WS2012 + RD Gateway + RemoteApps : multiple nuisances (UDP not used, certificate warnings)

    Question

  • Hi all

    I've configured an all-in-one WS2012 Remote Desktop server with RD Gateway and RDWeb, serving RemoteApps to a distant location. The RD Gateway listens on 8388 TCP (because 443 is already taken on my NAT) and 3391 UDP. The RDWeb similarly listens on 8388.

    Since the gateway is not listening on the standard port, I had to run this command http://social.technet.microsoft.com/Forums/windowsserver/en-US/6ed0845a-1a51-4c05-8331-ece9c0eb73fa/remote-desktop-gateway-port?forum=winserverTS to tell RDWeb to write the correct TCP port in the webfeed it distributes (and I am NOT comfortable with having to do it manually since the UDP port is a UI-changeable setting, but I digress...).

    RemoteApps open fine from the remote location... except UDP is not used. Connections show up in the RD Gateway Monitoring as HTTP, not UDP. Also a direct MSTSC connection to the server doesn't use UDP (it doesn't appear in the signal bars text).

    But I am sure that:

    1) public address's port 3391 is correctly UDP-mapped to the Gateway, tested with network monitor
    2) the TS is listening on UDP 3389 (RDP) and 3391 (RD Gateway), tested with netstat
    3) my Win7 client uses UDP when connecting to other Win8 workstations at my company, and these Win8 clients won't use UDP when connecting to the TS
    4) even though UDP is not used, I see packets in the network monitor, coming and going to port 3389

    What can I do to address this?

    I have two more questions.

    1) I'm inclined to think that for full UDP usage, a remote NAT'ted client would need to be in a DMZ, otherwise how is it going to receive UDP packets coming back from the server?

    2) Unrelated to this: the Best Practice Analyzer in Server Manager found that the RD Gateway certificate is invalid; needless to say, other parts of the same Server Manager (RDS > Collections > Edit Deployment Properties > Certificates) think otherwise, so does the RD Gateway manager. God fashioned panels...

    Thank you for any answer...

    Tuesday, November 19, 2013 6:24 PM

Answers

  • Hi,

    As you have already mentioned in your comment, your certificate covers a different name and your TS is joined to a different domain. This is the probable reason you are facing the error. Refer to the note below, which is quoted from the link provided in my last post.

    Note: You may also see this error when the certificate you have bound to the Gateway service doesn’t have the Fully Qualified Domain Name of the Gateway Server as either the Subject or as a Subject Alternative Name. 

    Meanwhile sharing one good article with you, refer it for more details.
    RDS8 – Gateway and Certificates on Windows Server 2012

    Hope it helps for clear understanding!
    Thanks.
    Tuesday, November 26, 2013 8:39 AM
    Moderator

All replies

  • Hi,

    After reviewing your post, I can suggest something for your case. As you have stated that “public address's port 3391 is correctly UDP-mapped to the Gateway, tested with network monitor”, with this we are able to view UDP packets in the network monitor. In addition, UDP connections can’t be created stand-alone; UDP connections are established only after a main HTTP connection has been created between the remote desktop client and the remote desktop server. Please refer to the articles below for more information.

    1.  Deploying Remote Desktop Gateway RDS 2012
    2.  What’s new in Windows Server 2012 Remote Desktop Gateway

    With respect to the certificate warning, RD Gateway must be configured to use a valid SSL certificate, which must also be signed by a trusted certification authority.

    -  The SSL certificate must contain the name of the farm
    -  RD Web Access needs an SSL cert
    -  If you sign RemoteApp, then you need an SSL cert for that

    For certificate-related information, refer to “Minimum Certificate Requirements for Typical RDS implementation”. I am also sharing the RDS Server 2012 article with you.

    Hope it helps!
    Thanks

    Wednesday, November 20, 2013 8:16 AM
    Moderator
  • Hi Dharmesh, thanks for the answer.

    I'm replying for the certificate issue with this list of items.

    1) We have a wildcard, paid-for certificate with *.mycorp.com in its name, purchased from a well known CA, and I've used this everywhere
    2) The TS name is ts.mycorp.com outside, and its domain name ts.mycorpdom.local - yes, it's a different domain inside!
    3) My cert meets the requirements specified in the BPA error link: http://technet.microsoft.com/en-us/library/dd320340.aspx
    4) My cert expires in Oct 2014
    5) There are no warnings in RDGateway manager console, where the above link stated they should be if the cert was invalid
    6) There are no warnings either in the Deployment Properties of my RemoteApp session (Server Manager). RD Gateway, RD Web Access and RD Connection Broker are using the same certificate, their status is OK, and the deployment certificate level is Trusted.

    I don't know what else to do.

    Wednesday, November 20, 2013 10:55 AM
  • I'm going to add 2 screenshots to better illustrate the inconsistencies between the user interfaces.

    1) Server Manager Best Practices Analyzer results:

    2) (a) Server Manager RDS Deployment Properties, and (b) RD Gateway Manager Properties (SSL Tab)

    The question is really simple and can be summarized in these terms: if (2), then why (1) ?

    I hope I have been clear this time.

    Thank you

    Thursday, November 21, 2013 4:48 PM
  • Hi,

    After reviewing your comments and the error snapshot, it’s clear that RD Gateway does not have a valid SSL certificate.

    Here, have you made sure that the certificate imported to the RD Gateway server is in the (Local computer) / Personal store and not in the (Local User) / Personal store? It is compulsory for the certificate to be stored in Local Computer / Personal. For that you can refer to the Best Practices Analyzer points.

    Apart from this, I suggest you use the RD Gateway Manager tool to select a valid SSL certificate for the RD Gateway server to use. For more information, refer to the article below, which clearly describes the SSL certificate issue reported after running the Best Practices Analyzer.
    Using the Remote Desktop Services BPA to analyze a Remote Desktop Gateway implementation

    Hope it helps!
    Thanks.

    Saturday, November 23, 2013 5:13 AM
    Moderator
  • Hi,

    1. In RD Gateway Manager, Properties, Transport Settings tab, please set the UDP port to 8388 to match your custom TCP port.

    2. On your firewall, please make sure UDP port 8388 is forwarded to your RD Gateway server.

    After making the above changes please refresh the RDWeb page and test connecting from an external client.

    Thanks.

    -TP

    Saturday, November 23, 2013 6:46 AM
    Moderator
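The two steps above (set the gateway's UDP port, forward it on the firewall) are easy to misread on an all-in-one box, because three different listeners are involved: the gateway's HTTP transport on the custom TCP port, the gateway's UDP transport, and RDP's own UDP listener on 3389. The PowerShell below is an added example, not something posted in this thread; it checks on the gateway host that each listener actually exists and which process owns it, then looks in the session host's RdpCoreTS operational log for connections that negotiated UDP. The port values are the thread's and are assumptions; the cmdlets and log name are the ones shipped with Windows Server 2012.

```powershell
# Added example, not from the original thread.
# Run elevated on the RD Gateway / session host (the all-in-one box from the question).
# Assumed ports: TCP 8388 for the gateway's HTTP transport, UDP 3391 for the gateway
# (or 8388 if you changed it in Transport Settings as suggested), UDP 3389 for RDP itself.
$GatewayTcpPort = 8388
$GatewayUdpPort = 3391
$RdpUdpPort     = 3389

function Get-ListenerOwner {
    # Resolve the owning PID of a listener to a process name so you can tell
    # RD Gateway (svchost hosting TSGateway) apart from something else squatting on the port.
    param([int]$ProcessId)
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($p) { '{0} (PID {1})' -f $p.ProcessName, $ProcessId } else { "PID $ProcessId" }
}

# 1. Is the gateway's HTTP transport listening on the custom TCP port?
$tcp = Get-NetTCPConnection -State Listen -LocalPort $GatewayTcpPort -ErrorAction SilentlyContinue
if ($tcp) {
    foreach ($c in $tcp) {
        'TCP {0}:{1} listening, owner {2}' -f $c.LocalAddress, $c.LocalPort, (Get-ListenerOwner $c.OwningProcess)
    }
} else {
    "No TCP listener on $GatewayTcpPort - the gateway's HTTP transport is not bound to this port"
}

# 2. Are the UDP endpoints open? Both the gateway's UDP port and RDP's 3389 must show up,
#    otherwise the client falls back to the HTTP transport and RD Gateway Monitoring shows HTTP only.
foreach ($port in $GatewayUdpPort, $RdpUdpPort) {
    $udp = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
    if ($udp) {
        foreach ($e in $udp) {
            'UDP {0}:{1} open, owner {2}' -f $e.LocalAddress, $e.LocalPort, (Get-ListenerOwner $e.OwningProcess)
        }
    } else {
        "No UDP endpoint on $port"
    }
}

# 3. Did any client actually negotiate UDP? The RdpCoreTS operational log on the session host
#    records the transport of accepted connections; show the last day's entries that mention UDP.
$log = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'UDP' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize
```

If step 1 or 2 prints nothing, the problem is local binding, not the firewall, and no amount of port forwarding will help. If the listeners are there but step 3 never shows a UDP entry for the external client, the return path is the next suspect: the UDP transport is only attempted after the HTTP transport is up (as the earlier reply says), and the client initiates the UDP flow, so a stateful NAT on the client side normally keeps the mapping for the server's replies without the client having to sit in a DMZ. Also check whether the client itself disables UDP (the "Turn off UDP on client" RDP client policy), since that produces exactly the symptom of a working gateway that only ever reports HTTP.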
  • Hi TP,

    1 and 2 done but still no go.

    There's a much more basic question. If I connect to the TS from inside my corporate lan, it doesn't appear to use UDP, or at least it doesn't say so.

    When trying this with other Win8 PC, it uses UDP and says it does.

    Why is that?

    Monday, November 25, 2013 11:42 AM
  • Hi Dharmesh

    My certificate covers *.mycorp.com but the TS is joined to a different domain, "mycorpdom.local" (don't ask why...). Externally, it can be reached using the first domain name, so the cert is happy.

    Maybe this is the reason for the warning?

    Monday, November 25, 2013 11:47 AM
  • Hi,

    As you have already mentioned in your comment, your certificate covers a different name and your TS is joined to a different domain. This is the probable reason you are facing the error. Refer to the note below, which is quoted from the link provided in my last post.

    Note: You may also see this error when the certificate you have bound to the Gateway service doesn’t have the Fully Qualified Domain Name of the Gateway Server as either the Subject or as a Subject Alternative Name. 

    Meanwhile sharing one good article with you, refer it for more details.
    RDS8 – Gateway and Certificates on Windows Server 2012

    Hope it helps for clear understanding!
    Thanks.
    Tuesday, November 26, 2013 8:39 AM
    Moderator
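The two certificate replies above make different checks: one asks whether the certificate sits in Local Computer \ Personal rather than Current User \ Personal, the other (the quoted BPA note) whether the gateway server's FQDN appears as Subject or Subject Alternative Name. The script below is an added example, not code from this thread; it reads the certificate that HTTP.sys is actually serving on the gateway port, then performs both checks plus chain, validity, EKU and private-key checks, against both the external name and the machine's own FQDN. The port, the external name ts.mycorp.com and the internal name ts.mycorpdom.local are the thread's values and are assumptions; the wildcard matcher is a single-label match, which is how browsers and Windows treat `*.mycorp.com`.

```powershell
# Added example, not from the original thread.
# Assumptions: RD Gateway's HTTP transport is bound to 0.0.0.0:8388 (the thread's port),
# the external name is ts.mycorp.com and the machine's own FQDN is ts.mycorpdom.local.
$SslPort      = 8388
$ExternalFqdn = 'ts.mycorp.com'
$MachineFqdn  = [System.Net.Dns]::GetHostEntry('').HostName   # the name the BPA rule compares against

function Test-CertNameMatch {
    # Exact match, or a single-label wildcard: *.mycorp.com covers ts.mycorp.com,
    # but not a.b.mycorp.com and not the bare mycorp.com. String -eq is case-insensitive.
    param([string]$CertName, [string]$Fqdn)
    if ($CertName -eq $Fqdn) { return $true }
    if ($CertName.StartsWith('*.')) {
        $dot = $Fqdn.IndexOf('.')
        return ($dot -gt 0) -and ($Fqdn.Substring($dot + 1) -eq $CertName.Substring(2))
    }
    return $false
}

# 1. Which certificate does HTTP.sys serve on the gateway port? This is the binding RD Gateway
#    creates when you pick a certificate on the SSL tab, so it is the ground truth, not a console view.
$bindingText = netsh http show sslcert ipport=0.0.0.0:$SslPort
$hashLine = $bindingText | Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})'
if (-not $hashLine) { throw "No SSL binding on 0.0.0.0:$SslPort (try [::]:$SslPort) - is RD Gateway listening there?" }
$thumb = $hashLine.Matches[0].Groups[1].Value.ToUpper()

# 2. Store check from the reply above: must be in LocalMachine\My, not CurrentUser\My.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    $userCopy = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb }
    if ($userCopy) { throw "Bound certificate $thumb is only in CurrentUser\My; re-import it into LocalMachine\My" }
    throw "Bound certificate $thumb not found in LocalMachine\My"
}
"Bound certificate: $($cert.Subject) [$thumb]"

# 3. Name check from the BPA note: gather CN and SAN dNSName entries, test each FQDN against them.
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
$names += @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$names = $names | Where-Object { $_ } | Sort-Object -Unique
"Names in certificate: $($names -join ', ')"
foreach ($fqdn in $ExternalFqdn, $MachineFqdn) {
    $covered = $false
    foreach ($n in $names) { if (Test-CertNameMatch $n $fqdn) { $covered = $true } }
    '{0,-30} {1}' -f $fqdn, $(if ($covered) { 'covered' } else { 'NOT covered' })
}

# 4. Trust, validity window, Server Authentication EKU and private key.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
$status  = if ($chainOk) { 'chains to a trusted root' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
'Chain:                     {0}' -f $status
'Valid:                     {0:yyyy-MM-dd} to {1:yyyy-MM-dd} ({2} days left)' -f $cert.NotBefore, $cert.NotAfter, [int]($cert.NotAfter - (Get-Date)).TotalDays
'Server Authentication EKU: {0}' -f [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
'Has private key:           {0}' -f $cert.HasPrivateKey
```

With the thread's setup the output is expected to read `ts.mycorp.com covered` and `ts.mycorpdom.local NOT covered` while the chain, validity and EKU lines all pass: that is precisely the split between the two consoles, since the deployment and RD Gateway Manager views are satisfied by trust and validity, while the BPA rule quoted above wants the server's own FQDN in the certificate. Note that public CAs no longer issue certificates for non-public names such as `.local`, so for a gateway whose AD name lives in a private zone the practical choices are to give the server a public-suffix name (or a split-DNS alias) that the certificate does cover, or to accept the BPA warning as a known false positive for that deployment.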
  • Hi,

    Do you need any further assistance? Please let us know if there is anything we can assist you with.

    Thanks.

    Saturday, November 30, 2013 2:39 PM
    Moderator