Solved

HA RD ConnectionBroker/SessionHost SSL certificate issue

Posted on 2014-02-07
5
709 Views
Last Modified: 2014-03-10
I'm trying to get proper certificates on the connection broker/session host server to avoid warnings on external clients connecting through RDWeb
Spent some time testing but got nowhere so far

Thanks,
Alex
0
Comment
Question by:D-Tech Consulting
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39843950
The SSL certificate you use for RDWeb server must include external FQDN of RDWeb server in subject (CN) OR as Subject Alternate Name (SAN) entry
Also if this is certificate issued from internal CA server, you must install public key of internal CA root certificate on client computers in there trusted root certificate store in order to avoid warning messages.
If intermediate CA is also in certificate chain that cert also need to be installed on client computers

If this is public certificate, then probably you will not face issues.

The same process as above applied to public certificate as well if there is any warnings

Mahesh
0
 

Author Comment

by:D-Tech Consulting
ID: 39844200
Hi,

Thanks for replying
The Gateway/rdweb servers are using a public certificate, which works fine
The issue is when the connection is passed over to the connection broker/Session host servers
That's when the certificate issue arises

How can I configure/use a public certificate on cb/sh servers?
It seems to want to connect to internal names all the time
Not very clear about setup. I'm using HA for CB servers

The setup is functional, except the certificate warning

Thanks,
Alex
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39844524
You only connect to the internal Connection Broker once a connection is established through the RD Gateway using valid credentials. Since Your Connection broker \ session host servers are not exposed to the public and is part of internal network these error are expected

Previously a simple resolution to this issue is to use SAN certificate that allows you to add internal hostnames as SAN entry in public certs. But now this is not possible as public CA refuses to assign internal hostnames in public certificate.

Hence only work around are:
You could use split dns so that internal domain and external domain name is same and then you could use wild card \ standard ssl SAN cert from public CA for session host and  connection broker.
OR
you could use wild card cert \ standard SSL SAN cert from internal CA server on sessions host and connection broker servers so that cert errors can be resolved.
Check below excellent articles on the same issue
http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
Also to setup certificates check below article
http://www.concurrency.com/blog/rds8-gateway-and-certificates-on-windows-server-2012/

Hope that helps

Mahesh
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is comprised of the pearls we have garnered deploying virtualization solutions since Virtual Server 2005 and subsequent 2008 RTM+ Hyper-V in standalone and clustered environments.
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question