Solved

Remote Desktop Services 2012

Posted on 2013-10-28
Last Modified: 2013-11-14
We have set up a Remote Desktop Server. It is 2012 R2. I have the cert working on it for the remote address and all works fine. However, when I go through Web Access to open published apps, it is trying to open the local server name. You can see from Screenshot 1 that I attached. [Screenshot 1: incorrect server] When I tell it to connect, I get an error on this stating that the name in the cert doesn't match. [Screenshot 2: error] I know this because my internal server has a different name than the FQDN. However, you can't get a trusted cert for an internal server (domain) anymore, or I would have purchased a UCC and solved this. Now, I have looked all over and I can't find a solution. I see many have this error, but nobody knows how to resolve it. If I could somehow change the RD Web Access server address to match my FQDN, this would be great. I already have the internal and external DNS set up; I just need to know how to do this. Now, to save some time, understand that 2008 RDS and 2012 RDS are totally different in regards to how you configure them and the tools you configure them with. So, if you have no experience with this on 2012 Server, please don't respond, since that was 90% of the posts I came across on the web. Thanks for your help in advance.
Question by: jruskey

7 Comments
 
Expert Comment by: Cliff Galiher (ID: 39608992)
There is actually no difference between 2008 and 2012 in this regard. Yes the setup and management screens are quite different, but the underlying logic remains unchanged. And yes, I've done this reliably with both.

You have a couple of choices:

1) Use private names (such as .local) and issue certs from a local CA with the appropriate name. For this to work, you must also distribute the trusted root from your local CA to users who will be connecting from non-domain machines.

The pro is that this is easy to set up, and for many corporations that use corporate-issued laptops or have some sort of MDM management in place and only allow BYOD devices to connect after being authorized via MDM, this is a non-issue. It works because the certificate name matches the machine name and the certificate chain is trusted.

The cons are that it does require MDM, a more formal BYOD policy, or limited access from corporate resources, such as domain-joined laptops. That is more infrastructure and a bit of a learning curve if you don't have IT staff familiar with the process.

2) Your second option is to make sure your published apps and machines via RDWeb all use the public name you've chosen for your certificate. This type of setup usually requires some sort of split-DNS setup as well so the gateway server can find the back-end connections without using public DNS.

The pros are that this lets you use public names and certificates, can be accessed from any machine, including kiosks or machines in hotel business centers, and requires less administrative work.

The cons are that this can be more difficult to secure and is more prone to brute-force attempts, requires a bit more knowledge of DNS, and can be complicated to diagnose problems with.

----

Both have merits. I prefer some level of access management, so in general I recommend the former. If people *really* need remote access then they should have a device they can use or that is issued. However there are some clients and business cases where true universal roaming fits better, so the second option is definitely worth mentioning in that scenario.

Hope that helps.

-Cliff

Author Comment by: jruskey (ID: 39609750)
Can you accomplish scenario 2 with a single server?  If so, can you tell me how to accomplish this?  I do have internally a dns entry for both internal and external going to the same location.  So, I could make it work.  However, I don't know how to get the app to publish with the external name. Thanks.

Expert Comment by: Peter Steger (ID: 39614393)
I would say you just use a SAN/UCC certificate. With that you can add internal names.

cheers
Thomas

Author Comment by: jruskey (ID: 39615207)
You can't add internal names to UCC certs anymore.

http://www.digicert.com/internal-names.htm?SSAID=314743

Expert Comment by: Cliff Galiher (ID: 39615222)
If by single server you mean the entire environment, then I'd say no. Running the session host on a domain controller is a very bad idea, and running a session host without Active Directory is difficult (near impossible) to administer. That is a significant change from earlier versions of Windows.

But as far as colocating various RDS roles, sure, that can be done. I'd personally prefer to spread them out. Since users have access to the RDSH server, I am not a fan of colocating roles with that particular role. So licensing can go on the DC, for example. The gateway provides some semblance of separation, so I prefer that to be an edge server (DMZ, whatever you prefer for terminology) and the broker can colocate there as well if desired.

At any rate, I prefer 2 - 3 server setups. And with 2012 virtualization rights, that isn't a significant hurdle anymore.

-Cliff

Author Comment by: jruskey (ID: 39615232)
You state -

Your second option is to make sure your published apps and machines via RDWeb all use the public name you've chosen for your certificate. This type of setup usually requires some sort of split-DNS setup as well so the gateway server can find the back-end connections without using public DNS.


How do you get your published apps to use a public name instead of the internal name? That is the problem I am having.

Accepted Solution by: Cliff Galiher (earned 500 total points, ID: 39615276)
You do this by using the public name of the server when setting up or changing the RDS environment itself. In 2012, in Server Manager, you define the various servers. Simply add (or rename) the RDSH server using the public name. Then the RemoteApp wizard will create the .rdp files that are published to RDWeb using that name.

-Cliff
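
The mismatch described in the question (the published .rdp file carries the internal host name, while the host presents a certificate issued for the public FQDN) can be checked directly rather than by clicking through the error. The following PowerShell script is an added example, not code from this thread, from Microsoft or from Experts Exchange. It reads an .rdp file saved from RD Web Access, connects to the host named in "full address" (and to "gatewayhostname" when present), captures the TLS certificate each one presents, and reports whether the name the client will use appears in that certificate's Subject CN or SAN DNS entries. If Cliff's accepted fix has been applied (RDSH added under its public name), "full address" and the certificate names should agree. Assumptions: the file path C:\temp\app.rdp is a placeholder; the session host listens on TCP 3389 and negotiates TLS or CredSSP through the standard X.224 Connection Request/Confirm exchange that precedes the TLS handshake on RDP; the gateway listens on 443 with plain TLS; and the SAN extension is parsed from .NET's English-locale "DNS Name=" formatting.

```powershell
# Added example (not from the thread): verify that the host name an RDWeb-published
# .rdp file points at is actually on the TLS certificate that host presents.
# Assumptions: C:\temp\app.rdp is a placeholder path; RDSH on 3389 (TLS/NLA
# negotiated via X.224), RD Gateway on 443 (plain TLS); English-locale .NET SAN text.
param([string]$RdpPath = 'C:\temp\app.rdp')

# Parse "name:type:value" lines of an .rdp file into a hashtable.
# Names may contain spaces ("full address") and values may contain colons.
function Read-RdpFile {
    param([string]$Path)
    $props = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^(?<name>[^:]+):(?<type>[sib]):(?<value>.*)$') {
            $props[$Matches.name.Trim()] = $Matches.value.Trim()
        }
    }
    return $props
}

# RDP does not begin with TLS. The client first sends an X.224 Connection Request
# carrying RDP_NEG_REQ (requestedProtocols = TLS | CredSSP). Only after the server's
# Connection Confirm does the TLS handshake start on the same socket (MS-RDPBCGR).
function Get-TlsCertificate {
    param([string]$HostName, [int]$Port, [switch]$RdpNegotiate)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $stream = $tcp.GetStream()
        if ($RdpNegotiate) {
            # TPKT(4) + X.224 CR(7) + RDP_NEG_REQ(8): type 0x01, length 8, protocols 0x03
            [byte[]]$req = 0x03,0x00,0x00,0x13, 0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,
                           0x01,0x00,0x08,0x00, 0x03,0x00,0x00,0x00
            $stream.Write($req, 0, $req.Length)
            $rsp  = New-Object byte[] 19
            $read = $stream.Read($rsp, 0, $rsp.Length)
            # Byte 11 is the negotiation type: 0x02 = RDP_NEG_RSP, 0x03 = RDP_NEG_FAILURE,
            # a shorter reply means legacy RDP security with no TLS at all.
            if ($read -lt 19 -or $rsp[11] -ne 0x02) {
                throw "${HostName}:$Port did not negotiate TLS/CredSSP (reply type 0x$('{0:x2}' -f $rsp[11]))"
            }
        }
        # Accept any certificate: the point is to inspect its names, not to trust it.
        $ssl = New-Object System.Net.Security.SslStream($stream, $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    }
    finally { $tcp.Close() }
}

# Names a client will compare against: Subject CN plus every DNS entry in the SAN.
function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format() output is locale-dependent; "DNS Name=" is the English form (assumption).
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return @($names | Select-Object -Unique)
}

# Exact match, or a single left-most wildcard label ("*.example.com" covers
# "rds.example.com" but not "a.b.example.com" or "example.com").
function Test-NameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }          # -eq on strings is case-insensitive
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                    # ".example.com"
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $prefix = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($prefix -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

$rdp = Read-RdpFile -Path $RdpPath
$targets = @()
if ($rdp['full address']) {
    $parts = $rdp['full address'] -split ':'             # "host" or "host:port"
    $port  = if ($parts.Count -gt 1) { [int]$parts[1] } else { 3389 }
    $targets += @{ Name = $parts[0]; Port = $port; Rdp = $true }
}
if ($rdp['gatewayhostname']) {
    $targets += @{ Name = $rdp['gatewayhostname']; Port = 443; Rdp = $false }
}

foreach ($t in $targets) {
    $cert  = Get-TlsCertificate -HostName $t.Name -Port $t.Port -RdpNegotiate:($t.Rdp)
    $names = Get-CertificateDnsNames -Cert $cert
    [pscustomobject]@{
        Target      = "$($t.Name):$($t.Port)"
        Issuer      = $cert.Issuer
        CertNames   = ($names -join ', ')
        NameMatches = (Test-NameMatch -HostName $t.Name -CertNames $names)
    }
}
```

Run it on the client that gets the error, with the .rdp file downloaded from RDWeb. NameMatches = False for the "full address" row with an internal name such as rdsh.corp.local and a CertNames list containing only the public FQDN is exactly the condition behind the "name in cert doesn't match" dialog; after re-adding the session host under its public name in Server Manager, the regenerated .rdp file's "full address" should appear in CertNames and the row should flip to True. The validation callback deliberately returns $true for every certificate, so this script must never be adapted into a production client; it exists only to print what the server presents.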