Solved

How to configure Remote Desktop Gateway Behind a NAT

Posted on 2016-08-07
Last Modified: 2016-09-17
I am drawing a blank on how to get my RDG working behind a NAT. I am getting this error message.

Also, I had to NAT port 443 to port 446 as this port is already in use by another service in our organization. This is also running on Windows 2008 R2.

[Image: RDG error, Screen-Shot-2016-08-07-at-9.07.33-AM.png]
Question by:nappy_d
15 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 41746186
It seems to be a certificate issue rather than a NAT difficulty.

Does the W2K8R2 server have the Windows built-in firewall enabled? If yes, has its port 446 been opened for incoming RDP requests? Does any local computer work with the RDP server behind the firewall or gateway? Does the RDP server have valid certificates for the RDP services?
 
LVL 92

Expert Comment

by:John Hurst
ID: 41746187
I am not sure in this case. Port 443 is used for SSL, which is needed for many things. Can you try turning off the other service temporarily, revert to port 443, and then see whether that works?
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41746214
It seems that the connection is made, because it detects the certificate; indeed, you can view the certificate of the RDG. The problem seems to be that the certificate installed on that server was issued for another server.

A second supposition is that the service is trying to connect to whatever is running on port 443, so in this case the configuration of the NAT is not done properly.

First of all, click View Certificate, which may give us a clue.
 
LVL 32

Author Comment

by:nappy_d
ID: 41746226
@bing_cism...
  • Port 3389 is open on the server for RDP application access and is functioning well with remote access as well as local LAN access.
  • The server is behind a firewall, and NAT is also functioning well.
  • The server is using a self-signed certificate.

@John Hurst... Disabling the current 443 port is not an option, as a critical external site is hosted there and is not available to be taken off-line.

@Manuel Flores Ruiz... Yes, here is a screen grab of the certificate when the error appears. It is a self-signed cert. The DNS name of course does not match, as the server's internal name is different from the external domain name.

[Image: cert]
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41746232
OK... so that is the problem. Maybe you can instruct your client to avoid checking the certificate, something like:

[Image: options]
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 41746456
RdGateway uses 443, full stop. You can't remap the port. You don't need to forward 3389 (that defeats the purpose of RDGateway), but right now the client will get the certificate for this "critical" other service on 443 instead of your RDGateway certificate. So you'll chase your tail treating this as a certificate error. It is a NAT issue. Your choices are...

1) You get another public IP address so you can forward 443 to each service on each IP.

2) You don't forward 443 for the other service.

3) You configure a reverse proxy and UCC/SAN certificate so you can have both services on a single IP address.

4) Or you don't use RDGateway.
 
LVL 37

Expert Comment

by:bbao
ID: 41746521
> RdGateway uses 443, full stop.

Not really, it might be a comma. :) See below for how to alter the port.

http://m.windowsitpro.com/windows-server/change-remote-desktop-gateway-port
 
LVL 32

Author Comment

by:nappy_d
ID: 41747757
Sorry Bing, I see no such option to change the port.

Cliff, thanks for that. Currently looking into a secondary IP.

more to follow...
 
LVL 92

Expert Comment

by:John Hurst
ID: 41765846
You cannot do this the way you started. Do you have a resolution about a secondary IP?
 
LVL 32

Author Comment

by:nappy_d
ID: 41774919
Hi, a second IP is not available.

There is only one statically available IP. It is not really hosting anything else, but inbound RDP to an RDS server works 100%. I just need to configure this to work with RD Gateway, using the SAME IP.
 
LVL 92

Expert Comment

by:John Hurst
ID: 41774923
I don't think you can do what you want with only one external IP address.
 
LVL 92

Expert Comment

by:John Hurst
ID: 41794526
@nappy_d - You cannot do what you want and must use port 443. If you have no further comment, we should close it this way.
 
LVL 32

Author Comment

by:nappy_d
ID: 41794793
Hi everyone, I got this working.

  • Yes, this can be done with a single IP and NAT'ing to port 446.

The issue was the cert.
  • I created a new cert on my internal cert server.
  • Added the cert to my RDGW server.
  • Imported the cert onto my remote computer that was connecting via the RDGW.

These firewall rules I set work 100%:

[Image: RDGW firewall settings]
 
LVL 32

Accepted Solution

by:
nappy_d earned 500 total points (awarded by participants)
ID: 41794833
Hi everyone, I got this working. The issue was that I did not specify port 446 on my RDP client for the connection.

Yes, this can be done with a single IP and NAT'ing to port 446.

  • Imported the cert onto my remote computer that was connecting via the RDGW.
  • Set the RDGW settings to use port 446 (or any other NAT port you choose).
  • These firewall rules I set work 100%.

[Image: rdgw rdp settings]
[Image: rdgw monitor connections]
[Image: firewall rules]
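A client-side check that ties together the two strands of this thread: which service actually answers on the NAT'd port, and whether the certificate presented there carries the external gateway name and is trusted by the connecting client. This is an added example, not code from the thread or from Microsoft; the host name, port and function names are placeholders, and it is meant to be run from the remote client (on 443 it would show the other site's certificate, which is the mismatch Cliff describes).

```powershell
# Added diagnostic (not from the thread): connect to the NAT'd gateway port, report which
# certificate answers there, and check whether its DNS names cover the external gateway name.
# Host and port below are constructed placeholders; adjust to your own external name and NAT port.
param(
    [string]$GatewayHost = 'rdgw.example.com',  # external name the RDP client dials
    [int]$Port = 446                             # NAT'd port forwarded to 443 on the RDGW
)

function Get-TlsEndpointCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, $Port)
    # Accept any certificate during the handshake so it can be inspected; trust is reported separately.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        # Copy the certificate so it survives disposal of the stream.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    # The Subject Alternative Name extension (OID 2.5.29.17) may list further DNS names.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $names | Select-Object -Unique
}

$cert  = Get-TlsEndpointCertificate -HostName $GatewayHost -Port $Port
$names = Get-CertificateDnsNames -Cert $cert

"Certificate presented on ${GatewayHost}:${Port}"
"  Subject : $($cert.Subject)"
"  Issuer  : $($cert.Issuer)"
"  Names   : $($names -join ', ')"
# A name mismatch is the 'internal name vs external name' symptom from the thread; a web site's
# certificate answering instead means the NAT is steering the client to the wrong service.
# Exact-match check only; wildcard names are not expanded here.
"  Covers $GatewayHost : $($names -contains $GatewayHost)"
# Verify() walks the chain against this client's own certificate store: a self-signed RDGW cert
# only passes once it has been imported on the client, as the accepted solution did.
"  Trusted by this client : $($cert.Verify())"
```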