Install GoDaddy SSL certificate Remote Desktop Services

5 Replies

jrp78
Jan 20, 2020 at 22:16 UTC
Windows Server expert
69 Best Answers
219 Helpful Votes

Where did you generate the CSR? on the RDS server? If so have you completed the cert request with the new cert?

Server manager > Remote Desktop Services > Overview
In the deployment overview section, click tasks > edit deployment properties > certificates

You will need to go into IIS and add a binding for the address you want to use[rds.company.com for example] and use the cert.
You will also need to create a cname or A record in DNS for this hostname.
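The IIS part of the answer above, as an added example that is not from the thread or from Microsoft's documentation: bind the imported GoDaddy certificate to the RDWeb site for the chosen hostname, after checking that the certificate actually covers that name and that its chain (including the intermediate) validates. The hostname rds.company.com and the site name "Default Web Site" are assumptions; run it elevated on the RDS/IIS server once the certificate request has been completed.

```powershell
# Added example (not from the thread): bind an imported certificate to the RDWeb site
# in IIS for a specific hostname, with checks a practitioner would want first.
# Assumed values: hostname rds.company.com, IIS site "Default Web Site".
Import-Module WebAdministration

$HostName = 'rds.company.com'     # assumed public name clients will use for /RDWeb
$SiteName = 'Default Web Site'    # assumed IIS site that hosts RDWeb
$Domain   = ($HostName -split '\.', 2)[1]

# Pick the newest machine certificate with a private key whose SAN covers the hostname.
# DnsNameList exposes the SAN entries; a wildcard (*.company.com) covers rds.company.com.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Where-Object {
        $_.DnsNameList.Unicode -contains $HostName -or
        $_.DnsNameList.Unicode -contains "*.$Domain"
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No usable certificate for $HostName in LocalMachine\My" }

# Verify() builds the chain on this machine; it fails if the CA's intermediate
# certificate was not imported, which is the usual cause of browser chain warnings.
if (-not $cert.Verify()) {
    throw "Chain for $($cert.Thumbprint) does not validate; import the intermediate CA certificate first"
}

# Add an https binding that uses SNI (SslFlags 1) so this hostname selects this certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -HostHeader $HostName)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
}

# Attach the certificate to that SNI binding in the SslBindings store.
$bindingPath = "IIS:\SslBindings\!443!$HostName"
if (-not (Test-Path $bindingPath)) {
    New-Item -Path $bindingPath -Value $cert -SSLFlags 1 | Out-Null
}

# Show the resulting https bindings and the certificate hash each one uses.
Get-WebBinding -Name $SiteName -Protocol https |
    Format-Table protocol, bindingInformation, certificateHash -AutoSize
```

The SNI binding is the detail that matters when RDWeb shares the default site with other hostnames: without it, the first https binding's certificate is served for every name, and clients connecting to the new hostname get a name-mismatch warning.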

devinsantillanes Jan 20, 2020 at 22:26 UTC

I just generated the new CSR from the server IIS [with the correct information, CN as my wildcard domain name]. I imported the certificate into IIS, installing the intermediate certification authority certificate as well.

Right now the RDWeb is on the default site. Can I change that to use my new domain that I bought from GoDaddy?

Also, I have two companies in the same building that both have servers that have DNS servers on them for different domains. These DNS servers are not separated on the network at all currently. Would I add an A record in both of these servers for the hostname?

jrp78
Jan 20, 2020 at 23:31 UTC

devinsantillanes wrote:

I just generated the new CSR from the server IIS [with the correct information, CN as my wildcard domain name]. I imported the certificate into IIS, installing the intermediate certification authority certificate as well.

Right now the RDWeb is on the default site. Can I change that to use my new domain that I bought from GoDaddy?

Also, I have two companies in the same building that both have servers that have DNS servers on them for different domains. These DNS servers are not separated on the network at all currently. Would I add an A record in both of these servers for the hostname?

1. Yes, that is what I meant by adding the binding in IIS.
2a. If both servers have a Forward lookup zone for the new domain and the servers don't replicate between each other then yes, you'd add it on both.
2b. If you don't have a forward lookup zone for the new domain in your internal domain DNS servers then you would need to add the record wherever you host your external DNS records.
3. In both cases, you very well may get into NAT'ing a public IP to a private IP.

m@x Jan 21, 2020 at 04:15 UTC

Make sure that internal clients can locate servername.companyname.com that is pointing to your internal resource that is actually servername.company.local.

1] Identify which DNS server is being used by external clients when they connect via VPN. Let's say it's the Active Directory DNS on the DC. Then create a new Forward Lookup Zone "servername.companyname.com" [yes, include the servername in the zone name]. Then create a Host A record inside: leave the name blank, just enter the IP address of your RDS server. Run a test from a client connected over VPN to check whether it can resolve servername.companyname.com.

Then:

2] Make sure to add the certificate to all entries under your RDS deployment properties.

3] Your connection broker role might continue using its local FQDN when replying to incoming remote connections, so you'll need to change it using PowerShell:

Set-RDClientAccessName -ConnectionBroker "servername.company.local" -ClientAccessName "servername.companyname.com"

HTH.
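The three steps above, scripted with a check after each, as an added example that is not from the thread: the host-named forward lookup zone with a blank (apex) A record, the same certificate set on every RDS deployment role, and the client access name switched to the public FQDN. The names servername.company.local and servername.companyname.com are the thread's placeholders; the RDS address 10.0.0.5 and the PFX path C:\certs\wildcard.pfx are constructed. Steps 1 and 2 run where the DnsServer module is available (the AD DNS server), steps 2 and 3 where the RemoteDesktop module is (the connection broker). Drop RDGateway from the role list if no gateway is deployed, since Set-RDCertificate fails for a role that is not present.

```powershell
# Added example (not from the thread): DNS zone + RDS deployment certificate + client access name.
# Assumed: broker servername.company.local, public name servername.companyname.com,
# RDS host 10.0.0.5 (constructed), certificate exported to C:\certs\wildcard.pfx (constructed).
Import-Module DnsServer
Import-Module RemoteDesktop

$Broker     = 'servername.company.local'
$PublicName = 'servername.companyname.com'
$RdsIp      = '10.0.0.5'
$PfxPath    = 'C:\certs\wildcard.pfx'

# 1] A zone named after the host itself, so only this one name is answered internally
#    and nothing else in companyname.com is shadowed. '@' is the zone apex, i.e. the
#    "blank name" record in the DNS console.
if (-not (Get-DnsServerZone -Name $PublicName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicName -ReplicationScope Domain
}
$existing = Get-DnsServerResourceRecord -ZoneName $PublicName -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $PublicName -Name '@' -IPv4Address $RdsIp
}
# Resolution test, equivalent to the client-side check suggested above.
$answer = Resolve-DnsName -Name $PublicName -Type A -ErrorAction Stop
if ($answer.IPAddress -notcontains $RdsIp) {
    throw "$PublicName resolves to $($answer.IPAddress -join ', '), expected $RdsIp"
}

# 2] The same certificate on every role of the deployment.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDRedirector', 'RDPublishing') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $pfxPassword `
        -ConnectionBroker $Broker -Force
}
# Every role should now show the same subject and a Level of Trusted.
Get-RDCertificate -ConnectionBroker $Broker | Format-Table Role, Level, Subject, ExpiresOn -AutoSize

# 3] Make the broker hand out the public name instead of its .local FQDN,
#    so the name clients connect to matches the certificate.
Set-RDClientAccessName -ConnectionBroker $Broker -ClientAccessName $PublicName
Get-RDClientAccessName -ConnectionBroker $Broker
```

The point of the final check is that a certificate error after an otherwise correct install is usually a name problem rather than a certificate problem: the broker redirects clients to a name that the certificate does not cover. Get-RDClientAccessName shows what the broker is actually handing out.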

m@x Jan 22, 2020 at 03:56 UTC

devinsantillanes wrote:

EDIT:

Is it considered unsafe to direct a domain from godaddy to hit the external IP address of my network to access RDWeb resources?

No, it is not unsafe. But this is different from what you wanted to accomplish in the first place. Your clients were connecting to RDS internally, while on VPN, no?

To configure external access to RemoteApps etc without VPN, you need to change your deployment strategy. RD Gateway server must be used to secure and monitor incoming connections. It will be listening on 443 and relaying to Connection Broker over 3389.

You either configure forwarding on the firewall WANIP:pickaport ---> Gatewayserver:443, or, to increase security even more, you set up a Reverse Proxy [aka Web Server Protection feature]. In both cases you will need to place your cert onto the firewall in addition to the RDS server.
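Once the gateway is published through the firewall, the checks below are what a practitioner would run from a machine outside the network to confirm the exposure is what the post describes: the gateway answers on the forwarded port with the expected certificate, and 3389 is not reachable directly from the internet. This is an added example, not from the thread; the public name gw.companyname.com, the forwarded port 443 and the thumbprint placeholder are assumptions (take the real thumbprint from Get-RDCertificate -Role RDGateway on the broker).

```powershell
# Added example (not from the thread): external verification of a published RD Gateway.
# Assumed: public name gw.companyname.com (constructed), forwarded port 443,
# expected thumbprint copied from Get-RDCertificate on the broker (placeholder below).
$PublicName         = 'gw.companyname.com'
$PublicPort         = 443
$ExpectedThumbprint = 'PLACEHOLDER-THUMBPRINT-FROM-GET-RDCERTIFICATE'

function Get-PresentedCertificate {
    # Opens a TLS session and returns the certificate the endpoint presents.
    # The validation callback always returns $true so the certificate can be
    # inspected and reported even when it would fail validation.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$cert   = Get-PresentedCertificate -HostName $PublicName -Port $PublicPort
$domain = ($PublicName -split '\.', 2)[1]

# The firewall/reverse proxy must present the same certificate as the gateway behind it.
if ($cert.Thumbprint -ne $ExpectedThumbprint) {
    Write-Warning "Endpoint presents $($cert.Thumbprint), expected $ExpectedThumbprint (firewall cert not updated?)"
}
# Chain validation from the client side catches a missing intermediate on the firewall.
if (-not $cert.Verify()) {
    Write-Warning "Presented chain does not validate from this client; check the intermediate CA on the firewall"
}
# Name match: the SAN must cover the public name (directly or via a wildcard).
if ($cert.DnsNameList.Unicode -notcontains $PublicName -and
    $cert.DnsNameList.Unicode -notcontains "*.$domain") {
    Write-Warning "Certificate does not cover $PublicName; clients will get a name mismatch"
}

# Only the gateway port should answer from outside; 3389 must stay behind the gateway.
$gw = Test-NetConnection -ComputerName $PublicName -Port $PublicPort -WarningAction SilentlyContinue
if (-not $gw.TcpTestSucceeded) { Write-Warning "Gateway port $PublicPort not reachable; check the forwarding rule" }
$rdp = Test-NetConnection -ComputerName $PublicName -Port 3389 -WarningAction SilentlyContinue
if ($rdp.TcpTestSucceeded) { Write-Warning "3389 is reachable directly from outside; it should only be reached via the gateway" }

"Gateway $PublicName`:$PublicPort presents $($cert.Subject), expires $($cert.NotAfter)"
```

Run it again after each certificate renewal: the gateway, the broker roles and the firewall's copy of the certificate are updated separately, and the thumbprint comparison is the quickest way to spot the one that was missed.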
