ADFS and RDG SSL certificate

  • Question

  • Hello

    We have a setup where an RDG is in place, using port 443 and the certificate rdg.companyname.co.uk. I'm pretty sure we can use the same certificate for the ADFS but not sure how to handle the port for RDG. Do we change the internal port for RDG to something like 8443, or change both the internal and external ports?

    regards,

    Elroy

    Thursday, December 3, 2015 11:04 AM

All replies

  • I am not sure I understand. Do you have the RDG service installed on an ADFS server or a WAP server?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, December 3, 2015 9:52 PM
    Owner
  • I have a Server-A functioning as an RDG server. When that server was set up, the certificate rdg.companyname.co.uk was purchased for it from GoDaddy. Now we have a requirement to install ADFS on Server-B. My questions are:

    1. Can I use the same SSL certificate called rdg.companyname.co.uk for both server-A (RDG) and Server-B (ADFS)?

    2. Both use port 443, will this be a problem? Should I change the HTTPS port for RDG to something else?

    cheers!

    Wednesday, December 9, 2015 5:08 PM
  • The subject name of the certificate for your ADFS has to be the FQDN of your ADFS farm. Because you will probably not call your ADFS farm rdg.companyname.co.uk, you will not be able to use the same certificate.

    If you want to use the same certificate, you must have a wildcard certificate. Something like *.companyname.co.uk and then it will be possible.

    The port does not matter since the service is not installed on the same server. I guess what you mean is that you have only one public IP address. In that case, you can publish the RDP Gateway using WAP. Then you can bind different certificates to the same port as long as the FQDN is different.


    Wednesday, December 9, 2015 5:20 PM
    Owner
  • Thank you Pierre.

    Since the setup is for a client, they may not accept paying for another SSL certificate. Therefore, IF we had to use rdg.companyname.co.uk as the name of the ADFS farm, is that possible (if we had 2 public IPs)?

    Thursday, December 10, 2015 9:18 AM
  • Also, I haven't used WAP before. Reading MS TechNet on RDG deployment, it doesn't cover WAP either. Can I not just deploy RDG without WAP? I can't see this role anywhere in 2008 R2, so how did RDG work on there?

    Thursday, December 10, 2015 4:28 PM
  • I think there is some confusion here. My bad, I'll try to be clearer :)

    There is no relation whatsoever between Remote Desktop Gateway and ADFS. None. Hence there is no common port, nor common certificate issue.

    RDG is a way to access machines using Remote Desktop Protocol over HTTPS. If you want to publish this externally, just make sure that the SSL certificate you are using is a public certificate with the subject name matching the public name of your RDG. So if your RDG is rdg.companyname.co.uk, then make sure you configure your public DNS to resolve this FQDN to the public IP address of the RDG. If you have a public address, it means that you are probably using some sort of reverse proxy technology or some NAT/PAT. In that case, make sure your configuration is redirecting the traffic of your RDG to the right machine internally.

    ADFS and WAP (aka ADFS Proxy, which enables you to publish your ADFS farm externally) have their own name and their own certificate, let's say for adfs.companyname.co.uk. It is not related to RDG at all.

    So the original question is a bit odd. Now, what I assumed (and please give us more information to make sure we get it right) is that you have only 1 public IP address, and therefore if you want to publish on your reverse proxy, or whatever network device is doing NAT/PAT to the right box, you need to make a choice.

    One option to make it work under the aforementioned premise is to use WAP to publish RDG (even though I actually never tried it, it is worth a try). The steps are the following:

    1. Obtain a valid cert for your RDG rdg.companyname.co.uk (internally the IP is 10.0.0.1).
    2. Obtain a valid cert for your ADFS adfs.companyname.co.uk, or obtain one cert valid for both with a wildcard or a SAN (internally the ADFS server IP address is 10.0.0.2).
    3. Deploy a WAP server (internal IP is 10.0.0.3 and its public IP is 1.1.1.1).
    4. Configure your internal DNS to make sure adfs.companyname.co.uk is resolved to 10.0.0.2 (split-horizon DNS).
    5. Configure your public DNS to make sure rdg.companyname.co.uk is resolved to 1.1.1.1 and adfs.companyname.co.uk is resolved to 1.1.1.1 (same public IP).
    6. On your WAP server, import both certs and create a pass-through (no pre-auth) publication for your RDG.

    And this should do the trick. Please advise if you need more details! Let us know!


    Friday, December 11, 2015 12:22 AM
    Owner
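Step 6 of the procedure above (the pass-through publication of RDG on WAP, with both certificates on the same public IP and port), as an added PowerShell example that is not from the thread or from Microsoft's documentation. The host names and the 10.0.0.x / 1.1.1.1 addresses are the post's illustrative values; it assumes the Web Application Proxy role is already installed and joined to the ADFS farm, and that both certificates (with private keys) are already in the WAP server's machine store.

```powershell
# Added example (not from the thread): publish RD Gateway through WAP as pass-through,
# next to the ADFS proxy publication that Install-WebApplicationProxy already created.
# Run on the WAP server (10.0.0.3 in the post) in an elevated PowerShell session.

# Step 6 says "import both certs": look them up by subject instead of hard-coding thumbprints.
# The ADFS cert was bound by the WAP wizard; only the RDG cert is needed here.
$rdgCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=rdg.companyname.co.uk*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $rdgCert) { throw 'No certificate with private key for rdg.companyname.co.uk in LocalMachine\My' }

# Split-horizon check (step 4 done for RDG too): WAP must resolve the backend name to the
# internal RDG address (10.0.0.1 in the post), not to the public 1.1.1.1 it publishes itself.
$backend = (Resolve-DnsName 'rdg.companyname.co.uk' -Type A -ErrorAction Stop).IPAddress
if ($backend -ne '10.0.0.1') {
    throw "rdg.companyname.co.uk resolves to $backend on this host; fix internal DNS before publishing"
}

# Pass-through publication: WAP does no pre-authentication, RDG keeps doing its own NTLM/Kerberos auth.
# Same external port 443 as ADFS; WAP picks the certificate by the SNI name the client sends.
Add-WebApplicationProxyApplication `
    -Name 'RD Gateway' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://rdg.companyname.co.uk/' `
    -ExternalCertificateThumbprint $rdgCert.Thumbprint `
    -BackendServerUrl 'https://rdg.companyname.co.uk/' `
    -InactiveTransactionsTimeoutSec 28800   # RDP sessions are long-lived; default idle timeout is too short

# Verify: both FQDNs are now published on the same WAP, each with its own certificate.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalUrl, ExternalPreauthentication, ExternalCertificateThumbprint |
    Format-Table -AutoSize
```

WAP only proxies HTTPS, so the RDG UDP transport (port 3391) is not published this way; clients fall back to the HTTP transport, which is the path this thread is about.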