
External clients can't access my RDS farm - here's what I've set up:

(all servers are Win 2012 R2 and clients are Win 8.1)

Server: PDC1
ip: 10.0.0.2
roles: file, print, sql 2012, dhcp, dns, RD License Server, RD Gateway, RD Web Access

Server: SVRDS1
ip: 10.0.0.3
roles: RD Session Host, RD Connection Broker (HA)

Server: SVRDS2
ip: 10.0.0.4
roles: RD Session Host, RD Connection Broker (HA)

Server: SVRDS3
ip: 10.0.0.5
roles: RD Session Host, RD Connection Broker (HA)

RD load balancing on all three servers.

I've set up DNS round robin (rd.mycompany.local) for SVRDS1-3, and if I try to connect to rd.mycompany.local internally it works: I'm directed to any of the host servers.

In my firewall, I've set port 3389 to point to SVRDS1. If I only have SVRDS1 in my host collection, everything is fine, but if I add SVRDS2 and 3 to the host collection, trying to connect externally fails.

My own thoughts...

  • Client tries to connect and hits SVRDS1, but due to load balancing, RD wants to transfer it to SVRDS2, which is not available from outside the network?

  • I need to use RD Gateway, but how? I don't have a DMZ and I'm not supposed to port forward 443 from PDC1?

  • I should find another job, because I'm a noob at this ;)

Hope you can guide me in a direction - thanks!!!

MojoDK

2 Answers


Using the Gateway is easy and will be very beneficial to you. What you need to do is:

  1. Get a third-party certificate from your CA of choice for something like rdgateway.company.com.
  2. You've already set up the Gateway role on PDC1, so just configure it to use 3389 and 443 (or, if you need another port instead of 443, use Eric's link in his answer to change it). Make sure you set up CAP and RAP groups (Computer Access Policy and Remote Access Policy groups) for the people who will be accessing this from outside.
  3. Set a DNS entry with your public DNS provider (e.g. GoDaddy, Network Solutions) for rdgateway.company.com that points to one of your public IPs.
  4. Port forward the correct ports on your router/firewall from the public IP mentioned in the step above to the Gateway server's local IP.
  5. To connect correctly through the Gateway you will need to (do this on a single computer first as a test) open Remote Desktop Connection > Show Options > Advanced > Settings and set the RD Gateway server name and logon method. Save all this and go back to the main Remote Desktop Connection screen.
  6. At this screen, put the name of your farm as the server to connect to. So the Gateway is already set in the advanced settings, and for the computer to connect to, put the FQDN; example: rd.mycompany.local

There are a few more minor adjustments, but I'll let you decipher if you need them by reading this resource.

Also, I'd recommend not having all those roles you mentioned on your first server if it is in fact a domain controller. It's always safer to leave only AD roles on domain controllers, but if you can't change that, then obviously this is just 20/20 hindsight. Just my recommendation, but one I'd make strongly.

Brad Bouchard
  • First of all ... HUGE THANKS for helping me out here!!! I've been working on this for like 4 days (and nights) and not being able to figure it out. I think I now have the Gateway set up properly, so I have a single question ... in your bullet 6, you say that the address should be that of my farm (e.g. rd.mycompany.com) ... but ... I can set up with my provider that rd.mycompany.com points to a single IP on my firewall, which again points to a single local IP. Should that local IP be the IP of one of my RDS hosts? Or should I make an NLB with all the hosts and point the firewall to this? – MojoDK Apr 25 '14 at 10:21
  • No problem. To answer your question, you'd want to do the NLB option so that when people came in from the outside it sends them to the farm rather than to a single host. – Brad Bouchard Apr 25 '14 at 11:23
  • I do, however, want you to keep in mind that the more traditional use of the Gateway would be for people on the outside of your network, meaning off of your LAN, who want to access a resource on your network. We typically used it for someone who would want to Remote Desktop to their workstation on the network when they were traveling with a generic laptop. They would use the method described in point 6 and then they had access to their desktop. You can also access the farm if you do it right. Just FYI so you weren't misled. – Brad Bouchard Apr 25 '14 at 11:35
  • @MojoDK just a reminder to mark this as the answer if it did in fact answer your question as I suspect. – Brad Bouchard May 06 '14 at 19:58

As you suspect, you're probably being redirected to a different RDSH host. Since your other hosts are not accessible from the outside, it bombs.

The right way to do it is to use the gateway. Setting up 443 shouldn't be that hard, but if you have other things using that port, no big deal. Follow this link to change the default port: http://social.technet.microsoft.com/wiki/contents/articles/10972.changing-the-default-port-of-rd-gateway-in-windows-server-2012.aspx

Second option, use a VPN.

Eric C. Singer
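Both answers come down to the same thing: put RD Gateway in front of the farm instead of forwarding 3389 to one host. The reason the gateway fixes the redirect problem is that the client talks to the gateway over HTTPS, asks for rd.mycompany.local, gets redirected by the Connection Broker to a specific SVRDSx host, and then reconnects to that host through the same gateway. None of the hosts needs to be reachable from the internet; they only need to be permitted by the gateway's Resource Authorization Policy, which must therefore cover the farm name as well as the individual hosts. The following PowerShell, run on the server holding the RD Gateway role (PDC1 in this deployment), is an added example that scripts Brad's six steps and the firewall side of Eric's answer; it is not code from either answer. The AD group names, the public hostname rdgateway.company.com, port 443 and the provider paths under the RDS: drive are assumptions for a 2012 R2 RD Gateway; check them with Get-ChildItem RDS:\GatewayServer before running, since the script removes existing CAP and RAP entries before creating its own.

```powershell
# Added example: RD Gateway in front of an RDS farm, Windows Server 2012 R2.
# Not the original poster's or answerers' code. Names below are assumptions.
#Requires -RunAsAdministrator
Import-Module RemoteDesktopServices          # exposes the RDS: PSDrive

$PublicName = 'rdgateway.company.com'         # assumed public DNS name (Brad, step 3)
$FarmName   = 'rd.mycompany.local'            # round-robin farm name from the question
$UserGroup  = 'MYCOMPANY\RDG-ExternalUsers'   # assumed AD group allowed to come in via the gateway
$Hosts      = 'SVRDS1','SVRDS2','SVRDS3' | ForEach-Object { "$_.mycompany.local" }

# Step 1: bind the third-party certificate. It must already be imported into the
# machine store with its private key; select it by subject instead of pasting a thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$PublicName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $PublicName with a private key in LocalMachine\My" }
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $cert.Thumbprint

# Step 2a: Connection Authorization Policy (who may connect to the gateway).
# AuthMethod 1 = password, 2 = smart card, 3 = either. Existing policies are
# removed so that only this one applies; comment the Remove-Item out to keep them.
Get-ChildItem RDS:\GatewayServer\CAP | Remove-Item -Recurse
New-Item -Path RDS:\GatewayServer\CAP -Name 'External-Users-CAP' `
         -UserGroups $UserGroup -AuthMethod 1 | Out-Null

# Step 2b: Resource Authorization Policy (which internal hosts they may reach).
# A gateway-managed computer group holds the farm name AND each session host:
# the client first asks for the farm name, then is redirected to one host and
# reconnects to it through the gateway, so both must be allowed.
# ComputerGroupType 0 = gateway-managed group (2 would be "any resource", which
# turns the gateway into an open RDP proxy for any authenticated user).
Get-ChildItem RDS:\GatewayServer\RAP | Remove-Item -Recurse
New-Item -Path RDS:\GatewayServer\GatewayManagedComputerGroups -Name 'RDS-Farm' `
         -Computers (@($FarmName) + $Hosts) -Description 'Farm name plus session hosts' | Out-Null
New-Item -Path RDS:\GatewayServer\RAP -Name 'External-Users-RAP' `
         -UserGroups $UserGroup -ComputerGroupType 0 -ComputerGroup 'RDS-Farm' `
         -PortNumbers '3389' | Out-Null

# Step 4, host side: allow HTTPS to the gateway on the server's own firewall.
# (The perimeter forward of TCP 443 to this server's LAN IP is done on the router.)
# If you changed the gateway port per Eric's link, change -LocalPort to match.
New-NetFirewallRule -DisplayName 'RD Gateway (HTTPS)' -Direction Inbound -Protocol TCP `
    -LocalPort 443 -Action Allow -Profile Domain,Private,Public | Out-Null

# Steps 5 and 6, client side: an .rdp file equivalent to the mstsc Advanced settings.
# gatewayusagemethod 1 = always use the gateway; gatewaycredentialssource 0 = prompt
# for a password; full address is the FARM name, not a host, as Brad's step 6 says.
$rdp = @"
full address:s:$FarmName
gatewayhostname:s:$PublicName
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
authentication level:i:2
"@
Set-Content -Path "$env:USERPROFILE\Desktop\$FarmName.rdp" -Value $rdp -Encoding Unicode

# Checks: the public name must resolve from outside and 443 must be reachable.
Resolve-DnsName $PublicName -Server 8.8.8.8 -ErrorAction SilentlyContinue   # assumed external resolver
Test-NetConnection -ComputerName $PublicName -Port 443
Get-ChildItem RDS:\GatewayServer\CAP, RDS:\GatewayServer\RAP
```

Copy the generated .rdp file to one test client first, as Brad suggests, and confirm in the RD Gateway event log that the connection is authorized by External-Users-CAP and External-Users-RAP. If a redirected host is denied, the name the broker handed back (the host's FQDN) is missing from the RDS-Farm group; add it there rather than widening the RAP to any resource.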