
With a Remote Desktop Services deployment in a domain ad.company.com, I have RDG and RDSH installed on the same server, rd.ad.company.com.

I can use a wildcard cert on *.company.com for access to the Gateway using the Remote Desktop Gateway Manager, and I can also make the rdp connection present this certificate to the client following this guide.


If I try to connect from a remote client using rd.company.com as the gateway address and the server address, it fails even though I've added rd.company.com to the hosts file on the server.

If I try to connect using rd.company.com as the gateway and rd.ad.company.com as the server, a certificate warning appears because rd.ad.company.com doesn't match the wildcard certificate *.company.com. I can connect, but my aim is to have no warning message.

Is it possible to cover both gateway and server with *.company.com, or will I need to get another cert for rd.ad.company.com or *.ad.company.com?

I don't want to use company.com as the domain instead of ad.company.com, because I understand that would be a bad idea.

barbecue

2 Answers


Wildcard certificates work for only one level of domains, that is, the most specific domain level.

So, you need to get another certificate for *.ad.company.com.

Tero Kilkanen
  • I know how wildcard certs work. So I can't make RDG act as gateway to `rd.company.com` to `rd.ad.company.com`? I'm asking if there is some way of aliasing in RDG I guess. –  Jul 25 '15 at 17:20
  • Unfortunately I know only how certificates work in the general use, I don't know about Remote Desktop. – Tero Kilkanen Jul 26 '15 at 02:05
  • Thanks Tero, I [figured it out](http://serverfault.com/a/708586/83664) :) –  Jul 26 '15 at 11:59

This can be done and it turns out it's not that difficult. You need to:

  1. Make sure rd.company.com points at the IP address of rd.ad.company.com on the RDG server. You can either add a new DNS zone for rd.company.com and add an empty A record pointing to the correct IP, or add an entry in the hosts file on the RDG. You could add the internal IP to your external DNS instead, but I think that's a bit ugly.
  2. Configure the RAP (Resource Authorization Policies) on the RDG using Remote Desktop Gateway Manager to allow rd.company.com. I did this by creating a new RD Gateway-Managed Group.

Now my rdp clients can connect with the standard RDP client software using rd.company.com as the address for both server and gateway, and the wildcard cert for *.company.com covers both.
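As an added example (not the answer author's script, nor anything shipped with Remote Desktop Services), the following PowerShell automates the two steps in this answer on the RDG/RDSH host and then checks the result: it confirms that the alias really resolves on the gateway (Resolve-DnsName bypasses the hosts file, so the check uses the .NET resolver, which honours it) and that the names in the certificate the gateway presents on 443 cover both addresses, using the one-label wildcard rule from the first answer. Assumptions not in the thread: the user group, the managed computer group and the RAP names are placeholders; the `RDS:` provider paths and the `New-Item` parameters are from the RemoteDesktopServices module as I know them, so confirm them with `Get-ChildItem RDS:\GatewayServer` before relying on the script.

```powershell
#Requires -RunAsAdministrator
# Added example, not the answer author's script. Runs on the combined RDG/RDSH server.
# Group, RAP and user-group names below are placeholders (assumption, not from the thread).
param(
    [string]$ExternalName = 'rd.company.com',
    [string]$InternalName = 'rd.ad.company.com',
    [string]$UserGroup    = 'Domain Users@ad.company.com',   # placeholder
    [string]$GroupName    = 'RDG-PublicNames',               # placeholder
    [string]$RapName      = 'RAP-PublicNames'                # placeholder
)

# Wildcard matching as TLS clients do it: '*' stands for exactly one DNS label, so
# *.company.com covers rd.company.com but never rd.ad.company.com.
function Test-CertNameMatch([string]$Pattern, [string]$Name) {
    $p = $Pattern.ToLowerInvariant().Split('.')
    $n = $Name.ToLowerInvariant().Split('.')
    if ($p.Count -ne $n.Count) { return $false }
    for ($i = 0; $i -lt $p.Count; $i++) {
        if ($i -eq 0 -and $p[0] -eq '*') { continue }
        if ($p[$i] -ne $n[$i]) { return $false }
    }
    return $true
}

# Fetch the certificate the gateway presents on $Port and list the DNS names it covers.
function Get-PresentedCertNames([string]$HostName, [int]$Port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Chain validation is switched off only so the certificate can be read;
        # the meaningful check is the name comparison done by the caller.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @($cert.GetNameInfo('SimpleName', $false))            # subject CN
        $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Format() yields "DNS Name=*.company.com, DNS Name=company.com" on English Windows.
            $names += ([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                       ForEach-Object { $_.Groups[1].Value })
        }
        return $names | Select-Object -Unique
    } finally { $client.Close() }
}

# --- Step 1: make the external name resolve, on the RDG itself, to the RDSH's address ---
$ip = (Resolve-DnsName -Name $InternalName -Type A -ErrorAction Stop |
       Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Copy-Item $hostsPath "$hostsPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$pattern = '^\s*\S+\s+' + [regex]::Escape($ExternalName) + '(\s|$)'
$kept = Get-Content $hostsPath | Where-Object { $_ -notmatch $pattern }   # replace, don't duplicate
Set-Content -Path $hostsPath -Value ($kept + "$ip`t$ExternalName`t# RDG alias for $InternalName") -Encoding ASCII

# --- Step 2: RD Gateway-managed computer group plus a RAP that allows the external name ---
# Provider paths/parameters as I know them from the RemoteDesktopServices module (assumption).
Import-Module RemoteDesktopServices
if (-not (Test-Path "RDS:\GatewayServer\GatewayManagedComputerGroups\$GroupName")) {
    New-Item -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups' -Name $GroupName `
             -Description 'Names clients may target through the gateway' `
             -Computers @($ExternalName, $InternalName) | Out-Null
}
if (-not (Test-Path "RDS:\GatewayServer\RAP\$RapName")) {
    # ComputerGroupType 1 = RD Gateway-managed computer group (0 = AD group, 2 = any resource)
    New-Item -Path 'RDS:\GatewayServer\RAP' -Name $RapName -UserGroups @($UserGroup) `
             -ComputerGroupType 1 -ComputerGroup $GroupName | Out-Null
}

# --- Step 3: verify. Resolve-DnsName ignores the hosts file; Dns.GetHostAddresses honours it. ---
$resolved = [System.Net.Dns]::GetHostAddresses($ExternalName) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $ip) {
    throw "$ExternalName resolves to $($resolved -join ',') on this host, expected $ip"
}

$names = Get-PresentedCertNames -HostName $ExternalName -Port 443
foreach ($target in $ExternalName, $InternalName) {
    $ok = @($names | Where-Object { Test-CertNameMatch $_ $target }).Count -gt 0
    '{0,-25} covered by gateway cert: {1}' -f $target, $ok
}
```

With the wildcard cert from the question, the final loop reports `rd.company.com` as covered and `rd.ad.company.com` as not, which is exactly why clients must use rd.company.com for both the gateway and the server address. The check on 443 only inspects the gateway listener; the RDP listener's certificate, configured per the guide the question links, is covered by the same rule once clients target the external name.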