Solved

Remote Desktop Services (2008 R2) works great internally (LAN) but fails to broker sessions externally

Posted on 2009-12-16
Last Modified: 2013-11-21
As the title says, Remote Desktop Services works great internally but fails to broker sessions externally.  I set up a three-server RDS farm with Windows Server 2008 R2: two servers are identically configured Session Hosts (RD1a and RD1b), the other is a Session Broker with RD Web Access (RDBroker1) with an HTTPS certificate.  My attached diagram shows the setup we have internally and externally and what I believe should be happening.

What is happening is that when the end user connects via the RDP client, the RDBroker server begins to connect, but then freezes as it's trying to redirect the connection to either RD1a or RD1b for a session.  Eventually the RDP client closes.  From the web, users can successfully get to and log into the web site.  Once in, sometimes connecting to RDP via the web or to a Remote App works externally, but oftentimes it too will fail to direct the connection to one of the session hosts and fail to connect to the app or RDP session.  My guess is that it has something to do with DNS.  The RDBroker server is a dedicated session broker, and it along with the session hosts are using IP address redirection.

We have DNS round robin setup on our external DNS with the farm name "RDF1.company.com" along with external URLs for RD1a and RD1b:

RD1a.company.com  204.XX.XX.02
RDF1.company.com  204.XX.XX.02
RD1b.company.com  204.XX.XX.03
RDF1.company.com  204.XX.XX.03
and
RD1.company.com   204.XX.XX.01

We also have our internal DNS set up the same way with the 10.XX.XX. series of addresses.  It seems that when the broker is trying to redirect a session it may be trying to send the external client to an internal 10.XX.XX.XX address, which is why it's not connecting.  Internally everything works perfectly, but not from outside.  Should we add the external DNS addresses to our internal DNS somehow, or are there any other suggestions?  We also have the RD Gateway installed on the RDBroker1 server.  Can we configure that to tunnel RDP traffic through HTTPS somehow?  I look forward to your assistance.
[Attachment: RD-Map1.jpg]
Question by:wildclay
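The question suspects that the broker is handing external clients an internal 10.x.x.x address, and it relies on the external round-robin record for RDF1 listing both session hosts. The following Python example is added here (it is not from the original post or from any of the posters) to make both suspicions checkable offline: it models the external and internal DNS views as record sets, flags any name in a view whose records include an RFC 1918 address, and flags a farm name whose round-robin set does not contain every session host's address. The names follow the question; the addresses are constructed sample values (203.0.113.0/24 is a documentation range standing in for the public 204.x.x.x addresses, 10.0.0.0/8 for the internal ones). The resolve_view helper, which the offline checks do not call, reads a live view through the standard socket module so the same checks can be run from inside and outside the network.

```python
import ipaddress
import socket

# RFC 1918 ranges: an external (public-facing) DNS view should never hand
# one of these to a remote client.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SESSION_HOSTS = ["rd1a.company.com", "rd1b.company.com"]
FARM_NAME = "rdf1.company.com"

# Constructed sample views (not the poster's real data). 203.0.113.0/24 is a
# documentation range standing in for the public 204.x.x.x addresses.
EXTERNAL_VIEW = {
    "rd1a.company.com": ["203.0.113.2"],
    "rd1b.company.com": ["203.0.113.3"],
    "rdf1.company.com": ["203.0.113.2", "203.0.113.3"],
    "rd1.company.com": ["203.0.113.1"],
}
INTERNAL_VIEW = {
    "rd1a.company.com": ["10.0.0.2"],
    "rd1b.company.com": ["10.0.0.3"],
    "rdf1.company.com": ["10.0.0.2", "10.0.0.3"],
    "rd1.company.com": ["10.0.0.1"],
}
# A broken external view: the farm name carries one internal address and,
# as a result, one session host has dropped out of the external round robin.
LEAKY_EXTERNAL_VIEW = {
    "rd1a.company.com": ["203.0.113.2"],
    "rd1b.company.com": ["203.0.113.3"],
    "rdf1.company.com": ["203.0.113.2", "10.0.0.3"],
    "rd1.company.com": ["203.0.113.1"],
}


def is_rfc1918(addr):
    """True if the address falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def private_leaks(view):
    """(name, address) pairs in a view that point at private address space.
    Run against the external view, every hit is a redirect target a remote
    client cannot reach."""
    return [(name, a) for name, addrs in sorted(view.items())
            for a in addrs if is_rfc1918(a)]


def farm_gaps(view, farm=FARM_NAME, hosts=SESSION_HOSTS):
    """Session hosts whose addresses are not all present in the farm name's
    round-robin record set, or that have no record at all in this view."""
    farm_addrs = set(view.get(farm, []))
    return sorted(h for h in hosts
                  if not view.get(h) or not set(view[h]) <= farm_addrs)


def resolve_view(names):
    """Build a view from live DNS using whatever resolver this machine uses.
    Not used by the offline checks above; run it from inside and outside
    the network and compare the two results."""
    view = {}
    for name in names:
        try:
            view[name] = sorted(set(socket.gethostbyname_ex(name)[2]))
        except socket.gaierror:
            view[name] = []
    return view


if __name__ == "__main__":
    for label, view in (("external", EXTERNAL_VIEW),
                        ("leaky external", LEAKY_EXTERNAL_VIEW)):
        print(label, "private leaks:", private_leaks(view))
        print(label, "farm gaps:", farm_gaps(view))
```

On the internal view every record is a 10.x address by design, so private_leaks is only meaningful for the view that external clients actually see; farm_gaps applies to both views.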
9 Comments
 

Expert Comment

by:Libis_aka_Dusk
ID: 26068079
Hello Wildclay,

What I miss completely here is the identification of the device you describe in the image as a firewall.

TS Gateway is supposed to do the job; nevertheless, it is behind a firewall with port forwarding. The point is to configure it as HTTPS. Otherwise you could run into trouble, especially if your firewall is checking the payload of HTTP requests, aka content filtering. RDP traffic then will not work through the firewall.

Here are some how-tos on configuring TS Gateway you may use:
http://chrislehr.com/2009/01/setting-up-ts-gateway.htm
http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-Services-Gateway-Part1.html
http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-Services-Gateway-Part2.html


 

Author Comment

by:wildclay
ID: 26068940
Hi Libis, thank you for your comments. We use a Cisco PIX firewall, but we do not do any content filtering at all. I will take a look at the links you sent me about the Gateway. I have an HTTPS certificate for our "rd1.company.com" domain installed on the RD web portion of the broker (RDBroker1) server in IIS, but I am not sure if I need to also configure the certificate somewhere in the Gateway component. I didn't see any options for it. RDP sessions do work successfully from outside when going directly to a session host, but just not when redirecting through the broker.
 

Expert Comment

by:Libis_aka_Dusk
ID: 26076614
 

Author Comment

by:wildclay
ID: 26098133
I've reviewed the two WindowsSecurity.com links from Dr. Tom Shinder.  I was already through the Part 2 "Request a Certificate for the Terminal Services Gateway" and the "Configure Terminal Services Gateway to Use the Certificate" sections; however, the difference is that I am not using an internal Certification Authority. We purchased an SSL certificate from Comodo (a third-party CA) and installed it in our Gateway.  We did this similarly to what is described in the IIS section, using the "Create a Certificate Request" option instead of the "Create Domain Certificate" option that Dr. Shinder describes.  The request was required for a third-party CA to generate the certificate for us.  As mentioned, that same certificate is installed in our Gateway.  I have attached two pics showing our Gateway settings.

As mentioned, the Gateway is installed on the same server as the session broker.  The broker is called "RDBroker1" internally and the external URL for it is "RD1.company.com."  I assume that same "rd1.company.com" address would be what we need to use for the Gateway as well, correct?  Or should the certificate have been created with the "rdbroker1" name instead?  Let me know if you have any other suggestions.  Our setup is not going through an ISA server, so I'm not sure if we need to or can set up SSL bridging.  Should we perhaps have obtained a wildcard SSL certificate for our company domain, since we also have "rd1a.company.com" and "rd1b" in addition to just "rd1"?

[Attachments: GatewaySSLCert.JPG, GatewaySSLbridge.jpg]
 

Assisted Solution

by:Libis_aka_Dusk
Libis_aka_Dusk earned 1000 total points
ID: 26099154
Still seems to me like a cert issue...
1) Try to configure it first with a self-signed certificate with the internal server name as the certificate name. Try it also with the external name. This will eliminate the certificate as the source of the problem.
2) You probably don't need SSL bridging if you aren't using an active content-filtering ISA or a firewall that inspects the traffic.
 

Author Comment

by:wildclay
ID: 26403386
Sorry for not keeping up with this question.  We just finished building a new data center and moved all of our servers, so things have been pretty busy for us.  I decided to turn off redirection on our session host servers, but leave it on for the broker server.  At first our Remote Application launching would not work when DNS would connect the remote user to the RD1b session host, but would work fine for RD1a.  After we moved everything, it appears to work from both now.  It appeared to be a security glitch.  Connecting with the RDP client over RD1.company.com still doesn't work, but going through the web does.  We have to use RDF1.company.com to get it to work via the RDP client because RDF1 is the DNS name of our farm.

I haven't had time to test Libis' solution, but at first we did have a self-assigned certificate that worked internally, but I think we may need to buy a domain wildcard certificate to get it to work correctly from the outside, since multiple URLs are being used from the outside.  Any thoughts on a different type of certificate?  Right now users have to enter their credentials multiple times when logging in remotely, it's my hope that the correct certificate can resolve this.
 

Assisted Solution

by:brandon-shelton
brandon-shelton earned 1000 total points
ID: 33074073
I ran across an issue recently with configuring a Remote Desktop Gateway server.  Internally I was able to access the server and connect to computers remotely but I was unable to do this externally.
I don't really have time to read through all of the posts, but this might help: http://blog.xiquest.com/tag/remote-desktop-gateway/
 

Author Comment

by:wildclay
ID: 33467735
Thanks for the comment, Brandon.  I will review the info when I get a chance.  It may be a few weeks since I work at a college and it's the beginning of a new semester next week.
 

Accepted Solution

by:wildclay
wildclay earned 0 total points
ID: 33783543
Instead of using redirection and the gateway, I purchased a UC (Unified Communications) SSL Certificate that includes all four of our Remote Desktop domain names:

RD1a.company.com
RD1b.company.com
RDF1.company.com
RD1.company.com

I set up our farm, but use DNS round robin for our external addresses instead of using redirection, since I never was able to get it to work, even with the multi-domain certificate.  Round robin seems to work for selecting between session host A and B.
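The accepted solution covers the four farm names with one UC (multi-name) certificate, and earlier posts ask whether a wildcard certificate, or a certificate carrying only the internal server name, would have done. The following Python example is added here (it is not from the original thread) to answer that kind of question offline: given a certificate in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns, it lists which required names the certificate does not cover, using the usual client matching rules (case-insensitive exact match on SAN DNS entries, a wildcard only as the whole leftmost label and standing for exactly one label, and the CN consulted only when there is no SAN at all). The four sample certificates are constructed to mirror the options discussed in the thread; fetch_cert, which the offline checks do not call, pulls a live certificate so the same check can be run against a real Gateway or Web Access endpoint.

```python
import socket
import ssl

FARM_NAMES = ["rd1a.company.com", "rd1b.company.com",
              "rdf1.company.com", "rd1.company.com"]

# Constructed sample certificates in getpeercert() form (not real certificates).
UC_CERT = {  # one multi-name (UC/SAN) certificate, as in the accepted solution
    "subject": ((("commonName", "rd1.company.com"),),),
    "subjectAltName": tuple(("DNS", n) for n in FARM_NAMES),
}
SINGLE_NAME_CERT = {  # the original single-name certificate for rd1.company.com
    "subject": ((("commonName", "rd1.company.com"),),),
    "subjectAltName": (("DNS", "rd1.company.com"),),
}
WILDCARD_CERT = {  # the wildcard alternative discussed in the thread
    "subject": ((("commonName", "*.company.com"),),),
    "subjectAltName": (("DNS", "*.company.com"),),
}
INTERNAL_NAME_CERT = {  # self-signed with only the internal server name, no SAN
    "subject": ((("commonName", "rdbroker1"),),),
}


def hostname_matches(pattern, host):
    """RFC 6125-style match: exact (case-insensitive) or a wildcard that is
    the whole leftmost label and stands for exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject partial-label ("rd*.company.com") and too-short ("*.com") patterns.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def dns_names(cert):
    """DNS names the certificate asserts: its SAN entries, or the CN only when
    there is no SAN at all (current clients ignore the CN once a SAN exists)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def uncovered(cert, required=FARM_NAMES):
    """Required names that no name in the certificate matches."""
    names = dns_names(cert)
    return sorted(h for h in required
                  if not any(hostname_matches(p, h) for p in names))


def fetch_cert(host, port=443):
    """Fetch the certificate a live endpoint presents for host (SNI set).
    Chain verification stays on; hostname checking is turned off here only
    so that a mismatched certificate is returned for uncovered() to report
    instead of raising during the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("UC", UC_CERT), ("single", SINGLE_NAME_CERT),
                        ("wildcard", WILDCARD_CERT), ("internal", INTERNAL_NAME_CERT)):
        print(f"{label}: not covered -> {uncovered(cert)}")
```

The wildcard result shows why the thread's alternative would also have worked for these four names: each is a single label under company.com. It would not cover a deeper name such as a host under an internal sub-domain, which is the one-label rule the code enforces.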
