Concurrency
Real Microsoft expertise. Real business value.

RDS8 – Gateway and Certificates on Windows Server 2012

Read more Step-by-Step Guides on Remote Desktop Services in Windows Server 2012.

As the name implies, Remote Desktop Services is a way of delivering desktop services to clients that are not “local”. However, the Quick and Standard deployments of RDS do not include the key component that makes these services available from outside your organization: the RD Gateway (RDGW). This role acts as a proxy over HTTPS, letting a client tunnel over SSL to your internal resources, which limits what you expose and secures the communication.

In Server Manager, if you want to deploy a separate server for the RDGW role, you’ll want to add that new server to the console which is already managing the rest of your RDS environment. I like to use the manager on the RDCB for this, but any Server Manager console that is managing all of your RDS hosts will work just the same.

In this example I am going to be adding the role to the same server that is already running the RDWA role, so the RDGW and RDWA will be on one server. From the Remote Desktop Services area just click on the big green + above RD Gateway to get started.

Select the server that you want to install the role and add it to the Selected list on the right.

Pick a DNS name that clients will connect to in order to use the Gateway.

This should be the external DNS name that resolves to an IP address which NATs port 443 to the RDGW server. NOTE: In this example the RDGW and RDWA roles are on the same server, and both use port 443. If you also NAT port 80, the RDWA server will redirect web browsers from HTTP to HTTPS; without access to port 80 your users will have to remember to type https:// when accessing the RDWA. It’s just being nice to your users really.

Also notice that the wizard mentions a Self-Signed Certificate. We will change this in just a moment, so click Next.

On the Confirmation page just click Add if you’re happy with the config.

Once completed successfully click Close.

Notice the warning that a certificate must be configured. You can click on Configure certificate, but if you click Close you can still manage the certificate by selecting “Edit Deployment Properties” under the Overview Tasks.

At this point you can create a new self-signed certificate and apply it to all roles, but if you’re going to be putting this into production I would suggest using a 3rd-party certificate that all clients will trust by default. I prefer a wildcard certificate for the external domain name used by the RDWA and RDGW roles.

When you click “Select existing certificate” you will need to select a .pfx file that contains the certificate’s private key. Without the private key, the server will not be able to use the certificate.

Once you’ve entered the password and checked the box to allow the certificate to be added to the Trusted Root CAs, click OK and then Apply the changes.

Once you have applied the certificate to the first role, do the same for all the remaining roles.
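The same steps driven from PowerShell, as an added example that is not part of the original post: it adds the RD Gateway role with the external FQDN, checks the .pfx before importing it (private key present, not expired, CN or SAN covers the external name, with one-label wildcard matching), and then applies it to all four RDS roles. It assumes the RemoteDesktop module’s Add-RDServer and Set-RDCertificate cmdlets are available on your broker (check with Get-Command on the RTM 2012 release), and the server names, domain and path are placeholders.

```powershell
# Added example (not from the original post). Assumes the RemoteDesktop module
# with Add-RDServer and Set-RDCertificate. All names and paths are placeholders.
Import-Module RemoteDesktop

$ConnectionBroker = 'rdcb.corp.local'        # placeholder: your RDCB
$GatewayServer    = 'rdwa.corp.local'        # placeholder: host receiving the RDGW role (here the RDWA box)
$ExternalFqdn     = 'rd.example.com'         # placeholder: public name that NATs 443 to the gateway
$PfxPath          = 'C:\certs\wildcard.pfx'  # placeholder: PFX that includes the private key

function Test-CertNameMatch {
    # A wildcard covers exactly one label: *.example.com matches rd.example.com,
    # but not example.com and not a.rd.example.com.
    param([string]$CertName, [string]$Fqdn)
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)     # ".example.com"
        if (-not $Fqdn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $head = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
        return ($head.Length -gt 0 -and -not $head.Contains('.'))
    }
    return [string]::Equals($CertName, $Fqdn, [StringComparison]::OrdinalIgnoreCase)
}

function Test-RdsPfx {
    # Returns a list of problems; an empty list means the PFX is usable for the roles.
    param([string]$Path, [System.Security.SecureString]$Password, [string]$Fqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'PFX carries no private key; the roles cannot use it' }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "certificate expired on $($cert.NotAfter)" }

    # Names the certificate is valid for: subject CN plus any SAN DNS entries (OID 2.5.29.17)
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    if (-not ($names | Where-Object { Test-CertNameMatch -CertName $_ -Fqdn $Fqdn })) {
        $problems += "none of [$($names -join ', ')] covers $Fqdn"
    }
    return $problems
}

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$issues = Test-RdsPfx -Path $PfxPath -Password $pfxPassword -Fqdn $ExternalFqdn
if ($issues) { $issues | ForEach-Object { Write-Error $_ }; return }

# 1. Add the RD Gateway role (the green "+" in Server Manager) and set the external name
Add-RDServer -Server $GatewayServer -Role RDS-GATEWAY -ConnectionBroker $ConnectionBroker `
             -GatewayExternalFqdn $ExternalFqdn

# 2. Apply the same certificate to every role, not just the gateway
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $pfxPassword `
                      -ConnectionBroker $ConnectionBroker -Force
}

# 3. Confirm what the deployment now holds for each role
Get-RDCertificate -ConnectionBroker $ConnectionBroker
```

Run it on the connection broker (or a server with the RSAT RDS tools pointed at it); Set-RDCertificate reads the .pfx from the path as the broker sees it, so keep the file local to that machine rather than on a share that the broker’s computer account cannot reach.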

Now your client computers can use the Gateway setting found under More Options / Advanced / Connect from anywhere Settings. Under Server Name simply punch in the external FQDN of the gateway server.

With that set you can now try connecting to the internal name of any server on your company network. When you are prompted for credentials you’ll notice the broker name is listed as one of the servers in the connection path.
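A client-side check, added here as an example (not part of the original post), for the problems that surface once users try the gateway from outside: it resolves the external name, completes a TLS handshake on port 443 and reports what .NET concludes about the certificate the gateway presents, so a name mismatch or an untrusted chain is visible before anyone opens the RDC client. The gateway name is a placeholder.

```powershell
# Added example (not from the original post). Run from a client outside the network
# against the external gateway name; 'rd.example.com' is a placeholder.
function Test-RdGatewayTls {
    param([string]$GatewayFqdn, [int]$Port = 443)

    $result = [ordered]@{
        Gateway = $GatewayFqdn; Addresses = $null; Subject = $null; SanNames = $null
        Expires = $null; PolicyErrors = $null; Ok = $false
    }
    # Does the external name resolve at all from here?
    $result.Addresses = ([System.Net.Dns]::GetHostAddresses($GatewayFqdn) |
        ForEach-Object { $_.IPAddressToString }) -join ', '

    # Record .NET's verdict (chain trust, name match) instead of aborting the handshake,
    # so the report shows the certificate even when it would be rejected.
    $script:sslPolicyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:sslPolicyErrors = $errors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($GatewayFqdn)   # SNI/name check uses the name the user would type
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject = $cert.Subject
        $result.Expires = $cert.NotAfter
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $result.SanNames = $san.Format($false) }
        $result.PolicyErrors = $script:sslPolicyErrors
        $result.Ok = ($script:sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    return New-Object PSObject -Property $result
}

Test-RdGatewayTls -GatewayFqdn 'rd.example.com' | Format-List
```

PolicyErrors of RemoteCertificateNameMismatch means the certificate does not cover the name the client used (the *.domain.com versus rd.domain.local situation described in the comments); RemoteCertificateChainErrors means the client does not trust the issuer, which is what a self-signed certificate produces on a machine that has not imported it. Only an Ok of True means the RDC client will get through without a certificate prompt.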

And you’re all set! Now you can use RemoteApp and Desktops from anywhere.

N’joy!

Shannon Fritz

Infrastructure Architect and Server Team Lead at Concurrency. Shannon is an MVP in Forefront and Enterprise Security, MCSE in Private Cloud and MCSA Windows Server 2012. He's also a self-professed media junkie. Just ask him about MediaCenter!

  • Wes

    Hi, I’ve got a server set up that is a gateway, rdweb server, and rdcb that has a wildcard cert from godaddy. I then have a separate server that is a RDSH. I published a basic desktop, and can sign into the rdweb website and connect. On my Win8 machine it connects smoothly even though I do see the rd.domain.local name of the RDSH box in the window. On an external win7 box, I get prompted an extra time for my credentials, and I get multiple squawks about the cert (*.domain.com) not matching the server name (rd.domain.local). How do I fix this?
    thanks!

    • http://www.linkedin.com/in/shannonfritz Shannon Fritz

      Hi Wes, this is the same issue as above. If you use one name that will be used both inside and outside then you will be able to connect without any certificate problems. Since the .local namespace cannot exist on the Internet, that leaves you with hosting the .com on the inside.

  • pesos

    Hi Shannon, I feel I’m so close… I have a 2012 server that is the connection broker, gateway, and rd web server. Its name is rds.domain.local but the external name we are using is rd.domain.com and it has my wildcard cert installed for *.domain.com

    I then have a separate 2012 RDSH server named rd1.domain.local and have this in a collection for basic remote desktop access.

    I sign into rdweb just fine, and the connection is made, but then I get a certificate error which shows the internal name rd1.domain.local

    How do I get around these cert errors? Also, for external clients, after signing into rdweb and clicking on the icon, the RDC client makes me authenticate a 2nd time…

    • http://www.linkedin.com/in/shannonfritz Shannon Fritz

      This is basically the same question Ronald was asking (here). You’ll want to make sure you are accessing the RDS environment by using one name that is common between the inside and outside networks. This will let you use one certificate to secure the connection regardless of how you connect to it. So make a DNS record for the External name on your Internal DNS servers, and you should be good to go.

      Plus, this allows you to tell your users to access the RemoteApps by always going to “rd.domain.com” no matter where they are. Work one way from anywhere. Even though that is sort of the mantra for DirectAccess ;]

  • Tom

    Thanks for this useful blog. I was able to successfully set up my gateway.

    However, I was under the impression I can point my external clients to the gateway https address and get the same page when accessing the Web Service server… Am I missing anything? I just get the standard IIS page…

    • http://www.linkedin.com/in/shannonfritz Shannon Fritz

      You will get the standard IIS page if you just visit the hostname of your RDWeb server. To see the RDWeb Access page you need to visit /RDWeb. I usually replace the default IIS page with a redirection page that will take visitors to /rdweb so they can get there really easily. Maybe another blog post in the future ;]

  • Bill Medland

    I am trying to import a certificate that we have generated ourselves (chained to a single trusted one) but when I apply it I get an error that “The certificate properties must match the requirements of the role service”. How do I find out what those requirements are and how to make a suitable certificate (for development work)?

  • tShabbir

    Hi Shannon,
    Thanks a lot for the wonderful blog. I followed these guidelines and set up an RDS 2012 environment. My only concern for now is SSO. I have been trying to configure SSO for the last two days with no success. Can you guide me or publish an article on SSO?
    I will definitely wait for your response.
    Regards
    tShabbir

  • siyang

    Dear Shannon,

    I have one question which blocks me from using an external user to access my internal VDI.
    After I configured VDI–Gateway, I tried “Create new certificate”, but it failed and prompted the error message ”Could not find file C:users\TEMP.LAB\Documents\‘myFQDN‘.pfx”.
    Actually, I don’t know how to create a .pfx certificate?
    Please give me some advice.
    Btw, I have created a CA on the gateway server, but this CA seems like it can’t be used for the gateway server.