RDWeb: can't connect, RD Gateway server temporarily unavailable

  • Question

  • Hello everyone,

    We are having the "can't connect, RD Gateway server temporarily unavailable" on RDWeb, only when accessed externally. Internally, the same external URL works. Server 2016.

    This feature was working externally some time ago and we are not sure of what exactly broke it.

    BPA's only warning is:

    "The RD Gateway server SSL certificate must be configured with a valid certificate subject name

    Severity: Warning

    Problem:
    The Remote Desktop Gateway (RD Gateway) server Secure Sockets Layer (SSL) certificate may not have a valid certificate subject name.

    Impact:
    If the RD Gateway server is configured to use an SSL certificate with a certificate subject name that is not valid, users cannot connect to internal network resources (computers) through the RD Gateway server.

    Resolution
    Use the RD Gateway Manager tool to select a valid SSL certificate for the RD Gateway server to use."

    We have tried other certificates and the result is the same. All other certificates are also ok, they are valid and were made from Let's Encrypt.

    Any help will be highly appreciated!


    Saturday, January 19, 2019 6:58 PM

Answers

All replies

  • Hi,

    1. Is RD Gateway installed on the same server as RD Web Access, or different?

    2. If the FQDN for RD Gateway is different than the one you are using to access the RDWeb page, have you verified that it resolves to the correct external ip address on the public Internet?

    3. Is the RD Gateway service Running?

    4. Do you have TCP port 443 and UDP port 3391 forwarded on your firewall to your RD Gateway server's internal ip address?

    By default when launching connections internally the RD Gateway server isn't used.

    -TP

    Sunday, January 20, 2019 6:57 PM
    Moderator
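A way to walk through TP's checklist from outside the network, as an added example that is not code from the thread: it resolves the gateway FQDN, tries TCP 443, and checks that the certificate the gateway presents actually names that FQDN (the subject/SAN mismatch the BPA warning in the question is about). The FQDN `rdg.example.com` and the names in the offline checks are placeholders, not values from this thread.

```python
"""Added example, not from the thread: check an RD Gateway FQDN from outside the
network the way TP's list asks: DNS resolution, TCP 443 reachability, and
whether the TLS certificate presented names that FQDN (the BPA warning in the
question is about such a subject/SAN mismatch). UDP 3391 (RDP over DTLS) is
optional and is not probed here; a missing forward only makes RDP fall back
to TCP."""
import socket
import ssl
import sys
from typing import Iterable, List

RDG_PORT_TCP = 443  # RD Gateway HTTPS transport


def cert_matches_hostname(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """True if hostname is covered by one of the certificate's DNS SANs.

    Matching is case-insensitive; a wildcard is accepted only as the whole
    leftmost label and matches exactly one label, so '*.example.com' covers
    'rdg.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def san_dns_names(cert: dict) -> List[str]:
    """Pull the DNS entries out of the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_gateway(fqdn: str, timeout: float = 5.0) -> dict:
    """Live check (needs network, not part of the offline test): resolve the
    FQDN, open TCP 443, complete a TLS handshake and compare the SANs."""
    result = {"fqdn": fqdn, "resolved": [], "tcp443": False,
              "chain_ok": None, "san": [], "name_ok": None}
    try:
        infos = socket.getaddrinfo(fqdn, RDG_PORT_TCP, type=socket.SOCK_STREAM)
        result["resolved"] = sorted({ai[4][0] for ai in infos})
    except socket.gaierror:
        return result  # TP's point 2: the name must resolve publicly first

    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we report a name mismatch ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED   # the chain still has to validate
    try:
        with socket.create_connection((fqdn, RDG_PORT_TCP), timeout=timeout) as raw:
            result["tcp443"] = True       # TP's point 4: 443 is forwarded
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        result["chain_ok"] = False
        return result
    except (OSError, ssl.SSLError):
        return result

    result["chain_ok"] = True
    result["san"] = san_dns_names(cert)
    result["name_ok"] = cert_matches_hostname(fqdn, result["san"])
    return result


if __name__ == "__main__":
    # Placeholder FQDN; pass the real external gateway name as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "rdg.example.com"
    print(check_gateway(target))
```

A `name_ok` of False with `chain_ok` True is exactly the case BPA warns about: a valid certificate that does not name the FQDN clients use. Run it twice, from inside and from outside, and a difference in `resolved` or `tcp443` points at DNS or the firewall rather than at the gateway role.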
  • Remember that RDGateway and RDWeb need to have different names. Also, check the IIS bindings.

    https://www.virtuallyboring.com/setup-rd-gateway-role-on-windows-server-2012-r2/

    https://social.technet.microsoft.com/Forums/en-US/1da9cd90-80f4-4087-9edf-2d9cfa1d312f/the-remote-desktop-gateway-rd-gateway-server-does-not-have-a-valid-secure-sockets-layer-ssl?forum=winserverTS


    “Vote As Helpful” and/or “Mark As Answered” - MCSA - MCSE - http://www.ucsteps.com/

    Sunday, January 20, 2019 8:18 PM
  • Hi, thank you for taking time to help with this issue.

    Same server. Worked externally for some time.

    Names are resolved correctly.

    Every service running.

    Only port 443 was redirected, worked like this. Didn't find anything regarding redirecting port 3391 for it to work.

    Sunday, January 20, 2019 9:34 PM
  • They have different names.

    IIS Bindings seem fine, as the page is accessible externally. The 'can't connect, RD Gateway server temporarily unavailable' is the issue. No logs on server regarding this. We get this error when clicking on a remote app which already worked some time ago.

    Having a hard time trying to solve this, as you guys can imagine.

    I'll try those links tomorrow.

    Sunday, January 20, 2019 9:36 PM
  • Hello,

     

    You can refer to the steps below to quickly check the IIS setting; here is a post with a similar issue for your reference:

    https://social.technet.microsoft.com/Forums/en-US/901d761e-773a-4dd0-a122-59d554fc63d8/your-computer-can8217t-connect-to-the-remote-computer-because-the-remote-desktop-gateway-server?forum=smallbusinessserver

     

    Go to IIS -> Application Pools -> DefaultAppPool -> Advanced Settings -> Enable 32-Bit Applications -> if it's True, change it to False

     

    Hope it helps and have a nice day.

     

    Thanks,

    Jenny


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 21, 2019 8:45 AM
  • This was checked prior to this thread and it was already ok. Every procedure/tutorial was followed.

    What this server has that is unusual: another IP on the same interface. As follows:

    192.168.0.254: Every role of this server was set up on this IP. MS DNS listens only on it.
    192.168.0.250: We have another web server and DNS, NxFilter. Since by default IIS listens for connections on every IP, this was done to avoid conflicts:

    http://toastergremlin.com/?p=320

    Bindings seem ok on 'netsh http show iplisten', with IIS listening on the main IP 192.168.0.254. RDWeb works for a published app from inside the network, not outside. Everything works flawlessly on this server, which has a very fast startup (DNS is in top shape) and no errors on event logs.

    One important aspect here: I can say from experience that BPA could do a better job, really.

    Monday, January 21, 2019 6:48 PM
  • Hi,

    UDP 3391 permits RDP over UDP using DTLS.  If you don't forward it then things will still work but RDP will be limited to TCP only.

    1. Are there any warnings/errors in the TerminalServices-Gateway logs on your RD Gateway server?

    2. If you run netsh http show urlacl do you see a reserved URL for remoteDesktopGateway?  Please post it here.

    3. I read in your other reply that you have multiple ips and have changed the default configuration, and have another web server running and are running NxFilter.  It is possible that this change in configuration has somehow prevented RD Gateway from receiving traffic.

    What I would suggest is to completely remove the third-party web/dns software and return IIS to its default configuration to the degree possible.  After completing this, test to see if RD Gateway is working.

    Thanks.

    -TP

    Monday, January 21, 2019 7:18 PM
    Moderator
  • It was working without the port being redirected. Anyway, I've tried redirecting it - no results.

    1. No warning/errors on logs;

    2. Interesting command that you pointed out.

    Here is the output:

    URL Reservations: 
    ----------------- 
    
        Reserved URL            : http://*:5357/ 
            User: BUILTIN\Usuários
                Listen: Yes
                Delegate: No
            User: NT AUTHORITY\LOCAL SERVICE
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;BU)(A;;GX;;;LS) 
    
        Reserved URL            : http://+:80/Temporary_Listen_Addresses/ 
            User: \Everyone
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;WD) 
    
        Reserved URL            : https://*:5358/ 
            User: BUILTIN\Usuários
                Listen: Yes
                Delegate: No
            User: NT AUTHORITY\LOCAL SERVICE
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;BU)(A;;GX;;;LS) 
    
        Reserved URL            : http://*:2869/ 
            User: NT AUTHORITY\LOCAL SERVICE
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;LS) 
    
        Reserved URL            : https://+:5986/wsman/ 
            User: NT SERVICE\WinRM
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;S-1-5-80-569256582-295340543351-2909559716-1301513147-412116970) 
    
        Reserved URL            : http://+:47001/wsman/ 
            User: NT SERVICE\WinRM
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;S-1-5-80-56922356582-295340543351-2909559716-1301513147-412116970) 
    
        Reserved URL            : http://+:5985/wsman/ 
            User: NT SERVICE\WinRM
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;S-1-5-80-56924356582-295340543351-2909559716-1301513147-412116970) 
    
        Reserved URL            : https://+:443/sra_{BA13959180-CD49-4548b-9E223-C84EE50ADCD75}/ 
            User: NT SERVICE\SstpSvc
                Listen: Yes
                Delegate: Yes
            User: BUILTIN\Administradores
                Listen: Yes
                Delegate: Yes
            User: NT AUTHORITY\SYSTEM
                Listen: Yes
                Delegate: Yes
                SDDL: D:(A;;GA;;;S-1-5-80-343575401886-79951854250-3791383489-3228296122-2938884314)(A;;GA;;;BA)(A;;GA;;;SY) 
    
        Reserved URL            : https://+:8391/ 
    Can't lookup sid, Error: 1332
                 SDDL: D:(A;;GX;;;S-1-5-80-380384433992-136396556432-2216135730-121415389-1533413295) 
    
        Reserved URL            : http://+:10246/MDEServer/ 
            User: NT AUTHORITY\Authenticated Users
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;AU) 
    
        Reserved URL            : http://+:10247/apps/ 
            User: NT AUTHORITY\Authenticated Users
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GX;;;AU) 
    
        Reserved URL            : https://+:443/remoteDesktopGateway/ 
            User: BUILTIN\Administradores
                Listen: No
                Delegate: Yes
            User: NT AUTHORITY\NETWORK SERVICE
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GW;;;BA)(A;;GX;;;NS) 
    
        Reserved URL            : https://+:443/kdcproxy/ 
            User: BUILTIN\Administradores
                Listen: No
                Delegate: Yes
            User: NT AUTHORITY\NETWORK SERVICE
                Listen: Yes
                Delegate: No
                SDDL: D:(A;;GW;;;BA)(A;;GX;;;NS) 


    3. We know that removing NxFilter would be the way to go, but it is not an option on this production server. We can't add another box at the moment. It seems that RD *may* be checking NxFilter DNS. 

    I'll try a test with this in mind and check the logs. Edit: nothing on the logs.

    There's also a metric setting as '1' so the server's name is resolved as 192.168.0.254 (and not other IPs).


    Monday, January 21, 2019 7:45 PM
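To make a listing like the one above easier to check, here is an added example (not code from the thread): a parser for the text `netsh http show urlacl` prints, run over a constructed sample modelled on the output posted above (shortened, with a placeholder SID in the unresolvable-SID entry). It reports whether the `remoteDesktopGateway` reservation exists, which principal is allowed to listen on it, and which other reservations share port 443 with it, which is how HTTP.SYS lets the gateway and the kdcproxy reservation coexist with IIS on the same port.

```python
"""Added example, not from the thread: parse 'netsh http show urlacl' output
and check the RD Gateway URL reservation.  SAMPLE_URLACL is a constructed,
shortened version of the listing posted in the thread (placeholder SID)."""
import re
from typing import Dict, List, Tuple

SAMPLE_URLACL = """\
URL Reservations:
-----------------

    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
        User: \\Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)

    Reserved URL            : https://+:8391/
Can't lookup sid, Error: 1332
             SDDL: D:(A;;GX;;;S-1-5-80-0-0-0-0-0)

    Reserved URL            : https://+:443/remoteDesktopGateway/
        User: BUILTIN\\Administrators
            Listen: No
            Delegate: Yes
        User: NT AUTHORITY\\NETWORK SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GW;;;BA)(A;;GX;;;NS)
"""

RDG_URL = "https://+:443/remoteDesktopGateway/"

RESERVED_RE = re.compile(r"^\s*Reserved URL\s*:\s*(\S+)")
USER_RE = re.compile(r"^\s*User:\s*(.+?)\s*$")
FLAG_RE = re.compile(r"^\s*(Listen|Delegate):\s*(Yes|No)\s*$")
SDDL_RE = re.compile(r"^\s*SDDL:\s*(\S+)")
PORT_RE = re.compile(r"^https?://[^/]+:(\d+)/")


def parse_urlacl(text: str) -> List[Dict]:
    """Turn the netsh listing into one dict per reservation.

    Each dict has 'url', 'users' (name/listen/delegate per principal), 'sddl'
    and 'notes' (lines netsh printed that are not part of the grammar, such as
    "Can't lookup sid" when the SID no longer resolves to an account).
    """
    entries: List[Dict] = []
    current = None
    user = None
    for line in text.splitlines():
        m = RESERVED_RE.match(line)
        if m:
            current = {"url": m.group(1), "users": [], "sddl": None, "notes": []}
            entries.append(current)
            user = None
            continue
        if current is None:          # header lines before the first reservation
            continue
        m = USER_RE.match(line)
        if m:
            user = {"name": m.group(1), "listen": None, "delegate": None}
            current["users"].append(user)
            continue
        m = FLAG_RE.match(line)
        if m and user is not None:
            user[m.group(1).lower()] = (m.group(2) == "Yes")
            continue
        m = SDDL_RE.match(line)
        if m:
            current["sddl"] = m.group(1)
            continue
        if line.strip():
            current["notes"].append(line.strip())
    return entries


def gateway_reservation_status(entries: List[Dict]) -> Tuple[bool, List[str]]:
    """(found, listeners): does the RD Gateway reservation exist, and which
    principals have Listen: Yes on it.  TP's check expects NETWORK SERVICE."""
    for entry in entries:
        if entry["url"].lower() == RDG_URL.lower():
            return True, [u["name"] for u in entry["users"] if u["listen"]]
    return False, []


def reservations_on_port(entries: List[Dict], port: int) -> List[str]:
    """URLs reserved on a given port, i.e. everything sharing 443 via HTTP.SYS."""
    out = []
    for entry in entries:
        m = PORT_RE.match(entry["url"])
        if m and int(m.group(1)) == port:
            out.append(entry["url"])
    return out


if __name__ == "__main__":
    parsed = parse_urlacl(SAMPLE_URLACL)
    print("RD Gateway reservation:", gateway_reservation_status(parsed))
    print("Reservations on 443:", reservations_on_port(parsed, 443))
```

On a real server, pipe the output of `netsh http show urlacl` into `parse_urlacl` instead of the sample. A missing `remoteDesktopGateway` reservation, or one without a listener, would explain the error in the thread; the listing the poster shows has it with `NT AUTHORITY\NETWORK SERVICE` listening, which is why TP moved on to the multi-IP configuration.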
  • Hi,

     

    Usually such an issue is related to an IIS setting or a name mismatch, but as you confirmed, both IIS and DNS settings are correct. Probably the cause is related to third party software, but removing it is not a good option for you.

    Given that, you may consider contacting Microsoft Customer Support and Services, where a more in-depth investigation can be done so that you would get a more detailed explanation and solution to this issue. (In addition, if the issue has been proved to be a system flaw, the consulting fee would be refunded.)

    You may find phone number for your region accordingly from the link below: 

    Global Customer Service phone numbers 

    https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers

     

    Or kindly wait for TP in case he has any more suggestions.

     

    Best Regards,

    Jenny


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 28, 2019 8:10 AM
  • Thank you for the suggestion.

    To this moment, we are sure that the BPA doesn't properly consider multihomed scenarios, so an improvement on it and probably on the RDWeb Gateway inner workings would be welcome.


    Monday, January 28, 2019 4:01 PM
  • Hi, 

    Sorry for late follow up. Sure, I will report your feedback to the product team to improve.

    Thanks,

    Jenny


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, February 11, 2019 1:57 AM
  • Thank you, Jenny.

    I'll keep trying to address this issue.

    Edit: I was finally able to restart this server to apply all updates. The issue still happens: we can connect to RDWeb RemoteApp from inside the network (using the external URL), but not from outside.
    Monday, February 11, 2019 9:30 PM
  • Is the "RD Gateway" role really needed for external Remote App / RdWeb access?


    Friday, May 24, 2019 5:50 PM
  • Solved by using the following steps:

    https://social.technet.microsoft.com/Forums/ie/en-US/cfa7d283-4b1b-4da6-8589-82059b31d258/local-fqdn-shown-when-connecting-to-session-host-through-rdgateway?forum=winserverTS

    And setting Deployment properties > RD Gateway > Automatically detect RD Gateway server settings.

    I hope that this could help who is having the same or similar issues.

    (By the number of problems on RDS/RDWeb/RemoteApp, the whole feature could get a new approach from Microsoft)


    Thursday, May 30, 2019 5:43 AM