Solved

SSL Setup for RemoteApp using TS Web Access Server

Posted on 2010-09-12
20
1,607 Views
Last Modified: 2013-11-21
I have a TS Web Access Server running on the same machine as a TS Gateway. This machine, wa.mysite.com, has an SSL cert and is functioning well. I had some SSL issues with customers connecting to the RemoteApp server (ras.mydomain.local), so I got an SSL cert for the local FQDN and installed it on the RemoteApp server. I thought all was well, but some clients get an error, "The certificate or associated chain is invalid." I have checked the Certification Path using IIS on the RemoteApp server and it's properly configured. After reading that not all SSL certs are created equally, I thought I would try one from Thawte to replace the GoDaddy one I have. While I was doing that, I stumbled across the notion that perhaps I should have a public FQDN for the RemoteApp server. Is this the case? Seems odd to me--b/c I want to protect the RemoteApp server by using TS Web Access / TS Gateway.
0
Question by:AndrewLauden
20 Comments
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33659482
With the cert from GoDaddy did you install the intermediate root certificates provided along with your SSL cert?

http://help.godaddy.com/article/869
0
 

Author Comment

by:AndrewLauden
ID: 33660945
Yes, I installed them on the RemoteApp server and the Gateway server.
0
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33661473
Are you able to connect even though you are receiving the error? If that is the case, then what I think is happening is that the public FQDN used by the client to connect is different from the common name of the certificate.

I haven't done this, but I believe it will work. Configure a secondary NIC on the TS Gateway server and add a DNS suffix on the secondary NIC that matches the public FQDN. Remember to make sure the secondary NIC binds the new DNS suffix first, or only the new DNS suffix. Then bind the SSL cert to the secondary NIC. The public FQDN will then match the common name of the cert, which should be hostname.domain.com.(x)

Another approach would be to use MS ISA2006 server, which would allow you to proxy your incoming connections. This is a much better approach and one I would recommend. You can then enforce AD permissions and require the user to provide a user name and password before the ISA server will allow them to connect to the terminal server. I know TS Gateway is supposed to allow you to directly connect to your terminal servers from the Internet, but just because you can doesn't mean you should.
0
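The two causes raised in this thread, missing intermediate certificates and a connection name that does not match the certificate, produce the same generic error on the client, so it helps to get the .NET validation verdict directly. The script below is an added diagnostic, not code from the thread: it opens a TLS connection from a client, records the chain status and policy errors instead of rejecting the certificate, and reports which of the two problems applies. The host and port are assumed placeholders (wa.mysite.com and ras.mydomain.local are the names used in the thread); the -Rdp switch sends the X.224 connection request that RDP requires before its TLS handshake, so the same check can be pointed at the RemoteApp server's RDP listener as well as the Gateway's HTTPS port.

```powershell
# Added diagnostic, not from the thread. Run from a client that shows the error.
# Hosts and ports are assumed values; wa.mysite.com / ras.mydomain.local come from the thread.
param(
    [string]$HostName = 'wa.mysite.com',   # or ras.mydomain.local with -Rdp
    [int]$Port = 443,                       # 3389 for the RDP listener
    [switch]$Rdp                            # RDP needs an X.224 exchange before TLS
)

$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$stream = $client.GetStream()
if ($Rdp) {
    # TPKT + X.224 Connection Request + RDP_NEG_REQ asking for PROTOCOL_SSL|PROTOCOL_HYBRID (3);
    # both selections begin with a TLS handshake, so the certificate is presented either way.
    $req = [byte[]](0x03,0x00,0x00,0x13, 0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,
                    0x01,0x00,0x08,0x00, 0x03,0x00,0x00,0x00)
    $stream.Write($req, 0, $req.Length)
    $buf = New-Object byte[] 19
    $null = $stream.Read($buf, 0, $buf.Length)  # X.224 Connection Confirm; TLS follows it
}

$script:policy = [System.Net.Security.SslPolicyErrors]::None
$script:chain  = @()
# Record the verdict instead of rejecting, so the handshake completes and the cert can be printed.
# Nothing is sent after the handshake; this is only a diagnostic.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:policy = $errors
    $script:chain  = $chain.ChainStatus
    return $true
}

$ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
try {
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"
    "Expires : $($cert.NotAfter)"
    "Policy  : $script:policy"
    foreach ($s in $script:chain) { "Chain   : $($s.Status) - $($s.StatusInformation.Trim())" }
    $E = [System.Net.Security.SslPolicyErrors]
    if ($script:policy -band $E::RemoteCertificateNameMismatch) {
        "=> Name mismatch: '$HostName' is not the certificate's CN/SAN."
    }
    if ($script:policy -band $E::RemoteCertificateChainErrors) {
        "=> Chain error: intermediate CA certs missing on the server, or root not trusted on this client."
    }
}
finally { $ssl.Dispose(); $client.Dispose() }
```

A `PartialChain` or `UntrustedRoot` chain status points at the server-side intermediates or the client's trusted roots, while a name-mismatch policy error with a clean chain means the certificate itself is fine and the name the client connects to is the problem.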
 

Author Comment

by:AndrewLauden
ID: 33672266
Thanks.  The Thawte cert hasn't improved anything.  I'll try some more and consider the ISA server.  Does the App Server need to be publicly available?
0
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33677970
The TS Gateway server should be the server the clients are targeting from the Internet.
0
 

Author Comment

by:AndrewLauden
ID: 33678679
Yes, that is the case. Clients browse to wa.mysite.com/ts, which requires a login. From there, they launch RemoteApps hosted on another machine. The SSL issues arise when launching the apps listed in the TS Web Access site. When they connect to the RemoteApp server, they're connecting to another machine with a local domain name (not a public domain name). I have an SSL cert for the local machine using its local domain name (ras.mydomain.local), and for most clients it works fine. For some, there is an issue with the Certificate Path even though the intermediate certs are properly installed on the RemoteApp server. Prior to installing an SSL cert on the RemoteApp server, I had imported the cert from the TS Web Access site and used it to secure the TS connections. I ran into the issue that the RemoteApp server's certificate didn't match its domain name (ras.mydomain.local). That seemed to fix the SSL issues until recently.

0
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33679289
Does the TS Gateway box have separate interfaces for external and internal traffic?
0
 

Author Comment

by:AndrewLauden
ID: 33680740
It does have two NICs and external traffic comes in via one of them (routed by firewall).  Other than that, I have not done anything to separate traffic on them.
0
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33687458
Is the external NIC on the TS Gateway box on a separate network?
0
 

Author Comment

by:AndrewLauden
ID: 33687511
No, same physical network with DHCP running on 2008 domain controller.  (NICs have IP reservations)
0

 
LVL 7

Expert Comment

by:oztrodamus
ID: 33687540
Yes, but are they on the same subnet?

Just an FYI, servers should always use static IPs.
0
 

Author Comment

by:AndrewLauden
ID: 33687551
Thanks, yes, same subnet.
0
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33687571
I believe that is where the problem is coming from. You need to put the external NIC on a separate network. It doesn't matter that physically they use the same switch. What matters is that the NICs are not on the same subnet. This will ensure proper traffic flow.
0
 

Author Comment

by:AndrewLauden
ID: 33687606
Thank you.  I am out of the office at the moment and will implement your solution when I return.  I will report back in a week.
0
 

Author Comment

by:AndrewLauden
ID: 33734815
I found that the Gateway's default website was bound to the port that was not receiving external traffic--so I fixed that and put the proper NIC on a separate subnet. The problem with the certificate chain on ras.mydomain.local remained. I then removed the purchased certificate (used the auto-generated one instead) from the RDP-TCP connection on the RemoteApp server and the issue is gone! My understanding was that the only cert required was on the Gateway--could the NICs on the Gateway being on the same subnet have caused an issue that led me to install a cert on the Application Server to begin with? Is there any scenario where the Application Server would need a cert?
0
 

Author Comment

by:AndrewLauden
ID: 33745859
Now when users attempt to log in, they get a warning that the RemoteApp is from an Unknown Publisher, and after that an error kicks up that the cert on the remote computer is not from a trusted certifying authority. If I view the certificate, it shows that it is the default generated certificate. So now, I'm back at square one.
0
 

Author Comment

by:AndrewLauden
ID: 33746436
I've modified the Terminal Server settings from the TS RemoteApp Manager on the RemoteApp server: 1) unchecked "Require server authentication", 2) removed ".domain.local" from the Server name, and on the Digital Signature tab, I selected the Gateway Server's certificate. All seems to be working now.

What is the downside of unchecking the "Require server authentication" option?
0
 

Author Comment

by:AndrewLauden
ID: 33785765
I now have several users, some using client v7 and some v6 that are getting repeat login screens upon clicking on the RemoteApp icon on the TS Web page.  For other users, two or three attempts results in a successful launch of the RemoteApp, while others never get through.

0
 

Accepted Solution

by:AndrewLauden (earned 0 total points)
ID: 34016804
This is a known issue: http://support.microsoft.com/kb/969084
0
 

Author Closing Comment

by:AndrewLauden
ID: 34040547
The remaining issue is a known Microsoft bug. All of the recommendations made by participating experts have been helpful and wise but did not solve the problem.
0
