S2K8 R2 RemoteApps Server on SBS 2003 Domain, WAN Setup?

    Question

  • Scenario/Setup: Existing SBS2003 domain, typical SBS ports including 25, 443 inbound forwarded at firewall to SBS server.

    Project/Desire: Add new 2008R2 RemoteApps server and properly host both local network and inbound/WAN RemoteApps connections.

    Details: We have just added a new Server 2008R2 box into an existing SBS 2003 domain for the explicit purpose of being a RemoteApps server.  Terminal CALs are installed and licensed through the new 2008R2 box and everything is working fine on the LAN.  We have installed our two LOB applications onto the RemoteApps server and have generated .msi's to install the RemoteApps connectors, and everything works PERFECTLY from within our network from those RemoteApps links created on the desktops by the .msi.  In short, from the local desktops and laptops, RemoteApps is working great.

    Now, it's time to allow RemoteApps connections inbound from outside the firewall (i.e. the owner needs to run the LOB app from home or from the road).

    Now, I've set up RemoteApps previously on SBS2011 domains and it works pretty easy--just add the RemoteApps Gateway onto our SBS with 443 inbound port forwarded to it) and "it just works".

    But this is an SBS2003 domain, and port-forward of 443 is already used on the SBS for OWA and RWW.

    So, what's the easiest way I can get a user clicking on a RemoteApps icon on their desktop at home to launch the RemoteApp?  I have installed the RemoteApps Gateway role/features on the S2K8R2 box already.  But I can't just forward port 443 to the RemoteApps server.  Is there a way of just configuring the RemoteApps gateway to listen on a different port, and then configure RemoteApps installers to use that second port?  If so, then I can just open a different port in the firewall and away we go.

    Any suggestions?

    Thanks.


    -Dan

    22 June 2012 20:49

Answers

  • Hi,

    You cannot change the port that the Remote Desktop Client uses to connect to RD Gateway.  It will always try to use tcp 443.  Suggestions:

    1. Assign a second public IP address/FQDN and forward port 443 to your Server 2008 R2 for RD Gateway and RD Web Access (if you want RDWeb) purposes.  Purchase a single-name certificate for less than $10/year and use it for RDG/RDSH/RDWeb on the Server 2008 R2 box.

    2. Use a firewall that will do reverse proxy and forward traffic to the correct server based on host headers and/or the target virtual directory.  If Outlook Anywhere (RPC Proxy) is being used then you cannot base it on virtual directory because RD Gateway uses RPC Proxy as well.

    3. Change the RDP port on the Server 2008 R2 server to something custom like 32521, forward that to the Server 2008 R2, modify the port in RemoteApp Manager, and re-create the .msi files.  In this case you are not using RD Gateway so one layer of security has been removed.  You should use an SSL certificate from a trusted public authority on your RDSH with a FQDN that matches what you use for the RemoteApps, strong passwords, and make certain that all critical updates for Server 2008 R2 are installed due to recent RDP vulnerabilities.  You could export the current SSL certificate along with its private key from the SBS 2003 server and import it on the Server 2008 R2, then assign it to the RDP-Tcp listener in RD Session Host Configuration (tsconfig.msc).

    -TP

    22 June 2012 21:51
    Moderator
  • Hi,

    On your RDWeb/RD Gateway server:

    1. Please open IIS Manager.  In the left pane, navigate to and select Sites\Default Web Site\RDWeb\Pages.  In the middle pane, double-click on Application Settings, then double-click on DefaultTSGateway.  Set this to the FQDN of your RD Gateway (same FQDN as RDWeb in your case).  This setting is used for the Remote Desktop tab in RDWeb.

    2. In RemoteApp Manager please make sure you have configured to use RD Gateway and entered the FQDN.

    3. After performing the above please test (with port 3389 blocked) via RDWeb and then re-create any .msi and/or .rdp files.

    Thanks.

    -TP

    28 June 2012 19:24
    Moderator

All replies

  • Hi,

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,
    Clarence
    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    28 June 2012 8:10
    Moderator
  • Thank you for the solution above.  It's still not working flawlessly (we still need port 3389 open and pointing to the RD gateway server for some reason) but we solved the primary issue with the following steps:

    1. This client's site happened to already have a block of 5 static public IP's and one was not in use.  Set up our firewall to route any allowed traffic (ports 443, 3389) from that public IP to our new server.

    2. Modified our domain records so our publicly-visible FQDN (apps.mydomain.com) matched the new public IP.

    3. Purchased and installed an SSL certificate onto the RemoteApps/RD Gateway server matching the FQDN.

    4. Published MSI's and RDP's and they all work perfectly.

    The only remaining issue, which I was not expecting, was that we need to leave port 3389 open on our firewall and pointing to our new server.  Not sure why that is--I was expecting that everything would go through port 443 inbound, as my understanding was RemoteApps was supposed to solve the issue of needing an open RDP firewall port in the first place.  If I close 3389, I can't connect with any of the RDP's.  If I open it, it works great.


    -Dan

    28 June 2012 16:15
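The symptom Dan describes (connections only work while tcp/3389 is forwarded) is what an .rdp file without RD Gateway settings produces: the client connects straight to the `full address` host on the `server port`, and TP's steps in the Answers section above end with regenerating the .rdp files. The following audit script is an added example, not code from the thread or from Microsoft; it parses the `key:type:value` lines of an .rdp file and flags files that would bypass the gateway. The hostnames and the two sample files are constructed.

```python
# Added example (not from the thread): audit the .rdp files that RemoteApp Manager
# generates so that clients reach the RD Gateway on tcp/443 instead of tcp/3389.
# Hostnames and sample contents below are constructed for illustration.

# Meaning of the gatewayusagemethod value in an .rdp file.
GATEWAY_USAGE = {0: "never", 1: "always", 2: "bypass for local addresses", 4: "default"}

def parse_rdp(text: str) -> dict:
    """Parse 'key:type:value' lines; 'i' values become ints, others stay strings."""
    settings = {}
    for raw in text.splitlines():
        key, sep, rest = raw.strip().partition(":")
        typ, sep2, value = rest.partition(":")
        if not (sep and sep2):
            continue  # blank or malformed line
        if typ == "i" and value.strip().lstrip("-").isdigit():
            value = int(value)
        settings[key.strip().lower()] = value
    return settings

def check_gateway(settings: dict) -> list:
    """Return findings; an empty list means remote clients go through the gateway."""
    findings = []
    usage = settings.get("gatewayusagemethod", 0)
    if not settings.get("gatewayhostname"):
        findings.append(f"no gatewayhostname: client connects straight to "
                        f"{settings.get('full address', '?')} on tcp/{settings.get('server port', 3389)}")
    if usage not in (1, 2):
        findings.append(f"gatewayusagemethod={usage} ({GATEWAY_USAGE.get(usage, 'unknown')}); "
                        "needs 1 (always) or 2 (bypass only for local addresses)")
    if settings.get("remoteapplicationmode") != 1:
        findings.append("remoteapplicationmode != 1: full-desktop .rdp, not a RemoteApp")
    return findings

# Constructed sample: generated before RD Gateway was configured in RemoteApp Manager.
RDP_BEFORE = """\
full address:s:rdsh01.corp.local
server port:i:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||LOBApp
gatewayusagemethod:i:0
"""

# Constructed sample: the same RemoteApp regenerated with the gateway configured.
RDP_AFTER = RDP_BEFORE.replace("gatewayusagemethod:i:0",
    "gatewayhostname:s:apps.mydomain.com\ngatewayusagemethod:i:1\ngatewaycredentialssource:i:4")

if __name__ == "__main__":
    for name, text in (("before.rdp", RDP_BEFORE), ("after.rdp", RDP_AFTER)):
        print(name, check_gateway(parse_rdp(text)) or ["OK: routed via RD Gateway on tcp/443"])
```

Run it against the .rdp files extracted from the published .msi packages; any file that reports a finding is one that still needs tcp/3389 reachable from outside.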