Kenny Riley
 asked on

Trouble Accessing RDS Farm Externally

I'm setting up my first RDS farm consisting of 4 Windows Server 2019 VMs

  • Broker/License
  • Gateway/Webserver
  • Host1
  • Host2


Everything is up and running internally, I can hit the gateway/webserver, log in, download the RDP shortcut and connect into one of the hosts just fine.

https://pasteboard.co/kjjcHGKe79Pr.png


Externally is where I'm running into an issue.. I can hit the gateway/webserver just fine using the FQDN. It shows secured using my SSL cert purchased from Network Solutions. However, when I download the RDP shortcut and attempt to log in, I'm presented with the following error:

https://pasteboard.co/z9aIq6JeVpWk.png


Notice the certificate that I am seeing when I click to view it -- it's not showing my Network Solutions certificate for the FQDN of the gateway, https://rds.domain.com/.


Here are my RDS deployment settings, where I've applied my https://rds.domain.com/ Network Solutions certificate for all roles:

https://pasteboard.co/GiwRPYdpciIU.png


And here is my Network Solutions SSL cert that is applied to the RDS Gateway:

https://pasteboard.co/RIWcePgiDQkv.png


Where am I going wrong here? I'm totally stumped.. appreciate any help or guidance here :)

Tags: Remote Access, Windows Server 2019, Remote Desktop Connection, remote desktop farm


8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Michael Pfister

Kenny Riley

ASKER
Turns out, you were right.. The Watchguard SSLVPN Policy was interfering since it uses port 443. Turning it off solved the error message I was receiving, however, I am still unable to RDP into the RDS farm and am instead receiving this error now:

"The remote resource can't be reached. Check your connection and try again or ask your network administrator for help."


Any idea why? This works perfectly fine from inside the LAN, so to me, it has to be firewall-related somehow. I am currently forwarding TCP/443 and UDP/3391 to the Static NAT rule that I've defined which points the public IP to the private IP of the RDS gateway server.




When I attempt to connect via RDS externally, I don't even see the traffic ever hit the firewall in the logs..

For what it's worth, I've also defined the DefaultTSGateway field to the FQDN of my RDS Gateway within IIS, which from my research is typically overlooked and required:

 
I feel like this is something small that I'm not noticing..Any help would be greatly appreciated!

Michael Pfister

Have a look at the downloaded .rds file (notepad) and check the server names
Are they resolvable from the external network?
Kenny Riley

ASKER
Here's the output:

redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
videoplaybackmode:i:1
audiocapturemode:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:RDS-BRK.DOMAIN.COM
gatewayhostname:s:rds.domain.com
workspace id:s:RDS-BRK.DOMAIN.com
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.STS
use multimon:i:1
alternate full address:s:RDS-BRK.DOMAIN.COM
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
signature:s:AQABAAEAAACZFAAAMIIUlQYJKoZIhvcNAQcCoIIUhjCCFIICAQExDzANBglghkgB  

I can resolve RDS.DOMAIN.COM, which is the RD Gateway and where I have a rule in my firewall to port forward 443 and 3391. I cannot resolve the broker server externally, RDS-BROKER.DOMAIN.COM. Am I supposed to create a port forwarding rule for this in my firewall to 443 and 3391 too? I doubt I would need to port forward 3389 as that would kill the purpose of an RD Gateway to begin with, right?

Thanks for your help!
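The .rdp file pasted above is what the client actually uses to decide where to connect, so a quick way to check the "which name does the client try first, and can it be resolved from here" question is to parse the file and test each target name. The script below is an added example for this thread, not code from the original post or from Microsoft. The embedded .rdp text is constructed to match the pasted file (signature line shortened), the hostnames are the thread's own placeholder names, and the lookup table with the documentation address 203.0.113.10 is constructed so the check runs offline; the `gatewayusagemethod` meanings follow Microsoft's documented .rdp settings.

```python
"""Inspect a downloaded .rdp file: which hosts will the client contact, and do they resolve?

Added example for this thread (not the poster's or Microsoft's code). The sample
.rdp contents are constructed from the file pasted in the question; the name table
used for the offline check is constructed and uses a documentation-only address.
"""
import socket

# Constructed from the pasted .rdp file; signature shortened, other keys omitted.
SAMPLE_RDP = """\
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:RDS-BRK.DOMAIN.COM
gatewayhostname:s:rds.domain.com
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.STS
alternate full address:s:RDS-BRK.DOMAIN.COM
signature:s:AQABAAEAAACZFAAAMIIUlQYJKoZIhvcNAQcCoIIUhjCCFIICAQExDzANBglghkgB
"""

# Documented meanings of gatewayusagemethod in an .rdp file.
GATEWAY_USAGE = {
    0: "do not use an RD Gateway",
    1: "always use the RD Gateway",
    2: "use the RD Gateway only if a direct connection to the host fails",
    3: "use the client's default RD Gateway settings",
    4: "use the RD Gateway, but bypass it for local addresses",
}

# Constructed name table standing in for "what resolves from the outside":
# only the gateway's public name is known, the broker's name is not.
OFFLINE_TABLE = {"rds.domain.com": "203.0.113.10"}


def table_resolver(name):
    """Resolver that only knows OFFLINE_TABLE; raises OSError like socket.gethostbyname."""
    try:
        return OFFLINE_TABLE[name.lower()]
    except KeyError:
        raise OSError(f"cannot resolve {name}")


def parse_rdp(text):
    """Return {key: value} from 'key:type:value' lines; 'i' values become ints, 's' stay strings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        # Split on the first two colons only: the value itself may contain ':' (tsv://...).
        key, kind, value = line.split(":", 2)
        settings[key.strip().lower()] = int(value) if kind == "i" else value
    return settings


def resolves(name, resolver=socket.gethostbyname):
    """True if the resolver returns an address for name, False on any lookup failure."""
    try:
        resolver(name)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def check_rdp(text, resolver=socket.gethostbyname):
    """Summarise the connection path in an .rdp file and list target names that do not resolve."""
    s = parse_rdp(text)
    targets = {k: s[k] for k in ("full address", "alternate full address", "gatewayhostname") if k in s}
    method = s.get("gatewayusagemethod")
    report = {
        "targets": targets,
        "gateway_usage": GATEWAY_USAGE.get(method, f"unknown ({method})"),
        "unresolved": [],
        "notes": [],
    }
    if "gatewayhostname" not in s or method in (None, 0):
        report["notes"].append("no RD Gateway in use; the client connects straight to the full address")
    elif method == 2:
        report["notes"].append("client tries the full address directly before falling back to the gateway")
    seen = set()
    for host in targets.values():
        host = host.split(":")[0]  # drop an optional :port suffix
        if host.lower() in seen:
            continue
        seen.add(host.lower())
        if not resolves(host, resolver):
            report["unresolved"].append(host)
    return report


if __name__ == "__main__":
    # Offline run against the constructed table; pass no resolver to use real DNS.
    for key, value in check_rdp(SAMPLE_RDP, table_resolver).items():
        print(f"{key}: {value}")
```

Run it on the real file from outside the LAN (drop the `table_resolver` argument so it uses the client's DNS) to see, without starting a session, which of the names in `full address`, `alternate full address` and `gatewayhostname` the external client can resolve and which connection path the gateway settings select.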
Michael Pfister

Maybe alternate full address is the problem.

Set the custom property with PowerShell:

Import-Module RemoteDesktop
Set-RDSessionCollectionConfiguration -CollectionName "Your collection" -CustomRdpProperty "alternate full address:s:rds.domain.com"



of course replacing the collection name and the FQDN with the real values and re-check
Kenny Riley

ASKER
Thanks Michael. Am I supposed to be running this command on the RD Gateway server? Broker server? External client attempting to connect? Appreciate the guidance :) 
Michael Pfister

On the server where you created the session collection.
Kenny Riley

ASKER
Thanks for your help, Michael, it's a bit early here and my brain isn't fully awake.. this makes sense. I made the change on the broker server where the collection was created and unfortunately, that doesn't appear to have any effect as I am still receiving the same error when attempting to connect to the RDS environment externally.



Here is the latest output of the RDP shortcut after making these changes:

redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
videoplaybackmode:i:1
audiocapturemode:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:RDS-BRK.DOMAIN.COM
alternate full address:s:rds.domain.com
gatewayhostname:s:rds.domain.com
workspace id:s:RDS-BRK.domain.com
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.STS
use multimon:i:1
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
signature:s:AQABAAEAAACZFAAAMIIUlQYJKoZIhvcNAQcCoIIUhjCCFIICAQExDzANBglghkgB


Michael Pfister

Not sure if I can really help here. Since you're not seeing incoming traffic when starting the RDP session I still believe it's not connecting to the gateway but instead directly to the (externally unknown) broker server.

Ok, one more try: check the deployment config, is it set to "Automatically detect RD Gateway server settings"?
If yes, enter the FQDN of your gateway instead.
Kenny Riley

ASKER
Thanks for your help, Michael. Unfortunately, this setting is already in place:



I'm completely out of ideas. This is all working perfectly fine from inside the LAN. I can connect to the RD Gateway, download the RDP shortcut and connect in with no issue.. I can log into the RDS Gateway and download the RDP shortcut externally, but it just won't connect... I'm stumped.
Any other suggestions would be greatly appreciated.
Michael Pfister

It tried to connect to the broker instead of the gateway. But I thought this is controlled by the above setting...
Maybe try a new question...
Michael Pfister

It will work internally because it can get to the broker
Kenny Riley

ASKER
I'll post a new question, thanks for your help, Michael. 