TS Gateway Certificate Nightmare

  • TS Gateway Certificate Nightmare

    I am attempting to provision a single Server 2008 SP1 as a TS Gateway and TS Server to allow around 10 users external access via RDP. I have a public domain <> domain and the internal domain is <domain.local>.

    The server is in our internal network and is a member of the domain.

    I cannot get the externally named certificate to bind to the TS Gateway.

    In IIS I am able to bind the default web site address to, however that option is greyed out in the https binding. So I am assuming the binding will be to the tserv01.domain.local address and this is why I cannot get the certificate which has the external address as its CN to bind.

    How can I solve this so that the machine can have an internal DNS address, whilst the secure web address is correctly named as the external address so that it matches the external published DNS address of the machine?

    I have looked and looked around and I cannot see how to achieve this.

    Thanks Chris
    Last edited by themadprofessor; 6th April 2009, 17:24.

  • #2
    Re: TS Gateway Certificate Nightmare

    Will this help?


    • #3
      Re: TS Gateway Certificate Nightmare

      Thanks, however I have read that. I then beat up the CA that issued my original certificate as they included roles in addition to "Server Authentication" which meant that the numeric field was different, and eventually obtained a certificate that has exactly the required parameters. However this still does exactly the same thing.

      The only issue I could see was the fact that the certificate is in the name by which the server is seen externally, however the host name of the server is the internal domain.

      I have been trying for three weeks to get this to work. I can get a self issued certificate to "stick" every time, but I seemingly cannot get the externally issued one to work with this server. I AM using other certificates issued by the same CA on other Windows 2K servers for Exchange OWA and mobile access without any issue.

      I suspect that Microsoft have greatly tightened their security in Server 2008 (well, I know they did) and I am falling foul of some arcane aspect of the new, more secure configuration. However, I cannot see what I have done wrongly.

      Thanks Chris


      • #4
        Re: TS Gateway Certificate Nightmare

        Quite some time has passed!

        But here it goes.

        I had the same problem and it's solved.
        The certificate has to be with the .com name.
        Create a host record in your local DNS with the .com name pointed to the ts gateway lan IP.

        In the TS Gateway Manager, go to the properties of the server:

        - SSL Certificate tab: install the certificate with the .com entry.
        - Server Farm: add the *.com FQDN to the TS farm.
        In the TS Gateway Manager (if using local policies), go to the RAP policies, create a new one, go to its properties and in the computer group select "Select existing TS Gateway computer group...", click Browse... and create a new one with the *.com entry.

        Be sure to configure the CAPs too.


        TS RemoteApp Manager:
        Terminal Services settings - *.com
        TS Gateway settings - put auto or input the *.com domain name.
        Digital Signature - install the certificate with the *.com domain name.

        And that's it, I think.
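The procedure in post #4 hinges on three things lining up: the certificate in the machine store names the external FQDN (with a private key and the Server Authentication EKU), the internal DNS has a host record so that the external name resolves to the gateway's LAN IP from inside (split DNS), and the certificate actually presented on TCP/443 is that externally named one rather than the self-signed or machine-name one. The PowerShell script below is an added example, not code from any poster in this thread, that checks those three points on a gateway; the FQDN, LAN IP and zone name are assumptions for illustration, and the `dnscmd` line it suggests is only printed, not run.

```powershell
# Added example, not from the forum thread. Verifies what post #4 relies on for a TS
# Gateway: (1) a LocalMachine\My certificate naming the external FQDN with a private key
# and the Server Authentication EKU; (2) split DNS so the external name resolves to the
# LAN IP from inside; (3) the certificate actually presented on 443 is that certificate.
# All names and addresses below are assumptions for illustration.
param(
    [string]$ExternalFqdn = 'tsgateway.example.com',   # assumed externally published name
    [string]$LanIp        = '192.168.10.5',            # assumed LAN IP of the gateway
    [string]$InternalZone = 'example.com'              # assumed zone to create in internal DNS
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-CertDnsNames {
    # Returns the subject CN plus every DNS name in the Subject Alternative Name extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders e.g. "DNS Name=a.example.com, DNS Name=b.example.com"
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names
}

function Test-ServerAuthEku {
    # True only if the EKU extension is present and lists Server Authentication.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        return [bool](($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuthOid)
    }
    return $false
}

# --- 1. A usable certificate for the external name in the machine store ----------------
$matching = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (Test-ServerAuthEku $_) -and ((Get-CertDnsNames $_) -contains $ExternalFqdn)
})
if ($matching.Count -eq 0) {
    Write-Warning "No cert in LocalMachine\My names $ExternalFqdn with a private key and Server Authentication EKU."
} else {
    foreach ($c in $matching) {
        Write-Host ("OK  cert {0} valid {1:d} to {2:d}, issuer {3}" -f $c.Thumbprint, $c.NotBefore, $c.NotAfter, $c.Issuer)
    }
}

# --- 2. Split DNS: the external name must resolve to the LAN IP from inside ------------
$resolved = @()
try   { $resolved = @([System.Net.Dns]::GetHostAddresses($ExternalFqdn) | ForEach-Object { $_.IPAddressToString }) }
catch { Write-Warning "Cannot resolve $ExternalFqdn internally: $($_.Exception.Message)" }
if ($resolved -contains $LanIp) {
    Write-Host "OK  $ExternalFqdn resolves to $LanIp"
} elseif ($ExternalFqdn -like "*.$InternalZone") {
    $label = $ExternalFqdn.Substring(0, $ExternalFqdn.Length - $InternalZone.Length - 1)
    Write-Warning "$ExternalFqdn resolves to [$($resolved -join ', ')], not $LanIp. On the internal DNS server run:"
    Write-Warning "  dnscmd . /RecordAdd $InternalZone $label A $LanIp"
} else {
    Write-Warning "$ExternalFqdn is not under zone $InternalZone; create that zone (or a pinpoint zone) in internal DNS first."
}

# --- 3. Which certificate does the gateway actually present on 443? --------------------
$script:presented = $null
$cb = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    # Record what was sent; accept unconditionally because we only want to inspect it.
    $script:presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    return $true
}
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($ExternalFqdn, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($ExternalFqdn)
    $ssl.Close(); $tcp.Close()
    $names = Get-CertDnsNames $script:presented
    if ($names -contains $ExternalFqdn) {
        Write-Host "OK  443 presents $($script:presented.Thumbprint) for $ExternalFqdn"
    } else {
        Write-Warning "443 presents a cert for [$($names -join ', ')], not $ExternalFqdn (likely the self-signed or machine-name one)."
    }
} catch { Write-Warning "TLS handshake to ${ExternalFqdn}:443 failed: $($_.Exception.Message)" }
```

Run it on the gateway itself (for the store check) and again from a domain workstation (for the DNS and handshake checks). The handshake step deliberately ignores chain errors so it can report a mismatched certificate instead of failing; it is a diagnostic, not a validation, so do not reuse that callback in anything that talks to the gateway for real.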