vpnsol123

asked on

Web Cert for Internal RDS Farm

Trying to rid ourselves of the RDP security warnings when connecting to a load-balanced Hyper-V failover RDS cluster:
"The identity of the remote computer cannot be verified."
"The certificate is not from a trusted certifying authority."
And since we are using round-robin DNS, sometimes you will get a second occurrence of the above message, but from a different server.

I have a load-balanced 2012 RDS host farm with two collections (one to farm1 for security group x and one to farm2 for security group y) with two 2016 HA Connection Brokers/Licensing servers. No gateway server. Typical RDP is used to connect from a PC to one of the two farms. The farms are internal, meaning no outside public access. The PCs/devices that will RDP to the farm connect through site-to-site VPN tunnels and Cisco AnyConnect agents but are not part of the domain the farms reside in. The internal domain the farms are on is, for example, domain.net. The DNS entry for farm1, say, is farm1.domain.net, and for farm2 it is - ready?...... farm2.domain.net.

That is what end users will RDP to, with farm1.domain.net entered in their internal DNS to round-robin resolve to the hosts in that farm, and the same thing for users of farm2.

I see a lot of walk-throughs on certs, but since this isn't externally accessible and the clients are not on the same domain the farms are on, I'm not sure how to handle it.
David Favor

Simple solution.

Use free https://LetsEncrypt.org SSL certs, which have trust chains built into pretty much every app you can run - browsers, email clients, RDP clients.
ASKER CERTIFIED SOLUTION
Philip Elder

This solution is only available to members of Experts Exchange.
LetsEncrypt renewal is easy.

Just create a cron job to run certbot-auto renew every hour, then set it up for certs to be propagated wherever they're required + then services restarted.

LE certs are set up once + forget forever.

The catch, as you mention, is automating this the first time. So a bit more work up front, then no mucking with certs ever again.
vpnsol123

ASKER

Thanks all -

I'm not too worried about where to obtain a cert or the cost etc. - it's more the process of HOW to do it, since it's not an external DNS name (I'm probably overthinking this).

Have you come across any articles that are applicable to my scenario?
@David Favor - CRON to update Windows Certs for RDS?

With regard to LE certs expiring every 90 days, on Windows you can use the free Certify The Web application. Version 4 fully supports wildcard certificates now as well, should anyone need them.

It has support for scripts to automate things like RDS certificate distribution.

Download the application here: https://www.certifytheweb.com/

Examples on scripting here: https://docs.certifytheweb.com/docs/script-hooks.html and specifically for Remote Desktop here: https://docs.certifytheweb.com/docs/script-hooks.html#example-update-remote-desktop-role-certificates
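The script below is an added example written for this thread; it is not code from the original posts or from Certify The Web's documentation. It shows the "distribute the renewed cert to RDS" step that a post-renewal hook has to perform for a deployment like the asker's: no gateway, two 2016 brokers, 2012 session hosts reached directly by round-robin DNS. It assumes a PFX has already been issued for the farm names (by Let's Encrypt via DNS validation, or by any CA whose root the non-domain clients trust), and the file path, broker name and session host names (C:\certs\farm.pfx, cb01.domain.net, rdsh01/rdsh02.domain.net) are placeholders. Before installing anything it checks that the certificate's SAN actually lists farm1.domain.net and farm2.domain.net, because a cert that only names the individual hosts would still trigger the name-mismatch warning on every round-robin hop.

```powershell
# Added example (not from the thread). Pushes a renewed PFX to the RDS broker
# roles and to the RDP-Tcp listener on each session host.
# Hypothetical names: C:\certs\farm.pfx, cb01.domain.net, rdsh01/rdsh02.domain.net.
param(
    [string]$PfxPath = 'C:\certs\farm.pfx',
    [Parameter(Mandatory)][SecureString]$PfxPassword,
    [string]$Broker = 'cb01.domain.net',
    [string[]]$FarmNames = @('farm1.domain.net', 'farm2.domain.net'),
    [string[]]$SessionHosts = @('rdsh01.domain.net', 'rdsh02.domain.net')
)

Import-Module RemoteDesktop   # ships with the RDS management tools on the broker

# 1. Inspect the PFX before touching anything. Every farm FQDN that users type
#    into mstsc must appear in the SAN, or the warning simply moves to a new cert.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $PfxPath, $PfxPassword)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
foreach ($name in $FarmNames) {
    if ($sanText -notmatch [regex]::Escape($name)) {
        throw "Certificate $($cert.Thumbprint) does not list $name in its SAN; refusing to install"
    }
}
if ($cert.NotAfter -lt (Get-Date).AddDays(14)) {
    Write-Warning "Certificate expires $($cert.NotAfter); renewal is overdue"
}

# 2. Broker-side roles. No gateway in this deployment, so RDGateway is skipped.
#    -Force suppresses the per-role confirmation prompt so this runs unattended.
foreach ($role in 'RDPublishing', 'RDRedirector', 'RDWebAccess') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPassword `
        -ConnectionBroker $Broker -Force
}

# 3. Session hosts. A client that resolves farm1.domain.net straight to a host
#    sees that host's RDP-Tcp listener certificate, which is separate from the
#    broker roles above and is selected by SHA-1 thumbprint in WMI.
$thumb = $cert.Thumbprint
foreach ($h in $SessionHosts) {
    $session = New-PSSession -ComputerName $h
    # Copy into the session rather than pointing at a UNC path, which would
    # fail on the Kerberos double hop.
    Copy-Item -Path $PfxPath -Destination 'C:\Windows\Temp\farm.pfx' -ToSession $session
    Invoke-Command -Session $session -ArgumentList $PfxPassword, $thumb -ScriptBlock {
        param([SecureString]$pwd, [string]$thumbprint)
        Import-PfxCertificate -FilePath 'C:\Windows\Temp\farm.pfx' -Password $pwd `
            -CertStoreLocation Cert:\LocalMachine\My | Out-Null
        Remove-Item 'C:\Windows\Temp\farm.pfx' -Force
        $listener = Get-WmiObject -Namespace root\cimv2\TerminalServices `
            -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
        Set-WmiInstance -Path $listener.__PATH `
            -Arguments @{ SSLCertificateSHA1Hash = $thumbprint } | Out-Null
        # Read it back so a silent failure shows up in the hook's log.
        $check = Get-WmiObject -Namespace root\cimv2\TerminalServices `
            -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
        if ($check.SSLCertificateSHA1Hash -ne $thumbprint) {
            throw "$env:COMPUTERNAME still presents $($check.SSLCertificateSHA1Hash)"
        }
    }
    Remove-PSSession $session
}
Write-Output "Installed $thumb on $Broker and $($SessionHosts -join ', ')"
```

Run it as the post-renewal hook (or by hand) from the broker with an account that is a local administrator on the session hosts; the SAN check is the part worth keeping even if the rest is replaced, since the round-robin farm name, not the host names, is what the clients verify. The listener change is effective for new connections without restarting the Remote Desktop Services service, so existing sessions are not dropped.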