Solved

Buying ssl for 2008 terminal server

Posted on 2011-09-06
226 Views
Last Modified: 2012-05-12
I am purchasing an SSL cert for my 2008 terminal server (it currently has a self-signed one) and was wondering how I should address it?
The outside address users connect to is mail.mydomain.com; however, the machine name is ABC-TS.

So do I need to purchase an SSL for abc-ts.mydomain.com and keep the mail. the same, or do I need to add an A record and have my users connect to abc-ts.mydomain.com?
Or am I completely wrong and it needs to be addressed to my internal domain?

Thanks!
Question by: InnovateAll
5 Comments

Accepted Solution by Shmoid (LVL 8), earned 250 total points
Your CN on the certificate should match the address your users hit. In your example, mail.mydomain.com. So, if your external users (or users who are remote) are currently accessing your TS gateway at mail.mydomain.com, that is what should be on the certificate.

Take a look at the certificate requirements for TS gateway here: http://technet.microsoft.com/en-us/library/cc731264(WS.10).aspx   Scroll a little less than halfway down to see the requirements.

Assisted Solution by HostOne (LVL 4), earned 250 total points
You also need to ensure that not only does the certificate name match the address the users are going to, but it also matches the name the TS believes itself to be.

I am in no way advertising here, but I would just buy a cheap cert for around $50 from a place that sounds a lot like yodaddy.com (but starts with a g instead of a y), matched to the name of your server. Then make sure the "real world" has a DNS record so users can go to ABC-TS.mydomain.com, and now the name on the cert, the DNS and the server all match.

Also make sure *inside* your network the name functions (you may need to create a "fake" internal DNS record so ABC-TS.mydomain.com internally points to your internal IP instead of the external one). This way, you won't have issues with users who are inside the network or who access it both internally and externally.

I've done this on about 10 TS boxes this year and these cheap certs work fine.

Assisted Solution by Shmoid (LVL 8), earned 250 total points
I hate to disagree with HostOne but I'm afraid I must as most of his/her comments are incorrect.

First, a certificate can have only 1 Common Name (CN). So you cannot, as quoted by HostOne:

"...ensure that not only does the certificate name match the address the users are going to but it also matches the name the TS believes itself to be."

The server could care less what its name is. That is the point of DNS. You could have 10 names associated with a single IP on a single server. All the traffic would still get there correctly.

Even so, if you want your users to access this server using more than one name, you can have a Subject Alternate Name (SAN) added to the certificate. In fact, you can add as many hostnames / URLs as you wish with SANs. Keep in mind that it adds expense unnecessarily because SAN certs cost more. Having said that, if you want to use ABC-TS.mydomain.com, then by all means add the A record, buy your cert with that name and have your users hit that address instead. However, since the name currently used is mail., I'm guessing you are running OWA as well or allowing users to get to mail in some fashion. You may want to use SSL for that too. If so, you kill two birds with one stone by using that name on the cert.

Second, why would anyone hit your TS Gateway from inside when they can just RDP directly to whatever server they need to access? Plus, there is no need to create a "fake" DNS record for ABC-TS.mydomain.com; there is already a real one. The server registers itself with internal DNS automatically. Even if it didn't, an internal call to that server would resolve via broadcast anyway. Unless something is broken or not working correctly, you don't have to worry about someone on the internal network being directed to the external IP.
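To make the CN-versus-SAN point above concrete, here is an added example (not code from the thread or from Microsoft) of the name-matching rule a TLS client applies to a certificate, run against constructed certificate structures in the shape Python's ssl.getpeercert() returns. The hostnames mail.mydomain.com, abc-ts.mydomain.com and ABC-TS come from the question; the certificates themselves are constructed samples.

```python
"""Hostname-vs-certificate matching as a TLS client applies it (RFC 6125 rules).

The certificate dicts below are constructed samples in the shape returned by
ssl.getpeercert(); they are not certificates from the original thread.
"""
from typing import Dict, List


def names_from_cert(cert: Dict) -> List[str]:
    """Return the DNS names a client will accept for this certificate.

    If the certificate carries any DNS subjectAltName entries they are
    authoritative and the Common Name is ignored; the CN is consulted only
    as a fallback when no SAN is present.
    """
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, case-insensitively.

    A wildcard is honoured only as the entire leftmost label (*.mydomain.com),
    so it covers abc-ts.mydomain.com but neither mydomain.com nor a.b.mydomain.com.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """True if the client would accept `cert` for a connection to `hostname`."""
    return any(name_matches(n, hostname) for n in names_from_cert(cert))


# Constructed sample: the single-CN certificate the accepted answer recommends.
CN_ONLY_CERT = {"subject": ((("commonName", "mail.mydomain.com"),),)}
# Constructed sample: the same certificate with a SAN added for the server's FQDN.
SAN_CERT = {
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "subjectAltName": (("DNS", "mail.mydomain.com"), ("DNS", "abc-ts.mydomain.com")),
}

if __name__ == "__main__":
    for label, cert in (("CN-only", CN_ONLY_CERT), ("CN+SAN", SAN_CERT)):
        for host in ("mail.mydomain.com", "abc-ts.mydomain.com", "ABC-TS"):
            print(f"{label:7} {host:22} -> {hostname_matches(cert, host)}")
```

Note that the bare machine name ABC-TS matches neither certificate, which is the mismatch warning users see when a saved RDP file points at the short name rather than the FQDN on the cert.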

Assisted Solution by HostOne (LVL 4), earned 250 total points
Sorry Shmoid, perhaps I wasn't clear enough. I meant to match the TS name to the DNS name and the SSL (i.e. all 3 should be the same).

The reason why people may use it inside the LAN is because they may wish to use the same saved RDP icon to connect from their laptop, regardless of where they are. So they may wish to use the same name and SSL regardless of where they are. If the SSL is different externally (to the gateway) and internally (direct to the RDS), then their client will inform them the SSL has changed every time they connect, and then they will complain. *That's* why you want to connect them to the same server and SSL, regardless of their location.

Expert Comment by Shmoid (LVL 8)
No need to be sorry, but I'm afraid I must still respectfully disagree.

It doesn't matter if the hostname and DNS names match. It is simply irrelevant. Further, if you are accessing a server from inside you would not go through the TS Gateway (unless perhaps an admin wanted to do something on the TS Gateway server). Even then, from the inside it would not use the SSL cert at all. RDP is encrypted natively. You can RDP to a brand new server with no certificates on it at all. That is not to say that it can't be set up for SSL, but it is not by default, and to turn it on both the host server and the client computer must be correctly configured for SSL/TLS to provide the enhanced security.

Since the original poster has closed this question I won't beat it to death.