Solved

How to configure Remote Desktop Gateway Behind a NAT

Posted on 2016-08-07
347 Views
Last Modified: 2016-09-17
I am drawing a blank on how to get my RDG working behind a NAT. I am getting this error message.

Also, I had to NAT port 443 to port 446, as this port is already in use by another service in our organization. This is also running on Windows 2008 R2.

[screenshot: RDG error]
Question by:nappy_d
15 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 41746186
It seems to be a certificate issue rather than a NAT difficulty.

Does the W2K8R2 server have the Windows built-in firewall enabled? If yes, has its port 446 been opened for incoming RDP requests? Does any local computer work with the RDP server behind the firewall or gateway? Does the RDP server have valid certificates for the RDP services?
 
LVL 97

Expert Comment

by:Experienced Member
ID: 41746187
I am not sure in this case. Port 443 is used for SSL which is needed for many things. Can you try turning off the other service temporarily, revert to Port 443, and then does that work?
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41746214
It seems that the connection is made, because it detects the certificate; indeed, you can view the certificate of the RDG. The problem seems to be that the certificate installed on that server was issued for another server.

A second supposition is that the service is trying to connect to whatever is running on port 443, so in this case the configuration of the NAT is not properly done.

First of all, click View Certificate which would give us any clue.
 
LVL 32

Author Comment

by:nappy_d
ID: 41746226
@bing_cism...
  • port 3389 is open on the server for RDP application access and functioning well with remote access as well as local lan access.
  • The server is behind a firewall, and NAT is also functioning well.
  • The server is using a self-signed certificate

@John Hurst... disabling the current 443 port is not an option as a critical external site is hosted and is not available to be taken off-line

@Manuel Flores Ruiz... Yes, here is a screen grab of the certificate when the error appears.  It is a self-signed cert.  The DNS name of course does not match, as the server's internal name is different from the external domain name.

[screenshot: certificate]
 
LVL 5

Expert Comment

by:Manuel Flores
ID: 41746232
OK... so that is the problem.  Maybe you can instruct your client to avoid checking the certificate, something like:

[screenshot: client options]
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 41746456
RdGateway uses 443, full stop. You can't remap the port. You don't need to forward 3389 (that defeats the purpose of RDGateway) but right now the client will get the certificate for this "critical" other service on 443 instead of your RDGateway certificate. So you'll chase your tail treating this as a certificate error. It is a NAT issue. Your choices are...
1) You get another public IP address so you can forward 443 to each service on each IP.

2) You don't forward 443 for the other service.

3) You configure a reverse proxy and UCC/SAN certificate so you can have both services on a single IP address.

4) Or you don't use RDGateway.
 
LVL 37

Expert Comment

by:bbao
ID: 41746521
> RdGateway uses 443, full stop.

not really, it might be a comma. :) see below about how to alter the port.

http://m.windowsitpro.com/windows-server/change-remote-desktop-gateway-port
 
LVL 32

Author Comment

by:nappy_d
ID: 41747757
Sorry Bing, I see no such option to change the port.

Cliff, Thanks for that.  Currently looking into secondary IP.

more to follow...
 
LVL 97

Expert Comment

by:Experienced Member
ID: 41765846
You cannot do this the way you started. Do you have a resolution about a secondary IP?
 
LVL 32

Author Comment

by:nappy_d
ID: 41774919
Hi, Second IP is not available.  

There is only one statically available IP.  It is not really hosting anything else but inbound RDP to an RDS server works 100%.  Just need to configure this work with RD Gateway, using the SAME ip.
 
LVL 97

Expert Comment

by:Experienced Member
ID: 41774923
I don't think you can do what you want with only one external IP address.
 
LVL 97

Expert Comment

by:Experienced Member
ID: 41794526
@nappy_d - You cannot do what you want and must use port 443.  If you have no further comment, we should close it this way.
 
LVL 32

Author Comment

by:nappy_d
ID: 41794793
Hi everyone, I got this working.

  • Yes, this can be done with a single IP and NAT'ing to port 446

The issue was the cert.  
  • I created a new cert on my internal cert server

  • Added the cert to my RDGW server
  • imported the cert onto my remote computer that was connecting via the RDGW

These firewall rules I set work 100%

[screenshot: RDGW firewall settings]
 
LVL 32

Accepted Solution

by: nappy_d (earned 2000 total points, awarded by participants)
ID: 41794833
Hi everyone, I got this working.  The issue was that I did not specify port 446 on my RDP client for connection.

Yes, this can be done with a single IP and NAT'ing to port 446

  • imported the cert onto my remote computer that was connecting via the RDGW
  • set the RDGW settings to use port 446 (or any other NAT port you choose)
  • These firewall rules I set work 100%

[screenshots: RDGW RDP settings; RDGW monitor connections; firewall rules]
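An added diagnostic for the two failure modes in this thread (it is not code from the thread or from any participant): it reads the gateway host and port from an .rdp file, where a missing port silently means 443 (the mistake in the accepted solution), and then does a TLS handshake against the NAT'ed port to report whether the presented certificate is trusted and whether its names match the gateway hostname. It assumes Python 3; the `cafile` argument is the exported gateway certificate that the author imported on the client, and every hostname and file name in the comments is hypothetical.

```python
import socket
import ssl


def parse_gateway_target(rdp_text, default_port=443):
    # Read gatewayhostname:s:<host>[:<port>] from .rdp text. mstsc assumes 443
    # when no port is given, so a gateway NAT'ed to 446 needs "host:446" here.
    for line in rdp_text.splitlines():
        if line.lower().startswith("gatewayhostname:s:"):
            value = line.split(":", 2)[2].strip()
            host, sep, port = value.rpartition(":")
            if sep and port.isdigit():
                return host, int(port)
            return value, default_port
    return None


def cert_dns_names(cert):
    # DNS SANs plus the subject CN from a dict shaped like SSLSocket.getpeercert().
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(v for k, v in rdn if k == "commonName")
    return names


def name_matches(cert, hostname):
    # Exact match, or a single-label wildcard such as *.example.com.
    host = hostname.lower()
    for name in cert_dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def probe_gateway(host, port, cafile=None, timeout=5):
    # TLS handshake against the NAT'ed port (e.g. rdgw.example.com:446, hypothetical).
    # cafile: the exported gateway certificate (self-signed or internal CA); when
    # omitted the system trust store is used, so a self-signed cert reports untrusted.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name mismatch is reported separately below
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "names": [], "name_ok": False, "error": str(exc)}
    return {"trusted": True, "names": cert_dns_names(cert),
            "name_ok": name_matches(cert, host), "error": None}
```

If `probe_gateway` returns names belonging to the other service on 443, the NAT is sending the client to the wrong port; if it returns `trusted: False` with the right names, the client still lacks the gateway certificate.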