Jason Livengood

Trying to Access Remote Apps through Terminal Services Web Access

We recently just set up a Terminal Services server with TS Web Access. This server is a virtual server. In the scenario here, this server and the TS Gateway server are one and the same.

I believe we have made all of the configurations prescribed by Microsoft, including TS CAP and TS RAP policies along with setting user permissions up, getting Terminal Services to issue a cert, getting the clients to trust the cert, and configuring the remote apps. From a client that is in network (meaning the client exists on the same network as the terminal services server / gateway) everything works as expected.

Meaning:
1) the client goes to access the terminal services web page via a url.
2) They are prompted to authenticate
3) If authenticated, the web page with icons comes up (provided the Active X control has been installed)
4) The user clicks the icons that represent the remote apps.
5) The users are prompted again to authenticate (this time with the Gateway and remote TS server)
6) The apps come up.
7) Users are able to work with those apps.

Unfortunately, when the user tries to access it from a computer not on the network (out in "Internetland", in this case with a Windows 7 OS), after step 4 above the user gets hit with this error: "Your computer can't connect to the remote computer because the Remote Desktop Gateway server address is unreachable or incorrect. Type a valid Remote Desktop Gateway Server address."

Obviously the user can connect if the web page and the gateway are the same machine. Why does it tell the user they can't reach the gateway ???

Was wondering if anyone could provide any insight into this error. Any help would be greatly appreciated.

Jason
cjrmail2k

Are the local PCs Win 7 as well?

Just a thought: try testing from the same client that works on the LAN by moving it externally.
You have to forward port 3389 to the server through your firewall.

Suggestion: change the incoming port on the firewall to point to the internal 3389 port on the server.
If you change the port on the firewall you will also need to change the connection port on the website.
For example, if you change to port 2233 and your server IP is 10.1.1.2, you need to connect to the RDP session from 10.1.1.2 to 10.1.1.2:2233. But the local connection will still be 3389 unless you do the following.

To prevent needing 2 server connections you can change the port on the server by doing this:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsVista/RegistryTips/RegistryHacks/ChangingtheRemoteDesktopPort.html

Confusing, but good steps to keep secure. The most secure would be to get an SSL VPN or something of the sort.
Jason Livengood (ASKER)

I should mention I have tested with a Windows XP machine as well. The XP machine from within the LAN works just fine. If I take it home, moving it off the LAN (like cjrmail2k suggested), I get the same behavior with the error popping up.

Jason
Cláudio Rodrigues

Couple issues:
1. If you are using RDS Gateway, all traffic goes through HTTPS, so the only port required from the outside to the internal LAN is 443.
2. If you create the RemoteApps with an internal name or IP that cannot be resolved by the external clients, of course it will fail. What you need to do is, when publishing resources, always use an FQDN that will ALSO be set up externally.
For example, publish the application to the server ts1.company.com (internal DNS record) and then create an external DNS record (or ask your ISP to do it in case you do NOT manage your external DNS record) for that exact same name. Once the internal/external FQDNs match it will work internally or externally.
The reason why it is failing now is probably because of the name/IP returned in the .RDP file on the RDS Web Access. Internally clients can resolve it, but not externally, as you are not using FQDNs that are the same internally/externally.

Cláudio Rodrigues
Citrix CTP
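
The check described in the post above, as an added example that is not part of the original thread: it reads the .rdp settings that TS Web Access hands to the client and reports whether the gateway and target names are ones an outside client could resolve. The sample file content and the host name TSGW01 are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample of the .rdp content a RemoteApp icon delivers (assumed values).
SAMPLE_RDP = """\
full address:s:ts1.company.com
gatewayhostname:s:TSGW01
gatewayusagemethod:i:2
remoteapplicationmode:i:1
remoteapplicationprogram:s:||calc
"""

HOST_KEYS = ("full address", "gatewayhostname")

def parse_rdp(text):
    """Return {setting: value} from the file's 'name:type:value' lines."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            settings[parts[0].lower()] = parts[2]
    return settings

def classify_host(value):
    """Classify a host entry by how an Internet client would see it."""
    host = value.strip()
    if host.count(":") == 1:          # drop an optional :port suffix
        host = host.split(":")[0]
    try:
        ip = ipaddress.ip_address(host)
        return "private-ip" if ip.is_private else "public-ip"
    except ValueError:
        pass
    # A single-label (NetBIOS-style) name only resolves inside the LAN.
    return "fqdn" if "." in host else "single-label"

def external_findings(text):
    """Map each host-bearing setting to its classification."""
    settings = parse_rdp(text)
    return {k: classify_host(settings[k]) for k in HOST_KEYS if settings.get(k)}

if __name__ == "__main__":
    # Run from the external client: FQDNs still need a matching public DNS record.
    for key, kind in external_findings(SAMPLE_RDP).items():
        print(f"{key}: {kind}")
    try:
        socket.getaddrinfo("ts1.company.com", 443)
        print("gateway name resolves from here")
    except socket.gaierror:
        print("gateway name does not resolve from here")
```

A result of `single-label` or `private-ip` for `gatewayhostname` means the name only works inside the LAN, which matches the internal-works, external-fails pattern in the question.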

In response to tsmvp's post, 2nd point: I have made certain that the Remote App in question does in fact live at an outside resolvable address. This did not resolve the issue. Our network admin completely opened up our firewall rather briefly for troubleshooting purposes and there was no change in the behavior (error still comes up). However, upon further inspection we also found that we are not able to telnet through port 3389, which really does not make sense. Was wondering if anybody had any further advice on how to troubleshoot the issue.....

ASKER CERTIFIED SOLUTION
zneria