
The Environment

We have a RemoteApp terminal server based on Windows Server 2016 with the latest updates installed. We have provisioned multiple apps through this server. There is one session collection with all apps in it. This server has no internet connection. The Windows Firewall is turned off for testing purposes. Let's call it RAS (RemoteAppServer) for explanation. The FQDN of this server is RAS-01.ad2.domain.com (a different AD than that of the client that will connect; the user will connect as AD1\Username). The server is fully domain joined. A valid license is installed. The server has the license role, the Gateway role, the Web role and the Session Manager installed. Everything is on the same server.

The users connect to this server from another terminal server based on Windows Server 2012 R2, with the latest updates installed. Let's call this server TS for explanation. Its fully qualified domain name is ts-01.ad1.domain.com. The server is fully domain joined. The terminal server has access to the internet via a proxy server. We have defined an exclusion for *.domain.com and have opened these ports:

Which ports are open?

  • Port 443 FROM TS to RAS
  • AD ports FROM RAS to DCs in both ADs.

Both servers are in separate network zones AND different Active Directories. The Active Directories are fully joined. The "main" AD is AD1. The user will also use an account of the domain AD1 (AD1\Username) to log in to both servers, TS and RAS. The login on the web interface is pretty fast. They also have different DNS servers.

We use an official certificate for the connection.

This is the content of the RDP file which a user uses to connect:

redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:0
devicestoredirect:s:
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
remoteapplicationmode:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
videoplaybackmode:i:0
audiocapturemode:i:0
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:ras.domain.com
alternate shell:s:||EXCEL
remoteapplicationprogram:s:||EXCEL
gatewayhostname:s:ras.domain.com
remoteapplicationname:s:Excel 2016
remoteapplicationcmdline:s:
workspace id:s:RAS-01.ad2.domain.com 
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Factory
alternate full address:s:ras.domain.com
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,Alternate Shell,RemoteApplicationProgram,RemoteApplicationMode,RemoteApplicationName,RemoteApplicationCmdLine,RedirectDrives,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
signature:s:some information removed :)

The Problem

The user opens the browser (IE and Chrome tested; it doesn't matter, there are just differences in the login: in IE the user does not have to enter the credentials again). Then they click on an app and this window is shown: (screenshot: RemoteApp Loading Screen 1)

Then it takes about 60 seconds and it asks to accept the certificate, as the server was not able to check the revocation list. If I open the revocation list URL in the browser on TS, it works. But not on RAS, logically, as it has no internet connection. In my understanding, the check is made by TS (as this is the client at this moment) and not by the RemoteApp server itself: (screenshot: RemoteApp Loading Screen 2)

After clicking Yes, it takes another 60 seconds and the greyed-out button "Show Details" is no longer greyed out and can be clicked. If you click on it, you can see that the login procedure is starting: (screenshot: RemoteApp Loading Screen 3)

In the end, the whole process takes 2 minutes and 15 seconds. After the first connection is established, all other RemoteApps load instantly.

Does any of you have an idea how we can fix that time? I do not know where I have to look. Is it because of the certificate, because of the DNS, because of the domain join, because of me? :) Thanks for any suggestion!

  • Start this command from the client while you are waiting and see if you can find interesting IPs/ports: `netstat -an |findstr SYN`. It will show you the connections stuck in the SYN_SENT state, which typically indicates a closed port or an unreachable destination. – Swisstone May 06 '19 at 16:53
  • Can you try installing the certificate on a test computer, and test again? – yagmoth555 May 06 '19 at 19:20
  • Hi @Swisstone, thank you for the input, I will check that out :) – drunkenhusky May 07 '19 at 06:13
  • @yagmoth555 the certificate is a wildcard cert and we have it installed on another computer where it is used without any issues (of course for another use case). – drunkenhusky May 07 '19 at 06:13
  • @Swisstone I can see some blocked requests via port 80 on the TS server. On RAS I can't see any blocked requests. I can't really make sure whether these are related, but I found this article: https://styletronix.wordpress.com/2011/02/12/rdp-crl-check/ The article explains that the proxy settings of IE are ignored by WinHTTP. But WinHTTP makes the CRL check, so I will try to get the proxy configured for WinHTTP. – drunkenhusky May 07 '19 at 15:07
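As an added diagnostic (not part of the question or the comments above): a PowerShell script to run on TS that reads the CRL distribution point URLs out of the certificate ras.domain.com presents on 443 and fetches each one twice, once directly (what WinHTTP does when no WinHTTP proxy is configured) and once through the user's IE proxy. A result of "direct: False, via IE proxy: True" is the pattern that matches the 60-second revocation timeout described in the question. The gateway name and port come from the RDP file above; the 10-second timeout is an assumed default.

```powershell
# Added diagnostic, not from the question. Assumed defaults: the gateway name and
# port from the RDP file, and a 10-second timeout per CRL fetch.
param(
    [string]$GatewayHost = 'ras.domain.com',
    [int]$Port = 443,
    [int]$TimeoutSeconds = 10
)

# Grab the leaf certificate the gateway presents on 443. Chain validation is skipped
# on purpose: we only want to read its CRL distribution points, not trust it.
function Get-RemoteCertificate([string]$HostName, [int]$Port) {
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

# Fetch one CRL URL through the given proxy. An empty WebProxy means a direct
# connection, which is what WinHTTP uses when 'netsh winhttp show proxy' says "Direct access".
function Test-CrlUrl([string]$Url, [System.Net.IWebProxy]$Proxy, [int]$TimeoutSeconds) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Timeout = $TimeoutSeconds * 1000
    $req.Proxy = $Proxy
    try {
        $resp = $req.GetResponse()
        $ok = ($resp.StatusCode -eq [System.Net.HttpStatusCode]::OK)
        $resp.Close()
        return $ok
    } catch { return $false }   # timeout, DNS failure, refused connection, HTTP error
}

Write-Output "WinHTTP proxy as seen by the RDP client:"
netsh winhttp show proxy
$cert = Get-RemoteCertificate -HostName $GatewayHost -Port $Port
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
if (-not $cdp) { Write-Output "No CRL distribution point in $($cert.Subject)"; return }
# The formatted extension lists each distribution point as a 'URL=http://...' line
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
$noProxy = New-Object System.Net.WebProxy                   # no address = go direct
$ieProxy = [System.Net.WebRequest]::GetSystemWebProxy()     # the proxy IE/Chrome use
foreach ($u in $urls) {
    $direct = Test-CrlUrl -Url $u -Proxy $noProxy -TimeoutSeconds $TimeoutSeconds
    $viaIe  = Test-CrlUrl -Url $u -Proxy $ieProxy -TimeoutSeconds $TimeoutSeconds
    "{0}`n  direct (WinHTTP default): {1}`n  via IE proxy            : {2}" -f $u, $direct, $viaIe
}
```

If the direct fetch fails while the IE-proxy fetch succeeds, the fix is on the WinHTTP side (its proxy setting, or allowing the CRL URLs out without a proxy), not in IE or the certificate itself.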

0 Answers