Solved

Windows Server 2012 Remote Desktop Gateway Problem?

Posted on 2013-12-25
Last Modified: 2014-01-06
I configured RDS using the 2012 role wizard and I am able to connect via browser within the domain with no problem.  I can log in and run any published app with no problem.

(Screenshot: Login Page)
However, I get nothing at all when trying to connect using the FQDN from outside (i.e. the Internet).  

(Screenshot: From Internet)
The RD machine has been added to all RD groups.

The DefaultTSGateway has been set.

(Screenshot: DefaultTSGateway)
Everything else about the environment and network (everything is within a virtual Hyper-V LAN) is configured with out-of-the-box standard settings.  My intention is to get everything working before tweaking and putting it into production.

How to fix (make it accessible from internet)?

Thanks in advance for all help.
Question by:CPA_MCSE
LVL 6

Expert Comment

by:Brad Held
ID: 39739647
1) Does the DNS record exist in the external DNS zone?
2) Are you connecting via RDS Gateway on the default 3389 port?
3) Does the external router route to the RDS server, or is there port forwarding going on?
4) As the environment is built on Hyper-V, are the switches configured as external, and can the Internet be accessed from the server?

Author Comment

by:CPA_MCSE
ID: 39739746
1) Does the DNS record exist in the external DNS zone?

How would I verify this?

2) Are you connecting via RDS Gateway on the default 3389 port?

I did not change any ports, so yes.

3) Does the external router route to the RDS server, or is there port forwarding going on?

No.  The router is a basic setup.  Nothing fancy going on there.  Except...come to think of it...that router is connected to the internet via StrongVPN (OpenVPN protocol).  So, all that traffic is actually going through their VPN server.  The machines are physically outside the USA and I have it going through the VPN so that when users access the internet from within any machine, sites default to what would be seen from within the USA (msn.com, for example, would default to English and news from the USA rather than the language and news where the machines are physically located).

4) As the environment is built on Hyper-V, are the switches configured as external, and can the Internet be accessed from the server?

The switches are configured as external.  The internet can be accessed from the host server and the guest server.


...If #3 is the culprit, how would I go about making this all work?
LVL 35

Expert Comment

by:Mahesh
ID: 39739891
Port TCP 443 should be opened to allow HTTPS traffic from the client sitting on the Internet to the RD Gateway server.

You need to assign a public IP (minimum requirement) to the RD Gateway server so that you can access its URL via IP address.

If you want to access the RD Gateway server through a DNS name, then you must also create a public DNS host (A) record for the RD Gateway server in a registered DNS namespace.

Check the articles below for more information:
http://social.technet.microsoft.com/Forums/en-US/a241a5be-e39d-4dfc-a513-e4f83c4dc906/rd-gateway-ports-and-certificates?forum=winserverTS

http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

If you have a firewall/router, you can use NAT to map the public IP to the private IP of the RD Gateway server.

Mahesh

Author Comment

by:CPA_MCSE
ID: 39739973
I appreciate the advice.  I must admit my head is swirling with anxiety of things going wrong as I try to get my head around the many details.  So, to err on the side of caution until I feel more comfortable about doing as suggested (seems like a lot of decision points where I could err), I may just install TeamViewer on it and call it a day.  

I use it for support, anyway; and a quick test install seems to work just fine - including printing locally, clipboard, multiple simultaneous users, etc.

I will leave the question open for additional comments/suggestions another day or so before awarding points.  I am leaning towards TV, but if there is a better non-complex solution, I am all ears.

Author Comment

by:CPA_MCSE
ID: 39740900
Ok, so a chat with the friendly folks at TV regarding licensing makes that not a good solution.  So, I am back to trying to figure this one out.  Unfortunately, I am not up to speed on how to do everything proffered, but necessity is such that I need to brush up and get it done.

Any additional suggestions are welcomed.

bradheld, I am looking forward to your feedback regarding #3.

Mahesh, those are good links and I will try to step through them.  Before I do, I have to restate that the solutions suggested in those links presume the server(s)' traffic is not already going through a VPN.  In my case, all traffic goes through a 3rd party VPN solution because that affords the exit point in the USA.  I am thinking (but not sure) that is part of - if not all of - the problem.  I configured everything "by the book" and it might already work, otherwise.

Comment?
------

Another option on the table might be to have RDP01 go out on the local line (no VPN) and simply turn off IE and cmd.exe so they would not notice anything indicating where the server is physically.
LVL 6

Expert Comment

by:Brad Held
ID: 39740935
3) So does the website come up from one of the client machines via IP address, like https://192.168.1.2/rdweb? More than likely this will throw a certificate error, but it should connect.

Router connects via StrongVPN? Is that like a site-to-site VPN, or is that actually a connection to the Internet via some provider?

What is the IP address of the server? Is it on a private network like 10.x.x.x, 172.16.x.x or 192.168.x.x, or does it have a publicly routable address?

A network diagram might be helpful to figure out where the issue is.
From the client can you ping the server? If not can you do a tracert to the server.

If it works on the local server lan but not from outside, we just need to figure out where the breakdown is. What kind of router is the vpn being built from?

Author Comment

by:CPA_MCSE
ID: 39741137
It is a site-to-site VPN.   One of their public connection points is 68.68.32.76 (San Francisco).

I do not currently have access to diagram tools, but here is a simple explanation:

RDP01 is the RDS of Domain.com.  The FQDN is RDP01.vlan.domain.com.  RDS services are running on it including Remote Gateway.  It runs no other roles other than RDS roles required to present applications (i.e. no VDI).

Domain.com is a Hyper-V virtual lan running on a 2012 server.  The Hyper-v host server is a stand-alone server not joined to any domain.  It is named Boopsie.  

The PDC of domain.com is also the DNS server for domain.com.  All domain.com machines, including RDP01, are configured to use that DNS server and no other.

Boopsie has 2 physical NICs.  One connected to the VPN router and used exclusively by Domain.com.  It is named USALAN.  The other NIC is connected to the local router and used for normal traffic.  It is named HOMELAN.

HOMELAN is connected to the ISP.  USALAN is connected to HOMELAN, but runs OpenVPN to connect to StrongVPN's server at the aforementioned IP.  So, USALAN piggybacks on HOMELAN's connection to the ISP.  USALAN and HOMELAN are on different network segments.  USALAN is 192.168.10.xxx and HOMELAN is 192.168.1.xxx.

The IP address of HOMELAN is 202.134.31.12

The entry side of USALAN is 68.68.32.76 (the router connects to this IP)
The exit side of USALAN is 216.131.103.50 (per IPMonkey.com)

NOTE:  The names and IP addresses given are all fictitious and the final configuration will be tweaked for redundancies and whatnot after it is all working.
LVL 35

Expert Comment

by:Mahesh
ID: 39741373
Not sure how you want to access the server from the Internet: directly, or through the VPN tunnel only?

If you are trying to access the server through the VPN, since you are accessing it through a 3rd party and your AD domain is limited to guests on the Hyper-V host only (the Hyper-V server itself is in a workgroup), accessing the gateway server web page through its DNS name will most probably not work, because the name is limited to Hyper-V guests only.
Instead, you could try to access the gateway server through its IP address directly; that should work.
Probably you could set up a DNS zone at the ISP end in internal DNS (private network) and point it to the private IP of the gateway server.

If I refer to your question and assume you want to access it from the Internet directly, then you must publish it with a routable IP / DNS host name on the Internet.
Maybe the ISP can provision direct Internet access for the server using their infrastructure.
You should be able to telnet to the public IP / DNS name of the server on TCP 443 (SSL) in order to connect to it, and no additional ports are required from the Internet to the server.

Let me know if there is any misunderstanding or confusion please
 
Mahesh

Author Comment

by:CPA_MCSE
ID: 39741539
I would be happy to access  RDP01 from the internet either via USALAN or HOMELAN connection.  Either would be fine.

Getting the folks at my ISP to even understand creating an external DNS record to point to RDP01 would be pretty much impossible.  Getting them to actually do it (correctly) would be impossible.

So, now I am thinking maybe using a DynDNS client.  Thoughts?
LVL 35

Expert Comment

by:Mahesh
ID: 39741607
You can use the above tool, but you still require a public IP address.

Mahesh

Author Comment

by:CPA_MCSE
ID: 39743767
Your feedback got me to realize that I may be dealing with more firewalls than I'd thought:

1.  Router (USALAN)
2.  RDG (guest)
3.  Domain
4.  RDP01 (guest)

I removed the RDG role from RDP01 and created a new VM running only RDG.  I need to put that outside the Domain and behind the router, according to the diagrams in your link.  I will be tinkering again today.
LVL 35

Expert Comment

by:Mahesh
ID: 39743898
When there is no AD DS in the perimeter network, ideally the servers in the perimeter network should be in a workgroup, but the RD Gateway server has to be domain-joined because it has to authenticate and authorize corporate domain users and resources.

I believe you now have an exact understanding of the requirement.

I am not sure how to deal with / set up 3rd party VPN services; you can take help from the 3rd party VPN service vendor so that the RDG server can be accessed from the Internet directly / through the VPN.

Again, if you are fine with just accessing the RDG server URL with the public IP, then you don't need to register a domain name and host (A) record in public DNS.
This will also help if you want to access the RDG server with VPN over the Internet, since VPN providers are 3rd parties which may not be able to provide name resolution for the RDG server, which is part of the corporate Active Directory / DNS server on Hyper-V.

You need to open the AD authentication ports from the RDG server to the domain controller on Hyper-V. Also, you need to open up TCP 3389 from the RDG server to the internal terminal servers.

Please check the link in my 1st comment for complete details.

Mahesh

Author Comment

by:CPA_MCSE
ID: 39743997
When configuring RDG using the Windows 2012 wizard, does it not automagically open the required ports between RDG and the PDC and RDS?
LVL 35

Expert Comment

by:Mahesh
ID: 39744008
Only if a hardware firewall device exists between the RDG server and the domain controller and RDS (terminal servers) do you need to open up the above ports explicitly on the firewall; otherwise no action is required.

Mahesh

Author Comment

by:CPA_MCSE
ID: 39744226
Thank you for your continued feedback and patience as I tinker with this thing.  

So far, I re-discovered the USALAN router I am using is running DD-WRT and has a built-in client for DynDNS.  I need the service because StrongVPN assigns a new IP when that router reboots and re-connects.  

So, I bought a new domain name (much, much better name for users to remember, btw) from Godaddy (I get 50% off everything), created an account with DynDNS, moved the domain name to DynDNS, configured the DDNS client on DD-WRT, and fired it up.  I tested and was able to connect to the router (it requested router credentials).  So far, so good.  

So, I thought I just needed to open port 443 and forward it to RDG port 443 as per the link instructions.  I then realized I can't have port 443 going to just RDG because other devices also need port 443.  So, I opened USALAN router port 55443 and mapped that to RDG's port 443.

At this point I am thinking I need only connect from a browser using the URL and specifying port 55443.  

For example, https://newhosting.com:55443/RDWeb/

However, I get "This page cannot be displayed".

So, a bit more testing was in order.  I decided to test back-to-front.  I logged into RDG, launched a browser, and was able to connect to the RDP01 RDS login page.  So, that communication works.  The breakdown seems to be at the router.

Earlier, I had tested running the DynDNS software client on RDG, but I was prompted for router authentication.  So, I uninstalled the software client and used the router's DDNS client, and that does not seem to work, either.

Where am I going wrong?
LVL 35

Expert Comment

by:Mahesh
ID: 39744371
Since the RDG server URL is not configured to listen on a custom port (55443), that's why you are getting the error. In my view, it's not required.

It (RDG) allows authenticated and authorized remote users to securely connect to resources on an internal corporate or private network over the Internet. RD Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection.

If you are able to connect to the RDG server URL with the public FQDN (RDG.Publicdomain.com), this will allow you to connect to any internal terminal servers / infra servers through terminal services (RDP - TCP 3389) only. This will be applicable to any custom applications as well, to which you can connect through the RDP port only.
In short, you need to configure your custom applications as RemoteApps on the terminal servers if required.

You can't use the RDG server like a VPN to access the rest of the devices on different ports.

Please check point no. 4, "Firewall rule configurations required when RD Gateway is in the perimeter network", in the article in my earlier comment.
RDG can deal with the RDP protocol only.

Mahesh

Author Comment

by:CPA_MCSE
ID: 39752248
Ok, so I made extra doubly sure everything was setup correctly and found that my problem was not on the server side.  I needed to configure the RDP client properly.  That has been corrected.  

Now I only need to resolve this last (?) error (and it may have been there all along, but I did not think to try the Best Practice Analyzer before)  :)

(Screenshot: Best Practice Analyzer)
1.  Users will type login.domain1.net into a browser
2.  login.domain1.net is being forwarded to domain2.net
3.  domain2.net is the DynDNS client running on the router
4.  The router is forwarding port 443 to the RD Gateway server
5.  The RDG server has the SSL certificate for domain2.net installed on it, but its FQDN is actually RDG.vlan.domain1.com.

Before I purchased the SSL certificate, I discussed the above with the SSL certificate expert at length and was assured I needed a certificate for domain2.net because that is what users are going to type into the browser...

Thoughts?
 
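An added diagnostic (not from the thread) that walks steps 1 to 5 above the way an outside client would experience them: public DNS resolution of the name users type, TCP reachability of the forwarded port, the TLS handshake, and whether the gateway's certificate actually lists that name. The hostname, the port and the public resolver 8.8.8.8 are assumed placeholders.

```powershell
# Added example (not from the thread): checks the external path, step by step, as an
# Internet client would see it. Hostname, port and resolver are assumed placeholders.
param(
    [string]$PublicName = 'login.domain1.net',   # the name users type (step 1)
    [int]$Port = 443,                            # 55443 if the router maps a custom port
    [string]$PublicResolver = '8.8.8.8'          # a public resolver, not the domain's own DNS
)

# 1. Public DNS: does the name resolve outside the domain? (Resolve-DnsName ships with 2012.)
#    A CNAME chain (login.domain1.net -> domain2.net) is followed; only A records are kept.
$records = Resolve-DnsName -Name $PublicName -Type A -Server $PublicResolver -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' }
if (-not $records) { Write-Host "FAIL: no public A record for $PublicName"; return }
Write-Host ("OK: {0} -> {1}" -f $PublicName, ($records.IPAddress -join ', '))

# 2. TCP: is the forwarded port open? TcpClient is used because Test-NetConnection needs 2012 R2.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect($PublicName, $Port) }
catch { Write-Host "FAIL: TCP $Port not reachable (router forwarding or firewall)"; return }
Write-Host "OK: TCP $Port open"

# 3. TLS: does the gateway complete a handshake, and does its certificate cover the name typed?
#    The callback accepts any chain so an untrusted or mismatched certificate can still be inspected.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
try   { $ssl.AuthenticateAsClient($PublicName) }
catch { Write-Host "FAIL: TLS handshake: $($_.Exception.Message)"; $tcp.Close(); return }
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })    # names the certificate is valid for
Write-Host "Certificate subject: $($cert.Subject)"
Write-Host "Certificate names:   $($names -join ', ')"
if ($names -contains $PublicName) { Write-Host "OK: certificate covers $PublicName" }
else { Write-Host "MISMATCH: users type $PublicName but the certificate lists only the names above (wildcards not evaluated)" }
$ssl.Dispose(); $tcp.Close()
```

Run it from a machine outside the LAN; the first step that prints FAIL or MISMATCH is where the chain breaks.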
LVL 35

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 39752316
You could purchase a SAN certificate that includes domain1.net, domain2.net and RDG.vlan.domain1.com.

In case in future you change your forwarding addresses, you will not face any issues.

I guess the certificate needs to be 2048-bit key length with Server Authentication and Client Authentication as Enhanced Key Usage (typical SSL certificate).

You need to generate a custom cert request from the RDG server through the Certificates (personal) MMC snap-in and add all required DNS hostnames there as DNS names:
http://techontip.wordpress.com/2011/06/06/how-to-create-a-san-certificate-signing-request-for-iis-web-server/

Also, you need to check whether the DynDNS client requires any certificates.
Mahesh
 
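Following the accepted solution, an added example (not from the thread, and using certreq.exe with an INF file rather than the MMC snap-in it mentions) that generates the SAN request on the gateway with the 2048-bit key and the Server/Client Authentication EKUs described above. The three hostnames are the thread's placeholders (with login.domain1.net, the name users type, as the CN) and the file paths are assumed.

```powershell
# Added example (not from the thread): builds the SAN certificate request with certreq.
# Hostnames are the thread's placeholders; replace them with the real public and internal names.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=login.domain1.net"     ; the name users type into the browser (step 1)
KeyLength = 2048                     ; 2048-bit key, as the accepted answer suggests
KeySpec = 1                          ; AT_KEYEXCHANGE, required for TLS
KeyUsage = 0xA0                      ; digital signature + key encipherment
Exportable = TRUE                    ; allows moving the certificate to a rebuilt gateway
MachineKeySet = TRUE                 ; store the key in the computer store, not the user's
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1    ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2    ; Client Authentication

[Extensions]
; 2.5.29.17 is subjectAltName: every name a client may use to reach the gateway goes here
2.5.29.17 = "{text}"
_continue_ = "dns=login.domain1.net&"
_continue_ = "dns=domain2.net&"
_continue_ = "dns=RDG.vlan.domain1.com"
'@

$infPath = Join-Path $env:TEMP 'rdg-san.inf'   # assumed paths
$reqPath = Join-Path $env:TEMP 'rdg-san.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generates the key pair in the machine store and writes the PKCS#10 request to $reqPath.
# Submit the .req to the CA; once it returns the issued certificate, bind it with:
#   certreq -accept rdg-san.cer
certreq -new $infPath $reqPath
```

Run it in an elevated PowerShell on the RDG server itself so the private key is created in that machine's store, where the RD Gateway Manager can then select the issued certificate.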

Author Comment

by:CPA_MCSE
ID: 39754995
Ok, I am awaiting a refund for the single domain certificate and issuance of the SAN certificate as suggested.

Thanks for hanging in there with me as this gets resolved.

Author Comment

by:CPA_MCSE
ID: 39758902
Ok...

I am throwing in the towel trying to get this to work over the USALAN router.

I installed another virtual NIC onto the RDG and connected that to the HOMELAN router.  Reconfigured everything else accordingly including running the DDNS client on the HOMELAN router, fired it up, and everything worked first try.

Mahesh, I am giving you credit for the help you provided trying to get it to work over the USALAN router.  I will table it for now and revisit later this year...

Cheers!