Solved

SSL Certificate Required for SBS + Secondary Remote Desktop Server

Posted on 2011-09-27
Last Modified: 2012-05-17
Hey Experts,
I get very confused around the area of SSL Certificates and I am hoping someone can lend a hand and clear this up for me:

I need to know the SSL setup I must use for the following two-server implementation:

SBS 2008 STD Server
Secondary 2008 R2 Server with Remote Desktop Services Installed

I have already set up the SBS2008 server with an SSL cert purchased from GoDaddy so that users can use RWW and Outlook Anywhere.
The certificate is a Standard (Turbo) SSL certificate.

One year later, I now want to install Remote Desktop Services on a secondary server so that I can serve up a third-party application over Terminal Services and allow users to log into a session on the server instead of directly to their workstation.
I see that the Remote Desktop Services Role requires an SSL certificate.

So...

Do I have to buy another certificate for this?

If this was in the design phase (SBS2008 section had not been implemented yet) would there be a special SSL cert that could cover both servers?
Question by:IT101
7 Comments

Author Comment

by:IT101
ID: 36714678
UPDATE:
What I want to achieve at the end of the day is:

Internal users can access RDWeb apps and remote desktop connections to the secondary server from their internal PCs.
External users can log onto a remote desktop session on the secondary Remote Desktop server via SBS2008's RWW site from their external PCs.

To my knowledge... (which is very limited as I said before) the SSL cert will verify against the host.FQDN for my Turbo SSL cert.
From the outside the user would use the host.FQDN, which would point to the company's router and then get port forwarded to the SBS2008 server which holds the correct certificate. Therefore that connection would be valid to the cert and a secure connection would be created.
But where does the SSL cert come into play for the 2nd server? I do not believe the same cert used on the SBS2008 server could be used as it's certified to the FQDN (wouldn't the RD Gateway of the SBS2008 server be redirecting to the 2nd server using internal DNS names which therefore have nothing to do with that cert?)

:) As you can see... I need your help.

Assisted Solution

by:Adam Brown
Adam Brown earned 500 total points
ID: 36720136
For the second server you can create and use a Self-Signed certificate if the RDWeb applications are only accessible internally. You could also generate a certificate using Certificate Services in Windows 2008, but this requires a lot more work. To generate a self-signed certificate on the second server, you'll need to make sure IIS 7 is installed (makes things easier) then follow these instructions: http://technet.microsoft.com/en-us/library/cc753127%28WS.10%29.aspx

After that, you will want to deploy the Self-signed certificate to your workstations so they will trust it and not throw out an error every time they connect to the server. http://www.unixwiz.net/techtips/deploy-webcert-gp.html has some instructions on doing that.

Basically, the main difference between an SSL certificate from a public Certificate Authority like Turbo SSL and a self-signed/internal CA cert is that the public CAs are all trusted by Windows by default, so you don't have to instruct the computers to trust the certificates and thus not get an error when you connect. There is also a lessened level of security associated with self-signed certificates, but the lowered security level is based on the idea that an untrusted source can also create a self-signed certificate that matches the name of your server and use that to launch a man-in-the-middle attack, but the likelihood of that happening is very low.

Author Comment

by:IT101
ID: 36907503
Thanks for the prompt reply acbrown2010,
I wanted to keep to public certs so that there was no additional work to be performed on any external devices though.
My main confusion however is how to remote directly into a session on the second server via the RWW of the SBS server when a user is outside of the company.

Are there additional certificates that I need to set up for this?
I use a public CA cert on the SBS server which allows users to remotely connect to workstations in the domain.
How do I get the same functionality but where they can log into a session on the second server that has the remote desktop service role instead of relying on a workstation to be on at the time in the domain.
What certificate do I use on the second server to make this possible?

Do I have to scrap the whole idea of going through RWW? And instead create another Public SSL cert that points to the same IP but instead goes over another port and forwards to the second server on the internal subnet?

Accepted Solution

by:Adam Brown
ID: 36907764
Each host name you use to connect externally will require its own certificate unless you purchase a wildcard cert or a cert with Subject Alternative Names (SAN). Wildcard and SAN certs allow you to have multiple valid host names tied to the cert. You can use the same certificate on the second server if you use a second port on the same IP address to point to the RWW server. You'll also need to have some routing to forward traffic from that port to the RWW server. The real issue you're going to run into is connecting to computers. RWW uses the internal name of the computers when it connects you to them, so you're always going to get certificate errors when you connect to a computer through RWW if the internal domain is different from the external domain name. There isn't really a way to bypass that issue because third-party CAs will not issue wildcards and SANs for domains you don't own or that can't be owned.

It's important to note, though, that encryption of data through SSL still occurs even when there is a certificate error. The certificate provides server authentication, so you know you're talking to the server/device you mean to be, but a valid certificate isn't required for encryption to occur.

As long as the server you want them to connect to is made available through RWW, it's possible to connect with an encrypted tunnel; you'll just need to let your users know that they will receive a certificate error and that it's okay to accept it and continue.
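Whether a given certificate will cover the names in this two-server setup can be checked before buying anything. The following is an added example, not code from the thread or from any Microsoft tool: a small Python matcher that applies the RFC 6125 hostname rules (a wildcard only as the whole left-most label, matching exactly one label, with at least two labels to its right) to a constructed set of certificate names and deployment hostnames. The hostnames remote.example.com, rds.example.com and rds01.corp.local, and the list of suffixes treated as non-public, are assumptions of the example, not values from the original post.

```python
"""Hostname-to-certificate name matching as an RDP/TLS client performs it.

Added example, not part of the original thread. Pure standard library so
it runs offline; all names below are constructed placeholders.
"""
import ipaddress
import re

# Constructed example values (assumptions, not from the original post):
# the single-name certificate already on the SBS server
SINGLE_NAME_CERT = ["remote.example.com"]
# what a wildcard certificate for the same public domain would carry
WILDCARD_CERT = ["*.example.com", "example.com"]
# what a SAN certificate listing both servers' external names would carry
SAN_CERT = ["remote.example.com", "rds.example.com", "example.com"]
# the names the deployment actually connects to
DEPLOYMENT_HOSTS = [
    "remote.example.com",   # SBS 2008: RWW, Outlook Anywhere, TS Gateway
    "rds.example.com",      # external name chosen for the 2008 R2 RDS server
    "rds01.corp.local",     # the RDS server's internal AD name, as RWW uses it
]

# Suffixes a public CA will not certify (reserved or not in public DNS).
# Illustrative list, an assumption of this example.
NON_PUBLIC_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home", ".localdomain")

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop a trailing root dot."""
    return name.strip().rstrip(".").lower()


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Match one DNS hostname against one certificate name (RFC 6125 style).

    '*.example.com' covers 'rds.example.com' but not 'example.com',
    'a.b.example.com', or any name under a different domain; partial
    wildcards such as 'rds*.example.com' are rejected outright.
    """
    host = _normalize(hostname)
    pat = _normalize(pattern)
    if not host or not pat:
        return False
    if "*" not in pat:
        return host == pat
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    if pat_labels[0] != "*" or any("*" in lbl for lbl in pat_labels[1:]):
        return False            # wildcard must be the entire left-most label
    if len(pat_labels) < 3:
        return False            # '*.com' would cover a whole TLD
    if len(host_labels) != len(pat_labels):
        return False            # the wildcard spans exactly one label
    if not _LABEL.match(host_labels[0]):
        return False
    return host_labels[1:] == pat_labels[1:]


def matching_name(cert_names, hostname):
    """Return the certificate name that covers hostname, or None."""
    for name in cert_names:
        if hostname_matches(hostname, name):
            return name
    return None


def coverage_report(cert_names, hostnames):
    """Map each hostname the deployment uses to the cert name covering it."""
    return {h: matching_name(cert_names, h) for h in hostnames}


def publicly_issuable(hostname: str) -> bool:
    """Rough check whether a public CA could put this name on a certificate.

    Rejects IP literals, single-label names and the non-public suffixes
    above. Assumption: an illustration, not the full CA rule set.
    """
    host = _normalize(hostname)
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if "." not in host:
        return False
    return not host.endswith(NON_PUBLIC_SUFFIXES)


if __name__ == "__main__":
    for label, names in (("single-name", SINGLE_NAME_CERT),
                         ("wildcard", WILDCARD_CERT),
                         ("SAN", SAN_CERT)):
        print(f"{label} cert {names}:")
        for host, hit in coverage_report(names, DEPLOYMENT_HOSTS).items():
            note = "" if publicly_issuable(host) else " (no public CA will issue this name)"
            print(f"  {host:22} -> {hit or 'NO MATCH: certificate error'}{note}")
```

Run as a script it prints one coverage table per certificate. The single-name cert covers only remote.example.com; the wildcard and SAN certs also cover rds.example.com, which is the design-phase answer to the question above; and rds01.corp.local matches nothing in any of them, while publicly_issuable returns False for it, which is the RWW certificate error the accepted answer says cannot be avoided when the internal and external domains differ.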

Author Comment

by:IT101
ID: 36913882
OK thanks,
I will have a go and update this post when I have more info.