schaeferb (United States of America)

asked on

TS Gateway, Terminal Servers and Certificates

We have been testing a terminal server RemoteApp configuration.  We are currently using all of the functionality on one server, however the plans are to separate the TS Gateway and TS Web Access onto one server and we will end up with about 6 terminal servers.  (We currently have the same configuration using Citrix Presentation server and 7 Citrix Servers).

The issue comes in with the connection.  Users are connected to the website using citrix.xxxx.com, which is the certificate that we currently own.  Once the user clicks on an application and then authenticates to the internal domain, they receive a certificate error from the internal terminal server that the certificate is not from a trusted authority.
1.  Do I need to purchase trusted certificates for every internal terminal server?
2.  If not, how do I get past this error?  I've tried using the citrix.xxxx.com certificate for the terminal server RDP properties certificate, but then the user gets a name mismatch error.

Note: All of the users are outside the network and would not have access to any of the servers, except through the Terminal Server Applications.
ASKER CERTIFIED SOLUTION
Cláudio Rodrigues (Canada)

This solution is only available to members.
Per question 2 above, I tried that but then I get a certificate name mismatch.  I just went into TS RemoteApp Manager and changed the Terminal Server - Server Name in the deployment settings properties to use the citrix.xxxx.com certificate.  I then had to create an entry in the hosts file for the citrix.xxxx.com address pointing to this server.  This resolved the certificate mismatch dialog that I started getting.

My questions at this point are:
1) This then requires a license for the certificate for all 5 of the Terminal Servers therefore increasing the costs.  It seems like I should be able to have the Web server terminate the SSL connection and then connect to the terminal server over HTTP.  Or is this due to the fact that I have them both on the same server for testing?
2) How does this hosts file now affect the Terminal Server farm setup?  If I now add 5 terminal servers each with an entry in the hosts file (or internal DNS), how does the terminal server keep track of the disconnected sessions to the correct terminal server?
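The two dialogs described in this thread (certificate "not from a trusted authority", then "name mismatch" once the public certificate was bound to the RDP listener) are the checks the RDP client runs after it negotiates TLS with the terminal server. The script below is an added example, not from the thread or from Experts Exchange; it reproduces those checks before deployment by sending the RDP security negotiation a client sends, then verifying the listener's certificate against the local trusted roots and against the name users actually connect with. The server names are placeholders, not values from the original post.

```python
import socket
import ssl
import struct

PROTOCOL_SSL = 0x00000001  # MS-RDPBCGR requestedProtocols flag for TLS

def build_negotiation_request() -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ asking for TLS."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, PROTOCOL_SSL)
    x224 = bytes([6 + len(neg_req), 0xE0, 0, 0, 0, 0, 0]) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_negotiation_response(data: bytes) -> int:
    """Return selectedProtocol from an RDP_NEG_RSP; raise on RDP_NEG_FAILURE."""
    if len(data) < 19 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg_type, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if neg_type == 0x03:
        raise ValueError(f"server refused TLS negotiation, failureCode={value}")
    if neg_type != 0x02:
        raise ValueError(f"unexpected negotiation structure type {neg_type}")
    return value

def hostname_matches(cert_names, connect_name: str) -> bool:
    """Name-mismatch rule: the name the client connects with must equal a CN/SAN
    entry, or match a wildcard covering exactly one leftmost label."""
    host = connect_name.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def check_rdp_certificate(server: str, connect_name: str, port: int = 3389) -> str:
    """Negotiate TLS on the RDP listener as a client does, then verify the chain
    against local trusted roots and the certificate name against connect_name."""
    ctx = ssl.create_default_context()  # trusted roots + hostname check enabled
    with socket.create_connection((server, port), timeout=5) as raw:
        raw.sendall(build_negotiation_request())
        try:
            if parse_negotiation_response(raw.recv(1024)) != PROTOCOL_SSL:
                return f"{server}: listener did not select TLS"
            with ctx.wrap_socket(raw, server_hostname=connect_name) as tls:
                cn = dict(x[0] for x in tls.getpeercert()["subject"]).get("commonName")
                return f"{server}: OK, CN={cn} chains to a trusted root and covers {connect_name}"
        except (ValueError, ssl.SSLError) as e:
            return f"{server}: FAIL for {connect_name}: {e}"
```

Run `check_rdp_certificate("ts01.corp.example", "citrix.xxxx.com")` once per terminal server, using the name users connect with as the second argument; a self-signed listener certificate reports a verify failure and a certificate issued for a different name reports a hostname mismatch, the same two conditions the client dialogs show.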
SOLUTION
This solution is only available to members.
Thank you for the clarification.  We are still using TS 2008 and are awaiting certification that the clients application will run on 2008 R2.  I do have TS Session Broker installed, but have not configured anything within it.  I will take a look at that closer.

As per the certificates, I know that GeoTrust (to technically be legal) states that the certificate is only licensed for use on 1 physical server.  I just checked Verisign and they have the same requirement.  I'm not sure about some of the other certificate vendors.