Trouble Accessing RDS Farm Externally

Turns out, you were right.. The Watchguard SSLVPN Policy was interferring since it uses port 443. Turning it off solved the error message I was receiving, however, I am still unable to RDP into the RDS farm and am instead receiving this error now:

"The remote resource can't be reached. Check your connection and try again or ask your network administrator for help."


Any idea why? This works perfectly fine from inside the LAN, so to me, it has to be firewall-related somehow. I am currently forwarding TCP/443 and UDP/3391 to the Static NAT rule that I've defined which points the public IP to the private IP of the RDS gateway server.




When I attempt to connect via RDS externally, I don't even see the traffic ever hit the firewall in the logs..

For what it's worth, I've also defined the DefaultTSGateway field to the FQDN of my RDS Gateway within IIS, which from my research is typically overlooked and required:

 
I feel like this is something small that I'm not noticing..Any help would be greatly appreciated!

Have a look at the downloaded .rds file (notepad) and check the server names
Are they resolvable from the external network?

Here's the output:

redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
videoplaybackmode:i:1
audiocapturemode:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:RDS-BRK.DOMAIN.COM
gatewayhostname:s:rds.domain.com
workspace id:s:RDS-BRK.DOMAIN.com
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.STS
use multimon:i:1
alternate full address:s:RDS-BRK.DOMAIN.COM
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
signature:s:AQABAAEAAACZFAAAMIIUlQYJKoZIhvcNAQcCoIIUhjCCFIICAQExDzANBglghkgB  

I can resolve RDS.DOMAIN.COM, which is the RD Gateway and where I have a rule in my firewall to port forward 443 and 3391. I cannot resolve the broker server externally, RDS-BROKER.DOMAIN.COM. Am I supposed to create a port forwarding rule for this in my firewall to 443 and 3391 too? I doubt I would need to port forward 3389 as that would kill the purpose of an RD Gateway to begin with, right?

Thanks for your help!

Maybe alternate full address  is the problem.

Set the custom property with PowerShell:

Import-Module RemoteDesktop
Set-RDSessionCollectionConfiguration -CollectionName "Your collection" -CustomRdpProperty "alternate full address:s:rds.domain.com"

Select allOpen in new window

of course replacing the collection name and the FQDN with the real values and re-check

Thanks Michael. Am I supposed to be running this command on the RD Gateway server? Broker server? External client attempting to connect? Appreciate the guidance :) 

On the server where you created the session collection.

Thanks for your help, Michael, it's a bit early here and my brain isn't fully awake.. this makes sense. I made the change on the broker server where the collection was created and unfortunately, that doesn't appear to have any effect as I am still receiving the same error when attempting to connect to the RDS environment externally.



Here is the latest output of the RDP shortcut after making these changes:

redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
videoplaybackmode:i:1
audiocapturemode:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:RDS-BRK.DOMAIN.COM
alternate full address:s:rds.domain.com
gatewayhostname:s:rds.domain.com
workspace id:s:RDS-BRK.domain.com
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.STS
use multimon:i:1
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
signature:s:AQABAAEAAACZFAAAMIIUlQYJKoZIhvcNAQcCoIIUhjCCFIICAQExDzANBglghkgB

Not sure if I can really help here. Since you're not seeing incoming traffic when starting the RDP session I still believe its not connecting to the gateway but instead directly to the (externally unknown) broker server.

Ok, one more try: check the deployment config, is it set to "Automatically detect RD Gateway server settings"?
If yes, enter the FQDN or your gateway instead.

Thanks for your help, Michael. Unfortunately, this setting is already in place:



I'm completely out of ideas. This is all working perfectly fine from inside the LAN. I can connect to the RD Gateway, download the RDP shortcut and connect in with no issue.. I can log into the RDS Gateway and download the RDP shortcut externally, but it just won't connect... I'm stumped.
Any other suggestions would be greatly appreciated.

It tried to connect to the broker instead of the gateway. But I thought this is controlled by the above setting...
Maybe try a new question...

It will work internally because it can get to the broker

I'll post a new question, thanks for your help, Michael.