Solved

How to configure Remote Desktop Gateway Behind a NAT

Posted on 2016-08-07
Last Modified: 2016-09-17
I am drawing a blank on how to get my RDG working behind a NAT. I am getting this error message.

Also, I had to NAT port 443 to port 446, as this port is already in use by another service in our organization. This is also running on Windows 2008 R2.

[screenshot: RDG error]
Question by:nappy_d
15 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 41746186
It seems to be a certificate issue rather than a NAT difficulty.

Does the W2K8R2 server have the Windows built-in firewall enabled? If yes, has port 446 been opened for incoming RDP requests? Does any local computer work with the RDP server behind the firewall or gateway? Does the RDP server have valid certificates for the RDP services?
 
LVL 90

Expert Comment

by:John Hurst
ID: 41746187
I am not sure in this case. Port 443 is used for SSL which is needed for many things. Can you try turning off the other service temporarily, revert to Port 443, and then does that work?
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41746214
It seems that the connection is made, because it detects the certificate; indeed, you can view the certificate of the RDG. The problem seems to be that the certificate installed on that server was issued for another server.

A second supposition is that the service is trying to connect to whatever is running at 443 port, so in this case, the configuration of the NAT is not properly done.

First of all, click View Certificate which would give us any clue.
 
LVL 32

Author Comment

by:nappy_d
ID: 41746226
@bing_cism...
  • Port 3389 is open on the server for RDP application access and functioning well with remote access as well as local LAN access.
  • The server is behind a firewall, and NAT is also functioning well.
  • The server is using a self-signed certificate.

@John Hurst... Disabling the current 443 port is not an option, as a critical external site is hosted on it and cannot be taken off-line.

@Manuel Flores Ruiz... Yes, here is a screen grab of the certificate when the error appears. It is a self-signed cert. The DNS name of course does not match, as the server's internal name is different from the external domain name.

[screenshot: cert]
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41746232
OK... so that is the problem. Maybe you can instruct your client to avoid checking the certificate, something like:

[screenshot: options]
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41746456
RdGateway uses 443, full stop. You can't remap the port. You don't need to forward 3389 (that defeats the purpose of RDGateway) but right now the client will get the certificate for this "critical" other service on 443 instead of your RDGateway certificate. So you'll chase your tail treating this as a certificate error. It is a NAT issue. Your choices are...
1) You get another public IP address so you can forward 443 to each service on each IP.

2) You don't forward 443 for the other service.

3) You configure a reverse proxy and UCC/SAN certificate so you can have both services on a single IP address.

4) Or you don't use RDGateway.
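A quick way to settle the "certificate error or NAT error?" question raised above is to look at which certificate actually answers on each public port. The following is an added diagnostic, not code from the thread: it opens a TLS session to a host:port, records the certificate the listener presents without trusting it, and reports whether the names on that certificate cover the name the RDP client will use. Windows PowerShell 3.0 or later on the client is assumed; the host names in the usage comments are placeholders.

```powershell
# Added diagnostic (not from the thread): report the certificate a TLS listener
# presents, to separate "something else answered on that port" from "the
# gateway answered but its self-signed cert carries the wrong name".
# Assumes Windows PowerShell 3.0+; host names in the usage lines are placeholders.
function Get-TlsListenerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,  # public name the RDP client will use
        [int] $Port = 443,
        [string] $ExpectedName = $HostName                  # name the gateway cert should carry
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: we are inspecting the cert, not trusting it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Names the cert is valid for: the DNS name from CN/SAN plus every SAN DNS entry.
        $names = @()
        $primary = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($primary) { $names += $primary }
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq '2.5.29.17') {   # subjectAltName
                $names += [regex]::Matches($ext.Format($false), 'DNS Name=([^,]+)') |
                    ForEach-Object { $_.Groups[1].Value.Trim() }
            }
        }
        $names = @($names | Select-Object -Unique)

        # -like handles a wildcard entry such as *.example.com as well as an exact name.
        $matches = @($names | Where-Object { $ExpectedName -like $_ })

        [pscustomobject][ordered]@{
            Endpoint    = "${HostName}:$Port"
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
            NotAfter    = $cert.NotAfter
            Names       = $names
            NameMatches = ($matches.Count -gt 0)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Usage (placeholder names): compare the NAT'd port with plain 443 on the same public name.
# Get-TlsListenerCertificate -HostName 'rdgw.example.com' -Port 446
# Get-TlsListenerCertificate -HostName 'rdgw.example.com' -Port 443
```

If the Subject on port 443 belongs to the other hosted site while port 446 shows the gateway's own certificate, the client is simply talking to the wrong listener and no certificate work will fix it; if port 446 shows the gateway's self-signed certificate with NameMatches false, the fix is a certificate issued for the public name (and trusted by the client), which is the route the asker eventually took.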
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 41746521
> RdGateway uses 443, full stop.

not really, it might be a comma. :) see below about how to alter the port.

http://m.windowsitpro.com/windows-server/change-remote-desktop-gateway-port
 
LVL 32

Author Comment

by:nappy_d
ID: 41747757
Sorry Bing, I see no such option to change the port.

Cliff, thanks for that. Currently looking into a secondary IP.

More to follow...
 
LVL 90

Expert Comment

by:John Hurst
ID: 41765846
You cannot do this the way you started. Do you have a resolution about a secondary IP?
 
LVL 32

Author Comment

by:nappy_d
ID: 41774919
Hi, a second IP is not available.

There is only one statically available IP. It is not really hosting anything else, but inbound RDP to an RDS server works 100%. I just need to configure this to work with RD Gateway, using the SAME IP.
 
LVL 90

Expert Comment

by:John Hurst
ID: 41774923
I don't think you can do what you want with only one external IP address.
 
LVL 90

Expert Comment

by:John Hurst
ID: 41794526
@nappy_d - You cannot do what you want and must use port 443. If you have no further comment, we should close it this way.
 
LVL 32

Author Comment

by:nappy_d
ID: 41794793
Hi everyone, I got this working.

  • Yes, this can be done with a single IP and NAT'ing to port 446

The issue was the cert.
  • I created a new cert on my internal cert server
  • Added the cert to my RDGW server
  • Imported the cert onto my remote computer that was connecting via the RDGW

These firewall rules I set work 100%

[screenshot: RDGW firewall settings]
 
LVL 32

Accepted Solution

by:
nappy_d earned 500 total points (awarded by participants)
ID: 41794833
Hi everyone, I got this working.  The issue was that I did not specify port 446 on my RDP client for connection.

Yes, this can be done with a single IP and NAT'ing to port 446

  • Imported the cert onto my remote computer that was connecting via the RDGW
  • Set the RDGW settings to use port 446 (or any other NAT port you choose)
  • These firewall rules I set work 100%

[screenshot: RDGW RDP settings]
[screenshot: RDGW monitor connections]
[screenshot: firewall rules]
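The accepted solution's screenshots are not reproduced on the page, so here is an added example (not the asker's own files) of the two client- and server-side pieces it describes: an .rdp file that sends the client through the gateway on the NAT'd external port, and the inbound firewall rule on the 2008 R2 gateway host. Assumptions: rdgw.example.com and rds01.corp.local are placeholders; the edge NAT maps external TCP 446 to the gateway's internal TCP 443 listener; the gateway certificate has already been imported as trusted on the client, as the asker did; and the "name:port" form of gatewayhostname is the .rdp equivalent of the port the asker typed into the client's gateway settings.

```powershell
# Added example (not the asker's files or screenshots): write an .rdp file that
# routes the session through the RD Gateway on the NAT'd external port, and open
# the gateway's inbound HTTPS listener on a 2008 R2 host with netsh.
# Assumptions: placeholder host names; external TCP 446 is NAT'd to the
# gateway's internal TCP 443; the gateway cert is already trusted on the client.

function New-RdGatewayRdpFile {
    param(
        [Parameter(Mandatory = $true)] [string] $GatewayHost,   # public name on the gateway cert
        [int] $GatewayPort = 446,                               # external NAT port, not 443
        [Parameter(Mandatory = $true)] [string] $TargetHost,    # RDS host reached through the gateway
        [Parameter(Mandatory = $true)] [string] $Path
    )
    # gatewayhostname takes "name:port"; that is how the client is told to use 446.
    # gatewayusagemethod 1        = always go through the gateway, even for LAN addresses
    # gatewayprofileusagemethod 1 = use the explicit settings in this file
    # gatewaycredentialssource 0  = ask for a password
    # authentication level 1      = refuse to connect if the server cert does not validate
    $lines = @(
        "full address:s:$TargetHost",
        "gatewayhostname:s:${GatewayHost}:$GatewayPort",
        "gatewayusagemethod:i:1",
        "gatewayprofileusagemethod:i:1",
        "gatewaycredentialssource:i:0",
        "promptcredentialonce:i:1",
        "authentication level:i:1"
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $lines
}

function Add-RdGatewayInboundRule {
    # Run on the gateway host itself. 2008 R2 has no New-NetFirewallRule cmdlet,
    # so the rule is added with netsh advfirewall. Only the gateway's own HTTPS
    # listener is opened; 3389 is never exposed at the edge.
    param([int] $ListenerPort = 443)
    netsh advfirewall firewall add rule name="RD Gateway HTTPS" `
        dir=in action=allow protocol=TCP localport=$ListenerPort profile=domain,private
}

# Usage (placeholder names):
# New-RdGatewayRdpFile -GatewayHost 'rdgw.example.com' -GatewayPort 446 `
#     -TargetHost 'rds01.corp.local' -Path "$env:USERPROFILE\Desktop\rds01-via-gateway.rdp"
# Add-RdGatewayInboundRule -ListenerPort 443
```

Setting authentication level to 1 is what makes the imported certificate matter: the client will refuse a gateway whose certificate it cannot validate, so a listener answering with the other site's certificate, or with an untrusted self-signed one, fails closed instead of silently connecting. Because the external port is carried in the .rdp file, the gateway's own listener can stay on 443 internally, which matches the asker's "NAT'ing to port 446" setup rather than changing the service port.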