Jay Schwegler
Remote Desktop Certificates
I've been trying to figure out the answer to this question, but seem to be getting conflicting answers. Both involve the certificate requirements for RDS so there are no certificate warnings or failures.
In a 2008r2 farm environment, does the certificate applied to the RDS session hosts only need to contain the farm DNS name or the farm DNS name plus the names of all the individual session hosts?
In a 2012 environment, does the certificate only need to cover the connection broker name, or the connection broker name plus each individual session host name?
Note that in both situations, I already know that I need certificates for the gateway and RDWeb; this is just for the relationship between the connection broker and the session hosts in the case where you aren't using a wildcard but rather a SAN cert. Thanks!
Thanks for your input
The answer is the same for both versions. The certificate must have all names to work properly.
ASKER
Thanks!
That totally makes sense for 2008 since you are hitting one of the RDS servers on the initial connection, then possibly getting redirected by the session broker after that.
Are you certain about 2012? In the certificate section it specifies gateway, web, and connection broker specifically. It doesn't say anything about the actual session hosts unless that falls under that other SSO cert option.
ASKER CERTIFIED SOLUTION
ASKER
Okay, so then what happens in the case where you have .local internal domain names?
You can change the connection broker DNS name via the link below and set up an internal DNS zone so it matches your certificate:
https://technet.microsoft.com/en-us/library/jj215484.aspx
That gets around it (which I've done before), but if the session hosts behind the CB all have .local addresses, that would theoretically fail, no?
Thanks for the response, not arguing with you, I just want to understand this once and for all.
There are some workarounds. But realistically I think the best option is to use a private certificate from an enterprise CA. Done properly, domain-joined machines will trust it by default, and I'd deploy the CA to non-domain machines through an MDM solution. From a security standpoint, I would want only machines vetted and managed (domain/MDM) accessing a server behind my firewalls anyways, so this isn't a big hurdle. And an enterprise CA can include .local in the SAN names, unlike a public CA.
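A coverage check for the point made in this thread (the broker or farm name plus every session host a client can be redirected to must appear in the certificate), added here as an example and not code from the thread. The hostnames and SAN lists are constructed; the wildcard handling follows the usual one-label rule for dNSName entries and is not tied to any RDS-specific API.

```python
"""Check whether a certificate's Subject Alternative Names cover every
hostname an RDS client may be redirected to (broker/farm name plus each
session host). All hostnames and SAN lists below are constructed examples."""


def _label_matches(pattern: str, label: str) -> bool:
    # A bare '*' label matches exactly one DNS label; partial wildcards
    # such as "rds*" are deliberately not accepted.
    return pattern == "*" or pattern == label


def name_matches(san_entry: str, hostname: str) -> bool:
    """True if a dNSName SAN entry covers hostname (case-insensitive)."""
    p = san_entry.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):            # a wildcard never spans multiple labels
        return False
    if p[0] == "*" and len(p) < 3:  # refuse "*.local"-style top-level wildcards
        return False
    return all(_label_matches(a, b) for a, b in zip(p, h))


def uncovered_names(san_entries, required_hosts):
    """Return the required hostnames that no SAN entry covers."""
    return [host for host in required_hosts
            if not any(name_matches(san, host) for san in san_entries)]


# Constructed deployment: broker (or 2008 R2 farm) name plus session hosts.
REQUIRED = [
    "rdcb.contoso.com",
    "rdsh01.contoso.com",
    "rdsh02.contoso.com",
    "rdsh03.corp.local",   # internal-only name: a public CA will not issue it
]

# A wildcard cert covers only one label directly under contoso.com.
WILDCARD_SAN = ["*.contoso.com"]
# A SAN cert from an enterprise CA can enumerate every host, .local included.
ENTERPRISE_SAN = ["rdcb.contoso.com", "rdsh01.contoso.com",
                  "rdsh02.contoso.com", "rdsh03.corp.local"]

if __name__ == "__main__":
    for label, sans in (("wildcard", WILDCARD_SAN),
                        ("enterprise SAN", ENTERPRISE_SAN)):
        missing = uncovered_names(sans, REQUIRED)
        print(f"{label}: "
              f"{'all names covered' if not missing else 'missing ' + ', '.join(missing)}")
```

Feed `uncovered_names` the dNSName entries read from the certificate actually bound to the RDS roles and the host list from the deployment; any name it returns is one that will produce a certificate warning on redirect.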
ASKER
Yes, I cried a little when public CAs announced that they would no longer issue certificates for non-routable domains a year or two ago.
Thanks for your insight and help on the matter.