SSL Certificate Required for SBS + Secondary Remote Desktop Server

Hey Experts,
I get very confused around the area of SSL Certificates and I am hoping someone can lend a hand and clear this up for me:

I need to know the SSL setup I must use for the following 2 server implementation:

SBS 2008 STD Server
Secondary 2008 R2 Server with Remote Desktop Services Installed

I have already setup the SBS2008 server with an SSL cert purchased from GoDaddy so that users can use RWW and Outlook Anywhere.
The certificate is a Standard (Turbo) SSL certificate.

1 year later, I now want to install remote desktop services on a secondary server so that I can serve up a third party application over Terminal Services and allow users to log into a session on the server instead of directly to their workstation.
I see that the Remote Desktop Services Role requires an SSL certificate.


Do I have to buy another certificate for this?

If this was in the design phase (SBS2008 section had not been implemented yet) would there be a special SSL cert that could cover both servers?

IT101 (Author) Commented:
What I want to achieve at the end of the day is:

Internal users can access RDWeb Apps and remote desktop connections to the Secondary Server from their internal PCs.
External users can log onto a remote desktop session on the Remote Desktop Secondary Server via SBS2008's RWW site from their external PCs.

To my knowledge... (which is very limited as I said before) the SSL cert will verify against the host.FQDN for my Turbo SSL cert.
From the outside the user would use the host.FQDN, which would point to the company's router and then get port forwarded to the SBS2008 server which holds the correct certificate. Therefore that connection would be valid to the cert and a secure connection would be created.
But where does the SSL cert come into play for the 2nd Server? I do not believe the same cert used on the SBS2008 server could be used, as it's certified to the FQDN (wouldn't the RD Gateway of the SBS2008 server be redirecting to the 2nd server using internal DNS names, which therefore have nothing to do with that cert?)

:) As you can see... I need your help.
Adam Brown (Sr Solutions Architect) Commented:
For the second server you can create and use a Self-Signed certificate if the RDWeb applications are only accessible internally. You could also generate a certificate using Certificate Services in Windows 2008, but this requires a lot more work. To generate a self-signed certificate on the second server, you'll need to make sure IIS 7 is installed (makes things easier) then follow these instructions:

After that, you will want to deploy the Self-signed certificate to your workstations so they will trust it and not throw out an error every time they connect to the server. has some instructions on doing that.

Basically, the main difference between an SSL certificate from a public Certificate Authority like Turbo SSL and a self-signed/internal CA cert is that the public CAs are all trusted by Windows by default, so you don't have to instruct the computers to trust the certificates and thus not get an error when you connect. There is also a lessened level of security associated with self-signed certificates, but the lowered security level is based on the idea that an untrusted source can also create a self-signed certificate that matches the name of your server and use that to launch a man-in-the-middle attack, but the likelihood of that happening is very low.
IT101 (Author) Commented:
Thanks for the prompt reply acbrown2010,
I wanted to keep to public certs so that there was no additional work to be performed on any external devices though.
My main confusion however is how to remote directly into a session on the second server via the RWW of the SBS server when a user is outside of the company.

Are there additional certificates that I need to set up for this?
I use a public CA cert on the SBS server which allows users to remotely connect to workstations in the domain.
How do I get the same functionality, but where they can log into a session on the second server that has the Remote Desktop Services role, instead of relying on a workstation being on at the time in the domain?
What certificate do I use on the second server to make this possible?

Do I have to scrap the whole idea of going through RWW? And instead create another Public SSL cert that points to the same IP but instead goes over another port and forwards to the second server on the internal subnet?
Adam Brown (Sr Solutions Architect) Commented:
Each host name you use to connect externally will require its own Certificate unless you purchase a Wildcard Cert or a cert with Subject Alternate Names (SAN). Wildcards and SAN certs allow you to have multiple valid host names tied to the cert. You can use the same Certificate on the second server if you use a second port on the same IP address to point to the RWW server. You'll also need to have some routing to forward traffic from that port to the RWW server. The real issue you're going to run into is connecting to computers. RWW uses the internal name of the computers when it connects you to them, so you're always going to get certificate errors when you connect to a computer through RWW if the internal domain is different from the external domain name. There isn't really a way to bypass that issue because third party CAs will not issue wildcards and SANs for domains you don't own or that can't be owned.

It's important to note, though, that encryption of data through SSL still occurs even when there is a certificate error. The certificate provides server authentication, so you know you're talking to the server/device you mean to be, but a valid certificate isn't required for encryption to occur.

As long as the server you want them to connect to is made available through RWW, it's possible to connect with an encrypted tunnel; you'll just need to let your users know that they will receive a certificate error and that it's okay to accept it and continue.
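To make the name-matching rule from the answer above concrete, here is an added example (not code from the thread or from any Microsoft/GoDaddy tool) that applies the standard hostname-vs-certificate matching rules to a constructed set of names: a single-name public cert, a wildcard cert, and the internal computer names RWW hands out. The host names are assumptions chosen for illustration.

```python
# Added example: why RWW connections to internal computer names fail certificate
# name checks, and which names a wildcard or SAN cert would actually cover.
# All host names below are constructed for illustration, not from the thread.

PUBLIC_CERT_SANS = ["remote.example.com", "www.remote.example.com"]   # standard cert
WILDCARD_CERT_SANS = ["*.example.com", "example.com"]                 # wildcard cert


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style check: case-insensitive, and a '*' is only allowed as the
    entire leftmost label, matches exactly one label, and needs at least two
    labels after it (so '*.local' or bare '*' never match anything)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(sans: list[str], hostname: str) -> bool:
    """True if any subject alternative name on the cert covers this hostname."""
    return any(_name_matches(san, hostname) for san in sans)


def uncovered_names(sans: list[str], hostnames: list[str]) -> list[str]:
    """Names that will produce a certificate error with this cert. These are the
    names that would need their own cert, a SAN entry, or a wildcard (and a CA
    will not issue a public cert for a domain you do not own, e.g. *.local)."""
    return [h for h in hostnames if not hostname_matches(sans, h)]


if __name__ == "__main__":
    # What RWW / RD Gateway connects to: the external name, plus internal names.
    targets = ["remote.example.com", "rds01.example.com",
               "rds01.corp.example.com", "rds01.company.local"]
    for label, sans in (("standard", PUBLIC_CERT_SANS), ("wildcard", WILDCARD_CERT_SANS)):
        print(f"{label} cert: errors for {uncovered_names(sans, targets)}")
```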

IT101 (Author) Commented:
OK thanks,
I will have a go and update this post when I have more info.