RDS 2019 Gateway - Problem adding certificate - says network problem

Question

Hi everyone,

i am deploying a brand new RDS19 farm at the moment.
But the RDS Gateway does not take my certificate.

Setup
Broker to complete configuration - Account is admin on both servers.
Getting error after some time:

But:
System Log on Gateway says - "SSL Certificate Settings created by an admin process for endpoint : 0.0.0.0:443 ."
And the certificate is there!
The certificate is signed by internal PKI. With Servername in CN, and DNS FQDN + external DNS in SubjectAlternateNames.
Firewall says "no drops" - corp and Windows.

I have the same setup with 2012 R2 - and it is working there.

Any hints where to search next?

BR
Stephan

Answer 1

Ok last word from me.

Consider the following when trying this solution:
Using a "Webapplication Firewall" can cause problems ;) use NAT instead
If you install the NPS MFA Extension - it will trigger on every authentication at this Server - install an extra one -> Uservoice for better scoping: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/36157615-control-what-nps-policies-are-forced-for-secondary
Register every NPS server always - If it is an NPS server on Win2019 - you need to add the firewall rules manually.

Working now - i am happy. Now i need to migrate my existing session hosts to this Broker and inplace update them

Answer 2

The time i wrote it - it finished.
It seems that the Gateway needs to connect to a writeable DC during this phase. I only had a read only accessible in the DMZ.
Allowed the traffic temporary - and done.

Answer 3

Well not there yet.

After this i get the error

Which is normally a cert issue (like it seems).
So my question - i have an external and internal DNS.
I have an official wildcard for the external - and from my PKI the certificates for the internal.

In my previous deployment i had to replace the internal also with an official wildcard certificate. With my new setup i do not want it anymore as this costs money ;)

Why does the Gateway seems to need an official certificate? It is already trusted by the server.

Answer 4

HI

1.How many RDgateway servers in the same environment?

2.What's your RDS architecture?

3.Are you using wildcard certificate issued by internal CA?

4."So my question - i have an external and internal DNS."
Do you mean you have external name and internal name for RDgateway server？
for example；
internal domain name:RDgateway.mydomain.local
external domain name:rdgateway.mydomain.com

5."I have an official wildcard for the external - and from my PKI the certificates for the internal."
Are both internal CA issue certificate and public CA issue certificate wildcard certificate?

6."Why does the Gateway seems to need an official certificate? It is already trusted by the server."
In general, RD gateway server is an entrance for external users, external computer needs external trust public CA issued certificate. Like below document mentioned.

"If you are going to let users to connect externally, and they are not part of your AD domain, you need to deploy certificates from a public CA, such as GoDaddy, Verisign, Entrust, Thawte, or DigiCert."

Using certificates in Remote Desktop Services
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn781533(v=ws.11)

What’s the Difference Between a Public and Private Trust Certificate?
https://www.entrust.com/blog/2019/03/difference-between-a-public-and-private-trust-certificate/
Please Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice.

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.