RD Web and RD Gateway Access Issues

  • Question

  • Hi there

    I'm hoping someone can help with RD access using Server 2008 R2.

    We are trying to publish RemoteApps and RDP through RD Web Access.  The web pages work a treat, but do not allow users to launch any of the RemoteApps or RDP to a server/desktop on the internal network.

    The current config is this:

    1x RDWeb 2008r2 server

    1x RDGateway 2008r2 server

    1x RDApp 2008r2 server

    1x ISA2006 2003 server

    The ISA server sits in the DMZ, whereas the other servers all sit on the domain.

    The RDWeb server has a public IP.

    Internally everything works without issue. Externally, only the displaying of the RDWeb page and its applications works.  If you click on them, you get the following error messages:

    (with RD Gateway enabled)

    Your computer cannot connect to the remote computer because the remote desktop gateway server is unreachable or incorrect. Type a valid remote desktop gateway server address

    (without RD Gateway enabled)

    The remote computer could not be found. please contact your helpdesk about this error

    -----

    I've been reading the TechNet documentation (which tbh is fairly pants) and blogs/posts etc., but none that I have come across seem to indicate the best way to have this configured.  I think I may require another external IP for the RD Gateway and another SSL certificate for the RD Gateway.

    Could someone please give me guidance/help/advice/instructions that are relevant for this setup?

    Many thanks in advance

    Andy


    Thursday, August 5, 2010 12:13 PM

Answers

  • Hi Andy,

    Your RD Gateway server (the name you specified in RemoteApp Manager settings, RD Gateway tab) needs to be reachable from the external clients via TCP port 443.  If you want you could have RDWeb as well as RDG on the same server, using the same SSL certificate.

    I recommend using a UCC certificate purchased from a public authority like GoDaddy, GeoTrust, GlobalSign, Thawte, etc. that contains the names of all of your different RDS servers.  That way you can use a single SSL certificate for RDWeb, RDGateway, RDSH, etc.  UCC certs are as low as $72/year.

    Let me give a quick summary of the process when a client connects via RDWeb with a RDG configured to better illustrate where your configuration is wrong:

    Client PC Internet Explorer communicates with RDWeb via port 443 --> user clicks RemoteApp icon, which launches the RD Client and instructs it to connect to RDG via port 443 --> RDG server opens a connection to the RDSH via port 3389, acts as middle-man between client PC and RDSH server

    To summarize key points, the RD Gateway server must be resolvable as well as reachable from the Internet via port 443, whereas the Remote Desktop Session Host server name must be resolvable/reachable via port 3389 from the RDG server.  Each role should have an SSL certificate that matches the name configured for it in RemoteApp Manager settings.

    -TP


    • Proposed as answer by TP [MVP] Friday, August 6, 2010 12:03 PM
    • Marked as answer by Wilson Jia Thursday, August 12, 2010 3:24 AM
    Friday, August 6, 2010 12:03 PM
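An added check, not from the thread and not Microsoft's tooling, for the two requirements TP lists: that the RD Gateway name configured in RemoteApp Manager resolves and answers on TCP 443 from outside, and that the certificate it presents covers that name the way a UCC certificate holding every RDS role name would. Hostnames such as rdgate.domain.com are assumed placeholders.

```python
"""Added example, not from the thread: verify an RD Gateway name the way the
RD client would, reporting DNS, port 443 and certificate-name problems apart."""
import socket
import ssl


def cert_names(peercert: dict) -> list:
    """DNS names from ssl.getpeercert(): SAN entries (a UCC cert lists every
    RDS role here) followed by the subject CN for old single-name certs."""
    names = [v for t, v in peercert.get("subjectAltName", ()) if t == "DNS"]
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_covered(names, host: str) -> bool:
    """True if the configured host matches a certificate name. A wildcard
    covers exactly one left-most label, so *.domain.com does not cover
    domain.com or a.b.domain.com (RFC 6125 rules)."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*.") and len(labels) > 1:
            if ".".join(labels[1:]) == name[2:]:
                return True
        elif name == host:
            return True
    return False


def check_gateway(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Resolve, connect and fetch the validated certificate. Chain validation
    stays on (CERT_REQUIRED); only the hostname match is done by us so a
    name mismatch comes back as a result instead of an exception."""
    result = {"host": host, "resolves": False, "reachable": False,
              "cert_matches": False, "error": None}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        socket.gethostbyname(host)
        result["resolves"] = True
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["reachable"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["cert_matches"] = name_covered(cert_names(tls.getpeercert()), host)
    except OSError as exc:  # covers gaierror, timeout and ssl.SSLError
        result["error"] = str(exc)
    return result
```

Run `check_gateway("rdgate.domain.com")` from an external client; `resolves`/`reachable` false points at DNS or the firewall, `cert_matches` false at a certificate that does not carry the configured name.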

All replies

  • Hi Andy,

    According to your description, I would suggest you verify whether the RD Gateway server has at least one RD CAP enabled; you can refer to:
    In addition, I have also included the following helpful blog about RD Gateway deployment for your reference:
    RD Gateway deployment in a perimeter network & Firewall rules
    Regards,
    Wilson Jia

    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, August 6, 2010 7:51 AM
    Cheers for the reply, but unfortunately the posts do not really help.

    Could someone confirm, if you have an RDWeb server and an RDGateway server, exactly what you need to access the RDApps externally?  As in, do I need both a web.domain.com and a rdgate.domain.com? If I need both, do they require their own IP addresses?

    Cheers

    Andy

    Friday, August 6, 2010 11:39 AM
    Depending on the size of your implementation you could put both roles on the same server, thus only requiring one IP and one certificate. Unfortunately RD Gateway does not reverse proxy connections like Citrix Secure Gateway (which proxies access to Citrix Web Interface).

    Implementing ISA Server or Forefront Threat Management Gateway may give you the ability to provide access to both RD Gateway and RD Web Access behind a single IP.

    Friday, August 6, 2010 11:59 AM
  • Key: HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot

    Value: DisableRootAutoUpdate

    Type: REG_DWORD

    Data: 1 - Root Update disabled

    To be implemented on the TS/RD Gateway only.

    I had a similar issue and resolved it with the above registry setting. The reason why we set DisableRootAutoUpdate to 1 is because in some scenarios, if the TLS client side can’t retrieve the root authorities list via the internet due to a DNS error or network connectivity issue, it will retry one more time. Sometimes we experience a slowness issue waiting for the download behavior to time out. The workaround is to disable this feature accordingly.


    Here is an explanation of the “update root certificates feature”:

    The Update Root Certificates Feature in Windows Vista

    The Update Root Certificates feature in Windows Vista is designed to automatically check the list of trusted authorities on the Windows Update Web site when this check is needed by a user's application. Specifically, if the application is presented with a certificate issued by a certification authority in a PKI that is not directly trusted, the Update Root Certificates feature (if it is not turned off) will contact the Windows Update Web site to see if Microsoft has added the certificate of the root CA to its list of trusted root certificates. If the CA has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the set of trusted root certificates on the user's computer.

    http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx

    Please propose as answer if this has helped you.


    Thanks

    Monday, April 29, 2013 10:20 PM