RDSWeb issue

Hi all,

I have a RDS Farm with one broker which also does RDWeb, and two host sessions.  All servers Win2012R2 fully patched.
I also have a wildcard certificate.

I can successfully get to the web portal, and open any of my remote apps internally.

I can successfully get to the web portal, but cannot open any of the remote apps externally. This throws the error: "Your computer can't connect to the remote computer because of an error occurred on the remote computer that you want to connect to".

No errors logged on either the broker or the hosts.

I checked my collection settings and tried different combinations of authentication. Security layer is currently set to "Negotiate" but I tested "RDP Security Layer" as well, and encryption level is set to low, it was "Client Compatible" before.

Any clues? I tested on a Win7 client, a Win8 and a Win2008. No luck so far.
CBM Corporate asked:

Cliff Galiher commented:
To do this via RDWeb, you must set up the RDGateway role on a server, configure it with a publicly resolvable name, and configure your router to properly route traffic to the RDGateway server.
CBM Corporate (Author) commented:
That's exactly how it's done.

The public FQDN resolves to my firewall, which forwards 443 to my RD Gateway, which in turn forwards the RDP requests to the session host servers.
The certificate (wildcard) matches the FQDN.
Cliff Galiher commented:
Your original post hadn't mentioned RD Gateway. Is it co-located with the RDWeb and/or RDCB? Do these have unique names? As an aside, you mentioned having a "farm", which in 2012 is no longer technically accurate. Did you try to set up a farm as it was done in 2008 R2 with round-robin DNS? Cuz *that* won't work...

CBM Corporate (Author) commented:
Okay sorry, bad terminology. :)

Server #1: Broker, Licensing, Web and Gateway.
Server #2 & #3: Host.

public FQDN to my WAN IP (443 NAT'ed)
Internal DNS for FQDN to IP of Server #1

RDWeb works great internally. Doesn't externally.
Cliff Galiher commented:
I understand that it works locally. That is why I was (and still am) suspecting the RD Gateway. Start with a BPA scan. Also, on a remote machine exhibiting the issue, save an .rdp file that is sent by RDWeb and open it in Notepad. Look for significant discrepancies (no gateway defined, wrong collection or session host name, etc.). And, of course, check the event logs on the RD Gateway server. By default, a lot of logging is turned on (this can be adjusted in RD Gateway Manager, outside of Server Manager) and may reveal a misconfiguration.

CBM Corporate (Author) commented:
Here's an excerpt from the Notepad file:

session bpp:i:32
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
server port:i:3389
allow font smoothing:i:1
full address:s:rds.xxxxx.com.au
alternate shell:s:||EXCEL
remoteapplicationname:s:Excel 2013
workspace id:s:RDGATEWAYSERVER.XXXXX.local
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.CollectionName
alternate full address:s:rds.xxxxx.com.au

The rest is the digital signature.

Does anything seem odd to you?
Cliff Galiher commented:
I am surprised to see a .local address in your workspace ID, while the rdgateway *and* full server name are the same public FQDN. This makes me strongly suspicious that the full name of the RDCB server is not being properly passed in the .rdp file and thus connections through the rdgateway to the rdcb are being rejected. Either by access policies (on the NPS server) or by a certificate mismatch from the rdcb.
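The check suggested above (save the RDWeb-issued .rdp file and look for a missing gateway, a wrong collection or an internal name) can be scripted. This is an added example, not code from the thread or from Microsoft; the sample file is constructed from the excerpt posted above (the signature block is omitted), and the checks encode only the discrepancies named in the discussion:

```python
from typing import Dict, List, Tuple

# Constructed sample modelled on the excerpt posted in the thread; a real
# RDWeb-issued file ends with a signature block, which is left out here.
SAMPLE_RDP = """\
session bpp:i:32
prompt for credentials on client:i:1
server port:i:3389
full address:s:rds.xxxxx.com.au
alternate shell:s:||EXCEL
remoteapplicationname:s:Excel 2013
workspace id:s:RDGATEWAYSERVER.XXXXX.local
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.CollectionName
alternate full address:s:rds.xxxxx.com.au
"""

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}.
    Types are i (integer), s (string) or b (binary); other lines
    (blank lines, the signature block) are skipped."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2])
    return settings

def check_rdp(settings: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return the discrepancies the thread says to look for."""
    findings: List[str] = []
    full = settings.get("full address", ("s", ""))[1]
    gateway = settings.get("gatewayhostname", ("s", ""))[1]
    workspace = settings.get("workspace id", ("s", ""))[1]
    lb = settings.get("loadbalanceinfo", ("s", ""))[1]
    if not gateway:
        findings.append("no RD Gateway defined (gatewayhostname missing); "
                        "an external client will try to reach the host directly")
    if workspace.lower().endswith(".local"):
        findings.append(f"workspace id '{workspace}' is an internal .local name "
                        f"while full address is the public name '{full}'")
    if not lb.startswith("tsv://MS Terminal Services Plugin.1."):
        findings.append(f"loadbalanceinfo '{lb}' does not name a 2012 collection")
    return findings

if __name__ == "__main__":
    for finding in check_rdp(parse_rdp(SAMPLE_RDP)):
        print("-", finding)
```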
CBM Corporate (Author) commented:
Okay, that would make sense, so where can I check that the broker does pass the public FQDN? I've looked where I could think of, but there's no mention of the .local address in the collection or in the deployment, other than the name of the servers for each role (RD Web Access Server, license server).
Cliff Galiher commented:
The default is to use the server name. You actually have to go out of your way to get the system to push artificial public names. And doing so can have seriously adverse effects. So honestly, at this point, there are already significant non-standard settings that have been changed. And trying to troubleshoot that after the fact is not something easily done.
CBM Corporate (Author) commented:
So... out of the box, this solution by Msoft is not designed to work? I find it hard to believe I have to "go out of my way" to fix this, when I just followed wizards and Technet articles.

Anyways.  Your suggestions are welcome mate.
Cliff Galiher commented:
No, out of the box, it *does* work, when done right. But several common mistakes I see made:

1) Attempting to deploy a farm using 2008 era documentation. The RDCB role and load balancing has fundamentally been rearchitected in 2012. So following 2008 guidance often breaks deployments.

2) Annoyed by certificate warnings, users will follow non-standard practices (custom DNS records, unsupported WMI changes, etc) that they found/read about and get a deployment to use publicly resolvable names. The adage "it is on the internet so it must be true" holds true in these cases.

3) Other undocumented changes. The "it wasn't working so I tried X, Y, and Z" spaghetti-against-the-wall approach. I see this a *ton* and not just with RDS. As market pressures and cloud economics drive down prices (the Wal-Mart effect), some I.T. Pros are taking on projects they probably shouldn't just to keep their business alive, and breaking things in phenomenally unique ways.

Now what I can tell you is that the .rdp file doesn't look right. There are some references that I wouldn't expect, and those point to a deployment that was *not* done out of the box. So when you say you find it hard to believe that the out-of-the-box solution would not work, I'd say you are right. That is hard to believe! Because out of the box, it DOES work! (And I have dozens of 2012 and 2012 R2 deployments backing that up!) But I am also saying your deployment, by appearances, is not out of the box. And given what I shared above regarding the common deployment mistakes, I can't even begin to narrow the possibilities beyond the questions I've already asked. I took the ball as far as I feel I can in this type of interaction, and there is something unique enough about your deployment that it didn't come out in my questioning.

I just don't have the institutional knowledge of what was done with that deployment (and I mean what was done with specificity, not the generic "I followed TechNet articles") and my attempts to find out were unsuccessful. Not your fault. Also not mine. It is what it is. I'm taking the time to write *this* reply because I want you to understand, very accurately, what I'm saying regarding the problem and the usual "out of the box" experience, as you seem to have previously misinterpreted my statements.
CBM Corporate (Author) commented:
Okay, thanks for that, but that's not really helping. I get your point, and obviously I did not deploy it right. But no, there is no round-robin DNS, and no, this was not done "as 2008".

Now if you can't help me, I understand, but I did not post this question to be patronized.

It might be a spaghetti, but can you help me with the sauce, or should I ask another chef?