RD Gateway and not being able to purchase SAN Certificates with internal domain names

I am looking for a solution to get around the problem of not being able to purchase a new Subject alternate name SSL certificate (SAN Certificate) that contain internal (not fully qualified) domain names. EG servername.internal.local

Currently I am using a number of TS Gateway setups (or RDS Gateway for those using the new lingo) and have SAN certificates with the public DNS name then with the internal server names listed for the servers that we are connecting to internally.  Now that the CA\Browser forum rules have come into affect CA's are not issuing certificates with internal DNS names.

The last thing I want to consider is changing the internal domain name and I don't want to use self signed certificates as a number of these are accessed by people that I do not control their desktops.

Does anyone have any ideas?  Is there a way to change Gateway services to not use the internal server name but an external name using DNS trickery?

Thanks in advance.
LVL 2
Dave_IT_FellowAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

 
JAN PAKULAICT Infranstructure ManagerCommented:
modify that


C:\Windows\system32\drivers\etc\hosts
you need to run the editor (eg. notepad) as administrator, which you do by locating it through the Start menu and then right clicking on the editor's icon, then manually open and edit the hosts file.

#      127.0.0.1       localhost
#      ::1             localhost

You can setup as many host names as you like all pointing to your localhost, each in most cases should be accessible with the ip, 127.0.0.1.

For example:

 127.0.0.1               local.project1
 127.0.0.1               local.project2
 127.0.0.1               youcanuseany.name.here


or like you said modify local domain to match external domain (i use that myself)  ans use Split DNS

http://www.youtube.com/watch?v=yPH02ZcfFtc
0
 
Dave_IT_FellowAuthor Commented:
Thanks for your reply,  but I have found the answer.  

My TS Farm settings needed to be externally resolvable (ts.domain.com instead of ts.domain.local),  then using a standard SSL Certificate it no long prompts with an error in the certificate name vs the server name.

This removed the requirement for needing a SAN certificate.
0

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
 
Dave_IT_FellowAuthor Commented:
I found the solution reading further forum posts saying that my TS farm name should be the same as my SSL certificate.

I tested this in a clean environment and the solution works perfectly using approved Microsoft methods.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.