Avatar of plymouthmuscle
plymouthmuscleFlag for United States of America asked on

Certificate issues with RemoteApp and the internet

I'm trying to set up RemoteApp with Server 2008 and terminal services.
I want employees to be able to access an internal application from the outside.

So far I think I seem to be doing pretty well, but I've hit a snag I can't seem to get past. I've gotten the TS website ported through the router and can access it successfully from the outside. I've also gotten the TS website SSL'd up and that seems to be working fine.
My problem is when I click on the application I want to launch inside the TS website it gives me the usual logins, and then throws a certificate error.

"The remote computer could not be authenticated due to problems with its security certicate. It may be unsafe to proceed"
"The certificate is not from a trusted certifying authority"

I have two options. One to view the certificate and the other to click "OK"
When I click "OK" the error screen goes away but nothing happens.
Installing the certificate on the remote machine did not change the error.

How do I move past this error? Can I somehow self sign my certificate in order for it to work. I would prefer not to purchase anything.

Thanks for any advice.
screenshot.jpg
Remote AccessMicrosoft IIS Web ServerWindows Server 2008

Avatar of undefined
Last Comment
plymouthmuscle

8/22/2022 - Mon
Tasmant

Many issues with certificates ...
When you set up any secure connections with certificates, you need to know the eternal URL to connect before generating the certificate.
If i look at your certificate, the external url should be orionserver.drugrecovery.dri
Looks like an internal name ...

The name you type in your browser (or mstsc.exe) must be the name included in the certificate.

So what solutions ?
- You could use a self signed certificate. If you haven't any certification authority on your network, I think the system will generate the certificate itself, but most probably with the internal computer name ... we want it with another name.
- You can use a Certification Authority (private on your network, or public but you will pay). In that cas, you can ask a certificate and set the name of the certificate as you want. The name must be the external name, when users will gain access to your site from home.

More, in order to work, the computer where you try to access the application must trust the certificate.
In the case where you use a self signed certificate, you need to put that certificate in the "trusted root certificate" store.

In the case where you use a signed certificate (set up with an internal certification authority), you will need to import the Certification Authority certificate in the "trusted root certificates" store on any external computer.

If you use a public signed certificate, you won't need to do anything because most certification enterprise are already trusted by Microsoft (Like Verisign ...)

ASKER
plymouthmuscle

Your are correct that "orionserver" is an internal name and does not work on the outside. In order to get that to work I changed the Server name to the outside ip address in the RemoteApp deployment settings. I also changed the port to a custom port that's NAT'd through the router.

I currently do have a self signed certificate assigned in the RemoteApp manager. I have also taken this certificate and imported it into the Trusted Root Cert. Auth. on the computer I'm dialing from. It's still no good. Still throws the same untrusted publisher error.

Can I purchase a certificate from say go daddy that would work and import into my remoteapp? Will they let me create a certificate with the name as an ip address?

Is there a way I can not use certificates on the program logins? The website itself is already secured and the logins will be secured. I don't use certificates to normally login my computers/servers from the outside. I've noticed that the "Sign with a digital certificate" checkbox in the RemoteApp deployment settings doesn't seem to change anything.
ASKER CERTIFIED SOLUTION
Tasmant

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
plymouthmuscle

Ugg
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck