I started a new job recently, and their network security is no joke. If your PC isn’t a member of the domain, any traffic to domain-joined resources is dropped. That would be fine if I was using my Windows PC to do my work, but I can’t.  It’s so locked down I can’t do anything with it, and I have no desire to waste time fighting IT every time I want to run a new program.  So I (and everyone else on my team) run Linux on another desktop. Mostly this isn’t a problem, but there’s just no way around using Outlook.  Wine, Evolution, and emulation wouldn’t help me here, because Outlook must be run on a host in the domain.

So what to do?

It took me a while, but I finally found a solution that lets me run Outlook over RDP as a “native” X windows application.  These directions are based on CentOS 7 and Windows 7.

Windows: Install SeamlessRDP and Appetizer

SeamlessRDP is an extension to rdesktop created by Cendio.  You have to give them a valid email address to download it, because they email you the download link.  (Annoying.)  The SeamlessRDP tools are in the ThinLinc Server bundle.

Although Windows 7 and 8 (and I assume 10) aren’t officially supported, I can confirm that 7 works.  (Download: https://www.cendio.com/downloads/server/register.py)  Extract the zip file, open the folder, and run the installer in windows-tools\wts-tools\.

Next, download and install Appetizer (http://appetizer.cozic.net/download)

After it’s installed, launch it and create shortcuts for the applications you want.  Rdesktop doesn’t close your connection when you close Appetizer, so you’ll need to create a logoff shortcut. Add a new shortcut named “Log off” and set its location to C:\Windows\System32\shutdown.exe.  Set the parameters to “-l” (lowercase “L”) and save it.

Hack the Registry

The next step requires some registry surgery.  It would be a good idea to create a backup, just in case.

The first of the edits below changes the default shell from explorer.exe to the SeamlessRDP shell.  Because the value lives under HKEY_LOCAL_MACHINE, it applies to every account that logs on to this machine.  Be aware that if you log in after making this change, you’ll get a black screen and nothing else!  You can get a normal desktop back by launching Task Manager (CTRL+Shift+ESC) and running explorer.exe.

There are two registry edits to make.  Open regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.  Change Shell from “explorer.exe” to “C:\Program Files\ThinLinc\WTSTools\seamlessrdpshell.exe”.  (Confirm that this is where it’s installed on your machine, or you will be left with no shell at all!)

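Next, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and create a new DWORD value named fAllowUnlistedRemotePrograms.  Set its value to 1.  This policy value allows remote sessions to start programs that are not on the RemoteApp allow list.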

Install Rdesktop

Now back to Linux.  Rdesktop isn’t in the standard CentOS repos, so you’ll have to get it from elsewhere.  It’s available from the Nux Desktop repo, or you can search rpm.pbone.net.  You can also download the source and do the standard configure/make/make install, but c’mon–this is CentOS.  Use a damn RPM.

Optional – Create Your Own RPM

I didn’t like the RPMs I found, so I built my own.  Call me paranoid.

The current version as of this writing is 1.8.3.  Update the version number in the first line for newer revisions.  You may also need to track down newer versions of libgssglue.  Run these commands to build the RPM:

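# rdesktop release to build; change this for newer releases
version='1.8.3'
# Build tools and headers; the two libgssglue RPMs come from the Nux Dextop mirror over plain FTP
sudo yum install -y \
  wget rpm-build make gcc libX11-devel openssl-devel pcsc-lite-devel \
  ftp://ftp.pbone.net/mirror/li.nux.ro/download/nux/dextop/el7/x86_64/libgssglue-0.4-2.el7.nux.x86_64.rpm \
  ftp://ftp.pbone.net/mirror/li.nux.ro/download/nux/dextop/el7/x86_64/libgssglue-devel-0.4-2.el7.nux.x86_64.rpm
# Create the rpmbuild tree and point %_topdir at it (this overwrites any existing ~/.rpmmacros)
mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros
# Fetch the source tarball and extract only the spec file it ships
cd ~/rpmbuild/SOURCES/
wget https://github.com/rdesktop/rdesktop/releases/download/v${version}/rdesktop-${version}.tar.gz
tar xf rdesktop-${version}.tar.gz --strip=1 -C ~/rpmbuild/SPECS/ rdesktop-${version}/rdesktop.spec
# Build the binary and source RPMs, then install the binary RPM
rpmbuild -ba ~/rpmbuild/SPECS/rdesktop.spec
sudo yum install ~/rpmbuild/RPMS/x86_64/rdesktop-${version}-1.x86_64.rpm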

Back to It

However you installed rdesktop, it’s finally time to run it.  Out of the arguments listed below, only -A and -s are required.  The password field is single quoted to prevent the shell from expanding special characters.  (Because your password does have special characters in it, doesn’t it?)

rdesktop \
  -A 'C:\Program Files\ThinLinc\WTSTools\seamlessrdpshell.exe' \
  -s 'C:\Program Files (x86)\Appetizer\Appetizer.exe' \
  -r "disk:home=$HOME" \
  -r clipboard:PRIMARYCLIPBOARD \
  -u <username> \
  -p '<password>' \
  -d <domain> \
  -N \
  -P \
  -x l \
  <hostname>

Explanation of non-obvious command line flags.

-A Seamless RDP shell binary on RDP server
-s Appetizer binary location on RDP server
-r disk:home=$HOME Map your Linux home directory as a drive named ‘home’
-r clipboard:PRIMARYCLIPBOARD Sync clipboards
-N Sync numlock status
-P Enable persistent bitmap caching
-x l  Set RDP experience to LAN  (Lowercase “L”)

 

If all went well, Appetizer should show up looking like a normal X app.  You may get a logon/welcome screen spanning all your monitors, but only until logon completes.

If you find that your fonts look terrible, you can try replacing -x l with -x 0x80.  This is LAN + font smoothing.  However, if your window manager is already performing font smoothing, you’ll end up with smudgy, hard-to-read text.
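
The launch command above, reworked as an added example (not part of the original post) so that the password never appears in the process list or in shell history: rdesktop accepts "-p -" and then reads the password from standard input.  The names RDESKTOP, seamless_rdp and pwfile_is_private, and the optional password file with its permission check, are assumptions of this example.

```shell
#!/bin/sh
# Added example: the seamless session from this post, with the password
# supplied on stdin ("-p -") instead of on the command line.
# RDESKTOP, seamless_rdp, pwfile_is_private and the password-file
# convention are hypothetical names chosen for this example.

RDESKTOP=${RDESKTOP:-rdesktop}   # overridable, so the wrapper can be tested

# Succeed only if $1 is a regular file with no group/other permission bits.
pwfile_is_private() {
  [ -f "$1" ] || return 1
  perms=$(ls -ld -- "$1" | cut -c5-10)   # group+other bits, e.g. "------"
  [ "$perms" = "------" ]
}

# seamless_rdp HOST USER DOMAIN [PASSWORD_FILE]
# Without PASSWORD_FILE, rdesktop prompts for the password on the terminal.
# With it, the first line of the file is fed to rdesktop on stdin.
seamless_rdp() {
  host=$1 user=$2 domain=$3 pwfile=${4:-}
  set -- \
    -A 'C:\Program Files\ThinLinc\WTSTools\seamlessrdpshell.exe' \
    -s 'C:\Program Files (x86)\Appetizer\Appetizer.exe' \
    -r "disk:home=$HOME" \
    -r clipboard:PRIMARYCLIPBOARD \
    -u "$user" -d "$domain" -p - \
    -N -P -x l "$host"
  if [ -z "$pwfile" ]; then
    "$RDESKTOP" "$@"
  elif pwfile_is_private "$pwfile"; then
    "$RDESKTOP" "$@" < "$pwfile"
  else
    echo "refusing $pwfile: need a regular file with mode 0600 or stricter" >&2
    return 2
  fi
}

# Usage (interactive prompt):   seamless_rdp <hostname> <username> <domain>
# Usage (password file, 0600):  seamless_rdp <hostname> <username> <domain> ~/.rdp-pass
```
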


For the curious, here are all the other options that I tried before finally getting this to work.  Of course, no one told me that all traffic from non-domain hosts gets dropped–I just assumed there was a configuration error or compatibility issue.  I only figured that out after a ludicrous amount of trial and error, which is why I spent hours and hours trying the following first:

  • OWA
  • Evolution
  • Running Outlook inside a normal RDP window (worked, but annoying)
  • Thunderbird+Lightning
  • Outlook 2010 running on Wine
  • Outlook 2010 running on Crossover Office (because I thought the problem was with Wine)
  • davmail (Deleted immediately on install by the security software on the Windows host)
  • An in-house solution that maps mail to IMAP and calendar to CalDAV… but still requires Outlook to respond to meeting requests.  Stupid.