SSL Certificate Required for SBS + Secondary Remote Desktop Server

Posted on 2011-09-27
Last Modified: 2012-05-17
Hey Experts,
I get very confused around the area of SSL Certificates and I am hoping someone can lend a hand and clear this up for me:

I need to know the SSL setup I must use for the following 2 server implementation:

SBS 2008 STD Server
Secondary 2008 R2 Server with Remote Desktop Services Installed

I have already set up the SBS2008 server with an SSL cert purchased from GoDaddy so that users can use RWW and Outlook Anywhere.
The certificate is a Standard (Turbo) SSL certificate.

1 year later, I now want to install remote desktop services on a secondary server so that I can serve up a third party application over Terminal Services and allow users to log into a session on the server instead of directly to their workstation.
I see that the Remote Desktop Services Role requires an SSL certificate.


Do I have to buy another certificate for this?

If this was in the design phase (SBS2008 section had not been implemented yet) would there be a special SSL cert that could cover both servers?
Question by:IT101

Author Comment

ID: 36714678
What I want to achieve at the end of the day is:

Internal users can access RDWeb Apps and remote desktop connections to the Secondary Server from their internal PCs.
External users can log onto a remote desktop session on the Remote Desktop Secondary Server via SBS2008's RWW site from their external PCs.

To my knowledge... (which is very limited as I said before) the SSL cert will verify against the host.FQDN for my Turbo SSL cert.
From the outside the user would use the host.FQDN which would point to the company's router and then get port forwarded to the SBS2008 server which holds the correct certificate. Therefore that connection would be valid to the cert and a secure connection would be created.
But where does the SSL cert come into play for the 2nd Server? I do not believe the same cert used on the SBS2008 server could be used as it's certified to the FQDN (wouldn't the RDGateway of the SBS2008 server be redirecting to the 2nd server using internal DNS names which therefore have nothing to do with that cert?)

:) As you can see... I need your help.

Assisted Solution

by:Adam Brown
Adam Brown earned 2000 total points
ID: 36720136
For the second server you can create and use a Self-Signed certificate if the RDWeb applications are only accessible internally. You could also generate a certificate using Certificate Services in Windows 2008, but this requires a lot more work. To generate a self-signed certificate on the second server, you'll need to make sure IIS 7 is installed (makes things easier) then follow these instructions: http://technet.microsoft.com/en-us/library/cc753127%28WS.10%29.aspx

After that, you will want to deploy the Self-signed certificate to your workstations so they will trust it and not throw out an error every time they connect to the server. http://www.unixwiz.net/techtips/deploy-webcert-gp.html has some instructions on doing that.

Basically, the main difference between an SSL certificate from a public Certificate Authority like Turbo SSL and a self-signed/internal CA cert is that the public CAs are all trusted by Windows by default, so you don't have to instruct the computers to trust the certificates and thus not get an error when you connect. There is also a lessened level of security associated with Self-signed certificates, but the lowered security level is based on the idea that an untrusted source can also create a self-signed certificate that matches the name of your server and use that to launch a man-in-the-middle attack, but the likelihood of that happening is very low.

Author Comment

ID: 36907503
Thanks for the prompt reply acbrown2010,
I wanted to keep to public certs so that there was no additional work to be performed on any external devices though.
My main confusion however is how to remote directly into a session on the second server via the RWW of the SBS server when a user is outside of the company.

Are there additional certificates that I need to set up for this?
I use a public CA cert on the SBS server which allows users to remotely connect to workstations in the domain.
How do I get the same functionality but where they can log into a session on the second server that has the Remote Desktop Services role instead of relying on a workstation to be on at the time in the domain?
What certificate do I use on the second server to make this possible?

Do I have to scrap the whole idea of going through RWW? And instead create another Public SSL cert that points to the same IP but instead goes over another port and forwards to the second server on the internal subnet?

Accepted Solution

Adam Brown earned 2000 total points
ID: 36907764
Each host name you use to connect externally will require its own Certificate unless you purchase a Wildcard Cert or a cert with Subject Alternate Names (SAN). Wildcards and SAN certs allow you to have multiple valid host names tied to the cert. You can use the same Certificate on the second server if you use a second port on the same IP address to point to the RWW server. You'll also need to have some routing to forward traffic from that port to the RWW server. The real issue you're going to run into is connecting to computers. RWW uses the internal name of the computers when it connects you to them, so you're always going to get certificate errors when you connect to a computer through RWW if the internal domain is different from the external domain name. There isn't really a way to bypass that issue because third party CAs will not issue wildcards and SANs for domains you don't own or that can't be owned.

It's important to note, though, that encryption of data through SSL still occurs even when there is a certificate error. The certificate provides server authentication, so you know you're talking to the server/device you mean to be, but a valid certificate isn't required for encryption to occur.

As long as the server you want them to connect to is made available through RWW, it's possible to connect with an encrypted tunnel, you'll just need to let your users know that they will receive a certificate error and that it's okay to accept it and continue.
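The name check behind the certificate errors described in this answer, as an added example that is not part of the original thread or of any Microsoft or GoDaddy code. It models what an RDP/RDS client does when it compares the name it is connecting to against the names a certificate carries (Subject CN plus Subject Alternative Names, with the usual whole-left-most-label wildcard rule), and runs it over a constructed scenario: an external name remote.example.com, an internal AD domain corp.local, and three certificate shapes (single-name, SAN, wildcard). All host names, domain names and certificate contents are assumptions made up for the example.

```python
"""Certificate host-name matching as a TLS/RDP client performs it.

Constructed example: no real certificates are parsed. Each certificate is
represented only by the names it carries, which is all the client needs for
the name check that produces (or avoids) a certificate warning.
"""


def _match_pattern(pattern, hostname):
    """Match one certificate name against one target host name.

    Comparison is case-insensitive. A wildcard is honoured only as the whole
    left-most label and only when at least two labels follow it, so
    '*.example.com' covers 'rds.example.com' but not 'a.b.example.com',
    'example.com', or a different domain such as 'rds01.corp.local'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        # Reject partial wildcards ('r*.example.com') and '*.com'-style names.
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(subject_cn, sans=None):
    """Names a client will accept from a certificate.

    When a SAN extension is present only the SANs count and the CN is ignored
    (RFC 6125 behaviour); without SANs the CN is the single accepted name.
    """
    return list(sans) if sans else [subject_cn]


def hostname_matches(names, hostname):
    """True if any certificate name matches the target host name."""
    return any(_match_pattern(name, hostname) for name in names)


def check_connections(cert, hosts):
    """Return {host: passes_name_check} for each name a client connects to."""
    names = cert_names(*cert)
    return {host: hostname_matches(names, host) for host in hosts}


# Constructed scenario mirroring the thread (assumed names):
#   remote.example.com  - the public name on the SBS/RWW server
#   rds.example.com     - a second public name for the RDS server
#   rds01.corp.local    - the RDS server's internal name, as RWW hands it out
SINGLE_NAME_CERT = ("remote.example.com", None)
SAN_CERT = ("remote.example.com", ["remote.example.com", "rds.example.com"])
WILDCARD_CERT = ("*.example.com", None)
TARGETS = ["remote.example.com", "rds.example.com", "rds01.corp.local"]

if __name__ == "__main__":
    for label, cert in [("single-name", SINGLE_NAME_CERT),
                        ("SAN", SAN_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        print(label, check_connections(cert, TARGETS))
```

Whatever the certificate shape, the internal name rds01.corp.local fails the check, which is the point made above: a public CA cannot issue a name it cannot verify ownership of, so any connection RWW brokers to an internal name will warn, even though the session is still encrypted. The SAN and wildcard certificates only help for additional names in the domain you own.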

Author Comment

ID: 36913882
OK thanks,
I will have a go and update this post when I have more info.
