS C:\Users\Administrator>

  - On the Confirmation page, select Restart the destination server automatically if required (R). This action deploys the RD Connection Broker and RD Web Access role services on the server.
- After the deployment is successful:
  The deployment progress page shows that the Remote Desktop Services role services, session collection, and RemoteApp programs are successfully deployed. The bottom of the page displays the access URL for the RD Web Access site.
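The script below is an added example, not code from the original page or from Bastionhost: it performs Steps 1 through 4 from an elevated PowerShell instead of the Server Manager wizards, one phase per invocation after each reboot. It assumes the example.com domain from the page and uses the standard Windows feature and RemoteDesktop module cmdlet names; the session collection name is a placeholder.

```powershell
# Added example (not from the page): Steps 1-4 as one PowerShell script, run elevated
# once per phase, in order AdDs -> Promote -> Rds -> Deploy, after each reboot.
param([Parameter(Mandatory)][ValidateSet('AdDs','Promote','Rds','Deploy')][string]$Phase)

$ErrorActionPreference = 'Stop'
$DomainName = 'example.com'   # root domain name used by the page

switch ($Phase) {
    'AdDs' {
        # Step 1: AD DS role plus .NET 3.5 and .NET 4.x features, then restart.
        # Assumption: the .NET 3.5 payload is available; if the install fails, add
        # -Source <media>\sources\sxs pointing at the Windows Server installation media.
        Install-WindowsFeature -Name AD-Domain-Services, NET-Framework-Features, `
            NET-Framework-45-Features -IncludeManagementTools -Restart
    }
    'Promote' {
        # Step 2: promote to a domain controller. The DSRM password is read
        # interactively; Install-ADDSForest reboots the server when it finishes.
        $dsrm = Read-Host -Prompt 'DSRM password (upper, lower, digit, symbol)' -AsSecureString
        Install-ADDSForest -DomainName $DomainName -InstallDns `
            -SafeModeAdministratorPassword $dsrm -Force
    }
    'Rds' {
        # Check from Step 2: the server must now report the domain, not WORKGROUP.
        $cs = Get-CimInstance Win32_ComputerSystem
        if (-not $cs.PartOfDomain -or $cs.Domain -ne $DomainName) {
            throw "Server is in '$($cs.Domain)', expected '$DomainName'"
        }
        # Step 3: RD Session Host, RD Licensing and RD Web Access role services.
        Install-WindowsFeature -Name RDS-RD-Server, RDS-Licensing, RDS-Web-Access `
            -IncludeManagementTools -Restart
    }
    'Deploy' {
        # Step 4: session-based deployment with every role service on this server.
        $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        Enable-PSRemoting -Force        # the page's fix for the compatibility error
        Import-Module RemoteDesktop
        New-RDSessionDeployment -ConnectionBroker $fqdn -WebAccessServer $fqdn -SessionHost $fqdn
        # Quick Start also creates a session collection; create one explicitly here
        # (the collection name is a placeholder).
        New-RDSessionCollection -CollectionName 'AppServerCollection' `
            -SessionHost $fqdn -ConnectionBroker $fqdn
        Add-RDServer -Server $fqdn -Role RDS-LICENSING -ConnectionBroker $fqdn
        # Verify: every role service should be listed for this server.
        Get-RDServer -ConnectionBroker $fqdn | Format-Table Server, Roles -AutoSize
    }
}
```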
Step 5: Adjust application server policies
Adjust local group policy
- Open the Run dialog box and enter gpedit.msc.
- Go to , and then configure the connection and session time settings for the Remote Desktop Session Host.
  - Connection settings
    - Allow users to connect remotely by using Remote Desktop Services: Set to Enabled.
    - Limit the number of connections: Select Enabled, and enter 999999 as the maximum number of allowed RD connections.
    - Restrict Remote Desktop Services (RDS) users to a single RDS session: Set to Disabled.
    - Allow remote start of unlisted programs: Set to Enabled.
  - Session time settings
    - Time limit for disconnected sessions: Set to Enabled and end disconnected sessions after 1 minute.
Hide IE address bar
- Open the Run dialog box and enter gpedit.msc.
- Go to , and set Enforce full-screen mode to Enabled.
  After configuring this setting, open Internet Explorer to verify that the address bar is hidden.
Disable Windows Defender Firewall
- Go to and disable the firewall.
  In the Domain network settings, Private network settings, and Public network settings sections, select Turn off Windows Defender Firewall.
Disable IE Enhanced Security Configuration
- Click the Start icon and select Server Manager.
- In the left-side navigation pane, click Local Server, and then turn off IE Enhanced Security Configuration.
Set RD licensing mode
- Click the Start icon, select Server Manager, and on the Remote Desktop Services page, double-click RD Licensing.
- Select the destination server, click Next, and follow the wizard to complete the remaining steps.
- Return to the Remote Desktop Services page and select .
- Set the RD Licensing mode to Per Device, select the Remote Desktop Licensing server, and click Apply.
Enable Remote Desktop
- Go to and click Allow remote access.
- On the Remote tab, select Allow remote connections to this computer, clear Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended), and click OK.
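The following PowerShell script is an added example, not code from the original page or from Bastionhost: it applies the Step 5 settings and then reads every one of them back, including the firewall and Network Level Authentication state, so the resulting configuration can be reviewed in one table. The registry values are the assumed equivalents of the Group Policy items named above (what gpedit.msc writes on apply), and the license server name is a placeholder for this server's FQDN.

```powershell
# Added example (not from the page): apply the Step 5 settings from PowerShell and
# read them back. Registry paths are the assumed equivalents of the Group Policy
# items named above; gpedit.msc still shows them as Not Configured afterwards.
$ErrorActionPreference = 'Stop'
$LicenseServer = 'appserver.example.com'   # placeholder: this server's FQDN
$ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ie  = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$esc = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'

# Desired state, one entry per setting in the procedure above.
$desired = @(
  @{ Path=$ts; Name='fDenyTSConnections';           Value=0;      Type='DWord' }  # allow RDS connections
  @{ Path=$ts; Name='MaxInstanceCount';             Value=999999; Type='DWord' }  # limit number of connections
  @{ Path=$ts; Name='fSingleSessionPerUser';        Value=0;      Type='DWord' }  # single-session restriction off
  @{ Path=$ts; Name='fAllowUnlistedRemotePrograms'; Value=1;      Type='DWord' }  # remote start of unlisted programs
  @{ Path=$ts; Name='MaxDisconnectionTime';         Value=60000;  Type='DWord' }  # end disconnected sessions after 1 min (ms)
  @{ Path=$ie; Name='FullScreen';                   Value='yes';  Type='String' } # IE: enforce full-screen mode
  @{ Path="$esc\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"; Name='IsInstalled'; Value=0; Type='DWord' } # IE ESC off (admins)
  @{ Path="$esc\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"; Name='IsInstalled'; Value=0; Type='DWord' } # IE ESC off (users)
  @{ Path=$rdp; Name='fDenyTSConnections';          Value=0;      Type='DWord' }  # Allow remote connections
  @{ Path="$rdp\WinStations\RDP-Tcp"; Name='UserAuthentication'; Value=0; Type='DWord' }  # NLA-only option cleared
)

function Set-DesiredState {
  foreach ($d in $desired) {
    if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
    New-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -PropertyType $d.Type -Force | Out-Null
  }
  Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False   # all three profiles off
  Import-Module RemoteDesktop
  Set-RDLicenseConfiguration -LicenseServer $LicenseServer -Mode PerDevice `
      -ConnectionBroker $LicenseServer -Force
}

function Test-DesiredState {
  # One row per setting with the value actually present, so any drift is visible.
  foreach ($d in $desired) {
    $actual = (Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue).($d.Name)
    [pscustomobject]@{ Setting=$d.Name; Expected=$d.Value; Actual=$actual; Ok=("$actual" -eq "$($d.Value)") }
  }
  Get-NetFirewallProfile | ForEach-Object {
    [pscustomobject]@{ Setting="Firewall:$($_.Name)"; Expected='False'; Actual="$($_.Enabled)"; Ok=("$($_.Enabled)" -eq 'False') }
  }
  $lic = Get-RDLicenseConfiguration -ConnectionBroker $LicenseServer
  [pscustomobject]@{ Setting='RDLicensingMode'; Expected='PerDevice'; Actual="$($lic.Mode)"; Ok=("$($lic.Mode)" -eq 'PerDevice') }
}
Set-DesiredState
Test-DesiredState | Format-Table -AutoSize
```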