WAN IP redirection with Remote Desktop Session Broker (Server 2008 R2)

antwerp2007 asked:

Hello,

I will configure Remote Desktop Session Broker on a DC and create a remote desktop farm with 2 Remote Desktop Services servers (SRV 2k8 R2).
I read that using this feature (RD Session Broker) behind a firewall (from the internet) is only possible if you give the remote desktop servers a public IP address and use the IP redirection option.
The second scenario is installing a Remote Desktop Gateway...
I would like to try the scenario of using IP redirection and allocating the server a public IP address.
However, LAN users (internal) also need access to the remote desktop servers. Is this possible when they access the servers from LAN computers that have an internal IP address?
Are there other easy solutions, for example implementing RD Web Access?

Thank you for a quick response

http://www.petri.co.il/forums/showthread.php?t=46911

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_27047487.html?sfQueryTermInfo=1+10+30+broker+desktop+ip+redirect+remot+wan

Commented:
It depends on your firewall settings, but for most of the scenarios, the internal users should be able to access the remote desktop servers via the public IP address with no problem although I personally like the RD Gateway idea better.

Author

Commented:
OK, thank you. Can you provide some practical general information about RD Gateway?
For example, I will use it in combination with TS Session Broker.
I have 2 remote desktop servers and will use DNS round robin (2 DNS A records with the name TS-FARM will be added in the DNS zone).
The RD Session Broker role and RD Gateway role will be installed on a DC.
Internal users use the name TS-FARM in their RDP settings to log on to the remote desktop server and they can bypass the RD Gateway.
But which name (location) is needed for the internet users instead of TS-FARM? I don't understand how internet users can reach the TS-FARM. I also know that installing an SSL certificate is needed for the RD Gateway; I will use it with a self-signed certificate. Can I use the tool selfssl to create a certificate with multiple names? I am afraid that using a certificate with only the FQDN of the RD Gateway will not work for the internet users.

Author

Commented:
Vahid, I installed the Remote Gateway and Session Broker roles on the DC in the meantime (dc1).
I also tested the Remote Gateway and succeeded in the LAN environment with dc1.domain.local as the name in the SSL cert and dc1.domain.local in the gateway settings of the RDP client.
Unfortunately this is not working from the internet. Which name do I have to add in the SSL cert?
Are there different ways? Some people use the name of the farm in their cert, others the FQDN of the gateway server. Can you give some practical examples?
The hostname of the DC is DC1.domain.local
The internal domain is domain.local
The external domain is domain.be
Thanks for your help

Commented:
OK, I think you're getting there nicely. As you mentioned before, for your internal users, you can bypass the Remote Gateway and use the Round Robin DNS name to connect to your farm.

For external users, you'll need a trusted security certificate setup on your Remote Gateway server, and you need to select it as the 'SSL Certificate' under -> RD Gateway Manager -> Server Name -> Properties -> SSL Certificate

In my test environment, I am using a wildcard certificate, but it has to represent your external domain name (i.e. *.domain.be or dc1.domain.be, DC1 can be any name that you set for your remote gateway's external access). Keep in mind that if this is a self-signed certificate, then your clients need to add the CA's cert to their 'Trusted Root Certification Authorities' on their computer. If this is signed by your configured CA then this is done automatically.

In my case, I have my gateway external access named remoteapp.mydomain.com, the server's name itself is appv1.mydomain.com (mydomain.com is the AD name, I didn't go with the .local), my Remote Desktop Servers are named remote rapp1 to rapp4 (.mydomain.com) and my cert on the gateway server is *.mydomain.com, but I'm pretty sure I could've just used remoteapp.mydomain.com (what external users connect to).

Also when you say it is not working from internet, you need to troubleshoot which step is causing the problem. Remote Gateway could be complicated to troubleshoot. You'll need to make sure you have the right Policies (RD CAP and RD RAP), with proper groups, users, access list, ports, etc.

That should get you going for now.

Cheers,
Vahid
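
The name-matching rule behind the certificate advice above, as an added example that is not part of the original thread. It applies the general TLS rules (a wildcard covers exactly one left-most label; an IP literal is matched only against iPAddress SAN entries) and goes slightly beyond the thread by covering the IP case; that the RDP client applies exactly these rules is an assumption. Host names are the thread's, and 203.0.113.10 is a constructed placeholder address.

```python
import ipaddress

def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """Compare one DNS name from the certificate with the name the client typed."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # a wildcard stands for exactly one label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # left-most label only, never "*.be"
    return p == h

def check_gateway_name(connect_name, cert_dns_names, cert_ip_sans=()):
    """Return (ok, reason) for the name entered as the RD Gateway server."""
    if _is_ip(connect_name):
        want = ipaddress.ip_address(connect_name)
        if any(want == ipaddress.ip_address(i) for i in cert_ip_sans):
            return True, "matched an iPAddress SAN entry"
        return False, "IP literal is only matched against iPAddress SAN entries"
    for name in cert_dns_names:
        if not _is_ip(name) and dns_name_matches(name, connect_name):
            return True, "matched " + name
    return False, "no certificate name covers " + connect_name

# Constructed scenarios: (name the client connects to, DNS names in cert, IP SANs)
SCENARIOS = [
    ("dc1.domain.local",  ["dc1.domain.local"], []),   # LAN test from the thread
    ("gateway.domain.be", ["dc1.domain.local"], []),   # internal-only cert, external name
    ("gateway.domain.be", ["gateway.domain.be"], []),
    ("gateway.domain.be", ["*.domain.be"], []),
    ("203.0.113.10",      ["203.0.113.10"], []),       # IP placed in a DNS-name field
]

def run_scenarios():
    return [(c, check_gateway_name(c, d, i)) for c, d, i in SCENARIOS]

if __name__ == "__main__":
    for connect_name, (ok, reason) in run_scenarios():
        print(f"{connect_name:20} {'OK  ' if ok else 'FAIL'} {reason}")
```

A passing name check only covers the subject; a self-signed certificate must still be trusted on the client, as the answer above notes.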

Author

Commented:
Thanks for the practical information Vahid.
I also noticed a probably wrong setup in the firewall: I forwarded port 443 to the remote gateway (static 1-1) while it should be redirected to port 3389.

Author

Commented:
Vahid, I could not make any changes today but I will continue on Monday and let you know.
Kind regards

Author

Commented:
I first created a certificate with gateway.domain.be and later a certificate with my WAN IP...
It does not work, unfortunately. There is now also an A record on the external DNS servers for gateway.domain.be. I use a second WAN IP address for the RD Gateway.
I have seen that the NAP was giving full access to the user authentication, so there is no problem with the policies.
I still don't understand how the hostname of the farm can be located from the internet, because you cannot enter the farm name in the RDP connection computer field?
I cannot find other information in the Event Viewer about RD Gateway for the moment.

Author

Commented:
The SSL bindings in IIS (on the RPC dirs) seem to be fine when changing the certificate.

Author

Commented:
Perhaps there is (also) an issue with my firewall setup. I forward TCP port 443 to the RD Gateway now; do I need more port forwarding rules?

Commented:
Let's troubleshoot the Gateway first to make sure that it works OK first before jumping to the farm. Can you connect to any other computer in your network using the gateway? If not, you'll have to troubleshoot your gateway setup first. Also for the gateway you'll only need the SSL port 443.

Here is a good link for Remote Desktop Gateway Setup just to double check if you're missing anything: http://sharepointgeorge.com/2009/remote-desktop-services-windows-2008-r2-part-2-gateway/

Author

Commented:
I am going to install the NLB feature (with the RD Session Broker role) and leave the RD Gateway scenario because I don't have time anymore to troubleshoot the issue.
Thank you for providing the information.

Are there some difficulties i need to pay attention about the setup from petri?

http://www.petri.co.il/forums/showthread.php?t=46911

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_27047487.html?sfQueryTermInfo=1+10+30+broker+desktop+ip+redirect+remot+wan