SSL certificates for Windows 2012 RDS environment.

I am trying to create a seamless login experience for my Windows 2012 RDS environment.

Currently, in my collection broker security settings, I am using "Negotiate" under security layer, and I have "Allow connections only from computers running Remote Desktop with Network Level Authentication" checked.  

When I purchase an SSL certificate for the RD Connection Broker - Enable Single Sign On and Publishing role services, can I just use a single cert such as mybrokerserver.mydomain.com?

As for the RD Web Access role service and RD Gateway, can I use another single cert such as remote.mydomain.com?

Using a wildcard probably makes more sense here, but we want to use an already existing Go Daddy UCC and add additional websites.

Please advise if you have an idea of what I should get.  

Thanks.
Asked by: nav2567

1 Solution
David Johnson, CD, MVP (Owner) commented:
Add your gateway address, i.e. remote.domain.com, and every server that has a connection broker or will be connected to, i.e. server1.domain.com, server2.domain.com, wks1.domain.com.
 
Mahesh (Architect) commented:
Ideally you need a cert for all servers that are part of the RDS deployment.

I don't know how big your environment is; a wildcard cert can be useful if you have many servers in the deployment or if you already have an existing one, because it is very expensive compared to a UCC cert.

Ideally you should get one UCC cert for the connection broker, RD gateway, session hosts and web access.
If your internal and external domain names are the same, then you don't need any other modifications in config other than getting the UCC cert; however, if that is not the case, you need to make a few changes in the RDS deployment config,
such as using the redirected server name for RDS collections to hide certificate errors. The redirected server name is nothing but the name in the certificate which points to the RD connection broker. This step is required because the RDS session host FQDN does not match the one provided in the cert:

Set-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection -CustomRdpProperty "use redirection server name:i:1 `n alternate full address:s:remote.domain.com"

- remote.domain.com is the RD connection broker FQDN

Another alternative could be renaming the RDS deployment name through a PowerShell script.
In the above script, Set-RDPublishedName "remote.contoso.com" - where remote.domain.com is the RD connection broker FQDN - note that this FQDN must be resolvable from intranet DNS and internet public DNS.

Check the blog post below so that you will come to know what I mean:
https://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
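As an added example (not code from the thread or from the blog post linked above), the following PowerShell shows how one UCC/SAN certificate is applied to all four certificate slots of a 2012 RDS deployment in a single pass, followed by the redirection-name property the answer describes. In the RemoteDesktop module the slot "RD Connection Broker - Enable Single Sign On" is the RDRedirector role and "RD Connection Broker - Publishing" is the RDPublishing role. The broker name rdcb01.domain.com, the collection name, the PFX path and the published name remote.domain.com are assumptions; the PFX is assumed to contain remote.domain.com plus each server FQDN as SAN entries.

```powershell
# Added example (not from the original thread): assign one SAN/UCC certificate to every
# RDS role slot, verify the result, and hide the session-host name mismatch.
# Hypothetical values: broker rdcb01.domain.com, collection "QuickSessionCollection",
# PFX at C:\certs\remote.pfx, published name remote.domain.com.
Import-Module RemoteDesktop

$Broker     = 'rdcb01.domain.com'
$Collection = 'QuickSessionCollection'
$PfxPath    = 'C:\certs\remote.pfx'
$PfxPass    = Read-Host -Prompt 'PFX password' -AsSecureString

# The four certificate slots in Deployment Properties > Certificates:
#   RDRedirector  = RD Connection Broker - Enable Single Sign On
#   RDPublishing  = RD Connection Broker - Publishing
#   RDWebAccess   = RD Web Access
#   RDGateway     = RD Gateway
# With a single SAN certificate every slot gets the same PFX.
$Roles = 'RDRedirector', 'RDPublishing', 'RDWebAccess', 'RDGateway'
foreach ($Role in $Roles) {
    Set-RDCertificate -Role $Role -ImportPath $PfxPath -Password $PfxPass `
        -ConnectionBroker $Broker -Force
}

# Check: every role should now report the same thumbprint and Level "Trusted".
# "Untrusted" here means the issuing chain is not trusted on the broker, which is
# what clients will see too, so fix that before touching the collection.
Get-RDCertificate -ConnectionBroker $Broker |
    Select-Object Role, Level, Subject, Thumbprint, ExpiresOn |
    Format-Table -AutoSize

# Session hosts present their own FQDN to the client; with this property the client
# connects to the published broker name, so the name it validates is in the cert.
# Properties are newline-separated inside the string (`n), no leading spaces.
$RdpProps = "use redirection server name:i:1`nalternate full address:s:remote.domain.com"
Set-RDSessionCollectionConfiguration -CollectionName $Collection `
    -CustomRdpProperty $RdpProps -ConnectionBroker $Broker
```

Run this on the connection broker as an administrator of the deployment; Set-RDCertificate needs the PFX to include the private key, which is why the export step on the machine that generated the CSR matters (see the later comments in the thread).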
 
nav2567 (Author) commented:
We use split dns so our external and internal domains have the same name.

I need to get a UCC cert for each of the components in my farm:

     remote.mydomain.com
     myconnectionbrokerserver.mydomain.com
     myrdshost1.mydomain.com
     myrdshost2.mydomain.com

The first one is a WEB site for people to access which I know how to generate a CSR in IIS.

As for the other three, do I go to MMC on each server and generate a CSR from the Certificate>personal folder?  Request a cert and import it in there?

As for the most important part, which cert do I use to specify in the RD Connection Broker - Enable SSO and RD Connection Broker - Publishing under manage certificates in my connection broker server?

Please advise again.  

Thanks.
 
David Johnson, CD, MVP (Owner) commented:
Most CAs allow you to use one generated CSR and allow you to add the additional names. Download and install the new certificate on the machine that created the CSR, export the certificate with the private key and import it into the other servers.
 
Mahesh (Architect) commented:
SAN certificates were invented so that you can generate the CSR request from only one server with all hostnames. In fact only that machine has the certificate private key, which is generated when you raise the request, hence you have to install it on the same machine.

Later on you need to export it with the private key and import it on the other servers.
If you try to install the cert on another server directly, it won't have the private key.

Keep remote.domain.com as your cert common name (CN) - this should be the hostname of the RD connection broker.
The other names should come as alternate names (subject alternative names - DNS names).

Ultimately the system checks if the provided hostname is part of the cert (either CN or SAN entry).

Log on to any RDS server or other server (2008 and above) and generate a CSR with all hostnames.
Follow the article below to generate the CSR:
http://www.entrust.net/knowledge-base/technote.cfm?tn=8924
Ensure that the cert will be installed first on the same server from which you generated the CSR.
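The procedure in the last two comments (one SAN CSR from a single machine, install the issued certificate on that same machine, export with the private key, import elsewhere), as an added example that is not from the thread or the linked Entrust article. It uses certreq.exe with an INF file instead of the MMC wizard so the SAN list and the exportable-key flag are explicit, and ends with a check that the certificate really covers every FQDN in the farm and carries its private key. The hostnames, the organisation fields in the Subject, and the C:\certs paths are assumptions.

```powershell
# Added example (not from the original thread): SAN CSR on one server, export/import of the
# issued certificate with its private key, and a coverage check for the RDS hostnames.
# Hypothetical names: remote.domain.com (CN and broker published name), rdcb01, rdsh01, rdsh02.
$Names = 'remote.domain.com', 'rdcb01.domain.com', 'rdsh01.domain.com', 'rdsh02.domain.com'

# 1. Build the certreq INF. Exportable = TRUE is what later allows the PFX export; without it
#    the key is bound to this machine and the other servers can never get it.
#    2.5.29.17 is the Subject Alternative Name extension; entries are "dns=<fqdn>" joined by "&".
$San = ($Names | ForEach-Object { "dns=$_" }) -join '&'
$Inf = @"
[NewRequest]
Subject = "CN=$($Names[0]), O=Example Org, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$San"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\remote.inf -Value $Inf
certreq.exe -new C:\certs\remote.inf C:\certs\remote.csr
# Submit C:\certs\remote.csr to the CA, add the extra names in the CA's order form if needed,
# save the issued certificate as C:\certs\remote.cer, then ON THE SAME SERVER pair it with the key:
certreq.exe -accept C:\certs\remote.cer

# 2. Export the installed certificate together with its private key and move it to the other
#    RDS servers. Import-PfxCertificate on the target lands it in LocalMachine\My with the key.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$($Names[0])*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$Pass = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $Cert -FilePath C:\certs\remote.pfx -Password $Pass | Out-Null
# On rdsh01 / rdsh02 after copying the PFX there:
#   Import-PfxCertificate -FilePath C:\certs\remote.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $Pass

# 3. Coverage check. DnsNameList is the SAN DNS list when a SAN is present (clients ignore the
#    CN in that case), so a CN that is not repeated in the SAN is reported as missing on purpose.
function Test-RdsCertCoverage {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string[]]$RequiredNames
    )
    $Covered = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })
    $Missing = @($RequiredNames | Where-Object { $Covered -notcontains $_.ToLowerInvariant() })
    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey
        Missing       = $Missing
        Ok            = ($Certificate.HasPrivateKey -and $Missing.Count -eq 0)
    }
}
Test-RdsCertCoverage -Certificate $Cert -RequiredNames $Names
```

Run Test-RdsCertCoverage again on each server after the import: a result with HasPrivateKey false is exactly the "installed on another server directly" mistake the comment above warns about, and a non-empty Missing list means a session host was left out of the SAN and will still trigger certificate warnings.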
Question has a verified solution.
