One thing im having trouble with is the actual creation of the certificate. Some sites which helped me a lot to get this going.ĮDIT: Forgot to mention, for assigning the certs RDGateway and RDWeb Access need your cert for external access, your connection brokers use your internal cert This will then allow you to edit the gateway address to use your WAN IP rather than DNS name. Remove everything from the start of signedscope section to the end of the file, this section is like an in-built checksum. rdp in notepad, at the bottom you should see a section for SignedScope or similar. One last thing I'll mention is if you're load balancing 2 or more TS and so using a gateway, but not using an external DNS but rather relying on WAN IP, you'll need to create your certs using WAN IP and then tweak your. Then you simply need to provide the user with the link, an exe downloads and sets the whole thing up for them, shortcut included. The ASPX is configured simply to point to that exe, although you can also modify the default RDWeb page to include a button which also downloads this file. Then simply set up a subpage under your rdweb page which links to the exe. The second batch file then installed the CA cert to the computers trusted root store. rdp shortcut on the logged on users desktop, then uses elevate.exe to load a second batch file under admin rights. I then created a batch file which puts the.
#WINDOWS SERVER 2012 R2 REMOTE DESKTOP SERVICES CERTIFICATE INSTALL#
rdp link, the CA certificate, CertMgr.exe to install the CA cert, and elevate.exe (3rd party). You can OK the message and continue anyway, so this isn't necessary.Īs for setting up remote users to easily get logged in, I created an. This stops an error message you get logging onto the TS from outside the company. The console provides options for internal and external stores so configure them appropriately and then you'll need to recreate your certs to include the store. You just need to configure your CA to use a sharable revocation store which I think was done through the console in server properties, then create an IIS page to point to that location and set it up in directory browsing mode. I can't remember the specifics, but it's simple enough. Next is to import your wildcard cert psk into your terminal server nodes (gateway, RDhost ect)įor access outside the organization, you may want to look into creating a revocation check site. Once you have the cert from your internal CA, import it back into the IIS you created the request from and you'll then see the cert in your list, at which point you can export it to a PSK. I ended up creating a cert request using IIS on the CA server for a wildcard cert (*.), then complete the request via your CA web page. It can be done but quite fiddly some times. I recently set up our 2012R2 TS's with internal CA's.
0 kommentar(er)
