RDS 2012R2 Gateway "Your computer can't connect to the remote computer because the Remote Desktop Gateway is temporarily unavailable"

First the environment.

Inside and outside domain match, mydomain.org
All servers are 2012R2, 3 RDSH servers running a single collection of remote desktops (no remote apps), 2 RD Broker servers in HA, 1 RD Gateway/Web access server
External name of the gateway server is remote.mydomain.org, which the SSL matches. Internal name is rdgwy01.mydomain.org. RDSH servers are rdsh01/03.mydomain.org. Brokers are rdbroker01/02.mydomain.org. Internal DNS has the name rdsh.mydomain.org as an A record for the IP's of each of the 3 rdsh servers. The Gateway server has a Local Computer Group for rdsh01/03.mydomain.org and rdsh.mydomain.org

The system worked great for many months, then suddenly, several users are randomly getting "Your computer can't connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance". According to another admin, this issue started after a batch of Windows updates months ago. I have personally never seen the error happen to me, nor has he. But we do have screenshots of it happening to others. Not really sure how to fix it because of this. When it happens to others, they are typically thousands of miles from us :). They complained about getting kicked out repeatedly as well. We didn't have that issue either. We'd take their accounts and use them on night shift all night for general purposes (writing reports, playing 10 hour YouTube videos etc.) and never have an issue. This has happened on both their home computers (which is the main purpose for the remote system) and with their company provided, domain joined computers taken off premises. This issue *has not* affected anyone inside the premises on the corporate network (there's about 200 systems that use it all day).

Any suggestions?
Casey Weaver (Managed Services Windows Engineer III) asked:

Cliff Galiher commented:
You should not be using round robin DNS for your session host servers. That rdsh.blah.org record is erroneous and is not letting the session broker do its job. I'm surprised this ever worked for you, as that is not an appropriate configuration.
Casey Weaver (Managed Services Windows Engineer III, author) commented:
Well right now the systems are using that name both inside and out. What is the appropriate way to do it? When I pointed our Wyse thin clients at a broker, it just tried to do an RD session with the broker, which of course got denied. When we used a round robin name, the clients still got balanced. The articles for 2012 also stated I was supposed to make a local group with the RDSH servers and the farm name, which I was told was the round robin name.
Cliff Galiher commented:
"The articles for 2012 told me" ....what articles? Certainly (hopefully!) not any Microsoft TechNet articles.  There are bad articles from third parties out there still trying to do things the 2008 way.

In 2012, you will want to use a modern RDP client (ones found in the app stores for their various platforms), RDWeb, or the RD desktops and apps control panel to subscribe to a feed. Those RDP files contain the appropriate settings you need.

The "classic" RDC has not been updated with GUI settings to define a collection, so connecting to a broker via RDC will indeed just connect to the broker since no collection was specified. But connecting via round robin does not pass the appropriate settings to the client, so licensing doesn't work as expected, nor does session affinity, which both will cause the symptoms you describe. Yes, round robin will *loosely* load balance, but you get none of the other benefits, or even necessary functions, of the broker in 2012.  Using one of the above methods to connect resolves this issue as the .rdp files sent to the modern client, via the web, or via the subscribed feed, define the extra settings in the file that the broker needs to properly create a session affinity and license model.

The only place you should be using round robin DNS is for the brokers themselves, and that works because the SQL database backing the brokers is shared by two in HA, and thus the data itself is a single source that either broker can read or update as needed.
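The answer above turns on what the `.rdp` file a client actually uses contains. The following PowerShell is an added example, not code from the thread or from Microsoft: it parses the `name:type:value` lines of an `.rdp` file and reports whether the file names a broker collection (the `loadbalanceinfo` value a RDWeb or feed-published file carries) or merely points at a host name with no collection, as a hand-made round-robin file would. The sample file content, the collection name "Desktops" and the host names `rdbroker.mydomain.org` / `remote.mydomain.org` are constructed assumptions.

```powershell
# Added example (not from the original thread): inspect the settings of a .rdp
# file and report whether it carries what a 2012 broker needs.
# The sample content below is constructed; collection and host names are assumptions.
$SampleRdp = @"
full address:s:rdbroker.mydomain.org
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Desktops
gatewayhostname:s:remote.mydomain.org
use redirection server name:i:1
"@

function Get-RdpSettings {
    param([Parameter(Mandatory)][string]$RdpText)
    $settings = @{}
    foreach ($line in $RdpText -split "`r?`n") {
        # each line is name:type:value; the value itself may contain colons
        if ($line -match '^([^:]+):([is]):(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[3].Trim()
        }
    }
    return $settings
}

function Test-RdpBrokerAware {
    param([Parameter(Mandatory)][string]$RdpText)
    $s  = Get-RdpSettings -RdpText $RdpText
    $lb = $s['loadbalanceinfo']

    # A file published by RDWeb or the feed names the collection here;
    # a file that only sets "full address" to a round-robin name does not.
    $collection = $null
    if ($lb -match '^tsv://MS Terminal Services Plugin\.1\.(.+)$') {
        $collection = $Matches[1]
    }

    [pscustomobject]@{
        FullAddress     = $s['full address']
        Gateway         = $s['gatewayhostname']
        LoadBalanceInfo = $lb
        CollectionName  = $collection
        BrokerAware     = [bool]$collection
    }
}

# Check the constructed sample; point -RdpText at (Get-Content -Raw some.rdp) for a real file
Test-RdpBrokerAware -RdpText $SampleRdp | Format-List
```

Run it against a file downloaded from RDWeb and against one built by hand for the round-robin name: the former shows `BrokerAware : True` with the collection name, the latter shows no `loadbalanceinfo` at all, which is the difference Cliff describes between a broker-managed session (affinity and licensing work) and a plain RDP hop to whichever host DNS returned.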


Casey Weaver (Managed Services Windows Engineer III, author) commented:
So if I'm not supposed to round robin, am I just supposed to leave the rdsh servers in the Gateway RAP, and no farm name? As for not using round robin with the Thin Clients, they are Wyse ThinOS 8.0.512, so they are supposed to be RDP8 compliant, and 2012 certified. I'll have to test to see if I can make it work without a farm name. At the time we were using them, the systems were stuck on Wyse 7.1.x, which was not 2012 certified.

So what do clients actually target? Just any of the 3 session hosts, or point them at one of the two brokers? Or use a round robin name for the brokers? The goal is that should either a broker or rdsh server fail, people will still get connected to a resource.
Cliff Galiher commented:
If your thin clients are certified, they should have a way to subscribe to the remote desktop feed or have a basic web browser. Since each thin client is different, that is the most specific I can  get. I dropped Wyse shortly after Dell bought them, so what they expose and how to configure them is definitely not something I can comment on. I can only tell you that server-side, you currently have it wrong.
Casey Weaver (Managed Services Windows Engineer III, author) commented:
Ok, ignoring the thin clients, how should the gateway be set up to connect? If I remove the round robin, does it still avoid the single point of failure?
Cliff Galiher commented:
In a default configuration, yes. As long as you make changes via Server Manager, and set up the broker as HA through Server Manager, it will update the gateway to connect to the broker's cluster network name, so that will continue to be HA. And the brokers will then load balance across the individual session hosts. So those will also remain highly available without round robin in the mix there.

Now, if you are going in and manually configuring gateway settings, you'd need to update them accordingly, but it is still possible, yes, without round robin. But this should also be an edge case. Stick to Server Manager for configuring RDS whenever possible.
Casey Weaver (Managed Services Windows Engineer III, author) commented:
This worked out for us. It required buying a wildcard to properly secure the rest of the servers, and not just the gateway. I will do a writeup over Christmas to show how to get WYSE units to properly work with a solution like this.
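Cliff's point is that Server Manager writes the broker cluster name into the gateway configuration and the broker balances the hosts itself. The script below is an added example, not from the thread, showing how to read that configuration back with the RemoteDesktop module so the three pieces (broker HA name, gateway settings, collection hosts) can be checked together rather than by trusting the GUI. It assumes it runs on a member of the deployment under an account with RDS deployment rights; the broker name `rdbroker01.mydomain.org` is taken from the question, and the assumption that `Get-RDConnectionBrokerHighAvailability` returns nothing when HA is not configured is noted in a comment.

```powershell
# Added example (not from the thread): read back what Server Manager configured.
# Requires the RemoteDesktop module on a server in the deployment and an account
# with deployment admin rights. Broker name comes from the question's environment.
Import-Module RemoteDesktop
$Broker = 'rdbroker01.mydomain.org'   # any broker in the HA pair will do

function Get-RdsDeploymentSummary {
    param([Parameter(Mandatory)][string]$ConnectionBroker)

    # Broker HA: ClientAccessName is the cluster DNS name that clients and the
    # gateway should target. Assumption: the cmdlet returns nothing when HA is not set up.
    $ha = Get-RDConnectionBrokerHighAvailability -ConnectionBroker $ConnectionBroker
    if ($null -eq $ha) {
        Write-Warning "Broker $ConnectionBroker is not configured for high availability"
    }

    # Gateway settings as the deployment sees them (what Server Manager pushed).
    $gw = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker

    # Collections and the session hosts the broker balances across.
    $collections = foreach ($c in Get-RDSessionCollection -ConnectionBroker $ConnectionBroker) {
        $hosts = Get-RDSessionHost -CollectionName $c.CollectionName -ConnectionBroker $ConnectionBroker
        [pscustomobject]@{
            Collection = $c.CollectionName
            Hosts      = ($hosts | ForEach-Object {
                              "$($_.SessionHost) (newConnections=$($_.NewConnectionAllowed))"
                          }) -join ', '
        }
    }

    [pscustomobject]@{
        BrokerClientAccessName = if ($ha) { $ha.ClientAccessName } else { $null }
        ActiveManagementServer = if ($ha) { $ha.ActiveManagementServer } else { $null }
        GatewayMode            = $gw.GatewayMode
        GatewayExternalFqdn    = $gw.GatewayExternalFqdn
        Collections            = $collections
    }
}

$summary = Get-RdsDeploymentSummary -ConnectionBroker $Broker
$summary | Format-List
$summary.Collections | Format-Table -AutoSize
```

The value to look at first is `BrokerClientAccessName`: that is the name the published `.rdp` files and the gateway use, and it should be the HA cluster name rather than an individual broker or a round-robin record for the session hosts. If it is empty, HA was never completed in Server Manager, and the gateway will have been left pointing at a single broker.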