Can't join Gateway Servers to RD Web Farm

Alex Burling 5 Reputation points
2023-09-26T21:26:39.62+00:00

I have two RD Gateway servers, and I am trying to follow the guide posted here:

https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-rdweb-gateway-ha

However, when I try to add them to the farm in the gateway, it says 'Unreachable'.
I don't think this should be the case though, as there are no blocked ports between the two servers, and both are domain-joined.

I can see a 629 event in event viewer saying that:
The RD Gateway servers "EC2AMAZ-96JEUUN;EC2AMAZ-96JEUUN.internal.myobpayglobal.com" were set to the RD Gateway managed group. No user action is required

Would appreciate any help on this one
Thanks,
Alex


2 answers

  1. Limitless Technology 44,316 Reputation points
    2023-09-27T08:43:08.62+00:00

    Hello,

    Initially the Unreachable error may indicate a network issue, but it can also be related to AD trust relationships or certificates. A failure on those could stop the connection before it even reaches the server. You can check those with the next steps:

    1. Test the connection first, using PowerShell, as it may give you more details. From the client, run:

    Test-Connection -ComputerName ServerName

    (Replace "ServerName" with the name or IP address of the other RD Gateway server.)

    2. Check your firewall setting is enabled:

    Check with: Get-NetFirewallRule -Name RemoteDesktop-UserMode-In-TCP | Format-Table Name,Enabled

    If it is not enabled, enable it using: Enable-NetFirewallRule -Name RemoteDesktop-UserMode-In-TCP

    3. Check the RD certificate on the Gateway servers:

    To check the SSL certificate on an RD Gateway server, you can use the following PowerShell command:

    Get-ChildItem -Path Cert:\LocalMachine\My

    (This command lists the certificates in the "Personal" certificate store. Look for the certificate that is bound to the RD Gateway service.)

    You can also check the certificate thumbprint, issuer, and other details by running (the wildcards are needed, since -like without them is an exact match):

    (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*RD Gateway*" }).Thumbprint

    4. To ensure that both RD Gateway servers trust the same root certificate authority (CA), you can check the list of trusted root CAs on each server. Here's how you can do it:

    List trusted root CAs on the local machine

    Get-ChildItem -Path Cert:\LocalMachine\Root

    Export the list of trusted root CAs to a file for comparison

    Get-ChildItem -Path Cert:\LocalMachine\Root | Export-Csv -Path "C:\TrustedRootCAs.csv" -NoTypeInformation

    --If the reply is helpful, please Upvote and Accept as answer--
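The four checks in the answer above, collected into one diagnostic script. This is an added example, not code from the answer or from Microsoft; it assumes it is run elevated on one RD Gateway server, that $PeerGateway is the other gateway's FQDN, that WinRM is enabled on the peer for the root-CA comparison, and that TCP 135 (RPC endpoint mapper) and TCP 3388 are the fixed ports worth probing in addition to dynamic RPC. The firewall rule wildcard and the Server Authentication filter on certificates are also assumptions, since the exact rule names depend on the installed role.

```powershell
# Added example (not from the thread). Assumptions: elevated session on one RD Gateway server,
# $PeerGateway is the other gateway's FQDN, WinRM is reachable on the peer, and 135/3388 are the
# fixed TCP ports to probe (assumed; dynamic RPC ports cannot be probed this way).
param(
    [Parameter(Mandatory = $true)]
    [string]$PeerGateway
)

Write-Host "== 1. Reachability to $PeerGateway =="
$icmp = Test-Connection -ComputerName $PeerGateway -Count 2 -Quiet
Write-Host ("ICMP echo : {0}" -f $(if ($icmp) { 'reply' } else { 'no reply (ICMP may simply be filtered)' }))
foreach ($port in 135, 3388) {
    $tcp = Test-NetConnection -ComputerName $PeerGateway -Port $port -WarningAction SilentlyContinue
    Write-Host ("TCP {0,-5} : {1}" -f $port, $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'BLOCKED or closed' }))
}

Write-Host "`n== 2. Local firewall state =="
# The active profile decides which rule set is evaluated; a domain-joined gateway should show DomainAuthenticated.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory | Format-Table -AutoSize
# Display-name wildcard is an assumption; inspect the inbound rules the role installed and whether they are enabled.
Get-NetFirewallRule -DisplayName '*Gateway*' -Direction Inbound -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Profile, Action | Format-Table -AutoSize

Write-Host "== 3. Server-authentication certificates in LocalMachine\My =="
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    ForEach-Object {
        # Test-Certificate builds the chain under the SSL policy; $false here points at a trust problem.
        $chainOk = Test-Certificate -Cert $_ -Policy SSL -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            ChainOk    = [bool]$chainOk
        }
    } | Format-Table -AutoSize

Write-Host "== 4. Trusted root CAs present on one server but not the other =="
$localRoots = Get-ChildItem -Path Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
$peerRoots  = Invoke-Command -ComputerName $PeerGateway -ScriptBlock {
    Get-ChildItem -Path Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
}
$diff = Compare-Object -ReferenceObject $localRoots -DifferenceObject $peerRoots
if ($diff) {
    # '<=' means the root is only on this server, '=>' only on the peer.
    $diff | Format-Table InputObject, SideIndicator -AutoSize
} else {
    Write-Host 'Both servers trust the same set of root CAs.'
}
```

Comparing thumbprints over WinRM replaces the CSV export in step 4, so the two lists are compared in one place rather than by eye; if WinRM is not available, the CSV export from the answer and Compare-Object over the two files gives the same result.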


  2. Alex Burling 5 Reputation points
    2023-09-29T09:27:01.9833333+00:00

    Hey,
    To follow up, we have found the source of our issue.

    It seems that the 3388 port needs to be allowed to the Gateway (we previously had this open but have narrowed down the specific port for others looking at this issue).

    Additionally, it seems that the Domain firewall in Windows Defender was blocking communications between the two gateway servers.

    This can be resolved by disabling the Domain firewall (Private and Public seem to have no effect). Alternatively, we have added an Inbound TCP rule to the Domain to allow the RPC protocol for ports 49150-65535, and now the two gateways are communicating.

    Thanks all for your help

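The fix the poster describes, written as firewall rules that stay scoped instead of disabling the Domain profile. This is an added example, not the poster's script; it assumes it is run elevated on each RD Gateway server, that $PeerGatewayIP is the other gateway's address, and that TCP 135 (RPC endpoint mapper) is needed alongside 3388 and the dynamic RPC range. The default range used here is the Windows default 49152-65535 (the poster's 49150-65535 covers it), and the rule names are invented for this script.

```powershell
# Added example (not from the thread). Assumptions: elevated session on each RD Gateway server,
# $PeerGatewayIP is the other gateway's IPv4 address, 135 is assumed to be required for RPC endpoint
# mapping, and 49152-65535 is the Windows default dynamic RPC range. Rule names are invented here.
param(
    [Parameter(Mandatory = $true)]
    [string]$PeerGatewayIP,
    [string]$RpcDynamicRange = '49152-65535'
)

# Confirm the host's actual dynamic range before trusting the default above.
netsh int ipv4 show dynamicport tcp

$rules = @(
    @{ Name = 'RDG-Farm-3388-In';    Port = 3388;             Display = 'RD Gateway farm: TCP 3388 from peer (In)' },
    @{ Name = 'RDG-Farm-RPC-EPM-In'; Port = 135;              Display = 'RD Gateway farm: RPC endpoint mapper from peer (In)' },
    @{ Name = 'RDG-Farm-RPC-Dyn-In'; Port = $RpcDynamicRange; Display = 'RD Gateway farm: RPC dynamic ports from peer (In)' }
)

foreach ($r in $rules) {
    # Re-create rather than duplicate, so the script is safe to re-run.
    if (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -Name $r.Name
    }
    # -Profile Domain plus -RemoteAddress limits the opening to the one peer gateway,
    # which is the narrower alternative to turning the Domain profile off.
    New-NetFirewallRule -Name $r.Name -DisplayName $r.Display `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $r.Port `
        -RemoteAddress $PeerGatewayIP -Profile Domain -Enabled True | Out-Null
}

# Verify each rule together with its port and remote-address filters.
Get-NetFirewallRule -Name 'RDG-Farm-*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name    = $_.Name
        Enabled = $_.Enabled
        Profile = $_.Profile
        Port    = $port.LocalPort
        From    = $addr.RemoteAddress
    }
} | Format-Table -AutoSize

# From the other gateway, confirm the farm port now answers:
#   Test-NetConnection -ComputerName <this gateway> -Port 3388
```

Run it once on each gateway with the other gateway's address, then repeat the farm join in the RD Gateway Manager; the verification table should show all three rules enabled on the Domain profile with the peer as the only permitted remote address.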
