SSL Certificate Required for SBS + Secondary Remote Desktop Server

Posted on 2011-09-27
Medium Priority
Last Modified: 2012-05-17
Hey Experts,
I get very confused around the area of SSL Certificates and I am hoping someone can lend a hand and clear this up for me:

I need to know the SSL setup I must use for the following 2 server implementation:

SBS 2008 STD Server
Secondary 2008 R2 Server with Remote Desktop Services Installed

I have already set up the SBS2008 server with an SSL cert purchased from GoDaddy so that users can use RWW and Outlook Anywhere.
The certificate is a Standard (Turbo) SSL certificate.

1 year later, I now want to install remote desktop services on a secondary server so that I can serve up a third party application over Terminal Services and allow users to log into a session on the server instead of directly to their workstation.
I see that the Remote Desktop Services Role requires an SSL certificate.


Do I have to buy another certificate for this?

If this was in the design phase (SBS2008 section had not been implemented yet) would there be a special SSL cert that could cover both servers?
Question by:IT101
Author Comment

ID: 36714678
What I want to achieve at the end of the day is:

Internal users can access RDWeb Apps and remote desktop connections to the Secondary Server from their internal PCs.
External users can log onto a remote desktop session on the Remote Desktop Secondary Server via SBS2008's RWW site from their external PCs.

To my knowledge... (which is very limited as I said before) the SSL cert will verify against the host.FQDN for my Turbo SSL cert.
From the outside the user would use the host.FQDN, which would point to the company's router and then get port forwarded to the SBS2008 server which holds the correct certificate. Therefore that connection would be valid to the cert and a secure connection would be created.
But where does the SSL cert come into play for the 2nd Server? I do not believe the same cert used on the SBS2008 server could be used, as it's certified to the FQDN (wouldn't the RDGateway of the SBS2008 server be redirecting to the 2nd server using internal DNS names, which therefore have nothing to do with that cert?)

:) As you can see... I need your help.
LVL 42

Assisted Solution

by:Adam Brown
Adam Brown earned 2000 total points
ID: 36720136
For the second server you can create and use a Self-Signed certificate if the RDWeb applications are only accessible internally. You could also generate a certificate using Certificate Services in Windows 2008, but this requires a lot more work. To generate a self-signed certificate on the second server, you'll need to make sure IIS 7 is installed (makes things easier) then follow these instructions: http://technet.microsoft.com/en-us/library/cc753127%28WS.10%29.aspx

After that, you will want to deploy the Self-signed certificate to your workstations so they will trust it and not throw out an error every time they connect to the server. http://www.unixwiz.net/techtips/deploy-webcert-gp.html has some instructions on doing that.

Basically, the main difference between an SSL certificate from a public Certificate Authority like Turbo SSL and a self-signed/internal CA cert is that the public CAs are all trusted by Windows by default, so you don't have to instruct the computers to trust the certificates and thus not get an error when you connect. There is also a lessened level of security associated with Self-signed certificates, but the lowered security level is based on the idea that an untrusted source can also create a self-signed certificate that matches the name of your server and use that to launch a man-in-the-middle attack, but the likelihood of that happening is very low.

Author Comment

ID: 36907503
Thanks for the prompt reply acbrown2010,
I wanted to keep to public certs so that there was no additional work to be performed on any external devices though.
My main confusion however is how to remote directly into a session on the second server via the RWW of the SBS server when a user is outside of the company.

Are there additional certificates that I need to set up for this?
I use a public CA cert on the SBS server which allows users to remotely connect to workstations in the domain.
How do I get the same functionality but where they can log into a session on the second server that has the remote desktop service role, instead of relying on a workstation to be on at the time in the domain?
What certificate do I use on the second server to make this possible?

Do I have to scrap the whole idea of going through RWW? And instead create another Public SSL cert that points to the same IP but instead goes over another port and forwards to the second server on the internal subnet?
LVL 42

Accepted Solution

Adam Brown earned 2000 total points
ID: 36907764
Each host name you use to connect externally will require its own Certificate unless you purchase a Wildcard Cert or a cert with Subject Alternate Names (SAN). Wildcards and SAN certs allow you to have multiple valid host names tied to the cert. You can use the same Certificate on the second server if you use a second port on the same IP address to point to the RWW server. You'll also need to have some routing to forward traffic from that port to the RWW server. The real issue you're going to run into is connecting to computers. RWW uses the internal name of the computers when it connects you to them, so you're always going to get certificate errors when you connect to a computer through RWW if the internal domain is different from the external domain name. There isn't really a way to bypass that issue because third party CAs will not issue wildcards and SANs for domains you don't own or that can't be owned.

It's important to note, though, that encryption of data through SSL still occurs even when there is a certificate error. The certificate provides server authentication, so you know you're talking to the server/device you mean to be, but a valid certificate isn't required for encryption to occur.

As long as the server you want them to connect to is made available through RWW, it's possible to connect with an encrypted tunnel; you'll just need to let your users know that they will receive a certificate error and that it's okay to accept it and continue.
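The following is an added example, not part of this thread and not written by either participant. It models the two independent checks a client makes before it accepts a server certificate without complaint, the ones both of Adam's answers turn on: whether the issuer is in the machine's trust store (the self-signed vs. public CA point, and what pushing the cert out by Group Policy changes) and whether any name on the certificate matches the host name the client was pointed at (the single-name vs. SAN vs. wildcard point, and why RWW connections to internal names keep producing errors). Certificates are constructed dictionaries rather than parsed X.509, all host names (`example.com`, `example.local`) and the CA label "Example Public CA" are made up, and chain building, expiry and revocation are deliberately left out.

```python
# Added example (not from this thread): a model of the two checks a client
# performs on a server certificate, built to trace the cases discussed above.
# Certificates are plain dictionaries (constructed here, not parsed X.509),
# and every host name and CA label below is made up.


def _name_matches(cert_name, hostname):
    """Match one certificate name (CN or dNSName SAN) against a host name.

    A wildcard is honoured only as the entire leftmost label ("*.example.com")
    and covers exactly one label, so "*.example.com" matches "rds.example.com"
    but not "example.com" or "a.b.example.com".
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    if c_labels[0] != "*" or "*" in cert_name[2:] or len(c_labels) < 3:
        return False  # reject "foo*.example.com", "*.*.com", "*.com"
    return len(c_labels) == len(h_labels) and c_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names a client considers: the SAN list when present, otherwise the CN."""
    return cert["san"] if cert["san"] else [cert["cn"]]


def evaluate(cert, hostname, trusted_issuers):
    """Return "ok" or a '+'-joined list of the problems a client would report.

    Two independent checks: is the issuer in the machine's trust store, and
    does any certificate name match the host name the client was given.
    A name mismatch is reported even for a trusted issuer, which is the
    RWW internal-name case from the thread.
    """
    problems = []
    if cert["issuer"] not in trusted_issuers:
        problems.append("untrusted-issuer")
    if not any(_name_matches(n, hostname) for n in cert_names(cert)):
        problems.append("name-mismatch")
    return "ok" if not problems else "+".join(problems)


# Constructed certificates and trust stores for the scenarios in the thread.
PUBLIC_CA = "Example Public CA"          # stands in for any trusted commercial CA
PUBLIC_ROOTS = {PUBLIC_CA}               # what a client trusts out of the box

SINGLE_NAME = {"cn": "remote.example.com", "san": [], "issuer": PUBLIC_CA}
SAN_CERT = {"cn": "remote.example.com",
            "san": ["remote.example.com", "rds.example.com"], "issuer": PUBLIC_CA}
WILDCARD = {"cn": "*.example.com", "san": ["*.example.com"], "issuer": PUBLIC_CA}
SELF_SIGNED = {"cn": "rds01.example.local", "san": ["rds01.example.local"],
               "issuer": "rds01.example.local"}  # issuer == subject


def scenarios():
    """Run the cases discussed in the thread and return case -> verdict."""
    # Trust store after the self-signed cert is pushed to clients by Group Policy.
    roots_with_gpo = PUBLIC_ROOTS | {SELF_SIGNED["issuer"]}
    return {
        "single-name cert, its own host":     evaluate(SINGLE_NAME, "remote.example.com", PUBLIC_ROOTS),
        "single-name cert, second host":      evaluate(SINGLE_NAME, "rds.example.com", PUBLIC_ROOTS),
        "SAN cert, second host":              evaluate(SAN_CERT, "rds.example.com", PUBLIC_ROOTS),
        "wildcard cert, second host":         evaluate(WILDCARD, "rds.example.com", PUBLIC_ROOTS),
        "wildcard cert, bare domain":         evaluate(WILDCARD, "example.com", PUBLIC_ROOTS),
        "public cert, internal name via RWW": evaluate(SAN_CERT, "rds01.example.local", PUBLIC_ROOTS),
        "self-signed, no GPO":                evaluate(SELF_SIGNED, "rds01.example.local", PUBLIC_ROOTS),
        "self-signed, after GPO":             evaluate(SELF_SIGNED, "rds01.example.local", roots_with_gpo),
        "self-signed, short name":            evaluate(SELF_SIGNED, "rds01", roots_with_gpo),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:38s} {verdict}")
```

Running it prints one verdict per case. The "public cert, internal name via RWW" row is the situation the accepted answer describes: the issuer is trusted, the cert is perfectly valid for the external names, and the client still reports a mismatch because RWW hands it the server's internal `.local` name, which no public CA will put on a certificate. The two self-signed rows show that deploying the cert to clients only clears the issuer check; the name on the self-signed cert still has to be the exact name users type.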

Author Comment

ID: 36913882
OK thanks,
I will have a go and update this post when I have more info.
