HA RD ConnectionBroker/SessionHost SSL certificate issue

I'm trying to get proper certificates on the connection broker/session host server to avoid warnings on external clients connecting through RDWeb
Spent some time testing but got nowhere so far

Thanks,
Alex
D-Tech Consulting Asked:
MaheshArchitect Commented:
You only connect to the internal Connection Broker once a connection is established through the RD Gateway using valid credentials. Since your Connection Broker / session host servers are not exposed to the public and are part of the internal network, these errors are expected.

Previously, a simple resolution to this issue was to use a SAN certificate, which allowed you to add internal hostnames as SAN entries in public certs. But now this is not possible, as public CAs refuse to include internal hostnames in public certificates.

Hence the only workarounds are:
You could use split DNS so that the internal and external domain names are the same, and then you could use a wildcard / standard SSL SAN cert from a public CA for the session host and connection broker.
OR
You could use a wildcard cert / standard SSL SAN cert from an internal CA server on the session host and connection broker servers so that the cert errors can be resolved.
Check the excellent articles below on the same issue:
http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
Also, to set up certificates, check the article below:
http://www.concurrency.com/blog/rds8-gateway-and-certificates-on-windows-server-2012/

Hope that helps

Mahesh
0
 
MaheshArchitect Commented:
The SSL certificate you use for the RDWeb server must include the external FQDN of the RDWeb server in the subject (CN) or as a Subject Alternative Name (SAN) entry.
Also, if this is a certificate issued from an internal CA server, you must install the public key of the internal CA root certificate on client computers in their Trusted Root certificate store in order to avoid warning messages.
If an intermediate CA is also in the certificate chain, that cert also needs to be installed on client computers.

If this is a public certificate, then you probably will not face issues.

The same process as above applies to public certificates as well if there are any warnings.

Mahesh
0
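The two workarounds above (a SAN/wildcard cert from an internal CA, or from a public CA with split DNS, bound to the broker and session hosts, plus the root CA trusted on clients) as an added PowerShell example; this is not from the thread or from Microsoft's documentation. The broker name, PFX path and root CA file path are assumptions, and the PFX is assumed to already carry the broker/session-host names as SANs.

```powershell
# Added example, not from the original thread. Assumed values below.
Import-Module RemoteDesktop

$Broker  = 'rdcb.corp.example.com'   # assumption: HA broker client-access name
$PfxPath = 'C:\certs\rds-san.pfx'     # assumption: SAN/wildcard cert as PFX
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Show what each RDS role currently presents. A Level of 'Untrusted', or a
#    Subject/SAN that does not match the name clients are redirected to,
#    is exactly what produces the warning after the gateway hands over.
Get-RDCertificate -ConnectionBroker $Broker |
    Format-Table Role, Level, IssuedTo, Subject, ExpiresOn -AutoSize

# 2. Bind the SAN cert to the broker roles external clients reach after the
#    gateway (redirector and publishing). RDGateway/RDWebAccess already use
#    the public cert in the asker's setup, so they are left alone here.
foreach ($role in 'RDRedirector', 'RDPublishing') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPass `
        -ConnectionBroker $Broker -Force
}

# 3. On each session host (run locally): pick the newest cert with a private
#    key whose SAN covers this host's FQDN (a literal name or a '*.domain'
#    wildcard entry), and bind it to the RDP-Tcp listener through WMI.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.DnsNameList.Unicode | Where-Object { $fqdn -like $_ })
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate covering '$fqdn' in LocalMachine\My" }

$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $listener.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 4. Clients that do not trust the internal CA still warn: import the root
#    (and any intermediate, into the CA store) on the client machine.
certutil -addstore -f Root 'C:\certs\corp-root-ca.cer'   # assumption: path
```

Re-run step 1 afterwards; every role should report a trusted Level and a Subject/SAN matching the name in the RDP file that RDWeb hands out.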
 
D-Tech Consulting Author Commented:
Hi,

Thanks for replying
The Gateway/RDWeb servers are using a public certificate, which works fine.
The issue is when the connection is passed over to the connection broker/session host servers.
That's when the certificate issue arises.

How can I configure/use a public certificate on the CB/SH servers?
It seems to want to connect to internal names all the time.
I'm not very clear about the setup. I'm using HA for the CB servers.

The setup is functional, except the certificate warning

Thanks,
Alex
0