WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network. Check out this quarters report on the threats that shook the industry in Q4 2017.
Certificates and RDS on Windows Srvr 2012 R@
Setup:
RDCB, RDWA, RDGW, License Server installed on one 2012 Server
RDSH installed on two separate 2012 servers.
My internal domain is a trusted.local
Our external domain is companyname.com
I need both internal and external users to be able to access internal resources.
I have been trying to find out what type of certificates I need, how many and what domain names should be used for the certificates. Also, once I have the certs where do they get installed?
Any help would be appreciated.
RDCB, RDWA, RDGW, License Server installed on one 2012 Server
RDSH installed on two separate 2012 servers.
My internal domain is a trusted.local
Our external domain is companyname.com
I need both internal and external users to be able to access internal resources.
I have been trying to find out what type of certificates I need, how many and what domain names should be used for the certificates. Also, once I have the certs where do they get installed?
Any help would be appreciated.
Who is Participating?
The problem here is that you won't be able to get a certificate for the .local aspect of this due to current SSL policies (ability to prove ownership of domain).
If all of these are domain computers and you have a CA I would use a CA issued cert for the .local since all your domain computers should trust it.
Normally you could have gotten a SAN / UC cert for this.
If all of these are domain computers and you have a CA I would use a CA issued cert for the .local since all your domain computers should trust it.
Normally you could have gotten a SAN / UC cert for this.
What about computers outside our local network who need to access network resources via RDS....don't I need a trusted certificate?
Just reconfigure both to use .com and update internal dns.
Or distribute your ca root to clients connecting
Info on .local.
http://www.digicert.com/internal-names.htm
Or distribute your ca root to clients connecting
Info on .local.
http://www.digicert.com/internal-names.htm
How to get certificates for a .com domain to also work inside a network that is running .local domain name.
Update your internal instance to use the same .com certificate and add an A or CName record to point to the same IP address that trusted.local now resolves to.
Certificate resolve to NAMES and DNS names resolve to IP address resources.
You cannot work around a certificate responding the right name but you can get DNS to point to any resource if you have control of DNS.
Certificate resolve to NAMES and DNS names resolve to IP address resources.
You cannot work around a certificate responding the right name but you can get DNS to point to any resource if you have control of DNS.
Really sorry the solution was actually very simple:
1) DNS resolves to the name you have configured for RDS server
(since you cannot get a valid .local certificate- you can simply use you.com certificate and update your dns to use the .com name on the certificate and point it to the IP of the RDS server)
2) Create an internal .local certificate and simply ask your users to click past it not being trusted when they attempt to login.
Either one of the above would work perfectly for you, I can provide instructions as detailed as needed to get there but it is not excessively difficult.
1) DNS resolves to the name you have configured for RDS server
(since you cannot get a valid .local certificate- you can simply use you.com certificate and update your dns to use the .com name on the certificate and point it to the IP of the RDS server)
2) Create an internal .local certificate and simply ask your users to click past it not being trusted when they attempt to login.
Either one of the above would work perfectly for you, I can provide instructions as detailed as needed to get there but it is not excessively difficult.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
-
Course of the Month7 days, 18 hours left to enrollMonitoring and Operating a Private Cloud with System Center 2012 R2 273 lessons
Here is a link on configuring SSL for RDS:
http://technet.microsoft.com/en-us/library/dd320345%28v=ws.10%29.aspx
I would just create an additional DNS record for the internal users:
e.g
external:
RDS.companyname.com - pointing to the external IP
Internal:
RDS.trusted.local - pointing to the internal IP
RDS.companyname.com - pointing to the internal IP
Once the RDS server is configured to answer on RDS.companyname.com external folks will get the external IP but the server configured for eXternal users
Internal Users will get the one configured for internal users.
Or you can simply create an A record pointing to the internal server that does not match and request a SAN name for the cert that matches that name e.g:
One cert with two SANS
Subject for external:
RDS.RDS.companyname.com
Subject for Internal
InternalRDS.companyname.co
All you would do is configure the external server to match the DNS name and the internal to match the internal DNS name.