Solved

How to configure Remote Desktop Gateway Behind a NAT

Posted on 2016-08-07
Last Modified: 2016-09-17
I am drawing a blank on how to get my RDG working behind a NAT. I am getting this error message.

Also, I had to NAT port 443 to port 446, as this port is already in use by another service in our organization. This is also running on Windows 2008 R2.

[Screenshot: RDG error]
Question by:nappy_d
15 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 41746186
It seems to be a certificate issue rather than a NAT difficulty.

Does the W2K8R2 server have the Windows built-in firewall enabled? If yes, has its port 446 been opened for incoming RDP requests? Does any local computer work with the RDP server behind the firewall or gateway? Does the RDP server have valid certificates for the RDP services?
LVL 95

Expert Comment

by:John Hurst
ID: 41746187
I am not sure in this case. Port 443 is used for SSL which is needed for many things. Can you try turning off the other service temporarily, revert to Port 443, and then does that work?
LVL 5

Expert Comment

by:Manuel Flores
ID: 41746214
It seems that the connection is made, because it detects the certificate; indeed you can View the certificate of the RDG. The problem seems to be that the certificate installed on that server was issued for another server.

A second supposition is that the service is trying to connect to whatever is running at 443 port, so in this case, the configuration of the NAT is not properly done.

First of all, click View Certificate, which may give us a clue.
LVL 32

Author Comment

by:nappy_d
ID: 41746226
@bing_cism...
  • Port 3389 is open on the server for RDP application access and is functioning well with remote access as well as local LAN access.
  • The server is behind a firewall and NAT is also functioning well.
  • The server is using a self-signed certificate.

@John Hurst... Disabling the current 443 port is not an option, as a critical external site is hosted there and cannot be taken off-line.

@Manuel Flores Ruiz... Yes, here is a screen grab of the certificate when the error appears. It is a self-signed cert. The DNS name of course does not match, as the server's internal name differs from the external domain name.

[Screenshot: certificate]
LVL 5

Expert Comment

by:Manuel Flores
ID: 41746232
OK... so that is the problem. Maybe you can instruct your client not to check the certificate, something like:

[Screenshot: client options]
LVL 58

Expert Comment

by:Cliff Galiher
ID: 41746456
RdGateway uses 443, full stop. You can't remap the port. You don't need to forward 3389 (that defeats the purpose of RDGateway) but right now the client will get the certificate for this "critical" other service on 443 instead of your RDGateway certificate. So you'll chase your tail treating this as a certificate error. It is a NAT issue. Your choices are...
1) You get another public IP address so you can forward 443 to each service on each IP.

2) You don't forward 443 for the other service.

3) You configure a reverse proxy and UCC/SAN certificate so you can have both services on a single IP address.

4) Or you don't use RDGateway.
LVL 37

Expert Comment

by:bbao
ID: 41746521
> RdGateway uses 443, full stop.

Not really, it might be a comma. :) See below for how to alter the port.

http://m.windowsitpro.com/windows-server/change-remote-desktop-gateway-port
LVL 32

Author Comment

by:nappy_d
ID: 41747757
Sorry Bing, I see no such option to change the port.

Cliff, thanks for that. Currently looking into a secondary IP.

more to follow...
LVL 95

Expert Comment

by:John Hurst
ID: 41765846
You cannot do this the way you started. Do you have a resolution about a secondary IP?
LVL 32

Author Comment

by:nappy_d
ID: 41774919
Hi, a second IP is not available.

There is only one statically available IP. It is not really hosting anything else, but inbound RDP to an RDS server works 100%. I just need to configure this to work with RD Gateway, using the SAME IP.
LVL 95

Expert Comment

by:John Hurst
ID: 41774923
I don't think you can do what you want with only one external IP address.
LVL 95

Expert Comment

by:John Hurst
ID: 41794526
@nappy_d - You cannot do what you want and must use port 443. If you have no further comment, we should close it this way.
LVL 32

Author Comment

by:nappy_d
ID: 41794793
Hi everyone, I got this working.

  • Yes, this can be done with a single IP and NAT'ing to port 446

The issue was the cert.

  • I created a new cert on my internal cert server
  • Added the cert to my RDGW server
  • Imported the cert onto my remote computer that was connecting via the RDGW

These firewall rules I set work 100%

[Screenshot: RDGW firewall settings]
LVL 32

Accepted Solution

by: nappy_d earned 500 total points (awarded by participants)
ID: 41794833
Hi everyone, I got this working. The issue was that I did not specify port 446 on my RDP client for the connection.

Yes, this can be done with a single IP and NAT'ing to port 446

  • Imported the cert onto my remote computer that was connecting via the RDGW
  • Set the RDGW settings to use port 446 (or any other NAT port you choose)
  • These firewall rules I set work 100%

[Screenshot: RDGW RDP settings]
[Screenshot: RDGW monitor connections]
[Screenshot: firewall rules]
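The two points this thread turns on, which certificate the public NAT port actually presents and the gateway port the RDP client must be told about, as an added PowerShell example that is not from any participant in the thread: it captures the certificate served on the NATed port (so an RD Gateway cert can be told apart from the other service living on 443), checks whether this client trusts it, and writes an .rdp file that pins the gateway to host:446. The hostnames, port and output path are assumed placeholders.

```powershell
# Added example: inspect the certificate on the NATed gateway port and write an .rdp file
# that names the port explicitly. Hostnames and port below are placeholders (assumptions).
param(
    [string]$GatewayHost = 'rdgw.example.com',  # public name of the RD Gateway (placeholder)
    [int]$GatewayPort    = 446,                  # external port NATed to 443 on the gateway
    [string]$RdpTarget   = 'rds01.corp.local'    # internal RDS host reached via the gateway (placeholder)
)

# 1. Open a TLS session to the public port and capture the certificate it presents.
#    The callback accepts any certificate so it can be inspected; trust is checked in step 3.
$client = New-Object System.Net.Sockets.TcpClient($GatewayHost, $GatewayPort)
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($GatewayHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $client.Close()
}

# 2. If the subject/SAN belong to the other service on 443, the NAT rule is delivering
#    gateway traffic to the wrong host: a NAT problem, not a certificate problem.
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) { "SAN        : $($san.Format($false))" }

# 3. Chain trust from this client's store. A self-signed gateway cert fails here until it
#    has been imported on the connecting computer, which is what the author ended up doing.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($cert)
$status  = if ($trusted) { 'yes' } else { 'no (' + ($chain.ChainStatus.Status -join ', ') + ')' }
"Trusted    : $status"

# 4. The fix from the accepted solution: the client must be told the gateway port.
#    Without ':446' the client uses 443 and lands on the other service.
$rdp = @"
full address:s:$RdpTarget
gatewayhostname:s:${GatewayHost}:$GatewayPort
gatewayusagemethod:i:1
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:1
"@
$out = Join-Path $env:USERPROFILE "Desktop\rdgw-$RdpTarget.rdp"   # assumed output location
Set-Content -Path $out -Value $rdp -Encoding ASCII
"Wrote      : $out (open with: mstsc $out)"
```

Run it from the connecting computer; a subject or SAN that names the other 443 service points at the NAT rule, while a "Trusted: no" result on the gateway's own certificate points at the client's certificate store.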