Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

HA RD ConnectionBroker/SessionHost SSL certificate issue

Posted on 2014-02-07
5
Medium Priority
?
733 Views
Last Modified: 2014-03-10
I'm trying to get proper certificates on the connection broker/session host server to avoid warnings on external clients connecting through RDWeb
Spent some time testing but got nowhere so far

Thanks,
Alex
0
Comment
Question by:D-Tech Consulting
  • 2
3 Comments
 
LVL 39

Expert Comment

by:Mahesh
ID: 39843950
The SSL certificate you use for RDWeb server must include external FQDN of RDWeb server in subject (CN) OR as Subject Alternate Name (SAN) entry
Also if this is certificate issued from internal CA server, you must install public key of internal CA root certificate on client computers in there trusted root certificate store in order to avoid warning messages.
If intermediate CA is also in certificate chain that cert also need to be installed on client computers

If this is public certificate, then probably you will not face issues.

The same process as above applied to public certificate as well if there is any warnings

Mahesh
0
 

Author Comment

by:D-Tech Consulting
ID: 39844200
Hi,

Thanks for replying
The Gateway/rdweb servers are using a public certificate, which works fine
The issue is when the connection is passed over to the connection broker/Session host servers
That's when the certificate issue arises

How can I configure/use a public certificate on cb/sh servers?
It seems to want to connect to internal names all the time
Not very clear about setup. I'm using HA for CB servers

The setup is functional, except the certificate warning

Thanks,
Alex
0
 
LVL 39

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39844524
You only connect to the internal Connection Broker once a connection is established through the RD Gateway using valid credentials. Since Your Connection broker \ session host servers are not exposed to the public and is part of internal network these error are expected

Previously a simple resolution to this issue is to use SAN certificate that allows you to add internal hostnames as SAN entry in public certs. But now this is not possible as public CA refuses to assign internal hostnames in public certificate.

Hence only work around are:
You could use split dns so that internal domain and external domain name is same and then you could use wild card \ standard ssl SAN cert from public CA for session host and  connection broker.
OR
you could use wild card cert \ standard SSL SAN cert from internal CA server on sessions host and connection broker servers so that cert errors can be resolved.
Check below excellent articles on the same issue
http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
Also to setup certificates check below article
http://www.concurrency.com/blog/rds8-gateway-and-certificates-on-windows-server-2012/

Hope that helps

Mahesh
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
Measuring Server's processing rate with a simple powershell command. The differences in processing rate also was recorded in different use-cases, when a server in free and busy states.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Suggested Courses

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question