Solved

RD Farm Setup

Posted on 2011-04-28
2,610 Views
Last Modified: 2013-11-21
Hello,
We are starting with 3 servers:
1 for the RD Licensing, RD Connection Broker and RD Gateway
2 for the RD Session Host and RD Web Access
4 additional servers are planned to be added to the 2 within 5 months.
Goals: To let users inside of the corporation connect via RemoteApp with an RDP icon or RD Web Access.
To let users externally connect to a full desktop or RD Web Access.
I followed the following article and that helped a lot: http://aaronwalrath.wordpress.com/2010/05/28/configuring-windows-2008-r2-remote-desktop-farm-with-connection-broker/
I have our farm named RDFarm, I am doing DNS currently and no NLB.
Questions:
Do users outside go straight to the farm, or can they be routed through the Broker/Gateway server? Currently I can connect to the full desktop from the outside via RDP icon.
Second, I am confused as all get out about the certificates. I have it self-signed on the RD Farm and signed by GoDaddy for the Broker/Gateway server. For some reason I get certificate errors saying not trusted. Even when using a domain laptop Windows 7 connection I can not take advantage of RemoteApp and Desktop Connections. It tells me the remote computer cannot be configured due to problems with the security cert.
Thanks,
12 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 35490528

Author Comment

by:seniorcaretech
ID: 35490554
RD or Remote Desktop. It is called RDS now, correct? No longer Terminal Services.
I will edit to be RDS.

Author Comment

by:seniorcaretech
ID: 35490568
I guess you can not edit the title after the first comment. Oh well, RD would be Remote desktop services farm or Terminal Services Farm.
Thanks
Ray
LVL 62

Expert Comment

by:gheist
ID: 35490658
Basically your setup is valid.
Where do you get cert errors? On web connection or native connection?

Author Comment

by:seniorcaretech
ID: 35491947
If I am configuring my firewall, do I have it route directly to the farm for TSWeb, or do I need to set up or configure something on my gateway firewall server?
On the certificate, I get the error message: issued by local(servername).domain.local and issued to server.domain.local, valid for 6 months.
This CA root certificate is not trusted.
I have it correct everywhere I can look. I get this every time on the server or remote PC.
So yes, web connection.
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 35506455
Did you set the RDP-tcp listener on the RDS Session Hosts to use the proper certificate? Out of the box it will use the self signed one.
Launch the RDS Session Host management tool and you will see the RDP-tcp listener right there.
Double click it and you will see where to choose the certificate to be presented.

Cláudio Rodrigues
Citrix CTP
Microsoft MVP - RDS

Author Comment

by:seniorcaretech
ID: 35507394
I checked just now and both servers are rdfarm.domain.local from the local DC Server.
I also rechecked both RemoteApp Managers.  The correct one is chosen there as well.
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 35507940
In this case:
- Do you have the root CA certificate for your internally issued certificates on all client machines as a trusted certificate?
- Did you get the certificate thumbprint and then push that as a policy (the thumbprint hash) or registry key to all the PCs relying on that certificate? Explained in these two articles:
http://morgansimonsen.wordpress.com/2011/03/21/sha1-thumbprints-for-trusted-rdp-publishers/
http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx

Cláudio Rodrigues
Citrix CTP
Microsoft MVP - RDS

Author Comment

by:seniorcaretech
ID: 35787485
Yes, I have the CA cert internally issued by the domain controller, which from my readings should let all domain PCs know it is trusted. Is this not correct?
I did read the articles and they might solve the issue. If I were to go with someone like GoDaddy, could I get a cert for an internal domain name? Then I would not have to do the push and scripting.
LVL 31

Accepted Solution

by:
Cláudio Rodrigues earned 2000 total points
ID: 35787742
Yep, if you get it from a major certificate authority (Entrust, GoDaddy, etc.) there will be no need for pushing the CA root. And yes, you can get that for an internal name, I am sure.

Cláudio Rodrigues
Citrix CTP
Microsoft MVP - RDS

Assisted Solution

by:seniorcaretech
seniorcaretech earned 0 total points
ID: 36505549
It turns out all of my external certs were correct. You have to go in and change the internal settings for it to work correctly.

Problem
========
Remote Desktop Farm certificate problem.

Cause
======
IIS console setting.

Solution
========
1. Log on to SC43 and open the IIS Manager console.
2. Explore to the rdweb site. Right-click the site name and select Edit Bindings from the menu.
3. Highlight the HTTPS entry, then click the Edit button to verify the current SSL certificate.
4. Ensure the rdfarm.sc.local certificate is selected. We could click the View button to check the certificate.
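The check behind the solution above and Cláudio's RDP-Tcp listener comment, as an added example that is not code from this thread or from Microsoft: it reports which certificate the RDWeb HTTPS binding and the RDP-Tcp listener actually present on an RDS server, and whether each one carries the farm name and chains to a trusted root. It assumes the farm FQDN rdfarm.sc.local from the accepted solution and the IIS WebAdministration module on a Windows Server 2008 R2 host.

```powershell
# Added example, not code from this thread or from Microsoft. Audits which certificate the
# RD Web Access HTTPS binding and the RDP-Tcp listener actually present on a Server 2008 R2
# RDS host, and checks each against the farm name. Assumes the farm FQDN rdfarm.sc.local from
# the accepted solution and the WebAdministration module; run elevated on each RDS server.
param([string]$ExpectedName = 'rdfarm.sc.local')

Import-Module WebAdministration   # provides the IIS: drive used below

function Test-RdsCert {
    param([string]$Thumbprint, [string]$Role)
    # Issued certs live in the My store; the default self-signed RDP cert in "Remote Desktop".
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
            Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) {
        return New-Object PSObject -Property @{ Role = $Role; Subject = '(thumbprint not found)' }
    }
    # Subject Alternative Name (OID 2.5.29.17) is where a farm name usually appears.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $pattern = [regex]::Escape($ExpectedName)
    New-Object PSObject -Property @{
        Role         = $Role
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        NameMatches  = ($cert.Subject -match $pattern) -or ($sanText -match $pattern)
        ChainTrusted = $cert.Verify()   # chain builds to a root this machine trusts
    }
}

$results = @()

# 1. HTTPS binding used by the RDWeb site (what browsers and the RemoteApp feed see).
foreach ($b in Get-ChildItem -Path IIS:\SslBindings | Where-Object { $_.Port -eq 443 }) {
    $results += Test-RdsCert -Thumbprint $b.Thumbprint -Role "IIS https $($b.IPAddress):443"
}

# 2. RDP-Tcp listener certificate (what mstsc sees). Out of the box this is the self-signed one.
$rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                     -Filter "TerminalName='RDP-Tcp'"
$results += Test-RdsCert -Thumbprint $rdp.SSLCertificateSHA1Hash -Role 'RDP-Tcp listener'

# A row with SelfSigned=True or NameMatches=False is the certificate the clients complain about.
$results | Format-Table Role, Subject, SelfSigned, NameMatches, ChainTrusted, NotAfter -AutoSize
```

A row whose ChainTrusted is False on the server but True on a domain client (or the reverse) points at a missing root in that machine's trust store rather than at the binding.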

Author Closing Comment

by:seniorcaretech
ID: 36527940
Your solution was the closest and you made a good suggestion. The problem ended up being that the servers initially do their own cert and you have to change it in the IIS Manager, which is the info I attached.