NeedHelp2010

TS gateway

Hi,

My environment is using a TS gateway server as a proxy for clients to RDP to APP servers. My questions are:
1) Clients using RDP with TS gateway will still get a prompt identifying the APP server certificate before connecting; is this correct?
2) Can I use the TS gateway cert and import the cert to all APP servers so that I won't get the prompt?
3) How do I generate a cert for use in all servers?

Thanks
psychogr

1. Correct.
2. Yes, it is located under C:\users\Public\Public Downloads or \\servername\public\public downloads.
3. It should already be generated from the first setup. If it's not there, or you changed domain since your installation, then use the Internet Address Management Wizard (IAMW) to generate a new one.

ASKER

To further add on, we do not have a CA or PKI in our environment.

When I use the TS gateway cert and import it to my APP servers, and then RDP in through a client, there is a prompt saying my cert name mismatches, as the issuer name is 123.abc.com but the cert name is 123wts.abc.com. So how can I create a cert that can be used by all APP servers?

My question 2 is: how do I import a cert to the APP server so that when I RDP with a TS gateway proxy, I won't get a certificate prompt?

Thanks
If you get a 'name mismatch' error, then you should recreate your certificate via the Internet Address Management Wizard (IAMW).

You don't need a CA or PKI; all you need is a self-signed certificate.
For more information:

http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx
Sorry, maybe my question is not clear enough.

My questions are:

1) When I log in from an XP SP2 RDP 6.0 client with a W2008 TS gateway server as a proxy to a W2008 APP server, e.g. abc.123.com, I get a prompt saying the cert is not from a trusted CA authority. Is this a correct setup?

2) Is there any way for me to create a single SSL cert for all my clients and servers to use for SSL RDP authentication? I am trying to use a wildcard cert, but it always prompts name mismatch, as the cert name is *.123.com but the issuer is abc.123.com.

My environment is not using a CA to publish the Cert template for authentication.


1. Yes, it is a correct setup. If you install the certificate using the installer from C:\users\Public\Public, then it will stop prompting you for a certificate.
2. You cannot create a certificate using a wildcard. It must be unique for each subdomain/domain.
You must create a certificate and distribute it as I described in my last post.

You don't need a CA authority, just a self-signed cert.
Hi psychogr,

I am not using SBS edition; I am using W2008 R2 Enterprise edition. I cannot see anything in C:\users\Public\Public, and how do I use IAMW?

Thanks
Oops, sorry for that mate.. for some reason I thought you had SBS edition.
There's no IAMW on Windows 2k8 R2 editions.

Follow the steps described in the following link to create a self-signed certificate:
http://technet.microsoft.com/en-us/library/cc730805.aspx

Hi psychogr,

Haha, it's ok.

I have already created a cert for use with my TS gateway server, which is like ts.123.com. I have imported the cert to my RDP client and APP server, but when I do an RDP connection from the client to my APP server through a TS gateway, I get a cert error prompt saying name mismatch, as the remote computer name is abc.123.com but the cert name is ts.123.com.

Is there any way for me to use the TS cert as a common cert for RDP connections between all my clients and APP servers without a CA setup in my domain?

Thanks
The FQDN must match the DNS name that the client uses to connect to the RD Gateway server.
That's why you get a name mismatch error. Follow the steps described in the link from my previous post to create a new cert. Distribute it and you are set to go.
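To see why the mismatch prompt appears on a given APP server, the following PowerShell diagnostic (added here as an illustration; it is not code from the thread or from psychogr) reads the certificate bound to the RDP-Tcp listener and compares the names it carries with the name clients actually connect to. It assumes Windows PowerShell with WMI available on the server, and the `$ExpectedName` default (this host's FQDN) is an assumption you can override with the name users type into the RDP client.

```powershell
# Added diagnostic: which certificate does the RDP listener present, and does it
# cover the name clients connect with? Run in an elevated Windows PowerShell.
param(
    # Assumption: clients connect using this host's FQDN; override if they use another name.
    [string]$ExpectedName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# Thumbprint of the certificate currently bound to the RDP-Tcp listener
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
$thumb = $ts.SSLCertificateSHA1Hash
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { Write-Warning "No certificate with thumbprint $thumb in LocalMachine\My"; exit 1 }

# Names the certificate is valid for: Subject CN plus any Subject Alternative Name DNS entries
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$names += $cert.DnsNameList | ForEach-Object { $_.Unicode }
$names = $names | Sort-Object -Unique

# Hostname matching as a client does it: exact match, or a wildcard that covers
# exactly one left-most label (*.123.com covers abc.123.com, not x.abc.123.com)
function Test-NameMatch([string]$CertName, [string]$HostName) {
    if ($CertName -eq $HostName) { return $true }          # -eq is case-insensitive
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)                   # ".123.com"
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $prefix = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($prefix.Length -gt 0) -and ($prefix -notmatch '\.')
    }
    return $false
}

$matched = $names | Where-Object { Test-NameMatch $_ $ExpectedName }

# NameMatches = $false is the "name mismatch" prompt; SelfSigned = $true means the
# client will also warn unless the cert was imported into its Trusted Root store.
[pscustomobject]@{
    ExpectedName = $ExpectedName
    CertNames    = ($names -join ', ')
    NameMatches  = [bool]$matched
    SelfSigned   = ($cert.Subject -eq $cert.Issuer)
    Expires      = $cert.NotAfter
}
```

A server whose listener still carries the gateway's ts.123.com certificate will report NameMatches = False for abc.123.com, which is exactly the condition the client is warning about.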
Haha psychogr,

I think my question is not clear again.

If the client connects to my TS gateway server using the FQDN, there is no problem, but when I RDP from my client to my APP servers and use the TS gateway cert, I get a name mismatch, as my APP server name is not the same as the FQDN name on the cert.

So I am asking if there is any way, other than having a CA server in the domain, to use a single cert for RDP connections?

I have tested with W2008 RDC 6.1 and there are no such problems, but if using RDC 6.0 from XP SP2, I get a certificate warning prompt.

OK, now I see ;)
You could create an entry in the hosts file for abc.123.com pointing to the local IP of your server.
Or, if you have a local DNS server, put an entry there.

Hope I get it now :PP
I don't think DNS is the problem, as the cert name and the server FQDN I am trying to RDP into are not the same, so I will get a certificate error pop-up.

I think I got the answer.

I used RDC 6.1 and the cert prompt was gone.. :) So if the client is XP SP2, it may need to upgrade to SP3 and use RDC 6.1.
The solution also cannot really work: I got 1 client that can RDP in without the cert prompt, but another XP SP3 machine still gets the cert prompt.... so strange..

Anyone able to help??

Thanks
Anyone can help please?????
ASKER CERTIFIED SOLUTION
noci
