Solved

Can't connect using Remote Desktop Gateway

Posted on 2014-08-12
10,428 Views
Last Modified: 2014-08-18
- Workstations run Windows 7 64-Bit SP1
- Server is running Windows Server 2012 R2
- Network is pretty simple, consumer-grade routers on both ends, no advanced firewalls.
- We have a trusted certificate provided by www.certificatesforexchange.com, we created the CSR using IIS.
- This server runs a few different roles, in particular, IIS hosts an internal company website, it runs WSUS, WDS, and RRAS.

We are attempting to set up Remote Desktop Gateway so that a home user can connect to their work PC from home, via the gateway on the server. I've followed the various guides for setting up Remote Desktop Gateway, set up the RAP and CAP, installed the trusted SSL cert.

When I try to connect using the Remote Desktop client, it hangs at "Initiating remote connection..." then fails with the error:

[Screenshot: Remote Desktop Client error]
In the event log on the RD Gateway server, I see this:

[Screenshot: error in the RD Gateway server's event log under the "TerminalServices-Gateway" section]
Here's some screenshots of how NPS and RD Gateway are configured:

[Screenshots: NPS Configuration, NPS Configuration, RD Gateway Configuration]
Question by:Frosty555
 
LVL 38

Expert Comment

by:Mahesh
ID: 40256714
Make sure that you install the RDP 8.1 client on the Win 7 machines:
http://support.microsoft.com/kb/2923545/en-us
Also ensure that you are entering the RD Gateway public FQDN in the RDP connection under the RD Gateway settings.
This FQDN should match the certificate you installed on the RD Gateway server.
Ensure that you can telnet on TCP 443 to the RD Gateway server's public IP.
 
LVL 31

Author Comment

by:Frosty555
ID: 40257279
Latest RDP client is installed. Done.

I am entering the public FQDN for the RD Gateway in the client, it is not the common name of the certificate but it is one of the SANs.

I was able to go to https://<fqdn> and see the IIS start page in a web browser, so that works.

But oddly enough, if I attempt to use telnet, it sits and hangs at "Connecting to <fqdn>...". Same thing if I use PuTTY: it sits there and doesn't seem to establish the connection. What could that mean?

--edit-- nevermind, telnet DOES work, the response looks weird since the server doesn't really reply to anything I say, unlike an HTTP connection where it responds with an HTTP 400 error, but the behavior I see when I telnet to my RD gateway is identical to the behavior I see if I telnet into Google.
 
LVL 38

Accepted Solution

by:
Mahesh earned 1500 total points
ID: 40257708
If you have the RD Gateway server's public name in the certificate as a SAN, it should work.

One more thing:
Please check the RD Gateway console and navigate to RAP and CAP; these two need to be set up correctly.
http://ryanmangansitblog.com/2013/03/27/deploying-remote-desktop-gateway-rds-2012/

Also, if your internal domain name and external DNS name are different, you need to either create an RDP custom property to avoid certificate errors or change the RDS deployment name.
Check the article below:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/cf67f986-a507-46cb-b19e-d6d94236549a/how-to-setup-rds-custom-property-when-internal-and-external-domain-name-space-is-different?forum=winserverTS
 
LVL 31

Author Comment

by:Frosty555
ID: 40265284
So I ended up going the "kill a fly with a sledgehammer" approach. I removed all of the Remote Desktop gateway roles from this server, and spun up a brand new virtual machine which would be dedicated to the task. Decided to use Server 2008 R2 because we had a license for it available.

Followed these instructions verbatim:

http://technet.microsoft.com/en-us/library/dd983941(v=WS.10).aspx

Made sure to export my trusted SSL certificate + primary key from the old server, and import it into the new server, and then assigned it in RD Gateway. And then made sure to register NPS in Active Directory.

We had a spare public static IP address for our Internet and a spare SAN available on the certificate, so I used that.

Boom. Everything works immediately, with no trouble whatsoever.

I have no idea what was wrong with the main server but I imagine it's something to do with IIS.
 
LVL 38

Assisted Solution

by:Mahesh
Mahesh earned 1500 total points
ID: 40266354
With 2012 RDS, Microsoft increased the use of certificates and the flow is a little bit changed.

The general rule to avoid failures with RD Gateway 2012

Ensure you use the RDS public FQDN in the RD Gateway settings on client computers, and the certificate should contain that FQDN.
All hosts you are connecting to through RD Gateway must have a valid RDP certificate with the proper FQDN (the common name of the certificate must match the RD Session Host server FQDN).
The RDS publishing name on the RD Connection Broker must match the public certificate that is bound to the RD Connection Broker; if there is a mismatch, you should change the RDS deployment name with TP's script as mentioned in the post above, or you need to use an alternate server name for RD Connection Broker publishing to avoid errors.
Please check the social.technet article in the earlier link on the same question.
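As an added example (not code from this thread or from either participant), the PowerShell script below checks from a client the points Mahesh raises in his first comment and in the assisted solution: the gateway FQDN resolves, TCP 443 answers, and the certificate the gateway presents on 443 covers that FQDN as its CN or as a SAN. It assumes Windows PowerShell; the hostname is a placeholder to replace with your own gateway name.

```powershell
# Added example, not from the thread. Checks, from a client, the points raised
# above: the gateway FQDN resolves, TCP 443 answers, and the certificate the
# gateway presents on 443 covers that FQDN as CN or SAN (and is not expired).
# Assumes Windows PowerShell; the hostname is a placeholder.
param([string]$GatewayFqdn = 'rdgateway.example.com', [int]$Port = 443)

function Get-CertDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    # Subject Alternative Name extension (OID 2.5.29.17) rendered as text, e.g.
    # "DNS Name=gw.example.com, DNS Name=www.example.com" on Windows
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return ($names | Select-Object -Unique)
}

function Test-NameCovered([string]$Fqdn, [string[]]$Names) {
    foreach ($n in $Names) {
        if ($n -ieq $Fqdn) { return $true }
        # a wildcard covers exactly one label: *.example.com matches gw.example.com only
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)  # ".example.com"
            $head = $Fqdn.Substring(0, [Math]::Max(0, $Fqdn.Length - $suffix.Length))
            if ($Fqdn.EndsWith($suffix, 'OrdinalIgnoreCase') -and $head -and $head -notmatch '\.') { return $true }
        }
    }
    return $false
}
# 1. DNS resolution
$addr = [System.Net.Dns]::GetHostAddresses($GatewayFqdn)
"DNS: $GatewayFqdn -> $($addr -join ', ')"
# 2. TCP reachability (TcpClient also works on Windows 7, unlike Test-NetConnection)
$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($GatewayFqdn, $Port)
"TCP ${Port}: connected"
# 3. TLS handshake; the callback accepts any cert so we can inspect what was presented
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($GatewayFqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$names = Get-CertDnsNames $cert
"Certificate names: $($names -join ', ')"
if ($cert.NotAfter -lt (Get-Date)) { "EXPIRED on $($cert.NotAfter)" }
if (Test-NameCovered $GatewayFqdn $names) { "OK: certificate covers $GatewayFqdn" }
else { "MISMATCH: $GatewayFqdn is neither the CN nor a SAN of the presented certificate" }
$ssl.Dispose(); $tcp.Close()
```

A MISMATCH here reproduces the situation the thread turns on: the client reaches the gateway, but the name typed into the RD Gateway settings is not one the certificate vouches for.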
 
LVL 31

Author Closing Comment

by:Frosty555
ID: 40268742
You're probably right that there was some kind of certificate issue, or wrong FQDN used somewhere, it would make sense. It's hard to say what the real problem was.