Posted on 13-Aug-2020
Installation and Configuration Guide
Application Launcher & Session Recording
5.5.3.0
Copyright © 2003–2017 Lieberman Software Corporation.
All rights reserved.
The software contains proprietary information of Lieberman Software Corporation; it is provided
under a license agreement containing restrictions on use and disclosure and is also protected by
copyright law. Reverse engineering of the software is prohibited.
Due to continued product development this information may change without notice. The
information and intellectual property contained herein is confidential between Lieberman Software
and the client and remains the exclusive property of Lieberman Software. If there are any
problems in the documentation, please report them to Lieberman Software in writing. Lieberman
Software does not warrant that this document is error-free.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording or otherwise without the
prior written permission of Lieberman Software.
Microsoft, Windows, Word, Office, SQL Server, SQL Express, Access, MSDE, and MS-DOS are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries. Other brands and product names are trademarks of their respective owners.
Lieberman Software Corporation
1875 Century Park East, Suite 1200
Los Angeles, CA 90067
(310) 550-8575
Support: https://liebsoft.zendesk.com
Website: http://www.liebsoft.com
Contents
CHAPTER 1 INTRODUCTION
1.1 Limited Warranty
1.2 License Agreement
CHAPTER 2 START HERE: INSTALLATION AND UPGRADE ROADMAP
2.1 Installation Roadmap
2.2 Upgrade Roadmap
2.3 Planning Your Session Recording Installation
CHAPTER 3 INSTALLING APPLICATION LAUNCHER & SESSION RECORDING PREREQUISITES
3.1 Understanding Prerequisites
3.1.1 Recommended Knowledge
3.1.2 Product Requirements Overview
3.1.3 Application Launcher Requirements
3.1.4 Session Recorder Requirements
3.1.5 Media Server Requirements
3.1.6 Service Account Requirements
3.1.7 Port Requirements
3.2 Step 1. Install Remote Desktop Services
3.2.1 Installing Remote Desktop Services for 2012 R2
3.2.2 Installing Remote Desktop Services for 2008 R2
3.3 Step 2. Install Desktop Experience
3.3.1 Installing Desktop Experience for 2012 R2
3.3.2 Installing Desktop Experience for 2008 R2
3.4 Step 3. Install the Application Launcher and Session Recording Software
3.4.1 Session Recording and the Application Launcher
3.4.2 Session Recording on the Transcoder Host
3.4.3 Session Recording Media Server
3.5 Step 4. Setup RDS for Application Launching
3.5.1 Configuring Remote App for 2012 R2
3.5.2 Configuring Remote App for 2008 R2
3.6 Step 5. Configure IIS to Host Recorded Sessions
CHAPTER 4 CONFIGURING APPLICATION LAUNCHING AND SESSION RECORDING
4.1 Configure an Application Launch Server Logon Account
4.2 Configure the Web Launcher Settings
4.3 Configure the Application Launch Server Settings
4.4 Configure the Application Launch Server Host
4.5 Configure Session Recording Settings
4.6 Configure the Web Application Settings for Session Playback
4.7 Configure Applications for Launching
4.7.1 Adding Application Launching Scripts
4.7.2 Configuring Lieberman RED Identity Management to Launch Applications
4.7.3 Variables for App Launching
4.7.4 Maintaining Application Launching Scripts
4.7.5 Multi-Tab Support
4.7.6 Multi-Tab Support Configuration
4.7.6.1 Multi-Tab AutoIT Script Examples
4.8 Configure Application Sets
4.9 Shadow Accounts
CHAPTER 5 USING APPLICATION LAUNCHING
5.1 Setting User Permissions to Launch Applications
5.2 Using the Application Launcher
CHAPTER 6 AUDITING APPLICATION LAUNCHING
CHAPTER 7 UPGRADING APPLICATION LAUNCHER & SESSION RECORDING SOFTWARE
CHAPTER 8 INDEX
Chapter 1 Introduction
Application Launcher is designed to launch a wide range of programs and processes. The web
application user will click a link in the web application (or follow a series of steps via the REST or
SOAP APIs or PowerShell), and be connected to a target endpoint through a jump server using
specific credentials that are not disclosed to the user. Additionally, the application launcher
provides free session recording to capture the entire session in a video that can be played back later
through a streaming media server.
The goal of application launching is to put a user into a privileged session, limiting that user to just
the application and the singular connection.
IN THIS CHAPTER
Limited Warranty
License Agreement
There are many components to make the application launcher and session recording function:
• Lieberman RED Identity Management along with stored and secured credentials.
• Lieberman RED Identity Management Web Application.
• Lieberman RED Identity Management Web Service.
• Microsoft Expressions Recording Software for recording and video transcoding.
• Streaming Media Services for IIS.
• Internet Information Services (IIS) to host the web application, web service, and streaming
media services.
• Jump Server running Microsoft Remote Desktop Services (RDS).
Session recording audits the user's actions during a session and can be helpful when developing
training procedures. Visually recording an administrator's actions can help satisfy the requirements
of auditing mandates. Session recording will only function for applications launched via the jump
server.
1.1 LIMITED WARRANTY
The media (optional) and manual that make up this software are warranted by Lieberman Software
Corporation to be free of defects in materials and workmanship for a period of 30 days from the
date of your purchase. If you notify us within the warranty period of such defects in material and
workmanship, we will replace the defective manual or media (if either were supplied).
The sole remedy for breach of this warranty is limited to replacement of defective materials and/or
refund of purchase price and does not include any other kinds of damages.
Apart from the foregoing limited warranty, the software programs are provided "AS-IS," without
warranty of any kind, either expressed or implied. The entire risk as to the performance of the
programs is with the purchaser. Lieberman Software does not warrant that the operation will be
uninterrupted or error-free. Lieberman Software assumes no responsibility or liability of any kind
for errors in the programs or documentation of/for consequences of any such errors.
This agreement is governed by the laws of the State of California.
Should you have any questions concerning this Agreement, or if you wish to contact Lieberman
Software, please write:
Lieberman Software Corporation
1875 Century Park East, Suite 1200
Los Angeles, CA 90067
You can also keep up to date on the latest upgrades via our website at http://www.liebsoft.com or
e-mail us at: sales@liebsoft.com.
1.2 LICENSE AGREEMENT
This is a legal and binding contract between you, the end user, and Lieberman Software
Corporation. By using this software, you agree to be bound by the terms of this agreement. If you
do not agree to the terms of this agreement, you should return the software and documentation, as
well as all accompanying items promptly for a refund.
1. Your Rights: Lieberman Software Corporation hereby grants you the right to use a single copy of
Lieberman RED Identity Management to control the licensed number of systems and/or devices.
2. Copyright. The SOFTWARE is owned by Lieberman Software Corporation and is protected by
United States copyright law and international treaty provisions. Therefore, you must treat the
software like any other copyrighted material (e.g. a book or musical recording) except that you may
either (a) make one copy of the SOFTWARE solely for backup and archival purposes, or (b) transfer
the SOFTWARE to a single hard disk provided you keep the original solely for backup and archival
purposes. The manual is a copyrighted work. Also, you may not make copies of the manual for any
purpose other than the use of the software.
3. Other Restrictions: You may not rent or lease the SOFTWARE. You may not reverse engineer,
de-compile, or disassemble the SOFTWARE that is provided solely as executable programs (EXE
files). If the SOFTWARE is an update, any transfer must include the update and all prior versions.
When used lawfully, this software periodically transmits to us the serial number and network
identification information of the machine running the software. No personally identifiable
information or usage details are transmitted to us in this case. The program does not contain any
spyware or remote control functionality that may be activated remotely by us or any other third
party.
Lieberman Software Corporation
1875 Century Park East, Suite 1200
Los Angeles, CA 90067
310.550.8575
Support: https://liebsoft.zendesk.com
Website: http://www.liebsoft.com
Chapter 2 Start Here: Installation and Upgrade Roadmap
This chapter outlines what is required to install or upgrade application launcher and session
recording for Lieberman RED Identity Management.
IN THIS CHAPTER
Installation Roadmap
Upgrade Roadmap
Planning Your Session Recording Installation
2.1 INSTALLATION ROADMAP
The following roadmap outlines the steps to follow to install application launching and session
recording for Lieberman RED Identity Management.
1) Install and register Lieberman RED Identity Management, the web application and web service.
2) Make note of the web service URI as it will be required for the application launcher and session
recording to work.
3) Understand the product requirements prior to installation. Prepare for the installation by
Planning Your Session Recording Installation and reading Understanding Prerequisites.
4) Install the application launcher and optionally the session recording software.
5) Install streaming media services for IIS.
6) Configure application launching settings via the management console.
2.2 UPGRADE ROADMAP
The following roadmap outlines the steps to follow to upgrade application launching and session
recording for Lieberman RED Identity Management.
1) Upgrade Lieberman RED Identity Management, the web application and web service.
2) Make note of the web service URI as it will be required for the application launcher and session
recording to work.
3) Understand the product requirements prior to installation. Prepare for the upgrade by reading
Understanding Prerequisites.
4) Upgrade the application launcher and optionally the session recording software.
2.3 PLANNING YOUR SESSION RECORDING INSTALLATION
The application launching capability of Lieberman RED Identity Management is a licensed capability
which requires an Application Launch Server (also called a jump server). An Application Launch
Server in the context of Lieberman RED Identity Management is a Windows Remote Desktop
Session Services machine that will proxy connections to specific target systems.
The general configuration for application launcher includes the Lieberman RED Identity
Management installation, and a separate (recommended) jump server or multiple jump servers to
launch the applications. When session recording is enabled for an application there are four steps to
be concerned with:
• Recording - The Session Recorder component on the Application Launch Server records the
session and copies the resulting file(s) for video transcoding to the machine/folder functioning
as the video transcoder.
• Transcoding - The Video Transcoding Service component compresses the raw video file and
processes it for streaming. We recommend installing the transcoding component on a machine
not functioning as the jump server due to potential storage and CPU usage concerns; however,
a single-server configuration is fully supported. Transcoding videos requires significant overhead
in terms of CPU usage. The transcoder service then copies the final files to permanent
storage.
• Storage - A transcoded file will be moved to permanent storage. This could be the file system of
the transcoder or another system or device that will provide access of the final files to the
streaming media services machine.
• Streaming - The Media Server component streams the video files for viewing on demand and
will require access to the storage where the video files will be located. This machine may be a
shared machine or a separate machine.
High Availability
High availability for any of these components is achieved by deploying multiple instances of them
and configuring load balancing. For example:
• Jump Server - The application launcher relies on Microsoft Remote Desktop Services (RDS). RDS
uses Network Load Balancing (NLB) to achieve high availability.
• Transcoding - Transcoding may occur on the jump server or another machine. If transcoding is
performed on the jump server and the jump server is already configured as part of an NLB
cluster, simply install the transcoder on each host. If the transcoder is installed on another
machine that is not the jump server, then install multiple transcoders and point them at
shared storage where the recorder will place the raw non-transcoded files.
• Storage - To retain multiple live copies of the recorded sessions, use a replicated storage
solution like the Distributed File System (DFS) to have the data replicate.
• Streaming - Have multiple instances of the media server (IIS) configured as an NLB cluster which
points to the same shared storage.
Keep in mind that the recorded files are simply video files located in the file system of the host
machine. A simple backup strategy can also go a long way towards simplifying the
deployment. Also note that while each component is described separately above, most
installations combine roles.
Deployment Strategy
There are several permutations of deployment strategy when working with the application
launcher and session recording. Without session recording the strategy is fairly easy to understand,
as there are really only three pieces: the main solution installation, the jump server, and the target
server. Once the included session recording is added to the design, several more deployment
permutations must be considered.
Following are three potential deployment scenarios.
Deployment 1 places the recording, transcoding, and streaming components on the Application
Launch Server.
Deployment 2 places the recording and transcoding components on the Application Launch
Server, and the streaming component on the web server. This deployment may make sense if the
CPU on the Application Launch Server is powerful and can quickly process the raw video for
streaming. Note that this deployment model does not require IIS on the Application Launch Server.
Deployment 3 places the recording component on the Application Launch Server, and the
transcoding and streaming components on the web server. Of the three models presented, this
model is recommended, provided that the web server is sized to handle the demands placed on it
by the video transcoding service.
Chapter 3 Installing Application Launcher & Session Recording Prerequisites
This chapter documents the installation prerequisites for Lieberman RED Identity Management
Application Launcher and Session Recording. Based on your starting host system configuration, your
actual installation experience may vary.
The following topics are not covered in this guide:
• Installation of Windows
• Installation of Microsoft .Net Framework
• Installation of Lieberman RED Identity Management
IN THIS CHAPTER
Understanding Prerequisites
Step 1. Install Remote Desktop Services
Step 2. Install Desktop Experience
Step 3. Install the Application Launcher and Session Recording Software
Step 4. Setup RDS for Application Launching
Step 5. Configure IIS to Host Recorded Sessions
3.1 UNDERSTANDING PREREQUISITES
This section describes the requirements and prerequisites necessary to install Application Launching
and Session Recording for Lieberman RED Identity Management.
3.1.1 Recommended Knowledge
While Lieberman Software provides documentation and support to set up and configure Application
Launching and Session Recording for Lieberman RED Identity Management in conjunction with the
various technologies that it uses, product administrators should have knowledge in the following
areas:
• Windows
• IIS web server technologies
• Network administration
• System administration
Lieberman RED Identity Management component host servers should be patched, secured, and
properly configured in conjunction with your corporate patching strategy to help ensure that the
password store system will not be compromised.
3.1.2 Product Requirements Overview
Application launcher and session recording components can and should be (resources permitting)
distributed across multiple systems. The primary components are:
• Lieberman RED Identity Management - Includes the web application and web service.
• Application launcher - The jump server host that will launch the applications and connect to the
target systems on the requesting user's behalf.
• Session recording - Optional. Records sessions launched via the jump server.
• Transcoder - Performs conversion of the raw files to a format playable by auditors.
• Streaming media server - Streams the finalized video recordings to the auditor.
If any components will be shared on a single host, then simply combine the requirements. The
application launcher in particular should be placed on a separate system, relative to Lieberman RED
Identity Management to improve resource utilization.
The product is supported in a physical, virtual (cloud), or physical-virtual mixed environment. The
virtual host platform is irrelevant to the support of the product. All virtualization platforms are
supported. Virtual host and virtual machine configurations, however, can severely impact or impede
the ability of the product to work because virtual host and guest configurations do affect every
component of the virtual guest that is running the product.
3.1.3 Application Launcher Requirements
This section covers requirements for the application launcher tier of Lieberman RED Identity
Management and does not include requirements for session recording.
Platform Requirements
A Windows Server operating system is required for any installation of the application launcher. The
solution is fully supported on a physical server or a virtual machine, regardless of the virtual host
platform. All service pack levels and editions are supported except where specifically noted. We
recommend using Windows Server 2012 R2 as the host platform.
Supported versions of Windows Server are:
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2
Hardware and Software Requirements
In addition to the requirements needed to support the host system, the product itself requires at
least the following:
• Web Service installed and configured with a valid and trusted SSL certificate. Any certificate
error will prevent this functionality from working.
• Microsoft .Net Framework 4.5.2 or later.
• Remote Desktop Services.
• Remote Desktop Services licensing. Please contact your Microsoft representative for more
information.
• Desktop Experience and related components.
• RAM and CPU sizing considerations relative to the number of simultaneous expected users and
applications being launched. Please refer to Microsoft documentation for sizing considerations
when using Remote Desktop Services.
• Additional software requirements relative to the programs being launched.
3.1.4 Session Recorder Requirements
This section covers requirements for the session recording software for use with the application
launcher in Lieberman RED Identity Management.
Platform Requirements
A Windows Server operating system is required for any installation of the session recording
component. The solution is fully supported on a physical server or a virtual machine, regardless of
the virtual host platform. All service pack levels and editions are supported except where
specifically noted. We recommend using Windows Server 2012 R2 as the host platform.
Supported versions of Windows Server are:
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2
Hardware and Software Requirements
In addition to the requirements needed to support the host system, the product itself requires at
least the following:
• Microsoft .Net Framework 4.5.2 or later.
• Microsoft .Net Framework 3.5 SP1.
• Desktop Experience and related components.
• Multi-core CPUs.
• 2GB of RAM or more.
3.1.5 Media Server Requirements
This section covers requirements for the streaming media services required to play back recorded
sessions using the included session recording software.
Platform Requirements
A Windows Server operating system is required for any installation of streaming media services. The
solution is fully supported on a physical server or a virtual machine, regardless of the virtual host
platform. All service pack levels and editions are supported except where specifically noted. We
recommend using Windows Server 2012 R2 as the host platform.
Supported versions of Windows Server are:
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2
Hardware and Software Requirements
In addition to the requirements needed to support the host system, the product itself requires at
least the following:
• Internet Information Services (IIS).
• 2GB of RAM or more.
3.1.6 Service Account Requirements
Multiple service accounts may be used during this process. If one service account is used for more
than one component, combine the rights and permissions requirements for the account.
Application Launcher Service Accounts
The application launcher uses a single account to log into the jump server on behalf of the user and
launch a given application. This account should be a domain joined account. This account can be
managed by Lieberman RED Identity Management provided it is not also running deferred or zone
processing services as well. This account has no explicit requirements other than to be allowed to
remote desktop to the jump server host. This typically only requires membership in the Remote
Desktop Users group on the jump server.
Other considerations for this service account are:
• If the web service is leveraging Windows Integrated Authentication, this account must be able
to connect to the web service without being prompted for a username and password.
• There can be no SSL trust issues when connecting to the web service with this account.
• This account may require additional permissions on the jump server depending on the
application being launched. For example, if the application being launched requires
administrative privileges to run on the jump server, this service account must have
administrative group membership on the jump server.
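Two of the requirements above (the web service must present a valid, trusted SSL certificate, and the launcher logon account must have no SSL trust issues when connecting to it) can be checked from the jump server before the launcher is configured. The following PowerShell script is an added example, not code from this guide or from the Lieberman product; run it on the jump server as the application launcher logon account. The web service host name is a placeholder assumption and should be replaced with the host from the web service URI noted during installation.

```powershell
# Added example (not code from the Lieberman guide). Run on the jump server,
# as the application launcher logon account, to confirm the web service
# presents a certificate with no SSL policy errors. The host name used at the
# bottom is a placeholder assumption.

function Test-WebServiceCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )

    $script:CapturedErrors = [System.Net.Security.SslPolicyErrors]::None

    # The callback records the policy errors instead of failing the handshake,
    # so the report can say what is wrong (name mismatch, untrusted chain, ...).
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:CapturedErrors = $sslPolicyErrors
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Validates the chain against the account's trust store and the host name against the certificate.
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host         = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            PolicyErrors = $script:CapturedErrors
            Trusted      = ($script:CapturedErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

$report = Test-WebServiceCertificate -HostName 'redim-ws.example.local'   # placeholder host
$report | Format-List
if (-not $report.Trusted) {
    Write-Warning "Fix these certificate errors before configuring the launcher: $($report.PolicyErrors)"
}
```

Because the validation runs under whichever account executes the script, a result of `RemoteCertificateChainErrors` here while a browser on the same host shows the site as trusted usually means the issuing CA is in the user's store of the person testing but not in the machine store or the service account's store.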
Session Recording Service Accounts
Session recording service account requirements vary based on the actual deployment.
DEPLOYMENT: ALL ROLES ON SAME SERVER
• If session recording and transcoding and media service roles are installed on the jump server, it
is sufficient to configure the application to use "Local System" as no network access is required.
DEPLOYMENT: RECORDER ROLE ON JUMP SERVER, MEDIA SERVER AND TRANSCODER SERVICES ON A SEPARATE HOST
• Jump Server login account must have network access and modify permissions to the Source
share on the transcoder host.
• On the jump server, the session recording service account should be configured as Network Service
as it won't be used in this scenario.
• Session recording services may be disabled post install through the Windows services snap-in as
it won't be used in this scenario.
• Transcoding host service account may be configured as Local System or a named account. If
running as a named account, this account must be granted logon as a service. No network
access will be required from the transcoder host for the video files as the media server is on the
same host.
• Transcoding host service account must be granted modify access to the Source, Working, and
SessionRecording directories on the transcoder host. The actual paths will be defined during
installation.
DEPLOYMENT: RECORDER ROLE ON JUMP SERVER, TRANSCODER ON A SEPARATE HOST, MEDIA SERVER ON A SEPARATE HOST WITH LOCAL STORAGE
• Jump Server login account must have network access and modify permissions to the Source
share on the transcoder host.
• On the jump server, the session recording service account should be configured as Network Service
as it won't be used in this scenario.
• Session recording services may be disabled post install through the Windows services snap-in as
it won't be used in this scenario.
• Transcoding host service account must be configured as a named account.
• Transcoding host service account must be granted logon as a service.
• Transcoding host service account must be granted modify access to the Source and Working
directory on the transcoder host. The actual paths will be defined during installation.
• Transcoding host service account must be granted write access to the SessionRecording share
on the media server host.
DEPLOYMENT: RECORDER ROLE ON JUMP SERVER, TRANSCODER ON SEPARATE HOST, MEDIA SERVER ON SEPARATE HOST WITH REMOTE STORAGE
• Jump Server login account must have network access and modify permissions to the Source
share on the transcoder host.
• On the jump server, the session recording service account should be configured as Network Service
as it won't be used in this scenario.
• Session recording services may be disabled post install through the Windows services snap-in as
it won't be used in this scenario.
• Transcoding host service account must be configured as a named account.
• Transcoding host service account must be granted logon as a service.
• Transcoding host service account must be granted modify access to the Source and Working
directory on the transcoder host. The actual paths will be defined during installation.
• Transcoding host service account must be granted write access to the SessionRecording share
on the storage system the media server host is connecting to.
• If the storage system for the media server is a remote server rather than local storage, configure the
SessionRecording virtual directory in IIS with network credentials valid on the remote storage
system and grant read permissions on that directory to the account.
It is possible to configure every component to use the same service account. Because the components
have different access requirements, using a separate service account per component is a recommended
setup. However, this can make the configuration and maintenance unnecessarily complex. Therefore,
using a single service account for all components is fully supported and is most often the deployed
methodology.
3.1.7 Port Requirements
Application Launcher and Session Recording make use of a small number of well-known ports. Actual
port usage will vary based on your specific configuration.
Note: The following ports are the standard well-known ports for the various protocols.
These ports may have been changed on the target systems. It is the solution
administrator's responsibility to determine if any of the target ports have been
changed and reflect that changed port when password change jobs or account
discovery jobs are performed.
• 53 - TCP/UDP, outbound, DNS - used for name resolution to target hosts.
• 88 - TCP/UDP, outbound, Kerberos - used by jump server to authenticate login user when
authenticating with Kerberos.
• 443 - TCP, outbound, HTTPS - used by the application launcher and web service to communicate
with the Lieberman RED Identity Management web service.
• 445 - TCP, outbound, SMB - used by session recording components to copy recorded files to
other session recording component hosts when hosted across multiple servers.
• 464 - TCP/UDP, outbound, Kerberos - used by jump server to authenticate login user when
authenticating with Kerberos.
• 3389 - TCP/UDP, inbound, RDP - used by the end user to connect to the jump server and stream
remote applications installed on it to their desktop.
• 389/636 - TCP, outbound, LDAP/LDAPS - used by the jump server to communicate with active
directory during login of the application launcher login account.
• Other - TCP/UDP, outbound, unknown - ports leveraged by the launched application will require
ports specific to their function and are not defined by Lieberman RED Identity Management.
If the web services or the web application are on non-default ports for their HTTP/S configuration, the
firewalls must be configured to allow communication on those ports.
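As an added check that is not part of the Lieberman guide, the following PowerShell script tests TCP reachability from the jump server for each outbound port listed above. The target hostnames are assumed placeholders, and the port numbers are the well-known defaults, which must be edited if your environment uses non-default ports.

```powershell
# Added example (not from the Lieberman guide): check outbound TCP reachability from the
# jump server for the ports listed in 3.1.7. Hostnames are assumed placeholders; ports are
# the well-known defaults and must be edited if the target systems use non-default ports.
$DomainController = 'dc01.example.local'          # DNS, Kerberos, LDAP/LDAPS
$WebServerHost    = 'webserverHost'               # RED Identity Management web service
$TranscoderHost   = 'transcoder01.example.local'  # SMB target for the Source share

# Plain TcpClient probe so the script also runs on Windows Server 2008 R2, which lacks
# Test-NetConnection. A refused or timed-out connect counts as closed.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# One row per outbound port from the guide. 3389 is inbound to the jump server and is
# verified from a client workstation instead. The UDP legs of DNS and Kerberos are not
# exercised by a TCP connect and are flagged as such in the report.
$Checks = @(
    @{ Host = $DomainController; Port = 53;  Proto = 'TCP/UDP'; Purpose = 'DNS name resolution' },
    @{ Host = $DomainController; Port = 88;  Proto = 'TCP/UDP'; Purpose = 'Kerberos authentication' },
    @{ Host = $DomainController; Port = 464; Proto = 'TCP/UDP'; Purpose = 'Kerberos authentication' },
    @{ Host = $DomainController; Port = 389; Proto = 'TCP';     Purpose = 'LDAP to Active Directory' },
    @{ Host = $DomainController; Port = 636; Proto = 'TCP';     Purpose = 'LDAPS to Active Directory' },
    @{ Host = $WebServerHost;    Port = 443; Proto = 'TCP';     Purpose = 'HTTPS to the web service' },
    @{ Host = $TranscoderHost;   Port = 445; Proto = 'TCP';     Purpose = 'SMB copy of recordings' }
)

$Results = foreach ($c in $Checks) {
    $note = ''
    if ($c.Proto -like '*UDP*') { $note = 'UDP leg not probed' }
    [pscustomobject]@{
        Host    = $c.Host
        Port    = $c.Port
        Proto   = $c.Proto
        Purpose = $c.Purpose
        TcpOpen = Test-TcpPort -ComputerName $c.Host -Port $c.Port
        Note    = $note
    }
}
$Results | Format-Table -AutoSize

# Non-zero exit if any required TCP port is unreachable, so the check can gate a rollout.
if (@($Results | Where-Object { -not $_.TcpOpen }).Count -gt 0) { exit 1 }
```

Inbound 3389 is verified from an end-user workstation by calling Test-TcpPort against the jump server on that port.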
3.2 STEP 1. INSTALL REMOTE DESKTOP SERVICES
The following sub-sections document how to install Remote Desktop Services on both a Windows
Server 2008 R2 and Windows Server 2012 (R2) host. If multiple Application Launch Servers will be
employed, Lieberman RED Identity Management does not require them all to run on the same
operating system, but they do all need to be Windows Server 2008 R2 or later (2012 R2
recommended).
Lieberman RED Identity Management will use a singular logon account to connect to the application
launch server. This account will be used to launch applications. It does not necessarily need to be an
administrator unless a specific application requires administrative rights to run. If the account is not
configured as an administrator of the application launch host, it will need to be granted the rights to
log on via Remote Desktop Services. This is typically granted by adding the account to the Remote
Desktop Users local group.
3.2.1 Installing Remote Desktop Services for 2012 R2
This section covers installation of the prerequisites on a Windows Server 2012 and Windows Server
2012 R2 host which will function as an Application Launch Server for the purposes of launching
applications.
1) Open Server Manager and select Add Roles and Features.
2) Click Next on the Before You Begin page.
3) On the Select installation type page select Remote Desktop Services installation then click
Next.
4) On the Select deployment type page, choose a deployment type and click Next.
5) The steps presented here go through a standard deployment, where the admin will be required to
configure a collection after the RDS installation. The Quick Start method is faster and
automatically creates a collection, but it will also add and publish additional applications that
are unnecessary and will not provide any configuration options.
6) On the Select deployment scenario page, select Session-based desktop deployment, then click
Next.
7) Click Next on the Role Services page.
8) On the Specify RD Connection Broker server page, select the server from the Server Pool field,
then add it to the selected computer field by clicking the right arrow head between the two
fields.
9) Click Next to continue.
10) On the Specify RD Web Access server page, select the server from the Server Pool field, then
add it to the selected computer field by clicking the right arrow head between the two fields.
11) Click Next to continue.
12) On the Confirm selections page, click Deploy. Restart the host if required.
13) After restarting, open Server Manager and click on Remote Desktop Services from the right
pane, then click on Collections from the center pane. A new collection must be made to publish
the Lieberman RED Identity Management application launcher program used to launch software
from the Application Launch Server.
14) At the top right corner, select Tasks and click Create Session Collection.
15) On the Before you begin page, click Next.
16) On the Name the collection page, supply a friendly name for the collection and click Next.
The collection name should be 16 characters or less (due to Microsoft design limitations).
17) On the Specify RD Session Host server page, select the server from the Server Pool field, then
add it to the selected computer field by clicking the right arrow head between the two fields.
Then click Next.
18) Specify the proxy account that will connect to the Application Launch Server prior to launching
the selected application. This account will either need to be added to a group which can RDP to
the target Application Launch Server and launch subsequent applications, or should be added
directly as a user which can connect to the RD Session Host server. This account is described in
the parent section, Step 1. Installing Remote Desktop Services.
19) Click Next to continue.
20) On the Specify user profile disks page, click Next.
21) On the Confirm selections page, click Create.
22) An empty collection will be created. The installation and configuration of the launcher
application will be described later in this document.
3.2.2 Installing Remote Desktop Services for 2008 R2
This section covers installation of Remote Desktop Services on a Windows Server 2008 R2 host as
required for Application Launch Server services.
1) Start Server Manager and select Add Roles. Click Next on the welcome page and select Remote
Desktop Services then click Next.
2) Click Next on the Introduction to Remote Desktop Services page.
3) On the Select Role Services page, select Remote Desktop Session Host, then click Next.
4) Click Next on the Uninstall and Reinstall Applications for Compatibility page.
5) On the Specify Authentication Method for Remote Desktop Session Host page, choose the
option that best suits your company's needs. The option Require Network Level
Authentication will provide greater security but may only work properly for newer hosts and if
all incoming connections are properly verified. The option Do not require Network Level
Authentication will provide greater compatibility for all connecting systems but may reduce the
overall security of the Application Launch Server. Click Next to continue.
6) On the Specify Licensing Mode page, a remote desktop session license mode must be selected.
If RDS client access licenses are not yet available but will be soon, select Configure later. If
unsure about what option to choose, select Configure later, and then contact your Microsoft
licensing services manager. RDS will function for 120 days without a proper licensing server. If
RDS CALs are available, then choose the proper Per Device or Per User model for your
organization.
7) Specify the proxy account that will connect to the Application Launch Server prior to launching
the selected application. This account will either need to be added to a group that can RDP to
the target Application Launch Server and launch subsequent applications, or should be added
directly as a user that can connect to the RD Session Host server. This account is described in
the parent section, Step 1. Installing Remote Desktop Services.
8) Click Next to continue.
9) On the Configure Client Experience page, it is recommended to leave all options deselected.
Click Next to continue.
10) On the Confirm Installation Selections page, examine the installation selections. If everything is
correct, click Install. The server will need to reboot after installation.
The installation and configuration of the launcher application will be described later in this
document.
3.3 STEP 2. INSTALL DESKTOP EXPERIENCE
If you are not going to enable session recording, you do not need to install the Desktop Experience
feature. If you plan to enable session recording, install the Desktop Experience feature now.
Microsoft Desktop Experience is included with Windows Server 2008 R2 and 2012 R2. If you
installed Windows Server as a Server Core installation, Desktop Experience is not yet installed on
your server. If you installed a Full Windows Server installation, Desktop Experience may already be
installed on your server. For more information about Desktop Experience, see the following
TechNet article: https://technet.microsoft.com/en-us/library/dn609826.aspx
Desktop Experience is already installed with full installations of Windows Server 2016.
If you install the video transcoding service and the Application Launcher & Session Recorder
components on separate systems, install the Desktop Experience on the Application Launch Server
and the system that runs the video transcoder. You do not need to install Desktop Experience on
the streaming media server.
3.3.1 Installing Desktop Experience for 2012 R2
If session recording will be configured then the Desktop Experience must be installed. To add the
Desktop Experience, open Server Manager and select Add Features.
1) On the Features Page, expand User Interfaces and Infrastructure, and select Desktop
Experience.
2) If prompted for additional components, click Add Features.
3) Add any other features that applications launched from this system may require (such as
.NET Framework 3.51 or 4.x) and click Next.
4) Continue through to the end of the wizard. Click Close when done. Installation of the Desktop
Experience will require a restart of the host.
3.3.2 Installing Desktop Experience for 2008 R2
If session recording will be configured then the Desktop Experience must be installed. To add the
Desktop Experience, open Server Manager and select Add Features.
1) On the Features Page, select Desktop Experience.
2) If prompted for additional components, click Add Required Features.
3) Click Next to continue.
4) Once the installation is complete, click Close and restart the server.
3.4 STEP 3. INSTALL THE APPLICATION LAUNCHER AND SESSION RECORDING SOFTWARE
This step covers the installation of the application launcher and the optional session recording
feature.
• If you are not installing the session recording feature, skip the sections titled Session Recording
on the Transcoder Host and Session Recording Media Server.
• Start the installation process by following the steps outlined in Session Recording and the
Application Launcher.
• If you are installing the session recording feature, complete all sections under this chapter.
An Application Launch Server in the context of Lieberman RED Identity Management is a Windows
Remote Desktop Session Services machine (formerly Terminal Services) that will proxy connection
attempts made to specific target systems. The Application Launch Server will have all programs used
to connect to target systems installed on it. A proxy account will be used to connect to the
Application Launch Server. This account can and should be managed by Lieberman RED Identity
Management, but automated password management for this account, while recommended, is not
necessary as a static un-stored password may also be used.
The Session Recording software records sessions performed through the jump server functionality.
Recorded sessions are copied from the Application Launch Server to a machine functioning as a
video transcoder. The transcoder converts videos from the raw format to one that can be played
back by the machine functioning as a streaming media server.
This section outlines the installation of session recording for application launching on two separate
machines functioning independently.
3.4.1 Session Recording and the Application Launcher
To begin installing the session recording software on the machine that will function as the video
transcoder, open the SupplementalInstallers sub-folder from the installation directory, typically
"%programfiles (x86)\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to the
machine that will function as the transcoder and launch the installer.
1) Click Next on the welcome page.
2) Read and accept the license agreement to continue installation. Then click Next to continue.
3) Enter the full SSL-secured URL to the web service. Web Services are installed separately,
typically on the web application server. The application launcher web service is installed with
the standard ERPMWebService installer package. The URL is typically
https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.
4) Click Test to validate the URL. Any certificate issues must be corrected before installation can
properly succeed. If the web page does not appear at all, validate the URL and try again or install
Web Services.
5) If the page tests without issue or errors, click Next to continue.
6) If session recording WILL NOT be enabled, select to install:
Application Launcher
For the Application Launch Server host, if session recording WILL BE enabled, select to install:
Microsoft Expression 4 Encoder SP2
Session Recorder and File Watcher Service
Application Launcher
7) Select the installation directory. Click Next to continue.
If session recording components are not enabled, clicking Next will install the application
launcher software and complete the installation.
8) If session recording components are being installed, the next dialog will configure the session
recording paths:
The destination directory is where completed video files will be placed once they have been
transcoded. If this machine is functioning as the transcoder host as well and the media server will
be a separate machine, specify the network path to the SessionRecording share on the media server
host.
9) Click Next on the video transcoder paths.
10) On the Application Launch Server host, set the service identity to run as a Specific User,
Network Service, or Local System.
Local system offers the benefit of already having proper access and no password management
requirements. If the transcoder is running on a separate system and Local system is used, then
the computer account of the Application Launch Server host must be granted Modify access to
the source directory on the transcoder host.
Network service provides for less rights than Local system and offers the benefit of already
having proper access and no password management requirements. If the transcoder is running
on a separate system and network service is used, then the computer account of the
Application Launch Server host must be granted Modify access to the source directory on the
transcoder host. "NT Authority\Network Service" must also be granted Modify access to the
Session Recording directory.
Running as a specific user will offer the path of least privilege but will require configuring NTFS
permissions on the Source directory from the previous step for read, write, and delete files
(Modify).
Running as a specific user is recommended for running the File Watcher service on the
Application Launch Server host when the transcoder is on a separate system.
11) Click Next to continue.
12) Click Install to continue.
13) Click Finish to complete the first part of the installation.
If session recording components were not selected during the installation process, the installer will
now end its routine. If any of the session recording components were selected, a separate
installation for the Microsoft Expressions recorder will be initiated automatically.
1) Accept the License agreement for the Microsoft Expressions recorder.
2) Click Next on the Enter product key page. There is no product key to enter.
3) Elect to join the Microsoft customer experience or not. Click Next to continue.
4) Select to install Expression Encoder 4 and click Install.
5) Click Finish to complete the installation.
6) This installation will take additional actions that are not visible in the installer:
A [Domain] Local security group will be created called WriteRecordingGroup. If the installation is
taking place on a domain controller, the group is created in the Users container. This group may
be safely deleted from the Application Launch Server host if it is also functioning as the
transcoder host.
The Domain Admins group will be added to this WriteRecordingGroup.
The installer will create and share the following directory:
%inetpub%\wwwroot\SessionRecording as SessionRecording. This directory is used to copy
compiled session recordings from the Application Launch Server to the transcoder host. This
scenario would apply if using the FFMPeg video recorder rather than the Expressions recorder.
This share directory will be required when configuring the Application Launch Server host for
app launching with session recording. If the transcoder and the Application Launch Server host are
the same system, this share can be safely deleted.
The installer will create and share the following directory: %programfiles
(x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be
used by the Application Launch Server hosts to copy raw session recording files to the
transcoder host(s). This scenario would apply if using the Expressions 4 recording software. This
share directory will be required when configuring the Application Launch Server host for app
launching with session recording. If the transcoder and the Application Launch Server host are the
same system, this share can be safely deleted.
Each of the shared directory share permissions will be set to allow the WriteRecordingGroup
"Full Control". Minimum permissions required are "Change".
3.4.2 Session Recording on the Transcoder Host
Skip this step if you are not using the included session recording software.
1) To begin installing the session recording software on the machine that will function as the video
transcoder, open the SupplementalInstallers sub-folder from the installation directory, typically
"%programfiles (x86)\Lieberman\Roulette". Copy ERPMRemoteLauncherInstaller.exe to the
machine that will function as the transcoder and launch the installer.
2) Click Next on the welcome page.
3) Read and accept the license agreement to continue installation. Then click Next to continue.
4) Enter the full SSL-secured URL to the web service. Web Services are installed separately,
typically on the web application server. The application launcher web service is installed with
the standard ERPMWebService installer package. The URL is typically
https://webserverHost/ERPMWebService/WebLauncherBackEndService.svc.
Click Test to validate the URL. Any certificate issues must be corrected before installation can
properly succeed. If the web page does not appear at all, validate the URL and try again or install
Web Services.
5) If the page tests without issue or errors, click Next to continue.
6) For the transcoder host, select to install:
Microsoft Expression 4 Encoder SP2
Session Recorder and File Watcher Service
7) Select the installation directory. Click Next to continue.
8) The destination directory is where completed video files will be placed once they have been
transcoded. If this machine is functioning as the transcoder host as well and the media server will
be a separate machine, specify the network path to the SessionRecording share on the media server
host. If this machine will also be the media server, the default path is correct.
9) Click Next to continue.
10) On the transcoder host, set the service identity to run as either Local System or as a Specific
User.
Local system offers the benefit of already having proper access and no password management
requirements.
Running as a specific user will offer the path of least privilege but will require configuring NTFS
permissions on the Source directory from the previous step for read, write, and delete files
(Modify).
Running the File Watcher service as Local System is recommended on the transcoder host.
11) Click Next to continue.
12) Click Install to continue.
13) Click Finish to complete the first part of the installation.
14) After the initial installation is complete, a separate installation for the Microsoft Expressions
recorder will be initiated automatically.
15) Accept the License agreement for the Microsoft Expressions recorder.
16) Click Next on the Enter product key page. There is no product key to enter.
17) Elect to join the Microsoft customer experience or not. Click Next to continue.
18) Select to install Expression Encoder 4 and click Install.
19) Click Finish to complete the installation.
IMPORTANT NOTES REGARDING THIS INSTALLATION!
This installation will take additional actions that are not visible in the installer:
• A [Domain] Local security group will be created called WriteRecordingGroup. If the installation
is taking place on a domain controller, the group is created in the Users container.
• The Domain Admins group will be added to this WriteRecordingGroup.
• The installer will create and share the following directory:
%inetpub%\wwwroot\SessionRecording as SessionRecording. This directory is used to copy
compiled session recordings from the Application Launch Server to the transcoder host. This
scenario would apply if using the FFMPeg video recorder rather than the Expressions recorder.
If the transcoder component is installed on the Application Launch Server, or if the Expression
session recorder is the only used session recorder, this share may be safely deleted. This share
directory will be required when configuring the Application Launch Server for app launching
with session recording.
• The installer will create and share the following directory: %programfiles
(x86)%\Lieberman\Roulette\LaunchApp\Transcoders\Source as Source. This directory will be
used by the Application Launch Server to copy raw session recording files to the transcoder
host(s). If the transcoder component is installed on the Application Launch Server, this share
can be safely deleted. This scenario would apply if using the Expressions 4 recording software.
This share directory will be required when configuring the Application Launch Server for app
launching with session recording.
• Each of the shared directory share permissions will be set to allow the WriteRecordingGroup
"Full Control". Minimum permissions required are "Change".
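The share and NTFS permissions described above, and in the service account prerequisites in 3.1, can be applied and verified with the following PowerShell, an added example that is not part of the Lieberman installer or guide. It assumes a named transcoder service account and a Working directory path, both placeholders, and uses the default Source path and share names quoted in the guide.

```powershell
# Added example (not from the Lieberman guide or installer): apply and verify the minimum
# permissions the guide describes for session recording on a transcoder host that runs the
# File Watcher service as a named account. The service account and the Working directory
# path are assumed placeholders; the Source path and share names are the guide's defaults.
$ServiceAccount = 'CORP\svc-transcoder'        # assumed named service account
$RecordingGroup = 'WriteRecordingGroup'        # group the installer creates
$Base   = "${env:ProgramFiles(x86)}\Lieberman\Roulette\LaunchApp\Transcoders"
$Dirs   = @("$Base\Source", "$Base\Working")   # Working path is an assumption
$Shares = @('Source', 'SessionRecording')      # shares the installer creates

# 1. NTFS: grant the service account Modify (read, write, delete) on Source and Working,
#    inherited by sub-folders and files, leaving the other existing entries untouched.
foreach ($dir in $Dirs) {
    $acl  = Get-Acl -Path $dir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ServiceAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl
}

# 2. Share level: the installer grants WriteRecordingGroup Full Control, while the guide
#    states Change is the minimum required. Replace the entry with Change (the SmbShare
#    cmdlets need Windows Server 2012 or later).
foreach ($share in $Shares) {
    if (Get-SmbShare -Name $share -ErrorAction SilentlyContinue) {
        Revoke-SmbShareAccess -Name $share -AccountName $RecordingGroup -Force
        Grant-SmbShareAccess  -Name $share -AccountName $RecordingGroup -AccessRight Change -Force
    }
}

# 3. Confirm the account holds "Log on as a service" (SeServiceLogonRight). secedit lists
#    SIDs, so the account is resolved first; granting the right itself is a separate step
#    in Local Security Policy or a GPO.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$hasRight = ($line -ne $null) -and ($line -like "*$sid*")

# 4. Report the effective entries for review before go-live.
"Log on as a service for ${ServiceAccount}: " + $(if ($hasRight) { 'granted' } else { 'MISSING' })
foreach ($dir in $Dirs) {
    (Get-Acl -Path $dir).Access |
        Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
        Select-Object @{ n = 'Path'; e = { $dir } }, FileSystemRights, InheritanceFlags |
        Format-Table -AutoSize
}
foreach ($share in $Shares) {
    Get-SmbShareAccess -Name $share -ErrorAction SilentlyContinue | Format-Table -AutoSize
}
```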
3.4.3 Session Recording Media Server
Skip this step if you are not using the included session recording software.
Streaming Media Services is used to provide smooth streaming of the recorded sessions from the
streaming host (typically the web application server) to the client's browser and video player.
Installation of this component is only required if session recording will be used.
To begin installing the streaming media software on the machine that will function as the streaming
video server, open the SupplementalInstallers sub-folder from the installation directory,
typically %programfiles (x86)\Lieberman\Roulette. Copy IISMEdia64.msi to the machine that
will function as the streaming video server and launch the installer.
The installation of IIS Media services requires a basic stock installation of IIS to be available on the
same host server.
1) Click Next on the welcome page.
2) Read and accept the terms of the license agreement, then click Next.
3) Leave the default options selected then click Next.
4) Click Install.
5) Click Finish.
3.5 STEP 4. SETUP RDS FOR APPLICATION LAUNCHING
This section details configuring RemoteApp on the remote session host to launch the application
launcher. The application launcher is a bootstrapper used to launch and provide authentication
information for configured applications.
When a user uses the "Launch App" links in the web application, the launcher is called first. It will
obtain the necessary credential information for the application to launch, and then launch the
application from the Application Launch Server. In turn, VDI will display the remote application on
the user's workstation as if it were a local application.
3.5.1 Configuring Remote App for 2012 R2
Open Server Manager and click the Remote Desktop Services link in the left pane. Then click
Collections. Select the collection in which the application launcher will be configured.
1) In the REMOTEAPP PROGRAMS area, click Tasks and select Publish RemoteApp Programs.
Then click Add on the Publish RemoteApp programs dialog.
2) Select LiebsoftLauncher.exe from the application launcher installation location on the
Application Launch Server (configured in step 3 previously). The default directory for this file is:
C:\Program Files (x86)\Lieberman\Roulette\LaunchApp. Then click Next.
3) On the Confirmation page, click Publish.
4) Once the LiebsoftLauncher application is published, right-click on it in the RemoteApp Programs
list and select Edit Properties.
5) On the General tab, set the Show the RemoteApp program in RD Web Access dialog to No.
Although everything will work fine if this is not done, there is no need to publicize this
application.
6) On the Parameters tab, set the Command-line Parameters option to Allow any command-line
parameters. The LiebsoftLauncher will differ every single time it is run based on many factors
including session IDs, programs being run and parameters included when launching the
programs.
7) On the User Assignment tab, it is highly recommended to change the User Assignment option
to be a specific user or group of users. Specifically, you will be connected to the server as a
pre-designated account (which can be managed by Lieberman RED Identity Management). This
is the only account that will require access to run the program. This account will be covered
later in the Configuring Application Launching section. The account assigned here will require
any permissions and rights to launch the desired programs.
8) Click OK when done.
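The 2012 R2 collection steps in 3.2.1 and the RemoteApp steps in 3.5.1 can be scripted with the Windows RemoteDesktop module; the following is an added example and not part of the Lieberman guide. Server names, the collection name and the proxy group are assumed placeholders, and the launcher path is the default quoted above.

```powershell
# Added example (not from the Lieberman guide): script the 2012 R2 collection and RemoteApp
# configuration from sections 3.2.1 and 3.5.1 with the Windows RemoteDesktop module.
# Server names, the collection name and the proxy group are assumed placeholders; the
# launcher path is the default quoted in the guide.
Import-Module RemoteDesktop

$Broker       = 'rds01.example.local'    # RD Connection Broker chosen in step 8 of 3.2.1
$SessionHost  = 'rds01.example.local'    # RD Session Host chosen in step 17 of 3.2.1
$Collection   = 'LaunchApp'              # friendly name, 16 characters or fewer
$ProxyGroup   = 'CORP\LaunchProxyUsers'  # assumed group containing only the proxy account
$LauncherPath = 'C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\LiebsoftLauncher.exe'

# The guide notes a Microsoft design limit of 16 characters on the collection name.
if ($Collection.Length -gt 16) {
    throw "Collection name '$Collection' exceeds 16 characters"
}

# 3.2.1 steps 13-22: create the empty session collection if it does not already exist.
$existing = Get-RDSessionCollection -CollectionName $Collection -ConnectionBroker $Broker `
                -ErrorAction SilentlyContinue
if (-not $existing) {
    New-RDSessionCollection -CollectionName $Collection -SessionHost $SessionHost `
        -ConnectionBroker $Broker | Out-Null
}

# 3.2.1 step 18: only the proxy account (via its group) may connect to the session host.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup $ProxyGroup `
    -ConnectionBroker $Broker

# 3.5.1 steps 1-7: publish LiebsoftLauncher.exe, hide it from RD Web Access, allow any
# command-line parameters (its arguments change on every launch) and assign it to the
# proxy group only. Do not rename the alias afterwards.
$app = Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker `
           -ErrorAction SilentlyContinue | Where-Object { $_.FilePath -eq $LauncherPath }
if (-not $app) {
    $app = New-RDRemoteApp -CollectionName $Collection -DisplayName 'LiebsoftLauncher' `
               -FilePath $LauncherPath -ShowInWebAccess $false -CommandLineSetting Allow `
               -UserGroups $ProxyGroup -ConnectionBroker $Broker
}

# Review: CommandLineSetting must read Allow and ShowInWebAccess must read False.
Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker |
    Select-Object Alias, DisplayName, FilePath, CommandLineSetting, ShowInWebAccess, UserGroups
```

The RemoteDesktop module ships with Windows Server 2012 and later; the 2008 R2 procedure in 3.5.2 remains a RemoteApp Manager task.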
3.5.2 Configuring Remote App for 2008 R2
Open Server Manager and expand the Remote Desktop Services > RemoteApp Manager nodes in
the left pane.
1) In the RemoteApp Programs area, right-click and select Add RemoteApp Programs. Click Next
on the Welcome page then click Browse on the Choose programs to add to the RemoteApp
Programs list page.
2) Select LiebsoftLauncher.exe from the application launcher installation location on the
Application Launch Server (configured in step 3 previously). The default directory for this file is:
C:\Program Files (x86)\Lieberman\Roulette\LaunchApp. Then click Next.
3) On the Review Settings page, click Finish.
4) Once the LiebsoftLauncher application is added, right-click on it in the RemoteApp Programs list
and select Properties.
Note: CAUTION! DO NOT CHANGE THE ALIAS value.
5) De-select the check box for RemoteApp program in RD Web Access. Although everything will
work fine if this is not done, there is no need to publicize this application.
6) Set the Command-line arguments option to Allow any command-line parameters. The
LiebsoftLauncher will differ every single time it is run based on many factors including session
IDs, programs being run and parameters included when launching the programs.
7) On the User Assignment tab, it is highly recommended to change the User Assignment option
to be a specific user or group of users. Specifically, the app launch software will connect to the
server as a pre-designated account (which should be managed by Lieberman RED Identity
Management). This is the only account that will require access to run the program. This account
will be covered later in the Configuring Application Launching section. The account assigned
here will require any permissions and rights to launch the desired programs.
8) Click OK when done.
3.6 STEP 5. CONFIGURE IIS TO HOST RECORDED SESSIONS
This step is only required if session recording has been enabled. If session recording is not enabled,
do not perform this step. This will likely be configured on the same system where Streaming Media
Services was installed.
When an application is launched through the Application Launch Server and that application is
configured to record the session, the recording is first written to a pre-configured directory on the
machine that will ultimately host the videos for later playback. When using the Microsoft Expression
session recorder, the raw recording is written to the local file system as an XESC file. The File
Watcher Service then moves the raw XESC file to a share called "Source" on the machine configured
as the video transcoder. Once the raw XESC files arrive on the transcoder, the File Watcher service
on that machine transcodes them to WMV format and moves the finished files into the
"SessionRecording" share on the same system. It is this directory that is hosted in IIS and made
available through the web application.
Little configuration is required on the machine that will host (stream) the finished videos, because
the application launcher installer has already set up most of it: the default website has a new
virtual directory called SessionRecording, which points to %inetpub%\wwwroot\SessionRecording.
The only change that may be needed is to set the authentication scheme to anonymous. To do this,
open IIS Manager, expand the default website, select the SessionRecording virtual directory (so the
change is scoped to that directory rather than the whole site) and open the Authentication feature.
Enable Anonymous Authentication and disable all other authentication types.
Note that with anonymous authentication IIS itself no longer restricts who can fetch a recording:
anyone who can reach the site and knows a file name can download it. Serve the directory over
HTTPS only, leave directory browsing off, and restrict network access to the host to the users who
are meant to play back sessions.
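The same change scripted with the WebAdministration module, with a read-back check, as an added example that is not part of this guide. It assumes the installer created the SessionRecording virtual directory under "Default Web Site" as described above, and that the module (IIS 7 and later) is available on the hosting server.

```powershell
# Added example, not from the Lieberman guide. Assumes the SessionRecording virtual
# directory exists under "Default Web Site" and the WebAdministration module is present.
Import-Module WebAdministration

$Site     = 'Default Web Site'
$VDir     = 'SessionRecording'
$Location = "$Site/$VDir"
$AuthPath = 'system.webServer/security/authentication'
$Schemes  = 'anonymousAuthentication','windowsAuthentication','basicAuthentication','digestAuthentication'

# Authentication sections are locked at server level by default; unlock them so a
# per-directory override is permitted.
foreach ($s in $Schemes) {
    Set-WebConfiguration -Filter "$AuthPath/$s" -PSPath 'IIS:\' -Metadata overrideMode -Value Allow -ErrorAction SilentlyContinue
}

# Anonymous on, everything else off, scoped to the virtual directory only so the rest
# of the site keeps whatever authentication the web application itself needs.
Set-WebConfigurationProperty -Filter "$AuthPath/anonymousAuthentication" -Name enabled -Value $true -PSPath 'IIS:\' -Location $Location
foreach ($s in ($Schemes | Where-Object { $_ -ne 'anonymousAuthentication' })) {
    # A scheme whose IIS feature is not installed has no config section; skip it quietly.
    Set-WebConfigurationProperty -Filter "$AuthPath/$s" -Name enabled -Value $false -PSPath 'IIS:\' -Location $Location -ErrorAction SilentlyContinue
}

# Directory browsing must stay off: with anonymous access, a listing would hand any
# visitor the file names of every recorded session.
Set-WebConfigurationProperty -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false -PSPath "IIS:\Sites\$Site\$VDir"

# Read the effective state back and fail if anything but anonymous is enabled.
$state = foreach ($s in $Schemes) {
    $v = Get-WebConfigurationProperty -Filter "$AuthPath/$s" -Name enabled -PSPath 'IIS:\' -Location $Location -ErrorAction SilentlyContinue
    [pscustomobject]@{ Scheme = $s; Enabled = [bool]$v.Value }
}
$state | Format-Table -AutoSize
if ($state | Where-Object { $_.Scheme -ne 'anonymousAuthentication' -and $_.Enabled }) {
    throw 'A non-anonymous authentication scheme is still enabled on the SessionRecording directory.'
}
```

Run it elevated on the IIS host. The unlock step is what makes the `-Location` override stick; without it, the per-directory setting is silently rejected and the site-level scheme continues to apply.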
Following installation, five configuration steps are mandatory before the application launcher and
the session recorder can be used. The remaining steps in this section are optional.
1) Configure an Application Launch Server Logon Account (on page 100)
2) Configure the Web Launcher Settings (on page 126)
3) Configure the Application Launch Server Settings (on page 129)
4) Configure the Application Launch Server Host (on page 134)
5) Configure Applications for Launching (on page 143)
IN THIS CHAPTER
Configure an Application Launch Server Logon Account ...................... 100
Configure the Web Launcher Settings .................................................. 126
Configure the Application Launch Server Settings ................................ 129
Configure the Application Launch Server Host ..................................... 134
Configure Session Recording Settings ................................................... 135
Configure the Web Application Settings for Session Playback ............. 140
Configure Applications for Launching ................................................... 143
Configure Application Sets .................................................................... 166
Shadow Accounts .................................................................................. 172
Chapter 4 Configuring Application Launching and Session Recording
100 Configuring Application Launching and Session Recording
4.1 CONFIGURE AN APPLICATION LAUNCH SERVER LOGON ACCOUNT
Application launcher uses a standard logon account to log on to the target Application Launch
Server and launch the LiebsoftLauncher application. LiebsoftLauncher then launches the target
application and connects to a web service (WebLauncherBackendService.svc) to obtain the
necessary program settings and credentials.
Logon Account Requirements
The logon account has the following requirements:
• A domain account is recommended, but the logon account can be a local account.
• The account needs to be able to remotely log on to the target Application Launch Server. That
means that if the account is not an administrator, it must be added to the Remote Desktop
Users group on the Application Launch Server.
• Because the user account launches the LiebsoftLauncher application upon login, be sure that
the account has the permissions required for the launch. Set the permissions in RemoteApp
settings, which typically are found in Server Manager under the Roles > Remote Desktop
Services heading. The permissions can be assigned directly to the user, or assigned to a group
that the user belongs to.
• The account needs all of the same rights necessary to launch the final target application. It does
not necessarily need local or domain admin privileges.
Securing the Logon Account
The logon account should have its password rotated frequently by Lieberman RED Identity
Management, for example daily or weekly. (An hourly rotation schedule could invalidate the logon
account's active session.) Follow the basic procedure for a Windows account password change
described in the administrator's guide. Assuming this account does nothing other than provide the
logon session for the application launcher, there is no requirement for password propagation, so
turn off password propagation for the password change job. We recommend keeping the password
length at 80 characters or less because some versions of Windows will not accept longer passwords
over RDP.
RECOMMENDED POLICY SETTINGS FOR THE LOGON ACCOUNT
This account can be heavily locked down, as it generally needs access to nothing other than the
application being launched.
If this account is located in Active Directory, we recommend placing it in an organizational unit
(OU) by itself or with other similarly locked-down accounts. On this OU, create a policy and modify
the User Configuration portion of the policy to lock down this logon account. There is no need to
place the Application Launch Servers in this OU, as the policies that lock down the user experience
are user-based, not system-based.
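The account, OU and user-side GPO described above, created with the ActiveDirectory and GroupPolicy modules, as an added example that is not part of this guide. Domain, OU, account, server and GPO names are placeholders. The example also writes the registry values behind a subset of the Administrative Template policies listed in this section; the rest of the table, and the Software Restriction Policies, are set in the Group Policy Management Editor.

```powershell
# Added example, not from the Lieberman guide. Assumes RSAT (ActiveDirectory and
# GroupPolicy modules), rights to create OUs/users/GPOs, and a launch server whose
# PowerShell has Add-LocalGroupMember (5.1+). All names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = 'DC=yourdomain,DC=com'
$NetBios   = 'YOURDOMAIN'
$OuName    = 'AppLaunchAccounts'
$OuDN      = "OU=$OuName,$DomainDN"
$User      = 'svc-applaunch'
$LaunchSrv = 'applaunch01.yourdomain.com'
$GpoName   = 'AppLaunch-Logon-Lockdown'

# 1. OU that holds only these locked-down accounts (the launch servers stay where they are).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}

# 2. The logon account. The initial password is random and 64 characters long (under the
#    80-character RDP guidance above); RED Identity Management takes over rotation afterwards.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 48
$rng.GetBytes($bytes)
$initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
New-ADUser -Name $User -SamAccountName $User -Path $OuDN -AccountPassword $initial -Enabled $true `
    -CannotChangePassword $true -Description 'Application Launch Server logon account (rotated by RED IM)'

# 3. Remote logon right: a non-administrator must be in Remote Desktop Users on the launch server.
Invoke-Command -ComputerName $LaunchSrv -ArgumentList "$NetBios\$User" -ScriptBlock {
    param($Member) Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Member
}

# 4. User-side lockdown GPO, linked only to the OU.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null

# Registry values behind some of the Administrative Template policies in the table that
# follows (HKCU keys, i.e. User Configuration). Everything else is set in the GPMC editor.
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$settings = @(
    @{ Key = $Explorer; Name = 'NoControlPanel';        Value = 1 }          # Prohibit access to Control Panel and PC settings
    @{ Key = $Explorer; Name = 'NoRun';                 Value = 1 }          # Remove Run menu from Start Menu
    @{ Key = $Explorer; Name = 'NoClose';               Value = 1 }          # Remove Shut Down, Restart, Sleep, and Hibernate
    @{ Key = $Explorer; Name = 'NoWinKeys';             Value = 1 }          # Turn off Windows+X hotkeys
    @{ Key = $Explorer; Name = 'NoTrayItemsDisplay';    Value = 1 }          # Hide the notification area
    @{ Key = $Explorer; Name = 'NoDrives';              Value = 0x03FFFFFF } # Hide these specified drives: restrict all
    @{ Key = $Explorer; Name = 'NoViewOnDrive';         Value = 0x03FFFFFF } # Prevent access to drives: restrict all
    @{ Key = $System;   Name = 'DisableTaskMgr';        Value = 1 }          # Remove Task Manager
    @{ Key = $System;   Name = 'DisableChangePassword'; Value = 1 }          # Remove Change Password
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\CredUI';
       Name = 'DisablePasswordReveal'; Value = 1 }                           # Do not display the password reveal button
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices';
       Name = 'Deny_All'; Value = 1 }                                        # All Removable Storage classes: Deny all access
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}
Get-GPRegistryValue -Name $GpoName -Key $Explorer | Format-Table ValueName, Value -AutoSize
```

After linking, log on to the launch server once as the account and confirm the lockdown applies before pointing the launcher at it; a GPO linked to the wrong OU fails silently, leaving the account with a full desktop.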
Following are some of the settings recommended to lock down the session. All policies should be
tested to ensure they do not interfere with the required operation of a target application.
Caution: When launching an application, this account will be able to do anything that the
target application lets it do.
User Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies
Policy  Setting
Enforcement
Apply Software Restriction Policies to the following  All software files except libraries (such as DLLs)
Apply Software Restriction Policies to the following users  All users
When applying Software Restriction Policies  Ignore certificate rules
Trusted Publishers
Trusted publisher management  Allow all administrators and users to manage user's own Trusted Publishers
Certificate verification  None
Software Restriction Policies/Security Levels
Default Security Level  Disallowed
Software Restriction Policies/Additional Rules >> Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%  Security Level = Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%  Security Level = Unrestricted
C:\Program Files (x86)\Lieberman\Roulette\RemoteAppLauncher\LiebsoftLauncher.exe  Security Level = Unrestricted
(use the directory where LiebsoftLauncher.exe is actually installed)
Note: the two Unrestricted path rules cover every subdirectory of the Windows and Program Files
trees, including any that the logon account can write to. Software Restriction Policies apply the most
specific matching rule, so add Disallowed path rules for any writable subfolders (or verify the account
has no write access under those trees); otherwise a file dropped there runs despite the Disallowed default.
User Configuration | Policies | Administrative Templates
Control Panel
Prohibit access to Control Panel and PC settings Enabled
Control Panel/Display
Disable the Display Control Panel Enabled
Control Panel/Printers
Browse a common web site to find printers Disabled
Browse the network to find printers Disabled
Prevent addition of printers Enabled
Prevent deletion of printers Enabled
Control Panel/Programs
Hide "Get Programs" page Enabled
Hide "Installed Updates" page Enabled
Hide "Programs and Features" page Enabled
Hide "Set Program Access and Computer Defaults" page Enabled
Hide "Windows Features" Enabled
Hide the Programs Control Panel Enabled
Control Panel/Regional and Language Options
Hide Regional and Language Options administrative options Enabled
Hide the geographic location option Enabled
Hide the select language group options Enabled
Hide user locale selection and customization options Enabled
Desktop
Don't save settings at exit Enabled
Hide and disable all items on the desktop Enabled
Hide Internet Explorer icon on desktop Enabled
Hide Network Locations icon on desktop Enabled
Prevent adding, dragging, dropping and closing the Taskbar's toolbars Enabled
Prohibit adjusting desktop toolbars Enabled
Prohibit User from manually redirecting Profile Folders Enabled
Remove Computer icon on the desktop Enabled
Remove Properties from the Computer icon context menu Enabled
Remove Properties from the Recycle Bin context menu Enabled
Remove Recycle Bin icon from desktop Enabled
Turn off Aero Shake window minimizing mouse gesture Enabled
Network/Network Connections
Ability to change properties of an all user remote access connection Disabled
Prohibit access to properties of a LAN connection Enabled
Prohibit access to the Remote Access Preferences item on the Advanced menu  Enabled
Prohibit changing properties of a private remote access connection Enabled
Prohibit connecting and disconnecting a remote access connection Enabled
Prohibit renaming private remote access connections Enabled
Network/Offline Files
Remove "Make Available Offline" command Enabled
Remove "Work offline" command Enabled
Network/Windows Connect Now
Prohibit access of the Windows Connect Now wizards Enabled
Start Menu and Taskbar
Add Search Internet link to Start Menu Disabled
Add the Run command to the Start Menu Disabled
Clear history of recently opened documents on exit Enabled
Clear history of tile notifications on exit Enabled
Clear the recent programs list for new users Enabled
Do not allow pinning items in Jump Lists Enabled
Do not allow pinning programs to the Taskbar Enabled
Do not display any custom toolbars in the taskbar Enabled
Do not display or track items in Jump Lists from remote locations Enabled
Do not keep history of recently opened documents Enabled
Do not search communications Enabled
Do not search for files Enabled
Do not search Internet Enabled
Do not search programs and Control Panel items Enabled
Do not use the search-based method when resolving shell shortcuts Enabled
Do not use the tracking-based method when resolving shell shortcuts Enabled
Hide the notification area Enabled
Lock all taskbar settings Enabled
Lock the Taskbar Enabled
Prevent changes to Taskbar and Start Menu Settings Enabled
Prevent users from adding or removing toolbars Enabled
Prevent users from moving taskbar to another screen dock location Enabled
Prevent users from rearranging toolbars Enabled
Prevent users from uninstalling applications from Start Enabled
Remove access to the context menus for the taskbar Enabled
Remove All Programs list from the Start menu Enabled
Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands  Enabled
Remove Clock from the system notification area Enabled
Remove common program groups from Start Menu Enabled
Remove Default Programs link from the Start menu. Enabled
Remove Documents icon from Start Menu Enabled
Remove Downloads link from Start Menu Enabled
Remove drag-and-drop and context menus on the Start Menu Enabled
Remove Favorites menu from Start Menu Enabled
Remove frequent programs list from the Start Menu Enabled
Remove Games link from Start Menu Enabled
Remove Help menu from Start Menu Enabled
Remove Homegroup link from Start Menu Enabled
Remove links and access to Windows Update Enabled
Remove Logoff on the Start Menu Disabled
Remove Music icon from Start Menu Enabled
Remove Network Connections from Start Menu Enabled
Remove Network icon from Start Menu Enabled
Remove Pictures icon from Start Menu Enabled
Remove pinned programs from the Taskbar Enabled
Remove pinned programs list from the Start Menu Enabled
Remove programs on Settings menu Enabled
Remove Recent Items menu from Start Menu Enabled
Remove Recorded TV link from Start Menu Enabled
Remove Run menu from Start Menu Enabled
Remove See More Results / Search Everywhere link Enabled
Remove the Action Center icon Enabled
Remove the battery meter Enabled
Remove the networking icon Enabled
Remove the volume control icon Enabled
Remove user folder link from Start Menu Enabled
Remove user's folders from the Start Menu Enabled
Remove Videos link from Start Menu Enabled
Show "Run as different user" command on Start Disabled
Turn off all balloon notifications Enabled
Turn off automatic promotion of notification icons to the taskbar Enabled
Turn off feature advertisement balloon notifications Enabled
Turn off notification area cleanup Enabled
Turn off user tracking Enabled
Start Menu and Taskbar/Notifications
Turn off notifications network usage Enabled
System/Ctrl+Alt+Del Options
Remove Change Password Enabled
Remove Task Manager Enabled
System/Internet Communication Management/Internet
Communication settings
Turn off access to the Store Enabled
Turn off downloading of print drivers over HTTP Enabled
Turn off handwriting recognition error reporting Enabled
Turn off Help Experience Improvement Program Enabled
Turn off Help Ratings Enabled
Turn off Internet download for Web publishing and online ordering wizards  Enabled
Turn off Internet File Association service Enabled
Turn off printing over HTTP Enabled
Turn off the "Order Prints" picture task Enabled
Turn off the "Publish to Web" task for files and folders Enabled
Turn off the Windows Messenger Customer Experience Improvement Program  Enabled
Turn off Windows Online Enabled
System/Removable Storage Access
All Removable Storage classes: Deny all access Enabled
CD and DVD: Deny read access Enabled
CD and DVD: Deny write access Enabled
Floppy Drives: Deny read access Enabled
Floppy Drives: Deny write access Enabled
Removable Disks: Deny read access Enabled
Removable Disks: Deny write access Enabled
Tape Drives: Deny read access Enabled
Tape Drives: Deny write access Enabled
WPD Devices: Deny read access Enabled
WPD Devices: Deny write access Enabled
System/Windows HotStart
Turn off Windows HotStart Enabled
Windows Components/Add features to Windows 8
Prevent the wizard from running. Enabled
Windows Components/App runtime
Block launching desktop apps associated with a file. Enabled
Block launching desktop apps associated with a protocol Enabled
Windows Components/Application Compatibility
Turn off Program Compatibility Assistant Enabled
Windows Components/Attachment Manager
Hide mechanisms to remove zone information Enabled
Windows Components/AutoPlay Policies
Disallow Autoplay for non-volume devices Enabled
Prevent AutoPlay from remembering user choices. Enabled
Set the default behavior for AutoRun Enabled
Default AutoRun Behavior Do not execute any autorun commands
Turn off Autoplay Enabled
Turn off Autoplay on All drives
Windows Components/Credential User Interface
Do not display the password reveal button Enabled
Windows Components/Desktop Gadgets
Restrict unpacking and installation of gadgets that are not digitally signed  Enabled
Turn off desktop gadgets Enabled
Turn Off user-installed desktop gadgets Enabled
Windows Components/Digital Locker
Do not allow Digital Locker to run Enabled
Windows Components/Edge UI
Turn off switching between recent apps Enabled
Turn off tracking of app usage Enabled
Windows Components/File Explorer
Display confirmation dialog when deleting files Enabled
Display the menu bar in File Explorer Enabled
Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon  Enabled
Do not display the Welcome Center at user logon Enabled
Do not request alternate credentials Enabled
Hide these specified drives in My Computer  Enabled (Restrict all drives)
Hides the Manage item on the File Explorer context menu Enabled
No Entire Network in Network Locations Enabled
Prevent access to drives from My Computer  Enabled (Restrict all drives)
Prevent users from adding files to the root of their Users Files folder. Enabled
Remove "Map Network Drive" and "Disconnect Network Drive" Enabled
Remove CD Burning features Enabled
Remove File Explorer's default context menu Enabled
Remove File menu from File Explorer Enabled
Remove Hardware tab Enabled
Remove Security tab Enabled
Remove the Search the Internet "Search again" link Enabled
Turn off display of recent search entries in the File Explorer search box Enabled
Turn off Windows+X hotkeys Enabled
Windows Components/File Explorer/Common Open File Dialog
Hide the common dialog back button Enabled
Hide the common dialog places bar Enabled
Hide the dropdown list of recent files Enabled
Windows Components/File Explorer/Explorer Frame Pane
Turn off Preview Pane Enabled
Turn on or off details pane Enabled
Configure details pane Always hide
Windows Components/File Explorer/Previous Versions
Prevent restoring previous versions from backups Enabled
Windows Components/IME
Turn off history-based predictive input Enabled
Turn off Internet search integration Enabled
Windows Components/Internet Explorer
Automatically activate newly installed add-ons Disabled
Configure Media Explorer Bar  Enabled
Disable the Media Explorer Bar and auto-play feature  Enabled
Auto-Play Media files in the Media bar  Disabled
Disable AutoComplete for forms Enabled
Disable changing accessibility settings Enabled
Disable changing Advanced page settings Enabled
Disable changing Automatic Configuration settings Enabled
Disable changing Calendar and Contact settings Enabled
Disable changing certificate settings Enabled
Disable changing connection settings Enabled
Disable changing home page settings  Enabled
Home Page  Define a home page if necessary
Disable changing language settings Enabled
Disable changing Messaging settings Enabled
Disable changing ratings settings Enabled
Disable changing Temporary Internet files settings Enabled
Disable Import/Export Settings wizard Enabled
Disable Internet Connection wizard Enabled
Do not allow users to enable or disable add-ons Enabled
Identity Manager: Prevent user from using Identities Enabled
Notify users if Internet Explorer is not the default web browser Disabled
Pop-up allow list  Enabled
Enter the list of sites here  Define an allowed sites list if applicable, such as *.microsoft.com
Prevent "Fix settings" functionality Enabled
Prevent access to Internet Explorer Help Enabled
Prevent bypassing SmartScreen Filter warnings Enabled
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet  Enabled
Prevent changing pop-up filter level Enabled
Prevent changing proxy settings Enabled
Prevent changing the default search provider Enabled
Prevent configuration of how windows open  Enabled
Select where to open links  Open in existing Internet Explorer window
Prevent Internet Explorer Search box from appearing Enabled
Prevent managing pop-up exception list Enabled
Prevent managing SmartScreen Filter Enabled
Select SmartScreen Filter mode On
Prevent participation in the Customer Experience Improvement Program  Enabled
Prevent per-user installation of ActiveX controls Enabled
Prevent running First Run wizard  Enabled
Select your choice  Go directly to home page
Search: Disable Find Files via F3 within the browser Enabled
Search: Disable Search Customization Enabled
Specify default behavior for a new tab Enabled
New tab behavior Home page
Turn off ability to pin sites in Internet Explorer on the desktop Enabled
Turn off add-on performance notifications Enabled
Turn off browser geolocation Enabled
Turn off configuration of pop-up windows in tabbed browsing  Enabled
Select tabbed browsing pop-up behavior  Force pop-ups to open in a new tab
Turn off Crash Detection Enabled
Turn off Favorites bar Enabled
Turn off Managing SmartScreen Filter for Internet Explorer 8 Enabled
Select SmartScreen Filter mode for Internet Explorer 8 On
Turn off pop-up management Enabled
Turn off Quick Tabs functionality Enabled
Turn off Reopen Last Browsing Session Enabled
Turn off suggestions for all user-installed providers Enabled
Turn off tabbed browsing Enabled
Turn off the auto-complete feature for web addresses Enabled
Turn off the quick pick menu Enabled
Turn on Suggested Sites Disabled
Turn on the auto-complete feature for user names and passwords on forms  Disabled
Windows Components/Internet Explorer/Accelerators
Turn off Accelerators Enabled
Windows Components/Internet Explorer/Browser menus
Disable Open in New Window menu option Enabled
Disable Save this program to disk option Enabled
File menu: Disable closing the browser and Explorer windows Enabled
File menu: Disable New menu option Enabled
File menu: Disable Open menu option Enabled
File menu: Disable Save As Web Page Complete Enabled
File menu: Disable Save As... menu option Enabled
Help menu: Remove 'Send Feedback' menu option Enabled
Help menu: Remove 'Tour' menu option Enabled
Hide Favorites menu Enabled
Tools menu: Disable Internet Options... menu option Enabled
Turn off Print Menu Enabled
Turn off Shortcut Menu Enabled
View menu: Disable Full Screen menu option Enabled
View menu: Disable Source menu option Enabled
Windows Components/Internet Explorer/Delete Browsing History
Disable "Configuring History" Enabled
Days to keep pages in History 1
Windows Components/Internet Explorer/Internet Control Panel
Disable the Advanced page Enabled
Disable the Connections page Enabled
Disable the Content page Enabled
Disable the General page Enabled
Disable the Privacy page Enabled
Disable the Programs page Enabled
Disable the Security page Enabled
Windows Components/Internet Explorer/Internet Control
Panel/Advanced Page
Allow active content from CDs to run on user machines Disabled
Allow software to run or install even if the signature is invalid Disabled
Do not allow resetting Internet Explorer settings Enabled
Empty Temporary Internet Files folder when browser is closed Enabled
Windows Components/Internet Explorer/Internet Control
Panel/General Page
Start Internet Explorer with tabs from last browsing session Disabled
Windows Components/Internet Explorer/Internet Control
Panel/General Page/Browsing History
Allow websites to store application caches on client computers Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced
settings/Browsing
Turn off details in messages about Internet connection problems Enabled
Turn on script debugging Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced
settings/Multimedia
Allow Internet Explorer to play media files that use alternative codecs Disabled
Windows Components/Internet Explorer/Internet Settings/Advanced
settings/Searching
Prevent configuration of search on Address bar  Enabled
When searching from the address bar  Do not search from the address bar
Prevent configuration of top-result search on Address bar  Enabled
When searching from the Address bar  Disable top result search
Windows Components/Internet Explorer/Internet Settings/Advanced
settings/Signup Settings
Turn on automatic signup Disabled
Windows Components/Internet Explorer/Internet
Settings/AutoComplete
Turn off URL Suggestions Enabled
Turn off Windows Search AutoComplete Enabled
Turn on inline AutoComplete Disabled
Windows Components/Internet Explorer/Security Features/Restrict
File Download
All Processes Enabled
Internet Explorer Processes Enabled
Windows Components/Internet Explorer/Toolbars
Configure Toolbar Buttons Enabled
Show Back button Enabled
Show Forward button Enabled
Show Stop button Enabled
Show Refresh button Enabled
Show Home button Enabled
Show Search button Disabled
Show Favorites button Disabled
Show History button Disabled
Show Folders button Disabled
Show Fullscreen button Disabled
Show Tools button Disabled
Show Mail button Disabled
Show Font size button Disabled
Show Print button Disabled
Show Edit button Disabled
Show Discussions button Disabled
Show Cut button Disabled
Show Copy button Disabled
Show Paste button Disabled
Show Encoding button Disabled
Disable customizing browser toolbar buttons Enabled
Disable customizing browser toolbars Enabled
Display tabs on a separate row Enabled
Hide the Command bar Enabled
Hide the status bar Enabled
Lock all toolbars Enabled
Lock location of Stop and Refresh buttons Enabled
Turn off Developer Tools Enabled
Turn off toolbar upgrade tool Enabled
Windows Components/Location and Sensors
Turn off location Enabled
Windows Components/Microsoft Management Console
Restrict the user from entering author mode Enabled
Windows Components/Network Sharing
Prevent users from sharing files within their profile. Enabled
Windows Components/Presentation Settings
Turn off Windows presentation settings Enabled
Windows Components/Sound Recorder
Do not allow Sound Recorder to run Enabled
Windows Components/Tablet PC/Accessories
Do not allow printing to Journal Note Writer Enabled
Do not allow Snipping Tool to run Enabled
Do not allow Windows Journal to be run Enabled
Windows Components/Tablet PC/Hardware Buttons
Prevent Back-ESC mapping Enabled
Prevent launch an application Enabled
Prevent press and hold Enabled
Turn off hardware buttons Enabled
Windows Components/Windows Error Reporting
Disable Windows Error Reporting Enabled
Windows Components/Windows Installer
Prevent removable media source for any installation Enabled
Prohibit rollback Enabled
Windows Components/Windows Logon Options
Set action to take when logon hours expire  Enabled (action: Logoff)
Windows Components/Windows Mail
Turn off the communities features Enabled
Turn off Windows Mail application Enabled
Windows Components/Windows Media Center
Do not allow Windows Media Center to run Enabled
Windows Components/Windows Media Player
Prevent CD and DVD Media Information Retrieval Enabled
Prevent Music File Media Information Retrieval Enabled
Windows Components/Windows Media Player/Networking
Hide Network Tab Enabled
Windows Components/Windows Media Player/Playback
Prevent Codec Download Enabled
Windows Components/Windows Messenger
Do not allow Windows Messenger to be run Enabled
Do not automatically start Windows Messenger initially Enabled
Windows Components/Windows Mobility Center
Turn off Windows Mobility Center Enabled
Windows Components/Windows Update
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box  Enabled
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box  Enabled
4.2 CONFIGURE THE WEB LAUNCHER SETTINGS
To configure the web launcher settings for the web application, open the management console and
go to Settings | Manage Web Application | Application Launch.
The "Launch Application with Credentials Settings" dialog opens.
Configuring the Global Settings
The Global tab identifies the URL for the web service and other related settings that are used when
launching applications.
LAUNCHER WEB SERVICE CONFIG
• Web service URL – The URL of the application launcher web service. When the web service is
installed (typically on the web application server), it is normally created at [site]/erpmwebservice
and is called WebLauncherBackendService.svc. Enter the full URL in the Web service URL field,
including the protocol and port if applicable. The typical URL is:
https://erpmwebservername.yourdomain.com/erpmwebservice/weblauncherbackendservice.svc
• Test Connection – Click to verify that the web service URL is correct and the web service is
responding properly to requests.
Important: There must be no certificate or access errors when this URL is opened in a browser.
Test the URL as the users that will be accessing the web server will see it. The best test is
to log on to the Application Launch Server with the Application Launch Server logon
account (configured in the previous section) and open the URL given above. If the
account is prompted for credentials, or a certificate error is shown, the application
launcher will fail.
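A scripted version of that check, as an added example that is not part of this guide. Run it on the Application Launch Server while logged on as the launch logon account, under Windows PowerShell 5.1 (the exception handling is specific to it). It makes the request without any credentials, exactly as the launcher must, and fails on the two conditions the note above names: a certificate trust failure and a credential challenge. The URL is the guide's typical address and is a placeholder.

```powershell
# Added example, not from the Lieberman guide. Windows PowerShell 5.1; run as the launch
# logon account on the Application Launch Server. URL is a placeholder.
$Url = 'https://erpmwebservername.yourdomain.com/erpmwebservice/weblauncherbackendservice.svc'

function Test-LauncherWebService {
    param([Parameter(Mandatory)][string]$Uri)
    $r = [ordered]@{
        RunningAs     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Uri           = $Uri
        TlsTrusted    = $null
        Status        = $null
        AuthChallenge = $false
        Detail        = ''
        Ok            = $false
    }
    try {
        # Deliberately no -Credential / -UseDefaultCredentials: LiebsoftLauncher must reach
        # the service without being challenged, and the OS certificate trust must hold.
        $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop
        $r.TlsTrusted = $true
        $r.Status     = [int]$resp.StatusCode
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            $r.TlsTrusted = $false                      # chain or name mismatch: the launcher fails the same way
        } elseif ($ex.Response) {
            $r.TlsTrusted = $true
            $r.Status = [int]$ex.Response.StatusCode
            $r.AuthChallenge = $r.Status -in 401, 407    # what a browser shows as a credential prompt
        }
        $r.Detail = $ex.Message
    }
    $r.Ok = ($r.TlsTrusted -and $r.Status -eq 200 -and -not $r.AuthChallenge)
    [pscustomobject]$r
}

$result = Test-LauncherWebService -Uri $Url
$result | Format-List
if (-not $result.Ok) {
    Write-Error "Web service check failed for $($result.RunningAs); fix certificate trust or anonymous access to the service before configuring the launcher."
}
```

RunningAs is printed so that a test accidentally run under an administrator (whose profile may carry a cached credential or an extra trusted root) is not mistaken for a pass; the result only counts when that field shows the launch logon account.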
LAUNCHER RELATED WEB APP OPTIONS
• Enable launching applications using stored passwords in the web application – Required to
enable remote launching. If this option is not selected, then the Launch Application option will
be unavailable in the website.
REMOTE LAUNCH
• Enable launching applications on a remote server – Enable the configured applications to
launch via an Application Launch Server rather than launching only locally on the client. When
the option is enabled and an application is configured to use an Application Launch Server, the
applications can instead launch from the Application Launch Server and will use RemoteApp to
display the program's UI to the user's desktop as if it were a native application.
OTHER SETTINGS
• [Script Launch] Path to script files on client systems – The path that the script automation files
will be copied to (manual copy). This path is used when web-based applications such as Twitter,
Facebook, or other web-based programs are launched locally on the client rather than via the
Application Launch Server. If such applications will not be launched directly from a client's
machine, it is not necessary to configure this path. The default location where these scripts are
found is:
C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation.
• Sign generated RDP files with certificate identified by thumbprint – When RDP files are
generated, they will be signed with the identified certificate. This helps avoid
unknown/untrusted RDP connection warnings and errors. For this option to function, the
following must be true:
o The certificate needs to be on the client workstation to generate RDP files to connect to the
Application Launch Server.
o The certificate also needs to be on the Application Launch Server if RDP connections are
configured to go through the Application Launch Server.
o The certificate must be accessible to the user that’s running the process creating and launching
the RDP file.
o The security policy of the machine must be configured to require signed RDP files for this setting
to have any effect (it is not by default).
4.3 CONFIGURE THE APPLICATION LAUNCH SERVER SETTINGS
From the management console, navigate to Settings | Manage Web Application | Application
Launch. Select the Remote Servers tab.
Configuring Remote Servers
The Remote Servers tab identifies the available Application Launch Servers and other related
settings that will be used for launching applications. The option Enable launching applications on a
remote server must also be selected on the Global tab to make use of these servers.
The first time this dialog is opened, there will be no remote servers configured for application
launching.
To add a new server, click the Add button in the lower right area of the dialog.
CONFIGURING THE "REMOTE APPLICATION SERVER CONFIGURATION" DIALOG
The following fields are mandatory:
• Server configuration identifier – The friendly name of the server as it will appear in the
application launcher configuration.
• Remote server system name – The actual name of the Application Launch Server. This should
be the name (FQDN or simple name or IP) as can be reached from the client systems that will be
initiating the session.
• Use RemoteApp to launch the liebsoft launcher on the server – This option must be selected to
remotely launch applications from the Application Launch Server using RemoteApp as available
in Windows Server 2008 R2 and newer.
• Launcher path on jump server – The path to the launcher component on the jump server. This
option will be unavailable if the option to Use RemoteApp to launch the liebsoft launcher on
the server is enabled.
• Use RemoteApp connection broker (RDS 2012+ only)
o Connection broker – The fully qualified domain name (FQDN) of the connection
broker. For example, 2k8r2-3.demo.msft.
o Load balancer info – The loadbalanceinfo value from the .rdp file. For example,
tsv://MS Terminal Services Plugin.1.lsc.example.
• Use integrated Windows credentials to login to the jump server – When used in conjunction
with a Windows Server 2012 Application Launch Server that is properly configured for web
single server sign on and where the web application is also configured for use with integrated
authentication and where the user actually logs in using integrated authentication, then this
feature will connect to the Application Launch Server using the user's credentials rather than a
specific Application Launch Server login. The login user must have proper permissions to launch
the application and RDP to the server.
• Prompt for login credentials to application server – Will cause credentials to not be
automatically provided when connecting to the Application Launch Server. The user performing
the application launch must provide credentials that are valid for the Application Launch Server.
• Login credential system name – This value must be populated. If the application launcher will be
using stored (managed) credentials to log into the Application Launch Server, this is the name of
the system/server, as it appears in Lieberman RED Identity Management, from which the
credentials are drawn. It is recommended to use a domain credential for this purpose; see the
section for configuring an Application Launch Server login account.
• Login credential account name – This is the name of the account that will be used to log in to
the Application Launch Server. It is recommended to use a domain credential for this purpose;
see the section for configuring an Application Launch Server login account.
Warning! Be careful that your RDS collection name does not exceed 16 characters.
Microsoft truncates names that exceed 16 characters when storing the name
in the registry. If the truncated name does not match the configured load
balancer info value, the following error message is returned: "Your computer
can't connect to the remote computer because the connection broker couldn't
validate the settings in your RDP file."
• Login credential domain name – The domain to which the account belongs. If this is a local
account (not recommended) then this should be the simple (NetBIOS) name of the Application
Launch Server.
• Load saved password for connection from password store – Select this option to pull the
managed password from the solution's password store. If it is desired to use a hard-coded
password instead, then supply the actual password in the remote server logon password field.
• [Script Launch] Path to script files on client systems – The path that the script automation files
will be copied to during installation of the AppLauncher. This path is used when launching
web-based applications such as Twitter, Facebook, or other web-based programs. The default
location where these scripts are found is:
C:\Program Files (x86)\Lieberman\Roulette\LaunchApp\WebAutomation
• Update OIT agent data for agent running on the server – Only provides functionality when the
session recorder is provided by ObserveIT. Selecting this option will change certain metadata
attributes to more accurately reflect which user account is performing certain actions. This
affects auditing information stored within OIT.
Note: Important! If using the built-in session recording, instead of the session recording
offering from ObserveIT, DO NOT check the Update OIT agent data for agent
running on the server. This will prevent the built-in session recorder from working.
Once the entries are validated, click OK to add the Application Launch Server object. If the option to
Load saved password for connection from password store is selected and a stored password for
the target account does not exist, a warning indicating this will appear to the user; otherwise the
dialog will close without incident.
Any of these settings can be changed at any time without having to make any changes to IIS or
performing IISReset or other administrative actions.
4.4 CONFIGURE THE APPLICATION LAUNCH SERVER HOST
This section lists two configuration updates that should be made on the Application Launch Server
host.
To Configure the Host Machine for Multiple Application Launcher Sessions
The following configuration change is needed to allow multiple application launcher sessions to run
concurrently.
1) Log on to the Application Launcher Server host machine.
2) Open the Run dialog using the Win+R keyboard shortcut.
3) Type gpedit.msc and press OK.
The "Local Group Policy Editor" window opens.
4) Choose Computer Configuration > Administrative Templates > Windows Components >
Remote Desktop Services > Remote Desktop Session Host > Connections : Restrict Remote
Desktop Services users to a single Remote Desktop Services session.
5) Right-click Restrict Remote Desktop Services users to a single Remote Desktop Services
session and choose Edit.
A dialog opens to configure the policy.
6) Select Disabled, then click OK.
To Configure the Host Machine to Prevent Transcoding Problems
The following configuration change is needed to prevent a problem that could potentially result in
your session recordings failing to be processed by the transcoder.
1) Open the Run dialog on the Application Launcher Server host using the Win+R keyboard
shortcut.
2) Type gpedit.msc and press OK.
The "Local Group Policy Editor" window opens.
3) Choose Computer Configuration > Administrative Templates > System > User Profiles: Do not
forcefully unload the user registry at logoff.
4) Right-click Do not forcefully unload the user registry at logoff and choose Edit.
A dialog opens to configure the policy.
5) Select Enabled, then click OK.
4.5 CONFIGURE SESSION RECORDING SETTINGS
From the management console, navigate to Settings | Manage Web Application | Application
Launch. Select the Session Recorders tab.
The Session Recorders tab identifies configured session recording servers. There will typically be a
one-to-one relationship with the servers configured on the Remote Servers tab.
To add a new server, click the Add button in the lower right area of the dialog.
The following fields are mandatory:
• Configuration label - the friendly name of the server as it will appear in the application launcher
configuration.
• Basic configuration - use this option if the session recording host will perform both recording
and transcoding duties. Recorder options include Expressions 4, VLC, and Windows Problem
Steps Recorder. It is recommended to choose the Expressions 4 recorder option. The output
path will default to a local path if this option is selected.
• Advanced configuration - use this option if it is desired to put recordings in a custom location or
if video transcoding will occur on a separate host (typical). It is not recommended to change the
Assembly path or Type in Assembly values.
• Abort application launch if session recording fails - with this option selected, if session
recording fails to initialize, the remote session will be logged off and no remote app launch will
occur.
• Output path - This is the path for the raw session recording files on the machine functioning as
the transcoding host. If using the Application Launch Server for both session recording and
video transcoding, specify a local path here. The default location is c:\program files
(x86)\Lieberman\Roulette\LaunchApp\Transcoders\Source. If the transcoder is on a
separate host, specify the UNC path to the Source share on that server (\\server\source). DO
NOT place a backslash after the last directory name.
• File name template - the default value is SessionRecording-$(SessionID). In this scenario
SessionRecording- is the filename prefix and $(SessionID) is a variable for the session ID of the
remote app launch session. The names of the recordings may be changed, but do not remove
the $(SessionID) value from the name. There should also be no extension listed for the file
name.
Once the entries are validated, click OK to add the session recorder host object.
Any of these settings can be changed at any time without having to make any changes to IIS or
performing IISReset or other administrative actions.
Configuring the Transcoder to Record Multiple Videos at the Same Time
The session recording transcoder is set to record a maximum of one video at a time by default. To
configure the transcoder to record multiple concurrent videos, complete the following steps:
1) Go to the system where the Application Launcher and Session Recorder components are
installed and choose Start | Lieberman Software | Settings. The "Session Recording
Configuration" dialog opens.
2) If necessary, expand the File Watcher Transcoder Service Settings section and locate Setting:
Maximum Concurrent Encoders.
3) Type the maximum number of simultaneous recordings that the transcoder should allow, then
click Push.
4) Close the "Session Recording Configuration" dialog.
4.6 CONFIGURE THE WEB APPLICATION SETTINGS FOR SESSION PLAYBACK
To play back recorded sessions, the web application needs to be configured with the video playback
URL where the final recorded sessions are stored.
The media server will have configured IIS with a virtual directory under the default root website
called SessionRecording. It is this URL that will be provided on the User/Session Management
dialog. The SessionRecording URL may be presented with or without SSL, but should be configured
to use anonymous authentication.
To Configure the Session playback URL
1) Open the management console and click Manage Web App in the left action pane.
2) Double-click an existing web application to edit it, or change the default options by opening
Options | Configure default web application options from the menu.
3) Click the User/Session Management tab.
4) Locate the Session playback URL field and enter the URL for the media server where the videos
are hosted from. If using HTTPS, be sure to enter the valid name of the server that matches the
assigned name on the certificate to avoid certificate errors. A typical URL will be similar to
https://server.your.domain/sessionrecording/. Be aware that the system is expecting a
trailing forward slash at the end of the URL.
5) Click OK once the URL is entered.
6) If updating an existing website with this new information, simply click OK and the new settings
will be pushed to the web instance and its COM+ application restarted. If changing the default
web application settings and it is now required to push the new settings to an existing web
application, right-click on the website instance and select Replace instance options with default
web application options. There is no need to restart any servers or additional components after
making this change.
Once the URL is added and sessions have been recorded, users with access to the auditing section of
the web application will be able to play back any recorded sessions that exist.
4.7 CONFIGURE APPLICATIONS FOR LAUNCHING
This section describes how to configure applications for use with application launching.
4.7.1 Adding Application Launching Scripts
Lieberman RED Identity Management includes a number of application launching scripts. Most
scripts require additional configuration before they can be used to launch the target application.
To Add the Application Launching Scripts
1) In the management console, choose Settings > Manage Web Application > Application Launch.
The "Launch Application with Credentials Settings" dialog opens.
2) Click the Applications tab.
3) Click Add Defaults.
4) To add new applications, click the Add button. Duplicate or edit existing items by using the Copy
or Edit buttons respectively.
After adding an application you have to configure it before it can be launched.
4.7.2 Configuring Lieberman RED Identity Management to Launch Applications
This section documents how to configure Lieberman RED Identity Management for app launching.
To Configure Lieberman RED Identity Management to Launch Specific Applications
1) Open the management console and choose Settings > Manage Web Application > Application
Launch.
The "Launch Application with Credentials Settings" dialog opens.
2) Click the Applications tab.
The Applications tab identifies the applications that can be made available to launch from the
web application and other related settings that will be used when launching these applications.
3) Select an application launch type item and click Edit.
The "Remote Application Configuration" dialog opens.
4) Complete the form.
EDITING THE REMOTE APPLICATION CONFIGURATION DIALOG
• Remote application label – Required. This is the friendly name of the application as it will
appear in the web application.
• Remote application description – Optional. Enter a description for the application that will
appear in the web application.
• Remote application icon path – Optional. To set a custom icon for the application, identify the
location of the physical web application installation files. Typically, this will be at
%inetpub%\wwwroot\PWCWeb. All file paths defined for the icons will be relative to this path.
It is recommended to create a custom folder (example "CompanyIcons") and add your icons to
this folder so that they persist through website upgrades. Then, for the icon path, simply add
the path using the following convention: FolderName\IconName.gif. All GIF files should be
32x32 pixels.
• Remote launch type – Required. Select from the available launch types:
o Launch application with command line parameters – Use this for any application which can be
launched with command line options such as SQL Management Studio, PuTTy, VMware vCenter,
and so on.
o Open web application with form post – Use this for websites that only require a basic form post
and do not make use of JSON, YAML, or other technologies for passing the user name and
password information. When this is selected, fill out the Web Page and Name-Value pair fields.
The web page is the name of the login page, including the protocol, such as
http://webserver/pwcweb/login.asp. The name-value pair should consist of the variables
for the user name and password.
o Launch terminal services client – Use this for launching the Microsoft Terminal Services client.
There are no additional requirements to set up this launch type.
o Launch app through .net assembly – Used when an external .Net assembly will be used to
perform the connection and credential passing. Supply the Assembly Path and Type Name
values. The assembly path is the full physical file path to the .Net assembly. Type name is the
name of the .Net interface.
o Launch app through script automation – This is most frequently used for launching MMCs,
websites that do not pass user name and password information via a basic form post (see most
web examples in the default list), fat clients that do not make use of command line parameters,
and so on. Supply the Script Path and Automation URL. Script path is the name of the script to
run, including the extension. For example, login_azuremgmt.vbs. This script must be found in
the pre-defined script automation directory on the global options or Application Launch Server
configuration dialogs for the app launcher. Automation URL is the target URL. For example,
http://manage.windowsazure.com or, for a device,
https://$(RemoteAccessTarget_TargetName)/login.html.
• Run on the jump server – Optional. Use to launch the target application from the Application
Launch Server (configured previously) or from the user's workstation. If this option is not
selected then the application will attempt to launch locally on the user's local workstation. If
this option is selected, then the application will be launched on the Application Launch Server.
The application must be installed on the Application Launch Server at that time. This is a
per-application setting.
o Use the targeted account to connect to the jump server – If the Application Launch Server is
used and the account being targeted to launch the application is a domain account or a valid
local Application Launch Server host account, this option will establish a connection with those
credentials rather than the pre-configured Application Launch Server connection credentials. If
the credentials are not valid on the Application Launch Server host then the connection will not
succeed. Do not use this option for non-Windows systems.
o Application supports multi-tab – A special set of configurations and launch scripts for
applications which have multi-branch or multi-tab capabilities. See the Multi-tab Support
section for more information on configuration and use.
o Load user profile when starting application (Configure RDP connection parameters) – When
selected, loads the connecting user's profile on the Application Launch Server host, which
makes additional RDP elements available, such as color depth, mapped drives, clipboard
capability and so on.
• Enable session recording – Optional. If a session recording host is configured, this option will be
available. When configured, the launching of this application on an Application Launch Server
will record just this application being run. This is a per-application setting.
• Application – Mandatory. The application name is simply the name of the executable without
the path. For example, SSMS.EXE.
• Command line – Mandatory. Command line is the parameters to launch the executable with.
Parameters are specific to the program being launched and not Lieberman RED Identity
Management. Specific replacement variables are provided by Lieberman RED Identity
Management that can be used in place of otherwise static values, such as
$(RemoteAccessTarget_TargetName) instead of the target's actual host name. See Variables
for App Launching (on page 149) for more information.
• Application location – Optional. An application location must also be defined but can either be
a full physical path in the application location field or be setup to search for and even to
download a ready to run executable from a predefined network path (At launch download file
from path). A physical path MUST be defined when launching the application from an
Application Launch Server. If a physical path is not defined in the application location field, then
the option to Search for application on local system should be enabled. Sub-options for
application search include searching for the application on the system root or program files
directories. In addition, subsequent include and exclude directories may be defined. Multiple
values should be segregated by a semi-colon. There is no variable replacement such as
%systemroot% or %inetpub% so full physical locations must be used.
• Search for application on local system – Optional. Will cause the application launcher to search
the Application Launch Server or the calling workstation's file system for the executable being
launched, and launch the first valid application it comes across. If this option is deselected, then
the Application location field above it becomes active where a static path can be defined. Using
the search mechanism adds time to launch the application. The locations it can search are the
Program Files directories or the system root directory. Searching is controlled by the
subsequent options on this dialog.
o Search for application on local system root directs the product to search the %systemroot%
location on the Application Launch Server or the calling workstation's file system when
launching an application.
o Search for application under the program files directory directs the product to search
%programfiles% and %programfiles(x86)% on the Application Launch Server or the calling
workstation's file system when launching an application.
o Subdirectory restriction is the directories to not search when searching the program files
directory structure.
o Additional search directories is the additional directories to search if there are any other
directories on the system to search. The list is semi-colon delimited.
o Working Directory is the default search starting point.
• Only run signed executables – Optional. Will ensure the program has a digital signature on it. If
the option is enabled, an additional verification can be configured to validate specific fields of
the digital signature such as the certificate serial number, certificate issuer or other signing bits.
o Verify certificate fields of signing certificate – Becomes available if the option to Only run signed
executables is selected. The resulting dialog allows defining which fields to verify in the signing
certificate.
• Only run executables with expected hashes – Optional. Allows the admin to define hashes of a
target application. This is useful to ensure that someone did not rename a malicious executable
or that only a specific patched version runs. Multiple hashes can be calculated and defined from
this dialog.
• At launch, download the file from path – Optional. Defines a network path or URL to download
the application from if it is not already present on the host system.
• Settings apply to client system configuration – Applies only to applications launched from the
user's workstation and has no effect for applications launched using the Application Launch
Server host. Consider that a 32-bit application running on a 32-bit Windows host will typically
install to c:\program files\application. Yet that same 32-bit application running on a 64-bit
Windows host will typically install to c:\program files (x86)\application. This setting
permits configuration of only one application to launch with multiple possible settings. When
these settings are configured, the launcher will determine what host it is running on and
retrieve the appropriate settings, such as launch directory.
• Application uses stored private key – Optional. This option allows programs that can use
certificates (such as SSH clients) to define which certificate to use when connecting. These
certificates must have been pre-imported and assigned via the management console by
choosing Settings > User Keys > Import Keys.
• Application uses gateway server – Optional. If an SSH proxy/gateway is defined (in the
management console by choosing Settings | Manage Web Application | Remote Gateway
Servers) this option is available. This option is useful when a client must first connect to an SSH
proxy before connecting to the final SSH target. This process uses plink.exe. The plink.exe
download location must also be specified with the path on the Application Launch Server where
the plink.exe executable resides. Plink.exe is installed in the launch app folder on the
Application Launch Server if the PuTTy files are also installed when installing the application
launcher. Plink.exe can also be downloaded from http://www.putty.org.
• Configure Allowable Types – Mandatory. This defines which account types in the application
will be available. At least one account type must be selected. This is what specifically makes an
application available for MySQL or Windows accounts but not for Linux, SQL Server, or Oracle
accounts.
• Always use the specified account when starting this application – Optional. When this option is
NOT selected (default), the application is available for the selected account type(s) (Configure
Allowable Account Types). That means potentially any account could be used to launch this
application. If the option is enabled, the solution will pull a predefined credential from the
account store and always use that account to launch the application. Also, the application will
not be available in the Launch App section of the web application. Rather, it will be made
available in the Applications section of the website for the users that have permission to launch
the application. The Launch App section is accessible when viewing specific managed
passwords. Applications is always available regardless of managed passwords.
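The Application location, Search for application on local system, and Only run executables with expected hashes options above describe a locate-then-verify step that happens before anything is launched. The following Python is an added example written for this guide, not code from Lieberman RED Identity Management: it walks the configured search roots with a subdirectory exclusion list, hashes the first match, and refuses it unless the SHA-256 is on the configured allow-list. The directory tree, file contents and hashes are constructed inside the block, and all function names are the example's own.

```python
import hashlib
import os
import tempfile

# Constructed sample "executables": a few bytes standing in for real binaries.
# These are made up for the example; real allow-list hashes come from the
# vetted build of the application.
GOOD_BYTES = b"MZ constructed sample SSMS build 1"
STALE_BYTES = b"MZ constructed sample SSMS build 0 (old)"


def split_dir_list(value):
    """Split a semicolon-delimited directory list as the dialog expects.

    No %systemroot%-style expansion is performed, matching the manual's note
    that full physical paths must be used.
    """
    return [p.strip() for p in value.split(";") if p.strip()]


def find_executable(name, search_roots, excluded_subdirs=()):
    """Return the first file called `name` (case-insensitive) under search_roots.

    Directories listed in excluded_subdirs are pruned before descending, which is
    what the Subdirectory restriction option does for the Program Files search.
    """
    excluded = {os.path.normcase(os.path.abspath(d)) for d in excluded_subdirs}
    wanted = name.lower()
    for root in search_roots:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames[:] = [
                d for d in dirnames
                if os.path.normcase(os.path.abspath(os.path.join(dirpath, d))) not in excluded
            ]
            for fname in filenames:
                if fname.lower() == wanted:
                    return os.path.join(dirpath, fname)
    return None


def sha256_of_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_allowed_executable(path, expected_hashes):
    """True only if the file's SHA-256 is in the configured allow-list (case-insensitive hex)."""
    allowed = {h.strip().lower() for h in expected_hashes}
    return sha256_of_file(path) in allowed


def resolve_and_verify(name, search_roots, excluded_subdirs, expected_hashes):
    """Locate the executable, then verify it; returns (path, allowed).

    (None, False) means nothing was found; (path, False) means a file was found
    but its hash is not on the allow-list, so the launch should be refused.
    """
    path = find_executable(name, search_roots, excluded_subdirs)
    if path is None:
        return None, False
    return path, is_allowed_executable(path, expected_hashes)


def build_sample_tree():
    """Create a constructed directory layout in a temp dir for the demonstration.

    Returns (root, stale_dir, good_hash, stale_hash). The Stale directory holds an
    older copy under the same executable name, to show the Subdirectory restriction.
    """
    root = tempfile.mkdtemp(prefix="launchapp-demo-")
    vendor = os.path.join(root, "Program Files", "Vendor")
    stale = os.path.join(root, "Program Files", "Stale")
    os.makedirs(vendor)
    os.makedirs(stale)
    with open(os.path.join(vendor, "SSMS.EXE"), "wb") as fh:
        fh.write(GOOD_BYTES)
    with open(os.path.join(stale, "SSMS.EXE"), "wb") as fh:
        fh.write(STALE_BYTES)
    return (root, stale,
            hashlib.sha256(GOOD_BYTES).hexdigest(),
            hashlib.sha256(STALE_BYTES).hexdigest())


if __name__ == "__main__":
    root, stale, good_hash, _ = build_sample_tree()
    excluded = split_dir_list(stale)  # the dialog field would hold "C:\...\Stale;..."
    path, ok = resolve_and_verify("ssms.exe", [root], excluded, {good_hash})
    print(path, "allowed" if ok else "REFUSED")
```

Running the module creates the sample tree in a temporary directory and prints whether the located SSMS.EXE would be allowed. The (path, False) outcome is the one worth alerting on: a binary was found at a configured location, but its hash no longer matches the vetted build.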
4.7.3 Variables for App Launching
Lieberman RED Identity Management provides variables for you to use to pass the user name,
password, target server, and so on when launching an application from the command line or via
web automation scripts.
Consider the following scenario:
1) DEMO\Broberts logs into the web application.
2) DEMO\Broberts clicks on launch app. This causes a secondary account (DEMO\AppLaunchLogin)
to connect to the Application Launch Server and initiate and launch the liebsoftlauncher.exe
program.
3) Liebsoftlauncher connects back to the web service and retrieves program settings (including
target system), target user name, and target password. For this example, connecting to a server
called DB2012 as SA with the SA password.
In this scenario the following elements are defined using the following variables:
• DEMO\Broberts = $(SourceAppLogin) or $(UserEnteredLoginUsername)
• DEMO\AppLaunchLogin = NOT EXPOSED
• DB2012 = $(RemoteAccessTarget_TargetName)
• SA = $(Username) or $(AccountName_FullyQualified)
• SA Password = $(Password) or $(Password_Raw)
Following is a list of all possible variables:
• $(UserEnteredLoginUsername) – Same as $(SourceAppLogin), is the account used to log in to
the web application.
• $(UserEnteredLoginUsername:RemoveNTSyleNamespace) – This element prunes the domain
name from the user name. From the example above, DEMO\Broberts becomes simply Broberts.
• $(UserEnteredLoginUsername:ReplaceBackslashWithDot) – This element retains the domain
name with the user name but replaces the slash with a dot. From the example above,
DEMO\Broberts becomes DEMO.Broberts. Use this variable when a name is required that will
not be interpreted as a path for creating directories.
• $(SourceAppLogin) – Same as $(UserEnteredLoginUsername), is the account used to login to
the app [component] that is triggering the launcher (that is, the RDP user to the Application
Launch Server).
• $(SourceAppLogin:RemoveNTSyleNamespace) – This element prunes the domain name from
the user name. From the example above, DEMO\Broberts becomes simply Broberts.
• $(SourceAppLogin:ReplaceBackslashWithDot) – This element retains the domain name with
the user name but replaces the slash with a dot. From the example above, DEMO\Broberts
becomes DEMO.Broberts. Use this variable when a name is required that will not be interpreted
as a path for creating directories.
• $(Username) – This is the name of the target account. From the example above, SA.
• $(AccountName_FullyQualified) – Building on the $(Username) variable, this prepends the domain prefix to the account name, if applicable.
• $(Password) – The regex-escaped password (for example, pass\"word).
• $(Password_Raw) – The raw, unescaped password.
• $(RemoteAccessTarget_TargetName) – The target host to which the application will connect.
• $(LauncherPath) – The path to the application launcher.
• $(SessionID) – The GUID for the launcher link.
• $(PrivateKey) – The file path of the DER-encoded private key (if available).
• $(PrivateKeyPassphrase) – The passphrase, if present, for $(PrivateKey).
• $(PuttyKey) – The file path of the PuTTY-format private key (if available).
These variables are used inline and replaced by Lieberman RED Identity Management at the time the application is launched. For example, if in the website the user were to go to the SQL Server database instance on a server called DB2012 and connect with the built-in (and managed) SA account, the command-line syntax would be:
-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash
The switches (-S, -U, and -P) are part of the SSMS.EXE executable. The values of $(RemoteAccessTarget_TargetName), $(Username), and $(Password) would be replaced by the name of the server (DB2012), the name of the account (SA), and the password for SA, respectively.
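The following is an added worked example, not code from the Lieberman product, that models how the $(Variable) and $(Variable:Modifier) substitution described above behaves: the RemoveNTSyleNamespace and ReplaceBackslashWithDot modifiers, the difference between the regex-escaped $(Password) and $(Password_Raw), and a check that a value chosen for a directory name really is a single path component. The helper names (build_context, expand, is_single_path_component, find_unresolved) and the exact set of characters escaped for $(Password) are assumptions of this example; the manual only shows a double quote being escaped. The $(ProcessID) variable is included because the multi-tab argument strings in section 4.7.6 use it.

```python
import re

# Characters backslash-escaped for $(Password). The manual only shows a double quote
# being escaped (pass"word -> pass\"word), so this exact set is an assumption.
ESCAPE_CHARS = set('\\"^$.|?*+()[]{}')


def regex_escape(value):
    """Return value with regex metacharacters and double quotes backslash-escaped."""
    return ''.join('\\' + ch if ch in ESCAPE_CHARS else ch for ch in value)


def remove_nt_style_namespace(name):
    """DOMAIN\\user -> user; a name with no backslash is returned unchanged."""
    return name.split('\\', 1)[1] if '\\' in name else name


def replace_backslash_with_dot(name):
    """DOMAIN\\user -> DOMAIN.user, so the value is safe as a single path component."""
    return name.replace('\\', '.')


# Modifier names exactly as the manual spells them (including "NTSyle").
MODIFIERS = {
    'RemoveNTSyleNamespace': remove_nt_style_namespace,
    'ReplaceBackslashWithDot': replace_backslash_with_dot,
}

# Matches $(Name) or $(Name:Modifier)
VAR_RE = re.compile(r'\$\((\w+)(?::(\w+))?\)')


def build_context(login_user, target_account, password, target_name,
                  domain=None, process_id=None):
    """Map launcher variable names to values for one launch (hypothetical helper)."""
    ctx = {
        'UserEnteredLoginUsername': login_user,
        'SourceAppLogin': login_user,
        'Username': target_account,
        'AccountName_FullyQualified': f'{domain}\\{target_account}' if domain else target_account,
        'Password': regex_escape(password),
        'Password_Raw': password,
        'RemoteAccessTarget_TargetName': target_name,
    }
    if process_id is not None:
        # $(ProcessID) only exists when a running instance is re-used (multi-tab)
        ctx['ProcessID'] = str(process_id)
    return ctx


def find_unresolved(template, ctx):
    """Variable names used in template that the context cannot supply."""
    return sorted({m.group(1) for m in VAR_RE.finditer(template) if m.group(1) not in ctx})


def expand(template, ctx):
    """Replace every $(Var) / $(Var:Modifier) in template; unknown names fail closed."""
    def substitute(match):
        name, modifier = match.group(1), match.group(2)
        if name not in ctx:
            raise KeyError(f'unknown launcher variable: {name}')
        value = ctx[name]
        if modifier is not None:
            if modifier not in MODIFIERS:
                raise KeyError(f'unknown modifier: {modifier}')
            value = MODIFIERS[modifier](value)
        return value
    return VAR_RE.sub(substitute, template)


def is_single_path_component(name):
    """True when name cannot be read as a directory path (no separators, not '.'/'..')."""
    return '\\' not in name and '/' not in name and name not in ('.', '..')


if __name__ == '__main__':
    # Constructed sample values that follow the manual's own DEMO\Broberts / SA / DB2012 scenario
    ctx = build_context('DEMO\\Broberts', 'SA', 'pass"word', 'DB2012', process_id=4321)
    print(expand('-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password) -nosplash', ctx))
    for template in ('$(SourceAppLogin)', '$(SourceAppLogin:RemoveNTSyleNamespace)',
                     '$(SourceAppLogin:ReplaceBackslashWithDot)'):
        value = expand(template, ctx)
        print(f'{template:45} -> {value:15} single path component: {is_single_path_component(value)}')
```

Running the block shows why the manual recommends ReplaceBackslashWithDot for directory names: the unmodified DEMO\Broberts fails the single-component check, while DEMO.Broberts passes. find_unresolved is the kind of check worth running over a configured argument string before enabling it, so a mistyped variable name is caught at configuration time rather than at launch.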
4.7.4 Maintaining Application Launching Scripts
As a courtesy to our customers, updated scripts that support common online business applications
are periodically made available. This section describes how to download and install those files, and
keep the script directory in sync across multiple launchers if script updates are required.
To Install New Application Launching Scripts
1) Download updated scripts from the Lieberman RED Identity Management product download page:
https://liebsoft.com/products/enterprise_random_password_manager/product-download/
Scripts are distributed as a single .zip archive file.
2) Customize the scripts as needed and test that they work.
Scripts are generic and may need to be customized to work in your environment. See Variables
for App Launching (on page 149) for additional information.
3) Copy updated and customized automation scripts to the WebAutomation location. Be sure to
also copy scripts to any secondary launchers.
To verify that you are copying scripts to the correct location, see "To Verify the Script Launch
Path Configured on Your Remote Application Server" later in this section.
The following table lists the default file installation locations.
Application Launcher File(s)                                              Default installation location
Application launcher files to be installed on a bastion host              %ProgramFiles(x86)%\Lieberman\Roulette\LaunchApp
(LiebSoftLauncher.exe)
The automation scripts                                                    %ProgramFiles(x86)%\Lieberman\Roulette\LaunchApp\WebAutomation
Note: If you add your own compiled scripts to the WebAutomation folder, the defined
login account must be able to read and execute the scripts.
To Verify the Script Launch Path Configured on Your Remote Application Server
1) In the management console, choose Settings | Manage Web Application | Application Launch.
2) Click the Remote Servers tab.
3) Select the remote application server and click Edit. The "Remote Application Server
Configuration" dialog opens.
4) Refer to the [Script Launch] Path to script files field to view the path.
4.7.5 Multi-Tab Support
Many administrative tools support several connections to target systems from one tool window. This can be implemented as separate tabs (as in SecureCRT) or as branches in a tree-view navigation pane (as in Microsoft SQL Management Studio).
The following shows SecureCRT with two connections.
The following shows SQL Management Studio with two servers.
These applications can use different credentials for each target system connection. However, some applications have limitations when using multiple tabs or branches. For example, it is possible to use Integrated Windows Authentication to connect SQL Management Studio to some MS SQL servers, while others require an explicit SQL account using SQL authentication. In the case of SQL Management Studio, when the tool is launched with Integrated Windows Authentication, it is not possible to re-use the existing instance of the tool. However, if one connection uses integrated authentication and the secondary connections use SQL authentication, or if all connections use SQL authentication, then you can re-use the currently running instance.
Lieberman RED Identity Management supports this functionality using the Multi-tab Configuration
window in Remote Application Configuration.
If multi-tab is not used, when a user launches a tool like SecureCRT or SQL Management Studio, it establishes one session on the Application Launch Server and one instance of the application in that session. This is the more secure scenario, as it segregates the data and session information so they cannot be shared within the tool between the systems the user is accessing.
The trade-off is that a secondary launch of the same tool, just to a new system, will cause a second
session to be created, which can be slow and will consume more resources.
If multi-tab is used, when a user launches a tool such as SecureCRT or SQL Management Studio, it
establishes one session on the Application Launch Server, and one instance of the application in that
session. Then, when a user launches the same tool again to connect to another system, it re-uses
the existing session and simply adds a tab or another tree to the tool. This reduces resource
consumption on the Application Launch Server host and can speed up the use of the tool. The
trade-off is that the application can now share information from all servers with anything it is
connected to. Consider launching a web application to your company's Twitter feed, logging in, and
then launching a new tab to another site that has been compromised. Now the cache and
in-memory information is available to all tabs in the browser.
4.7.6 Multi-Tab Support Configuration
To configure multi-tab support, first establish the Application Launch Server and basic application
settings as previously described in the Configure Applications for Launching section.
Note: Multi-tab is only supported when launching from the Application Launch Server(s).
Enable the Application supports multi-tab option on the left side of the Remote Application Configuration dialog, then click the ellipsis (...) button.
Click Add in the lower left corner of the dialog.
Fill out all the information on the Multi-tab Configuration dialog.
• Multi-tab configuration label is the label shown in the Multi-tab configuration selection drop-down list in the Remote Application Configuration window. The name should be indicative of the multi-tab application settings being used.
• Multi-tab automation local executable path is the path to the compiled AutoIT script that opens a new tab or establishes a connection to a new target system.
• Automation executable arguments are specific to the new-tab executable. Usually the ProcessID is used to find the HWND (handle to a window) of the application window, and the target system is passed so that the application can open the new connection. If Integrated Windows Authentication is used in this case, a user name and password are not needed.
• Allow this multi-tab automation for existing application launches by EXE name controls how a running instance of the launched application is detected. If it is unchecked, only instances launched from the application configurations that use this multi-tab configuration are treated as previously launched instances.
In the example of using SQL Management Studio, there are two different application configurations: one for Integrated Windows Authentication and another for SQL Server authentication. Both scenarios use the same executable, ssms.exe. In the case of the multi-tab configuration for Integrated Windows Authentication, where different Windows accounts are used to connect to the target database servers, the option Allow this multi-tab automation for existing application launches by EXE name should be unchecked, because it is impossible to connect to a secondary MS SQL instance through an existing ssms.exe instance using Integrated Windows Authentication if the SSMS process was initially launched as another user. In this case the automation executable arguments will be similar to this:
$(RemoteAccessTarget_TargetName) nouser nopasswords $(ProcessID)
ProcessID is the ID that will be used to reuse the currently running executable.
In the SQL Management Studio case where SQL Authentication is being used or similar types of
connections, the option to Allow this multi-tab automation for existing application launches by
EXE name can be selected. In this case the automation executable arguments will be similar to this:
-S $(RemoteAccessTarget_TargetName) -U $(Username) -P $(Password_Raw)
In the commands above, $(RemoteAccessTarget_TargetName), $(Username), and $(Password_Raw) are standard variables. $(ProcessID) is a variable that returns the PID of the initially launched application. The nouser and nopasswords values are "fake" placeholder values for the user name and password arguments; because IWA is used, user name and password arguments are not needed.
SSMSNewTabIwa.exe and SSMSNewTabSql.exe are compiled AutoIT scripts that we use to interact with Microsoft SQL Server Management Studio to open new connections that use Integrated Windows Authentication or SQL authentication, respectively. The listings of these scripts are below. Users may create their own AutoIT scripts, or Lieberman Software will provide the scripts.
Click OK when finished. Then select the appropriate multi-tab configuration settings for the target
application.
Multi-tab scripts have been compiled for the following applications:
• RunAs and wait until process finishes = RunAsWait
• DHCP Manager = RunDHCP
• DHCP Manager = RunDHCPNewTab
• DNS Manager = RunDNS
• DNS Manager = RunDNSNewTab
• File Server Resource Manager = RunFSRM
• Hyper-V Manager = RunHyperV
• Hyper-V Manager = RunHyperVNewTab
• MS Terminal Services = RunMstsc
• Network File Services Management = RunNFSMGMT
• Performance Monitor = RunPERFMON
• Server Manager = RunServerManager
• Storage Explorer = RunStorageExplorer
• Storage Manager = RunStorageMgmt
• Task Scheduler = RunTaskScheduler
• Run process and wait until finished = RunWait
• WBAdmin (Backup) = RunWBADMIN
• WINS Manager = RunWINS
• WINS Manager = RunWINSNewTab
• SecureCRT = ARM_SCRTStart
• SecureCRT = SCRTNewTabSSH2
• SecureCRT = SCRTNewTabTELNET
• SecureCRT = SCRTStart
• SQL Mgmt Studio = SSMSNewTabIwa
• SQL Mgmt Studio = SSMSNewTabSql
• A simple test script = TestParams
• Remote Desktop = UnlockMstsc
• Remote Desktop for ARM = UnlockMstscARM
4.7.6.1 MULTI-TAB AUTOIT SCRIPT EXAMPLES
SSMSNewTabIwa.au3

    #include <MsgBoxConstants.au3>

    ; Arguments passed by the launcher, in order: target system, user name, password,
    ; PID of the SSMS instance to re-use. For Integrated Windows Authentication the
    ; launcher passes the placeholder values "nouser" and "nopasswords"; they are
    ; accepted but never typed. The argument count is checked before any argument is
    ; read so that a short command line does not raise an array-index error.
    If $CmdLine[0] = 4 Then
        openNewTab($CmdLine[4], $CmdLine[1], $CmdLine[2], $CmdLine[3])
    EndIf

    Func openNewTab($p_ssmsPid, $p_systemName, $p_domainUserName, $p_password)
        ; Match window titles by substring so the SSMS main window is found
        Opt("WinTitleMatchMode", 2)
        Local $ssmsWindows = WinList("Microsoft SQL Server Management Studio")
        Local $delay = 5
        For $i = 1 To $ssmsWindows[0][0]
            ; Only drive the window owned by the SSMS process this launch is re-using
            If $p_ssmsPid = WinGetProcess($ssmsWindows[$i][1]) Then
                WinActivate($ssmsWindows[$i][1])
                WinWaitActive($ssmsWindows[$i][1])
                ; Alt+F opens the File menu; the remaining keystrokes open the connect
                ; dialog, enter the server name and keep Windows Authentication selected,
                ; so no user name or password is ever sent
                Send('!f')
                Sleep($delay)
                Send('e')
                Sleep($delay)
                Send('+{TAB}')
                Sleep($delay)
                Send('+d')
                Sleep($delay)
                Send('{TAB}')
                Sleep($delay)
                Send($p_systemName)
                Sleep($delay)
                Send('{TAB}')
                Sleep($delay)
                Send('+w')
                Sleep($delay)
                Send('{ENTER}')
            EndIf
        Next
    EndFunc
SSMSNewTabSql.au3

    #include <MsgBoxConstants.au3>

    ; Arguments passed by the launcher, in order: target system, SQL login name,
    ; password ($(Password_Raw), not the regex-escaped form), PID of the SSMS instance
    ; to re-use. The argument count is checked before any argument is read so that a
    ; short command line does not raise an array-index error.
    If $CmdLine[0] = 4 Then
        openNewTab($CmdLine[4], $CmdLine[1], $CmdLine[2], $CmdLine[3])
    EndIf

    Func openNewTab($p_ssmsPid, $p_systemName, $p_domainUserName, $p_password)
        ; Match window titles by substring so the SSMS main window is found
        Opt("WinTitleMatchMode", 2)
        Local $ssmsWindows = WinList("Microsoft SQL Server Management Studio")
        Local $delay = 5
        For $i = 1 To $ssmsWindows[0][0]
            ; Only drive the window owned by the SSMS process this launch is re-using
            If $p_ssmsPid = WinGetProcess($ssmsWindows[$i][1]) Then
                WinActivate($ssmsWindows[$i][1])
                WinWaitActive($ssmsWindows[$i][1])
                ; Alt+F opens the File menu; the remaining keystrokes open the connect
                ; dialog, enter the server name, switch to SQL Server Authentication and
                ; type the login name and password
                Send('!f')
                Sleep($delay)
                Send('e')
                Sleep($delay)
                Send('+{TAB}')
                Sleep($delay)
                Send('+d')
                Sleep($delay)
                Send('{TAB}')
                Sleep($delay)
                Send($p_systemName)
                Sleep($delay)
                Send('{TAB}')
                Sleep($delay)
                Send('+s')
                Sleep($delay)
                Send('{TAB}')
                Sleep($delay)
                Send($p_domainUserName)
                Sleep($delay)
                Send('{TAB}')
                Sleep($delay)
                Send($p_password)
                Sleep($delay)
                Send('{ENTER}')
            EndIf
        Next
    EndFunc
4.8 CONFIGURE APPLICATION SETS
Application sets are simply pre-defined collections of applications to launch. They can be created to group types of applications together, such as DB management products or remote terminal products, or they can be created based on job duties.
To Create an Application Set
1) Open the management console and navigate to Settings | Manage Web Application | Application Launch. The "Launch Application with Credentials Settings" dialog opens.
2) Click App Sets on the Applications tab. The "Remote Application Sets" dialog opens.
3) Click Add Set in the lower-left corner, supply a proper name, then click OK and the new list will
be added to the dialog.
4) To add applications to the application set, right-click the application set and select Add
applications to set. The "Remote Applications" dialog opens.
5) Select all the desired applications then click OK.
To view the applications added to an application set, expand the application set.
Once application sets are defined, in order for users who do not have "All Access" privileges to be able to use the groupings, application set permissions must be defined in addition to the application permissions.
To Define Application Permissions
When the user does not have "All Access" privileges, additional permissions are required to launch a
specific application. Use the management console to define these permissions.
1) Open the management console and choose Delegation | Web Application Remote Application
Permissions.
The "Web Application Remote Application Permissions" dialog opens.
2) Click Add in the lower-left corner.
The "Select Enrolled Identities" dialog opens.
3) Select an available identity, click OK, then select one or more applications that the user can
launch.
To Define Application Set Permissions
1) Open the management console and choose Delegation | Web Application Remote Application Set Permissions.
2) Click Add, select the identity that will have permissions to an application set, then click OK.
3) Select from the available application sets, then click OK again.
A prompt will appear to use a shadow account. (See Shadow Accounts (on page 172) for details.)
4) If a Shadow Account will be used, click Yes and continue to supply the required information,
otherwise, click No.
After shadow accounts, another prompt will appear asking if there will be system restrictions.
5) If there will be system restrictions for these applications, click Yes and continue to supply the
required information; otherwise, click No.
6) When the user goes to the website, they will be able to select from among the available
application set filters when attempting to launch an application.
4.9 SHADOW ACCOUNTS
Shadow accounts allow a user to connect to a system with a specific app and choose from among one or more accounts to connect with. Consider the normal paradigm, where a user must go to the Managed Passwords area and find the target system and the local account for the application to connect with. While this works for many scenarios, it is not very flexible, and it does not address the need to be able to connect to other systems or applications with domain or directory accounts. This is specifically what shadow accounts do.
With a shadow account, a user will go to the system or application in question in the systems view
of the web application and choose to launch an application. An available list of applications will be
presented to the user and the user can determine which account, local or central (domain or
directory) to connect with to the system or application.
To use shadow accounts requires the View Systems and Allow Remote Sessions global delegation
permission. Once permissions are granted, additional configuration to map shadow accounts must
be performed.
Shadow accounts are first mapped and then associated with application permissions, even when a
user has All Access. To use Shadow Accounts, a per application rule must be established for the
target user. Use the following steps to add a new shadow account mapping.
1) Open the management console and go to Delegation | Web Application Identity to Shadow
Account Mappings.
2) Click the Add Mapping button in the lower left corner of the dialog.
3) Select the target identity from the list of available identities, then click OK.
4) Select from the available [previously] managed/stored identities and click OK. The new
mappings will now be in the list of available mappings.
5) Click OK to close the Shadow Account Mappings dialog.
6) Next add the application permissions. Go to Delegation | Web Application Remote Application
Permissions.
7) Click Add in the lower left corner of the Remote Application Permissions dialog to add a new
application permission. The first dialog to appear will be for the identity that will be granted the
permissions to use an application with a shadow account. Select the identity then click OK.
8) Next a list of remote applications will be presented to the user. Select the target application(s)
that will be established for the user then click OK.
9) You will receive a prompt to use a Shadow Account. Click Yes to assign one or more shadow
accounts that the target user may use when launching the specified application.
10) Based on the selected user, a list of available corresponding mappings will be presented. Select the mapping(s) that should be configured for the target user and selected applications, then click OK.
11) You will receive a prompt to restrict the application permissions and configured shadow account mappings to specific management sets. If you want to restrict the applications and/or shadow account mappings to specific lists of systems, click Yes. Otherwise, click No.
12) If Yes was selected, then a list of management sets will be presented.
13) Select from the desired management set(s) and click OK.
14) The new mapping will be presented in the Web Application Remote Application Permissions
dialog. Any undesired mappings may be deleted or reports may be generated from this page.
15) To use the mappings, the user must go to the Systems view in the web application (View
systems permission required).
16) Click Launch App next to the desired target system. If Launch App is not visible, either the user does not have the Allow Remote Sessions permission or no Shadow Account Mapping is present.
The user will be able to select from among the applications and launch accounts to launch the
application.
Chapter 5 Using Application Launching
IN THIS CHAPTER
Setting User Permissions to Launch Applications ................................. 183
Using the Application Launcher ............................................................ 184
5.1 SETTING USER PERMISSIONS TO LAUNCH APPLICATIONS
To launch an application a user must have one of the following sets of permissions:
• All Access, or
• View accounts, Allow Remote Sessions, and permissions for the specific application being launched
To Set Permission to Launch Applications
To define the additional permissions that are required to launch a specific application if a user does not have All Access permissions, do the following:
1) Open the management console and choose Delegation | Web application remote application permissions.
2) Click Add in the lower left corner, then select an available identity.
3) Click OK, then select one or more applications the user can launch.
5.2 USING THE APPLICATION LAUNCHER
There are two types of application launching in Lieberman RED Identity Management:
• Launching with variable account and system information
• Launching with pre-defined account and system information
The difference in the app configuration is the option in the lower right corner of the application configuration that specifies whether to always use the selected account. If the option is selected, the application will appear in the applications portion of the website. If the option is not selected, the user must go to the Launch App section next to the system/account they wish to use to connect.
To Launch an App as a Pre-Configured Application
To launch an application that has been pre-configured for a specific account and target, such as a
company's Twitter or Facebook page, the user will click the Operations > Applications link, then
click on the application to launch. Only applications that are pre-configured to always launch as a
specific user and that the login user has access to will be shown on this page. If an application is not
shown it is a sign of at least one of two possible causes:
• The user has no permission to launch an application
• There are no apps configured to always run as a specific user
To Launch an App Using Variable Target and Account Information
Once the target system and the account to connect as are located in the Passwords > Managed Password section of the website, click the play button.
All applications available to the user for the specific account type will then be shown. If the RDP icon
appears at the right edge of the black title bar, that indicates the application is configured to launch
via the Application Launch Server. If the camera icon appears at the right edge of the black title bar,
that indicates the session will be recorded.
To launch the application, click Launch. What happens next will depend on whether the application
is configured to launch locally or from an Application Launch Server, and whether or not the user
has performed this process previously. If connecting via an Application Launch Server, the system
will initiate a series of calls to the Application Launch Server and the LiebsoftLauncher on that host.
This will be visible to the user. If the user has not previously launched an app from the
machine/profile that they are currently logged into, they will likely receive a couple of security
prompts. Use the filter options at the top of the page to search for applications, show only a set of
applications, or change the layout of application launcher page.
Each application also has an Advanced launch configuration. Clicking the gear icon allows the interactive user to specify alternate credentials with which to connect to the target system. These could be static credentials or other credentials stored in Lieberman RED Identity Management (if the user has the rights to retrieve the password). Generally, it will not be necessary to manipulate the advanced settings.
Chapter 6 Auditing Application Launching
Once any sessions have been recorded, users with access to the auditing section of the web application will be able to play back any recorded sessions that exist. Such recorded sessions will be visible in the auditing section with a camera icon next to their audit entry.
Simply click on the camera icon to play back the recorded sessions.
The session properties page will identify the user, IP address, time stamp information and more. To play back the recording, simply choose the desired recording and click Play Recording.
The video will open in the system's preferred media player and begin streaming automatically.
Chapter 7 Upgrading Application Launcher & Session Recording Software
The upgrade process for the application launcher software and the session recording software is exceptionally straightforward: simply re-run the installation routines on the host servers. Your previous settings will be remembered, with one notable exception: you will need to re-enter the service account credentials that are asked for during the session recording installation routine.
These upgrade routines should be performed after the core Lieberman RED Identity Management software (console, web application and web service) has already been upgraded.
There is no need to re-establish previously configured applications or application settings.
Chapter 8 Index
A
ADDING APPLICATION LAUNCHING SCRIPTS • 144
APPLICATION LAUNCHER REQUIREMENTS • 15
AUDITING APPLICATION LAUNCHING • 193
C
CONFIGURE AN APPLICATION LAUNCH SERVER LOGON ACCOUNT • 99
CONFIGURE AN APPLICATION LAUNCH SERVER LOGON ACCOUNT • 100
CONFIGURE APPLICATION SETS • 168
CONFIGURE APPLICATIONS FOR LAUNCHING • 99
CONFIGURE APPLICATIONS FOR LAUNCHING • 144
CONFIGURE SESSION RECORDING SETTINGS • 136
CONFIGURE THE APPLICATION LAUNCH SERVER HOST • 99
CONFIGURE THE APPLICATION LAUNCH SERVER HOST • 135
CONFIGURE THE APPLICATION LAUNCH SERVER SETTINGS • 99
CONFIGURE THE APPLICATION LAUNCH SERVER SETTINGS • 129
CONFIGURE THE WEB APPLICATION SETTINGS FOR SESSION PLAYBACK • 141
CONFIGURE THE WEB LAUNCHER SETTINGS • 99
CONFIGURE THE WEB LAUNCHER SETTINGS • 126
CONFIGURING APPLICATION LAUNCHING AND SESSION RECORDING • 99
CONFIGURING LIEBERMAN RED IDENTITY MANAGEMENT TO LAUNCH APPLICATIONS • 146
CONFIGURING REMOTE APP FOR 2008 R2 • 93
CONFIGURING REMOTE APP FOR 2012 R2 • 86
I
INSTALLATION ROADMAP • 5
INSTALLING APPLICATION LAUNCHER & SESSION RECORDING PREREQUISITES • 11
INSTALLING DESKTOP EXPERIENCE FOR 2008 R2 • 52
INSTALLING DESKTOP EXPERIENCE FOR 2012 R2 • 48
INSTALLING REMOTE DESKTOP SERVICES FOR 2008 R2 • 38
INSTALLING REMOTE DESKTOP SERVICES FOR 2012 R2 • 21
INTRODUCTION • 1
L
LICENSE AGREEMENT • 2
LIMITED WARRANTY • 2
M
MAINTAINING APPLICATION LAUNCHING SCRIPTS • 153
MEDIA SERVER REQUIREMENTS • 16
MULTI-TAB AUTOIT SCRIPT EXAMPLES • 164
MULTI-TAB SUPPORT • 155
MULTI-TAB SUPPORT CONFIGURATION • 159
P
PLANNING YOUR SESSION RECORDING INSTALLATION • 6
PORT REQUIREMENTS • 19
PRODUCT REQUIREMENTS OVERVIEW • 12
R
RECOMMENDED KNOWLEDGE • 12
S
SERVICE ACCOUNT REQUIREMENTS • 17
SESSION RECORDER REQUIREMENTS • 15
SESSION RECORDING AND THE APPLICATION LAUNCHER • 57
SESSION RECORDING MEDIA SERVER • 80
SESSION RECORDING ON THE TRANSCODER HOST • 69
SETTING USER PERMISSIONS TO LAUNCH APPLICATIONS • 187
SHADOW ACCOUNTS • 174
SHADOW ACCOUNTS • 175
START HERE
Installation and Upgrade Roadmap • 5
STEP 1. INSTALL REMOTE DESKTOP SERVICES • 21
STEP 2. INSTALL DESKTOP EXPERIENCE • 48
STEP 3. INSTALL THE APPLICATION LAUNCHER AND SESSION RECORDING SOFTWARE • 57
STEP 4. SETUP RDS FOR APPLICATION LAUNCHING • 86
STEP 5. CONFIGURE IIS TO HOST RECORDED SESSIONS • 98
U
UNDERSTANDING PREREQUISITES • 12
UPGRADE ROADMAP • 6
UPGRADING APPLICATION LAUNCHER & SESSION RECORDING SOFTWARE • 197
USING APPLICATION LAUNCHING • 187
USING THE APPLICATION LAUNCHER • 188
V
VARIABLES FOR APP LAUNCHING • 148, 151, 153