seniorcaretech
asked on
RD Farm Setup
Hello,
We are starting with 3 servers.
1 for the RD Licensing; RD Connection Broker; RD Gateway
2 for the RD Session Host; and RD Web Access
4 additional servers are planned to be added to the 2 within 5 months
Goals: To let users inside of the corporation connect via Remote App with an RDP icon or RD Web Access.
To let users externally connect to a full desktop or RD Web Access.
I followed the following article and that helped alot. http://aaronwalrath.wordpr
I have our farm named RDFarm , I am doing DNS currenlty and no NLB.
Questions:
Do users outside go straight to the farm or can they to be routed through the Broker/Gateway Server? Currently I can connect to the full desktop from the outside via RDP icon.
Second I am confused as all get out about the certificates. I have it self signed on the RD Farm and signed by GoDaddy for the Broker/Gateway server. For some reason I get certificate erros saying not trusted. Even when using a domain laptop windows 7 connection I can not take advantage of Remote App and Desktop connections. It tells me the remote computer cannot be configured due to problems with security cert.
Thanks,
We are starting with 3 servers.
1 for the RD Licensing; RD Connection Broker; RD Gateway
2 for the RD Session Host; and RD Web Access
4 additional servers are planned to be added to the 2 within 5 months
Goals: To let users inside of the corporation connect via Remote App with an RDP icon or RD Web Access.
To let users externally connect to a full desktop or RD Web Access.
I followed the following article and that helped alot. http://aaronwalrath.wordpr
I have our farm named RDFarm , I am doing DNS currenlty and no NLB.
Questions:
Do users outside go straight to the farm or can they to be routed through the Broker/Gateway Server? Currently I can connect to the full desktop from the outside via RDP icon.
Second I am confused as all get out about the certificates. I have it self signed on the RD Farm and signed by GoDaddy for the Broker/Gateway server. For some reason I get certificate erros saying not trusted. Even when using a domain laptop windows 7 connection I can not take advantage of Remote App and Desktop connections. It tells me the remote computer cannot be configured due to problems with security cert.
Thanks,
gheist
What do you mean? http://acronyms.thefreedictionary.com/RD
ASKER
RD or Remote Desktop It is called RDS now correct no longer Terminal Services.
I will edit to be RDS
I will edit to be RDS
ASKER
I guess you can not edit the title after the first comment. Oh well, RD would be Remote desktop services farm or Terminal Services Farm.
Thanks
Ray
Thanks
Ray
Basically your setup is valid.
Where do you get cert errors? On web connection or native connection?
Where do you get cert errors? On web connection or native connection?
ASKER
If I am configuring my firewall do I have it route directly to the farm for TSWeb or do I need to setup or configure something on my gateway firewall server?
On the Certificate, I get the error message issued by local(servername).domain.l
This CA root certificate is not trusted.
I have it correct everywhere I can look. I get this every time on the server or remote PC.
So yes Web connection.
On the Certificate, I get the error message issued by local(servername).domain.l
This CA root certificate is not trusted.
I have it correct everywhere I can look. I get this every time on the server or remote PC.
So yes Web connection.
Did you set the RDP-tcp listener on the RDS Session Hosts to use the proper certificate? Out of the box it will use the self signed one.
Launch the RDS Session Host management tool and you will see the RDP-tcp listener right there.
Double click it and you will see where to choose the certificate to be presented.
Cláudio Rodrigues
Citrix CTP
Microsoft MVP - RDS
Launch the RDS Session Host management tool and you will see the RDP-tcp listener right there.
Double click it and you will see where to choose the certificate to be presented.
Cláudio Rodrigues
Citrix CTP
Microsoft MVP - RDS
ASKER
I checked just now and both servers are rdfarm.domain.local from the local DC Server.
I also rechecked both RemoteApp Managers. The correct one is chosen there as well.
I also rechecked both RemoteApp Managers. The correct one is chosen there as well.
In this case:
- Do you have the root CA certificate for your internally issued certificated on all client machines as a trusted certificate?
- Did you get the certificate thumbprint and then pushed that as a policy (the thumbprint hash) or registry key to all the PCs relying on that certificate? Explained in these two articles:
http://morgansimonsen.wordpress.com/2011/03/21/sha1-thumbprints-for-trusted-rdp-publishers/
http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
Cláudio Rodrigues
Citrix CTP
Microsoft MVP - RDS
- Do you have the root CA certificate for your internally issued certificated on all client machines as a trusted certificate?
- Did you get the certificate thumbprint and then pushed that as a policy (the thumbprint hash) or registry key to all the PCs relying on that certificate? Explained in these two articles:
http://morgansimonsen.wordpress.com/2011/03/21/sha1-thumbprints-for-trusted-rdp-publishers/
http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
Cláudio Rodrigues
Citrix CTP
Microsoft MVP - RDS
ASKER
Yes I have the CA cert internally issued by the domain controller. Which should let all domain PC's know it is trusted from my readings is this not correct?
I did read the articles and they might solve the issue. If I were to go with someone like Godaddy could I get a cert for an internal domain name? Then I would not have to do the push and scripting.
I did read the articles and they might solve the issue. If I were to go with someone like Godaddy could I get a cert for an internal domain name? Then I would not have to do the push and scripting.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Your solution was the closest and you made a good suggestion. The problem ended up being the servers initially do their own cert and you have to change it in the IIS manager which is the info I attached.
Problem
========
Remote Desktop Farm Certificate problem.
Cause
======
IIS console setting.
Solution
=====================
1. Log on to SC43 and open the IIS Manager console.
2. Explore to the rdweb site. Right click the site name and select Edit Bindings from the menu.
3. Highlight the HTTPS entry, then click Edit button to verify the current SSL certificate.
4. Ensure the rdfarm.sc.local certificate is selected. We could click View button to check the certificate.
Problem
========
Remote Desktop Farm Certificate problem.
Cause
======
IIS console setting.
Solution
=====================
1. Log on to SC43 and open the IIS Manager console.
2. Explore to the rdweb site. Right click the site name and select Edit Bindings from the menu.
3. Highlight the HTTPS entry, then click Edit button to verify the current SSL certificate.
4. Ensure the rdfarm.sc.local certificate is selected. We could click View button to check the certificate.