SSL certificate for RD server when public & private server names differ
  • SSL certificate for RD server when public & private server names differ

    I set up a new Server 2008 R2 joined to a 2003 domain as a member server.

    I added the RD Services, gateway and web access roles.

    The server is named server.company.local and is on an internal network. There is an external DNS record rd.company.com pointing at the static IP which has ports forwarded to the RD server.

    There is another server on the network that has a wildcard SSL certificate for *.company.com. I exported it and imported it into the certificate store on the new server.

    I published Calculator as a RemoteApp and created an RDP file. When I launch the RDP file from my computer outside the network, it tells me it is connecting to GW rd.company.com and remote computer server.company.local. I then get a warning telling me that the "identity of the remote computer cannot be verified" because the certificate for server.company.local isn't trusted, as it is self-signed. If I agree to proceed, the RemoteApp loads.

    I get the same behavior when going to the web gateway. If I go to https://rd.company.com/rdweb, the browser shows the connection is secure and the certificate is good. If I launch my RemoteApp, I get the same "identity of the remote computer cannot be verified". If I agree, the RemoteApp loads.

    I originally thought it would be sufficient for the RD gateway to have a valid SSL certificate. Did I misconfigure this or is this expected behavior?

    Any suggestions appreciated.

  • #2
    Re: SSL certificate for RD server when public & private server names differ

    You can use a SAN-based certificate. This will allow you to use the external and internal domain names in the same certificate. I didn't try this solution, but you can use it in a lab first.
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



    • #3
      Re: SSL certificate for RD server when public & private server names differ

      Originally posted by yuval14:
      You can use a SAN-based certificate.
      That idea crossed my mind. I have used those types of certificates on Exchange servers.

      I thought I read that as long as you have a certificate for the RD gateway it would work. So I wondered if I missed something or there was a workaround.



      • #4
        Re: SSL certificate for RD server when public & private server names differ

        This issue is about what FQDN the user uses to connect to the TS. I don't think you would like users to believe they are connecting to the company's TS Gateway while another server (a hacker's server) obtains the user's authentication.
        Best Regards,

        Yuval Sinay

        LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



        • #5
          Re: SSL certificate for RD server when public & private server names differ

          The users can only connect using the FQDN "rd.company.com" and the wildcard I have installed is for *.company.com

          The certificate error they get is when the gateway connects to the RD session server which has the name server.company.local
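
          To see exactly why the wildcard works for the gateway but not for the session host, here is an added example (not from this thread or from Microsoft) that applies the standard certificate name-matching rules to both names the client verifies. The certificate name lists are constructed to mirror the thread: a wildcard certificate for *.company.com, and a SAN certificate as suggested in reply #2.

```python
"""Check which RD connection names a certificate's subject names actually cover."""


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a wildcard that is the whole
    leftmost label and matches exactly one label (never across a dot)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same label count, at least "*.domain.tld", and only a whole-label wildcard.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def covered_names(cert_names, hosts):
    """Map each host the client verifies to the certificate name that covers it (or None)."""
    return {h: next((n for n in cert_names if name_matches(n, h)), None) for h in hosts}


def uncovered(cert_names, hosts):
    """Names that would produce the 'identity cannot be verified' warning."""
    return [h for h, match in covered_names(cert_names, hosts).items() if match is None]


# Constructed data mirroring the thread (not real certificates).
WILDCARD_CERT_NAMES = ["*.company.com", "company.com"]          # the exported wildcard cert
SAN_CERT_NAMES = ["rd.company.com", "server.company.local"]     # a SAN cert with both names
# The client checks two names: the gateway it dials and the session host it is handed to.
NAMES_CLIENT_VERIFIES = ["rd.company.com", "server.company.local"]

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT_NAMES), ("SAN", SAN_CERT_NAMES)):
        missing = uncovered(names, NAMES_CLIENT_VERIFIES)
        print(f"{label} cert: " + ("all names covered" if not missing
                                   else "warning for " + ", ".join(missing)))
```

          The wildcard covers rd.company.com, so the gateway and RDWeb check out, but server.company.local shares no parent domain with *.company.com and so falls back to the session host's own self-signed certificate. Note that public CAs no longer issue certificates for non-registrable names such as .local, so a SAN certificate listing server.company.local has to come from an internal CA that the connecting clients trust.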
