Remote Desktop Farm _ SSL Certificate

Posted on 2011-04-28
Medium Priority | 2,460 Views | Last Modified: 2012-05-11
We currently have set up 1 Remote Desktop Gateway server and 3 Remote Desktop Session Host servers (RDSH11, RDSH12, RDSH13). The Remote Desktop Gateway server is also the Connection Broker and Remote Desktop Redirector. We purchased an SSL certificate from GoDaddy and installed it on the Remote Desktop Gateway server. It is remote.publicdomain.com. It is set up.

My question is: when a user outside of the network connects to the Remote Desktop Gateway, it goes through and the redirector connects it to a Session Host server, either RDSH11, RDSH12, or RDSH13, but when it redirects I get an SSL warning for RDSH11.domain.local. Do I have to add an SSL certificate to each Session Host server as well?
Question by:LeviDaily
14 Comments
 
LVL 5

Expert Comment

by:oneitnz
ID: 35488398
Hi LeviDaily

Firstly, have you configured your RD Session Hosts to all be members of an RD Farm? If so, you would have an RD Farm DNS Name, and you should set up your clients to connect to the Farm Name. This is what will actually load balance your connections.

From what I understand from your post, you have the Gateway and Connection Broker working fine, but I'm guessing you're entering the internal computer name of one of the RD Session Hosts in the Remote Desktop Client. You should be connecting to the RD Farm DNS Name, and you'll need a cert for that.

Regards
Brett Smith
One IT
www.oneit.co.nz
 
LVL 2

Author Comment

by:LeviDaily
ID: 35493935
Thank you for replying!

I have configured the servers RDSH11, RDSH12, RDSH13 to be part of the farm remote.domain.local. For the Gateway, I purchased a GoDaddy SSL certificate for remote.domain.com and installed it on my Gateway server RDGW01.

When I remote desktop to the farm remote.domain.local with my gateway settings, it redirects me to one of the Session Host servers. It gives me an SSL warning once it directs me to RDSH11, RDSH12, or RDSH13. Do I need to purchase an SSL certificate for each of the Session Host servers?
 
LVL 5

Expert Comment

by:oneitnz
ID: 35494924
Right, in that case yes, you probably do need a cert for them. Normally I purchase a UCC certificate, which can give you 5 different hostnames on the same cert, so you can use the same one on all computers. I think it's cheaper than buying individual ones, and it also allows you to have any host name you want, including internal names. So for your scenario you could have a UCC cert like this:

Main Domain: remote.publicdomain.com
Secondaries: remote.domain.local
             rdsh11.domain.local
             rdsh12.domain.local
             rdsh13.domain.local

By the way, if you need more than 5 you can get those too.

Regards
Brett Smith

 
LVL 2

Author Comment

by:LeviDaily
ID: 35494945
Thank you!! So I will purchase an SSL certificate for each, since GoDaddy has a $12.99 a year deal going. Last question: how do I generate an SSL request on the Remote Desktop Session Host servers without using IIS? I tried the Certificates MMC, but it gives me a weird Active Directory Enrollment Policy error. Maybe I should install IIS on each server?
 
LVL 5

Expert Comment

by:oneitnz
ID: 35495402
I have a feeling you'll run into problems this way; I doubt whether GoDaddy will issue a cert to an internal domain name. That's why I suggested going for the UCC cert.

You can always try with GoDaddy, though; I'm not sure if they allow internal domain names or not.
Just do the cert request from your IIS server; don't go installing IIS on all your RDSH servers.

When you supply the Common Name for the cert, enter the rdsh11.domain.local name. Send it off to GoDaddy and see if they approve it.

Then, if they issue you the cert, just import each one into each RDSH server.
 
LVL 5

Expert Comment

by:oneitnz
ID: 35502133
Hi LeviDaily

Have you managed to get this to work yet? I have found that you shouldn't need a cert for each RDSH host; you just need to assign the Farm's cert to each host.

In Server Manager
Expand Remote Desktop Services
Click RD Session Host Configuration
Double Click the RDP-tcp Connection Name on the Right Panel
At the bottom of the RDP-Tcp Properties window click Select
Choose the remote.domain.local Cert that you get from GoDaddy
Do this on all Farm RDSH Servers

Of course, you'll need to make sure that you've installed the cert from GoDaddy on the servers first; otherwise it won't show up when you click Select.

Regards
Brett
 
LVL 2

Author Comment

by:LeviDaily
ID: 35502173
I will try that. How do I install the cert on each Remote Desktop server and make it available?
 
LVL 5

Expert Comment

by:oneitnz
ID: 35502253
Start - Run - MMC - Enter
File - Add/Remove Snap-in
Double Click Certificates - Select Computer Account - Next - Local Computer - Finish
OK
Expand - Certificates - Personal - Certificates
Right Click Certificates - All Tasks - Import...
Next - Select the Cert from GoDaddy - Next - Next - Finish
You should now be able to select it in the RDSH Configuration.
 
LVL 2

Author Comment

by:LeviDaily
ID: 35691168
Ok. Here is what is crazy. I followed the instructions above, and Certificates > Personal doesn't have a folder called Certificates?
 
LVL 2

Author Comment

by:LeviDaily
ID: 35691200
Never mind. I was able to import the SSL certificate, but when I go to select it, it says "There are no certificates installed on this Remote Desktop Session Host server."
 
LVL 5

Accepted Solution

by:
oneitnz earned 2000 total points
ID: 35694688
You need to be sure you've selected Computer Account and Local Computer.
Then you'll see Certificates > Personal.

Please take a look at this image from my test RDSH host and you'll see what I mean.
[Image: RDSH SSL Certs Install]
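As an added example, not code from the thread or from either poster, this PowerShell script does on an RD Session Host what the MMC steps above describe: it imports the exported PFX into the computer's Personal store (Cert:\LocalMachine\My, the store the snap-in shows only when Computer Account / Local Computer is chosen) and then binds that certificate to the RDP-Tcp listener, which is what the Select button in RD Session Host Configuration writes. The PFX path is an assumption; run it elevated on each RDSH server.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on each
# RD Session Host. $PfxPath is an assumed location for the PFX exported from RDGW01.
$PfxPath = 'C:\certs\remote.domain.local.pfx'
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# Load the PFX with MachineKeySet so the private key lands in the computer's key
# store, then add it to LocalMachine\My. That store is what the MMC shows as
# Certificates > Personal > Certificates under Computer Account / Local Computer;
# a cert imported into CurrentUser\My is invisible to the RDP-Tcp "Select" dialog.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor `
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($PfxPath, $PfxPass, $flags)
if (-not $cert.HasPrivateKey) { throw 'PFX has no private key; re-export it from the gateway with the key included.' }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Show which names the cert covers (Subject Alternative Name, OID 2.5.29.17) so
# the farm name and each host name can be checked before binding it.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
Write-Host "Subject:    $($cert.Subject)"
Write-Host "SAN:        $(if ($san) { $san.Format($false) } else { '(none)' })"
Write-Host "Thumbprint: $($cert.Thumbprint)"

# Bind the cert to the RDP-Tcp listener. SSLCertificateSHA1Hash is the same value
# the RD Session Host Configuration "Select" button stores.
$ns = 'root\cimv2\TerminalServices'
$listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$listener.SSLCertificateSHA1Hash = $cert.Thumbprint
[void]$listener.Put()

# Verify by reading the setting back rather than trusting Put().
$after = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($after.SSLCertificateSHA1Hash -ne $cert.Thumbprint) { throw 'RDP-Tcp listener still uses a different certificate.' }
Write-Host "RDP-Tcp on $env:COMPUTERNAME now presents $($cert.Subject)"
```

If the SAN line does not list the farm name and every RDSH host name, clients redirected to that host will still see the name-mismatch warning described in the question.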
 
LVL 2

Author Comment

by:LeviDaily
ID: 35708943
Thank you for all your help. I purchased a SAN certificate with every name of every server in my environment. I installed it on the Gateway server, exported it, and then installed it on every RD Session Host server. All is well. Thank you very much for your help.

The only problem I am having is that it takes about 1 minute when I run Remote Desktop to actually remote me into a Session Host. Not seeing any issues, except for an extremely long amount of time. I can post another question as well.
 
LVL 5

Expert Comment

by:oneitnz
ID: 35714623
I have also seen this before with RemoteApp programs in an RD Farm configuration.
I believe this may be normal, but post another question and I'll do some tests here and see if I experience the same issues.