jruskey asked:
Remote Desktop Services 2012

We have set up a Remote Desktop Server. It is 2012 R2. I have the cert working on it for the remote address and all works fine. However, when I go through Web Access to open published apps, it is trying to open the local server name. You can see this from Screen shot 1 that I attached. When I tell it to connect, I get an error stating that the name in the cert doesn't match. I know this is because my internal server has a different name than the FQDN. However, you can't get a trusted cert for an internal server (domain) anymore, or I would have purchased a UCC and solved this. Now, I have looked all over and I can't find a solution. I see many have this error, but nobody knows how to resolve it. If I could somehow change the RD Web Access server address to match my FQDN, this would be great. I already have the Internal and External DNS set up; I just need to know how to do this. Now, to save some time, understand that 2008 RDS and 2012 RDS are totally different in regards to how you configure and the tools to configure. So, if you have no experience with this on 2012 server, please don't respond, since that was 90% of the posts I came across on the web. Thanks for your help in advance.
Cliff Galiher:

There is actually no difference between 2008 and 2012 in this regard. Yes the setup and management screens are quite different, but the underlying logic remains unchanged. And yes, I've done this reliably with both.

You have a couple of choices:

1) Use private names (such as .local) and issue certs from a local CA with the appropriate name. For this to work, you must also distribute the trusted root from your local CA to users who will be connecting from non-domain machines.

The pros are that this is easy to set up, and for many corporations that use corporate-issued laptops or have some sort of MDM management in place and only allow BYOD devices to connect after being authorized via MDM, this is a non-issue. It works because the certificate name matches the machine name and the certificate chain is trusted.

The cons are that it does require MDM, a more formal BYOD policy, or limited access from corporate resources, such as domain-joined laptops. That is more infrastructure and a bit of a learning curve if you don't have IT staff familiar with the process.

2) Your second option is to make sure your published apps and machines via RDWeb all use the public name you've chosen for your certificate. This type of setup usually requires some sort of split-DNS setup as well so the gateway server can find the back-end connections without using public DNS.

The pros are that this lets you use public names and certificates, can be accessed from any machine including kiosks or machines in hotel business centers, and requires less administrative work.

The cons are that this can be more difficult to secure and is more prone to brute-force attempts, requires a bit more knowledge of DNS, and problems can be complicated to diagnose.

----

Both have merits. I prefer some level of access management, so in general I recommend the former. If people *really* need remote access then they should have a device they can use or that is issued. However there are some clients and business cases where true universal roaming fits better, so the second option is definitely worth mentioning in that scenario.

Hope that helps.

-Cliff
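One way to carry out the second option above (published name equals the public certificate name, with split DNS pointing that name at the internal address), as an added example that is not from this thread or its participants. It assumes an elevated Windows PowerShell session on the RD Connection Broker with the RemoteDesktop module, placeholder host names and addresses, and the Win32_RDMSDeploymentSettings WMI class whose DeploymentRedirectorServer property holds the name RD Web Access writes into the .rdp files it publishes (the same property Microsoft's Set-RDPublishedName.ps1 script changes).

```powershell
# Added example, not from this thread. Assumes the RemoteDesktop module on the broker,
# placeholder names below, and that DeploymentRedirectorServer (WMI class
# Win32_RDMSDeploymentSettings, namespace root\cimv2\rdms) is the name RD Web Access
# publishes in its .rdp files. That name must appear on the deployment's certificate.
Import-Module RemoteDesktop

$Broker     = "rdcb01.corp.local"    # placeholder: internal broker name
$PublicName = "remote.example.com"   # placeholder: name on the public certificate
$InternalIP = "10.0.0.25"            # placeholder: address the internal (split) zone must return

# 1. Split-DNS check: inside the network the public name must resolve to the internal
#    address, otherwise the clients would try to reach the broker via the public address.
$a = Resolve-DnsName -Name $PublicName -Type A -ErrorAction Stop |
     Where-Object { $_.Type -eq 'A' }
if ($a.IPAddress -notcontains $InternalIP) {
    throw "Split DNS not in place: $PublicName resolves to $($a.IPAddress -join ', ')"
}

# 2. Read the name currently published; this is what the .rdp files carry today
#    (the internal server name in the asker's case, hence the certificate mismatch).
$wmi = Get-WmiObject -Namespace root\cimv2\rdms -Class Win32_RDMSDeploymentSettings `
                     -ComputerName $Broker
$current = $wmi.GetStringProperty("DeploymentRedirectorServer").Value
Write-Host "Published name before: $current"

# 3. Change it only if it differs, so published apps use the certificate's public name.
if ($current -ne $PublicName) {
    $r = $wmi.SetStringProperty("DeploymentRedirectorServer", $PublicName)
    if ($r.ReturnValue -ne 0) { throw "SetStringProperty failed, return code $($r.ReturnValue)" }
    $now = $wmi.GetStringProperty("DeploymentRedirectorServer").Value
    Write-Host "Published name now   : $now"
}

# 4. Confirm which certificate each deployment role is using, so the published name
#    and the names on the certificate can be compared before users reconnect.
Get-RDCertificate -ConnectionBroker $Broker | Format-List Role, Level, IssuedTo, ExpiresOn
```

Users need to download fresh .rdp files from RD Web Access after the change; the gateway address clients are told to use is a separate setting (Set-RDDeploymentGatewayConfiguration) and must also carry the public name.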
jruskey (asker):
Can you accomplish scenario 2 with a single server? If so, can you tell me how to accomplish this? I do have internally a DNS entry for both internal and external going to the same location. So, I could make it work. However, I don't know how to get the app to publish with the external name. Thanks.
I would say you just use a SAN / UCC certificate. With that you can add internal names.

cheers
Thomas
jruskey (asker):
You can't add internal names any more to UCC Certs.

http://www.digicert.com/internal-names.htm?SSAID=314743
If you mean a single server in the entire environment, then I'd say no. Running the session host on a domain controller is a very bad idea, and running a session host without Active Directory is difficult (near impossible) to administer. That is a significant change from earlier versions of Windows.

But as far as colocating various RDS roles, sure, that can be done. I'd personally prefer to spread them out. Since users have access to the RDSH server, I am not a fan of colocating roles with that particular role. So licensing can go on the DC, for example. The gateway provides some semblance of separation, so I prefer that to be an edge server (DMZ, whatever you prefer for terminology) and the broker can colocate there as well if desired.

At any rate, I prefer 2 - 3 server setups. And with 2012 virtualization rights, that isn't a significant hurdle anymore.

-Cliff
jruskey (asker):
You state:

Your second option is to make sure your published apps and machines via RDWeb all use the public name you've chosen for your certificate. This type of setup usually requires some sort of split-DNS setup as well so the gateway server can find the back-end connections without using public DNS.

How do you get your published apps to use a public name instead of the internal name? That is the problem I am having.
ASKER CERTIFIED SOLUTION
Cliff Galiher