I need to publish an RDWEB application from an Internal Server using RDGateway.

BH 1 Reputation point
2021-04-09T22:41:06.427+00:00

Here are the details:

  1. I have an internal Terminal Server on a Domain Private VLAN running Windows 2016.
  2. It only has inbound public access on TCP Port 443 and UDP Port 3391 with DUO MFA through a Load-Balancing Proxy, which offloads SSL and then re-encrypts the 443 traffic for the RDG.
  3. It is NOT on a DMZ, and is NOT using Citrix.
  4. I need to use the same server for both RDG and RDWEB.
  5. Internal domain RDG server is (fake name and domain): "RDServer1.xyzdomain.local"
  6. External domain is (fake name and domain): "xyzdomain.com"
  7. I have published the RDWEB Portal at: "https://appname.xyzdomain.com/RDWEB";
  8. I have published the RD Gateway at: "https://apps.xyzdomain.com";
  9. I have installed a wildcard cert (*.xyzdomain.com) on both the RDG and RDWEB instances.
  10. When I connect to the RDWEB Portal from outside the domain, it connects fine (no cert errors) and shows the published apps.
  11. When I click on a published app, it downloads a .RDP file that is set to connect on Port 3389, and points to my internal private domain server (RDServer1.xyzdomain.local), which cannot work, because:
     a. My certificate does not cover my internal domain, and
     b. Port 3389 is not open from the outside.
  12. I've tried editing the .RDP file, but still get errors such as: "RD Gateway not available", etc.

HOW DO I MAKE THIS WORK???

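As an added example (not from the thread, from Microsoft, or from the poster's deployment), here is a Python check for the downloaded .RDP file described in items 11 and 12: it parses the file's `key:type:value` lines, reports whether an RD Gateway is actually configured and whether its hostname falls under the public wildcard certificate, and flags hand edits to a signed RemoteApp file. The sample file contents, `check_rdp` and the wildcard matcher are constructed for illustration and reuse the thread's placeholder names.

```python
GATEWAY_METHODS = {0: "do not use an RD Gateway", 1: "always use the RD Gateway",
                   2: "use the RD Gateway unless the address is local",
                   3: "use default RD Gateway settings",
                   4: "do not use an RD Gateway, bypass for local addresses"}

# Constructed samples using the thread's placeholder names (not files from the deployment).
BROKEN_RDP = "full address:s:RDServer1.xyzdomain.local\nserver port:i:3389\n"
FIXED_RDP = BROKEN_RDP + "gatewayhostname:s:apps.xyzdomain.com\ngatewayusagemethod:i:1\n"

def parse_rdp(text):
    """Parse 'key:type:value' lines; keys are case-insensitive, types are s/i/b."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].lower()] = parts[2]
    return settings

def covered_by_cert(host, cert_name):
    """X.509 wildcard semantics: '*.' matches exactly one label, otherwise exact match."""
    host, cert_name = host.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        return host.count(".") == cert_name.count(".") and host.endswith(cert_name[1:])
    return host == cert_name

def check_rdp(text, public_cert_name):
    """Report WARN/INFO findings about how the client will reach the published app."""
    s = parse_rdp(text)
    target, port = s.get("full address", "?"), s.get("server port", "3389")
    gateway = s.get("gatewayhostname", "")
    method = int(s.get("gatewayusagemethod") or 3)  # 3 = client default when absent
    findings = []
    if not gateway or method in (0, 4):
        findings.append(f"WARN: no gateway in use (gatewayhostname='{gateway}', method {method}: "
                        f"{GATEWAY_METHODS.get(method, 'unknown')}); client dials {target}:{port} directly")
    else:
        if not covered_by_cert(gateway, public_cert_name):
            findings.append(f"WARN: gateway '{gateway}' is not covered by '{public_cert_name}'")
        findings.append(f"INFO: {target}:{port} is carried inside the tunnel to {gateway} (TCP 443/UDP 3391)")
    signed = {f.strip().lower() for f in s.get("signscope", "").split(",")}
    if "signature" in s and signed & {"full address", "gatewayhostname"}:
        findings.append("WARN: signed file; hand-editing Full Address/GatewayHostname "
                        "invalidates the publisher signature, republish from the deployment instead")
    return findings
```

Run `check_rdp(open("app.rdp").read(), "*.xyzdomain.com")` against a file downloaded from the RDWEB portal to see which of the three conditions applies.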

7 answers

  1. Leila Kong 3,706 Reputation points
    2021-04-12T07:00:20.977+00:00

    Hello @BH ,

    The following link for your reference:
    https://social.technet.microsoft.com/Forums/en-US/20dab778-99fc-4f17-ac78-89ae05173084/remoteapp-access-through-rd-gateway?forum=winserverTS

    Best regards,
    Leila



  2. Leila Kong 3,706 Reputation points
    2021-04-12T09:43:17.783+00:00

    Hello @BH ,

    Could you please contact the public CA vendor to check whether they can add the internal domain name (*.xyzdomain.local or RDServer1.xyzdomain.local) as an Alternative Name on the existing third-party wildcard cert?
    If they can't do that, I think we can install an internal CA server and publish a certificate for the RDCB server with common name *.xyzdomain.local.


    In general, TCP 3389 is the default port for the RDCB server to communicate with the RDSH server.
    client--RDgateway(TCP443 and UDP 3391)-->RDCB(3389)-->RDSH(3389)
    https://social.technet.microsoft.com/wiki/contents/articles/16164.rds-2012-which-ports-are-used-during-deployment.aspx

    If your company doesn't allow TCP port 3389, we can refer to the document below for testing.
    RDS Deployment Port Change
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/1df4869e-1858-4598-b7fb-121e8d5e2d06/rds-deployment-port-change?forum=winserverTS


  3. BH 1 Reputation point
    2021-04-12T19:27:37.907+00:00

    Thank you for the answers. I will attempt to apply them and report back within the next day or two.


  4. BH 1 Reputation point
    2021-04-13T21:33:27.56+00:00

    The certificate cannot have an additional subject name added, since it is a public wildcard certificate.
    It only covers the public domain, not the internal domain.


  5. BH 1 Reputation point
    2021-04-13T21:36:16.513+00:00

    Also, I cannot put this server in a DMZ, as the published application has direct access to an internal database. Therefore, the server is on an internal LAN, within its own VLAN.
