Gateway web access configuration
We have an RD Gateway server hosted at our Central Office. We have 6 other sites that have RD host servers. I’ve been on the gateway and been on the Remote desktop web access configuration and seen that there is a list of programs from each site showing.
I’ve added a new program to one of the sites but I can’t find whether there is a way to replicate the changes, or how to add the new program into the Web Access on the gateway server. I’ve been looking into this but I can’t find any tutorials or support media on it.
All servers are running server 2008 R2
If anyone can either point me in the right direction or let me know if there is a default replication time I’ll be grateful. If this is in the wrong thread, please move this or let me know where to move it to.
Thank you.
Hi,
Thank you for posting in Windows Server Forum.
From your description it seems that you want to publish RD Web with RemoteApp on it. If I misunderstand, please correct me. If yes then you can follow the below link for information.
Remote Desktop Web Access (RD Web Access)
http://technet.microsoft.com/en-us/library/cc731923.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
Similar Messages
Hi everybody,
I've been struggling with this problem for a few weeks now and can't find a way to solve it.
We have an RD farm (Server 2012) which consists of two Remote Desktop Servers with Connection Broker and Web Access.
I've recently published a new server, containing RD Gateway and Web Access in our perimeter network.
Now we've got restrictions that OTP/2FA must be used for the external deployment and we've decided to go for a solution from Gemalto.
The "program" is called IDConfim and the server is called SA Server (Strong Authentication).
Also it's important that NO ISA/TMG server is supposed to be used; the OTP/2FA is supposed to work seamlessly with the Web Access/Gateway.
After hours of discussion we came to a point where their NPS agent setup would be the only way to accomplish our goals.
The setup is supposed to be like this:
LAN:
1 DC (2008 R2)
RD Farm (2012)
1 SA Server (2012)
DMZ:
RD Gateway/Web Access (2012)
Where Gateway and Web Access should forward the authentications with NPS to the NPS agent on the SA server.
When you print your AD account to authenticate you add the 6 digits of OTP which you receive from your mobile app.
Initially this seems to work, the Gateway forwards the request to the remote NPS server, BUT only if you write the correct AD password (without the OTP extension).
If you write the correct AD password the authentication is forwarded to our SA Server and it's being rejected because the password doesn't contain the correct OTP extension.
The problem comes here.
When you write your AD password along with the OTP extension you get a Windows Security error in the event log (on the Gateway server) like this:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: user
Account Domain: domain
Failure Information:
Failure Reason: Unknown username or password.
Status: 0xc000006d
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: server
Source Network Address: 192.168.x.x
Source Port: 63003
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
What I can see is that it's an NTLM error, but hey?! Aren't we supposed to forward all authentication handling to the remote NPS server?
The problem is that no matter what I try the above problem stays there.
Is it not possible to just forward ALL authentication handling to a remote server?
The only solution I've found to get it working someday in the future is this:
"Remote Desktop Pluggable Authentication and Authorization", which is supposed to be introduced in 2012 R2.
Also this link describes it:
http://archive.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=rdsdev&ReleaseId=3745
Please, bring me some answers before my head explodes! :)
PS, long question = maybe some errors, ask me if something is unclear.
Hi,
Based on our experience, if the NTLM error occurs, please check the password.
Regards,
Mike
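As an added example (not part of the thread), PowerShell to triage these 4625 events on the gateway itself rather than reading them one at a time in Event Viewer: it decodes the Status and Sub Status fields (the event above shows Status 0xc000006d, STATUS_LOGON_FAILURE, with Sub Status 0x0), filters for the same NTLM/NtLmSsp network-logon shape, and counts failures per source address, which is the view a defender wants when deciding whether a gateway is seeing password guessing rather than a misconfiguration. The status table is taken from the documented NTSTATUS values; the 24-hour window is an arbitrary choice, and the script needs rights to read the Security log.

```powershell
# Added example, not from the thread: triage Event ID 4625 on an RD Gateway.
# Run on the gateway with rights to read the Security log.

# Documented NTSTATUS values seen in the Status / Sub Status fields of 4625.
$NtStatus = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE (bad user name or authentication information)'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000064' = 'STATUS_NO_SUCH_USER'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc000006f' = 'STATUS_INVALID_LOGON_HOURS'
    '0xc0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xc0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xc0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0x0'        = '(no sub status)'
}

function Convert-Event4625 {
    # Flatten one 4625 record's EventData into a readable object.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $status = ('{0}' -f $data['Status']).ToLower()
    $sub    = ('{0}' -f $data['SubStatus']).ToLower()
    $statusText = if ($NtStatus.ContainsKey($status)) { $NtStatus[$status] } else { 'unknown' }
    $subText    = if ($NtStatus.ContainsKey($sub))    { $NtStatus[$sub] }    else { 'unknown' }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        User       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType  = $data['LogonType']
        Package    = $data['AuthenticationPackageName']
        LogonProc  = $data['LogonProcessName']
        SourceIP   = $data['IpAddress']
        Status     = $status
        StatusText = $statusText
        SubStatus  = $sub
        SubText    = $subText
    }
}

# Pull the last 24 hours of failed logons; Get-WinEvent raises an error when there are none.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    ForEach-Object { Convert-Event4625 -Event $_ }

# Same shape as the event in the thread: NTLM, logon process NtLmSsp, network logon (type 3).
$failures | Where-Object { $_.Package -eq 'NTLM' -and $_.LogonType -eq '3' } |
    Format-Table Time, User, SourceIP, LogonProc, Status, StatusText, SubStatus, SubText -AutoSize

# Detection view: many failures from one source, or one source trying many distinct users.
$failures | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'DistinctUsers'; e = { @($_.Group.User | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize
```

A handful of failures for one account with a known-good source address reads as the configuration problem described in the thread; a long list of addresses or a single address cycling through many user names is the pattern to alert on and to block at the gateway's RD CAP or the perimeter firewall.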
Connecting to Remote Desktop Published Apps through RD Web Access not working
Hello,
I have configured an RD Gateway server. My scenario is that I have a Windows 2012 R2 server with all RD components (Gateway, Web Access, Connection Broker, Session Host) configured, since this is for a PoC. Externally I can access the RD Web Access portal (https://<servername.domain.com>/rdweb) and can connect to the target server using the "Connect to a remote PC" tab without any issue.
But I can't connect to any published app from "Remote App and Desktop". The error I receive is "unable to connect to remote pc. please provide the fully-qualified name......."
At the same time I can see below errors in event logs related to connection broker:
Error 802:
RD Connection Broker failed to process the connection request for user domain\Administrator.
Error: Element not found.
Event 1306:
Remote Desktop Connection Broker Client failed to redirect the user domain\Administrator.
Error: NULL
Error 1296:
Remote Desktop Connection Broker Client failed while getting redirection packet from Connection Broker.
User : domain\Administrator
Error: Element not found.
Googling, I could see some posts related to these issues, mentioning checking the network connectivity between RDCB and the target server. I can definitely say it is fine and, as already mentioned, I can connect to the same server using the "connect to remote pc" tab.
Just FYI, I have this server as Amazon EC2 instance and the domain is configured as Amazon directory service. Can someone please help me at the earliest.. This is pretty urgent as my tasks are pending due to this issue..
Vysakh
Hi,
I have seen similar issues with the Essentials role installed; if it’s installed on the terminal server, please remove it.
Please also ensure the involved machines are fully patched and keep port 443 of the TS server open.
When external users connect to the Web Access page, are they able to see remote apps? If not, please check whether the user assignment setting is configured correctly for remote apps.
Are users able to open remote apps from internal network?
Here are some related links below for you:
RDWeb URL Access Works Successful but cannot open Apps Externally only Internally
https://social.technet.microsoft.com/Forums/en-US/144a0543-7a7c-4899-a674-0fd29dacab7a/rdweb-url-access-works-successful-but-cannot-open-apps-externally-only-internally?forum=winserverTS
RemoteApp Internet
https://social.technet.microsoft.com/Forums/windowsserver/en-US/70a819de-3338-4427-a1c3-e38ef99dd4b3/remoteapp-internet?forum=winserverTS
Configuring RD web access for public/external access
https://social.technet.microsoft.com/Forums/windowsserver/en-US/4396d3e9-2ac5-4d0b-baba-25471498a349/configuring-rd-web-access-for-publicexternal-access?forum=winserverTS
Best Regards,
Amy
Remote Desktop 2012 R2 - Can't get RD Gateway with RD Web Access working through just 443
I have one server (2012 r2 fully updated) running all remote desktop roles (RD Web Access, RD Gateway, RD Licensing, RD Connection Broker, RD Session Host) and a separate domain controller.
I have RD Web Access published to cloud.mydomain.co.uk and accessing cloud.mydomain.co.uk/RDWeb works fine.
I want to setup the environment so only port 443 is open from the outside (thus the RD Gateway is installed) and the user can login through RDWeb and click on an app to launch it.
If I leave port 3389 open along with 443 and log on to RDWeb and click the remote app, this works fine.
If I close 3389 on the external firewall and only leave open 443, I can connect AND login to RDWeb but I cannot open the connection
This is expected:
http://i.imgur.com/9j2HRqm.png
Error:
http://i.imgur.com/2LH2c7T.png
Digging in the event viewer yielded: http://i.imgur.com/M9uHm0o.png
Which led me to test change the following setting in the resource access policy, as a test:
http://i.imgur.com/FlGObFr.png
This still didn't work but yielded a different error in event viewer:
http://i.imgur.com/LkaCfU4.png
Now I suspect I have misconfigured something somewhere, in terms of the last event where it suggests it can't connect to resource "cloud.mydomain.co.uk"; I would have expected this to be the internal FQDN of my session host. Or I am hitting some sort of odd problem because I have all the roles on the same box.
Any assistance greatly appreciated. I'm keen to find the root cause behind this as I need to document this solution, so I don't want to invalidate it by messing around too much with settings.
Hi Gavin,
If you use RD Gateway then you only need to open TCP port 443 and UDP port 3391 and forward them to your RD Gateway server. You may have RD Web Access (uses TCP port 443) and RDG running on the same server.
When an external client launches a RemoteApp they will connect to your RD Gateway via TCP port 443 and UDP port 3391, then the RDG will connect to your internal RDSH servers using TCP port 3389 and UDP port 3389 on behalf of the external client. In this way the RDG will act as a middleman between your external users and your internal RDSH servers.
In Server Manager - Remote Desktop Services - Overview - Tasks - Deployment Properties you need to specify the external FQDN of your RD Gateway server. If you have RDWeb and RDG on the same server this would be the same FQDN that your users will use for RDWeb. For example, if your users use https://rds1.yourdomain.com/rdweb to connect to your RD Web Access site, then you would enter rds1.yourdomain.com for the RD Gateway name in deployment properties.
(Above one Quoted from this thread answered by TP).
In addition please see that you have properly configured the RD CAP and RD RAP policies under RD Gateway Manager and also properly configured certificates to match the server name.
Hope it helps!
Thanks.
Dharmesh Solanki
Remote Web Access (remote desktop gateway) issue with WHS2011
I have been using Remote Web Access on my Windows Home Server 2011 for several years with no problems. Over the past several weeks, though, I have been receiving an error when I try to connect to a computer through WHS's Remote Web Access:
"...the Remote Desktop Gateway is temporarily unavailable." Interestingly, when I try to connect from a Windows 8.1 computer, I just get a dialog box that says "Initiating connection," but the connection is never established. I cannot find any relevant errors in any of the event logs.
I have read numerous articles relating to WHS configuration and port forwarding, but these do not have any information that addresses my situation. I have ports 4125, 80, and 443 forwarded to my Home Server. As I said, everything has been working fine with this configuration until several weeks ago; I suspect it might have something to do with a .NET Framework 4.5 update that was recently installed (and that has now been uninstalled), but that is the only change I can think of.
Any help would be greatly appreciated! Thanks!
Hi,
You have commented that you are facing this issue after installing the .NET Framework, and that after uninstalling it you are still facing the same issue. Apart from installing .NET Framework 4.5, have you installed or changed anything else on your server?
Here you can check that the “Remote Gateway Service” is running. Please check and restart the service if it’s stopped. You can also check the two articles below for more detailed steps.
1. Can’t connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable error via SBS 2011
2. This computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable (Try to perform the steps as suggested for WHS 2011)
Hope it helps!
Thanks,
Dharmesh
RD Gateway and RD Web Access - better together or on different servers?
I am evaluating Remote Desktop Services with 2012 R2 and initially I had all the roles on one server for testing. I began thinking it would be a better setup to split the RD Gateway role and the RD Web Access role onto different servers for security purposes.
This way I could expose only the RD Gateway to the internet and the Web Access role would not be exposed. In all my reading and searching it seems that nearly every article I come upon has both RD Gateway and Web Access installed on the same system.
What is the ideal setup from a security standpoint: to have these two roles separate, or does it not matter? If it does not matter then I will set up one server with Gateway and Web Access, and I will then have other servers for licensing, broker, session host, and virtualization host once I move this into production.
If these roles are on the same system how do I know if the gateway role is doing anything? Is FQDN\rdweb the correct URL to use even when the gateway is implemented?
If they are separate how do I tell the gateway and web access servers to use each other?
Hi,
As far as I know, it’s fine to have RD Gateway and RD Web Access roles installed on the same server.
“Normally external users would log on to RD Web Access via tcp port 443, click on a RemoteApp and connect to RD Gateway via tcp 443/udp 3391, RDG connects them to RDCB on tcp 3389 which redirects them to a RDSH server, finally the RDG connects to the RDSH on tcp 3389/udp 3389.”
Quoted from TP in this post below:
RD Gateway and RD web issue
https://social.technet.microsoft.com/Forums/windowsserver/en-US/5ab40559-23f7-4ebc-b60d-87375cc55674/rd-gateway-and-rd-web-issue?forum=winserverTS
More links below for you:
RD Gateway deployment in a perimeter network & Firewall rules
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
Remote Desktop Gateway/Web Server Placement
https://social.technet.microsoft.com/forums/windowsserver/en-US/b2970cf5-a5b5-494c-88b7-cd6e01f84bb6/remote-desktop-gatewayweb-server-placement
Best Regards,
Amy
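As an added example (not from this thread, and not TP's or Amy's code), a PowerShell sanity check for the path quoted above and for the 443-only thread earlier on this page: it compares the gateway FQDN stored in the deployment properties with the name users type for RDWeb, lists the certificates bound to the RDS roles so the subject can be checked against that name, and tests TCP reachability along each hop of the client -> RDG -> RDCB -> RDSH chain. Host names are placeholders; Get-RDDeploymentGatewayConfiguration, Get-RDCertificate and Test-NetConnection are real cmdlets, but the property names read from the first two (GatewayMode, GatewayExternalFqdn, Role, Level, IssuedTo, ExpiresOn, Thumbprint) are assumed from the 2012 R2 RemoteDesktop module, and Test-NetConnection covers TCP only, so UDP 3391 to the gateway and UDP 3389 to the hosts still have to be checked at the firewall.

```powershell
# Added example, not from the thread: check the RD Gateway path described above.
# Run on the RD Gateway for the internal hops; run the 443 test from an external client.
$GatewayExternalFqdn = 'rds1.yourdomain.com'   # placeholder: the name users type for /RDWeb
$ConnectionBroker    = 'rdcb01.corp.example'   # placeholder: internal RD Connection Broker
$SessionHosts        = @('rdsh01.corp.example', 'rdsh02.corp.example')  # placeholders

# 1. Deployment properties: clients are told to use this gateway name, so it must be the
#    external FQDN and must match the name on the certificate clients validate.
Import-Module RemoteDesktop
$gw = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker
'Gateway mode: {0}; gateway FQDN in deployment properties: {1}' -f $gw.GatewayMode, $gw.GatewayExternalFqdn
if ($gw.GatewayMode -eq 'DoNotUse') {
    Write-Warning 'Deployment is not set to use an RD Gateway; external clients will try RDP 3389 directly.'
}
elseif ($gw.GatewayExternalFqdn -ne $GatewayExternalFqdn) {
    Write-Warning ("Deployment sends clients to '{0}' but users reach RDWeb at '{1}'." -f $gw.GatewayExternalFqdn, $GatewayExternalFqdn)
}

# 2. Certificates per role: IssuedTo must cover the FQDN clients use, and none may be expired.
Get-RDCertificate -ConnectionBroker $ConnectionBroker |
    Select-Object Role, Level, IssuedTo, ExpiresOn, Thumbprint |
    Format-Table -AutoSize

# 3. Reachability of each TCP hop in the quoted flow. UDP is not tested here.
function Test-Hop {
    param([string]$Target, [int]$Port, [string]$Purpose)
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $Target; Port = $Port; Open = $r.TcpTestSucceeded; Purpose = $Purpose }
}
$checks = @(
    Test-Hop $GatewayExternalFqdn 443  'client -> RD Web Access / RD Gateway (HTTPS)'
    Test-Hop $ConnectionBroker    3389 'gateway -> connection broker (RDP)'
)
foreach ($h in $SessionHosts) { $checks += Test-Hop $h 3389 'gateway -> session host (RDP)' }
$checks | Format-Table -AutoSize
```

If the 443 hop is open from outside but a session-host hop is closed from the gateway, the symptom is exactly the one in the 443-only thread: the user can sign in to RDWeb but the RemoteApp never connects. Only the gateway's own address should need 443 (and UDP 3391) exposed; 3389 to the hosts stays internal.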
Cannot Access IP Web Browser Configuration Page OfficeJet 8600 Plus
Win 7 64-bit
HP OfficeJet Pro 8600 Plus
Wireless Connection
Hi:
The printout of wireless network test page shows IP address for HP Officejet Pro 8600 Plus as: http://192.168.1.104 (The HP Home Network Diagnostic Utility v4.3.0.002 also shows: 192.168.1.104)
When I try to access http://192.168.1.104 with either IE 9 or Firefox 10 I get an error message: "The website is unable to display the webpage"
But, on the same computer I CAN access http://192.168.1.103 HP Officejet 6480 web browser configuration page with either IE 9 or Firefox 10
Why can't I access the web configuration page: http://192.168.1.104
Thanks
FYI: I set the router to various other network modes, channel widths, channels and ssid broadcast on/off, and also removed power from router and printer, reconnected power and restarted computer, all these efforts did NOT allow access to http://192.168.1.104
On the front of the printer: Setup > Network > Wireless Setup Wizard. Run it.
Next, on your PC, delete all instances of your printer in Control Panel > Devices and Printers.
Finally, re-add the printer this way:
1. Make sure the printer is turned on and connected to your network. Verify that you can access the printer's internal web page by browsing to its IP address before continuing. Get its IP from a Network Test printed from the front panel of the printer.
2. Click >> Start >> Control panel >> Devices & Printers.
3. Click the Add a printer
4. Select Local printer
5. Select Create a new port and select Standard TCP/IP Port and click Next button.
6. Under Device type, select TCP/IP Device. Under Hostname or IP address, enter the printer's IP address. Click Next.
7. Select Hewlett-Packard from the list of manufacturers and select your printer model. Click Next.
If your printer model was not listed, then select Have Disk, browse the HP CD that came with your printer and select the first file that starts with hp and ends with inf. Click Open then OK. Select your printer model. Click Next.
8. If you are asked, use the currently installed driver.
9. It will ask for the Printer name -- enter a new name or use the existing one. This will be the name of the printer that you select from other applications.
10. You may be asked to share the printer. Choose NO.
11. The Print Test Page box appears. Go ahead and print it.
12. Click Finish.
I am employed by HP
Outlook Web Access fails after migrating SSL certificate to dedicated SSL gateway
Hi, we have just migrated our SSL certificate from our Outlook Exchange server. Outlook Web Access works perfectly, but two of our users who have Blackberry devices set up to get their email via OWA now fail.
Everything worked fine before the migration.
The new SSL gateway is an Apache box running mod_proxy, mod_ssl and mod_sec, protecting the box running OWA and IIS6.
I can provide the http.conf etc, but I can see the traffic passed by Apache but I am getting a 401 message on the way back through to the device.
Is there a specific IIS/Exchange or Apache config I need to enable to allow BB access?
Thanks in advance
Mike
Hello there!
You may have run up against some of the complexities between BIS and OWA. There are a couple of circumstances where BIS can't integrate to OWA. Plus, if the mailbox name changed, that may be the problem as well. While I'm neither a BIS nor OWA admin, I can point you to information resources that hopefully can help you.
Try this article.
And this one.
And this one.
And this one.
You also can search the public KBs for more relevant articles:
http://www.blackberry.com/btsc/microsites/microsite.do
Good luck and let us know!
Occam's Razor nearly always applies when troubleshooting technology issues!
SSL VPN message "This (client) machine does not have the web access privilege."
Hello!
I am trying to configure the SSL VPN (WebVPN) and I am almost done, but when clicking on the URLs I configured in the bookmarks I get the message "This (client) machine does not have the web access privilege. Please contact your SSLVPN provider for assistance." I looked through the many tutorials and guides in existence and none talk about such an error and the fix for it. In fact, if I search the net for this error message I get only one match, on the Cisco website, where it says that "The client computer does not meet the security criteria of having web access functionality through the SSL VPN gateway." and as a fix it gives this tip: "Check the URL to the gateway or contact the administrator if it persists." So, nothing on the website about what this issue is and how to fix it. I will provide my IOS configuration and hopefully someone will spot the issue. Here it goes:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
enable secret 5 $1$1LLX$u7aTc8XfNqPZhPVGwEF/J0
enable password xxxxxxxx
aaa new-model
aaa authentication login userAuthen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
aaa session-id common
crypto pki trustpoint TP-self-signed-1279712955
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1279712955
revocation-check none
rsakeypair TP-self-signed-1279712955
crypto pki certificate chain TP-self-signed-1279712955
certificate self-signed 01
3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323739 37313239 3535301E 170D3130 30333233 31313030
33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32373937
31323935 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A8EF 34E3E792 36660498 9801F934 E8A41865 3599EA35 B073AC91 D7A53AF4
A4390D2F CB3DB2DE 936B28F0 A25F3CE1 6F40FD9E E79096F2 F89620E0 B31A7B34
649BBA22 AE44CB55 9F38BF0C 2F2770CF 8380C167 C17D760C 380E28E4 FF7D6874
9EFC310A 2AA60835 F1AA384F CD1A0173 19C98192 EBFBD531 24CB9203 EA9E7D54
B2C30203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
551D1104 06300482 02523130 1F060355 1D230418 30168014 0D9D62EC DA77EAF3
11ABF64D 933633F9 2BA362DC 301D0603 551D0E04 1604140D 9D62ECDA 77EAF311
ABF64D93 3633F92B A362DC30 0D06092A 864886F7 0D010104 05000381 81006853
48ED4E3E 5721C653 D9A2547C 36E4F0CB A6764B29 9AFFD30A 1B382C8C C6FDAA55
265BCF6C 51023F5D 4AF6E177 C76C4560 57DE5259 40DE4254 E79B3E13 ABD0A78D
7E0B623A 0F2D9C01 E72EF37D 5BAB72FF 65A176A1 E3709758 0229A66B 510F9AA2
495CBB4B 2CD721A7 D6F6EB43 65538BE6 B45550D7 A80A4504 E529D092 73CD
quit
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp pool myPOOL
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 87.216.1.65 87.216.1.66
ip cef
ip name-server 87.216.1.65
ip name-server 87.216.1.66
ip ddns update method mydyndnsupdate
HTTP
add http://username:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group pppoe
request-dialin
protocol pppoe
username cisco privilege 15 password 0 xxxxxxxx
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
crypto isakmp client configuration group vpnclient
key cisco123
domain selfip.net
pool ippool
acl 110
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map clientmap client authentication list userAuthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Loopback2
description SSL VPN Website IP address
ip address 10.10.10.1 255.255.255.0
interface Loopback1
description SSL DHCP Pool Gateway Address
ip address 192.168.250.1 255.255.255.0
interface FastEthernet0
description $ES_LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface BRI0
no ip address
encapsulation hdlc
shutdown
interface FastEthernet1
interface FastEthernet2
switchport access vlan 2
interface FastEthernet3
interface FastEthernet4
interface FastEthernet5
interface FastEthernet6
interface FastEthernet7
interface FastEthernet8
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
bundle-enable
dsl operating-mode auto
interface Vlan1
no ip address
interface Dialer1
ip ddns update hostname myserver.selfip.net
ip ddns update mydyndnsupdate host members.dyndns.org
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip policy route-map VPN-Client
dialer pool 1
ppp chap hostname xxx
ppp chap password 0 xxxx
ppp pap sent-username xxx password 0 xxxx
crypto map clientmap
ip local pool ippool 192.168.50.100 192.168.50.200
ip local pool sslvpnpool 192.168.250.2 192.168.250.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.0.2 21 interface Dialer1 790
ip nat inside source static tcp 192.168.0.15 21 interface Dialer1 789
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.1 443 interface Dialer1 443
ip nat inside source static tcp 10.10.10.1 80 interface Dialer1 80
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 144 permit ip 192.168.50.0 0.0.0.255 any
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
control-plane
banner motd ^C
================================================================
UNAUTHORISED ACCESS IS PROHIBITED!!!
=================================================================
^C
line con 0
line aux 0
line vty 0 4
password mypassword
transport input telnet ssh
webvpn gateway MyGateway
ip address 10.10.10.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-1279712955
inservice
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context SecureMeContext
title "My SSL VPN Service"
secondary-color #C0C0C0
title-color #808080
ssl authenticate verify all
url-list "MyServers"
heading "My Intranet"
url-text "Cisco" url-value "http://192.168.0.2"
url-text "NetGear" url-value "http://192.168.0.3"
login-message "Welcome to My VPN"
policy group MyDefaultPolicy
url-list "MyServers"
functions svc-enabled
svc address-pool "sslvpnpool"
svc keep-client-installed
default-group-policy MyDefaultPolicy
aaa authentication list userAuthen
gateway MyGateway domain testvpn
max-users 100
csd enable
inservice
end
Thank you!
Hi,
Please check SAP note:
2004579 - You cannot create a FR company from a Package
Thanks & Regards,
Nagarajan
Cisco ASA 5505 - Basic Web Access
Hello all,
Not posted here in a while but thought you guys might be able to help me out with a little problem. Okay, I have a Cisco ASA5505 running the latest asdm and ios...
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206
I am trying to get basic web resolution and access but not having any luck. I just wanted to know if there is anything special that I needed to do with the ASA before I can do this. I've made a quick visio diagram of the network, see below:
Diagram: http://imageshack.us/photo/my-images/4/diag.png/
The Vigor has a local subnet of 192.168.0.x/24 however there is also a "For routing use only" option. See below:
Screenshot: http://imageshack.us/photo/my-images/717/diag2.png/
I'm hopeful that by configuring the "For routing use ip address" as one of my allocation of public ip's, that it should work okay. I can actually ping by IP and name from the interface of the ASA but can't do that or browse to websites from clients which have their default gateway set to 192.168.0.252.
I was under the assumption web browsing should work out of the box almost as it's treated as an outgoing connection. Here is my config for you to look at:
(note, I've tried to set the route outside to the local ip of the draytek and also the "For routing usage only" IP address)
ASA Version 8.4(2)
hostname gilwoodasa
domain-name gilwood.local
enable password 9PvFytIZ2Vpy8Gon encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.252 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 82.70.231.xx 255.255.255.248
interface Vlan5
no nameif
security-level 50
ip address dhcp
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 192.168.0.3
domain-name xxxxxxxxx
object-group network obj_any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 82.70.231.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4c06870d7d65d349cb63bd8044d61b35
: end
So, if you're still reading this - all I am after is a way to get basic web browsing working. Here are the logs which show the attempted web access...
http://imageshack.us/photo/my-images/338/logsi.png/
Big thank you in advance!
Hey, thanks for the reply. I have tried the suggestion but to no avail. I can ping google from the outside interface but can't ping it from anything on the inside. This does tend to point towards a NAT issue. Hopefully someone has another suggestion?
Here are the results from the ASA console when trying to ping from both the inside and outside interface. The successful ones are from the outside.
http://imageshack.us/photo/my-images/209/pingbf.png/
Thanks again! Complete config now is as follows:
ASA Version 8.4(2)
hostname xxxxx
domain-name xxxx
enable password 9PvFytIZ2Vpy8Gon encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.252 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 82.70.231.xx 255.255.255.248
interface Vlan5
no nameif
security-level 50
ip address dhcp
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 192.168.0.3
domain-name gilwood.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 82.70.231.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5caa6e14d9c76e0858b055316071710f
: end
-
How do I change the URL to the Remote Web Access server in Windows Server 2012?
Hello!
I have set up a Remote Desktop Service using the "Quick" deployment method in Server Manager and everything is working great internally, but I cannot start an app published in Remote Web Access from outside our network.
The problem is that it wants to start using the internal URL, for example server.domain.local, instead of the external one, for example remote.server.com.
I therefore want to know how I can change the default URL for the Remote Web Access server and all the Remote Web Apps in Windows Server 2012.
I have already looked in Server Manager and I can change some of the deployment settings there, but there is no way to alter the URL of the Remote Web Access server. See below images:
Pressing the internal URL only results in opening the internal URL.
This was very simple to do in Windows Server 2008 R2 using the tsconfig tool, but there does not seem to be any way of solving this in Server Manager.
A possible solution would be to alter the registry somewhere in HKLM->Software->Microsoft->Windows NT->Terminal Services. But this can easily lead to problems due to wrong format, etc. and is probably not supported.
Is there a simpler and supported way?
That option can be used to connect to any machine that you want. The error message indicates that the client machine cannot resolve the name "server.domain.local" to an IP address that it can connect to.
You have several options for configuring that tab on the RDweb site. You can even remove it entirely.
Customization of RD Web Site
RD Web provides a number of customization options for the RD Web interface, including the ability to control default Gateway server settings and redirection settings. These settings are controlled by editing the web.config file located in %SYSTEMROOT%\Web\RDWeb\Pages.
Displaying Local Help
To display local help for users instead of the web-based help, edit the LocalHelp value and change the value from false to true.
<!-- LocalHelp: Displays local help for users, instead of the web-based help. Value must be "true" or "false" -->
<add key="LocalHelp" value="false" />
When this value is changed, a user that clicks on Help in the upper right corner of the RD Web login page will open the local help file instead of web-based help.
Hiding the Connect to a Remote PC Tab
The RDWeb page Connect to a Remote PC tab can be hidden from users to prevent connections to any servers through RD Web other than the servers configured in a collection. By default, this setting is set to true and the Remote Desktops tab is displayed. To hide the tab, set the value to false.
<!-- ShowDesktops: Displays or hides the Remote Desktops tab. Value must be "true" or "false" -->
<add key="ShowDesktops" value="true" />
When the value is set to false, a user will not see the Connect to a Remote PC tab when logged on to the RD Web page.
RD Gateway Settings
If the Connect to a Remote PC tab is enabled, an administrator can configure RD Web to use a Gateway server when connecting to remote computers. To specify a gateway, edit the below value with the name of the RD Gateway server:
<!-- DefaultTSGateway: Admin can preset this to a given Gateway name, or set to "" for no gateway. -->
<add key="DefaultTSGateway" value="" />
The default authentication method for the RD Gateway server can also be configured by editing the following section of the web.config:
<!-- GatewayCredentialsSource: TS Gateway Authentication Type.
Admins can preset this.
0 = User Password
1 = Smartcard
4 = "Ask me later"
-->
<add key="GatewayCredentialsSource" value="0" />
Devices and Resources
By default, only Printers and Clipboard are redirected on connections made using the Connect to a Remote PC tab. If the user clicks the Options << button, the redirection settings for a specific connection can be modified.
To configure each specified redirection option to be enabled or disabled by default, edit the following section in the web.config file:
<!-- Devices and resources: Preset the Checkbox values to either true or false -->
<add key="xPrinterRedirection" value="true" />
<add key="xClipboard" value="true" />
<add key="xDriveRedirection" value="false" />
<add key="xPnPRedirection" value="false" />
<add key="xPortRedirection" value="false" />
LAN Experience Defaults
Windows Server 2012 RD Web Access can display a new user selectable option for optimizing the connection for a LAN experience. This option is displayed at the bottom of the RD Web page and can be controlled by the administrator using the following section of the web.config file:
<!-- Checkbox to opt for optimized LAN experience -->
<add key="ShowOptimizeExperience" value="false" />
<add key="OptimizeExperienceState" value="false" />
This value is set to false by default, but when changed to true, the following checkbox will display at the bottom of the webpage. The LAN experience checkbox can also be set as enabled by default.
Each setting can also be modified using the IIS Manager user interface:
Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging -
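The web.config keys listed in the answer above are the ones an administrator would audit when locking down RD Web Access (hiding the free-form Connect to a Remote PC tab, pinning the gateway name, keeping drive and port redirection off). The following PowerShell is an added example, not code from the answer or from Microsoft; the web.config path follows the answer, while the gateway hostname and the baseline values are assumptions chosen for illustration.

```powershell
# Added example (not from the answer above or from Microsoft): audit the
# RD Web Access web.config appSettings against a baseline and optionally
# apply it. Allowed values are taken from the comments inside web.config.
function Test-RdWebConfig {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'Web\RDWeb\Pages\web.config'),
        [hashtable]$Desired,
        [switch]$Apply
    )
    $allowed = @{ 'GatewayCredentialsSource' = @('0', '1', '4') }
    foreach ($k in 'ShowDesktops','LocalHelp','ShowOptimizeExperience',
                   'OptimizeExperienceState','xPrinterRedirection','xClipboard',
                   'xDriveRedirection','xPnPRedirection','xPortRedirection') {
        $allowed[$k] = @('true', 'false')
    }

    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $appSettings = $xml.configuration.appSettings
    if (-not $appSettings) { throw "No <appSettings> section found in $Path" }

    $drift = @()
    foreach ($key in $Desired.Keys) {
        $want = [string]$Desired[$key]
        # Reject values the page would not accept before touching the file.
        if ($allowed.ContainsKey($key) -and ($allowed[$key] -notcontains $want)) {
            throw "Value '$want' is not valid for $key (allowed: $($allowed[$key] -join ', '))"
        }
        $node = @($appSettings.add) | Where-Object { $_.key -eq $key }
        if (-not $node) { Write-Warning "Key '$key' not present in $Path; skipping"; continue }
        if ($node.value -ne $want) {
            $drift += [pscustomobject]@{ Key = $key; Current = $node.value; Desired = $want }
            if ($Apply) { $node.value = $want }
        }
    }

    if ($Apply -and $drift.Count -gt 0) {
        # Keep a timestamped copy so a bad edit can be rolled back.
        $backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
        Copy-Item -LiteralPath $Path -Destination $backup
        $xml.Save($Path)
        Write-Verbose "Applied $($drift.Count) change(s); backup at $backup"
    }
    return $drift
}

# Assumed baseline: hide the Connect to a Remote PC tab so users only reach
# collection-published resources, pin the gateway name (hostname is a
# placeholder), and keep drive, PnP and COM-port redirection off by default.
$baseline = @{
    'ShowDesktops'             = 'false'
    'DefaultTSGateway'         = 'rdgw.example.com'
    'GatewayCredentialsSource' = '0'
    'xDriveRedirection'        = 'false'
    'xPnPRedirection'          = 'false'
    'xPortRedirection'         = 'false'
}

# Dry run: lists keys whose current value differs from the baseline.
Test-RdWebConfig -Desired $baseline | Format-Table -AutoSize
```

Run it without -Apply first to see the drift; saving web.config recycles the RDWeb application, so apply changes in a maintenance window.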
RD Web access SSO - remote desktop doesn't work
Hi,
This is my first post in here, and I hope you guys can help me out.
I am currently experiencing some issues with RD Web SSO not working as I would like it to work. I have found countless articles and guides describing how to get it to work, but no guide has yet helped me.
The problem is that when I log in on the web access and open a published application everything works fine: I wait 5 sec and the application pops up, but when I try to open "Remote Desktop" then I get a new log in box where I must enter my log in credentials again (after entering my credentials everything works great).
The problems I am currently facing is produced in a demo environment configured as follows:
1x DC server (DC01) also the lic server
2x RDS server (RDS01/02)
1x RDS Connection broker (RDCM01) I have created a farm named "farm01.mydomain.com"
1x RDS Web access server (RDWA01)
1x RDS Gateway (RDSGW01)
(All the Servers are installed with Windows server 2008 (R2) SP1, and have the latest update.)
I am publishing my demo environment on the internet. I have created a domain name for my gateway and my web access and they are both accessible from the web (rdwa.mydomain.com and rdsgw.mydomain.com). I also have secured everything with an SSL wildcard certificate (my external and internal domain names are the same so I am using one SSL certificate) that is trusted on the web.
When I log in on the web access server through (IE9 or IE8) from another network (WAN) and I open a published application (calculator), it pops up in just a few seconds. But when I try to open my Remote Desktop I get a login box where I must enter my username and password one more time. After that Remote Desktop opens and everything works great.
My laptop is a Windows 7 professional with RDP 7 and IE 9, and is not member of a domain (just a workstation), I have tested it from multiple workstations and networks(Also win 7 and RDP7) but even there I have the same problem.
Things that I have tried till now:
I have created a kerberos account as mentioned on
MSDN
I have checked my group permissions as mentioned
here
And many more blogs and forums
I have tried multiple settings on RDCM, RDWA, RDSGW and RDS server
Right now I am out of ideas, and I hope you guys can help me out.
thanks in advance,
Pouyan
Thanks for your advice,
Did you go into your RemoteApp Deployment settings and change the server name to the farm name "farm01.mydomain.com?"
Yes
Also in the Session Broker's RemoteApp and Desktop Connection Properties window change the Connection ID to the farm name as well.
actually I couldn't find out what to put on the connection ID so I had left it just default, but after changing it to the farm name it still doesn't work
Did you sign you apps with the cert used on your RDS servers?
yes, I am using a wildcard ssl certificate to sign all the servers/apps with.
There is something that strikes me: when I log on the web access and click on a published application (that is hosted from the same RDS servers) then I get an information box. When I click on the "details" button I see at the bottom "use the following credentials to connect" and my domain and username are published there. But when I click on the "Remote desktop" icon and do the same I can't see this information!!
Also I don't think that it's an SSL problem, because after logging in again it works perfectly without any warning. -
RD Web Access SSO not working correctly
I have two Win 2008 R2 SP1 servers. Both are RD Session Host servers. One of them is also serving as an RD Gateway server AND RD Web Access server. Most everything is working well and as planned. However, I am having an issue with the RD Web Access.
In the RD Web Access server configuration page, I've set "One or more RemoteApp sources" and I've added two servers there, separated by a semicolon (e.g. RDServer1;RDServer2), and as expected a long list of RemoteApps hosted on both servers is shown. The issue is that whatever server is listed second (e.g. RDServer2) won't allow SSO to work right: when I click a link for a RemoteApp hosted on RDServer1 I am not prompted again for login credentials. However, when clicking a link for a RemoteApp hosted on RDServer2 I am prompted "Enter Your Credentials". I've tried swapping the order of the "Source Name" servers, and after a reboot indeed links to the RemoteApps hosted on that second server now prompt for me to "Enter your credentials".
Things I've tried:
1. Trying various server name formats (IP address, NetBIOS name, FQDN, and more) to no apparent effect.
2. Applied the hotfix from KB2524668 to both servers.
3. Flushed the IE caches for the client machines.
4. Tried various AD login accounts
5. Ensuring that the RD Web Access server is added to the local group "TS Web Access Computers" on both servers.
This is one step that I'm not 100% sure of -- it is clear to me that the RD Session host server that doesn't contain RD Web access should be there, but I'm not totally clear as to whether the dual-duty RD Web server/RD Session host should have this setting.
I've tried it both ways, but it doesn't seem to make a difference.
I'm stumped.
Kevin,
That's it! I have a separate SSL cert for each RD Session Host, and used the corresponding certs to sign RemoteApps for each. I still don't see this requirement in the documentation (although they do mention exporting self-signed certs, but that is due to the fact that they are self-signed and not automatically trusted by client machines), but maybe I'm just blind.
Regardless, the fix to my problem was to export the cert from my RDServer1, import it to RDServer2, then set RDServer2 to use that cert to sign the RemoteApp connections.
Thanks for your assistance, I was really stuck.
Chris -
Windows 2008 R2 + Remote Desktop Web Access + Single Sign-On + 2 servers
Hi
First, sorry for my English. I have a problem running SSO with RDWeb. I configured everything following these instructions: http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx and http://blogs.technet.com/b/mrsnrub/archive/2010/03/22/remote-desktop-services-websso.aspx. After logon to the RDWeb web page I click an application icon. Then I see a dialog box for credentials, so SSO is not working.
I have got 2 servers with Windows Server 2008 R2 Standard:
Server OL-AP1 with role Remote Desktop Session Host (RDSH) and certificate for digital sign RemoteApps
Server OL-AP04 with ONLY Remote Desktop Web Access (RD Web) with certificate for https
Client PC: Windows 7 SP1 with the certificate for OL-AP01 installed, which I used for digitally signing RemoteApps
All certificates created by enterprise domain CA - Active Directory Certificate Services (AD CS)
Hi,
Thank you for posting in Windows Server Forum.
Do you have RD Gateway setup in your environment?
Have you configured RD Connection Broker and set the Fully Qualified Domain Name (FQDN) of the RD Connection Broker server, in the case of RD Connection Broker mode? In RD Session mode, it is set to the FQDN of the RD Web Access server.
Client operating systems must trust the certificate with which the RemoteApp programs are signed. I suggest installing RDP 8.1 on the client OS.
Do you have a trusted certificate with a matching name configured on your RDSH server in RD Session Host Configuration? (Means cert must match the name that clients use to connect to it for running the RemoteApp).
Hope it helps!
Thanks.
Dharmesh Solanki -
Web Access for Remote Desktop on Windows Server 2012
Hello,
I've a Windows Server 2012 without a domain. So I installed the Remote Desktop Session Host, the Remote Desktop license server and the Remote Desktop Gateway as a server role only. All is working fine. Without a domain, no management tools for Remote Desktop are available. So I configure the Remote Desktop via the registry. I define (via registry) some RemoteApps, too. All values are copied from a running Windows Server 2008 R2. So the RemoteApps are running.
Now I want to use the new Microsoft Remote Desktop client for Android. To use a RemoteApp I must define a remote resource. To define a remote resource I need a URL to the Web Access for Remote Desktop. So I installed the Web Access. But if I log in to the Web Access, I don't see any RemoteApp. What's wrong? I've set ShowInTSWA to 1. What must I do to access an existing RemoteApp via Web Access?
Martin
Hi Martin,
Server 2012 RD Web Access is designed to retrieve published RemoteApps and Desktops from a Server 2012 RD Connection Broker and/or a Server 2008 R2 RD Session Host server. From your description it doesn't appear that you are using either of the above.
I know it is a more complicated set up, but you should consider having a domain, creating a RDS deployment, etc., so that you can use the full featureset as it was intended. You can do it all on a single server if needed. For Server 2012
there is a hotfix that needs to be applied to permit RD Connection Broker to work on the same server instance as active directory.
-TP