How do I change my Remote Desktop Gateway certificate?

How to Install an SSL Certificate on a Remote Desktop Gateway server

The following instructions will guide you through the SSL installation process on a Remote Desktop Gateway server. If you have more than one server or device, you will need to install the certificate on each server or device you need to secure. If you still have not generated your certificate and completed the validation process, reference our CSR Generation Instructions and disregard the steps below.

A Complete Guide to Install SSL certificate on Remote Desktop Gateway Server

A Remote Desktop Gateway server lets remote users reach resources on the internal or private network from any Internet-connected device. RD Gateway tunnels RDP (Remote Desktop Protocol) inside an HTTPS connection between the remote user and the internal network, so no VPN has to be configured to secure the communication. This short guide walks through the SSL certificate installation process on an RD Gateway server.

update certificate rd gateway and session hosts 2019

How do we update the SSL certificate for the RD Gateway and Session Hosts 2019? Do we update it in IIS and Terminal Server configuration manager? Is there anything else we need to do?

And will the old rdp file to connect to the rd gateway still work?

I have to know how this works exactly to avoid long extended down time.

windows-server


LimitlessTechnology-2700 answered Oct 5, '21

Hello Henry N

Normally I follow these steps:

  1. Start by importing the SSL certificate into the Computer Account. MMC (Add/Remove Snap-ins - Certificates - Computer Account). I imported the cert into the Personal and Remote Desktop stores.
  2. Import the SSL certificate into IIS. Run IIS Manager, select the ServerName (left side, Connections), under the IIS section open Server Certificates, and import the SSL certificate there. Select the web site (left side, Connections), open Bindings (right side, Actions) and associate/bind the wildcard cert with the appropriate https binding (host name, port 443).
  3. TS RemoteApp Manager, Overview section, Digital Signature Settings, Change, Digital Signature, check "Sign with a digital certificate", Change, select the SSL certificate.
  4. TS Gateway Manager, select ServerName, Properties, SSL Certificate tab, "Select an existing certificate for SSL encryption (recommended)", Browse Certificates, select the SSL certificate.
  5. Terminal Services Configuration, Connections area, select the appropriate connection, Properties, General tab, Select, select the SSL certificate.

--If the reply is helpful, please Upvote and Accept as answer--
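The same certificate rotation done from PowerShell on a 2012 R2 or later server, as an added example that is not part of the answer above. It adds the check a practitioner wants before binding anything: that the new certificate carries a private key, is not about to expire, and actually covers the external gateway name. The PFX path, gateway FQDN and IIS site name are placeholders, and the RDS: provider path and the Set-RDCertificate call follow Microsoft's documentation but should be confirmed with Get-Help on your server.

```powershell
# Added example: rotate the RD Gateway / RD Web / RD Session Host certificate
# from PowerShell (run elevated on the gateway). Placeholders: $pfxPath,
# $gatewayFqdn and the IIS site name. The RDS: provider path is assumed as in
# Microsoft's documentation; verify with Get-ChildItem RDS:\GatewayServer.
$pfxPath     = 'C:\certs\rdgw.pfx'       # placeholder: exported PFX with private key
$gatewayFqdn = 'rdgw.example.com'        # placeholder: name clients use externally
$siteName    = 'Default Web Site'        # IIS site that hosts /RDWeb

# 1. Import the PFX into the computer's Personal store (Cert:\LocalMachine\My).
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $pfxPath -Password $pfxPass `
        -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Pre-flight checks: private key present, not about to expire, and the
#    external name covered by a SAN entry (wildcards accepted via -like, which
#    is looser than RFC 6125 but adequate as a sanity check).
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key.' }
if ($cert.NotAfter -lt (Get-Date).AddDays(14)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); rotate again soon."
}
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$names  = @()
if ($sanExt) {
    $names = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
             ForEach-Object { $_.Groups[1].Value }
}
if (-not ($names | Where-Object { $gatewayFqdn -like $_ })) {
    throw "Certificate SAN ($($names -join ', ')) does not cover $gatewayFqdn."
}
$thumb = $cert.Thumbprint

# 3. IIS: rebind the HTTPS binding of the RD Web site to the new certificate.
Import-Module WebAdministration
(Get-WebBinding -Name $siteName -Protocol https).AddSslCertificate($thumb, 'my')

# 4. RD Gateway: point the gateway listener at the new thumbprint.
Import-Module RemoteDesktopServices
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $thumb

# 5. RD Session Host: bind the RDP-Tcp listener (what the answer calls
#    "Terminal Services Configuration") to the same certificate.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
            -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-CimInstance -InputObject $listener -Property @{ SSLCertificateSHA1Hash = $thumb }

# 6. RemoteApp signing on a 2012+ deployment with a Connection Broker is set
#    per role instead of in TS RemoteApp Manager, e.g.:
#    Set-RDCertificate -Role RDPublishing -Thumbprint $thumb -Force

# 7. Restart the gateway service and confirm the listener answers again.
Restart-Service -Name TSGateway
(Test-NetConnection -ComputerName $gatewayFqdn -Port 443).TcpTestSucceeded
```

Run the script in a maintenance window: steps 3 to 5 each take effect immediately, and the service restart in step 7 drops active gateway sessions for a few seconds.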


HenryNiekoop-2622 answered Oct 7, '21 | HenryNiekoop-2622 edited Oct 7, '21

Something is missing for me from these steps. I've managed to set up a test environment to test this; however, the old RDP files work but the new ones (after configuring the new certificates) do not work. I see the new RDP files have the new certificate embedded.

What could I possibly be missing?


HenryNiekoop-2622 answered Oct 9, '21

Sorry, it worked fine in production, so I must have done something wrong when I tested it. Thanks!


14 Replies


IT7975 Sep 4, 2013 at 05:58 UTC

I had exactly the same error message; however, it was working the day I set it up, but the next day it just died. My setup wasn't like yours (external and internal) - mine is purely internal.

I tried everything: deleting the certificate from IIS, the RDP server, and the client, re-creating and assigning it, but none of it worked.

One thing I remembered as I was going through the whole suite of RDP components: RDP Manager, RDP Session Host, RDP Remote App etc...

I found: RemoteApp Manager > RD Host Session Server Setting (click Change) > RD Gateway tab and ticked Automatically detect RD Gateway Server Settings. Then I restarted the Remote Desktop Gateway service and what do you know...DAMN THING ACTUALLY WORKED!!!

Wooohoooo...

So you might want to check in your environment this might help....

Cheers,

IT


Eddie.Brown Sep 4, 2013 at 16:51 UTC

Hey thanks for the reply,

I tried to turn them to automatic and the results are not any better. Instead of the certificate error I now get an error stating: The gateway server you are trying to contact is temporarily unavailable.

It is actually working internally and I have rebuilt this server more than once. I have even gone as far as setting up a test environment to try to resolve the issues I see from afar. However, nothing has worked yet. Microsoft's instructions to get this working are designed for internal use only and are convoluted to say the least. There is very little instruction or even experience around the external access for this service. I have already dumped so many hours into this that I am almost looking for an alternative solution. Maybe I will just open a VPN tunnel to allow remote access to the server.


IT7975 Sep 4, 2013 at 23:55 UTC

Your main issue here is that you are not able to access it externally - correct?

1) I think you might want to try putting it on your DMZ just for a test.

2) Assuming that you have done the routing on your firewall?

3) Assuming you have mapped it to an external IP (NATing) and published the URL externally?

4) Check the port RD Web Access is connecting on - you need to open that port on your firewall.

5) Assuming you have configured HTTPS traffic for this site with the port?


Best Answer

Eddie.Brown Sep 11, 2013 at 16:25 UTC

This has been resolved.

It was a problem with the certificate and where I was creating it from. I was creating a self-signed cert from IIS. In order to specify my external domain I had to create the self-signed certificate through the RD Gateway Manager. After I did this, BOOM, everything was working.


IT7975 Sep 12, 2013 at 00:20 UTC

Good work!


ahmedali2 Mar 2, 2014 at 05:47 UTC

Please can you explain what you did exactly to solve that issue??!!


dunBrokeIT Mar 4, 2014 at 22:55 UTC

Running into this problem ourselves, an explanation would be most appreciated :)


Little Green Man Mar 5, 2014 at 01:04 UTC

Eddie.Brown wrote:

This has been resolved.

It was a problem with the certificate and where I was creating it from. I was creating a self-signed cert from IIS. In order to specify my external domain I had to create the self-signed certificate through the RD Gateway Manager. After I did this, BOOM, everything was working.

crowntech wrote:

Running into this problem ourselves, an explanation would be most appreciated :)

See Bold.


Little Green Man Mar 5, 2014 at 01:05 UTC

ahmedali2 wrote:

Please can you explain what you did exactly to solve that issue??!!

See above BA.


stevensedory Jun 10, 2014 at 06:38 UTC

If you still need help with this, I can explain. I don't want to go through the trouble though if you don't need it, so let me know by replying.


Eddie.Brown Jun 10, 2014 at 19:27 UTC

Sorry Bill,

I haven't circled back to this in quite some time. Basically there are multiple ways to issue a self-signed certificate to a server. In this particular situation there are three: one through IIS Manager, one through the Certificates MMC snap-in, and one through the RD Gateway properties.

The third place is where I was able to associate my server with my external domain and have it self-sign. Once I created the certificate through the RD Gateway settings, my website was loading my applications.

I hope this helps.


pjens4962 Jan 15, 2015 at 16:55 UTC


Hello all,

One of my clients had a certificate expire on their server yesterday and now all the users are getting the following error on their desktop. I issued a new certificate (Renewed) on the server and it took care of the local computer errors, however, the remote desktop users from outside the organization still can't get

 Or this...

RWA users can't remote desktop in because they get this error...

And when you view certificate, the install certificate button is missing (See below)

I "copied to file" and installed it to the Trusted Root Cert folder, but they still can't get access through remote desktop. Any help would be greatly appreciated! I'm trying to learn this certificate stuff...


lynntober-rice2 Sep 11, 2015 at 15:15 UTC

Were you able to resolve your issue? If so, I would like to know how this was resolved.

I am having a similar problem with a traveling user and it references the hotel's wireless certificate. There is no "install" option.

Thank you.

~Lynn


starg33ker Sep 11, 2015 at 20:14 UTC

Hi lynntober-rice2, welcome to SpiceWorks!

When you see that a "best answer" has been marked, that means the issue has been resolved. The poster mentioned the solution here: //community.spiceworks.com/topic/post/2521776

If this does not fix your issue, I would recommend starting a new topic, as you'll receive little to no help in a 2 year old thread.

Hope to see you around!


Configuring the remote desktop gateway

To raise the security level of a Windows server, it is not enough to change the RDP TCP port. Below we look at configuring the Remote Desktop Gateway in an Active Directory domain.

Remote Desktop Gateway - what is it?

Remote Desktop Gateway is a Windows Server role that provides an SSL-protected RDP connection to servers on the internal network. Its main advantage is that you do not need to deploy a VPN server; the gateway takes that role.

It should be noted that starting with Windows Server 2008 R2, the names of all Remote Desktop Services were changed. The previously named Terminal Services were renamed Remote Desktop Services.

Advantages of Remote Desktop Gateway

Important! The gateway server must be a member of an Active Directory domain. It is configured as a domain administrator and can be any server in the domain.

Installing the role.

Open Server Manager.

Select “Add Roles and Features”.

At the “Installation Type” step, select “Role-based or feature-based installation”.

In the next step, select the current server.

Under Server Roles, select “Remote Desktop Services”.

Under Role Services, select “Remote Desktop Gateway”.

Proceed to the confirmation step and click “Install”.

Configuring the connection and resource authorization policies.

In the Remote Desktop Gateway Manager window that opens, expand the branch with the server name in the left pane → Policies → Connection Authorization Policies.
In the right pane of the same window, select Create New Policy → Wizard.

In the “Create New Authorization Policies” wizard, select the recommended option “Create a RD CAP and a RD RAP (recommended)” and click “Next”.

In the next step, enter a convenient name for the connection authorization policy. We recommend using English names.

Next, choose the authentication method: password or smart card. In our case we leave only “Password” checked. Then add the groups that are allowed to connect through this RD Gateway by clicking “Add Group…”.

In the group selection window, click “Advanced…”.

The window expands. Click “Find Now”. In the search results, select “Domain Admins” and click “OK”.

In the group selection window, check the selected object names and click “OK”.

The group is added. Click “Next” to go to the next step.

In the next step, select “Enable device redirection for all client devices” and click “Next”.

Set the timeouts: the idle timeout and the session timeout, both in hours. Click “Next”.

Review the settings. If everything is correct, click “Next”.

The next step configures the resource authorization policy. Enter the desired policy name and click “Next”.

The next step sets the group membership. Usually the group is already filled in from the previous policy; if not, repeat the steps above. Click “Next”.

Now select the available network resources: the group containing the servers that the chosen user groups may reach over Remote Desktop. Click “Browse…”.

In the group selection window, click “Advanced…”.

In the expanded window, click “Find Now”. In the results, select “Domain Controllers”.

Click “OK”.

Check the selected objects and click “OK”.

Check once more which network group has been added and click “Next”.

If the RDP port number has not been changed, set the option to “Allow connections only to port 3389”. If the port has been changed, enter the new value.

Click “Finish”.

At the policy creation confirmation step, click “Close”.

When the setup is complete, the window will look similar to this.

Installing the SSL certificate.

In the same Remote Desktop Gateway Manager window, click the server icon in the left pane and then, in the main part of the window, “View or modify certificate properties”.

In the “Properties: <server name>” window, go to the “SSL Certificate” tab. Select “Create a self-signed certificate” and click “Create and Import Certificate…”.

Two other options are also available on this tab: selecting an existing certificate from the computer's certificate store, or importing one from a file.

In the “Create Self-Signed Certificate” window, check the settings and click “OK”.

The system reports that the certificate was created successfully and shows where the certificate file was saved. Click “OK”.

In the server properties window, click “Apply”.

The self-signed certificate is now bound to TCP port 443 (the default SSL port).

For security reasons, we recommend changing the default SSL port. To do this, in the window's main menu select “Actions” → “Properties”.

Go to the “Transport Settings” tab and set the desired value in the “HTTPS port” field. Save the settings by clicking “Apply”.

The system asks for confirmation; answer “Yes”.

Connecting via the gateway.

Open the RDP client (Remote Desktop Connection), go to the “Advanced” tab and click “Settings”.

In the window that opens, select “Use these RD Gateway server settings”. Enter the domain name of the gateway server followed by a colon (:) and the SSL port. Set the logon method to “Ask for password”. Click “OK”.

Go to the “General” tab. Enter the address of the computer to connect to and the user account that will be used. Click “Connect”.

The program asks for the account's password.

You can confirm that the connection goes through the gateway with a route trace (the tracert command).
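The gateway setup described in this article, scripted as an added example that is not the article's own code, for a server already joined to the domain: role installation, a password-only connection authorization policy for Domain Admins, a resource authorization policy, a self-signed certificate bound to the gateway, and an .rdp file that connects through the gateway as the client dialog above does. The target host and HTTPS port are placeholders, and the RDS: provider item names follow Microsoft's documentation but should be confirmed with Get-ChildItem before the script is relied on.

```powershell
# Added example (not the article's code): build the gateway from the article
# with PowerShell. Run elevated on the future gateway, as a domain admin.
# Assumptions: $target and $httpsPort are placeholders; the RDS: provider
# item names follow Microsoft's documentation (check with Get-ChildItem).
$domain      = $env:USERDNSDOMAIN              # e.g. corp.example.com
$gatewayFqdn = "$env:COMPUTERNAME.$domain".ToLower()
$target      = "dc01.$domain"                  # placeholder internal host
$httpsPort   = 443                             # change here if you move the SSL port

# 1. Role: Remote Desktop Services -> Remote Desktop Gateway (+ management tools).
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools
Import-Module RemoteDesktopServices              # exposes the RDS: drive

# 2. Connection authorization policy: password authentication only,
#    Domain Admins only (AuthMethod 1 = password; see the provider help for
#    the smart card values).
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'RD-CAP' `
         -UserGroups "Domain Admins@$domain" -AuthMethod 1

# 3. Resource authorization policy. ComputerGroupType 2 = any network resource.
#    The article limits this to the Domain Controllers group, which is the
#    better least-privilege choice: after creation, inspect
#    Get-ChildItem RDS:\GatewayServer\RAP\RD-RAP and set the computer group there.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'RD-RAP' `
         -UserGroups "Domain Admins@$domain" -ComputerGroupType 2

# 4. Self-signed certificate in the computer store, bound to the gateway.
#    For anything beyond a lab, use a CA-issued certificate instead.
$cert = New-SelfSignedCertificate -DnsName $gatewayFqdn `
        -CertStoreLocation 'Cert:\LocalMachine\My'
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint
Restart-Service -Name TSGateway

# 5. Client side: an .rdp file that always uses the gateway and asks for a
#    password (gatewaycredentialssource 0), matching the article's dialog.
$rdp = @"
full address:s:$target
gatewayhostname:s:${gatewayFqdn}:$httpsPort
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
prompt for credentials:i:1
"@
Set-Content -Path "$env:USERPROFILE\Desktop\via-gateway.rdp" -Value $rdp

# 6. Verify the gateway listener answers before handing the file to users.
(Test-NetConnection -ComputerName $gatewayFqdn -Port $httpsPort).TcpTestSucceeded
```

If you later change the HTTPS port in Transport Settings as the article recommends, update $httpsPort and regenerate the .rdp file, since the port is embedded in the gatewayhostname line.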
