RD Gateway Server and IIS Reverse Proxy

Legacy777 96 Reputation points
2020-10-08T02:31:26.983+00:00

Hello,

I've set up Remote Desktop Gateway Server on Windows Server 2019 and I'm using URL Rewrite on my internet-facing IIS server to rewrite the URL to the Remote Desktop Gateway server. I can access the server via HTTP and HTTPS. I get the default IIS webpage on the Remote Desktop Gateway server. The Remote Desktop connection via the gateway server works from my internal network. However, when I try to connect via an external laptop running Windows 10 Enterprise I get the error "Your computer can't connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance."

I have reviewed the logs on the server and the client. On the gateway server under TerminalServices-Gateway > Operational I have event 312: "The user "user@keyman", on client computer "xxx.xxx.xxx.xxx:48471", has initiated an outbound connection. This connection may not be authenticated yet." On the client side there are several errors, but I'm not exactly sure what I'm looking for.

I tried changing my firewall settings and routed port 443 directly to the gateway server, and I was able to log in and Remote Desktop worked as expected. So the gateway server appears to be OK and is working, but something appears to not be working in the hand-off from the IIS server that is reverse proxying things.

One thing to note is that I only installed the Remote Desktop Gateway server, but have not installed the Connection Broker. Out of curiosity, do I need to have that installed for this scenario to work?

If there is any specific log or error details you would like to see or I should be looking for please let me know.

Thanks
Josh


Accepted answer
  1. Legacy777 96 Reputation points
    2020-10-14T09:07:33.207+00:00

    UPDATED with solution for RD WebTools.

    I've done some additional testing and research, and from what I can tell IIS's Application Request Routing reverse proxy and URL Rewrite do not pass authentication information on. There were some pages that talk about configuring IIS to pass on authentication, but I didn't try them because I don't really have any more time to test this.

    So if all you want to use is the RD Gateway server to access computers behind your firewall and you're already using port 443, then the solution is to use another port, and everything works as expected. If you want to use RD Web tools and applications, then you need to manually set the gateway using the following PowerShell commands on the Broker machine:

    Import-Module RemoteDesktop
    Set-RDSessionCollectionConfiguration -CollectionName "YourCollectionName" -CustomRdpProperty "gatewayhostname:s:rdgateway.domain.com:port"
    

    I created a post on IIS.net forums and will link that below as well as some of the other pages I found for future reference in case anyone else runs across this.

    Josh

    Reference Links:

    IIS Reverse Proxy and RD Gateway Server - 401 error
    ARR Unable to pass through Windows Authentication
    Configure Application Request Routing with Windows Authentication, Kerberos
    Configure Application Request Routing
    Forwarding NTLM credentials from IIS with ARR and URL Rewrite
    NTLM authentication via ARR Reverse Proxy and Identity Server gives 502.3 error
    DefaultTSGateway settings for RDS 2016 doesn't apply - External Users RD Can't find Computer


3 additional answers

Sort by: Most helpful
  1. Karlie Weng 14,031 Reputation points Microsoft Vendor
    2020-10-09T06:33:42.627+00:00

    Hello @Legacy777-8030

    As far as I know, the client side events lie within Microsoft-Windows-TerminalServices-RDPClient/Operational, you might find more error details there.

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best Regards
    Karlie


  2. Legacy777 96 Reputation points
    2020-10-09T16:36:31.277+00:00

    Hi,

    I've been doing some more research on the client side and I'm getting several event 1033 errors when connecting, even before authenticating (see below).

    I was able to find this post that mentions some dynamic RPC port; however, they didn't indicate what that was.

    https://social.technet.microsoft.com/Forums/azure/en-US/caff1ed6-9b35-47bf-9a7d-bc6bb7318c67/remoteapp-needs-local-user-logged-in-to-work?forum=winserverTS

    Any additional input/feedback is welcome. I will continue to do some more research/testing on this. I may have to set up Wireshark to see if I can figure out what port is being used.

    Thanks
    Josh

    Component name:CClientProxyTransport, :: 'm_ClientAdapter->CreateTunnel failed' in CProxyRawTrans::CreateProxyConnection at 2119 err=[0x800759d9], Error code:0x800759D9
    
    Component name:CClientProxyTransport, :: 'Gateway connection time out is 90' in CClientHTTPProxyTransport::Connect at 1196 err=[0x800759d9], Error code:0x800759D9
    
    Component name:CClientProxyTransport, :: 'CreateConnection failed' in CClientHTTPProxyTransport::Connect at 1205 err=[0x800759d9], Error code:0x800759D9
    
    Component name:CClientProxyTransport, :: 'Gateway Error' in CClientProxyTransport::SetErrorStatus at 2853 err=[0x800759d9], Error code:0x800759D9
    
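    Added diagnostic, not code from the thread: a Windows PowerShell 5.1 script that checks whether the reverse-proxy path returns the same Negotiate/NTLM challenge as the direct path (the difference behind the accepted answer) and pulls the client-side event 1033 entries quoted above. The hostnames are placeholders, and the /remoteDesktopGateway/ endpoint path is my assumption about the gateway's HTTP transport.

```powershell
function Get-RdgAuthChallenge {
    # Unauthenticated probe of the RD Gateway HTTP transport endpoint (path is an assumption).
    # A gateway reached directly should answer 401 with WWW-Authenticate: Negotiate / NTLM.
    # A reverse proxy that does not forward Windows authentication typically shows no
    # challenge at all (e.g. 200 with the default IIS page, or a 502).
    param([Parameter(Mandatory)][string]$BaseUrl)
    $url = "$($BaseUrl.TrimEnd('/'))/remoteDesktopGateway/"
    try {
        $resp = Invoke-WebRequest -Uri $url -Method Get -UseBasicParsing -ErrorAction Stop
        return [pscustomobject]@{ Url = $url; Status = [int]$resp.StatusCode; Challenge = @() }
    } catch [System.Net.WebException] {
        $r = $_.Exception.Response
        if ($null -eq $r) {
            return [pscustomobject]@{ Url = $url; Status = 'no response'; Challenge = @() }
        }
        $auth = $r.Headers.GetValues('WWW-Authenticate')   # null when the header is absent
        return [pscustomobject]@{
            Url       = $url
            Status    = [int]$r.StatusCode
            Challenge = @($auth)
        }
    }
}

function Get-RdgClientFailures {
    # Client-side view: the CClientProxyTransport errors quoted above are logged as event 1033
    # in the RDP client operational log. Run this on the external laptop after a failed attempt.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
        Id        = 1033
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

# Example run (constructed hostnames): compare the proxied path with the direct path.
# Expect 'Negotiate'/'NTLM' in Challenge on the direct path; if the proxied path lacks
# them, the proxy is not passing the gateway's authentication challenge through.
Get-RdgAuthChallenge -BaseUrl 'https://proxy.example.com'      | Format-List
Get-RdgAuthChallenge -BaseUrl 'https://rdgateway.example.com'  | Format-List
Get-RdgClientFailures -Hours 2 | Format-Table -AutoSize -Wrap
```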

  3. Legacy777 96 Reputation points
    2020-10-11T18:18:29.147+00:00

    As an update, I found a workaround to this issue. I created another port forwarding rule to open a different port and then forward it to the gateway server's port 443. This is working for me. I'd still like to see if I can figure out why this issue is occurring, but at least I have a workaround for the time being.

    Josh