Solved

Certificates and RDS on Windows Server 2012 R2

Posted on 2014-04-01
Last Modified: 2014-04-29
Setup:

RDCB, RDWA, RDGW, License Server installed on one 2012 Server

RDSH installed on two separate 2012 servers.

My internal domain is trusted.local

Our external domain is companyname.com

I need both internal and external users to be able to access internal resources.

I have been trying to find out what type of certificates I need, how many, and what domain names should be used for the certificates. Also, once I have the certs, where do they get installed?

Any help would be appreciated.
Question by:grayva
12 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39971000
The problem here is that you won't be able to get a certificate for the .local aspect of this due to current SSL policies (ability to prove ownership of domain).

If all of these are domain computers and you have a CA I would use a CA issued cert for the .local since all your domain computers should trust it.

Normally you could have gotten a SAN / UC cert for this.

Author Comment

by:grayva
ID: 39971013
What about computers outside our local network who need to access network resources via RDS... don't I need a trusted certificate?
LVL 29

Expert Comment

by:becraig
ID: 39971035
Just reconfigure both to use .com and update internal DNS.

Or distribute your CA root to clients connecting.

Info on .local.
http://www.digicert.com/internal-names.htm

Author Comment

by:grayva
ID: 39971042
Sorry, doesn't make sense to me.
LVL 29

Expert Comment

by:becraig
ID: 39971050
What doesn't? The determination to not issue .local certificates?

Author Comment

by:grayva
ID: 39971052
How to get certificates for a .com domain to also work inside a network that is running .local domain name.
LVL 29

Expert Comment

by:becraig
ID: 39971063
Update your internal instance to use the same .com certificate and add an A or CNAME record to point to the same IP address that trusted.local now resolves to.

Certificates resolve to NAMES and DNS names resolve to IP address resources.

You cannot work around a certificate responding to the right name, but you can get DNS to point to any resource if you have control of DNS.
LVL 29

Expert Comment

by:becraig
ID: 39994935
Are you still having issues with this?

Author Comment

by:grayva
ID: 39995056
I gave up, thanks.
LVL 29

Expert Comment

by:becraig
ID: 39995070
Really sorry, the solution was actually very simple:

1) DNS resolves to the name you have configured for the RDS server
(since you cannot get a valid .local certificate, you can simply use your .com certificate and update your DNS to use the .com name on the certificate and point it to the IP of the RDS server)

2) Create an internal .local certificate and simply ask your users to click past it not being trusted when they attempt to log in.

Either one of the above would work perfectly for you. I can provide instructions as detailed as needed to get there, but it is not excessively difficult.

Author Comment

by:grayva
ID: 39995084
I understand the DNS part, but I don't know how to set up an internal CA and issue a local cert.
LVL 29

Accepted Solution

by: becraig (earned 500 total points)
ID: 39995187
OK, if you do not want to do a CA you can just do a self-signed cert; however, this would lead you to getting a prompt indicating the certificate is not trusted.

Here is a link on configuring SSL for RDS:

http://technet.microsoft.com/en-us/library/dd320345%28v=ws.10%29.aspx


I would just create an additional DNS record for the internal users, e.g.:

External:
RDS.companyname.com - pointing to the external IP

Internal:
RDS.trusted.local   - pointing to the internal IP
RDS.companyname.com - pointing to the internal IP

Once the RDS server is configured to answer on RDS.companyname.com, external folks will get the external IP, but the server configured for external users.

Internal users will get the one configured for internal users.

Or you can simply create an A record pointing to the internal server that does not match, and request a SAN name for the cert that matches that name, e.g.:

One cert with two SANs
Subject for external:
RDS.companyname.com

Subject for internal:
InternalRDS.companyname.com

All you would do is configure the external server to match the DNS name and the internal one to match the internal DNS name.
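The split-DNS plus single SAN certificate approach from the accepted solution, as an added PowerShell example for a 2012 R2 RD Connection Broker (not code from this thread; the IP address, PFX path and the assumption that the internal DNS server hosts a copy of the companyname.com zone are all placeholders):

```powershell
# Added example: split-brain DNS plus one SAN certificate for RDS.
# Assumptions (constructed for this example): run as a domain admin on a server that is
# both the internal DNS server and the RD Connection Broker; the public SAN certificate
# has already been issued for both names and exported to a PFX; the IP is a placeholder.
$InternalRdsIp = '10.0.0.20'                      # internal address of the RDS host
$ExternalName  = 'RDS.companyname.com'            # name external users connect to
$InternalName  = 'InternalRDS.companyname.com'    # second SAN name, used internally only
$PfxPath       = 'C:\certs\rds-san.pfx'           # placeholder path to the exported cert
$PfxPassword   = Read-Host -AsSecureString -Prompt 'PFX password'

# 1) Internal DNS: host companyname.com internally so internal clients resolve the
#    .com names to the internal IP. External DNS keeps RDS.companyname.com -> public IP.
#    Caveat: an internal copy of the zone must also carry every other public record
#    (www, mail, ...) that internal users rely on, or those names stop resolving inside.
if (-not (Get-DnsServerZone -Name 'companyname.com' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name 'companyname.com' -ReplicationScope 'Domain'
}
foreach ($label in 'RDS', 'InternalRDS') {
    Add-DnsServerResourceRecordA -ZoneName 'companyname.com' -Name $label -IPv4Address $InternalRdsIp
}

# 2) Verify the certificate really lists both SAN names before binding it. A name that
#    is missing here is exactly what produces the "certificate name mismatch" prompt.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if (-not $sanExt) { throw 'Certificate has no subjectAltName extension' }
$sanText = $sanExt.Format($false)   # e.g. "DNS Name=RDS.companyname.com, DNS Name=InternalRDS.companyname.com"
foreach ($name in $ExternalName, $InternalName) {
    if ($sanText -notmatch [regex]::Escape($name)) { throw "Certificate does not list SAN $name" }
}

# 3) Bind the same certificate to every RDS role hosted on the broker.
Import-Module RemoteDesktop
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDRedirector', 'RDPublishing') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPassword -Force
}

# Confirm each role now reports the SAN certificate as trusted.
Get-RDCertificate
```

After this, internal clients connecting to RDS.companyname.com (or InternalRDS.companyname.com) reach the internal IP and see a name that matches the certificate, so no CA of your own is needed for the RDS endpoints.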
