Solved

Terminal Server 2008 R2 (Remote Desktop Host Services, as it's now called)

Posted on 2011-03-16
747 Views
Last Modified: 2012-05-11
I have set up RD Host services (Terminal Server) on a Server 2008 R2 box. Installed all RD service roles except RD Broker, as it is a single box with 10 users. Activated with MS and installed an SSL certificate, opened ports on the router, and all seems to work great internally.

As soon as you try to access it externally, the users log in OK but run into an issue with the second login, which happens when trying to open a RemoteApp.

They can log in to RDWeb OK, but when trying to open any apps they get prompted for the login, and I notice at this point the login changes to the local internal domain name.

I have set up the RD Gateway to use the external FQDN and this appears to work OK until this point. Can anyone help please?
Question by:sifenwick
12 Comments
 
LVL 4

Expert Comment

by:pbrane
ID: 35151571
Hi sifenwick,

If you want to take advantage of your TS gateway then you'll need to make sure the following are in place.

When you open the RemoteApp Manager MMC, click Change for the RD Session Host Server Settings and, in the Server name box, make sure you have your internal server name.

Then on the RD Gateway tab, make sure you have the "Use these RD Gateway server settings" radio button selected, put your external FQDN in the Server name box and select whatever other options are relevant. The default is normally about right for your average setup.

You can use the same standard SSL certificate to sign your apps as well, in the Digital Signature tab. (There's also a registry hack you can pop in on the connecting client that adds the thumbprint of the certificate to the trusted publishers list so they don't get any confirmation boxes; let me know if you need that and I'll dig it out.)

That should do it really; let me know how far that gets you.

P.S. If you didn't know, when using a TS Gateway the only port you need forwarding is port 443, as the RDP protocol is sent down the SSL tunnel.

Unless you want users to connect normally as well without using the gateway; then you'll need 3389 as well.

Thanks,
0
 
LVL 4

Expert Comment

by:pbrane
ID: 35152115
Hi,

Should probably also mention that you are going to need a couple of certificates: one for the actual server NetBIOS name on the actual RDP connector, and the one you already have for the FQDN of the TS Gateway. (Unless you don't mind the warning messages about the publisher not being trusted.)

If you want to just test this as a proof of concept, see what it's like with no warnings first and only use one certificate, skip using the gateway for now.

Setup is as follows.

Assign the certificate to the RDP connector instead, using the Remote Desktop Session Host Configuration snap-in.

Then, back in the RemoteApp Manager snap-in, click Change for the RD Session Host Server Settings and, in the Server name box, make sure you have your external FQDN in there, and make sure you select the "Automatically detect RD Gateway server settings" option on the RD Gateway tab.
This should now set you up to use your RemoteApps directly without going through the gateway.
0
 

Author Comment

by:sifenwick
ID: 35154179
Not sure what you mean by "if you want to use the TS Gateway." If it is possible to not have to use it then we do not need it. We have a simple setup of one TS, so if we do not need the gateway side we can do without it. This is my first 2008 TS so I'm not sure of all the requirements. As simple as possible is best; the fewer things to go wrong the better.
0
 
LVL 4

Accepted Solution

by:
pbrane earned 500 total points
ID: 35154400
Hi,

Ok, no problem. No you don't NEED it to allow your TS to function. It's just a means of providing tighter control and security for access to the TS.

You can uninstall that role and carry on exactly how you have done before connecting directly on 3389.

That's my second post.

Let me know if you have any issues with the second post.

To summarise, you can use your standard SSL certificate to:

1. Assign to the Terminal Server itself through the Remote Desktop Session Host Configuration snap-in.
2. Using the RemoteApp Manager snap-in, click Change for the RD Session Host Server Settings and, in the Server name box, make sure you have the external FQDN that is used in the common name of your SSL certificate.

This will get it working, I think, from a general point of view.

In R2 they introduced SSO (Single Sign-On), which is supposed to stop you from having to enter your credentials again when selecting an application. To get this to work there are prerequisites on the clients connecting.

One thing they will all need is the thumbprint of your SSL certificate placed in the registry as a trusted publisher. You can use the attached .reg file to do this after you have placed the thumbprint of your own certificate in there.

There are others, but before I bombard you: what client OSes are likely to connect? They will connect without any of the prerequisites, but it might not be so seamless and you'll get a lot of prompts along the way.

0
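The trusted-publisher registry entry and the SSO prerequisite above correspond to two Remote Desktop Connection client policies. The script below is an added example, not the .reg file attached in the thread, and writes those two policy values on a single test client: the trusted .rdp publisher thumbprint list, and default-credential delegation scoped to the session host's SPN. The hostname `remote.example.com` is an assumption; the thumbprint is read from the RD Session Host's certificate store.

```powershell
# Added example, not the attachment from the thread. Mirrors, in the registry of one test
# client, the two Remote Desktop Connection policies that RemoteApp SSO depends on:
#   1. "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers"
#      (so signed RemoteApp files open without the unknown-publisher prompt), and
#   2. "Allow delegating default credentials" for TERMSRV/<session host>
#      (so the logged-on user's credentials are passed through and the second logon disappears).
# Deploy these through Group Policy for real; this is for seeing the effect on one machine.
# 'remote.example.com' is an assumption: use the FQDN in your certificate's common name.

function Get-RdsCertificateThumbprint {
    # Run on the RD Session Host: returns the thumbprint of the certificate issued to the FQDN.
    param([Parameter(Mandatory=$true)][string]$Fqdn)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match ('CN=' + [regex]::Escape($Fqdn) + '(,|$)') } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$Fqdn in Cert:\LocalMachine\My" }
    $cert.Thumbprint
}

function Set-RdpTrustedPublisherAndSso {
    # Run elevated on the client.
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,        # SHA1 thumbprint of the signing certificate
        [Parameter(Mandatory=$true)][string]$SessionHostFqdn    # the name in the .rdp "full address"
    )
    # The certificate MMC copies thumbprints with spaces; the policy wants 40 bare hex characters.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($tp -notmatch '^[0-9A-F]{40}$') { throw "Not a SHA1 thumbprint: '$Thumbprint'" }

    # 1. Trusted .rdp publishers: REG_SZ, comma-separated thumbprints. Append, do not overwrite.
    $tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $tsPolicy)) { New-Item -Path $tsPolicy -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $tsPolicy -ErrorAction SilentlyContinue).TrustedCertThumbprints
    $list = @()
    if ($existing) { $list = @($existing -split ',' | Where-Object { $_ }) }
    if ($list -notcontains $tp) { $list += $tp }
    Set-ItemProperty -Path $tsPolicy -Name TrustedCertThumbprints -Value ($list -join ',') -Type String

    # 2. Credential delegation, scoped to this one SPN rather than TERMSRV/*.
    $credPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $allowList  = Join-Path $credPolicy 'AllowDefaultCredentials'
    foreach ($p in @($credPolicy, $allowList)) { if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null } }
    Set-ItemProperty -Path $credPolicy -Name AllowDefaultCredentials -Value 1 -Type DWord
    Set-ItemProperty -Path $credPolicy -Name ConcatenateDefaults_AllowDefault -Value 1 -Type DWord
    $spn = "TERMSRV/$SessionHostFqdn"
    $names = @()
    $current = Get-ItemProperty -Path $allowList -ErrorAction SilentlyContinue
    if ($current) {
        # The list lives as string values named 1, 2, 3 ... under the AllowDefaultCredentials key.
        $names = @($current.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
    }
    if ($names -notcontains $spn) {
        Set-ItemProperty -Path $allowList -Name ([string]($names.Count + 1)) -Value $spn -Type String
        $names += $spn
    }

    # Report what is now in force.
    New-Object PSObject -Property @{
        TrustedCertThumbprints  = (Get-ItemProperty -Path $tsPolicy).TrustedCertThumbprints
        AllowDefaultCredentials = $names
    }
}

# Usage (hostname is an assumption):
#   on the server:  $tp = Get-RdsCertificateThumbprint -Fqdn 'remote.example.com'
#   on the client:  Set-RdpTrustedPublisherAndSso -Thumbprint $tp -SessionHostFqdn 'remote.example.com'
```

The SPN in the delegation list must be the name the .rdp file's "full address" carries, which is why the Server name box in RemoteApp Manager matters: if that box holds the internal name, delegate to `TERMSRV/<internal name>` instead. The same thumbprint is what RemoteApp Manager's Digital Signature tab signs with; a file signed by hand with `rdpsign.exe /sha1 <thumbprint> app.rdp` is trusted by the same policy.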
 
LVL 4

Expert Comment

by:pbrane
ID: 35154421
Whoops, it would help if I actually attached the file!
Trused-Publisher.reg
0
 
LVL 4

Expert Comment

by:pbrane
ID: 35154550
Sorry and missed from the Summary:

3. You can use the same standard SSL certificate to sign your apps as well, in the Digital Signature tab, also found in the RemoteApp Manager snap-in.
0
 
LVL 4

Expert Comment

by:pbrane
ID: 35154622
Sorry one more thing to consider,

If you assign your certificate to the RDP connector of the Terminal Server instead of its default self-signed one, then when your users connect internally, unless your internal domain name is the same as your external domain name, and depending on how the RDP client is set up, they will get an error stating that the certificate contains a different name and asking whether they want to continue.

The only real way to get round this, if you don't have the same domain internally as externally, is to host your external DNS zone internally as well, copy all of your existing A records into the zone so they can still reach everything externally, and then get them to connect to the server using the external FQDN from inside the network as well.

I'm not sure of your technical level, so if I'm dribbling on, feel free to pull me over and ask about anything I've just said.

Thanks,  
0
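The name-mismatch warning above is the RDP client comparing the name the user typed with the names on the certificate the listener presents during the TLS handshake. The function below is an added example (not from the thread) that performs that comparison from PowerShell: it opens TCP 3389, sends the X.224 Connection Request that begins every RDP session, negotiates TLS (or NLA, which also begins with TLS) and reports the names on the listener certificate. Hostnames are assumptions.

```powershell
# Added example, not from the thread. Reproduces the check behind mstsc's "certificate name
# mismatch" warning: connect to the RDP listener, negotiate TLS, and compare the certificate's
# CN and subjectAltName DNS entries with the name the user connected to.
# Protocol bytes follow MS-RDPBCGR 2.2.1.1/2.2.1.2 (X.224 Connection Request/Confirm with RDP_NEG_REQ/RSP).

function Get-RdpListenerCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,  # the name users type into the client
        [int]$Port = 3389
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $tcp.ReceiveTimeout = 5000
    $net = $tcp.GetStream()

    # TPKT header + X.224 Connection Request + RDP_NEG_REQ.
    # requestedProtocols = PROTOCOL_SSL (1) | PROTOCOL_HYBRID (2): a listener set to require NLA
    # would refuse plain TLS, but CredSSP also starts with a TLS handshake, which is all we need.
    [byte[]]$req = 0x03,0x00,0x00,0x13,                    # TPKT, total length 19
                   0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,     # X.224 CR TPDU (LI=14)
                   0x01,0x00,0x08,0x00,0x03,0x00,0x00,0x00 # RDP_NEG_REQ, protocols = 3
    $net.Write($req, 0, $req.Length)

    # Read the 19-byte Connection Confirm; Read() may return it in pieces.
    $resp = New-Object byte[] 19
    $got = 0
    while ($got -lt $resp.Length) {
        $n = $net.Read($resp, $got, $resp.Length - $got)
        if ($n -le 0) { break }
        $got += $n
    }
    # Byte 11 is the RDP_NEG_RSP type: 0x02 = response, 0x03 = RDP_NEG_FAILURE.
    if ($got -lt 19 -or $resp[11] -ne 0x02) {
        $tcp.Close()
        throw "Listener did not negotiate TLS (bytes=$got, type=0x$('{0:X2}' -f $resp[11]))"
    }
    $selected = [int]$resp[15]   # selectedProtocol: 1 = TLS, 2 = CredSSP (NLA)

    # Accept any certificate here: the point is to inspect it, not to trust it. A real client
    # applies its own policy (authentication level) to the result.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($net, $false, $acceptAll)
    $ssl.AuthenticateAsClient($ComputerName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close(); $tcp.Close()

    # Names a client will accept: the subject CN plus any DNS entries in subjectAltName (2.5.29.17).
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $names = @($names | Select-Object -Unique)
    $match = $names | Where-Object {
        $_ -ieq $ComputerName -or
        ($_.StartsWith('*.') -and $ComputerName -imatch ('^[^.]+' + [regex]::Escape($_.Substring(1)) + '$'))
    }
    New-Object PSObject -Property @{
        ConnectedTo = "${ComputerName}:$Port"
        Security    = @{ 1 = 'TLS'; 2 = 'CredSSP (NLA)' }[$selected]
        Issuer      = $cert.Issuer
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        Names       = $names
        NameMatches = [bool]$match   # $false is exactly the case where mstsc shows the warning
        Expires     = $cert.NotAfter
    }
}

# Usage (hostnames are assumptions): run from inside the network with both names users might use.
#   Get-RdpListenerCertificate -ComputerName 'remote.example.com'
#   Get-RdpListenerCertificate -ComputerName 'ts01'
```

Run it once with the external FQDN and once with the internal name. With the public certificate on the connector, the FQDN call reports `NameMatches = True` and the short-name call `False`; that second result is what the split-brain DNS zone in the comment above is there to avoid. `SelfSigned = True` with `Names` equal to the machine name means the default listener certificate is still in place.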
 

Author Comment

by:sifenwick
ID: 35157919
Do I need a TS Gateway to use the system via:
https://fqdn/rdweb ?
The idea is to enable users to connect via the website rather than port 3389.
If so then I need it, otherwise not.
0
 
LVL 4

Expert Comment

by:pbrane
ID: 35158114
Hi,

No, you don't need a gateway.

What happens is, when you click an application icon or the RDP icon on the RDWeb page, the settings you have set up in the background actually open an RDP session in that manner, then present you with the seamless application or the RDP session.

So if you configure the server the way I stated in the first post, when a user clicks on an application or RDP icon it will go through the gateway, but they won't know anything about it.

If you configure it the way I stated in the second post, it'll just connect using the normal 3389 in the background. Again, the user can't see how it's connecting though.
0
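What RDWeb hands the client for each icon is a small .rdp file, and the "in the background" settings the comment above describes are its `full address`, `gatewayhostname` and `gatewayusagemethod` lines. The function below is an added example, not from the thread, that reads such a file and states which host and port the client will open, which port therefore needs forwarding, and which certificate name the client will validate, so that "via the gateway" and "direct on 3389" can be told apart from the file alone. The two sample files and all hostnames are constructed for the example.

```powershell
# Added example, not from the thread. Parses the settings in a RemoteApp/RDWeb .rdp file and
# reports the connection path the client will take. Sample content and hostnames are constructed.

function Get-RdpConnectionPath {
    param([Parameter(Mandatory=$true)][string[]]$RdpLines)   # the lines of an .rdp file
    # Each line is name:type:value, type s (string) or i (integer); a value may itself contain ':'.
    $s = @{}
    foreach ($line in $RdpLines) {
        if ($line -match '^([^:]+):([si]):(.*)$') { $s[$matches[1].ToLower()] = $matches[3].Trim() }
    }
    $hostPort = $s['full address']
    if (-not $hostPort) { throw 'No "full address" setting in the .rdp file' }
    $target, $port = $hostPort -split ':', 2        # "host" or "host:port"
    if (-not $port) { $port = '3389' }

    # gatewayusagemethod: 0 never use a gateway, 1 always, 2 only if the host is not reachable directly;
    # other values defer to the client's own RD Gateway settings.
    $usage = 0
    if ($s['gatewayusagemethod']) { $usage = [int]$s['gatewayusagemethod'] }
    $gateway = $s['gatewayhostname']
    $path = switch ($usage) {
        0       { 'Direct' }
        1       { 'Gateway' }
        2       { 'Direct, gateway if the host is unreachable' }
        default { 'Client default' }
    }
    if ($usage -ne 0 -and -not $gateway) { $path = 'Direct (gateway requested but no gatewayhostname set)' }

    # Ports the edge must let in, and the certificate names the client will check on the way.
    $ports = switch -wildcard ($path) {
        'Gateway'   { @(443) }
        'Direct, *' { @([int]$port, 443) }
        default     { @([int]$port) }
    }
    $certNames = @()
    if ($path -eq 'Gateway' -or $path -like 'Direct, *') { $certNames += "$gateway (HTTPS 443, RD Gateway certificate)" }
    if ($path -ne 'Gateway') { $certNames += "$target (TCP $port, RD Session Host listener certificate)" }

    # authentication level: what the client does when that certificate check fails.
    $authLevel = @{ '0' = 'connect without warning'; '1' = 'refuse to connect'; '2' = 'warn the user' }[[string]$s['authentication level']]
    if (-not $authLevel) { $authLevel = 'client default' }

    New-Object PSObject -Property @{
        Target                  = $target
        Path                    = $path
        Gateway                 = $gateway
        InboundPortsNeeded      = $ports
        CertificateNamesChecked = $certNames
        OnCertificateError      = $authLevel
        RemoteApp               = ($s['remoteapplicationmode'] -eq '1')
        Program                 = $s['remoteapplicationprogram']
    }
}

# Constructed sample: the first post's layout, gateway on the external FQDN,
# session host addressed by its internal name.
$viaGatewaySample = @(
    'full address:s:ts01.corp.local',
    'gatewayhostname:s:remote.example.com',
    'gatewayusagemethod:i:1',
    'gatewaycredentialssource:i:0',
    'promptcredentialonce:i:1',
    'authentication level:i:2',
    'remoteapplicationmode:i:1',
    'remoteapplicationprogram:s:||wordpad',
    'alternate shell:s:rdpinit.exe'
)
# Constructed sample: the second post's layout, no gateway, external FQDN on the listener.
$directSample = @(
    'full address:s:remote.example.com:3389',
    'gatewayusagemethod:i:0',
    'authentication level:i:2',
    'remoteapplicationmode:i:1',
    'remoteapplicationprogram:s:||wordpad'
)
Get-RdpConnectionPath -RdpLines $viaGatewaySample   # Path Gateway, port 443, checks remote.example.com
Get-RdpConnectionPath -RdpLines $directSample       # Path Direct, port 3389, checks remote.example.com
# A real file saved from RDWeb:  Get-RdpConnectionPath -RdpLines (Get-Content .\wordpad.rdp)
```

In the gateway layout the listener certificate on `ts01.corp.local` is never seen from outside, only the gateway's HTTPS certificate is, which is why the first post needs only port 443 forwarded and an internal name in the Server name box. In the direct layout the listener's certificate is what the client checks against `remote.example.com`, so that name has to be the one on the certificate assigned in Remote Desktop Session Host Configuration.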
 

Author Comment

by:sifenwick
ID: 35158347
Do I have to uninstall the TS Gateway role for this to no longer apply?
0
 
LVL 4

Expert Comment

by:pbrane
ID: 35158993
Hi,

No, you just don't use it in any configuration and it'll just sit there and do nothing.
0
 

Author Closing Comment

by:sifenwick
ID: 35161172
Thanks for all your time on this.
0