
Terminal Server 2008 R2 (Remote Desktop Session Host services, as it's now called)

Posted on 2011-03-16
Last Modified: 2012-05-11
I have set up RD Session Host services (Terminal Server) on a Server 2008 R2 box. Installed all RD service roles except RD Connection Broker, as it is a single box with 10 users. Activated with MS and installed an SSL certificate, opened ports on the router, and all seems to work great internally.

As soon as you try to access it externally, the users log in OK but run into an issue with the second login, which is when trying to open a RemoteApp.

They can log in to RDWeb OK, but when trying to open any apps they get prompted for the login, and I notice at this point the login changes to the local internal domain name.

I have set up the RD Gateway to use the external FQDN and this appears to work OK until this point. Can anyone help, please?
Question by: sifenwick

Expert Comment by: pbrane (ID: 35151571)

Hi sifenwick,

If you want to take advantage of your TS gateway then you'll need to make sure the following are in place.

When you open the RemoteApp Manager MMC, click Change for the RD Session Host Server Settings and, in the server name box, make sure you have your internal server name.

Then on the RD Gateway tab, make sure you have the "Use these RD Gateway server settings" radio button selected, put your external FQDN in the server name box and select whatever other options are relevant. The default is normally about right for your average setup.

You can use the same standard SSL certificate to sign your apps as well, in the Digital Signature tab. (There's also a registry hack you can pop onto the connecting client that adds the thumbprint of the certificate to the trusted publishers list so they don't get any confirmation boxes; let me know if you need that and I'll dig it out.)

That should do it really; let me know how far that gets you.

P.S. If you didn't know, when using a TS Gateway the only port you need forwarding is port 443, as the RDP protocol is sent down the SSL tunnel.

Unless, you want users to connect normally as well without using the gateway, then you'll need 3389 as well.

Thanks,
Expert Comment by: pbrane (ID: 35152115)

Hi,

Should probably also mention that you are going to need a couple of certificates: one for the actual server NetBIOS name on the actual RDP connector, and the one you already have for the FQDN of the TS Gateway. (Unless you don't mind the warning messages about the publisher not being trusted.)

If you want to just test this as a proof of concept and see what it’s like with no warnings first and only use one certificate, skip using the gateway for now.

Set up is as follows.

Assign the certificate to the RDP connector instead, using the remote desktop session host configuration Snap In.

Then back in the RemoteApp Manager snap-in, click Change for the RD Session Host Server Settings and, in the server name box, make sure you have your external FQDN in there, and make sure you select the "Automatically detect RD Gateway server settings" option on the RD Gateway tab.
This should now set you up to use your remote apps directly without going through the gateway.

Author Comment by: sifenwick (ID: 35154179)

Not sure what you mean by "if you want to use the TS Gateway." If it is possible to not have to use it then we do not need it. We have a simple setup of 1 TS, so if we do not need the gateway side we can do without it. This is my first 2008 TS so I'm not sure of all the requirements. Simple as possible is best; the fewer things to go wrong the better.
Accepted Solution by: pbrane (earned 500 total points; ID: 35154400)

Hi,

Ok, no problem. No you don't NEED it to allow your TS to function. It's just a means of providing tighter control and security for access to the TS.

You can uninstall that role and carry on exactly as you have done before, connecting directly on 3389.

That's my second post.

Let me know if you have any issues with the second post.

To summarise, you can use your standard SSL to:

1. Assign it to the Terminal Server itself through the Remote Desktop Session Host Configuration snap-in.
2. Using the RemoteApp Manager snap-in, click Change for the RD Session Host Server Settings and, in the server name box, make sure you have the external FQDN that is used in the common name of your SSL certificate.

This will get it working I think from a general point of view.

In R2 they introduced SSO (Single Sign-On), which is supposed to stop you from having to enter your credentials again when selecting an application. To get this to work there are prerequisites on the clients connecting.

One thing they will all need is the thumbprint of your SSL certificate placed in the registry as a trusted publisher. You can use the attached .reg file to do this after you have put the thumbprint of your own certificate in there.

There are others, but before I bombard you, what client OSes are likely to connect? They will connect without any of the prerequisites, but it might not be so seamless and you'll get a lot of prompts along the way.

Expert Comment by: pbrane (ID: 35154421)

Whoops, it would help if I actually attached the file!
Trused-Publisher.reg
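The trusted-publisher registry change pbrane mentions in his first comment and again here (the attached Trused-Publisher.reg is not reproduced on this page) can be applied with a script instead of a hand-edited .reg file. The following is an added example, not the file from the thread. It assumes two locations: the per-user PublisherBypassList that mstsc.exe itself writes to when a user ticks "Don't ask me again for connections from this publisher" (a DWORD named after the SHA1 thumbprint, value 0x4C), and the machine-wide TrustedCertThumbprints string behind the "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" policy. The thumbprint passed in is a placeholder; take the real one from the certificate's Details tab on the server.

```powershell
# Added example (not the thread's .reg file): register a RemoteApp signing certificate
# as a trusted .rdp publisher on a connecting client so signed .rdp files stop prompting.
# Assumptions: registry locations as described in the lead-in; run on the client, as the
# user for the HKCU part and as an administrator if -MachinePolicy is given.
param(
    [Parameter(Mandatory=$true)]
    [string]$Thumbprint,        # placeholder: SHA1 thumbprint of the signing certificate
    [switch]$MachinePolicy      # also write the HKLM policy value (needs admin rights)
)

# Normalise what certmgr shows (spaces/colons, mixed case) and refuse anything that is not
# a 40-hex-digit SHA1, so a typo does not silently trust the wrong (or no) publisher.
$clean = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
if ($clean -notmatch '^[0-9A-F]{40}$') {
    throw "Not a SHA1 thumbprint (expected 40 hex characters): '$Thumbprint'"
}

# 1. Per-user bypass list used by mstsc.exe for signed .rdp files.
#    Value name = thumbprint, DWORD 0x4C (what the client writes for "don't ask again").
$userKey = 'HKCU:\Software\Microsoft\Terminal Server Client\PublisherBypassList'
if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
New-ItemProperty -Path $userKey -Name $clean -PropertyType DWord -Value 0x4C -Force | Out-Null

# 2. Optional machine-wide policy equivalent: a comma-separated REG_SZ of thumbprints.
#    Merge with any existing list rather than overwriting other trusted publishers.
if ($MachinePolicy) {
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $polKey -Name TrustedCertThumbprints `
                    -ErrorAction SilentlyContinue).TrustedCertThumbprints
    $list = @()
    if ($existing) {
        $list = @($existing -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() } | Where-Object { $_ })
    }
    if ($list -notcontains $clean) { $list += $clean }
    New-ItemProperty -Path $polKey -Name TrustedCertThumbprints -PropertyType String `
        -Value ($list -join ',') -Force | Out-Null
}

# 3. Read back what is now trusted so the change can be verified (value names = thumbprints).
Get-ItemProperty -Path $userKey | Select-Object -Property * -ExcludeProperty PS* | Format-List
```

The equivalent .reg file is a single DWORD under the PublisherBypassList key named after the thumbprint. Whoever holds the private key of a trusted publisher can ship .rdp files that redirect the client's drives, clipboard and printers with no prompt at all, so only trust thumbprints read directly from the certificate on the server, never ones sent in an e-mail or pasted from a forum.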
Expert Comment by: pbrane (ID: 35154550)

Sorry, and missed from the summary:

3. You can use the same standard SSL certificate to sign your apps as well, in the Digital Signature tab, also found in the RemoteApp Manager snap-in.

Expert Comment by: pbrane (ID: 35154622)

Sorry one more thing to consider,

If you assign your certificate to the RDP connector of the Terminal Server instead of its default self-signed one, then when your users are connecting internally, unless your internal domain name is the same as your external domain name, and depending on how the RDP client is set up, they will get an error stating that the certificate contains a different name and asking whether they want to continue.

The only real way to get round this, if you don't have the same domain internally as externally, is to host your external DNS zone internally as well, copy all of your existing A records into the zone so they can still reach everything externally, and then get them to connect to the server using the external FQDN from inside the network as well.

I'm not sure of your technical level, so if I'm dribbling on, feel free to pull me over and ask about anything I've just said.

Thanks,  
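The name-mismatch warning described in the comment above can be predicted before anyone connects by reading which certificate the RDP-Tcp listener actually presents and comparing its names against every name users type. The script below is an added example, not part of the thread. It assumes it is run as an administrator on the 2008 R2 Session Host itself, that the listener is the default RDP-Tcp, and that the three hostnames in $ConnectNames are placeholders for the real internal short name, internal FQDN and external FQDN.

```powershell
# Added example (not from the thread): report the certificate bound to the RDP-Tcp
# listener on an RD Session Host and check which connection names will match it.
# Assumptions: run elevated on the RDSH; $ConnectNames are placeholder hostnames.
param(
    [string[]]$ConnectNames = @('ts01', 'ts01.corp.local', 'remote.example.com')
)

# The listener's certificate binding is exposed through the TerminalServices WMI namespace.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
if (-not $ts) { throw "RDP-Tcp listener not found; is this an RD Session Host?" }
$hash = $ts.SSLCertificateSHA1Hash
"RDP-Tcp listener thumbprint : $hash"

# Locate that certificate. The default self-signed one lives in LocalMachine\Remote Desktop,
# a CA-issued one assigned via RD Session Host Configuration normally in LocalMachine\My.
$cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1
if (-not $cert) { throw "Thumbprint $hash not found in any LocalMachine store" }
"Subject                     : $($cert.Subject)"
"Issuer                      : $($cert.Issuer)"
"Expires                     : $($cert.NotAfter)"
"Has private key             : $($cert.HasPrivateKey)"

# Collect every name the certificate is valid for: the CN plus any DNS subjectAltName.
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format($false) renders the SAN as "DNS Name=host1, DNS Name=host2"
    foreach ($part in ($san.Format($false) -split ',')) {
        if ($part -match 'DNS Name=(.+)') { $names += $Matches[1].Trim() }
    }
}
"Names in certificate        : $($names -join ', ')"

# Match the way the RDP client does: exact (case-insensitive) or a wildcard covering
# exactly one leftmost label. A short NetBIOS name never matches an FQDN-only cert.
function Test-CertName([string]$hostName, [string[]]$certNames) {
    foreach ($n in $certNames) {
        if ($n -ieq $hostName) { return $true }
        if ($n.StartsWith('*.')) {
            $pattern = '^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$'
            if ($hostName -imatch $pattern) { return $true }
        }
    }
    return $false
}

"`nConnection name             Result"
foreach ($h in $ConnectNames) {
    $result = if (Test-CertName $h $names) { 'OK' } else { 'MISMATCH: client will warn' }
    "{0,-28}{1}" -f $h, $result
}

# To bind a different certificate (it must be in LocalMachine\My with a private key):
# Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = '<thumbprint>' }
```

If the external FQDN is the only name that matches, the fix pbrane describes (serve the external zone internally and have everyone connect by that name) is what makes the internal connections clean; alternatively, get the certificate reissued with the internal FQDN as a subjectAltName if the CA will issue for a private name.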

Author Comment by: sifenwick (ID: 35157919)

Do I need a TS Gateway to use the system via
https://fqdn/rdweb ?
The idea is to enable users to connect via the website rather than port 3389.
If so then I need it, otherwise not.
Expert Comment by: pbrane (ID: 35158114)

Hi,

No, you don't need a gateway.

What happens is when you click an application icon, or the RDP icon, on the RDWeb page, the settings you have set up in the background actually open an RDP session in that manner, then present you with the seamless application or the RDP session.

So if you configure the server the way I stated in the first post, when a user clicks on an application or RDP icon, it will go through the Gateway, but they won't know anything about it.

If you configure it the way I stated in the Second post, it'll just connect using the normal 3389 in the background. Again the user can't see how it's connecting though.
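The "settings set up in the background" that pbrane refers to are simply the contents of the .rdp file RDWeb hands to the client, so whether a launch will go through the gateway on 443 or straight to 3389 can be read off that file. The script below is an added example, not from the thread or from Microsoft. The sample .rdp text is constructed for illustration with placeholder hostnames and a dummy signature; the gatewayusagemethod meanings are taken from the RDP client's settings as I understand them (0 = no gateway, 1 = always, 2 = only if a direct connection fails, 3 = use the client's default settings, 4 = bypass for local addresses) and should be checked against the client version in use.

```powershell
# Added example (not from the thread): parse a .rdp file as served by RDWeb or exported
# from RemoteApp Manager and report how the client will connect and whether it is signed.
# Assumptions: the sample below is constructed; hostnames and the signature are placeholders.
$sampleRdp = @'
full address:s:ts01.corp.local
remoteapplicationmode:i:1
remoteapplicationprogram:s:||wordpad
gatewayhostname:s:remote.example.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
signscope:s:Full Address,Gateway Hostname,Gateway Usage Method,RemoteApplicationMode,RemoteApplicationProgram
signature:s:AQABAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
'@

function Read-RdpSettings([string]$text) {
    # Each line is "name:type:value" where type s = string, i = integer, b = binary.
    $settings = @{}
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^([^:]+):([sib]):(.*)$') {
            $settings[$Matches[1].ToLowerInvariant()] = $Matches[3]
        }
    }
    return $settings
}

function Get-RdpConnectionPath($settings) {
    $target   = $settings['full address']
    $gwHost   = $settings['gatewayhostname']
    $gwMethod = 0
    if ($settings.ContainsKey('gatewayusagemethod')) { $gwMethod = [int]$settings['gatewayusagemethod'] }
    switch ($gwMethod) {
        0       { return "direct to $target on TCP 3389 (no gateway)" }
        1       { return "always via RD Gateway $gwHost on TCP 443, then to $target" }
        2       { return "direct to $target first, via RD Gateway $gwHost if that fails" }
        3       { return "whatever the client's default RD Gateway settings say" }
        4       { return "via RD Gateway $gwHost except for local addresses" }
        default { return "unknown gateway usage method $gwMethod" }
    }
}

function Get-RdpSignatureState($settings) {
    # Without a signature the client shows the "publisher cannot be identified" prompt,
    # which is the confirmation box the thread's trusted-publisher registry entry suppresses.
    if ($settings['signature']) { return "signed (scope: $($settings['signscope']))" }
    return 'unsigned: clients will show the unknown-publisher prompt'
}

$s = Read-RdpSettings $sampleRdp
"Target          : $($s['full address'])"
"RemoteApp       : $($s['remoteapplicationprogram'])"
"Connection path : $(Get-RdpConnectionPath $s)"
"Signature       : $(Get-RdpSignatureState $s)"
```

Run against a file saved from the RDWeb page (Get-Content -Raw on the .rdp), this shows exactly which of pbrane's two configurations is in effect: the first gives gatewayusagemethod 1 with the external FQDN as gatewayhostname, the second gives 0 with full address set to the name the certificate was issued for. The "second login" the question describes is the credential prompt for this inner RDP connection; promptcredentialonce and a trusted signature are what let SSO reuse the RDWeb credentials instead.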

Author Comment by: sifenwick (ID: 35158347)

Do I have to uninstall the TS Gateway role for this to no longer apply?
Expert Comment by: pbrane (ID: 35158993)

Hi,

No, you just don't use it in any configuration and it'll just sit there and do nothing.
Author Closing Comment by: sifenwick (ID: 35161172)

Thanks for all your time on this.