using certificates with 2008R2 RDS farm


  • Hello, would appreciate some guidance on what certificates are necessary in our RDS farm scenario. I am in the process of setting up a 5 server session host farm with a single connection broker server. This farm will be accessible by both non-domain and domain joined computers but all users connect through our SSL VPN before accessing the farm, thus no gateway is required.

    I'm currently getting prompted with the various certificate warnings and would like to get a better understanding of what type of certs are needed where. I'm assuming the connection broker needs an SSL cert for RDWeb? What about each session host server? Would each session host server require an SSL cert with the farm name?

    Would appreciate hearing what works best for others.

    thanks for your help


    Thursday, March 24, 2011 3:07 PM

All replies

  • cwalstib,

    You need:

    • an SSL cert that contains the name of the farm (farm.domain.local for example) - this will go on each of your 5 farm servers
    • RD Web Access needs an SSL cert (rdweb.domain.com for example)
    • If you sign RemoteApps, then you need an SSL cert for that

    (Note: you can use a SAN cert for the signing and RD Web Access parts)

    Another note: make sure the certs come from a CA that is part of the Microsoft Root Certificate program so the windows clients will already trust the CA certs

    Oh yeah, I did a blog about certs a while back: http://blog.kristinlgriffin.com/2010/08/minimum-certificate-requirements-for.html (obviously you don't need the RD Gateway part)


    Hope this helps,

    Kristin L. Griffin

    (SUPER BIG fan of the Remote Desktop Virtualization Team!!!)

    My RDS blog: blog.kristinlgriffin.com

    The new Microsoft Windows Server 2008 R2 Remote Desktop Services Resource Kit is now available!
    Thursday, March 24, 2011 6:33 PM
  • Thank you! Appreciate the quick response

    Thursday, March 24, 2011 6:49 PM
  • Hi,

    The exact certificates you need depend on which RDS role services you are using and how you are configuring your environment.  For simplicity I recommend purchasing a wildcard certificate ($99/year) that could be used for all RDS purposes.  For example, say you purchase a *.domain.com wildcard certificate.  This single cert would support all of the following RDS servers (and more):

    1. farm.domain.com - RDS Farm name, installed on each RDSH and configured using RD Session Host Configuration (tsconfig.msc).  This is the name your users will connect to when using the RD Client manually and/or the name that you will specify in RemoteApp Manager to be used for running RemoteApps from RDWeb.

    2. rdweb.domain.com - RDWeb Access, installed on each RDWeb server and configured in RemoteApp Manager for digital signing and IIS Manager https bindings of Default Web Site.  This is the name users will enter in their web browser (https://rdweb.domain.com/rdweb) to connect to RDWeb and run RemoteApps.  Additionally it should be configured in RD Session Host Configuration (tsconfig.msc) for server authentication purposes when connecting to the server via RD for admin purposes.

    3. rdcb.domain.com - RD Connection Broker, installed on each RDCB server and configured in Remote Connection Manager for digital signing of virtual desktops.  Additionally it should be configured in RD Session Host Configuration (tsconfig.msc) for server authentication purposes when connecting to the server via RD for admin purposes.

    4. rdg.domain.com - RD Gateway, installed on each RDG server and configured in RD Gateway Manager and IIS Manager for RD Gateway connections (you stated you are not using this option).  Additionally it should be configured in RD Session Host Configuration (tsconfig.msc) for server authentication purposes when connecting to the server via RD for admin purposes.

    I may have forgotten a specific certificate purpose above so please let me know if you have a use I did not cover.

    Thanks.

    -TP

    Thursday, March 24, 2011 6:53 PM
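    The checks behind TP's list, as an added example that is not code from the thread: it runs on a 2008 R2 session host and reports, for each RDS name, which certificates in the machine store cover it (subject CN or SAN, with single-label wildcard matching), whether each chains to a trusted root, and whether it is the one the RDP-Tcp listener is actually bound to. The hostnames are the thread's examples; the "DNS Name=" SAN text format assumes an English locale.

    ```powershell
    # Added example, not from the thread. Run elevated on an RD Session Host.
    # Names below are the examples TP used; replace them with your own.
    $RequiredNames = @('farm.domain.com', 'rdweb.domain.com', 'rdcb.domain.com')

    function Test-DnsNameMatch {
        param([string]$Pattern, [string]$HostName)
        # A wildcard covers exactly one label: *.domain.com matches farm.domain.com,
        # but neither domain.com nor a.b.domain.com.
        if ($Pattern.StartsWith('*.')) {
            $suffix = $Pattern.Substring(1)   # ".domain.com"
            if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
            $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
            return ($label.Length -gt 0 -and -not $label.Contains('.'))
        }
        return [string]::Equals($Pattern, $HostName, [StringComparison]::OrdinalIgnoreCase)
    }

    function Get-CertDnsNames {
        param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
        # Subject CN plus every DNS entry in the Subject Alternative Name extension (OID 2.5.29.17).
        $names = @($Cert.GetNameInfo('DnsName', $false))
        $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $san.Format($false) -split ',\s*' | ForEach-Object {
                if ($_ -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
            }
        }
        return ($names | Select-Object -Unique)
    }

    # Thumbprint of the certificate the RDP-Tcp listener presents (what tsconfig.msc sets).
    $listener  = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $boundHash = $listener.SSLCertificateSHA1Hash

    foreach ($name in $RequiredNames) {
        $covering = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
            $c = $_
            @(Get-CertDnsNames $c | Where-Object { Test-DnsNameMatch $_ $name }).Count -gt 0
        }
        if (-not $covering) { Write-Warning "$name : no certificate in LocalMachine\My covers this name"; continue }
        foreach ($c in $covering) {
            $trusted = $c.Verify()                     # chain builds to a root this machine trusts
            $bound   = ($c.Thumbprint -eq $boundHash)  # is this the cert RDP-Tcp presents?
            '{0,-18} {1} trusted={2} boundToRDP-Tcp={3} expires={4:d}' -f $name, $c.Thumbprint, $trusted, $bound, $c.NotAfter
        }
    }
    ```

    A name with no covering cert, or a covering cert that is not trusted or not bound to RDP-Tcp, corresponds to the certificate warnings the original poster describes.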
  • Hi CWALSTIB,

    I have a very similar scenario as yours except I only have 2 server session host machines with a broker as well.

    Did you get this to work? I see many different recommendations and suggestions. I tried buying a wildcard cert or a SAN from Comodo and they said they cannot do this for my internal name of .pri

    When creating a CSR, is this done from my broker server since that is the only server I have that has IIS? Can a CSR come from any of my internal servers with IIS on it? Anyway I am just curious to see how this is going for you.

    Thanks,

    TKE402

    Friday, October 12, 2012 3:48 PM