Getting RDWeb to send over 443 instead of 3389....
Hi all, having a bit of a problem at the moment with our RDS Remote Web Access and getting it to work with some other organizations' firewalls/proxies, etc.
Just a bit of background: the RDS server is set up and running fine, the certificate is installed correctly and users can access the web gateway via https://remote.ourdomain.co.uk/, they can log in and they can run either a published App or click Remote Desktop to load straight into a desktop. All of this works fine.
We have some members of staff who have been seconded out to work in other partner organizations and I am coming up against a problem whereby our remote access isn't being allowed through their proxies/firewall/whatever because when it makes a connection back to our server it does so on port 3389 directly, which is a big no-no. Now I'm under the understanding that the SSL port 443 is a port which will allow the traffic through, but I'm a bit stumped at the moment as to how to get the traffic routing over that so that it can traverse any firewalls and proxies it comes to without any problems.
I'm not the greatest with all this RD Web remote access stuff, so I'm not entirely sure if I've missed off a simple option, or if the way I have configured it is prohibiting it from being sent out over 443.
I have 2 rules set up on our Draytek. One is to forward port 3389 on one WAN IP (the one that is pointing to our web access page) to 3389 on the RDS server (if I don't have this set up, when a user clicks on the remote desktop link they can't get in, it just throws up an error when trying to connect).
And another is port forwarding of 443 from the same WAN IP to the same RDS server (if I don't have this set up, users can't access our https://remote.ourdomain.co.uk/).
I'm not sure if these play any part in all of this.
I have no idea if this is the correct way to do things but that's how I got it all to work in the first instance and upon looking at a packet tracer I can see that when it does connect it connects on 3389.
Is anyone able to offer any advice/guidance on how I might get it so that all the data is sent over 443 instead of 3389?
You need to set up RD Gateway between your RD server and router (can be on the same server). Once this is in place it'll tunnel the traffic over HTTPS for you and means you don't need to expose port 3389 at all. When connecting via the RDP client directly, staff would connect to the internal server name and have the gateway address in the gateway options; the client would then connect to the gateway and then tell it which internal server to connect to and pass the credentials over.
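To make the "gateway address in the gateway options" concrete, here is an added example (not code from the original thread) of the .rdp settings that force a client through the RD Gateway, plus a quick check that the file really is gateway-bound and a netstat filter to confirm nothing goes out on 3389. It reuses the public name remote.ourdomain.co.uk from the post; the internal session host name rds01.ourdomain.local is an assumption.

```powershell
# Added example, not from the original thread.
# remote.ourdomain.co.uk is the gateway name from the post; the internal
# RD Session Host name below is an assumption for illustration.
$gatewayFqdn  = 'remote.ourdomain.co.uk'   # must match the name on the gateway's certificate
$internalHost = 'rds01.ourdomain.local'    # assumption: the RD Session Host inside the LAN

# .rdp settings that send the client through the RD Gateway over HTTPS (443).
# gatewayusagemethod 1 = always use the gateway (2 = bypass it for local addresses).
# gatewaycredentialssource 0 = ask for a password.
# promptcredentialonce 1 = reuse the gateway credentials for the session host.
$rdp = @"
full address:s:$internalHost
gatewayhostname:s:$gatewayFqdn
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
"@
$rdpPath = Join-Path $env:TEMP 'via-gateway.rdp'
Set-Content -Path $rdpPath -Value $rdp -Encoding ASCII

# Parse an .rdp file and report whether it is forced through a gateway.
function Test-RdpGatewayConfig {
    param([Parameter(Mandatory)][string]$Path)
    $settings = @{}
    foreach ($line in Get-Content $Path) {
        # key:type:value, where type is s (string) or i (integer)
        if ($line -match '^([^:]+):[si]:(.*)$') { $settings[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        UsesGateway = [bool]($settings['gatewayhostname'] -and $settings['gatewayusagemethod'] -eq '1')
        Gateway     = $settings['gatewayhostname']
        Target      = $settings['full address']
    }
}
Test-RdpGatewayConfig -Path $rdpPath   # expect UsesGateway = True

# While a session opened from this file is active, the client should show an
# established connection to the gateway on 443 and nothing on 3389.
# netstat is available on XP as well as Windows 7.
netstat -ano | Select-String -Pattern ':443\s|:3389\s'
```

On Server 2008 R2 the same gateway name goes into RemoteApp Manager under RD Gateway settings so that the .rdp files RD Web Access hands out carry these lines; on Server 2012 and later the equivalent is `Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -GatewayExternalFqdn remote.ourdomain.co.uk -LogonMethod Password`. Once the netstat check shows only 443, the 3389 port-forward on the Draytek can be removed, which is the whole point of the gateway.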
Think I've managed it actually. I had installed the Gateway Role when I initially created the server. I popped our remote.domain.co.uk into the server name on the RemoteApp settings, fired up a packet sniffer and then tried connecting up again from a laptop with a dongle. Voilà, not a 3389 in sight, and it looked as though it was going through 443. I disconnected and tried again and it errored saying it couldn't find the server, so I tried again and it worked!
Not sure why it was intermittent though but at least I'm getting somewhere (I think!)
Just encountered one last problem. They can access it fine from Windows 7 clients; however, the majority of them are based on Windows XP machines. Is there any configuration I need to take into account if the user is coming in from an XP client? Apparently they can access our 2 published apps (web pages) fine, but when they click on to load up an actual desktop it's throwing up another Username and Pass box and the credentials aren't working.
Take a look at the setup on the Session Host Configuration - it sounds as though you may have the "allow connections only from computers running Remote Desktop with Network Level Authentication" enabled.
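As an added example (not from the original thread), the following reads the same "require NLA" setting the Session Host Configuration dialog exposes, through the Win32_TSGeneralSetting WMI class on the Session Host, and shows the two ways out: turning NLA off, which weakens the host, or leaving NLA on and enabling CredSSP on the XP SP3 client so it can satisfy NLA (the registry changes from Microsoft KB951608, which also need the RDC 6.1 client). The XP part assumes PowerShell 2.0 has been installed on the XP machine; the same two values can be set with reg.exe if it has not.

```powershell
# Added example, not from the original thread.

# --- On the RD Session Host (Server 2008 R2) ---
# UserAuthenticationRequired 1 = only NLA-capable clients may connect, 0 = any client.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
"NLA required on RDP-Tcp: $($ts.UserAuthenticationRequired)"

# Option A (weaker): stop requiring NLA so legacy clients connect; uncomment to apply.
# $ts.SetUserAuthenticationRequired(0) | Out-Null

# --- On the Windows XP SP3 client (preferred: keep NLA, make XP capable of it) ---
function Enable-XpCredSsp {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

    # 'Security Packages' is REG_MULTI_SZ; append tspkg if it is missing.
    $pkgs = @((Get-ItemProperty -Path $lsa).'Security Packages')
    if ($pkgs -notcontains 'tspkg') {
        Set-ItemProperty -Path $lsa -Name 'Security Packages' -Value ($pkgs + 'tspkg')
    }

    # SecurityProviders is a comma-separated REG_SZ; append credssp.dll if missing.
    $providers = (Get-ItemProperty -Path $sp).SecurityProviders
    if ($providers -notmatch 'credssp\.dll') {
        Set-ItemProperty -Path $sp -Name 'SecurityProviders' -Value "$providers, credssp.dll"
    }
    'CredSSP registered; reboot the client for it to take effect.'
}

# NLA also needs Remote Desktop Connection 6.1 or later on XP; 6.0 will still fail.
$mstsc = Get-Item (Join-Path $env:SystemRoot 'System32\mstsc.exe')
"mstsc.exe version: $($mstsc.VersionInfo.ProductVersion)"
```

Disabling NLA on the host is the quick fix but it means anyone who can reach the gateway gets a full Windows logon screen before authenticating; enabling CredSSP on the XP clients keeps the host's NLA requirement and is the option to prefer where the XP machines can be touched.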