question

BH-3934 asked LeilaKong-MSFT answered

I need to publish an RDWEB application from an Internal Server using RDGateway.

Here are the details:

  1. I have an internal Terminal Server on a Domain Private VLAN running Windows 2016.

  2. It only has inbound public access on TCP Port 443 and UDP Port 3391 with DUO MFA through a Load-Balancing Proxy, which offloads SSL and then re-encrypts the 443 traffic for the RDG.

  3. It is NOT on a DMZ, and is NOT using Citrix.

  4. I need to use the same server for both RDG and RDWEB.

  5. Internal domain RDG server is (fake name and domain): "RDServer1.xyzdomain.local"

  6. External domain is (fake name and domain): "xyzdomain.com"

  7. I have published the RDWEB Portal at: "https://appname.xyzdomain.com/RDWEB";

  8. I have published the RD Gateway at: "https://apps.xyzdomain.com";

  9. I have installed a wildcard cert (*.xyzdomain.com) on both the RDG and RDWEB instances.

  10. When I connect to the RDWEB Portal from outside the domain, it connects fine (no cert errors) and shows the published apps.

  11. When I click on a published app, it downloads a .RDP file that is set to connect on Port 3389, and points to my internal private domain server (RDServer1.xyzdomain.local), which cannot work, because,

      a. My certificate does not cover my internal domain, and

      b. Port 3389 is not open from the outside.

  12. I've tried editing the .RDP file, but still get errors such as: "RD Gateway not available", etc.

HOW DO I MAKE THIS WORK???

remote-desktop-services
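Added example, not code from the thread or from Microsoft's documentation. The script below does two things the question needs: it reads the .RDP file that RD Web Access hands out and reports, from the file alone, why a direct connection from the Internet cannot work (the two reasons in point 11), and it shows the deployment-level gateway setting that makes RD Web Access write the gateway lines into every .RDP it serves, which is the supported alternative to hand-editing downloaded files. Host names are the question's fictional ones; the download path, file name and the default parameter values are assumptions. `Set-RDDeploymentGatewayConfiguration` and `Get-RDDeploymentGatewayConfiguration` are cmdlets of the RemoteDesktop module that ships with the RDS role.

```powershell
# Added example (not from the thread). Parse an RDWeb-issued .RDP file, explain
# what the client will try to do, then register the external gateway name with
# the RDS deployment so future .RDP files are generated correctly.

# Each .RDP line is "name:s:value" (string) or "name:i:value" (integer).
function Get-RdpSettings {
    param([Parameter(Mandatory)][string]$Path)
    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*([^:]+):([si]):(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[3].Trim()
        }
    }
    return $settings
}

# Report the reasons a file like the one in point 11 fails from outside.
function Test-RdpGatewayReadiness {
    param(
        [Parameter(Mandatory)][hashtable]$Settings,
        [string]$InternalSuffix  = 'xyzdomain.local',   # assumption: internal AD DNS suffix
        [string]$ExpectedGateway = 'apps.xyzdomain.com'  # assumption: the published RDG name
    )
    $findings = @()
    $full    = $Settings['full address']              # may carry a port, e.g. host:3389
    $target  = ($full -split ':')[0]
    $port    = '3389'                                 # RDP default when no port is given
    if ($Settings['server port']) { $port = $Settings['server port'] }
    if ($full -match ':(\d+)$')   { $port = $Matches[1] }
    $gateway = $Settings['gatewayhostname']
    $usage   = $Settings['gatewayusagemethod']        # 0 never, 1 always, 2 bypass for local addresses

    if ($target -like "*.$InternalSuffix") {
        $findings += "full address '$target' is an internal name and is only reachable through the gateway"
    }
    if (-not $gateway) {
        $findings += "no gatewayhostname: the client will open TCP $port straight to '$target'"
    } elseif ($gateway -ne $ExpectedGateway) {
        $findings += "gatewayhostname '$gateway' is not the published gateway '$ExpectedGateway'"
    }
    if ($usage -eq '0') {
        $findings += "gatewayusagemethod is 0, so the gateway is never used even when named"
    }
    return $findings
}

# Fix at the source: tell the deployment its external gateway FQDN. RD Web Access
# then emits gatewayhostname/gatewayusagemethod in every .RDP, the client talks
# TLS on 443 to apps.xyzdomain.com (covered by the *.xyzdomain.com wildcard), and
# the gateway makes the internal 3389 hop. Run as an RDS administrator on the broker.
function Set-DeploymentGateway {
    param(
        [string]$Broker  = 'RDServer1.xyzdomain.local',  # broker = the single RDS host here
        [string]$Gateway = 'apps.xyzdomain.com'
    )
    Import-Module RemoteDesktop
    Set-RDDeploymentGatewayConfiguration -GatewayMode Custom `
        -GatewayExternalFqdn $Gateway `
        -LogonMethod Password `
        -UseCachedCredentials $true `
        -BypassLocal $true `
        -ConnectionBroker $Broker -Force
    # Verify what the deployment will now advertise to RD Web Access.
    Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker
}

# Usage (path and file name are assumptions):
# $s = Get-RdpSettings -Path "$env:USERPROFILE\Downloads\cpub-appname.rdp"
# Test-RdpGatewayReadiness -Settings $s
# Set-DeploymentGateway
```

Two design points. Files served by RD Web Access are signed, so editing them by hand invalidates the signature; changing the deployment setting is what makes the generated files correct. The gateway fixes both of the question's blockers (the public cert covers the gateway name, and 3389 is only opened internally by the gateway), but the session host still presents a certificate for its internal name on the inside hop, which is the part an internal CA addresses.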

LeilaKong-MSFT answered

Hello @BH-3934 ,

The following link for your reference:
https://social.technet.microsoft.com/Forums/en-US/20dab778-99fc-4f17-ac78-89ae05173084/remoteapp-access-through-rd-gateway?forum=winserverTS


Best regards,
Leila


If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

LeilaKong-MSFT answered

Hello @BH-3934 ,

Could you please contact the public CA vendor to check whether they can add the internal domain name (*.xyzdomain.local or RDServer1.xyzdomain.local) as a Subject Alternative Name on the existing third-party wildcard cert?
If they can't do that, I think we can install an internal CA server and publish a certificate for the RDCB server with the common name *.xyzdomain.local.

[attachment: certificate.png]



In general, TCP 3389 is the default port for the RDCB server to communicate with the RDSH server.
client --> RD Gateway (TCP 443 and UDP 3391) --> RDCB (3389) --> RDSH (3389)
https://social.technet.microsoft.com/wiki/contents/articles/16164.rds-2012-which-ports-are-used-during-deployment.aspx


If your company doesn't allow TCP port 3389, we can refer to the document below for testing.
RDS Deployment Port Change
https://social.technet.microsoft.com/Forums/windowsserver/en-US/1df4869e-1858-4598-b7fb-121e8d5e2d06/rds-deployment-port-change?forum=winserverTS


BH-3934 answered LeilaKong-MSFT commented

Thank you for the answers. I will attempt to apply them and report back within the next day or two.


Hello @BH-3934 ,

My pleasure. Looking forward to your good news.

BH-3934 answered

The certification cannot have an additional subject name added, since it is a public wildcard certificate.
It only covers the public domain, not the internal domain.

BH-3934 answered

Also, I cannot put this server in a DMZ, as the published application has direct access to an internal database. Therefore, the server is on an internal LAN, within its own VLAN.

LeilaKong-MSFT answered

Hello @BH-3934 ,

Did you install an internal CA server (an enterprise CA) and publish a certificate for the RDCB server with the common name *.xyzdomain.local?

The following video is also for your reference: https://www.youtube.com/watch?v=IGIon1d17Xc

LeilaKong-MSFT answered

Hello @BH-3934 ,

How are things going there on this issue?
Please let me know if you would like further assistance.
