nav2567
SSL certificates for Windows 2012 RDS environment.

I am trying to create a seamless login experience for my Windows 2012 RDS environment.

Currently, in my collection broker security settings, I am using "Negotiate" under security layer, and I have "Allow connections only from computers running Remote Desktop with Network Level Authentication" checked.  

When I purchase an SSL certificate for the RD Connection Broker Enable Single Sign On and Publishing role services, can I just use a single cert such as mybrokerserver.mydomain.com?

As for the RD Web Access role service and RD Gateway, can I use another single cert such as remote.mydomain.com?

Using a wildcard probably makes more sense here, but we want to use an already existing Go Daddy UCC and add additional websites.

Please advise if you have an idea of what I should get.  

Thanks.
David Johnson, CD

Add your gateway address, i.e. remote.domain.com, and every server that has a connection broker or will be connected to, i.e. server1.domain.com, server2.domain.com, wks1.domain.com.
Ideally you need a cert for all servers that are part of the RDS deployment.

I don't know how big your environment is; a wildcard cert can be useful if you have many servers in the deployment or if you already have an existing one, because it is very expensive compared to a UCC cert.

Ideally you should get one UCC cert for the connection broker, RD gateway, session hosts and web access.
If your internal and external domain names are the same, then you don't need any other modifications in the config other than getting the UCC cert; however, if that is not the case, you need to make a few changes in the RDS deployment config,
such as using the redirected server name for RDS collections to hide certificate errors. The redirected server name is nothing but the name in the certificate which points to the RD Connection Broker. This step is required because the RDS session host FQDNs do not match the one provided in the cert:
Set-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection -CustomRdpProperty "use redirection server name:i:1 `n alternate full address:s:remote.domain.com"


- remote.domain.com is the RD Connection Broker FQDN

Another alternative could be that you rename the RDS deployment name through a PowerShell script.
In the above script, Set-RDPublishedName "remote.contoso.com", where remote.domain.com is the RD Connection Broker FQDN; note that this FQDN must be resolvable from both the intranet DNS and the public internet DNS.

Check the blog post below so that you will know what I mean:
https://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/
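The answer above turns on one point: every FQDN an RDP client is handed (gateway, broker, session hosts, web access) must appear in the certificate, or the client sees a name mismatch. This added PowerShell check is not from the thread or the linked blog; it lists a certificate's Subject Alternative Names and reports which RDS FQDNs are not covered, honouring the one-label rule for wildcards. Get-CertDnsName, Test-RdsCertCoverage and the server names are assumptions and placeholders, and the self-signed cert exists only so the check runs without a purchased one.

```powershell
# Added example (not from the thread): verify that a certificate's Subject
# Alternative Names cover every FQDN in the RDS deployment before installing it
# for the broker roles. Server names are the asker's placeholders; the
# self-signed certificate is constructed here so the check runs without a
# purchased cert (run in a Windows PowerShell session that has the PKI module).
function Get-CertDnsName {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    # 2.5.29.17 is the Subject Alternative Name extension OID
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders e.g. "DNS Name=remote.mydomain.com, DNS Name=..." (English locale)
        $names += ($san.Format($false) -split ',\s*' |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    # Certs without a SAN extension only carry the subject CN
    if (-not $names -and $Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $names | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
}

function Test-RdsCertCoverage {
    param([string[]]$RequiredFqdn, [string[]]$CertDnsName)
    foreach ($fqdn in $RequiredFqdn) {
        $target  = $fqdn.ToLowerInvariant()
        $covered = $false
        foreach ($name in $CertDnsName) {
            if ($name -eq $target) { $covered = $true; break }
            # A wildcard covers exactly one label: *.mydomain.com matches
            # host.mydomain.com but not a.b.mydomain.com
            if ($name.StartsWith('*.')) {
                $suffix = $name.Substring(1)            # ".mydomain.com"
                $left   = $target.Substring(0, [Math]::Max(0, $target.Length - $suffix.Length))
                if ($target.EndsWith($suffix) -and $left -and $left -notmatch '\.') { $covered = $true; break }
            }
        }
        [pscustomobject]@{ Fqdn = $fqdn; Covered = $covered }
    }
}

# FQDNs an RDP client will be handed (the asker's names); on a live broker you
# could build this list from (Get-RDServer -ConnectionBroker $broker).Server instead.
$required = 'remote.mydomain.com', 'myconnectionbrokerserver.mydomain.com',
            'myrdshost1.mydomain.com', 'myrdshost2.mydomain.com'
# Constructed test certificate, deliberately missing myrdshost2 to show a gap
$cert = New-SelfSignedCertificate -DnsName 'remote.mydomain.com', 'myconnectionbrokerserver.mydomain.com', 'myrdshost1.mydomain.com' -CertStoreLocation Cert:\CurrentUser\My
Test-RdsCertCoverage -RequiredFqdn $required -CertDnsName (Get-CertDnsName $cert) | Format-Table -AutoSize
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"   # clean up the test cert
```

Against a purchased cert, replace the New-SelfSignedCertificate line with Get-ChildItem on the Cert:\LocalMachine\My path of the thumbprint you intend to assign with Set-RDCertificate; any row showing Covered = False is a name the UCC still needs before the broker roles will present it cleanly.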
nav2567 (ASKER)

We use split dns so our external and internal domains have the same name.

I need to get a UCC cert for each of the components in my farm:

     remote.mydomain.com
     myconnectionbrokerserver.mydomain.com
     myrdshost1.mydomain.com
     myrdshost2.mydomain.com

The first one is a web site for people to access, for which I know how to generate a CSR in IIS.

As for the other three, do I go to the MMC on each server and generate a CSR from the Certificates > Personal folder? Request a cert and import it in there?

As for the most important part, which cert do I use to specify in the RD Connection Broker - Enable SSO and RD Connection Broker - Publishing under manage certificates in my connection broker server?

Please advise again.  

Thanks.
Most CAs allow you to use one generated CSR and add the additional names. Download and install the new certificate on the machine that created the CSR, export the certificate with the private key and import it into the other servers.
ASKER CERTIFIED SOLUTION
Mahesh