Channel: Remote Desktop Services (Terminal Services) forum

Remote Desktop Farm Issues

Hi there,

I'm setting up a remote desktop farm.  Here's my general config:
-All servers running Windows Server 2012.
-Three domain controllers, configured for a domain named internal.domain.org.
-Three remote desktop session host servers.
-One server hosting RemoteApp and the Remote Desktop web service.
-One Remote Desktop Gateway server.
-One Remote Desktop Connection Broker server.

The three Remote Desktop Session Host servers have been combined into a collection named "Farm" and there are three DNS records for Farm - one pointed to each of the servers' IP addresses.  The Gateway server has been left at the defaults for CAP & RAP policies for now, which allows all users in the Domain Users group to access all resources on all Domain Computers.

A wildcard certificate has been purchased for *.internal.domain.org, which is what we're going to use for addressing the remote desktop farm both internally and externally.  The wildcard certificate was applied using Server Manager to all four of the functions listed under the Remote Desktop certificates config (RD CB Signing, RD CB Publishing, RD Web Access, RD Gateway) and I have also manually installed it to the three remote desktop session hosts, using Certmgr.msc to put it in the Local Computer Account's personal folder, mirroring the automatic configuration that Server Manager did for the Gateway & Connection Broker servers.

Now, on to the issues:

First, when I try to connect internally to the session hosts, I *have* to use the farm name.  If I try to use a single RDSH server name, it pops up an error saying you must use the farm name.  That's all fine - redirection happens correctly, etc.  However, when I try to connect from outside using the gateway, the exact *opposite* happens - it refuses to connect to the farm name, but will connect to individual servers, and appears to be doing the redirection correctly as well.  The thing is, I don't want people putting in individual server names - I want the farm name to work when they're connecting through the gateway.  How can I make that happen?

Second, when I connect internally to the farm name, it redirects to one of the RDSH servers, but then pops up an error saying the "certificate is not from a trusted certifying authority" even though the wildcard SSL certificate is installed on all of the servers.  When I view the certificate, it's definitely not the wildcard cert - it appears to be the self-signed cert that was generated by the RDSH server.  This error does not occur when connecting through the gateway.  What can I do to make this error go away?

Third, when I add the RemoteApp feed URL to Control Panel\RemoteApp and Desktop Connections, it asks for credentials to add it - even though I have the default credentials (and default credentials for NTLM) settings in group policy set to allow the delegation of credentials to the RemoteApp server.  Any way to get rid of this?

Fourth, once I add in those credentials and add the RemoteApps - I click to run one of the apps in my Start Menu, and I get a warning asking if I trust the publisher of this RemoteApp program.  Again - the SSL cert is installed on the RemoteApp server, so I don't understand why I'm continuing to get these errors.

Fifth, from outside and coming through the gateway, I get the same error as above in #4, but then am prompted to enter credentials again (apparently for the Broker server), and then am denied a RemoteApp connection with the message "Your computer can't connect to the remote computer because a security package error occurred in the transport layer."

Any help with any of these is much appreciated.  Thank you!
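The second issue described above (the farm redirecting to a session host that then presents its self-signed certificate instead of the wildcard) is worth checking directly rather than guessing from the client-side warning. Placing a certificate in the Local Computer personal store does not by itself bind it to the RDP listener; the listener records the thumbprint it presents separately. The following PowerShell is an added diagnostic example, not code from the original post: it reads the thumbprint each session host's RDP-Tcp listener is actually presenting, resolves it against that host's computer store, and flags whether it is the wildcard certificate or a self-signed one. The host names and the wildcard subject string are assumptions standing in for the poster's real values; the script assumes the wildcard certificate has already been imported into each host's Local Computer personal store, as the post describes, and that the account running it is an administrator on those hosts.

```powershell
# Added example (not from the original post): audit which certificate each RD Session Host's
# RDP-Tcp listener presents, and compare it with the purchased wildcard certificate.
# Assumptions (placeholders): session host names and the wildcard certificate subject.

$expectedSubject = 'CN=*.internal.domain.org'   # subject of the wildcard cert, per the post
$sessionHosts    = 'rdsh1', 'rdsh2', 'rdsh3'     # placeholder names for the three RDSH servers

function Get-RdpListenerCertificate {
    param([string]$ComputerName)

    # The listener's certificate is stored as a SHA-1 thumbprint in the TerminalServices WMI namespace.
    $listener = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"

    # Resolve that thumbprint to the actual certificate in the remote host's computer store.
    $cert = Invoke-Command -ComputerName $ComputerName -ArgumentList $listener.SSLCertificateSHA1Hash -ScriptBlock {
        param($hash)
        Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Thumbprint   = $listener.SSLCertificateSHA1Hash
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        IsWildcard   = ($cert.Subject -eq $expectedSubject)
        IsSelfSigned = ($cert.Subject -eq $cert.Issuer)   # self-signed certs have matching subject and issuer
        Listener     = $listener                           # kept so a caller can rebind if needed
    }
}

function Set-RdpListenerToWildcard {
    param([string]$ComputerName)

    # Find the wildcard certificate in the host's computer store by its subject.
    $wildcard = Invoke-Command -ComputerName $ComputerName -ArgumentList $expectedSubject -ScriptBlock {
        param($subject)
        Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
    }
    if (-not $wildcard) { throw "No certificate with subject $expectedSubject found on $ComputerName" }

    # Bind it to the RDP-Tcp listener. The listener runs as NETWORK SERVICE, which must be able to read the
    # certificate's private key; otherwise the host silently falls back to its self-signed certificate.
    $listener = (Get-RdpListenerCertificate -ComputerName $ComputerName).Listener
    Set-WmiInstance -InputObject $listener -Arguments @{ SSLCertificateSHA1Hash = $wildcard.Thumbprint } | Out-Null
}

# Report which hosts still present a self-signed certificate.
$report = $sessionHosts | ForEach-Object { Get-RdpListenerCertificate -ComputerName $_ }
$report | Select-Object ComputerName, Subject, Issuer, IsWildcard, IsSelfSigned | Format-Table -AutoSize

# Rebind any host that is not presenting the wildcard certificate.
$report | Where-Object { -not $_.IsWildcard } | ForEach-Object {
    Set-RdpListenerToWildcard -ComputerName $_.ComputerName
}
```

Running the audit first and the rebind second keeps the change reviewable: a host that reports IsSelfSigned as true is exactly one that will trigger the "not from a trusted certifying authority" prompt after farm redirection, even though the wildcard certificate sits in its store. If a rebind appears to succeed but the host still presents the self-signed certificate, the usual cause is that the private key's ACL does not grant read access to NETWORK SERVICE.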
