Solved

RD Gateway

Posted on 2011-09-20
37
897 Views
Last Modified: 2012-08-13
Hello,
We've set up RD services on a test server here, all of the roles bar virtualisation installed onto one server. I've set up an application to get the desktop in remote app services. The problem we have is that I get an RD Gateway error on running this application, even if it's run on a client in the internal network. Further complication is that for external users, they are pointing to a forwarding domain name which is not the same as the internal FQDN of the RD server, which I suspect is confusing the certificates which I'm creating from the server. Any help gratefully received!!!!
Question by:sidnuts
37 Comments
 
LVL 12

Expert Comment

by:xmlmagician
ID: 36565682
Could you pose the error please?
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36565834
From what you've said, it does sound like a potential certificate error.

I would buy a public SAN (Subject Alternative Name) certificate (also known as a UC (Unified Communications) Certificate).

This allows you to put the external FQDN on, plus any internal/alternative names. All on a single certificate.

GoDaddy do them dirt cheap, as do certificatesforexchange.com
0
 

Author Comment

by:sidnuts
ID: 36565882
Hi there, thanks for the comments. Have attached the error message as a jpeg. Unfortunately we're a school, so cost is a bit of an issue regarding the certificate. Is there any way I can test to know for certain that it's a certification issue? Sorry to whinge!!!
Untitled.jpg
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36565896
Well that looks more like a DNS issue.

Does that error occur internally?

Can you resolve the address via nslookup?

The reason I suggested GoDaddy or certificatesforexchange.com is because they're cheap - last one I got was less than US$70.
0
 
LVL 12

Expert Comment

by:xmlmagician
ID: 36565944
That was my next question as well. Is everything working okay from the inside?
0
 

Author Comment

by:sidnuts
ID: 36565972
Yes, I get it from an internal client as well. Colour me stupid, but I'm a bit of a noob at this. Do I do the nslookup from the external client to the outward facing address of the RD server?
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36565979
No problems - we all start somewhere.

First things first, let's get the internal bits working.

From a command prompt, type:

nslookup andy.ashgrove.int
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36565982
Sorry - run that command from an internal workstation (on the LAN) that can't connect.
0
 

Author Comment

by:sidnuts
ID: 36566010
I'm getting "DNS request timed out".

Incidentally, I should have added that if I try and connect to the desktop using the remote desktop tab of RDweb (ie: not the remote app desktop connection), I can only connect (internally) using the IP address of the RDweb server, not the computer name.  Apologies if this opens up another can of worms, though I can live with just inputting the IP address.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36566025
No apologies needed.

You won't be able to use IP addresses and connect externally. It will have to be a name.

I need to ask a bit more, I'm afraid, but certainly there's a picture forming.

You cannot resolve the name - this is a DNS issue.

What supplies your DNS? Do you have a server hosting it?

Again - if, from a command prompt, you just type nslookup it'll tell you which server it is using.

What you don't want to see, really, is it being the DSL router (some can do internal DNS but most don't).

Can you tell us your DNS servers?
0
 
LVL 12

Expert Comment

by:xmlmagician
ID: 36566031
It seems like a DNS issue; what is your DNS setup? I think if we resolve your DNS issue that would solve your problem.
0
 
LVL 12

Expert Comment

by:xmlmagician
ID: 36566036
@tony1044 I assume that you clicked submit as I was typing mine :)
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36566044
I'm a quick typer ;-)
0
 

Author Comment

by:sidnuts
ID: 36566056
Many thanks for your patience. Our local server is the DNS server for our network, but our LEA is technically our ISP. We've been given the IP of 10.0.100.254 and 253 as our DNS servers, and 10.0.100.254 is the address given in the return for nslookup. It read thusly:

DNS request timed out
        timeout was 2 seconds
Server:     UnKnown
Address:    10.0.100.254

then four instances of DNS request timed out, timeout 2 secs, etc.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36566077
Ok - so, you are using the default gateway as the DNS server?

Not knowing what kit the LEA provided, I'm not sure if it will do internal lookups.

Can you try something for me please?

Again, at the command prompt, can you try:

nslookup ashgrove.int

And from the RD server, from a command prompt (you may have to right-click "Command Prompt" in accessories and choose run as administrator) run the following:

ipconfig /registerdns

Then from the test workstation command prompt:

ipconfig /flushdns
nslookup andy.ashgrove.int

0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36566080
Oh and of course - one major thing I didn't think to ask - your RDS server IS called Andy?
0
 

Author Comment

by:sidnuts
ID: 36566129
Ummmm, yeah. Guess what my name is too! They're pretty loose on naming conventions in school! Ran the nslookup for the domain. Got the same result as before. Ran the registerdns on the RD server, it showed the attachment. Flushed the DNS locally, re-ran nslookup for the RD server and got the same result as before.
registerdns.jpg
0
 

Author Comment

by:sidnuts
ID: 36566192
BTW, our gateway internally is down as 10.35.8.1, not sure if that casts any light on the situation.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36566201
Ok.

One more thing to try.

I'm assuming that ashgrove.int is an internal active directory domain?

Can you run nslookup again.

This time, type:

server xxx.xxx.xxx.xxx
ashgrove.int

And then:

andy.ashgrove.int

Where xxx.xxx.xxx.xxx is the IP address of the domain controller?

What I think is happening, is that the DNS server being used is not configured to resolve addresses on the LAN, but if you have active directory then the chances are the domain controller(s) will be configured as DNS server(s).

If that last nslookup works, then can you edit the network adapter properties and change the DNS server entry to point to the domain controller IP address and try the RD connection again?
0
 

Author Comment

by:sidnuts
ID: 36566236
OK, run this from the client or the RDserver? And would it be
"nslookup 10.35.10.195.ashgrove.int" where 10.35.10.195 is our PDC?
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36566244
Sorry - from the client.

nslookup
server 10.35.10.195
ashgrove.int
andy.ashgrove.int

Each line being a separate command.
0
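The nslookup sequence above (query the configured server, then query the domain controller directly) can be scripted so the comparison is made in one pass. The following is an added example and not code posted in this thread; it assumes a client running Windows 8 / Server 2012 or later, where Resolve-DnsName and Get-DnsClientServerAddress exist. The names and the domain controller address are the ones given in the thread; change them for another network.

```powershell
# Added example (not from the thread): compare how the client's currently configured
# DNS servers and the domain controller resolve the RD server name and the AD domain.
# Assumes Windows 8 / Server 2012 or later (Resolve-DnsName, Get-DnsClientServerAddress).
# Names and DC address are those mentioned in the thread; adjust for your network.

$RdServerFqdn = 'andy.ashgrove.int'
$AdDomain     = 'ashgrove.int'
$DcAddress    = '10.35.10.195'

function Test-NameOnServer {
    param([string]$Name, [string]$Server)
    try {
        # -DnsOnly skips the hosts file and NetBIOS so the answer reflects that server alone
        $records = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        $ips = ($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
        [pscustomobject]@{ Name = $Name; Server = $Server; Result = 'OK';   Detail = $ips }
    } catch {
        [pscustomobject]@{ Name = $Name; Server = $Server; Result = 'FAIL'; Detail = $_.Exception.Message }
    }
}

# DNS servers currently set on the client's IPv4 adapters (the 10.0.100.254 gateway in the thread)
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique

$servers = @($configured) + $DcAddress | Select-Object -Unique
$results = foreach ($srv in $servers) {
    Test-NameOnServer -Name $AdDomain     -Server $srv
    Test-NameOnServer -Name $RdServerFqdn -Server $srv
}
$results | Format-Table -AutoSize

# Verdict: if the DC answers but the configured servers do not, the client is pointed
# at a DNS server that does not host the internal zone (the situation in this thread).
$dcOk   = ($results | Where-Object { $_.Server -eq $DcAddress -and $_.Result -eq 'OK' }).Count -eq 2
$cfgBad = ($results | Where-Object { $_.Server -ne $DcAddress -and $_.Result -eq 'FAIL' }).Count -gt 0
if ($dcOk -and $cfgBad) {
    Write-Warning "Internal names resolve only via the DC ($DcAddress); point the client's DNS (or DHCP scope option 006, DNS Servers) at the DC."
} elseif (-not $dcOk) {
    Write-Warning "The DC at $DcAddress did not resolve the internal names; check the AD-integrated DNS zone on the DC."
}
```

Run it from an internal workstation that cannot open the RD Web site. A table showing FAIL for the gateway address and OK for the DC reproduces the diagnosis reached in the thread; a FAIL from the DC as well means the zone itself needs attention before any client-side DNS change will help.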
 

Author Comment

by:sidnuts
ID: 36566289
OK, got the following from the client on the LAN:

nslookup.jpg
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36566351
Now we're cooking.

You need to set your DNS servers up to be the domain controller in the network card settings.

Then try browsing to the RDWeb site again (internally)
0
 

Author Comment

by:sidnuts
ID: 36566354
The settings on the client NIC? Again, apologies for the denseness and apologising all the time!
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36566373
It's ok - really. No need to apologise.

Yep on the client. You can leave the IP settings as DHCP (TCP/IP v4) but manually set the DNS server to the above address.

There's space for two, but it won't complain about just putting one in.
0
 

Author Comment

by:sidnuts
ID: 36566395
Awesome! Set the client card to DC as DNS and loopback as secondary. Got through straight away. That's that thatted then. As to the external machine, I'm still getting that same error message from the remote desktop app.
0
 

Author Comment

by:sidnuts
ID: 36566401
But I'm guessing that's a certificate issue now?
0
 

Author Comment

by:sidnuts
ID: 36566423
Incidentally, when I run nslookup from the external machine, I'm getting this:

nslookup-external.jpg
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36566440
Actually it's probably not.

By the way - don't set up a loopback address for the second DNS server. If it can't reach the first one, it'll try the second and as that's itself, it'll fail.

Not a problem on a workstation of course but could be on a server.

To access the RD Web Gateway from an external client, you need a public IP address and the relevant external DNS entry (this will usually be handled by your LEA).

So what you need to do, is decide on a suitable external name (for example, remote.school.ac.uk) and ask your LEA to register this and to forward port 443 and 3389 on their managed firewall to your Andy server.

I'm assuming here, but with any educational establishment I've worked with, it's been a fully managed firewall and they do this.

You then need to procure an externally signed certificate (they really aren't expensive) that will include, as a minimum:

remote.school.ac.uk
andy.ashgrove.int
andy

Once that is done, you should get access to the site and connect.

We still have to consider your internal DNS though.

Another assumption - your workstations are all set to DHCP (i.e. pick up their IP address automatically)?

And that they all use the gateway as the DNS server?

You need to log into your domain controller (I'm assuming again, but I'm going to assume it's the DHCP server) and from the administrative tools, launch DHCP manager.

Under the reservation (don't worry - it'll be clear when you sit in front of it) you need to look for scope options.

In there, you need to set the DNS server to be the DC as above.

But...I would caveat all of that with a word of warning to ask if there's any specific reason the existing DNS server settings point to the gateway (though I can't think of any off-hand).


0
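Before buying a certificate, or after importing one, it is worth checking that the names the clients will actually use are all present in it. The script below is an added example, not something posted in this thread or provided by Microsoft; it is assumed to run on the RD server with rights to read the machine certificate store, and the three required names are the ones listed in the comment above (the first is the example external name, so substitute the real one). It reports which installed certificates cover all the names, whether they are self-signed, and whether they have expired; it does not tell you which certificate RD Gateway is currently bound to, which is set in RD Gateway Manager.

```powershell
# Added example (not from the thread): check which certificates in the local machine
# store cover every name RD Web / RD Gateway clients will present.
# Assumes it runs on the RD server with read access to Cert:\LocalMachine\My.
# The required names are the ones listed in the thread; remote.school.ac.uk is a placeholder.

$RequiredNames = @('remote.school.ac.uk', 'andy.ashgrove.int', 'andy')

function Test-NameCovered {
    param([string]$Name, [string[]]$Covered)
    foreach ($c in $Covered) {
        if ($c -eq $Name) { return $true }
        # A wildcard entry (*.example.org) covers exactly one label to its left
        if ($c.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.') + 1) -eq $c.Substring(2)) { return $true }
    }
    return $false
}

function Test-CertificateCoversNames {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$Names
    )
    # DnsNameList merges the subject CN with any Subject Alternative Name entries
    $covered = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })
    $missing = @($Names | Where-Object { -not (Test-NameCovered $_.ToLowerInvariant() $covered) })
    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        Expires    = $Certificate.NotAfter
        SelfSigned = ($Certificate.Subject -eq $Certificate.Issuer)
        Covered    = ($covered -join ', ')
        Missing    = ($missing -join ', ')
        Ok         = ($missing.Count -eq 0 -and $Certificate.NotAfter -gt (Get-Date))
    }
}

# Only certificates with a private key can be used by the gateway, so limit the report to those
$report = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-CertificateCoversNames -Certificate $_ -Names $RequiredNames }

$report | Format-List Thumbprint, Subject, Issuer, Expires, SelfSigned, Covered, Missing, Ok

if (-not ($report | Where-Object { $_.Ok })) {
    Write-Warning 'No installed certificate with a private key covers all required names; request one from a public CA with these as SAN entries.'
}
```

A certificate that shows Ok but SelfSigned will still trigger warnings on external clients that do not trust the issuing server, which is the reason the thread recommends a publicly signed SAN certificate rather than one generated on the RD server.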
 
LVL 25

Expert Comment

by:Tony1044
ID: 36566449
On your external client - does that valeofglamorgan address actually point to the external IP address of your firewall/gateway?

You will need to forward ports 443 and for good measure 3389 to the RD server on the firewall. Well your LEA will.
0
 

Author Comment

by:sidnuts
ID: 36566563
OK, have checked the scope options on the DC, and it states the DC as the DNS server OK. As regards the gateway, it's the switch between us and the LEA. Before we had the server, and just used a NAS, it acted as de facto DHCP, distributing one range (10.35.8.*), and now we have the server, it distributes another range (10.35.10.*). As regards an external redirect name, we've been given folders.ashgrove.valeofglamorgan.sch.uk, and port 443 has already been released on it (was having problems even getting the rdweb screen on a remote till they did this) and will use portqryui to see if 3389 is free on it too. I'll look into getting an externally signed certificate with all those entries in it. Is it relatively straightforward importing it into the RDserver? Would you be averse to me poking you in the event that I get another blonde moment?
Cheers
Andy
0
 

Author Comment

by:sidnuts
ID: 36566588
valeofglamorgan address redirects to the internal IP of the RD server, yes.
0
 

Author Comment

by:sidnuts
ID: 36566607
Have just checked 3389 externally from portqry, and it's coming back as filtered/blocked, which was what I got before 443 was released. Is this port specific to RDweb services, or just an "in case" free up.
0
 
LVL 25

Accepted Solution

by:
Tony1044 earned 500 total points
ID: 36566635
3389 TCP is the RDP protocol port. I cannot, for the life of me, remember if it's 100% required with RDWeb now so it was more of an "in case" thing. I think, in honesty, that it is fully encapsulated in the HTTPS stream from point to point so not necessary.

But it does give you a way to remote into a server from home :-)

And as long as you don't use blank/simple administrator passwords you'll be as secure as opening 443 to the same box.

Adding a certificate is not tricky at all.

I have a bookmarked URL at home with step-by-step instructions of all the RDWeb/Farm etc configuration steps. I'll try to remember to look it up and drop it here for you.

I have no problem at all and I'm always happy to help.

If you look at my profile here, you can follow me. You can then always get hold of me via the "hire me" button on my profile even if it is just to ping me a message to say you've opened another question on E-E.
0
 

Author Comment

by:sidnuts
ID: 36566670
You, sir, are a Prince amongst Men! If I could award you 1000 points, I would deem it too little!!
Very grateful for all your help. I'll look into the certificate business right away.
0
 

Author Closing Comment

by:sidnuts
ID: 36566674
This bloke RAWKS!!!
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 36566686
Thank you for the points.

Good luck with putting it into production - you'll like it, as it really does _just work_ now.

And as I say, please feel free to get in touch if you have any other problems.
0