RDSWeb issue

Asked by CBM Corporate (Australia)

Hi all,

I have a RDS Farm with one broker which also does RDWeb, and two host sessions.  All servers Win2012R2 fully patched.
I also have a wildcard certificate.

I can successfully get to the web portal, and open any of my remote apps internally.

I can successfully get to the web portal externally as well, but cannot open any of the remote apps. This throws the error:
"Your computer can't connect to the remote computer because of an error occurred on the remote computer that you want to connect to"

No errors logged on either the broker or the hosts.

I checked my collection settings and tried different combinations of authentication. Security layer is currently set to "Negotiate" but I tested "RDP Security Layer" as well, and encryption level is set to low, it was "Client Compatible" before.

Any clues? I tested on a Win7 client, a Win8 and a Win2008. No luck so far.
Txs.
Cliff Galiher (United States):

To do this via RDWeb, you must set up the RDGateway role on a server, configure it with a publicly resolvable name, and configure your router to properly route traffic to the RDGateway server.
CBM Corporate (asker):

That's exactly how it's done.

public FQDN resolves to my fwall, which forwards 443 to my RD Gateway, who then in turn forwards the RDP requests to the host session servers.
The certificate (wildcard) matches the FQDN.
Cliff Galiher:

Your original post hadn't mentioned RD Gateway. Is it collocated with the RD Web and/or RDCB? Do these have unique names? As an aside, you mentioned having a "farm", which in 2012 is no longer technically accurate. Did you try to set up a farm as it was done in 2008 R2 with round robin DNS? Cuz *that* won't work...
CBM Corporate (asker):

Okay sorry, bad terminology. :)

Server #1: Broker, Licensing, Web and Gateway.
Server #2 & 3: Host

public FQDN to my WAN IP (443 NAT'ed)
Internal DNS for FQDN to IP of Server #1

RDWeb works great internally. Doesn't externally.
ASKER CERTIFIED SOLUTION by Cliff Galiher (United States)
This solution is only available to members.
CBM Corporate (asker):

Here's an excerpt from the notepad file:

redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
remoteapplicationmode:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
videoplaybackmode:i:1
audiocapturemode:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:rds.xxxxx.com.au
alternate shell:s:||EXCEL
remoteapplicationprogram:s:||EXCEL
gatewayhostname:s:rds.xxxxx.com.au
remoteapplicationname:s:Excel 2013
remoteapplicationcmdline:s:
workspace id:s:RDGATEWAYSERVER.XXXXX.local
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.CollectionName
alternate full address:s:rds.xxxxx.com.au

The rest is the digital signature.

Does anything seem odd to you?
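A small audit of the .rdp file that RDWeb hands to the client, to make the checks discussed in this thread repeatable. This is an added example, not code from the original post, from Microsoft or from Experts Exchange. It parses the `key:type:value` lines, then reports the points a defender looks at first: whether the gateway name is publicly resolvable, whether the gateway's target is the gateway's own public name (so internal DNS must resolve it to the broker rather than the WAN IP), whether the connection is routed to a collection through the broker (the gateway must then resolve the session hosts and its RAP must allow them), and how much device redirection the file enables. The sample is a constructed copy of the asker's excerpt with the same placeholder names; the list of "internal" DNS suffixes is an assumption, and the `gatewayusagemethod` meanings in the comments are the documented values for that setting.

```python
"""Parse and audit an .rdp file published by RDWeb (added example, not from the thread)."""
from typing import Dict, List, Tuple, Union

Value = Union[int, str, bytes]
Finding = Tuple[str, str, str]  # (severity, code, message)

# Constructed sample reproducing the fields posted in the thread (placeholder names kept).
SAMPLE_RDP = """\
redirectclipboard:i:1
drivestoredirect:s:*
redirectdrives:i:1
remoteapplicationmode:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
full address:s:rds.xxxxx.com.au
alternate shell:s:||EXCEL
gatewayhostname:s:rds.xxxxx.com.au
workspace id:s:RDGATEWAYSERVER.XXXXX.local
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.CollectionName
"""

# Assumption: these suffixes are site-local and never resolve from the public Internet.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal")


def parse_rdp(text: str) -> Dict[str, Value]:
    """Parse 'key:type:value' lines; i = integer, s = string, b = hex bytes.
    Only the first two colons split a line, so values such as 'tsv://...'
    or '||EXCEL' are preserved intact."""
    settings: Dict[str, Value] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed .rdp line: {raw!r}")
        key, kind, value = parts[0].strip().lower(), parts[1].strip(), parts[2]
        if kind == "i":
            settings[key] = int(value)
        elif kind == "b":
            settings[key] = bytes.fromhex(value)
        elif kind == "s":
            settings[key] = value
        else:
            raise ValueError(f"unknown value type {kind!r} in {raw!r}")
    return settings


def looks_internal(host: str) -> bool:
    """Single-label names and site-local suffixes cannot be resolved by an external client."""
    h = host.lower().rstrip(".")
    return "." not in h or h.endswith(INTERNAL_SUFFIXES)


def audit_rdp(settings: Dict[str, Value]) -> List[Finding]:
    """Return reachability and redirection findings for one parsed .rdp file."""
    findings: List[Finding] = []
    gw_mode = settings.get("gatewayusagemethod", 0)
    gw_host = str(settings.get("gatewayhostname", ""))
    target = str(settings.get("full address", ""))

    # gatewayusagemethod: 0 = no gateway, 1 = always use it, 2 = use it only when a direct connection fails.
    uses_gateway = gw_mode in (1, 2)
    if uses_gateway and not gw_host:
        findings.append(("error", "GW_MISSING", "gateway enabled but gatewayhostname is empty"))
    elif uses_gateway and looks_internal(gw_host):
        findings.append(("error", "GW_INTERNAL_NAME",
                         f"gatewayhostname {gw_host!r} is not resolvable from the Internet"))
    if not uses_gateway and looks_internal(target):
        findings.append(("error", "TARGET_INTERNAL_NO_GW",
                         f"full address {target!r} is internal and no gateway is configured"))
    if gw_mode == 2:
        findings.append(("info", "GW_BYPASS_LOCAL",
                         "clients try a direct connection first and fall back to the gateway only after it fails"))
    if uses_gateway and gw_host and gw_host.lower() == target.lower():
        findings.append(("info", "TARGET_EQUALS_GATEWAY",
                         "the gateway connects to its own public name; internal DNS must point it at the broker, not the WAN IP"))
    if str(settings.get("loadbalanceinfo", "")).startswith("tsv://"):
        findings.append(("info", "COLLECTION_VIA_BROKER",
                         "routed to a collection via the broker; the gateway must resolve the session hosts and its RAP must allow them"))
    if settings.get("drivestoredirect") == "*" or settings.get("redirectdrives") == 1:
        findings.append(("warn", "DRIVE_REDIRECT_ALL", "all client drives are redirected into the session"))
    if settings.get("redirectclipboard") == 1:
        findings.append(("info", "CLIPBOARD_REDIRECT", "clipboard redirection is enabled"))
    return findings


if __name__ == "__main__":
    for sev, code, msg in audit_rdp(parse_rdp(SAMPLE_RDP)):
        print(f"[{sev}] {code}: {msg}")
```

Run against a real .rdp saved from the RDWeb page, the script flags nothing fatal for the posted excerpt (the gateway name is public and matches the target), which narrows the problem to what the gateway itself can resolve and is allowed to reach once the broker redirects the session.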
SOLUTION
This solution is only available to members.
CBM Corporate (asker):

Okay, that would make sense, so where can I check that the broker passes the public FQDN? I've looked where I could think of, but there's no mention of the .local address in the collection or in the deployment, other than the names of the servers for each role (RD Web Access Server, license server).
SOLUTION
This solution is only available to members.
CBM Corporate (asker):

So... what, out of the box this solution by Msoft is not designed to work? I find it hard to believe I have to "go out of my way" to fix this, when I just followed wizards and TechNet articles.

Anyways. Your suggestions are welcome mate.
SOLUTION
This solution is only available to members.
CBM Corporate (asker):

Okay, thanks for that, but that's not really helping. I get your point, and obviously I did not deploy it right. But no, there is no round-robin DNS, and no, this was not done "as 2008".

Now if you can't help me, I understand, but I did not post this question to be patronized.

It might be spaghetti, but can you help me with the sauce, or should I ask another chef?