Unable to connect to ts gateway from outside lan.

    Question

  • I've read the posts on this subject but am still struggling with a solution.

    I have 1 win2008 server with AD, DNS, tsgateway installed and the server is in a DMZ. My dlink router has 443, 3389, and 80 forwarded to lan ip. Same ports open on windows firewall.

    The server is the computer that I connect to thru gateway when testing on local net. I can remote desktop into the server from any computer over the internet.

    I used a self signed certificate with the CN as the fqdn mycomp.mydomain.com. Should I be able to ping mycomp.mydomain.com from over the internet, right? This is my problem, I think, but I'm not sure how to fix it. Thanks for any help in advance.

    Vista Laptop - Client
    Dlink DIR-625
    Win2008server-gateway and resource


    Wednesday, November 11, 2009 6:28 PM

Answers

  • I worked with Simon offline.

    He has a test lab and TS Gateway, TS, etc. are all running on a DC.  He needed access from the outside. He needed DNS help.  So I pointed him to dyndns, he got a free DNS record from them, pointed it to his gateway.

    Then we redid his self signed cert, to match the external name given to this gateway via dyndns. Then we reset this cert in TSG, and tested.  It worked.


    Hope this helps,

    Kristin L. Griffin

    Co-Author of the Windows Server 2008 Terminal Services Resource Kit (and a SUPER BIG fan of the Microsoft RDV Team!!!) 
    Monday, November 16, 2009 5:19 PM
    Moderator

All replies

  • You should only have to open port 443 on the outside of the firewall.  Traffic comes in on 443, and TS Gateway sends it to the server on the inside on 3389.  So you need 3389 open from the TSG to the internal server.

    What about external DNS?  Is it set up to point mycomp.mydomain.com --> external IP of Dlink?

    Do you have pings blocked in the dlink?
    Do you have the firewall blocking pings on the TSG?

    PS - a self signed cert is ok for testing.  But you may have issues trying to authenticate to mycomp.mydomain.com unless your internal domain name and your external domain name happen to be the same. But you can test TSG from inside your network too.

    You will need to put that self signed cert into the trusted root store of the client trying to connect.

    If this doesn't make sense to you, I can help you if you like.  Email me at kristin.l.griffin AT gmail DOT com if you would like this and we can set up a time to meet remotely.

    Hope this helps,

    Kristin L. Griffin

    Co-Author of the Windows Server 2008 Terminal Services Resource Kit (and a SUPER BIG fan of the Microsoft RDV Team!!!)
    Wednesday, November 11, 2009 6:53 PM
    Moderator
  • What error do you get?
    Did you check the event logs on the Gateway server?
    Can you try and see if you can browse the site https://<GatewayServerName>/rpc from your client machine? It should ask you for credentials and then on successful authentication should lead you to a blank page.
    Thanks, Vikash
    Thursday, November 12, 2009 4:38 AM
    Moderator
  • Hello Kristin,

    Thanks for your sharing.

    It is a key point that the TS Gateway server must be resolved from the public network. In that way, the client from Internet side can find the target terminal server by the TS Gateway.

    For more information on TS Gateway role, please refer to:

    Terminal Services Gateway (TS Gateway)
    http://technet.microsoft.com/en-us/library/cc731264(WS.10).aspx

    Thanks.

    Regards,

    Lionel Chen

    Tuesday, November 17, 2009 7:18 AM
  • Just wanted to give Kristin props, she helped me out tremendously. I'm planning on buying her book because I think terminal services is good to know. I hope more companies decide to embrace it.
    Yea if you don't want to register your domain and just want to set something up to test for free then dyndns is the way to go.
    By the way I meant to get back on here and follow up on this but forgot all about it. Thanks to all who responded.
    Tuesday, November 17, 2009 9:39 PM
  • I have a similar issue:

    I am having the exact same problem and my setup is as follows:

    TS Web Access, TS Gateway and RDP Server on the same single member server. I have bound IIS to port 8443 as this is what I wish to use. I have a certificate issued by my internal CA which corresponds to the external name of RD Gateway Server.

    When I connect to the TS Web Access website from within the LAN I can get the App. As soon as I do this from the internet I get to the TS Website on port 8443, I can click on the app, but at the next credential prompt, it just keeps asking again and again for the credentials.

    The external name of my RD Gateway server is server.abcdef.co.uk while the remote computer name (actual domain name of the server) is server.adc.co.uk. The certificate issued to IIS is server.abcdef.co.uk that the client does trust and has no errors with it. The TS Website is https://server.abcdef.co.uk:8443/TS

    What else should I be looking at, as this is driving me crazy now.

    The client is Windows 7
    Wednesday, November 18, 2009 10:31 AM
  • Do you mean you have the gateway website on the IIS listening on port 8443 for HTTPS requests? If yes, then this is not supported. TS Gateway can only listen on port 443 on the IIS for HTTPS connections.
    Thanks, Vikash
    Wednesday, November 18, 2009 11:32 AM
    Moderator
  • Also, your RD Gateway cert needs to be the external name (server.abcdef.co.uk).
    Hope this helps,

    Kristin L. Griffin

    Co-Author of the Windows Server 2008 Terminal Services Resource Kit (and a SUPER BIG fan of the Microsoft RDV Team!!!) 
    Wednesday, November 18, 2009 6:55 PM
    Moderator
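
The checks behind the accepted answer and the last reply (the gateway certificate must carry the external name the client connects to, the gateway is reached on 443, and the client trusts the issuer), as an added example that is not part of the original thread. The host names and certificate dicts are constructed samples in the layout of Python's `ssl.SSLSocket.getpeercert()`; `check_gateway` and its parameters are hypothetical names.

```python
# Added example: names and certificate dicts below are constructed samples.
def cert_names(cert):
    """DNS names the cert is valid for (SAN entries first, else subject CN).

    `cert` uses the dict layout of Python's ssl.SSLSocket.getpeercert().
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # RFC 6125: when SAN DNS entries exist, the CN is not used
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def check_gateway(external_name, port, cert, client_trusts_issuer):
    """Return the problems raised in the thread; an empty list means OK."""
    problems = []
    if port != 443:
        problems.append(f"gateway reached on port {port}; only 443 is supported")
    names = cert_names(cert)
    if not any(name_matches(n, external_name) for n in names):
        problems.append(f"certificate names {names} do not cover {external_name}")
    if not client_trusts_issuer:
        problems.append("issuer is not in the client's trusted root store")
    return problems


# Constructed samples: a cert issued for the internal name, and one reissued
# for the external name the client actually uses (hypothetical dyndns host).
INTERNAL_CERT = {"subject": ((("commonName", "mycomp.mydomain.com"),),)}
REISSUED_CERT = {"subject": ((("commonName", "mylab.dyndns.example"),),)}

if __name__ == "__main__":
    for cert in (INTERNAL_CERT, REISSUED_CERT):
        print(check_gateway("mylab.dyndns.example", 443, cert, True) or "OK")
```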