RemoteApp does not work when connecting from the internet

    Question

  • Hi ,

    We are doing a proof of concept in regards to RD and have set up three 2008 R2 servers (RDSH, RDWA and RDCB) with RDWeb and RemoteApp. All works fine and as expected from the internal LAN. Connecting from the internet works to a point;

    - you can get to the RD Web Access page and login successfully

    - you can see all RemoteApp icons

    - launch the app and you get the RemoteApp caution box and Options

    - click on connect and a "RemoteApp Disconnected" box pops up with;

    "Remote Desktop can't connect to the remote computer for one of these reasons:
    1.) Remote Access to the server is not enabled
    2.) The remote computer is turned off
    3.) The remote computer is not available on the network.

    RD server internal name is: rdsh-01    External name is:  remote.ABCD.com

    So a user goes to https://remote.ABCD.com/RDWeb 

    I disabled all firewall settings, but with no results,

    I changed the FQDN on the RDSH connection settings into IP,

    I checked the user rights on "Remote Desktop Users".......

    I have my suspicions on the configuration of the RDCB................

    Any ideas?

    Wednesday, February 22, 2012 1:36 PM

All replies

  • Update:

    I suspect that I can't login to the RDCB..........,

    Or something with "certificates"

    Peter


    Met vriendelijke groet, Kind regards, Peter Böhm Technical Support, Network Management

    Wednesday, February 22, 2012 3:27 PM
  • Update;

    It has nothing to do with certificates........

    This is working fine now.

    Still. On the Local Lan: Everything works fine

    When I connect over the Internet, I can log in, see all the icons, can start but not connect to the RemoteApp.

    It seems that the RDCB cannot connect to the RDSH

    Anyone........


    Met vriendelijke groet, Kind regards, Peter Böhm Technical Support, Network Management

    Thursday, February 23, 2012 3:16 PM
  • Hello,

    Do you have your remote application part setup to use the RD Gateway so end users can connect over this?


    regards Robert Maijen

    Thursday, February 23, 2012 4:42 PM
  • Hello,

    Do you have your remote application part setup to use the RD Gateway so end users can connect over this?


    regards Robert Maijen

    Thanks for this, I was looking at this, but what does it entail setting up a RD Gateway? I am new to Server 2008 and have the same problem as

    PeterBöhm

    It seems I can connect all of the windows 7 machines remotely but am not sure if I have set things up properly, because even though I can reach the desktop of the off site machine, it cannot reach back and remote into any of the machines on the server side.

    Any ideas?  Thanks in advance,

    Dave M.


    Thursday, February 23, 2012 7:51 PM
  • Hello Robert,

    I did not setup a RD gateway.

    peter


    Met vriendelijke groet, Kind regards, Peter Böhm Technical Support, Network Management

    Tuesday, February 28, 2012 7:39 AM
  • Hi Dave,

    Do you have installed "Remote Desktop Terminal Server 2008" or are you trying to setup a single "Remote Desktop Connection" to a machine in your network?

    Peter


    Met vriendelijke groet, Kind regards, Peter Böhm Technical Support, Network Management

    Tuesday, February 28, 2012 7:43 AM
  • Hello Peter,

    Did you get it working ??


    regards Robert Maijen

    Tuesday, February 28, 2012 10:22 AM
  • Hi Robert,

    Not yet.

    Still... On the local network: no problems, everything works.

    Over the Internet: can login to RDWeb, see the icons, get the certificate announcement and then can't connect…….


    Met vriendelijke groet, Kind regards, Peter Böhm Technical Support, Network Management

    Tuesday, February 28, 2012 10:32 AM
  • Hello Peter,

    For remote apps to work from the internet you will need the gateway to be deployed. Otherwise user can never connect. Please review here:

    http://technet.microsoft.com/en-us/library/ff519174(v=ws.10).aspx


    regards Robert Maijen

    Tuesday, February 28, 2012 11:27 AM
  • Hi Robert,

    Thanks again for your reply.

    Last week I installed the RD-Gateway, but with no result.

    When I connect over the Internet and arrive on the RDWeb page and login everything looks to work fine.

    But when I try to open a "RemoteApp" ( for example Word or Notepad ) I get the message: Gateway-address is incorrect.

    It looks that the App tries to connect to the RD Connection Broker and could not authenticate.

    I'm lost………..



    Met vriendelijke groet, Kind regards, Peter Böhm Technical Support, Network Management


    • Edited by PeterBöhm Monday, March 05, 2012 9:29 AM
    Monday, March 05, 2012 9:28 AM
  • Hello Peter,

    Sorry to hear that you didn't get it working yet :-). Please follow this link for configuration of your RDS setup:

    http://technet.microsoft.com/en-us/library/ff519174(v=ws.10).aspx


    regards Robert Maijen

    Monday, March 05, 2012 10:43 AM
  • Peter,

    If you have a FW you will have to allow open port 443.  Also, the RD client is not 'proxy aware' so you might be running into a proxy issue.  Netmon should reveal where the disconnect is.  Assuming that since you can authenticate and render the apps in RD web the problem is connectivity to the RD gateway from the RD client.

    Thanks,

    Mark

    Monday, March 05, 2012 10:14 PM
  • hi Mark,

    Thanks for your reply.

    I think that it is the connectivity between the Webaccess and the Gateway, but what?


    Met vriendelijke groet, Kind regards, Peter Böhm Technical Support, Network Management

    Friday, March 09, 2012 9:00 AM
  • Once the web access server has rendered the RDP files as it has here it is essentially out of the picture.  You can test this by going into Remote App manager and exporting one of the published apps as an RDP file.  Also, if you do this you can open the RDP file in a text editor and verify the 'gatewayhostname' is the fully qualified domain name of the externally available gateway server.  You can further test connectivity from the client by taking the gatewayhostname and opening internet explorer and type in the URL HTTPS://gatewayhostname/rpc.  You should get an authentication prompt.  Is this the case for you?
    Friday, March 09, 2012 6:54 PM
  • Hi   m.cass,

    Thanks for your reply.

    Here I have copied the content of the RDP file I use.

    <?xml version="1.0"?>
    <RemotePrograms>
      <UseAllowList>Yes</UseAllowList>
      <DeploymentSettings>
        <Port>3389</Port>
        <FarmName>192.168.2.101</FarmName>
        <GatewaySettings>
          <GatewayName>RDGA-SRV.daisy.local</GatewayName>
          <GatewayUsage>1</GatewayUsage>
          <GatewayAuthMode>4</GatewayAuthMode>
          <UseCachedCreds>True</UseCachedCreds>
        </GatewaySettings>
        <CertificateSettings>
          <UseCertificate>True</UseCertificate>
          <CertificateSize>20</CertificateSize>
          <Certificate>BLBLABLABLABLA</Certificate>
          <CertificateIssuedTo>*.daisy.com</CertificateIssuedTo>
          <CertificateIssuedBy>UTN-USERFirst-Hardware</CertificateIssuedBy>
          <CertificateExpiresOn>130059647990000000</CertificateExpiresOn>
          <AllowFontSmoothing>True</AllowFontSmoothing>
          <UseMultimon>False</UseMultimon>
          <ColorBitDepth>32</ColorBitDepth>
          <RedirectionSettings>31</RedirectionSettings>
          <CustomRdpSettings>authentication level:i:2</CustomRdpSettings>
          <ShowRemoteDesktop>True</ShowRemoteDesktop>
          <RemoteDesktopSecurityDescriptor />
        </CertificateSettings>
      </DeploymentSettings>
      <Application>
        <Name>Paint</Name>
        <Alias>mspaint</Alias>
        <SecurityDescriptor />
        <Path>C:\Windows\system32\mspaint.exe</Path>
        <VPath>%SYSTEMDRIVE%\Windows\system32\mspaint.exe</VPath>
        <ShowInTSWA>Yes</ShowInTSWA>
        <RequiredCommandLine />
        <IconPath>%windir%\system32\mspaint.exe</IconPath>
        <IconIndex>0</IconIndex>
        <CommandLineSetting>0</CommandLineSetting>
        <RDPContents>redirectclipboard:i:1
    redirectposdevices:i:0
    redirectprinters:i:1
    redirectcomports:i:1
    redirectsmartcards:i:1
    devicestoredirect:s:*
    drivestoredirect:s:*
    redirectdrives:i:1
    session bpp:i:32
    prompt for credentials on client:i:1
    span monitors:i:1
    use multimon:i:1
    remoteapplicationmode:i:1
    server port:i:3389
    allow font smoothing:i:1
    promptcredentialonce:i:1
    authentication level:i:2
    gatewayusagemethod:i:2
    gatewayprofileusagemethod:i:1
    gatewaycredentialssource:i:4
    full address:s:192.168.2.101
    alternate shell:s:||mspaint
    remoteapplicationprogram:s:||mspaint
    gatewayhostname:s:RDGA-SRV.daisy.local
    remoteapplicationname:s:Paint
    remoteapplicationcmdline:s:
    alternate full address:s:192.168.2.101
    signscope:s:Full Address,Alternate Full Address,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,Alternate Shell,RemoteApplicationProgram,RemoteApplicationMode,RemoteApplicationName,RemoteApplicationCmdLine,Authentication Level,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectPOSDevices,RedirectClipboard,DevicesToRedirect,DrivesToRedirect
    signature:s:BLABLABLABLABLA

    </RDPContents>
      </Application>
    </RemotePrograms>

    HTTPS://rdga-srv.daisy.local/rpc works, and I get an authentication prompt.

    When I connect over the internet and start the application I also get an authentication prompt.....! After that I get the error message.


    Met vriendelijke groet, Kind regards, Peter Böhm Technical Support, Network Management

    Monday, March 12, 2012 3:28 PM
  • Hi Peter,

      Is the Internal LAN url and the Internet url the same? Also, are the RemoteApps digitally signed? If so, the RDGateway, RDWebAccess and the RemoteApp needs to be signed by a trusted certificate and it is recommended to add the Certificate chain to the appropriate certificate stores on all the RDS. If internal and external url is different, then create a local host entry on your machine that points the external IP and name of the certificate of the RDWebAccess Server. Then browse and see if you are able to connect.

    Another Option would be to disable the User Group Policy Configuration for "Allow .rdp files from unknown publishers." option. If this GPO is enabled and the RemoteApp is signed by an Untrusted Publisher or not signed at all, then the RemoteApp connection will fail.

    Ideally the Gateway should be configured with an external certificate. In the post of the RDP file, the gateway is using an internal server name. If you can't resolve this DNS name of the gateway from the internet then this would cause issues when connecting to the RemoteApps.

    I think the information in bold is your issue.

    Thank You

    Avery

    • Proposed as answer by A-v-e-r-y Monday, March 12, 2012 7:12 PM
    Monday, March 12, 2012 6:27 PM
  • Hi Peter,

    I believe Avery is correct.  You cannot connect to the internal address of the Gateway when you are connected to the internet, this results in the gateway error from your previous post because you need an external address to connect through to reach your internal '192.168...' farm.  When making this connection the client will require that the gateway is signed with a valid certificate from a trusted root authority, which a wildcard should work if that's what you use.  So, you might have for example, RDGASRV.daisy.com assigned as the gateway server in Remote App manager for external client connections and use the setting for internal clients to 'Bypass RD Gateway server for local addresses'.

    Monday, March 12, 2012 8:53 PM
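
The check described in the replies above (open the exported RDP file and verify that `gatewayhostname` is an externally reachable name), written as a small script. This is an added example, not part of the original thread; the function names and the `INTERNAL_SUFFIXES` list are assumptions, and the sample input is constructed from a subset of the first RDP file posted above.

```python
import ipaddress

# Constructed sample: a subset of the first .rdp file posted in the thread.
SAMPLE_RDP = """\
server port:i:3389
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
full address:s:192.168.2.101
gatewayhostname:s:RDGA-SRV.daisy.local
"""

# Assumption: DNS suffixes that only resolve internally; extend for your zones.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".corp")


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict keyed by lower-cased name."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value may itself contain ':'
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].lower()] = parts[2]
    return settings


def host_is_internal(host):
    """True for private/loopback IPs, single-label names, internal suffixes."""
    host = host.strip().lower()
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host  # drop :port
    try:
        ip = ipaddress.ip_address(name)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        return "." not in name or name.endswith(INTERNAL_SUFFIXES)


def check_rdp(text):
    """Return findings that would stop an internet client reaching the farm."""
    s = parse_rdp(text)
    gateway = s.get("gatewayhostname", "")
    findings = []
    if not gateway or s.get("gatewayusagemethod", "0") in ("0", "4"):
        # 0 and 4 mean "do not use an RD Gateway": the client dials 'full address'.
        if host_is_internal(s.get("full address", "")):
            findings.append("no gateway in use and 'full address' is internal")
    elif host_is_internal(gateway):
        findings.append(f"gatewayhostname '{gateway}' is an internal name")
    return findings
```

Run `check_rdp()` over the text of each exported RDP file before publishing it; an empty list means the gateway name at least has the shape of a public one, which still has to resolve and match the certificate.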
  • Hi A-v-e-r-y

    Thanks for your reply and help.

    I got some answers to your questions.

    • No, the internal and external url are not the same. Outside I use https://tsgateway.daisy.com:4451/rpc.
      I get a login box, but when I log in I can't see that back on the gateway server. So....Do I login?
    • Yes, I use digitally signed certificates. *.daisy.com and installed them on all my RD servers in the Personal and Trusted Root store (local Computer)

    I changed the RDP file to:

    redirectclipboard:i:1
    redirectposdevices:i:0
    redirectprinters:i:1
    redirectcomports:i:1
    redirectsmartcards:i:1
    devicestoredirect:s:*
    drivestoredirect:s:*
    redirectdrives:i:1
    session bpp:i:32
    prompt for credentials on client:i:1
    span monitors:i:1
    use multimon:i:1
    remoteapplicationmode:i:1
    server port:i:3389
    allow font smoothing:i:1
    promptcredentialonce:i:1
    authentication level:i:2
    gatewayusagemethod:i:2
    gatewayprofileusagemethod:i:1
    gatewaycredentialssource:i:0
    full address:s:192.168.2.101
    alternate shell:s:||calc
    remoteapplicationprogram:s:||calc
    gatewayhostname:s:tsgateway.Daisy.com:4451
    remoteapplicationname:s:Calculator
    remoteapplicationcmdline:s:
    alternate full address:s:192.168.2.101
    signscope:s:Full Address,Alternate Full Address,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,Alternate Shell,RemoteApplicationProgram,RemoteApplicationMode,RemoteApplicationName,RemoteApplicationCmdLine,Authentication Level,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectPOSDevices,RedirectClipboard,DevicesToRedirect,DrivesToRedirect
    signature:s:AQABAAE

    Peter


    Met vriendelijke groet, Kind regards, Peter Böhm Technical Support, Network Management

    Tuesday, March 13, 2012 10:56 AM
  • Hi m.cass

    Yes, you were right. I had the wrong address and changed it.

    But still nothing


    Met vriendelijke groet, Kind regards, Peter Böhm Technical Support, Network Management

    Tuesday, March 13, 2012 11:02 AM
  • Hi Peter,

      Can you resolve the Gateway name from the internet? I attempted a name resolution and it failed. The gateway server needs to be resolved from the internet also or you need to create a local host entry.

    Also in your screen shot, the "Bypass gateway for local addresses" option is checked. So internal users will never go through the gateway server to connect to the remote app. What I recommend you trying is to connect Remote Desktop to a server using your Admin account. The Remote Desktop connection should look like the following:

    [Screenshot: RDP_ComputerName]

    Go to the "Advanced" tab and configure the TS Gateway settings in the "Connect from anywhere" section.

    [Screenshot: RDP_Gateway]

    If you are able to RDP to an internal server, then this rules out that the Gateway is the issue. One thing to note: If the Gateway and WebAccess Server is in a DMZ with FW placement between it and RDS Farm servers, then you will need to validate that the appropriate FW rules are enabled from this server. http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

    Hope this helps

    Thank You

    Avery

    Tuesday, March 13, 2012 1:33 PM