12/18/13 RDS8 - Gateway and Certificates on Windows Server 2012 - Concurrency, Inc.

June 05, 2012 | SHANNON FRITZ | INFRASTRUCTURE, REMOTE DESKTOP SERVICES

RDS8 – Gateway and Certificates on Windows Server 2012

Read more Step-by-Step Guides on Remote Desktop Services in Windows Server 2012.

As the name implies, Remote Desktop Services is a way of delivering services for desktops that are not “local”. However, the Quick and Standard deployments of RDS do not include a key component that makes these services available from outside your organization: the RD Gateway. This role acts as a proxy over HTTPS, letting a client tunnel RDP over SSL to your internal resources, so the only thing you publish to the Internet is port 443 on the gateway rather than RDP on every host, and the traffic is protected in transit.

In Server Manager, if you want to deploy a separate server for the RDGW role, you’ll want to add that new server to the console which is already managing the rest of your RDS environment. I like to use the manager on the RDCB for this, but any Server Manager console that is managing all of your RDS hosts will work just the same.
www.concurrency.com/blog/rds8-gateway-and-certificates-on-windows-server-2012/ 1/16
In this example I am going to be adding the role to the same server that is already running the RDWA role, so the RDGW and RDWA will be on one server. From the Remote Desktop Services area, just click on the big green + above RD Gateway to get started.

Select the server that you want to install the role and add it to the Selected list on the right.

Pick a DNS name that clients will connect to in order to use the Gateway.

This should be the external DNS name that resolves to a public IP address on which port 443 is NAT’d to the RDGW server. NOTE: In this example the RDGW and RDWA roles are on the same server, and both use port 443. If you also NAT port 80, the RDWA site will redirect web browsers from HTTP to HTTPS. Without access to port 80 your users will have to remember to type https:// when accessing the RDWA. It’s just being nice to your users really; nothing about the gateway itself needs port 80.

Also notice that the wizard mentions a Self-Signed Certificate. We will change this in just a moment,
so click Next.

On the Confirmation page just click Add if you’re happy with the config.

Once completed successfully click Close.

Notice the warning that a certificate must be configured. You can click on Configure certificate, but if you click Close you can still manage the certificate later by selecting “Edit Deployment Properties” under the Overview Tasks.

At this point you can decide to create a new self-signed certificate that you would apply to all roles, or, if you’re going to be putting this into production, I would suggest that you use a 3rd-party certificate that all clients will trust by default. I prefer a wildcard certificate for the external domain name being used for the RDWA and RDGW roles. Whichever you choose, the name on the certificate has to match the name clients will type, and a self-signed certificate is only trusted by clients that have had it imported into their Trusted Root store.

When you click “Select existing certificate” you will want to select a .pfx file that contains the
Private Key of the certificate. Without the Private Key, the server will not be able to use the
certificate.

Once you’ve entered the password and checked the box to allow the certificate to be added to the Trusted Root Certification Authorities store on the destination computers, click OK and then Apply the changes.

Once you apply the certificate, do it again for all the remaining roles.
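The same deployment done from PowerShell, as an added example that is not part of the original post. It uses the RemoteDesktop module that ships with Windows Server 2012 and performs the wizard steps above: add the RD Gateway role, point published connections at the external name, apply one PFX to every role, and then verify. The server names, the external FQDN and the PFX path are placeholders (assumptions) you would replace with your own.

```powershell
# Added example (not from the original post): the wizard steps above, driven from
# the RemoteDesktop PowerShell module that ships with Windows Server 2012.
# Server names, the external FQDN and the PFX path are assumed placeholders.
Import-Module RemoteDesktop

$Broker       = 'rdcb.corp.example.local'            # RD Connection Broker (assumed)
$GatewayHost  = 'rdwa.corp.example.local'            # already runs RDWA; RDGW goes here too (assumed)
$ExternalFqdn = 'rds.example.com'                    # public name users will type (assumed)
$PfxPath      = 'C:\certs\wildcard-example-com.pfx'  # must contain the private key (assumed)

# Prompt for the PFX password instead of embedding it in the script.
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Add the RD Gateway role (the "big green +" above RD Gateway) and record the
#    external DNS name clients will use to reach it.
Add-RDServer -Server $GatewayHost -Role RDS-GATEWAY `
    -ConnectionBroker $Broker -GatewayExternalFqdn $ExternalFqdn

# 2. Tell the deployment how published RemoteApps/desktops should use the gateway:
#    the external name, password logon, one credential prompt for gateway and host,
#    and bypass the gateway for clients that are already on the corpnet.
Set-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker `
    -GatewayMode Custom -GatewayExternalFqdn $ExternalFqdn `
    -LogonMethod Password -UseCachedCredentials $true -BypassLocal $true -Force

# 3. Apply one certificate to every role. This is the "do it again for all the
#    remaining roles" step; an untrusted or mismatched certificate on any role is
#    what surfaces on clients as extra credential prompts and certificate warnings.
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPassword `
        -ConnectionBroker $Broker -Force
}

# 4. Check: every role should list the same thumbprint with Level = Trusted.
Get-RDCertificate -ConnectionBroker $Broker |
    Format-Table Role, Level, ExpiresOn, IssuedTo, Thumbprint -AutoSize
```

Run it from a server that is already part of the deployment (the RDCB, as above, is the natural choice). The closing Get-RDCertificate listing is the check worth keeping around: if any role shows a different thumbprint or a Level other than Trusted, clients will get warnings from that role even though the gateway itself is fine.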

Now your client computers can use the Gateway setting found under More Options / Advanced /
Connect from anywhere Settings. Under Server Name simply punch in the external FQDN of the
gateway server.

With that set you can now try connecting to the internal name of any server on your company
network. When you are prompted for credentials you’ll notice the broker name is listed as one of
the servers in the connection path.
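A client-side check, added here as an example rather than taken from the post. Before handing users the external name, confirm from a client (once inside the corpnet and once outside) that the name resolves to the address you expect, that port 443 answers, and that the certificate the gateway presents chains to a trusted root and actually covers that name, including correct wildcard matching. These are the same conditions mstsc evaluates, so a failure here is the certificate warning or extra credential prompt users would otherwise report. The second function writes a .rdp file equivalent to the “Connect from anywhere” settings described above. The names ‘rds.example.com’ and ‘rd1.corp.example.local’ are assumed placeholders.

```powershell
# Added example (not from the original post). Checks what a client sees when it
# connects to the gateway/RDWeb name over HTTPS, then writes a .rdp file that uses
# the gateway, mirroring the "Connect from anywhere" dialog in mstsc.
# Host names below are assumed placeholders.
$GatewayFqdn  = 'rds.example.com'          # external name on the certificate (assumed)
$InternalHost = 'rd1.corp.example.local'   # a session host behind the gateway (assumed)

function Test-RDGatewayCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    # 1. Name resolution from *this* network. Inside the corpnet this should be the
    #    gateway's private address (split DNS); outside, the NAT'd public IP.
    $resolved = [System.Net.Dns]::GetHostAddresses($HostName) |
        ForEach-Object { $_.IPAddressToString }

    # 2. TLS handshake. The callback accepts anything only so that we can pull the
    #    certificate out and judge it ourselves below; never do this in a real client.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # 3. Chain trust as this machine sees it. A self-signed gateway cert fails here
    #    until it has been imported into the client's Trusted Root store.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    # 4. Names the certificate is valid for: SAN dNSName entries, plus the CN.
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ', ') |
            ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
    }
    $names += $cert.GetNameInfo('DnsName', $false)

    # 5. Does any of them cover the name the client typed? A wildcard covers one
    #    label only: *.example.com matches rds.example.com, not rds.corp.example.com,
    #    and it never matches a .local name, which is the mismatch seen on RDSH hosts.
    $nameOk = $false
    foreach ($n in $names) {
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label -notmatch '\.') { $nameOk = $true }
            }
        } elseif ($n -ieq $HostName) {
            $nameOk = $true
        }
    }

    [pscustomobject]@{
        HostName     = $HostName
        ResolvesTo   = $resolved -join ', '
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        NamesOnCert  = ($names | Select-Object -Unique) -join ', '
        NameMatches  = $nameOk
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

function New-RDGatewayRdpFile {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [Parameter(Mandatory)][string]$GatewayHost,
        [Parameter(Mandatory)][string]$Path
    )
    # gatewayusagemethod 2 = use the gateway only when the target cannot be reached
    # directly ("Bypass RD Gateway server for local addresses"), so one file works
    # inside and outside the corpnet. authentication level 2 = warn on cert failure.
    @"
full address:s:$TargetHost
gatewayhostname:s:$GatewayHost
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
authentication level:i:2
"@ | Set-Content -Path $Path -Encoding Unicode
}

Test-RDGatewayCertificate -HostName $GatewayFqdn | Format-List
New-RDGatewayRdpFile -TargetHost $InternalHost -GatewayHost $GatewayFqdn `
    -Path "$env:USERPROFILE\Desktop\$InternalHost.rdp"
```

Read the result as a pair: NameMatches false with a wildcard on the cert means the client is using a name the wildcard does not cover (typically an internal .local name), which is fixed by using one common name inside and out; ChainTrusted false with an empty-looking issuer means a self-signed certificate that has not been imported on this client.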

And you’re all set! Now you can use RemoteApp and Desktops from anywhere.

N’joy!

Shannon Fritz
Infrastructure Architect and Server Team Lead at Concurrency.
Shannon is an MVP in Forefront and Enterprise Security, MCSE in
Private Cloud and MCSA Windows Server 2012. He's also a self-
professed media junkie. Just ask him about MediaCenter!

Find Shannon on: Linkedin

Pingback: Remote Desktop Services in Windows Server 2012, Step-by-Step Guides | Concurrency Blog
Wes
Hi, I’ve got a server set up that is a gateway, rdweb server, and rdcb that has a wildcard cert from godaddy. I then
have a separate server that is a RDSH. I published a basic desktop, and can sign into the rdweb website and
connect. On my Win8 machine it connects smoothly even though I do see the rd.domain.local name of the RDSH
box in the window. On an external win7 box, I get prompted an extra time for my credentials, and I get multiple
squawks about the cert (*.domain.com) not matching the server name (rd.domain.local). How do I fix this?
thanks!
Shannon Fritz
Hi Wes, this is the same issue as above. If you use one name that will be used both inside and outside then you will be able to connect without any certificate problems. Since the .local namespace cannot exist on the Internet, that leaves you with hosting the .com on the inside.
Wes Lazara
Thanks Shannon, although I’m not really following… Our AD domain is domain.local, so how do I simply start using domain.com internally since the FQDN of all the servers is already .local and we can’t change that?
Shannon Fritz
Basically what I am saying is that you can serve the .com domain space on your internal DNS, then create an internal DNS record for something like “rds.domain.com” that resolves to your RDWeb/Gateway server. Then on External DNS create the same “rds.domain.com” that resolves to the external IP that is being NAT’d to your RDWeb/GW server. Now tell users to always use “rds.domain.com” to get their remote apps from RDWeb (or the RSS feed) and they will be able to get them wherever they might be.
Wes Lazara
Hi Shannon, I think you are missing the issue – the issue is that the RDSH servers are domain joined, thus they use domain.local automatically and the poorly written RD gateway exposes that name to RDP clients, thus causing the cert mismatch. So somehow we need a way to stop that behavior. I tried manually forcing the RDSH servers to use the *.domain.com wildcard cert, but unfortunately that resulted in the dreaded 0x607 error coming back. See here for a good rundown of this ridiculous issue:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/94780a11-23ba-4a3c-b11a-734007c2d2fd/an-authentication-error-has-occured-code-0x607
Microsoft should ONLY be exposing the gateway – and then the gateway server should be the only thing talking to and authing with the RDSH servers. Exposing the RDSH server names and certs to the client defeats the whole purpose of the gateway – really stupid design flaw on Microsoft’s part.
Shannon Fritz
It sounds like what you need is a UC certificate, a certificate that can have different domains as Subject Alternative
names. That way you can have domain.com and domain.local. This does mean you cannot use a wildcard
certificate however as UC certs do not allow wildcard.
Wes Lazara
Yes, however as previously mentioned public cert providers are no longer selling non-routable domain names such as .local after fall 2015, so this is an extremely shortsighted design flaw by Microsoft. The internal AD domain name should never be exposed to the client at all, just the way Citrix does it. In the Citrix world, only the gateway server (which doesn’t even necessarily have to be domain-joined!) with an external domain name is seen by the client, and the internal security happens behind the scenes and can use an internal cert authority. Microsoft is going to need to change this due to the cert changes in 2015, it’s absurd.
pesos
Hi Shannon, I feel I’m so close… I have a 2012 server that is the connection broker, gateway, and rd web server.
Its name is rds.domain.local but the external name we are using is rd.domain.com and it has my wildcard cert
installed for *.domain.com
I then have a separate 2012 RDSH server named rd1.domain.local and have this in a collection for basic remote
desktop access.
I sign into rdweb just fine, and the connection is made, but then I get a certificate error which shows the internal
name rd1.domain.local
How do I get around these cert errors? Also, for external clients, after signing into rdweb and clicking on the icon,
the RDC client makes me authenticate a 2nd time…
Shannon Fritz
This is basically the same question Ronald was asking (here). You’ll want to make sure you are accessing the RDS environment by using one name that is common between the inside and outside networks. This will let you use one certificate to secure the connection regardless of how you connect to it. So make a DNS record for the external name on your internal DNS servers, and you should be good to go.
Plus, this allows you to tell your users to access the RemoteApps by always going to “rd.domain.com” no matter where they are. Work one way from anywhere, even though that is sort of the mantra for DirectAccess ;]
Tom
Thanks for this useful blog. I was able to successfully set up my gateway.
However, I was under the impression I can point my external clients to the gateway https address and get the
same page when accessing the Web Service server… Am I missing anything? I just get the standard IIS page…
Shannon Fritz
You will get the standard IIS page if you just visit the hostname of your RDWeb server. To see the RD Web Access page you need to visit /RDWeb. I usually replace the default IIS page with a redirection page that will take visitors to /rdweb so they can get there really easily. Maybe another blog post in the future ;]
Bill Medland
I am trying to import a certificate that we have generated ourselves (chained to a single trusted one) but when I
apply it I get an error that “The certificate properties must match the requirements of the role service”. How do I find
out what those requirements are and how to make a suitable certificate (for development work)?
Shannon Fritz
The certificate is really just a web server certificate. So if you create an SSL certificate from the default Web Server
template you should be good.
tShabbir
Hi SHANNON ,
Thanks a lot for the wonderful blog. I followed these guidelines and set up an RDS 2012 environment. My only concern for now is SSO. I have been trying to configure SSO for the last two days with no success. Can you guide me or publish an article on SSO?
I will definitely wait for your response.
Regards
tShabbir
Shannon Fritz
SSO for RDS 2012 is mainly dependent on getting the right / trusted certificates installed and when logging in to
RDWeb, use “this is a private computer”.
siyang
Dear Shannon,
I have one question which block me to use external user to access my internal VDI.
After I configured VDI–Gateway, I tried “Create new certificate”, but it failed and prompted the error message “Could not find file C:\Users\TEMP.LAB\Documents\‘myFQDN‘.pfx”.
Actually, I don’t know how to create a .pfx certificate?
Please give me some advice.
Btw, I have created a CA on the gateway server, but this CA seems like it can’t be used for the gateway server.
Shannon Fritz
If you generate your own certificate (using something like “makecert”) then you have to also import that certificate
(without the private key) on the client computers. The easiest thing to do is generate a wildcard for your domain,
as long as the inside and outside domains match, and you’re golden.
If you are trying to stand up your own CA, that is a whole ‘nother ball of wax that is well outside the scope of this
particular blog post. Maybe I should write that out…
StanthewiZZard
Hello Shannon
I followed your very well documented tutorial.
Everything is on the same server:
RDweb, RDgateway, RDbroker
Internal DNS resolves to the correct IP
SSL Cert is trusted and on the client
I’m unable when I force the gateway on a client to connect to the RDgateway
Have you got any idea, it’s driving me mad ;)
Thanks
Shannon Fritz
Internally you will not use the Gateway. You only use the gateway when you are outside the corpnet. So you need
an external DNS record that goes to a public ip on your firewall that you then NAT port 443 to the Gateway server
internal address. (Note: This will also make RDWA available for you outside since it’s on the same box). Then a
client that is outside the corpnet can be configured to use the gateway address and try to connect to an internal
resource. Since it cannot find the internal name on the internet, it’ll hop through the gateway to find it.
StanthewiZZard
You’re RIGHT
It’s perfectly working outside the network (not working with vpn because the gateway is not bypassed)
Another question if I may ask ;)
How to have on the same IP on the port 443 both :
exchange 2013 and the RDgateway ?
Thank you very much
Shannon Fritz
You probably won’t be able to unless you have a Reverse Proxy of some kind in front of the RDWA/RDGW and the Exchange servers. Since the RD and EX services are on different hosts, they are reached using different internal IPs and you can only NAT a port (443) to one IP address.
That said, using HTTP/S gives you another option when you have a reverse proxy. That’s because the RP receives the incoming URL request on port 443 and can redirect the individual URL paths to different internal servers. For example, RDWA is located at https://ip/rdweb and the RDGW is on https://ip/rpc. If you have a RP listening on the public https://ip/ then it can send each URL path to a different internal server if you wanted to.
In your case, the RDWA and RDGW are on the same server, so you don’t need to send them to different internal servers, but you would need this capability to use the same external IP for Exchange. I’m not sure of all the URLs for EX, but it’s something like /OWA, /EWS and /OAB (maybe more). Typically you would just have Exchange on its own public IP address.
Examples of Reverse Proxies? Forefront TMG, the new Web Application Proxy in Windows Server 2012 R2 Remote Access, or the Application Request Routing (ARR3) add-in for IIS.
Good luck!
StanthewiZZard
For the time being, I have squid and it is unable to reverse proxy RPC.
I’m going to try App proxy … but I’m waiting for your tutorial ;)
Many many thanks
Marco
Hi Shannon,
A question: I have my RDWA and RDGA on the same server, OK. Internally my RemoteApps work. My RDWA and RDGA server is in a DMZ with a public IP directly on the network interface. Which ports do I have to open on the firewall, in which directions, and for which servers?
Thank you
abatishchev
Hi Shannon,
A question please: I’m configuring virtual RD Gateway (running 2012 R2).
I created a self-signed cert with Purpose=Client Auth, Server Auth and Subject=domain.com (my external dns I’m
connecting over) and selected it using RD Gateway Manager snap-in.
But the client (Win 7 MSTSC) shows an error that “Server address requested and the certificate subject do not match”.
Indeed the cert has Subject=tsg.domain.local (its internal domain name) and a different expiration date than mine.
What am I doing wrong? How do I specify the cert properly?
If I select my cert instead of the default one using the RD Session Host Configuration snap-in then the client just shows an error that the gateway is temporarily unavailable.