Craig LaDuke asked:
Creating and applying Certificates for Remote Desktop Gateway Server

Does anyone have a step-by-step process for creating/applying certificates for a Remote Desktop Gateway server? Everything I read is so vague about the process.
Mahesh:

It needs an SSL certificate.

You need to provide more info.

Are you also using RD Session Host, Connection Broker, RD Web Access, etc.? In short, are you using a full RDS deployment, or do you just want to use RD Gateway functionality to remote into corporate resources from the internet?
Are you using RD Gateway on 2008 R2 or 2012 R2? I believe it's 2012 R2.

Either way is possible, and nothing is vague as long as you know the RDS basics.

If you are using a full deployment, you can get a SAN certificate with multiple host names:

one for the connection broker - rdcb.domain.com
one for RD Web Access - rdweb.domain.com
one for the gateway server - rdgateway.domain.com
where domain.com must be an internet-routable domain.
https://ryanmangansitblog.com/2013/03/27/deploying-remote-desktop-gateway-rds-2012/

If you are only interested in a standalone RD Gateway deployment, check below:
https://www.lemonbits.com/2014/06/20/installing-standalone-remote-desktop-gateway-on-the-windows-server-2012-r2-without-complete-remote-desktop-services-infrastructure/

With RDS 2012 R2, everything is under one console, and there you can install the RD Gateway certificate.
You can get one free from Let's Encrypt; however, it will expire after 3 months and you need to renew it every 3 months.
Else get one from a 3rd-party public CA.
The certificate request would be a standard SSL certificate request, and you can generate the cert from any well-known CA web site; they all have step-by-step documentation available on their web sites, including tools with a user-friendly GUI.
OR
You may generate one SSL certificate request from a custom MMC console on any Microsoft server platform and submit the request to a public CA if you want to.
Study your deployment model, design your RDS infrastructure and start deployment, and if you find any difficulty, shoot a question here.
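The CSR and apply steps from the answer above, written out as an added PowerShell example; this is not code from the original thread. It assumes the three role host names listed above, 'domain.com' as a placeholder for your internet-routable domain, and that it runs elevated on the RD Connection Broker with the RemoteDesktop module available.

```powershell
# Added example (not from the thread): one SAN certificate request covering the
# three RDS role host names from the answer above; once the public CA returns the
# signed certificate, the same script applies it to every role of the deployment.
# Assumptions: 'domain.com' is a placeholder; runs elevated on the RD Connection Broker.
$Domain  = 'domain.com'
$Hosts   = @("rdgateway.$Domain", "rdweb.$Domain", "rdcb.$Domain")
$WorkDir = 'C:\RDS-Cert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
# Subject Alternative Name extension (OID 2.5.29.17), one dns= entry per role.
$SanLines = ($Hosts | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
$Inf = @"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "CN=$($Hosts[0])"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
$SanLines
"@
Set-Content -Path "$WorkDir\rds.inf" -Value $Inf -Encoding Ascii
# Step 1: create the key pair in the machine store and the CSR to submit to the CA.
certreq.exe -new "$WorkDir\rds.inf" "$WorkDir\rds.csr"
# Step 2 (run again after saving the CA's reply as rds.cer): bind the issued cert
# to its private key, export a PFX and hand it to every RDS role in one go.
if (Test-Path "$WorkDir\rds.cer") {
    certreq.exe -accept "$WorkDir\rds.cer"
    $Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$($Hosts[0])" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    $Pwd = Read-Host -AsSecureString 'PFX password'
    Export-PfxCertificate -Cert $Cert -FilePath "$WorkDir\rds.pfx" -Password $Pwd | Out-Null
    Import-Module RemoteDesktop
    foreach ($Role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
        Set-RDCertificate -Role $Role -ImportPath "$WorkDir\rds.pfx" -Password $Pwd `
            -ConnectionBroker "rdcb.$Domain" -Force
    }
}
```

The subject CN is the gateway name, which is the one external clients validate first; the other two names ride in the SAN extension, so the same PFX is valid for all three roles.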
From experience, a wildcard certificate is the best choice, as it gives you the flexibility to cover all functionality of the RDS, i.e. all the components Mahesh has thoroughly gone through above.

You should make it a publicly signed certificate at all tiers, as using internally signed certificates on any component, i.e. the session hosts, can lead to issues.

From a technical process standpoint, you can use a variety of tools to generate CSRs and the corresponding private keys. My recommendation would be to use OpenSSL, but there are some easier tools offered by some of the public CAs:

https://www.digicert.com/csr-creation-ssl-installation-windows-server-2016-digicert-utility.htm#create_csr

In terms of applying it, the RDS management console can do all of this from there.
Here is a useful YouTube video that steps through it:
https://www.youtube.com/watch?v=VzIvGvpLx2I
If you have 50 / 100s of servers which need an SSL cert, it's better to get a wildcard cert; else get a simple SAN cert with the required entries.
The number of servers doesn't matter; it's the quantity of URLs/FQDNs that's the deciding factor. If you use DNS names to route to session collections, then you can end up with a lot of FQDNs, and at an average price you only need about 5 or 6 before a wildcard has a better cost/value price.
I prefer to use Let's Encrypt and automate the certificate deployment; it takes a little more time up front, but then has a much reduced operating overhead.
Ya, I mean number of FQDNs; we will not use multiple FQDNs to connect to a single host, so we must have multiple hosts to connect with.
There are limitations to Let's Encrypt that may inhibit larger-scale business use.
As long as it matches/meets requirements, then it can be considered.
@chris, could you please expand on what limitations you mean?
Mostly about rate limits and the lifespan of the certificates.

Some details here:

https://letsencrypt.org/docs/rate-limits/

If you had any consumers of a service that pinned certificates for security, then a 90-day expiry period would cause issues with a management overhead.

Just making sure all requirements are gathered and met.
The rate limits could theoretically be an issue, but if a platform requires more than 50 unique new certificates per week in the same domain, I might suggest that the method needed examination.

If certificates need to be pinned for security, then a private PKI deployment with private certs makes more sense.
It certainly makes Let's Encrypt attractive for smaller businesses.