TS Gateway, Terminal Servers and Certificates

We have been testing a terminal server RemoteApp configuration.  We are currently using all of the functionality on one server, however the plans are to separate the TS Gateway and TS Web Access onto one server and we will end up with about 6 terminal servers.  (We currently have the same configuration using Citrix Presentation server and 7 Citrix Servers).

The issue comes in with the connection.  Users are connected to the website using citrix.xxxx.com, which is the certificate that we currently own.  Once the user clicks on an application and then authenticates to the internal domain, they receive a certificate error from the internal terminal server that the certificate is not from a trusted authority.

[Image: Certificate Error]

1.  Do I need to purchase trusted certificates for every internal terminal server?
2.  If not, how do I get past this error?  I've tried using the citrix.xxxx.com certificate for the terminal server RDP properties certificate, but then the user gets a name mismatch error.

Note: All of the users are outside the network and would not have access to any of the servers, except through the Terminal Server Applications.


The problem here is simple. You need to go into the Remote Desktop Services Server Host management and set the listener RDP-tcp to use that certificate (of course you must import the citrix.xxx.com on all TSs - make sure you export it WITH the private key). If using RemoteApps you also need to sign them using this same certificate.
That will get rid of this warning message.

Cláudio Rodrigues
Citrix CTP


Per question 2 above, I tried that but then I get a certificate name mismatch.  I just went into TS RemoteApp Manager and changed the Terminal Server - Server Name in the deployment settings properties to use the citrix.xxxx.com certificate.  I then had to create an entry in the hosts file for the citrix.xxxx.com address pointing to this server.  This resolved the certificate mismatch dialog that I started getting.

My questions at this point are:
1) This then requires a license for the certificate for all 5 of the Terminal Servers, therefore increasing the costs.  It seems like I should be able to have the Web server terminate the SSL connection and then connect to the terminal server over HTTP.  Or is this due to the fact that I have them both on the same server for testing?
2) How does this hosts file now affect the Terminal Server farm setup?  If I now add 5 terminal servers each with an entry in the hosts file (or internal DNS), how does the terminal server keep track of the disconnected sessions to the correct terminal server?


The right way of doing this, assuming this is your plan:
- Have multiple TSs load balanced so users can connect transparently to any of the TSs through a Gateway and Web Access server.

In this case you must use:
- RDS Gateway
- RDS Web Access
- RDS Connection Broker

I think you are missing the last one.
In this case you go on the DNS server and create as many entries for citrix.xxx.com as TSs you will have (6 for example), each entry pointing to one of the IPs (6, right?).
You then load the same certificate on all TSs (technically you will load the exact same certificate - I would assume you do NOT need to pay for multiple ones as again, it is the SAME one on all boxes).
Then finally you will create a Connection Broker farm and give it a name. You will then set Web Access to retrieve the app list from the Connection Broker server and make ALL TSs part of the same Connection Broker farm (you also set this under RDP-tcp).
You will have to add certain computer accounts to certain local groups as per the explanations/wizards that launch once you try that.

That should do what you want, including keeping track of where a user session is, reconnecting users and so on. The key piece is the Connection Broker in this case.

Cláudio Rodrigues
Citrix CTP
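
An added example, not part of the posts above: a PowerShell check to run locally on each terminal server after importing the certificate, confirming that it arrived with its private key, is within its validity period, and is the one bound to the RDP-Tcp listener. The default `$PublicName` is the masked name from the thread used as a placeholder, and the WMI namespace is an assumption that may differ by Windows version.

```powershell
# Added example (not from the thread). Run on each terminal server and compare
# the Thumbprint column across servers: it should be identical everywhere.
param(
    # Placeholder: the name users connect to (masked in the thread).
    [string]$PublicName   = 'citrix.xxxx.com',
    # Assumption: namespace holding Win32_TSGeneralSetting on this Windows version.
    [string]$WmiNamespace = 'root\cimv2\TerminalServices'
)

$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]

# 1. Certificates in the computer store whose DNS name matches the public name.
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo($nameType::DnsName, $false) -eq $PublicName })

if ($certs.Count -eq 0) {
    Write-Warning "No certificate for $PublicName in LocalMachine\My on $env:COMPUTERNAME"
    return
}

# 2. Thumbprint currently assigned to the RDP-Tcp listener.
$listener = Get-WmiObject -Namespace $WmiNamespace -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
$bound = $listener.SSLCertificateSHA1Hash

# 3. One row per candidate certificate.
$now = Get-Date
foreach ($c in $certs) {
    New-Object PSObject -Property @{
        Server           = $env:COMPUTERNAME
        Thumbprint       = $c.Thumbprint
        Issuer           = $c.GetNameInfo($nameType::SimpleName, $true)
        # False means the export was done without the private key.
        HasPrivateKey    = $c.HasPrivateKey
        InValidityPeriod = ($c.NotBefore -le $now -and $now -le $c.NotAfter)
        # False means the listener still presents a different certificate.
        BoundToRdpTcp    = ($bound -eq $c.Thumbprint)
    }
}
```

A row with `HasPrivateKey` or `BoundToRdpTcp` set to False identifies a server that will still show clients a certificate warning.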


Thank you for the clarification.  We are still using TS 2008 and are awaiting certification that the client's application will run on 2008 R2.  I do have TS Session Broker installed, but have not configured anything within it.  I will take a closer look at that.

As per the certificates, I know that GeoTrust (to technically be legal) states that the certificate is only licensed for use on 1 physical server.  I just checked Verisign and they have the same requirement.  I'm not sure about some of the other certificate vendors.