Avatar of Jason Livengood
Jason Livengood
Flag for United States of America asked on

Trying to Access Remote Apps through Terminal Services Web Access

  We recently just set up a Terminal Services server with TS Web Access.
This server is a virtual server. In the scenario here, this server and the TS Gateway server are one in the same .

   I believe we have made all of the configurations prescribed by microsoft including TS CAP and TS RAP policies along with setting user permissions up, getting Terminal services to issue a cert, getting the clients to trust the cert,
and configuring the remote apps. From a client that is in network ( meaning the client exists on the same network as the terminal services server / gateway) everything works as expected.

1) the client goes to access the terminal services web page via a url.
2) They are prompted to authenticate
3) If authenticated, the web page with icons comes up (provided the Active X control has been installed)
4) The user clicks the icons that represent the remote apps.
5) The users are prompted again to authenticate(this time with the Gateway and remote ts server)
6) The apps come up.
7) Users are able to work with those apps.

Unfortunately when the user tries to access it from a computer  not on the network (out in "Internetland" in this case with a Windows 7 OS)  After step 4 above the user gets hit with this error.. "Your computer can't connect to the remote computer because the Remote Desktop Gateway server address is unreachable or incorrect. Type a valid Remote Desktop Gateway Server" address.

Obviously the user can connect if  if the web page and the gateway are the same machine. Why does it tell the user they can't reach the gateway ???

 Was wondering if anyone could provide any insight into this error. Any help would be greatly appreciated.

Microsoft Server OSRemote AccessCitrix

Avatar of undefined
Last Comment

8/22/2022 - Mon

are the local pc's win 7 as well?

just a thought to try test from the same client that works on the lan by moving it externally

have to forward port 3389 to the server through your firewall.  

Suggestion: change the incoming port on the firewall to point the internal 3389 port on the server.

If you change the port on the firewall you will need to also need to change the connection port on the website
example if you change to port 2233 and you server ip is you need to connect to rdp session from to  But local connection will still be 3389 unless you do the following

To prevent needing 2 server connection you can change the port on the server by doing this:

Confusing but good steps to keep secure.  Best secure would be to get a SSL VPN or something of the sort.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Jason Livengood

I should mention I have tested with a windows xp machine as well. XP machine from within the LAN works just fine. If I take it home moving it off the LAN  (like cjrmail2k suggested) I get the same behavior with the error popping up.  

Cláudio Rodrigues

Couple issues:
1. If you are using RDS Gateway all traffic goes through HTTPS so the only port required from the outside to the internal LAN is 443.
2. If you create the RemoteApps with an internal name or IP that cannot be resolved by the external clients, of course it will fail. What you need to do is when publishing resources, always use an FQDN that will ALSO be setup externally.
For example publish the application to the server ts1.company.com (internal DNS record) and then create an external DNS record (or ask your ISP to do in case you do NOT manage your external DNS record) for that exact same name. Once the internal/external FQDNs match it will work internally or externally.
The reason why it is failing now is probably because of the name/IP returned on the .RDP file on the RDS Web Access. Internally clients can resolve but not externally as you are not using FQDNs that are the same internally/externally.

Cláudio Rodrigues
Citrix CTP
Jason Livengood

In response to tsmvp 's post 2nd point I have made certain that the Remote App in question does infact live at an outside resolveable address. This did not resolve the issue. Our network admin completely opened up our firewall rather briefly for toubleshooting purposes and there was no change in the behavior (error still comes up) however upon further inspection we also found that we are not able to telnet through port 3389 which really does not make sense. Was wondering if anybody had any further advice on how to troubleshoot the issue.....
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.