gglollc


Remote Desktop Gateway Firewall Issue

Question:
I have RD Gateway setup on my R2 server as follows:

It is installed to the Default Website
It has a valid SSL cert bound to it and installed in the Gateway Manager
It is bound to IP 10.0.016
DNS is set up with the same name remote.xxx.com both internally and externally.

It works great internally but not externally and the issue seems to be the firewall settings.
The error is: "Your computer can't connect to the remote computer because the Desktop Gateway server is unreachable or incorrect..."

The Gateway server is on the LAN behind a WatchGuard firewall. I created an SSL 443 packet filter using NAT to translate the public IP to the internal IP. The firewall logs show that the connection is accepted. However, I still get the above error.

The same setup works fine for my other SSL connections such as our SharePoint site.

Britt Thompson

Have you verified the settings in the Windows Firewall are not blocking addresses outside the LAN?
gglollc

ASKER

The Windows Firewall is not turned on. But the NAT setting on the firewall translates the public address to a LAN address anyway.
Krzysztof Pytko
Did you disable all 3 Windows Firewall profiles (Public, Private and Domain)?

If you have enabled port 443 (HTTPS), it should work fine. You have also enabled 3389 for RDP, because it works internally.

Regards,
Krzysztof
gglollc

ASKER

iSiek,

The server firewall is disabled via AD policy. Internally I can RDP to it via the Gateway and direct RDP bypassing the gateway. Can you clarify what you mean by enabling 3389? My understanding is that the benefit of using the gateway is that 3389 does not need to be enabled on the firewall. The server is on our LAN behind the firewall; we do not have a DMZ.
Thanks
Yes, you're right! The 3389 RDP client port should be enabled only on the TS/RDS server. The firewall should pass 443 (HTTPS) traffic to your TS/RDS Gateway.

Does your client have the appropriate certificate installed in the local store to be able to access the TS/RDS Gateway?

Krzysztof
gglollc

ASKER

Yes, we use Digicert and have two websites with Digicert certs that work fine with the client.
Thanks
As you mentioned, internally it works, so the Windows Firewall should not be the issue.

When you access the TSGW internally, do you use the remote.xxx.com address as well?



You mentioned DigiCert?
Can you run DigiCert's SSL Certificate Management & Troubleshooting Tool? https://www.digicert.com/util/
I had a similar problem with DigiCert where the intermediate certificates were not installed correctly.
Remember to run this program as an administrator.
gglollc

ASKER

jesaja, yes I do use the same address internally.

DeDeckkerAndy, yes, the cert is fine. As I mentioned earlier, I have the same type of cert from DigiCert for two other sites and they work fine on the same client.
Thanks
It is installed to the Default Website
It has a valid SSL cert bound to it and installed in the Gateway Manager
It is bound to IP 10.0.016
-->
Can you try binding it to All Unassigned and restarting your IIS and gateway services?
Does that make any difference?
Can't you enable logging for all traffic to and from this server in your firewall?

I would first test if port 443 is open from external

http://www.yougetsignal.com/tools/open-ports/

Then, if so, use MS Network Monitor (or your preferred one :)) on that server to see if traffic reaches the server from external.

In the TS GW Monitoring you probably will not see any entry, because no connection is established, but check the event log under Applications and Services Logs, Windows, TerminalServices-Gateway.



Next, I would create a web site on that server in IIS and try to reach it from external.
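The checks suggested in this thread (what is listening on 443 and on which address, which certificate HTTP.SYS serves, whether the IIS binding is a fixed IP or All Unassigned, what the gateway event log recorded, and whether an external client gets through the NAT rule to the right site) can be run as one script. This is an added example, not code posted by anyone in the thread. It assumes an elevated PowerShell on the RD Gateway host for the server-side function, a Windows client outside the LAN for the probe, and uses the thread's placeholder name remote.xxx.com; function names are the example's own.

```powershell
# Added diagnostic example (not from the thread). Server-side checks run in an
# elevated PowerShell on the RD Gateway host; the probe runs from outside the LAN.
# $GatewayFqdn is the placeholder name used in the thread.
$GatewayFqdn = 'remote.xxx.com'

function Test-GatewayServerSide {
    # 1. TCP 443 listeners. A listener tied to one NIC's address only answers
    #    traffic that arrives for that address, so note which local IPs appear.
    Write-Host '--- TCP 443 listeners ---'
    netstat -ano | Select-String 'TCP\s+\S+:443\s+\S+\s+LISTENING'

    # 2. Certificate bound to 443 in HTTP.SYS. The RD Gateway rides on this
    #    binding, so the certificate subject must match $GatewayFqdn.
    Write-Host '--- HTTP.SYS SSL bindings ---'
    netsh http show sslcert

    # 3. IIS https bindings. bindingInformation "*:443:" means All Unassigned;
    #    "<ip>:443:" means the site answers on that one address only.
    Write-Host '--- IIS https bindings ---'
    Import-Module WebAdministration
    Get-WebBinding | Where-Object { $_.protocol -eq 'https' } |
        Select-Object protocol, bindingInformation | Format-Table -AutoSize

    # 4. Gateway operational log: connection attempts that reached the
    #    RPC-over-HTTPS layer. Empty output means the request never got this far.
    Write-Host '--- Last 20 RD Gateway events ---'
    Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-Gateway/Operational' `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
}

function Test-GatewayFromOutside {
    param([string]$HostName = $GatewayFqdn)

    # 5. TCP reachability through the firewall's NAT rule.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, 443)
    } catch {
        Write-Host "TCP 443 to $HostName failed: $($_.Exception.Message)"
        return
    }

    # 6. TLS handshake. The certificate subject the server presents shows which
    #    site the NAT rule actually landed on (the gateway, or another https
    #    site on the host's second address).
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)
        Write-Host "TLS OK. Server certificate subject: $($ssl.RemoteCertificate.Subject)"
    } catch {
        Write-Host "TLS handshake failed: $($_.Exception.Message)"
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Usage: Test-GatewayServerSide on the gateway; Test-GatewayFromOutside from an external client.
```

If step 5 connects and step 6 presents a certificate for a site other than the gateway, the NAT rule is delivering traffic to an address the gateway's binding does not cover, which is exactly what the "All Unassigned" suggestion above is meant to rule out. If step 6 succeeds with the gateway's own certificate but the gateway log in step 4 stays empty, the problem lies between HTTP.SYS and the gateway service rather than in the firewall.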



gglollc

ASKER

jesaja: My firewall logs show that port 443 is allowed and being directed to the RDG server.
Network Monitor on the RDG server shows that a 443 port connection is being made from the client.
So it appears that for whatever reason the RDP is being dropped somewhere. And you are right, the RD Gateway monitor shows nothing. The event logs do not record any related events either.

DeDeckkerAndy: You are correct. However, the server does have two IPs, one for the default website and one for a SharePoint website. Two NICs. I can still try that later, however.

ASKER CERTIFIED SOLUTION
gglollc

I am glad you've found the cause.
Gr., Andy
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.