1

We are planning on a deployment of Remote Desktop Sservices (Windows Server 2012 R2) with 2 RD Web Access Servers. In the past I have requested a single cert using an external CA (via an IIS 7 cert request), installed it, and then exported it into the *.pfx format to use. That was straightforward.

Our production deployment will have 2 RD Web Access servers behind a Cisco ACE for failover and load balancing. My question is, how do I go about requesting the certificate now? Other than using a wildcard or SAN cert (to include the "friendly" name we are using) I am not sure how to start this process.

Do I request a cert from one of the RD Web Access servers, export, and use it for both of them? Or do I request one from each with the SAN/wildcard as part of the request? Or, am I completely off track here? I am only familiar with basic HTTPS web cert requests so this is all a mystery to me.

The help from MS I have gotten via docs and forum seems to assume we are using an internal AD CA or a Gateway, neither of which we are using (We are requiring VPN for off site access for now).

Bryan Powell
  • 93
  • 1
  • 9

1 Answers1

1

Do you actually need your two RD Web Access servers to use different domain names? Seeing as this is a load balance / fail-over scenario, then normally you would install the same certificate on both servers. Using a wildcard / SAN certificate is only necessary if you intend on accessing one or both of the servers using different names.

Simply create the certificate request as you normally would, and install the certificate on both servers - just ensure that the cert is licensed for use on 2 servers when you purchase it.

If for whatever reason you really do need different domain names, then you will create a single certificate request using your preferred method. (e.g. openssl, certreq, iss, etc). If you decide to run with a wildcard certificate, then you simply specify your domain as *.your.domain and purchase it from the external CA using their wildcard purchasing plan. Or if you decide to run with a SAN then you will need to specify the SAN in the certificate request.

http://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx

Another option would be to install a single certificate on the Cisco ACE in order to perform SSL termination on that device instead of the RD Web Servers. In fact, this is usually the preferred method when performing load balancing as it keeps things simple, and allows the ACE to perform application layer balancing.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml

blacklight
  • 1,389
  • 1
  • 10
  • 19
  • This looks like just the guidance I needed. Thanks, and any other comments from anyone are appreciated! – Bryan Powell Feb 03 '14 at 14:38
  • I guess I do have one follow up Q: If we elect to deploy a gateway later (which is definitely a possibility), will that affect this at all? – Bryan Powell Feb 03 '14 at 14:41
  • @BryanPowell Only if you intended to access it via a different name - otherwise you can use the same certificate. If you choose the install the cert on the load balancer, then that's even better as you'll still only need the one cert, as SSL would be terminating on that device. This would also allow the balancer to split traffic between the three servers using different URL's (while still using the same cert for all SSL/TLS requests). As you can see, this is why it's the preferred method, it's quite scale-able and makes managing your certificates trivial. – blacklight Feb 03 '14 at 22:14