Kenny Riley

asked on

Trouble Accessing RDS Farm Externally

I'm setting up my first RDS farm consisting of 4 Windows Server 2019 VMs

  • Broker/License
  • Gateway/Webserver
  • Host1
  • Host2


Everything is up and running internally, I can hit the gateway/webserver, log in, download the RDP shortcut and connect into one of the hosts just fine.

https://pasteboard.co/kjjcHGKe79Pr.png


Externally is where I'm running into an issue. I can hit the gateway/webserver just fine using the FQDN. It shows secured using my SSL cert purchased from Network Solutions. However, when I download the RDP shortcut and attempt to log in, I'm presented with the following error:

https://pasteboard.co/z9aIq6JeVpWk.png


Notice the certificate that I am seeing when I click to view it -- it's not showing my Network Solutions certificate for the FQDN of the gateway, https://rds.domain.com/.


Here are my RDS deployment settings, where I've applied my https://rds.domain.com/ Network Solutions certificate for all roles:

https://pasteboard.co/GiwRPYdpciIU.png


And here is my Network Solutions SSL cert that is applied to the RDS Gateway:

https://pasteboard.co/RIWcePgiDQkv.png


Where am I going wrong here? I'm totally stumped. Appreciate any help or guidance here :)

ASKER CERTIFIED SOLUTION
Michael Pfister

Kenny Riley (ASKER)


Turns out, you were right. The WatchGuard SSLVPN policy was interfering since it uses port 443. Turning it off solved the error message I was receiving; however, I am still unable to RDP into the RDS farm and am instead receiving this error now:

"The remote resource can't be reached. Check your connection and try again or ask your network administrator for help."

Any idea why? This works perfectly fine from inside the LAN, so to me, it has to be firewall-related somehow. I am currently forwarding TCP/443 and UDP/3391 to the Static NAT rule that I've defined which points the public IP to the private IP of the RDS gateway server.

When I attempt to connect via RDS externally, I don't even see the traffic ever hit the firewall in the logs.

For what it's worth, I've also defined the DefaultTSGateway field to the FQDN of my RDS Gateway within IIS, which from my research is typically overlooked and required:

I feel like this is something small that I'm not noticing. Any help would be greatly appreciated!

Have a look at the downloaded .rds file (notepad) and check the server names.
Are they resolvable from the external network?

Here's the output:

redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
videoplaybackmode:i:1
audiocapturemode:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:RDS-BRK.DOMAIN.COM
gatewayhostname:s:rds.domain.com
workspace id:s:RDS-BRK.DOMAIN.com
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.STS
use multimon:i:1
alternate full address:s:RDS-BRK.DOMAIN.COM
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
signature:s:AQABAAEAAACZFAAAMIIUlQYJKoZIhvcNAQcCoIIUhjCCFIICAQExDzANBglghkgB  

I can resolve RDS.DOMAIN.COM, which is the RD Gateway and where I have a rule in my firewall to port forward 443 and 3391. I cannot resolve the broker server externally, RDS-BROKER.DOMAIN.COM. Am I supposed to create a port forwarding rule for this in my firewall to 443 and 3391 too? I doubt I would need to port forward 3389 as that would kill the purpose of an RD Gateway to begin with, right?

Thanks for your help!
Maybe alternate full address is the problem.

Set the custom property with PowerShell:

Import-Module RemoteDesktop
Set-RDSessionCollectionConfiguration -CollectionName "Your collection" -CustomRdpProperty "alternate full address:s:rds.domain.com"

Of course, replace the collection name and the FQDN with the real values and re-check.

Thanks Michael. Am I supposed to be running this command on the RD Gateway server? Broker server? External client attempting to connect? Appreciate the guidance :)

On the server where you created the session collection.

Thanks for your help, Michael, it's a bit early here and my brain isn't fully awake; this makes sense. I made the change on the broker server where the collection was created and unfortunately, that doesn't appear to have any effect as I am still receiving the same error when attempting to connect to the RDS environment externally.


Here is the latest output of the RDP shortcut after making these changes:

redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
videoplaybackmode:i:1
audiocapturemode:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:RDS-BRK.DOMAIN.COM
alternate full address:s:rds.domain.com
gatewayhostname:s:rds.domain.com
workspace id:s:RDS-BRK.domain.com
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.STS
use multimon:i:1
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
signature:s:AQABAAEAAACZFAAAMIIUlQYJKoZIhvcNAQcCoIIUhjCCFIICAQExDzANBglghkgB


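As an added example (not code from the thread or from Michael's answer), here is a small Python parser for the .rdp file that RD Web Access hands out. It reports the gateway usage mode (mode meanings taken from Microsoft's RDP file settings reference), the target and gateway host names, whether each resolves (the resolver is injectable so the check can be run from an outside network or against a stub), and whether the targets are covered by the broker's signature, since fields listed in signscope cannot be hand-edited in the downloaded file without invalidating it. The sample file embedded below is constructed from the values quoted in this thread.

```python
import socket
from typing import Callable, Dict, Tuple

# Meaning of gatewayusagemethod values (Microsoft RDP file settings reference).
GATEWAY_USAGE = {
    0: "do not use an RD Gateway",
    1: "always use the RD Gateway",
    2: "use the RD Gateway only if a direct connection cannot be made",
    3: "use default RD Gateway settings",
    4: "do not use an RD Gateway, bypass for local addresses",
}

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {name: (type, value)} for every 'name:type:value' line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 2:
            continue
        name, typ, value = line.split(":", 2)  # value itself may contain ':'
        settings[name.lower()] = (typ, value)
    return settings

def check_rdp(text: str, resolve: Callable[[str], str] = socket.gethostbyname) -> dict:
    """Summarise what an external client must reach for this .rdp file to work."""
    s = parse_rdp(text)
    method = int(s.get("gatewayusagemethod", ("i", "0"))[1])
    gateway = s.get("gatewayhostname", ("s", ""))[1]
    targets = {k: s[k][1] for k in ("full address", "alternate full address") if k in s}
    signed_fields = {f.strip().lower() for f in s.get("signscope", ("s", ""))[1].split(",")}
    report = {
        "gateway_usage": GATEWAY_USAGE.get(method, f"unknown ({method})"),
        "gateway": gateway,
        "targets": targets,
        "signed": "signature" in s,
        # Targets listed in signscope cannot be edited by hand without breaking the signature.
        "unsigned_targets": [k for k in targets if k not in signed_fields],
        "resolvable": {},
    }
    for host in {gateway, *targets.values()}:
        if not host:
            continue
        try:
            resolve(host)
            report["resolvable"][host] = True
        except OSError:  # socket.gaierror is a subclass of OSError
            report["resolvable"][host] = False
    return report
```

Run it with the real resolver from a machine outside the LAN to see which of the names in the file that machine can actually look up.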
Not sure if I can really help here. Since you're not seeing incoming traffic when starting the RDP session I still believe it's not connecting to the gateway but instead directly to the (externally unknown) broker server.

OK, one more try: check the deployment config, is it set to "Automatically detect RD Gateway server settings"?
If yes, enter the FQDN of your gateway instead.

Thanks for your help, Michael. Unfortunately, this setting is already in place:

I'm completely out of ideas. This is all working perfectly fine from inside the LAN. I can connect to the RD Gateway, download the RDP shortcut and connect in with no issue. I can log into the RDS Gateway and download the RDP shortcut externally, but it just won't connect... I'm stumped.

Any other suggestions would be greatly appreciated.
It tried to connect to the broker instead of the gateway. But I thought this is controlled by the above setting...
Maybe try a new question...
It will work internally because it can get to the broker.

I'll post a new question, thanks for your help, Michael.