RD Gateway Server not bypassing local addresses

Ramachandran Krishnamoorthy 26 Reputation points
2020-10-07T20:15:38.737+00:00

Team, We have configured a pretty simple environment with the servers below. It was working fine: the deployed remote app would work internally without any issues. But now it is prompting a certificate error as below:
[screenshot: certificate error prompt]

Server 1: Remote Desktop Broker Server
Server 2: Remote Desktop Web Access
Server 3: Remote Desktop License Server
Server 4: Remote Desktop Gateway Server
Server 5: Remote Desktop Session Host 1, 2, 3 and 4

  1. Deployed the app via the RDSH servers; for some PCs there are no issues and the error does not appear
  2. For a few users this issue started occurring recently
  3. Installed a GoDaddy certificate on the Gateway Server
  4. Not sure what happened, and suddenly even local addresses are not being bypassed, I guess.

Please help.

Thanks, Ram


5 answers

  1. Jenny Yan-MSFT 9,376 Reputation points
    2020-10-08T08:13:24.357+00:00

    Hi,
    1. When the error message prompts, please choose View Certificate and verify that the details and thumbprint match what is configured in RD Gateway Manager on the RD Gateway server.

    2. Check one of the problematic client PCs and navigate to Trusted Root Certification Authorities. If there is no certificate used for RDG, kindly export it from RDG and import it there as a test.

    3. On your RDWeb server, open IIS Manager. In the left pane, navigate to and select Default Web Site\RDWeb\Pages. In the middle pane, double-click Application Settings. Modify DefaultTSGateway and set it to the correct FQDN for your existing RD Gateway server.

    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny


  2. Ramachandran Krishnamoorthy 26 Reputation points
    2020-10-08T08:59:25.54+00:00

    Team,
    Here is the detailed information.

    1. We have a GoDaddy certificate imported on our Gateway server
      a. Certificate name: rds.mydomain.com
      b. Gateway Server Hostname: rdsh1.my-domain.com
    2. I am able to access my remote app icon via the DFS path \\my-domain.com\SYSVOL\my-domain.com\Apps inside DC2
    3. I am connected to the corporate VPN and the logon server is DC2, and I cannot access the remote app icon shortcut. Also, I am not able to access the remote app icon from the location \\my-domain.com\SYSVOL\my-domain.com\Apps
    4. While I am on VPN and accessing the remote app, it is not bypassing as a local address; instead it is trying to reach the app via the gateway server rdsh1.my-domain.com using the certificate rds.mydomain.com, the certificate subject name mismatches, and the error occurs

    Now, I need to see why this remote app icon is trying to launch via the external certificate even though I am on my corporate VPN.
    Please note that this issue is not happening for all users. Sometimes it also happens inside my broker server. It was working fine without any issues, and this issue started about 10 days ago, when we had a power outage and all VMs got turned off; our old rdsh server was not turning on, so we cloned from a backup and built a new rdsh1 server.
    Any suggestions will be highly appreciated.


  3. Ramachandran Krishnamoorthy 26 Reputation points
    2020-10-08T09:10:23.077+00:00

    Hi @Jenny Yan-MSFT ,

    I have added my server hostname to the DefaultTSGateway field and restarted IIS. This certificate issue still occurs.

    As we are accessing the remote app icon from a domain-joined PC via VPN, do we really need to add the certificate to Trusted Root Certification Authorities?

    Because I cross-checked with another PC, which is a domain-joined member PC and not on a VPN connection, and there the remote app icon works fine with no certificate in Trusted Root Certification Authorities.

    Thanks,
    Ram


  4. Jenny Yan-MSFT 9,376 Reputation points
    2020-10-09T08:47:22.947+00:00

    Hi Ram, Thanks for your update.

    1. How did you configure the bypass of local addresses via the Gateway?
    2. Another PC, which is a domain-joined member PC and not on a VPN connection, runs the remote app icon fine with no certificate in Trusted Root Certification Authorities. Kindly confirm whether that PC is in the same network as the RD Gateway server. Meanwhile, please also check the monitoring status in RD Gateway Manager to verify whether the connection went through the Gateway or not.
    3. For the working remote app connection, is there any chance to view the certificate details? Is it the same one as on the RD Gateway?
    4. What kind of certificate have you bought from GoDaddy? The certificate should have the FQDN of the RD Gateway as instructed in the article below. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn781533(v=ws.11)

    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks, Jenny


  5. Ramachandran Krishnamoorthy 26 Reputation points
    2020-10-09T14:21:29.5+00:00

    Hi @Jenny Yan-MSFT ,

    Thank you for your reply. I was able to resolve this issue and I noticed something different this time.

    1. After connecting to the Cisco AnyConnect VPN, my Cisco network adapter should actually show as MYDOMAIN.COM. But it was showing as an unidentified network.
    2. While checking Event Viewer on the PC, I saw that my PC was trying to register DNS via my ISP DNS address, which is a public address, and it failed. So my remote app was trying to establish a connection thinking it was on an outside network.
    3. I was able to resolve the DNS issues on the PC: I registered my PC's DNS using the corporate DNS on my Wi-Fi adapter first, then changed it back to automatic.
    4. Then I saw MYDOMAIN.COM on the Cisco AnyConnect network adapter and I was able to reach the remote app successfully.
    5. This time it is not looking for a remote app connection externally and connects via an internal connection, as we have resolved the DNS registration.

    Thanks for your support.

    Best regards,
    Ram
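The checks Jenny suggested (thumbprint and name of the gateway certificate) and the root cause Ram found (VPN adapter not identified as the domain network, DNS registration going to a public resolver) can be verified from the client in one pass. The PowerShell below is an added diagnostic, not code from this thread; the gateway FQDN `rds.example.com` and the adapter alias pattern `Cisco AnyConnect*` are placeholders to replace with your own values.

```powershell
# Added client-side diagnostic; not code from the thread. $GatewayFqdn and $VpnAdapter are
# placeholders the reader replaces with their own gateway FQDN and VPN adapter alias.
param(
    [string]$GatewayFqdn = 'rds.example.com',
    [string]$VpnAdapter  = 'Cisco AnyConnect*'
)

# 1. Network identification: Ram's fix depended on the VPN adapter showing the domain name
#    rather than "Unidentified network", i.e. NetworkCategory = DomainAuthenticated.
$vpnProfile = Get-NetConnectionProfile | Where-Object InterfaceAlias -like $VpnAdapter
if (-not $vpnProfile) {
    Write-Warning "No connection profile matches '$VpnAdapter'. Is the VPN up?"
} elseif ($vpnProfile.NetworkCategory -ne 'DomainAuthenticated') {
    Write-Warning "VPN adapter '$($vpnProfile.InterfaceAlias)' is '$($vpnProfile.Name)' ($($vpnProfile.NetworkCategory)), not DomainAuthenticated."
}

# 2. DNS servers per adapter: a public ISP resolver on the adapter Windows registers through
#    reproduces the failed DNS registration event Ram saw in Event Viewer.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, @{ n = 'DnsServers'; e = { $_.ServerAddresses -join ', ' } } |
    Format-Table -AutoSize

# 3. Can the client resolve the gateway and locate a domain controller via the DC SRV record?
foreach ($name in @($GatewayFqdn, "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN")) {
    try {
        $rec = Resolve-DnsName -Name $name -ErrorAction Stop | Select-Object -First 1
        "OK    $name ($($rec.Type))"
    } catch {
        Write-Warning "FAIL  $name : $($_.Exception.Message)"
    }
}

# 4. Read the certificate the gateway presents on TCP/443 and compare its names with the FQDN
#    the client uses; a subject/SAN mismatch is the prompt shown in the question. The callback
#    accepts any certificate because we only inspect it here, we do not trust it.
$tcp = [System.Net.Sockets.TcpClient]::new($GatewayFqdn, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
        ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
$ssl.AuthenticateAsClient($GatewayFqdn)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)  # SAN
"Gateway cert: subject=$($cert.Subject); SAN=$san; thumbprint=$($cert.Thumbprint)"
$pattern = [regex]::Escape($GatewayFqdn)
if ($cert.Subject -notmatch $pattern -and $san -notmatch $pattern) {
    Write-Warning "Certificate does not name $GatewayFqdn; compare the thumbprint with RD Gateway Manager."
}
$ssl.Dispose(); $tcp.Dispose()

# 5. Re-register the client's DNS records now that corporate resolvers are in use.
Register-DnsClient
```

Run it on an affected client while the VPN is up; the thumbprint printed in step 4 is what to compare against the certificate selected in RD Gateway Manager on the gateway server.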
