RDS Gateway naming & setup best practice

Alexandre Takacs
We have the following scenario
  • A plain vanilla 2012R2 based RDS deployment in which we want to use a RD Gateway (wasn't the case so far)
  • The local domain named domain.local - public domain domain.com
  • A valid wildcard cert for *.domain.com
  • Gateway machine is named rdshost.domain.local and session host rdshost.domain.local

We have performed the various setup and everything works fine, except that we have a certificate mismatch because the user connecting is redirected by the gateway to rdshost.domain.local (the name of the machine in the local domain) whereas the cert is for domain.local. And obviously we will never have a CA cert for domain.local

What is the best practice in such circumstances (I guess it is a pretty classic use case)?

Architect
Distinguished Expert 2018
Commented:
Install the domain.com cert on the RD Session Host server and replace the RD Session Host cert with the domain.com certificate.

Look at the "Configuring RDSH Server Certificates" topic in the article below for the steps:
https://ryanmangansitblog.com/2013/03/10/configuring-rds-2012-certificates-and-sso/

Author

Commented:
Will have a read of the linked doc, but the RD Session Host server has the domain.com cert (there is no other cert in any case...) - that is actually the whole issue, as its cert does not match its local (LAN) name, which is being referenced by the RD Gateway.
Mahesh
Architect
Distinguished Expert 2018

Commented:
Even if you install the cert on RDS, you need to tell the RD Session Host server to use it with a command,
and access the RD Connection Broker FQDN instead of the RD Session Host FQDN while accessing through the RD Gateway.

Author

Commented:
After reviewing the article it gave me the solution - I used this linked script

https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80

that allowed me to change the published FQDN so that the client would "think" it connects to a domain.com (vs domain.local) machine, thus accepting the presented certificate as valid.
Mahesh
Architect
Distinguished Expert 2018

Commented:
Alternatively you can redirect requests to domain.com with the cmdlet below:

Set-RDSessionCollectionConfiguration -CollectionName QuickSessionCollection -CustomRdpProperty "use redirection server name:i:1 `n alternate full address:s:remote.domain.com"

In the above, remote.domain.com should point to the RD Connection Broker from both the internal and external network.

Check the 'Certificate Mismatch' topic in the above article.
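The two fixes discussed in this thread (bind the public wildcard certificate to the RDS roles, then publish an external name that the certificate actually covers) as one added PowerShell example; this is not code from the thread or from the linked articles. It assumes a broker named rdcb.domain.local, a collection called QuickSessionCollection, a wildcard PFX at C:\certs\wildcard.pfx, and that remote.domain.com resolves to the broker from both networks; it ends with a check that the published name matches the certificate subject, which is what the client will validate.

```powershell
# Added example, not from the thread. Assumed values are marked below.
$broker      = 'rdcb.domain.local'          # assumption: RD Connection Broker FQDN
$collection  = 'QuickSessionCollection'
$publicFqdn  = 'remote.domain.com'          # assumption: external name, resolves to the broker
$pfxPath     = 'C:\certs\wildcard.pfx'      # assumption: wildcard cert for *.domain.com
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

Import-Module RemoteDesktop

# 1. Bind the public wildcard certificate to every RDS role, so each hop the
#    client talks to (gateway, web, publishing, redirector) presents a cert
#    that chains to a public CA instead of a .local name nobody can issue for.
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    Set-RDCertificate -Role $role -ImportPath $pfxPath -Password $pfxPassword `
        -ConnectionBroker $broker -Force
}

# 2. Publish the external name in the .rdp file the client receives. The client
#    then validates remote.domain.com against the cert, not rdshost.domain.local.
$rdpProps = "use redirection server name:i:1`nalternate full address:s:$publicFqdn"
Set-RDSessionCollectionConfiguration -CollectionName $collection `
    -CustomRdpProperty $rdpProps -ConnectionBroker $broker

# 3. Verify: the published property and the certificate subject must agree.
$cfg = Get-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker
"Published RDP properties:`n$($cfg.CustomRdpProperty)"

$cert     = Get-RDCertificate -Role RDRedirector -ConnectionBroker $broker
$certName = $cert.Subject -replace '^CN=([^,]+).*', '$1'          # e.g. *.domain.com
# Turn the wildcard subject into a regex: one label in place of '*', rest literal.
$pattern  = '^' + [regex]::Escape($certName).Replace('\*', '[^.]+') + '$'
if ($publicFqdn -match $pattern) {
    "OK: $publicFqdn is covered by certificate subject $certName"
} else {
    "MISMATCH: $publicFqdn is not covered by $certName; clients will still get a certificate warning"
}
```

Run it on the broker as a deployment administrator; the final check is the quick way to tell whether a remaining warning comes from the name or from the certificate itself.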
