Solved

Remote Desktop Services 2012

Posted on 2013-10-28
7
788 Views
Last Modified: 2013-11-14
We have set up a Remote Desktop Server. It is 2012 R2. I have the cert working on it for the remote address and all works fine. However, when I go through Web Access to open published apps, it is trying to open the local server name. You can see this from screenshot 1 that I attached [screenshot: incorrect server]. When I tell it to connect, I get an error stating that the name in the cert doesn't match [screenshot: error]. I know this is because my internal server has a different name than the FQDN. However, you can't get a trusted cert for an internal server (domain) anymore, or I would have purchased a UCC and solved this. Now, I have looked all over and I can't find a solution. I see many have this error, but nobody knows how to resolve it. If I could somehow change the RD Web Access server address to match my FQDN, this would be great. I already have the internal and external DNS set up; I just need to know how to do this. Now, to save some time, understand that 2008 RDS and 2012 RDS are totally different in regards to how you configure them and the tools you configure them with. So, if you have no experience with this on 2012 server, please don't respond, since that was 90% of the posts I came across on the web. Thanks for your help in advance.
0
Comment
Question by:jruskey
7 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39608992
There is actually no difference between 2008 and 2012 in this regard. Yes the setup and management screens are quite different, but the underlying logic remains unchanged. And yes, I've done this reliably with both.

You have a couple of choices:

1) Use private names (such as .local) and issue certs from a local CA with the appropriate name. For this to work, you must also distribute the trusted root from your local CA to users who will be connecting from non-domain machines.

The pro is that this is easy to set up, and for many corporations that use corporate-issued laptops or have some sort of MDM management in place and only allow BYOD devices to connect after being authorized via MDM, this is a non-issue. It works because the certificate name matches the machine name and the certificate chain is trusted.

The cons are that it does require MDM, a more formal BYOD policy, or limited access from corporate resources, such as domain-joined laptops. That is more infrastructure and a bit of a learning curve if you don't have IT staff familiar with the process.

2) Your second option is to make sure your published apps and machines via RDWeb all use the public name you've chosen for your certificate. This type of setup usually requires some sort of split-DNS setup as well so the gateway server can find the back-end connections without using public DNS.

The pros are that this lets you use public names and certificates, can be accessed from any machine including kiosks or machines in hotel business centers, and requires less administrative work.

The cons are that this can be more difficult to secure and is more prone to brute-force attempts, requires a bit more knowledge of DNS, and can be complicated to diagnose when problems occur.

----

Both have merits. I prefer some level of access management, so in general I recommend the former. If people *really* need remote access then they should have a device they can use or that is issued. However there are some clients and business cases where true universal roaming fits better, so the second option is definitely worth mentioning in that scenario.

Hope that helps.

-Cliff
0
 
LVL 1

Author Comment

by:jruskey
ID: 39609750
Can you accomplish scenario 2 with a single server?  If so, can you tell me how to accomplish this?  I do have internally a dns entry for both internal and external going to the same location.  So, I could make it work.  However, I don't know how to get the app to publish with the external name. Thanks.
0
 

Expert Comment

by:Peter Steger
ID: 39614393
I would say you just use a SAN / UCC certificate. With that you can add internal names.

cheers
Thomas
0
 
LVL 1

Author Comment

by:jruskey
ID: 39615207
You can't add internal names any more to UCC Certs.  

http://www.digicert.com/internal-names.htm?SSAID=314743
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 39615222
If by single server you mean in the entire environment, then I'd say no. Running the session host on a domain controller is a very bad idea, and running a session host without Active Directory is difficult (near impossible) to administer. That is a significant change from earlier versions of Windows.

But as far as colocating various RDS roles, sure, that can be done. I'd personally prefer to spread them out. Since users have access to the RDSH server, I am not a fan of colocating roles with that particular role. So licensing can go on the DC, for example. The gateway provides some semblance of separation, so I prefer that to be an edge server (DMZ, whatever you prefer for terminology) and the broker can colocate there as well if desired.

At any rate, I prefer 2 - 3 server setups. And with 2012 virtualization rights, that isn't a significant hurdle anymore.

-Cliff
0
 
LVL 1

Author Comment

by:jruskey
ID: 39615232
You state -

Your second option is to make sure your published apps and machines via RDWeb all use the public name you've chosen for your certificate. This type of setup usually requires some sort of split-DNS setup as well so the gateway server can find the back-end connections without using public DNS.


How do you get your published apps to use a public name instead of the internal name? That is the problem I am having.
0
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 39615276
You do this by using the public name of the server when setting up or changing the RDS environment itself. In 2012, in Server Manager, you define the various servers. Simply add (or rename) the RDSH server using the public name. Then the RemoteApp wizard will create the .rdp files that are published to RDWeb using that name.

-Cliff
0
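The accepted solution above (and Cliff's second option earlier in the thread) comes down to one verifiable condition: every host name inside the published .rdp files must be covered by the certificate the client will see. The script below is an added example, not code from this thread or from Microsoft; it parses the `key:type:value` lines of a .rdp file, pulls the host-naming keys (`full address`, `alternate full address`, `gatewayhostname`), and checks each against a certificate's subject alternative names using RFC 6125 wildcard rules. It also flags names a public CA will not issue for (the CA/Browser Forum stopped internal-name issuance as of 1 November 2015), which is the situation the DigiCert link describes. The .rdp contents, host names and SAN list are constructed for the example; the internal-name suffix list is a heuristic, not an authoritative registry.

```python
"""Check the server names in RemoteApp .rdp files against a certificate's SANs.

Added example: the .rdp text, host names and SAN list below are constructed
(hypothetical), and the internal-name suffix list is a heuristic.
"""
import ipaddress

# .rdp keys that name a host the client connects to; each of these hosts must
# be covered by the TLS certificate presented on that connection.
HOST_KEYS = ("full address", "alternate full address", "gatewayhostname")

# Heuristic list of suffixes public CAs will not issue certificates for.
INTERNAL_SUFFIXES = (".local", ".localdomain", ".internal", ".lan", ".corp", ".home")


def parse_rdp(text):
    """Parse 'key:type:value' lines (type s=string, i=integer, b=binary) into
    a dict keyed by the lower-cased setting name. Malformed lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep1, rest = line.partition(":")
        typ, sep2, value = rest.partition(":")
        if not sep1 or not sep2 or typ not in ("s", "i", "b"):
            continue
        settings[key.strip().lower()] = value
    return settings


def strip_port(address):
    """'host:3389' -> 'host'. Bare IP literals (including IPv6) are returned as-is."""
    try:
        ipaddress.ip_address(address)
        return address
    except ValueError:
        pass
    host, _, port = address.rpartition(":")
    if host and port.isdigit():
        return host
    return address


def san_matches(san, host):
    """RFC 6125 style: a wildcard covers exactly one label and only in the
    leftmost position, so '*.example.com' matches 'rds.example.com' but not
    'example.com' or 'a.b.example.com'. Comparison is case-insensitive."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # '.example.com'
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return san == host


def is_internal_name(host):
    """Heuristic: single-label names, reserved suffixes, and private IPs."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        pass
    h = host.lower().rstrip(".")
    return "." not in h or any(h.endswith(s) for s in INTERNAL_SUFFIXES)


def check_rdp(text, cert_sans):
    """Return (key, host, verdict) for every host-naming key in the file.
    verdict is 'ok', 'mismatch', or 'mismatch-internal' (no public CA will fix it)."""
    settings = parse_rdp(text)
    results = []
    for key in HOST_KEYS:
        value = settings.get(key)
        if not value:
            continue
        host = strip_port(value)
        if any(san_matches(san, host) for san in cert_sans):
            verdict = "ok"
        elif is_internal_name(host):
            verdict = "mismatch-internal"
        else:
            verdict = "mismatch"
        results.append((key, host, verdict))
    return results


# Constructed sample: what RDWeb publishes when the session host was added to
# the deployment under its internal name. The signature covers the fields in
# signscope, so hand-editing the file is not a fix; the name must be changed in
# the deployment so the wizard re-publishes and re-signs the file.
RDP_INTERNAL = """\
full address:s:RDSH01.corp.local
alternate full address:s:RDSH01.corp.local
gatewayhostname:s:remote.example.com
remoteapplicationmode:i:1
remoteapplicationprogram:s:||wordpad
remoteapplicationname:s:WordPad
signscope:s:Full Address,Alternate Full Address,GatewayHostname,RemoteApplicationProgram
signature:s:<base64 signature omitted in this constructed sample>
"""
# The same file after the RDSH was (re)defined under the public name.
RDP_PUBLIC = RDP_INTERNAL.replace("RDSH01.corp.local", "remote.example.com")
CERT_SANS = ["remote.example.com"]  # constructed: the purchased certificate's SANs

if __name__ == "__main__":
    for label, rdp in (("internal name", RDP_INTERNAL), ("public name", RDP_PUBLIC)):
        print(label)
        for key, host, verdict in check_rdp(rdp, CERT_SANS):
            print(f"  {key:<24} {host:<22} {verdict}")
```

Run it against a .rdp file downloaded from RDWeb (the files are served from the RDWeb site, one per published app) and the certificate's SAN list; a `mismatch-internal` verdict means no purchasable certificate will ever satisfy the client, so the only fixes are the two the thread lays out: an internal CA whose root is distributed to the clients, or defining the session host under the public name with split DNS so the name resolves both inside and outside.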
