Certificate issues with RemoteApp and the internet
I'm trying to set up RemoteApp with Server 2008 and terminal services.
I want employees to be able to access an internal application from the outside.
So far I think I seem to be doing pretty well, but I've hit a snag I can't seem to get past. I've gotten the TS website ported through the router and can access it successfully from the outside. I've also gotten the TS website SSL'd up and that seems to be working fine.
My problem is when I click on the application I want to launch inside the TS website it gives me the usual logins, and then throws a certificate error.
"The remote computer could not be authenticated due to problems with its security certicate. It may be unsafe to proceed"
"The certificate is not from a trusted certifying authority"
I have two options. One to view the certificate and the other to click "OK"
When I click "OK" the error screen goes away but nothing happens.
Installing the certificate on the remote machine did not change the error.
How do I move past this error? Can I somehow self sign my certificate in order for it to work. I would prefer not to purchase anything.
Thanks for any advice.
screenshot.jpg
I want employees to be able to access an internal application from the outside.
So far I think I seem to be doing pretty well, but I've hit a snag I can't seem to get past. I've gotten the TS website ported through the router and can access it successfully from the outside. I've also gotten the TS website SSL'd up and that seems to be working fine.
My problem is when I click on the application I want to launch inside the TS website it gives me the usual logins, and then throws a certificate error.
"The remote computer could not be authenticated due to problems with its security certicate. It may be unsafe to proceed"
"The certificate is not from a trusted certifying authority"
I have two options. One to view the certificate and the other to click "OK"
When I click "OK" the error screen goes away but nothing happens.
Installing the certificate on the remote machine did not change the error.
How do I move past this error? Can I somehow self sign my certificate in order for it to work. I would prefer not to purchase anything.
Thanks for any advice.
screenshot.jpg
ASKER
Your are correct that "orionserver" is an internal name and does not work on the outside. In order to get that to work I changed the Server name to the outside ip address in the RemoteApp deployment settings. I also changed the port to a custom port that's NAT'd through the router.
I currently do have a self signed certificate assigned in the RemoteApp manager. I have also taken this certificate and imported it into the Trusted Root Cert. Auth. on the computer I'm dialing from. It's still no good. Still throws the same untrusted publisher error.
Can I purchase a certificate from say go daddy that would work and import into my remoteapp? Will they let me create a certificate with the name as an ip address?
Is there a way I can not use certificates on the program logins? The website itself is already secured and the logins will be secured. I don't use certificates to normally login my computers/servers from the outside. I've noticed that the "Sign with a digital certificate" checkbox in the RemoteApp deployment settings doesn't seem to change anything.
I currently do have a self signed certificate assigned in the RemoteApp manager. I have also taken this certificate and imported it into the Trusted Root Cert. Auth. on the computer I'm dialing from. It's still no good. Still throws the same untrusted publisher error.
Can I purchase a certificate from say go daddy that would work and import into my remoteapp? Will they let me create a certificate with the name as an ip address?
Is there a way I can not use certificates on the program logins? The website itself is already secured and the logins will be secured. I don't use certificates to normally login my computers/servers from the outside. I've noticed that the "Sign with a digital certificate" checkbox in the RemoteApp deployment settings doesn't seem to change anything.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ugg
When you set up any secure connections with certificates, you need to know the eternal URL to connect before generating the certificate.
If i look at your certificate, the external url should be orionserver.drugrecovery.d
Looks like an internal name ...
The name you type in your browser (or mstsc.exe) must be the name included in the certificate.
So what solutions ?
- You could use a self signed certificate. If you haven't any certification authority on your network, I think the system will generate the certificate itself, but most probably with the internal computer name ... we want it with another name.
- You can use a Certification Authority (private on your network, or public but you will pay). In that cas, you can ask a certificate and set the name of the certificate as you want. The name must be the external name, when users will gain access to your site from home.
More, in order to work, the computer where you try to access the application must trust the certificate.
In the case where you use a self signed certificate, you need to put that certificate in the "trusted root certificate" store.
In the case where you use a signed certificate (set up with an internal certification authority), you will need to import the Certification Authority certificate in the "trusted root certificates" store on any external computer.
If you use a public signed certificate, you won't need to do anything because most certification enterprise are already trusted by Microsoft (Like Verisign ...)