RemoteApp failing after reconstructing my entire network and server
Since, I'm getting close to where I was before the virus attack from my previous question, I've decided to open up a new question. I'm taking everything step by step, so the server's up and running and connecting to both my network and the internet, going thru the SonicWALL device. I've reinstalled my SQL Server and restored all the databases and I can run the software application from the server (have an issue when running from my workstation, but that can wait for later since my clients run directly on my server anyhow). I've re-keyed and downloaded new versions of my SSL Certificates required for my clients to be able to connect remotely to my system using Remote Desktop Services (one SSL for the Remote Gateway and one for the Host Session server). Setting up the Remote Desktop Services has always been a nightmare for me and, again, despite the number of times I've been thru this process, it's biting me in the "butt" again. I've got tons of screen shots that I took the last couple of times I went thru this process and, together with what I remember about the process, I really thought I had everything set up just the way it was before. But, of course, something's off and it's not working. Here's the error message I'm receiving and I'm hoping that someone who has worked with RDS and has set up RemoteApps for remote users to access will have some insight into this:
As always, I'm going to keep working on this, but if anyone has any suggestions, please pass them on....
As always, I'm going to keep working on this, but if anyone has any suggestions, please pass them on....
ASKER
That's not how RDS works. RDS uses a "Gateway Server" (which is on a public IP address and can be pinged), then internally uses a "connection broker" to route the user to whatever computer is set up in the RDS setup (in this case: otserver.daisrvr.com). While there certainly appears to be a disconnect between the Gateway and the Host Session server (otserver), the Host Session server does not have to reside on a public network. Appreciate the input still the same!
ASKER
I've been running the Best Practices Analyzer on my RDS setup and I'm getting 2 errors that appear to shed some light on what's actually happening, but the errors don't make sense to me in that, when I check, it appears to me that I already have each of these items covered in my setup. That said, maybe I don't and maybe I'm just not reading them right since resolving at least one of the two issues would apparently get me to where I need to be!? Here are the two messages:
The first message implies that I don't have a valid SSL certificate on my RD Gateway, but I know that I do and, what's more, that does not seem to be the issue. When I try to connect remotely, I'm getting past the RD Gateway, the problem appears to be with the Host Session server that can't be located. Now the second message seems to address my issue, but the problem I have with that one is that, again, I believe I do have domain users in my Remote Desktop Users group!? I'm just not sure what I'm missing here!
The first message implies that I don't have a valid SSL certificate on my RD Gateway, but I know that I do and, what's more, that does not seem to be the issue. When I try to connect remotely, I'm getting past the RD Gateway, the problem appears to be with the Host Session server that can't be located. Now the second message seems to address my issue, but the problem I have with that one is that, again, I believe I do have domain users in my Remote Desktop Users group!? I'm just not sure what I'm missing here!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
How is your Remote Desktop Gateway (RDG) server configured on the various networks? You mention it "has a public IP". Is it actually outside the firewall (not a common practice), or is a public IP being NATted by the firewall to the RDG box, which has a local IP address (most common setup), or a DMZ IP address (next most common setup)?
First, everything is set up on a single physical server and this configuration has worked fine for at least 2 years prior to my virus attack. I have a separate "domain" for my RDG which resolves to my public IP address for my network. The public address gets translated by the cable modem into a NAT address in the format of 10.1.x.x which goes directly to my SonicWALL firewall which translates it to my network's default gateway address in the format of 192.168.x.x (spoke with a network security expert last night who tells me this "double NAT-ing" could be an issue, but, again, this is how it's been working for 2+ years now. From the SonicWALL, it goes into a "dumb switch" which my server (RDG server) also connects to and since this is all contained within one server, my Host Session server is on the same box. So, if I'm reading your comments correctly, I have a version of your "most common setup".
Most common setup:
Internet - Firewall (NAT) - Local Network - RDG - RD Host
Next most common:
Internet - Firewall - DMZ Network - RDG Server - Firewall (NAT) - Local Network - RD Host
Possible, I suppose, but insecure, and not a good idea:
Internet - RDG server - Firewall (NAT) - Local Network - RD Host
Never even seen it, wouldn't do it,and if you've done it, you probably need to fix it:
Internet - (Interface1: public IP) RDG Server (Interface 2: private IP) - Local Network
It would be enormously helpful if you could just show us the adapter settings for the RDG box (for every active interface), and could save a lot of back and forth. Obscure the middle two octets of any public addresses if you prefer not to give out specific IPs.
The adapter setting on my server (RDG and Host Session) are "192.168.1.25" and "192.168.1.26" (dual NICs), my default gateway (also the SonicWALL address is "192.168.1.55". Not sure what else you might be looking for here, but if I haven't provided it, I'll be glad to...
Next, are you using a self-signed certificate, or a third party certificate on the RDG server?
Finally, I am NOT using any self-signed certificates. I have 2 valid certificates, one for the RDG and one for the Host Session server. And I do have to respectfully disagree with your statement regarding DNS. As I've stated, this configuration has been working for some time now (prior to the virus attack) and the Host Session Server could never be "pinged", primarily, I suppose, since it sits on the same physical box as my RDG server....
All that said, you'll have to provide me with more specifics regarding this GIGs session and how it actually works. Also, I don't have Paypal, so that may not be an option for me. But, that said, I do need to get this resolved just as quickly as humanly possible to preserve any chance of keeping my current arrangement with my "one and only" client which I depend on for my entire family's livelihood.....Thanks!
First, everything is set up on a single physical server and this configuration has worked fine for at least 2 years prior to my virus attack. I have a separate "domain" for my RDG which resolves to my public IP address for my network. The public address gets translated by the cable modem into a NAT address in the format of 10.1.x.x which goes directly to my SonicWALL firewall which translates it to my network's default gateway address in the format of 192.168.x.x (spoke with a network security expert last night who tells me this "double NAT-ing" could be an issue, but, again, this is how it's been working for 2+ years now. From the SonicWALL, it goes into a "dumb switch" which my server (RDG server) also connects to and since this is all contained within one server, my Host Session server is on the same box. So, if I'm reading your comments correctly, I have a version of your "most common setup".
Most common setup:
Internet - Firewall (NAT) - Local Network - RDG - RD Host
Next most common:
Internet - Firewall - DMZ Network - RDG Server - Firewall (NAT) - Local Network - RD Host
Possible, I suppose, but insecure, and not a good idea:
Internet - RDG server - Firewall (NAT) - Local Network - RD Host
Never even seen it, wouldn't do it,and if you've done it, you probably need to fix it:
Internet - (Interface1: public IP) RDG Server (Interface 2: private IP) - Local Network
It would be enormously helpful if you could just show us the adapter settings for the RDG box (for every active interface), and could save a lot of back and forth. Obscure the middle two octets of any public addresses if you prefer not to give out specific IPs.
The adapter setting on my server (RDG and Host Session) are "192.168.1.25" and "192.168.1.26" (dual NICs), my default gateway (also the SonicWALL address is "192.168.1.55". Not sure what else you might be looking for here, but if I haven't provided it, I'll be glad to...
Next, are you using a self-signed certificate, or a third party certificate on the RDG server?
Finally, I am NOT using any self-signed certificates. I have 2 valid certificates, one for the RDG and one for the Host Session server. And I do have to respectfully disagree with your statement regarding DNS. As I've stated, this configuration has been working for some time now (prior to the virus attack) and the Host Session Server could never be "pinged", primarily, I suppose, since it sits on the same physical box as my RDG server....
All that said, you'll have to provide me with more specifics regarding this GIGs session and how it actually works. Also, I don't have Paypal, so that may not be an option for me. But, that said, I do need to get this resolved just as quickly as humanly possible to preserve any chance of keeping my current arrangement with my "one and only" client which I depend on for my entire family's livelihood.....Thanks!
after repairing did any of the machines change their ip address? perhaps an ipconfig /flushdns after checking that your DNS entries are correct for the machine i.e. do a nslookup and verify
ASKER
I've definitely learned a lot thru this entire ordeal (which isn't totally rectified yet...), but I managed to complete a "bare metal" restore from a backup of my server just before the system got infected. I'm currently back up and running (essentially my system is currently where is was at on 2/15 prior to the virus attack). I've learned enough to be able to restore my server using my "bare metal" backup which I've got on a daily schedule, so any future intrusions can be dealt with quickly. Admittedly, I didn't (and still don't) have the expertise to perform a lot of these network troubleshooting processes, but I now have some contacts to turn to if I need this type of assistance in the future. I worked "one-on-one" with Gary Patterson who, graciously, spent the vast majority of this past weekend helping me work thru this issue and I want to thank him for all the time and effort he spent working thru this with me. Just one last point here. I joined EE as a computer programmer who realized that he would never be able to become knowledgeable in all aspects of IT required by my own pursuit of creating and maintaining custom software applications and generating a business out of this pursuit. While there have been times in the past where simply asking a question on this forum has resolved a minor "non-urgent" issue without any further payment on my part (beyond my annual fee), I now know that there are resources on this forum that, while additional payment is required, are invaluable when a crisis arises and you really, really need to resolve an issue in the shortest amount of time possible.
ASKER
Gary, I wrote a lengthy closing comment which somehow got lost on this web site. I don't remember everything I said, but, in short, without your resolve and determination to help me resolve my issues, I would still be banging my head against the wall, cursing at my computer, and wishing I'd never gotten myself so deeply involved with this business. Thanks for all your time and dedication to helping me resolve my issues after this malware attack and I would recommend Gary to anyone who finds themselves in a seeming overwhelming situation (as I did) as a knowledgeable and understanding individual, willing to help others, like myself, that he doesn't even know (like me...) and not only provide the patient technical advice, while, at the same time, being second-guessed and having to deal with a level of knowledge from someone (again, like me....) who thinks they know more about certain things than they actually do!
Is it a valid domain?
That looks like the system trying to connect can't resolve the name