Question

Legacy777 asked (later edited):

RD Gateway Server and IIS Reverse Proxy

Hello,

I've set up Remote Desktop Gateway Server on Windows Server 2019 and I'm using URL Rewrite on my internet-facing IIS server to rewrite the URL to the Remote Desktop Gateway server. I can access the server via http and https. I get the default IIS webpage on the Remote Desktop Gateway server. The remote desktop connection via the gateway server works from my internal network. However, when I try to connect via an external laptop running Windows 10 Enterprise I get the error "Your computer can't connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance."

I have reviewed the logs on the server and the client. On the gateway server, under TerminalServices-Gateway and Operational, I have event 312: "The user "user@domain", on client computer "xxx.xxx.xxx.xxx:48471" has initiated an outbound connection. This connection may not be authenticated yet." On the client side there are several errors, but I'm not exactly sure what I'm looking for.

I tried changing my firewall settings and routed port 443 directly to the gateway server, and was able to log in and remote desktop worked as expected. So the gateway server appears to be OK and is working, but something appears to not be working in the hand-off from the IIS server that is reverse proxying things.

The one thing to note is I only installed the remote desktop gateway server, but have not installed the connection broker. Out of curiosity do I need to have that installed for this scenario to work?

If there is any specific log or error details you would like to see or I should be looking for please let me know.

Thanks
Josh

remote-desktop-services

Legacy777 answered (later edited):

UPDATED with solution for RD WebTools.

I've done some additional testing and research, and from what I can tell IIS's application reverse proxy (ARR) and URL Rewrite do not pass authentication information on. There were some pages that talk about configuring IIS to pass on authentication, but I didn't try them because I don't really have any more time to test this.

So if all you're wanting to use is the RD Gateway server to access computers behind your firewall and you're already using port 443, then the solution is to use another port and everything works as expected. If you want to use RD WebTools and applications, then you need to manually set the gateway using the following PowerShell commands on the Broker machine:

 # Run on the RD Connection Broker; the gatewayhostname value includes the alternate port
 Import-Module RemoteDesktop
 Set-RDSessionCollectionConfiguration -CollectionName "YourCollectionName" -CustomRdpProperty "gatewayhostname:s:rdgateway.domain.com:port"

I created a post on IIS.net forums and will link that below as well as some of the other pages I found for future reference in case anyone else runs across this.

Josh

Reference Links:

IIS Reverse Proxy and RD Gateway Server - 401 error
ARR Unable to pass through Windows Authentication
Configure Application Request Routing with Windows Authentication, Kerberos
Configure Application Request Routing
Forwarding NTLM credentials from IIS with ARR and URL Rewrite
NTLM authentication via ARR Reverse Proxy and Identity Server gives 502.3 error
DefaultTSGateway settings for RDS 2016 doesn't apply - External Users RD Can't find Computer
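The answer above sets the gateway host and port with a single Set-RDSessionCollectionConfiguration call. The following script is an added example, not code from the original post, that does the same thing while preserving any other custom RDP properties the collection already carries, then reads the setting back to verify it. It assumes (as the answer does) that -CustomRdpProperty replaces the whole property string rather than merging, and the collection name, gateway host and port are placeholders to be replaced.

```powershell
# Added example (not from the original post): set the RD Gateway host and
# alternate port for a session collection without discarding other custom
# RDP properties already configured on it.
# Assumptions: collection name, gateway host and port below are placeholders;
# -CustomRdpProperty is assumed to replace the entire property string.
Import-Module RemoteDesktop

$CollectionName = "YourCollectionName"     # placeholder
$GatewayHost    = "rdgateway.domain.com"   # placeholder
$GatewayPort    = 4443                     # placeholder: the port forwarded to the gateway's 443

# Read whatever custom properties are already set so they can be kept.
$current = (Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -CustomRdpProperty).CustomRdpProperty

# Split into one property per line, drop blanks and any old gatewayhostname entry.
# @( ) forces an array so a single surviving line is not treated as a string.
$lines = @()
if ($current) {
    $lines = @($current -split "`r?`n" | Where-Object { $_ -and ($_ -notmatch '^gatewayhostname:s:') })
}

# Append the gateway entry in the same host:port form the answer uses.
$lines += "gatewayhostname:s:${GatewayHost}:${GatewayPort}"
$merged = $lines -join "`n"

Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -CustomRdpProperty $merged

# Verify: this is the property block that RD Web / RemoteApp .rdp files will carry.
(Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -CustomRdpProperty).CustomRdpProperty
```

Run it in an elevated PowerShell session on the RD Connection Broker. The read-merge-write step matters because an overwrite would silently remove properties such as redirection or display settings that were set earlier on the same collection.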



KarlieWeng-MSFT answered:

Hello @Legacy777-8030

As far as I know, the client-side events are in Microsoft-Windows-TerminalServices-RDPClient/Operational; you might find more error details there.


If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best Regards
Karlie


Legacy777 answered:

Hi,

I've been doing some more research on the client side and getting several event 1033 errors when connecting even before authenticating (see below).

I was able to find this post that mentions a dynamic RPC port; however, they didn't indicate what it was.

https://social.technet.microsoft.com/Forums/azure/en-US/caff1ed6-9b35-47bf-9a7d-bc6bb7318c67/remoteapp-needs-local-user-logged-in-to-work?forum=winserverTS

Any additional input/feedback is welcome. I will continue to do some more research/testing on this. I may have to set up Wireshark to see if I can figure out what port is being used.

Thanks
Josh

 Component name:CClientProxyTransport, :: 'm_ClientAdapter->CreateTunnel failed' in CProxyRawTrans::CreateProxyConnection at 2119 err=[0x800759d9], Error code:0x800759D9

 Component name:CClientProxyTransport, :: 'Gateway connection time out is 90' in CClientHTTPProxyTransport::Connect at 1196 err=[0x800759d9], Error code:0x800759D9

 Component name:CClientProxyTransport, :: 'CreateConnection failed' in CClientHTTPProxyTransport::Connect at 1205 err=[0x800759d9], Error code:0x800759D9

 Component name:CClientProxyTransport, :: 'Gateway Error' in CClientProxyTransport::SetErrorStatus at 2853 err=[0x800759d9], Error code:0x800759D9
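The post above pulled the event 1033 entries by hand, and the earlier answer pointed at the RDPClient/Operational log. The script below is an added example, not part of the thread, that collects those client-side 1033 events for a time window and groups them by the error code embedded in the message, and optionally reads the gateway's event 312 entries for the same window so the two ends of a failed connection can be lined up. The log names and event IDs are the ones named in the thread; the gateway server name and time window are placeholders, and the remote read assumes Remote Event Log Management is permitted on the gateway.

```powershell
# Added example (not from the original thread): gather RD Gateway connection
# diagnostics from the client log (event 1033) and the gateway log (event 312).
# Assumptions: gateway host name and time window are placeholders; reading the
# gateway log remotely requires rights on that server and its firewall rules.

function Get-RdpClientGatewayErrors {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1)   # placeholder window
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
        Id        = 1033
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Messages in the thread end with "Error code:0x800759D9"; pull that out for grouping.
        $code = if ($_.Message -match 'Error code:(0x[0-9A-Fa-f]+)') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            ErrorCode = $code
            Detail    = ($_.Message -split "`n")[0].Trim()   # first line names the failing step
        }
    }
}

function Get-RdGatewayConnectionEvents {
    param(
        [Parameter(Mandatory)][string]$GatewayServer,   # placeholder, e.g. rdgateway.domain.com
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
        Id        = 312
        StartTime = $Since
    }
    Get-WinEvent -ComputerName $GatewayServer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage: summarise the last 30 minutes on the client, then list what the gateway saw.
$since = (Get-Date).AddMinutes(-30)
Get-RdpClientGatewayErrors -Since $since | Group-Object ErrorCode | Select-Object Count, Name
Get-RdpClientGatewayErrors -Since $since | Format-Table Time, ErrorCode, Detail -AutoSize
Get-RdGatewayConnectionEvents -GatewayServer 'rdgateway.domain.com' -Since $since | Format-Table -AutoSize
```

Reading the two lists side by side narrows where the connection dies: a client-side CreateTunnel failure with no matching 312 entry on the gateway at that time means the request never reached the gateway (it stopped at the reverse proxy), while a 312 entry that is never followed by a later, authenticated gateway event means the first leg arrived but the authenticated leg was dropped, which is consistent with the thread's finding that the proxy does not pass authentication through.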

Legacy777 answered (KarlieWeng-MSFT commented):

As an update, I found a workaround to this issue. I created another port forwarding rule to open a different port and then forward to the gateway server's 443 port. This is working for me. I'd still like to see if I can figure out why this issue is occurring, but at least I have a workaround for the time being.

Josh


KarlieWeng-MSFT commented:

Hey Josh @Legacy777-8030

Thanks for the update and sharing! :)

Karlie