Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Remote Desktop Services 2012

Posted on 2013-10-28
7
Medium Priority
?
800 Views
Last Modified: 2013-11-14
We have set up a Remote Desktop Server.  It is 2012r2.  I have the cert working on it for the remote address and all works fine.  However, when I go through Web Access to open published apps, it is trying to open the local server name.  You can see from Screen shot 1 that I attached. incorrect server When I tell it to connect, I get an error on this stating that the name in cert doesn't match. Error I know this because my internal server has different name then FQDN.  However, you can't get a trusted cert for an internal server(domain) anymore or I would have purchased a UCC and solved this.  Now, I have looked all over and I can't find a solution.  I see many have this error, but nobody knows how to resolve it.  If I could somehow change the RD Web Access server address to match my FQDN, this would be great.  I already have the Internal and External DNS set up, I just need to know how to do this.  Now, to save some time, understand that 2008 RDS and 2012 RDS are totally different in regards to how you configure and the tools to configure.  So, if you have no experience with this on 2012 server, please don't respond since that was 90% of the posts I came across on the web.  Thanks for your help in advance.
0
Comment
Question by:jruskey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39608992
There is actually no difference between 2008 and 2012 in this regard. Yes the setup and management screens are quite different, but the underlying logic remains unchanged. And yes, I've done this reliably with both.

You have a couple of choices:

1) Use private names (such as .local) and issue certs from a local CA with the appropriate name. For this to work, you must also distribute the trusted root from your local CA to users who will be connecting from non-domain machines.

The pros is that this is easy to set up, and for many corporations that use corporate issues laptops or have some sort of MDM management in place and only allow BYOD devices to connect after being authorized via MDM, this is a non-issue. It works because the certificate name matches the machine name and the certificate chain is trusted.

The cons are that it does require MDM, a more formal BYOD policy, or limited access from corporate resources, such as domain-joined laptops. That is more infrastructure and a bit of a learning curve if you don't have IT staff familiar with the process.

2) Your second option is to make sure your published apps and machines via RDWeb all use the public name you've chosen for your certificate. This type of setup usually requires some sort of split-DNS setup as well so the gateway server can find the back-end connections without using public DNS.

The pros is that this lets you use public names and certificates, can be accessed from any machine including kiosks or machines in hotel business centers, and requires less administrative work.

The cons are that this can be more difficult to secure and is more prone to brute-force attempts, as well as requires a bit more knowledge of DNS and can be complicated to diagnose problems.

----

Both have merits. I prefer some level of access management, so in general I recommend the former. If people *really* need remote access then they should have a device they can use or that is issued. However there are some clients and business cases where true universal roaming fits better, so the second option is definitely worth mentioning in that scenario.

Hope that helps.

-Cliff
0
 
LVL 1

Author Comment

by:jruskey
ID: 39609750
Can you accomplish scenario 2 with a single server?  If so, can you tell me how to accomplish this?  I do have internally a dns entry for both internal and external going to the same location.  So, I could make it work.  However, I don't know how to get the app to publish with the external name. Thanks.
0
 
LVL 2

Expert Comment

by:Thomas U
ID: 39614393
I would say you just use a SAN / UCC Certificate. with that you can add internal names.

cheers
Thomas
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 1

Author Comment

by:jruskey
ID: 39615207
You can't add internal names any more to UCC Certs.  

http://www.digicert.com/internal-names.htm?SSAID=314743
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39615222
If by single server in the entire environment, the I'd say no. Running the session host on a domain controller is a very bad idea, and running a session host without Active Directory is difficult (near impossible) to administer. That is a significant change from earlier versions of Windows.

But as far as colocating various RDS roles, sure, that can be done. I'd personally prefer to spread them out. Since users have access to the RDSH server, I am not a fan of colocating roles with that particular role. So licensing can go on the DC, for example. The gateway provides some semblance of separation, so I prefer that to be an edge server (DMZ, whatever you prefer for terminology) and the broker can colocate there as well if desired.

At any rate, I prefer 2 - 3 server setups. And with 2012 virtualization rights, that isn't a significant hurdle anymore.

-Cliff
0
 
LVL 1

Author Comment

by:jruskey
ID: 39615232
You state -

Your second option is to make sure your published apps and machines via RDWeb all use the public name you've chosen for your certificate. This type of setup usually requires some sort of split-DNS setup as well so the gateway server can find the back-end connections without using public DNS.


How do you get your publish apps to you a public name instead of the internal name?  That is the problem I am having.
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 1500 total points
ID: 39615276
You do this by using the public name of the server when setting up  or changing the RDS environment itself. In 2012 in server manager, you definte the various servers. Simply add (or rename) the RDSH server using the public name. Then the remoteapp wizard will create the .rdp files that are published to RDWeb using that name.

-Cliff
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Like many organizations, your foray into cloud computing may have started with an ancillary or security service, like email spam and virus protection. For some, the first or second step into the cloud was moving email off-premise. For others, a clou…
Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question