SSL Certificate Required for SBS + Secondary Remote Desktop Server

Posted on 2011-09-27
Last Modified: 2012-05-17
Hey Experts,
I get very confused around the area of SSL Certificates and I am hoping someone can lend a hand and clear this up for me:

I need to know the SSL setup I must use for the following 2 server implementation:

SBS 2008 STD Server
Secondary 2008 R2 Server with Remote Desktop Services Installed

I have already setup the SBS2008 server with an SSL cert purchased from GoDaddy so that users can use RWW and Outlook Anywhere.
The certificate is a Standard (Turbo) SSL certificate.

1 year later, I now want to install remote desktop services on a secondary server so that I can serve up a third party application over Terminal Services and allow users to log into a session on the server instead of directly to their workstation.
I see that the Remote Desktop Services Role requires an SSL certificate.


Do I have to buy another certificate for this?

If this was in the design phase (SBS2008 section had not been implemented yet) would there be a special SSL cert that could cover both servers?
Question by:IT101
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2

Author Comment

ID: 36714678
What I want to achieve at the end of the day is:

Internal users can access RDWeb Apps and remote desktop connections to the  Secondary Server from their internal PC's.
External users can log onto a remote desktop session on the Remote Desktop Secondary Server via SBS2008's RWW site. from their external PC's.

To my knowledge... (which is very limited as I said before) the ssl cert will verify against the host.FQDN for my turbo SSL cert.
From the outside the user would use the host.FQDN which would point to the companies router and then get port forwarded to the SBS2008 server which holds the correct certificate. Therefore that connection would be valid to the cert and a secure connection would be created.
But where does the SSL cert come into play for the 2nd Server? I do not believe the same cert used on the SBS2008 server could be used as its certified to the FQDN (wouldn't the RDGateway of the SBS2008 server be redirecting to the 2nd server using internal DNS names which therefore have nothing to do with that cert?)

:) As you can see... I need your help.
LVL 41

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 36720136
For the second server you can create and use a Self-Signed certificate if the RDWeb applications are only accessible internally. You could also generate a certificate using Certificate Services in Windows 2008, but this requires a lot more work. To generate a self-signed certificate on the second server, you'll need to make sure IIS 7 is installed (makes things easier) then follow these instructions:

After that, you will want to deploy the Self-signed certificate to your workstations so they will trust it and not throw out an error every time they connect to the server. has some instructions on doing that.

Basically, the main different between an SSL certificate from a public Certificate Authority like Turbo SSL and a self-signed/internal CA cert is that the public CAs are all trusted by Windows by default, so you don't have to instruct the computers to trust the certificates and thus not get an error when you connect. There is also a lessened level of security associated with Self-signed certificates, but the lowered security level is based on the idea that an untrusted source can also create a self-signed certificate that matches the name of your server and use that to launch a man-in-the-middle attack, but the likelihood of that happening is very low.

Author Comment

ID: 36907503
Thanks for the prompt reply acbrown2010,
I wanted to keep to public certs so that there was no additional work to be performed on any external devices though.
My main confusion however is how to remote directly into a session on the second server via the RWW of the SBS server when a user is outside of the company.

Are their additional certificates that I need to setup for this?
I use a public CA cert on the SBS server which allows users to remotely connect to workstations in the domain.
How do I get the same functionality but where they can log into a session on the second server that has the remote desktop service role instead of relying on a workstation to be on at the time in the domain.
What certificate do I use on the second server to make this possible?

Do I have to scrap the whole idea of going through RWW? And instead create another Public SSL cert that points to the same IP but instead goes over another port and forwards to the second server on the internal subnet?
LVL 41

Accepted Solution

Adam Brown earned 500 total points
ID: 36907764
Each host name you use to connect externally will require its own Certificate unless you purchase a Wildcard Cert or a cert with Subject Alternate Names (SAN). Wildcards and SAN certs allow you to have multiple valid host names tied to the cert. You can use the same Certificate on the second server if you use a second port on the same IP address to point to the RWW server. You'll also need to have some routing to forward traffic from that port to the RWW server. The real issue you're going to run into is connecting to computers. RWW uses the internal name of the computers when it connects you to them, so you're always going to get certificate errors when you connect to a computer through RWW if the internal domain is different from the external domain name. There isn't really a way to bypass that issue because third party CAs will not issue wildcards and SANs for domains you don't own or that can't be owned.

It's important to note, though, that encryption of data through SSL still occurs even when there is a certificate error. The certificate provides server authentication, so you know you're talking to the server/device you mean to be, but a valid certificate isn't required for encryption to occur.

As long as the server you want them to connect to is made available through RWW, it's possible to connect with an encrypted tunnel, you'll just need to let your users know that they will receive a certificate error and that it's okay to accept it and continue.

Author Comment

ID: 36913882
OK thanks,
I will have a go and update this post when I have more info.

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question