  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 609

How to configure Remote Desktop Gateway Behind a NAT

I am drawing a blank on how to get my RDG working behind a NAT. I am getting this error message.

Also, I had to NAT port 443 to port 446, as port 443 is already in use by another service in our organization. This is also running on Windows 2008 R2.

[Screenshot: RDG error]

Asked by nappy_d
1 Solution
 
bbao (IT Consultant) commented:
It seems to be a certificate issue rather than a NAT difficulty.

Does the W2K8R2 server have the Windows built-in firewall enabled? If yes, has port 446 been opened for incoming RDP requests? Does any local computer work with the RDP server behind the firewall or gateway? Does the RDP server have valid certificates for the RDP services?
 
John Hurst (Business Consultant, Owner) commented:
I am not sure in this case. Port 443 is used for SSL, which is needed for many things. Can you try turning off the other service temporarily, reverting to port 443, and then seeing whether that works?
 
Manuel Flores commented:
It seems that the connection is being made, because it detects the certificate; indeed, you can view the certificate of the RDG. The problem seems to be that the certificate installed on that server was issued for another server.

A second supposition is that the service is trying to connect to whatever is running on port 443, so in this case the NAT is not configured properly.

First of all, click View Certificate, which may give us a clue.
nappy_d (Author) commented:
@bing_cism...
  • Port 3389 is open on the server for RDP application access and is functioning well for remote access as well as local LAN access.
  • The server is behind a firewall, and NAT is also functioning well.
  • The server is using a self-signed certificate.

@John Hurst... Disabling the current 443 port is not an option, as a critical external site is hosted on it and cannot be taken offline.

@Manuel Flores Ruiz... Yes, here is a screen grab of the certificate when the error appears. It is a self-signed cert. The DNS name of course does not match, as the server's internal name differs from the external domain name.

[Screenshot: certificate]
 
Manuel Flores commented:
OK... so that is the problem. Maybe you can instruct your client to avoid checking the certificate, something like:

[Screenshot: RDP client options]
 
Cliff Galiher commented:
RdGateway uses 443, full stop. You can't remap the port. You don't need to forward 3389 (that defeats the purpose of RDGateway) but right now the client will get the certificate for this "critical" other service on 443 instead of your RDGateway certificate. So you'll chase your tail treating this as a certificate error. It is a NAT issue. Your choices are...
1) You get another public IP address so you can forward 443 to each service on each IP.

2) You don't forward 443 for the other service.

3) You configure a reverse proxy and UCC/SAN certificate so you can have both services on a single IP address.

4) Or you don't use RDGateway.
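The distinction Cliff draws above (NAT sending the gateway port to the wrong service versus the gateway answering with a certificate for the wrong name) can be settled from the client side by looking at which certificate the public IP actually presents on each port. The following PowerShell is an added example, not code from the thread or from any participant; the host name rdgw.example.com and the ports are placeholder assumptions.

```powershell
# Added example (not from the original thread). Opens a TLS session to host:port,
# accepts whatever certificate is offered, and reports its names so the operator
# can see whether the RD Gateway's certificate or some other service's came back.
# 'rdgw.example.com' and port 446 are placeholders (assumptions).
function Get-PresentedTlsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,   # public name the RDP client will use
        [int]$Port = 443,                                       # NAT'd public port, e.g. 446 in this thread
        [string]$ExpectedName = $ComputerName                   # name that must appear in CN or SAN
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)

        # Accept any certificate: this is a probe, validation is reported below, not enforced.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        # SNI carries $ComputerName; a reverse proxy on 443 may choose its certificate from it.
        $ssl.AuthenticateAsClient($ComputerName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Every DNS name the certificate is valid for: CN (or first SAN) plus all SAN dNSName entries.
        # Exact match only; wildcard names are not expanded here.
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }

        New-Object PSObject -Property @{
            Endpoint    = "${ComputerName}:$Port"
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
            NotAfter    = $cert.NotAfter
            Thumbprint  = $cert.Thumbprint
            DnsNames    = $names
            NameMatches = ($names -contains $ExpectedName)
        }
        $ssl.Dispose()
    }
    finally {
        $client.Close()
    }
}

# Compare what the NAT'd gateway port returns with what the other service on 443 returns.
Get-PresentedTlsCertificate -ComputerName 'rdgw.example.com' -Port 446
Get-PresentedTlsCertificate -ComputerName 'rdgw.example.com' -Port 443
```

Reading the result: if the Subject on port 446 is the other web site's certificate (the same Thumbprint as on 443), the NAT is not delivering that port to the gateway and no certificate work will help. If the Subject is the gateway's internal host name, the gateway is reachable and the fix is a certificate whose CN or SAN contains the public name (NameMatches true), which is the situation the author's screenshot describes.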
 
bbao (IT Consultant) commented:
> RdGateway uses 443, full stop.

Not really; it might be a comma. :) See below for how to alter the port.

http://m.windowsitpro.com/windows-server/change-remote-desktop-gateway-port
 
nappy_d (Author) commented:
Sorry Bing, I see no such option to change the port.

Cliff, thanks for that. Currently looking into a secondary IP.

more to follow...
 
John Hurst (Business Consultant, Owner) commented:
You cannot do this the way you started. Do you have a resolution about a secondary IP?
 
nappy_d (Author) commented:
Hi, a second IP is not available.

There is only one static IP available. It is not really hosting anything else, but inbound RDP to an RDS server works 100%. I just need to configure this to work with RD Gateway, using the SAME IP.
 
John Hurst (Business Consultant, Owner) commented:
I don't think you can do what you want with only one external IP address.
 
John Hurst (Business Consultant, Owner) commented:
@nappy_d - You cannot do what you want and must use port 443.  If you have no further comment, we should close it this way.
 
nappy_d (Author) commented:
Hi everyone, I got this working.

  • Yes, this can be done with a single IP and NAT'ing to port 446.

The issue was the cert.
  • I created a new cert on my internal cert server.
  • Added the cert to my RDGW server.
  • Imported the cert onto my remote computer that was connecting via the RDGW.

These firewall rules I set work 100%.

[Screenshot: RDGW firewall settings]
 
nappy_d (Author) commented:
Hi everyone, I got this working. The issue was that I did not specify port 446 on my RDP client for the connection.

Yes, this can be done with a single IP and NAT'ing to port 446.

  • Imported the cert onto my remote computer that was connecting via the RDGW.
  • Set the RDGW settings to use port 446 (or any other NAT port you choose).
  • These firewall rules I set work 100%.

[Screenshots: RDGW RDP settings; RDGW monitored connections; firewall rules]
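The two client-side steps in the author's resolution, trusting the gateway certificate and telling the RDP client which public port the gateway is on, can be scripted. The PowerShell below is an added example written for this page, not the author's own settings or files; the host names, the .cer path and port 446 are assumptions, and the NAT is assumed to map public 446 to 443 on the gateway, so the gateway itself still listens on 443. It deliberately keeps certificate checking on (the alternative suggested earlier in the thread, disabling the check in the client, leaves the gateway connection open to interception) and refuses to install a leaf certificate that does not name the public gateway host, which was the mismatch shown in the author's screenshot.

```powershell
# Added example, not from the original thread. Client-side setup for an RD Gateway
# published behind NAT on a non-standard public port. rdgw.example.com,
# rdsh01.corp.local, .\rdgw-public.cer and port 446 are placeholders (assumptions).

# Step 1: trust the gateway certificate. For an internally issued cert import the
# CA certificate; for a self-signed gateway cert import the cert itself. A leaf cert
# is only accepted if it names the public gateway host. Run elevated (LocalMachine store).
function Import-RdGatewayTrustAnchor {
    param(
        [Parameter(Mandatory = $true)][string]$CertPath,     # .cer exported from the gateway or the CA
        [Parameter(Mandatory = $true)][string]$GatewayHost   # public name used in the .rdp file, without port
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Resolve-Path $CertPath).Path)

    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = ($bc -ne $null) -and $bc.CertificateAuthority
    if (-not $isCa) {
        # Leaf certificate: CN or SAN must contain the exact public name (wildcards not handled here).
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
        }
        if ($names -notcontains $GatewayHost) {
            throw "Certificate names [$($names -join ', ')] do not include '$GatewayHost'; the client would still report a name mismatch."
        }
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()
    $cert.Thumbprint
}

# Step 2: write an .rdp file that always uses the gateway and carries the public port
# in gatewayhostname (mstsc accepts host:port there). Keys are the documented RDP-file settings.
function New-RdGatewayRdpFile {
    param(
        [Parameter(Mandatory = $true)][string]$GatewayHost,  # public gateway name, must match the cert
        [int]$GatewayPort = 446,                              # public NAT'd port
        [Parameter(Mandatory = $true)][string]$TargetHost,   # internal RDS host, as the gateway resolves it
        [Parameter(Mandatory = $true)][string]$Path
    )
    $lines = @(
        "full address:s:$TargetHost",
        "gatewayhostname:s:${GatewayHost}:$GatewayPort",
        "gatewayusagemethod:i:1",          # 1 = always use the gateway, even for local addresses
        "gatewaycredentialssource:i:4",    # 4 = let the user choose the credential type at connect time
        "gatewayprofileusagemethod:i:1",   # 1 = use the explicit gateway settings in this file
        "promptcredentialonce:i:1",        # reuse the gateway credentials for the target host
        "authentication level:i:2"         # 2 = warn on server certificate problems instead of connecting silently
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode   # mstsc reads UTF-16 .rdp files
    Get-Item $Path
}

Import-RdGatewayTrustAnchor -CertPath '.\rdgw-public.cer' -GatewayHost 'rdgw.example.com'
New-RdGatewayRdpFile -GatewayHost 'rdgw.example.com' -GatewayPort 446 -TargetHost 'rdsh01.corp.local' -Path "$env:USERPROFILE\Desktop\rdgw.rdp"
```

Two caveats on the server side follow from the same assumption: because the NAT rewrites 446 to 443, the Windows Firewall rule on the 2008 R2 gateway is for 443 (the RD Gateway HTTPS rule), not 446; and with the gateway in place nothing needs to forward 3389 from the Internet, since the gateway reaches the RDS host on 3389 internally.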
