Solved

SSL Setup for RemoteApp using TS Web Access Server

Posted on 2010-09-12
1,616 Views
Last Modified: 2013-11-21
I have a TS Web Access Server running on the same machine as a TS Gateway.  This machine wa.mysite.com has an SSL cert and is functioning well.  I had some SSL issues with customers connecting to the RemoteApp server (ras.mydomain.local) so I got an SSL cert for the local FQDN and installed it on the RemoteApp server.  I thought all was well, but some clients get an error, "The certificate or associated chain is invalid."  I have checked the Certification Path using IIS on the RemoteApp server and it's properly configured.  After reading that not all SSL certs are created equally, I thought I would try one from Thawte to replace the GoDaddy one I have.  While I was doing that, I stumbled across the notion that perhaps I should have a public FQDN for the RemoteApp server.  Is this the case?  Seems odd to me, because I want to protect the RemoteApp server by using TS Web Access / TS Gateway.
0
Question by:AndrewLauden
20 Comments
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33659482
With the cert from GoDaddy did you install the intermediate root certificates provided along with your SSL cert?

http://help.godaddy.com/article/869
0
 

Author Comment

by:AndrewLauden
ID: 33660945
Yes, I installed them on the RemoteApp server and the Gateway server.
0
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33661473
Are you able to connect even though you are receiving the error? If that is the case then what I think is happening is the public FQDN used by the client to connect is different than the common name of the certificate.

I haven't done this, but I believe it will work. Configure a secondary NIC on the TS Gateway server and add a DNS suffix on the secondary NIC that matches the public FQDN. Remember to make sure the secondary NIC binds the new DNS suffix first, or only the new DNS suffix. Then bind the SSL cert to the secondary NIC. The public FQDN will then match the common name of the cert, which should be hostname.domain.com.(x)

Another approach would be to use MS ISA2006 server, which would allow you to proxy your incoming connections. This is a much better approach and one I would recommend. You can then enforce AD permissions and require the user to provide a user name and password before the ISA server will allow them to connect to the terminal server. I know TS Gateway is supposed to allow you to directly connect to your terminal servers from the Internet, but just because you can doesn't mean you should.
0
 

Author Comment

by:AndrewLauden
ID: 33672266
Thanks.  The Thawte cert hasn't improved anything.  I'll try some more and consider the ISA server.  Does the App Server need to be publicly available?
0
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33677970
The TS Gateway server should be the server the clients are targeting from the Internet.
0
 

Author Comment

by:AndrewLauden
ID: 33678679
Yes, that is the case.  Clients browse to wa.mysite.com/ts which requires a login.  From there, they launch RemoteApps hosted on another machine.  The SSL issues arise when launching the apps listed in the TS Web Access site.  When they connect to the RemoteApp server, they're connecting to another machine with a local domain name (not a public domain name).  I have an SSL cert for the local machine using its local domain name (ras.mydomain.local), and for most clients it works fine.  For some, there is an issue with the Certificate Path even though the intermediate certs are properly installed on the RemoteApp server.  Prior to installing an SSL cert on the RemoteApp server, I had imported the cert from the TS Web Access site and used it to secure the TS connections.  I ran into the issue that the RemoteApp server's certificate didn't match its domain name (ras.mydomain.local).  That seemed to fix the SSL issues until recently.

0
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33679289
Does the TSGateway box have separate interfaces for external and internal traffic?
0
 

Author Comment

by:AndrewLauden
ID: 33680740
It does have two NICs and external traffic comes in via one of them (routed by firewall).  Other than that, I have not done anything to separate traffic on them.
0
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33687458
Is the external NIC on the TS Gateway box on a separate network?
0
 

Author Comment

by:AndrewLauden
ID: 33687511
No, same physical network with DHCP running on 2008 domain controller.  (NICs have IP reservations)
0
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33687540
Yes, but are they on the same subnet?

Just an FYI, servers should always use static IPs.
0
 

Author Comment

by:AndrewLauden
ID: 33687551
Thanks, yes, same subnet.
0
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33687571
I believe that is where the problem is coming from. You need to put the external NIC on a separate network. It doesn't matter that physically they use the same switch. What matters is the NICs are not on the same subnet. This will ensure proper traffic flow.
0
 

Author Comment

by:AndrewLauden
ID: 33687606
Thank you.  I am out of the office at the moment and will implement your solution when I return.  I will report back in a week.
0
 

Author Comment

by:AndrewLauden
ID: 33734815
I found that the Gateway's default website was bound to the port that was not receiving external traffic--so I fixed that and put the proper NIC on a separate subnet.  The problem with the certificate chain on ras.mydomain.local remained.  I then removed the purchased certificate (used the auto-generated one instead) from the RDP-TCP connection on the RemoteApp server and the issue is gone!   My understanding was that the only cert required was on the Gateway--could the NICs on the Gateway being on the same subnet have caused an issue that led me to install a cert on the Application Server to begin with?  Is there any scenario where the Application Server would need a cert?
0
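A check script, added here and not written by any participant in the thread, that ties together oztrodamus's point about the certificate's common name matching the name clients connect to and the RDP-Tcp certificate binding described in the comment above. Run on the RemoteApp server, it reports which certificate the RDP-Tcp listener presents, whether that certificate's chain builds from the local store (a missing intermediate shows up as a PartialChain or UntrustedRoot status), and whether its names cover the host name in the RDP file. The `$ClientName` parameter and its default `ras.mydomain.local` are assumptions.

```powershell
# Added check (not from the thread): inspect the certificate bound to the RDP-Tcp
# listener and verify its chain and name coverage the way a connecting client would.
# Assumption: $ClientName is the server name carried in the RDP file clients receive.
param(
    [string]$ClientName = 'ras.mydomain.local'   # placeholder; use the name from the RDP file
)

# Thumbprint of the certificate the RDP-Tcp listener presents (empty when the
# self-signed default certificate is in use).
$tsSetting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                           -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumb = $tsSetting.SSLCertificateSHA1Hash
if (-not $thumb) { Write-Warning 'No certificate bound to RDP-Tcp (self-signed default in use).'; return }

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { Write-Warning "Bound thumbprint $thumb was not found in LocalMachine\My."; return }
"RDP-Tcp presents: $($cert.Subject) (thumbprint $thumb)"

# 1) Build the chain from the local stores and print every status flag, so a
#    missing intermediate is visible here rather than only on the client.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain structure only; CRL reachability is a separate check
$built = $chain.Build($cert)
"Chain builds cleanly: $built"
foreach ($s in $chain.ChainStatus)   { "  status : $($s.Status) - $($s.StatusInformation.Trim())" }
foreach ($e in $chain.ChainElements) { "  element: $($e.Certificate.Subject)" }

# 2) Compare the name clients use with the certificate's subject / SAN DNS names,
#    allowing a single-label wildcard entry such as *.mydomain.local.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$match = $names | Where-Object {
    $_ -eq $ClientName -or ($_.StartsWith('*.') -and $ClientName -like $_)
}
"Client name '$ClientName' covered by cert names [$($names -join ', ')]: $([bool]$match)"
```

A clean chain on the server with a name mismatch at step 2 reproduces the situation oztrodamus describes; a chain status other than NoError points back at the intermediate certificates in LocalMachine\CA.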
 

Author Comment

by:AndrewLauden
ID: 33745859
Now when users attempt to log in, they get a warning that the RemoteApp is from an Unknown Publisher and after that an error kicks up that the Cert on the remote computer is not from a trusted certifying authority.  If I view the certificate, it shows that it is the default generated certificate.  So now, I'm back at square one.
0
 

Author Comment

by:AndrewLauden
ID: 33746436
I've modified the Terminal Server settings from the TS RemoteApp Manager on the RemoteApp server: 1) unchecked the "Require server authentication" 2) removed ".domain.local" from the Server name, and on the Digital Signature tab, I selected the Gateway Server's certificate.  All seems to be working now.

What is the downside of unchecking the "Require server authentication" option?
0
 

Author Comment

by:AndrewLauden
ID: 33785765
I now have several users, some using client v7 and some v6 that are getting repeat login screens upon clicking on the RemoteApp icon on the TS Web page.  For other users, two or three attempts results in a successful launch of the RemoteApp, while others never get through.

0
 

Accepted Solution

by:AndrewLauden (earned 0 total points)
ID: 34016804
This is a known issue: http://support.microsoft.com/kb/969084 
0
 

Author Closing Comment

by:AndrewLauden
ID: 34040547
The remaining issue is a known Microsoft bug.  All of the recommendations made by participating experts have been helpful and wise but did not solve the problem.
0
