Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 809
  • Last Modified:

Remote Desktop Services 2012

We have set up a Remote Desktop Server.  It is 2012r2.  I have the cert working on it for the remote address and all works fine.  However, when I go through Web Access to open published apps, it is trying to open the local server name.  You can see from Screen shot 1 that I attached. incorrect server When I tell it to connect, I get an error on this stating that the name in cert doesn't match. Error I know this because my internal server has different name then FQDN.  However, you can't get a trusted cert for an internal server(domain) anymore or I would have purchased a UCC and solved this.  Now, I have looked all over and I can't find a solution.  I see many have this error, but nobody knows how to resolve it.  If I could somehow change the RD Web Access server address to match my FQDN, this would be great.  I already have the Internal and External DNS set up, I just need to know how to do this.  Now, to save some time, understand that 2008 RDS and 2012 RDS are totally different in regards to how you configure and the tools to configure.  So, if you have no experience with this on 2012 server, please don't respond since that was 90% of the posts I came across on the web.  Thanks for your help in advance.
0
jruskey
Asked:
jruskey
  • 3
  • 3
1 Solution
 
Cliff GaliherCommented:
There is actually no difference between 2008 and 2012 in this regard. Yes the setup and management screens are quite different, but the underlying logic remains unchanged. And yes, I've done this reliably with both.

You have a couple of choices:

1) Use private names (such as .local) and issue certs from a local CA with the appropriate name. For this to work, you must also distribute the trusted root from your local CA to users who will be connecting from non-domain machines.

The pros is that this is easy to set up, and for many corporations that use corporate issues laptops or have some sort of MDM management in place and only allow BYOD devices to connect after being authorized via MDM, this is a non-issue. It works because the certificate name matches the machine name and the certificate chain is trusted.

The cons are that it does require MDM, a more formal BYOD policy, or limited access from corporate resources, such as domain-joined laptops. That is more infrastructure and a bit of a learning curve if you don't have IT staff familiar with the process.

2) Your second option is to make sure your published apps and machines via RDWeb all use the public name you've chosen for your certificate. This type of setup usually requires some sort of split-DNS setup as well so the gateway server can find the back-end connections without using public DNS.

The pros is that this lets you use public names and certificates, can be accessed from any machine including kiosks or machines in hotel business centers, and requires less administrative work.

The cons are that this can be more difficult to secure and is more prone to brute-force attempts, as well as requires a bit more knowledge of DNS and can be complicated to diagnose problems.

----

Both have merits. I prefer some level of access management, so in general I recommend the former. If people *really* need remote access then they should have a device they can use or that is issued. However there are some clients and business cases where true universal roaming fits better, so the second option is definitely worth mentioning in that scenario.

Hope that helps.

-Cliff
0
 
jruskeyAuthor Commented:
Can you accomplish scenario 2 with a single server?  If so, can you tell me how to accomplish this?  I do have internally a dns entry for both internal and external going to the same location.  So, I could make it work.  However, I don't know how to get the app to publish with the external name. Thanks.
0
 
Thomas UCommented:
I would say you just use a SAN / UCC Certificate. with that you can add internal names.

cheers
Thomas
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
jruskeyAuthor Commented:
You can't add internal names any more to UCC Certs.  

http://www.digicert.com/internal-names.htm?SSAID=314743
0
 
Cliff GaliherCommented:
If by single server in the entire environment, the I'd say no. Running the session host on a domain controller is a very bad idea, and running a session host without Active Directory is difficult (near impossible) to administer. That is a significant change from earlier versions of Windows.

But as far as colocating various RDS roles, sure, that can be done. I'd personally prefer to spread them out. Since users have access to the RDSH server, I am not a fan of colocating roles with that particular role. So licensing can go on the DC, for example. The gateway provides some semblance of separation, so I prefer that to be an edge server (DMZ, whatever you prefer for terminology) and the broker can colocate there as well if desired.

At any rate, I prefer 2 - 3 server setups. And with 2012 virtualization rights, that isn't a significant hurdle anymore.

-Cliff
0
 
jruskeyAuthor Commented:
You state -

Your second option is to make sure your published apps and machines via RDWeb all use the public name you've chosen for your certificate. This type of setup usually requires some sort of split-DNS setup as well so the gateway server can find the back-end connections without using public DNS.


How do you get your publish apps to you a public name instead of the internal name?  That is the problem I am having.
0
 
Cliff GaliherCommented:
You do this by using the public name of the server when setting up  or changing the RDS environment itself. In 2012 in server manager, you definte the various servers. Simply add (or rename) the RDSH server using the public name. Then the remoteapp wizard will create the .rdp files that are published to RDWeb using that name.

-Cliff
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now