Remote desktop gateway publishing problem

    Question

  • Hi all,

    I set up an RDS server in my test environment; it has the Session Host, Web Access and Remote Desktop Gateway roles installed and everything works correctly. I can reach every feature and RemoteApp from an internal PC. I also have a TMG in my environment; it has an external IP, and I have a public domain name which points to it. I tried to publish the Remote Desktop Gateway to use the RDS features from an external PC. I followed the articles below:

    http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Publishing-RD-Web-Access-RD-Gateway-Part1.html

    http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Publishing-RD-Web-Access-RD-Gateway-Part2.html

     

    I followed the article step by step without problems. But then I tried to log in from an external W7 Enterprise client via mstsc with these settings:

    Remote computer: www.mydomain.com

    Remote Gateway: test-tmg.demo.local

    Authentication: NTLM Authentication

     

    When I click Connect, it pops up a window where I can enter my credentials. On the top of the window I can see that it will use these credentials on both the www.mydomain.com (remote computer) and the test-tmg.demo.local (remote desktop gateway).

    When I type my username and password it hangs for a while and then throws an error. It says that the Remote Desktop Gateway address is unreachable.

    Can anyone give me some hint what can be the problem?

    Thanks, Dvijne



    • Edited by Dvijne Saturday, 10 September 2011 20:36
    Saturday, 10 September 2011 15:13

Answers

  • Hi,

    I assume that you publish your applications to RD Web first and you launch the app from there. In the RemoteApp properties, did you define an RD Gateway server? This server should point to the externally resolvable name of the TMG. Also, if you defined the RD Gateway settings via GPO, ensure that the external name is used.

    Your publishing seems to be OK. So I think the error is either in the RemoteApp configuration or in name resolution between TMG and RD Gateway. First, check the RD Gateway settings in your RemoteApp configuration.

    Cheers,

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/ Please remember to use “Mark as Answer” or "vote as helpful" on the posts that help you.
    • Marked as answer by Dvijne Sunday, 11 September 2011 19:06
    Sunday, 11 September 2011 18:07

All replies

  • One more thing. I've monitored the traffic on the TMG and I recognized that when I click Connect it tries to communicate on port 3389 instead of 443. Is that normal?

    I'm wondering whether it is possible to use the Remote Desktop Gateway when it's installed on the same host as the Session Host...

    Saturday, 10 September 2011 20:34
  • Hi,

    You can use RD Gateway and Session Host on the same box. It works well for testing scenarios, and you can see the client connection in the RD Gateway console.

    Look at this article on how to configure RD Gateway for SSL bridging:

    http://technet.microsoft.com/en-us/library/cc772387.aspx

    ISA needs to send to you on port 80 or 443, depending on your bridging setup. So review your publishing rule to make sure everything is correct. 3389 is the wrong port.

    Cheers,

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/ Please remember to use “Mark as Answer” or "vote as helpful" on the posts that help you.
    Sunday, 11 September 2011 10:49
  • Hi Andreas,

    Thanks for your reply.

    I just reviewed my settings and I think they're OK. Just to give you more details, I'll describe my test environment. I have a TMG (test-tmg.demo.local) with one internal NIC and one external NIC. In my private network I have a DC (dc.demo.local with one internal NIC, 192.168.100.100) and an RDS server (rds.demo.local with one internal NIC, 192.168.100.101), both running 2008 R2.

    Here are the settings I did on the TMG:

    1. created a web listener

    - it listens on the external NIC

    - only HTTPS enabled, on port 443

    - authentication set to "No authentication"

     

    2. created a publishing rule (with the Exchange 2010 web access publishing wizard)

    - allow from anywhere

    - to rds.demo.local ("forward the original host header" checked)

    - traffic HTTPS

    - as listener I selected the one that I described earlier above

    - public name www.mydomain.com

    - for paths, I added /RPC/* and /rdweb/*

    - authentication delegation: No delegation, but users may authenticate directly

    - bridging: redirect requests to SSL port 443

    - users: all users

    On the RDS server, in the RD Gateway settings, I set SSL bridging to "Use SSL, HTTPS-HTTPS".

     

    On the external client when I try to connect I use the following settings:

    1. Remote computer: www.mydomain.com

    2. Remote gateway: test-tmg.demo.local (also tried with rds.demo.local but the result was the same)

    3. Authentication: NTLM authentication

     

    First I thought it needs an externally resolvable name for the RDS server (because it says the gateway's address is not reachable), but why should it need that? Normally the TMG has to forward the request to rds.demo.local on its internal leg on port 443. The connection fails at the very beginning of the story, so I don't really understand what's happening here. I think I'm missing a very basic step, but I cannot figure it out. So now the question is: why can the client not reach the internal gateway address?

    Sunday, 11 September 2011 11:46
  • Hi!

     

    You can publish a TS Gateway with TMG and have pre-authentication.
    The trick is to use Kerberos Constrained Delegation to the TS Gateway in the publishing rule, and the following path mappings:

    Path mappings

      Internal    External
      /rpc/*      /*

    An easy way to make the publishing rule is to use the Publish Exchange wizard, choose Outlook Anywhere and point it at the TS Gateway instead of Exchange 2010 :)

    Sunday, 11 September 2011 17:34
  • It works.

    Andreas, you were right, the problem was the RD Gateway in the RemoteApp settings.

    I only had to swap the Remote Desktop Gateway with the remote computer.

    This way:

    1. Remote computer: rds.demo.local

    2. Remote gateway: www.mydomain.com

    3. Authentication: NTLM authentication

    Thanks for your help.

    Sunday, 11 September 2011 19:06
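The working settings above map directly onto the keys mstsc stores in an .rdp file ("full address" is the remote computer, "gatewayhostname" is the RD Gateway). The script below is an added example, not code from the thread or from Microsoft: it parses an .rdp file, works out which host and port the client will open first (a simplified model of the documented gatewayusagemethod values, which is an assumption of this example), and flags the exact mistake the original poster made, where the public TMG name and the internal session host are the wrong way round. The two sample .rdp texts are constructed from the host names in the thread; the public name www.mydomain.com and the internal host list are taken from the posts.

```python
"""Added example (not from the thread): check an .rdp file for swapped
'full address' (remote computer) and 'gatewayhostname' (RD Gateway) values."""
import re

# gatewayusagemethod values as documented for mstsc .rdp files.
GW_NEVER, GW_ALWAYS, GW_BYPASS_LOCAL, GW_DEFAULT, GW_NEVER_ADMIN = 0, 1, 2, 3, 4


def parse_rdp(text):
    """Parse 'name:type:value' lines; 'i' values become int, 's' values stay str."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^([^:]+):([si]):(.*)$", line)
        if not m:
            raise ValueError(f"malformed .rdp line: {line!r}")
        name, typ, value = m.groups()
        settings[name.strip().lower()] = int(value) if typ == "i" else value
    return settings


def _split_host_port(value, default_port):
    """'host' or 'host:port' -> (host, port). IPv6 literals are not handled."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, default_port


def first_hop(settings, is_local=lambda host: False):
    """Return (host, port) of the first TCP connection the client makes.

    Simplified model (an assumption of this example): when the gateway is used
    the client opens HTTPS to gatewayhostname on 443, otherwise it opens RDP to
    'full address' on 3389. Mode 2 asks the caller-supplied is_local() whether
    the target counts as local; mode 3 depends on client defaults an .rdp file
    does not reveal, so it is rejected rather than guessed.
    """
    target, port = _split_host_port(settings.get("full address", ""), 3389)
    mode = settings.get("gatewayusagemethod", GW_NEVER)
    gateway = settings.get("gatewayhostname", "")
    if mode in (GW_NEVER, GW_NEVER_ADMIN) or not gateway:
        return target, port
    if mode == GW_ALWAYS or (mode == GW_BYPASS_LOCAL and not is_local(target)):
        return _split_host_port(gateway, 443)
    if mode == GW_BYPASS_LOCAL:
        return target, port
    raise ValueError(f"gatewayusagemethod {mode} depends on client defaults")


def check_gateway_roles(settings, public_name, internal_hosts):
    """Findings for the mistake in this thread: the externally published name
    must be the gateway and the internal session host the remote computer."""
    findings = []
    target, _ = _split_host_port(settings.get("full address", ""), 3389)
    gateway, _ = _split_host_port(settings.get("gatewayhostname", ""), 443)
    internal = {h.lower() for h in internal_hosts}
    public = public_name.lower()
    if gateway.lower() == public and target.lower() in internal:
        return findings  # roles are the right way round
    if target.lower() == public and gateway.lower() in internal:
        findings.append("remote computer and RD Gateway are swapped: use "
                        f"gatewayhostname={public_name}, full address={gateway}")
        return findings
    if gateway.lower() != public:
        findings.append(f"gateway {gateway!r} is not the published name "
                        f"{public_name!r}; an external client cannot resolve it")
    if target.lower() not in internal:
        findings.append(f"remote computer {target!r} is not an internal host")
    return findings


# Constructed from the settings the original poster first tried (failed).
BROKEN_RDP = """\
full address:s:www.mydomain.com
gatewayhostname:s:test-tmg.demo.local
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
"""

# Constructed from the settings that worked at the end of the thread.
WORKING_RDP = """\
full address:s:rds.demo.local
gatewayhostname:s:www.mydomain.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
"""

PUBLIC_NAME = "www.mydomain.com"
INTERNAL_HOSTS = ("rds.demo.local", "test-tmg.demo.local", "dc.demo.local")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_RDP), ("working", WORKING_RDP)):
        s = parse_rdp(text)
        print(label, "first hop:", first_hop(s),
              "findings:", check_gateway_roles(s, PUBLIC_NAME, INTERNAL_HOSTS))
```

Run it against a real .rdp file exported from RD Web by replacing the constructed sample text; a non-empty findings list points at the same mis-assignment the thread resolved, and the first-hop result shows whether the client will talk HTTPS to the published gateway or RDP/3389 straight to the target, which is the port difference noticed on the TMG earlier in the thread.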
  • Hi,

    OK, so everything is fine now. Enjoy. If you like, you can delegate authentication by using Kerberos constrained delegation, and you can enable SSO to Terminal Services on the client side by using GPO. After that it is a really smooth thing.

    Enjoy RDPing :-)

    Cheers,

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/ Please remember to use “Mark as Answer” or "vote as helpful" on the posts that help you.
    Sunday, 11 September 2011 19:11