RDS gateway deployment options with no DMZ

Hello
I have set up an RDS server that is running nicely and I now need to deploy it externally. I have read through the deployment guides, which state that you should deploy the gateway in a DMZ. My problem is that I do not have a DMZ, and my firewall does not have a DMZ port or an option to assign different IPs to different internal interfaces. What would be the best deployment option if no DMZ is available?

Hi,
Thank you for posting in Windows Server Forum.
I agree with Guna's comment: you can set up RD Gateway for accessing the server externally. For that you can refer to the following links to set up RD Gateway.
1. How To Work with RD Gateway in Windows Server 2012
2. Deploying Remote Desktop Gateway RDS 2012
Hope it helps!
Thanks.
Dharmesh Solanki

Similar Messages

  • Just FYI, new blog post "Deploy Border Gateway Protocol (BGP) with the RRAS Multitenant Gateway"

    This is just FYI about the new blog post for Windows Server 2012 R2, "Deploy Border Gateway Protocol (BGP) with the RRAS Multitenant Gateway," at
    http://bit.ly/OfDkty
    James McIllece

    Hi,
    Thanks for sharing and it would be greatly helpful to anyone who has requirements for that.
    Best regards,
    Susie

  • RDS 2012 Deployment guide

    Hi,
    I'm looking for an RDS 2012 Deployment Guide or best practices document but not finding it. Basically I'm looking for the equivalent of the document below, but for Server 2012 R2 instead of 2008 R2:
    <won't let me add link to body yet>
    We are planning a new RDS implementation and want to make sure we get the environment and resources right from the beginning. Initially I'm mainly curious about the recommendations on how many servers are needed, which roles can be combined on single servers and which need to be broken out onto their own boxes. For example, is it best to have the RD Gateway and the RD Web Access roles on their own individual servers, or should/can they be combined onto one box in the DMZ? If separate, can one of them also double as the connection broker? That sort of thing.
    Any help is appreciated. Thanks

    Hi Col,
    Have a look at the following articles:
    http://ryanmangansitblog.com/2013/09/27/rds-2012-deployment-and-configuration-guides/
    I would recommend that you look at splitting the roles in a large environment, or use a layer 7 load balancer so you can scale up the number of Gateway/RDWeb servers if your connections grow.
    I would advise against configuring the connection broker on a server which has a connection to the public interface (web and remote access via gateway). I would advise against exceeding 400 connections per RD Gateway server.
    An example configuration:
    Server 1: connection broker and Licensing role
    Server 2: Session host
    Server 3: RDWeb and RD Gateway
    This may help you with regards to capacity planning:
    http://ryanmangansitblog.com/2014/06/24/capacity-planning-for-a-rds-2012-pooled-2000-seat-vdi-collection/
    Ryan Mangan | Ryanmangansitblog.wordpress.com | Help keep the forums tidy, if this has helped please mark it as an answer

  • RDS Gateway Best practices Dual-Homed?

    Good Day,
    I am wondering what is a typical amount of time others see when end users launch a RemoteApp session that goes through the RDS Gateway.
    Our two RDS Gateway servers (the entire environment is W2k12R2) seem slow to me. They are both dual-homed, with a NIC on the DMZ and the internal side of the network. Maybe I would be better off disabling the internal NICs and reconfiguring the firewall rules so that everything routes through the DMZ NIC?
    Steve J.

    Hi Steve,
    Thank you for posting in Windows Server Forum.
    Best practice for any server depends on your environment scenario, as you need to decide whether to place the gateway in the DMZ or allow 443 to be opened to the internal network. Placing the RDS Gateway in the DMZ is more secure; you can find more information in the article below.
    RD Gateway deployment in a perimeter network & Firewall rules
    http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
    For more detail and to understand RD Gateway, refer to this article.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
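The opening question (no DMZ available) and this reply (443 opened to the internal network) both come down to a gateway host that is directly reachable from the Internet while sitting on the LAN. The following is an added example, not code from the thread, of the host-firewall baseline a defender would put on such a gateway: default-deny inbound, only 443/TCP exposed, management ports reachable from an assumed admin subnet only, then an audit of what is actually open. It assumes Windows Server 2012 R2 or later (NetSecurity module) and that `$MgmtSubnet` is replaced with your own value.

```powershell
# Added example (not from the thread): host-firewall baseline for an RD Gateway that sits on
# the internal LAN because no DMZ exists. Assumes Windows Server 2012 R2+ (NetSecurity module).
$MgmtSubnet = '10.0.10.0/24'   # assumed management subnet, change to yours

# Default-deny inbound on every profile so only the explicit rules below are reachable.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Allow

# The built-in "Remote Desktop" group allows 3389 from anywhere; a gateway exposed to the
# Internet must not keep that, so disable the group and re-allow 3389 from the admin subnet only.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# The only service the Internet needs on this host: RD Gateway over HTTPS.
New-NetFirewallRule -DisplayName 'RDG inbound HTTPS 443' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow -Profile Any

# Management protocols come from the admin subnet, never from the Internet-facing side.
New-NetFirewallRule -DisplayName 'RDG mgmt RDP from admin subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtSubnet -Action Allow
New-NetFirewallRule -DisplayName 'RDG mgmt WinRM from admin subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 5985,5986 -RemoteAddress $MgmtSubnet -Action Allow

# Audit: list every enabled inbound allow rule with its ports and permitted sources, so anything
# still open to "Any" besides 443 stands out before the perimeter firewall forwards traffic here.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Protocol   = $port.Protocol
        LocalPort  = ($port.LocalPort -join ',')
        RemoteAddr = ($addr.RemoteAddress -join ',')
    }
} | Sort-Object LocalPort | Format-Table -AutoSize
```

The host firewall does not change what the gateway itself can reach on the LAN once a user is authenticated; that is governed by the RD RAP network resource setting discussed further down in this page.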

  • RDS Gateway 2012, RemoteApp Displays "A Revocation check could not be performed for the Certificate" via RDWEB

    I have searched through the forums and there are a number of posts that are similar but all the checks they list seem to not apply to this one.
    My current setup is as follows
    All Servers are 2012 R2
    1 x DC server
    1 x RDS Gateway server with RDS Web installed
    1 x Session Host Server
    Certificate supplied by GoDaddy with 5 names (included is the name of the RDS Gateway/Web server in the certificate; the internal name of the session host server is not included, as the internal names are different to the external).
    My tests are as follows
    Navigating to the RDSWEB page from a machine inside the same network (windows 7 sp1) but not on the same domain is fine no errors and logging in and launching any published application is fine with no errors.
    However, logging in on another machine that is external to the network (Windows 7 SP1) is OK up to the point of launching any of the published apps, where I get the error "A Revocation check could not be performed for the Certificate". This prompts twice but does allow you to continue and log in and use the app until the next time. If I view the certificate from the warning message, all appears to be OK with all certs in the chain.
    I have imported the root and intermediate certs to each of the gateway/RDWeb server and session host server into the computer cert store just to be on the safe side. This has not helped. I have also run the following command from both Windows 7 machines, with no errors on either:
    certutil -f -urlfetch -verify c:\export.cer
    I can't seem to see where this is failing and I am beginning to think there is something wrong with the GoDaddy cert itself somehow.
    If I skip rdsweb and just use MSTSC with the gateway server settings then I can login to any machine on the network with no errors so this is only related to launching published apps on the 2012 R2 RDWEB or session host servers.
    Any help appreciated

    Hi,
    1. Please make sure the client PCs have mstsc.exe (6.3.9600) installed.
    2. If you are seeing a name mismatch error, you can set the published name via this cmdlet:
    Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
    http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
    To be clear, the above cmdlet changes the name that shows up next to Remote computer on the prompt you see when launching a RemoteApp. You should have a DNS A record on your internal network pointing to the private IP address of your RDCB server.
    Additionally, in RD Gateway Manager, Properties of your RD RAP, Network Resource tab, you should select Allow users to connect to any network resource or if you choose to use RD Gateway Managed group you will need to add all of the appropriate names to the
    group.
    For example, when launching a RemoteApp you would see something like Remote computer: rdcb.domain.com and Gateway server: gateway.domain.com .  Both of these names need to be on your GoDaddy certificate.
    Please verify the above and reply back so that we may assist you further if needed.  It is possible you have an issue with the revocation check but I would like you to make sure that the above is in place first.
    Thanks.
    -TP
    Thanks for the response.
    To be clear, I am only seeing a name mismatch and revocation error if I assign a self-signed cert to the session host, as advised earlier in the thread by "Dharmesh Solanki"; if I remove this and assign the third-party certificate I then just get the revocation error. I have already run the PowerShell to change the FQDNs but this has not resolved the issue, although the RDP connection details now match the external URL for RDWeb when looking at one of the RemoteApp files. The workspace ID still shows an internal name, though, inside this same file.
    RD Gateway is already set to connect to any resource; when connecting using RemoteApp both names (RDCB/RD Gateway) show as being correct and are contained within the same UCC certificate. I also already have a DNS entry for the connection broker pointing to the internal IP.
    Do you know if I need the internal name of the session host servers contained within the same UCC certificate, seeing as they are different FQDNs than what I am using for external access? I re-signed the UCC certificate and included the internal name of the session host server to see if this would help, but for some reason I am still seeing the revocation error. I will check on a Windows 8 client PC this evening to see if this gets any further, as the majority of the testing has been done on Windows 7 SP1 client PCs.
    Thanks
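The thread above never pins down which chain element's revocation check fails, and `certutil -urlfetch -verify` ran clean while the RDP client still complained. The following added diagnostic (not code from the thread or from TP) reproduces what the client does on the external Windows 7 machine: it builds the chain for `c:\export.cer` (the file from the thread) with online revocation checking for the entire chain, reports each chain status, prints the CRL URL of every element so an unreachable CDP host is visible, and finally checks that the two names shown in the RemoteApp prompt are in the certificate's SAN. The two hostnames are assumed placeholders taken from TP's example.

```powershell
# Added example (not from the thread): reproduce the RDP client's revocation check and SAN check
# on the external client. Assumed: the exported cert path from the thread and two placeholder names.
$CertPath      = 'C:\export.cer'
$ExpectedNames = @('gateway.domain.com', 'rdcb.domain.com')   # placeholders, use your real names

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Build the chain the way the client does: every certificate checked online via CRL/OCSP.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode       = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag       = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)
$ok = $chain.Build($cert)

"Chain valid with online revocation: $ok"
foreach ($s in $chain.ChainStatus) {
    # RevocationStatusUnknown / OfflineRevocation are what the client shows as
    # "a revocation check could not be performed": a CRL/OCSP URL in the chain was unreachable.
    "  {0,-26} {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# 2. Show the CRL distribution point (OID 2.5.29.31) of every chain element, so the host that
#    the client cannot reach (proxy, egress filtering, split DNS) can be identified and fixed.
foreach ($el in $chain.ChainElements) {
    $cdp = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        $urls = [regex]::Matches($cdp.Format($true), 'http[^\s\r\n]+') | ForEach-Object { $_.Value }
        "  {0}`n    CRL: {1}" -f $el.Certificate.Subject, ($urls -join ', ')
    }
}

# 3. Both names in the RemoteApp prompt (Remote computer / Gateway server) must be SAN entries
#    (OID 2.5.29.17); otherwise the warning is a name mismatch, not a revocation problem.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($san) {
    $dnsNames = [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
}
foreach ($n in $ExpectedNames) {
    $present = $dnsNames -contains $n
    "  SAN contains {0,-24} : {1}" -f $n, $(if ($present) { 'yes' } else { 'NO - name mismatch' })
}
```

Run it in the user's own session on the external client, because the RDP client fetches CRLs with that user's proxy settings, which can differ from the ones certutil used in an elevated prompt.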

  • Remote App and Desktop RDP client never succeed to logon the RDS gateway server running Windows 2012R2

    1. Client Os : Windows 7 Pro
    2. Server OS: Windows Server 2012R2 with RDS broker and RDS Gateway server, with a third-party certificate with friendly name sky.mti-itservice.no activated.
    The main problem is the following: the RDP logon session never ends.
    Any ideas ?
    Regards
    Kenneth Knudsen
    Email : [email protected]
    mvh Kenneth Knudsen MCSE 2003 HP ASE

    Hi Kenneth,
    For your case, I suggest you configure an RDP session time limit so that your users can be disconnected or logged off once the specific time limit is reached.
    You can set up the session time limit in different ways.
    1. Open Server Manager and select Remote Desktop Services.
    2. In Remote Desktop Services, on the right side you can drop down to Collections.
    3. Select the collection for which you want to edit the settings.
    4. Under collection Properties, select Tasks and then Edit Properties.
    5. In the Properties dialog box, select Session.
    6. You can find all the timeout settings under the session collection properties; edit according to your requirements and then click OK.
    Alternatively, use the Group Policy settings below.
    Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits 
    User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits 
    -  Set time limit for disconnected sessions
    -  Set time limit for active but idle Remote Desktop Services sessions
    -  Set time limit for active Remote Desktop Services sessions
    -  End session when time limits are reached
    Please check which setting is suitable for your environment and apply it to your case.
    [Forum FAQ] Restrict number of Active Sessions in RDS 2012 and 2012 R2
    https://social.technet.microsoft.com/Forums/en-US/00c2252b-8ec0-489f-8da2-07a434a9b5a2/forum-faq-restrict-number-of-active-sessions-in-rds-2012-and-2012-r2?forum=winserverTS
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
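The six GUI steps above (and the equivalent Group Policy settings) can also be applied from the connection broker with the RemoteDesktop module. The following is an added example, not code from the reply, that reads the current limits, sets all three timeouts plus the broken-connection action, and reads them back; the collection name, broker FQDN and minute values are assumed placeholders.

```powershell
# Added example (not from the thread): set the same session time limits as the GUI steps
# with the RemoteDesktop module. Collection name, broker FQDN and minute values are assumed.
$Collection = 'MyCollection'        # assumed collection name
$Broker     = 'rdcb.domain.local'   # assumed connection broker FQDN

Import-Module RemoteDesktop

function Show-SessionLimits {
    # 0 in any of these fields means "never", which is what leaves a session open indefinitely.
    Get-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker -Connection |
        Select-Object DisconnectedSessionLimitMin, IdleSessionLimitMin, ActiveSessionLimitMin, BrokenConnectionAction |
        Format-List
}

"Before:"
Show-SessionLimits

# Disconnected sessions end after 60 min, idle sessions after 120 min, active sessions are
# capped at 8 h, and a dropped network connection disconnects (reconnectable) rather than logs off.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -DisconnectedSessionLimitMin 60 `
    -IdleSessionLimitMin 120 `
    -ActiveSessionLimitMin 480 `
    -BrokenConnectionAction Disconnect

"After:"
Show-SessionLimits
```

These values apply to the session collection; the Group Policy paths in the reply above override them when a GPO targets the session hosts, so check `gpresult /h` on a host if the readback does not match what users experience.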

  • RDS Gateway + Smart Card Error [ The specified user name does not exist.]

    I have the following Windows Server 2008 R2 servers:
    addsdc.contoso.com, AD DS Domain Controller for contoso.com
    adcsca.contoso.com, AD CS Enterprise CA, CDPs/AIAs published externally.
    fileserver.contoso.com, RDS Session Host for Administration enabled
    rdsgateway.contoso.com, RDS Gateway enabled
    tmgserver.contoso.com, 'Publishing' rdsgateway.contoso.com but with pass-through authentication
    And the following Windows 7 PCs:
    internalclient.contoso.com
    externalclient.fabrikam.com
    There's no trust between the domains, the external client is completely separate on the internet but the CA certificate for contoso.com has been installed in the trusted Root CA store. All servers have certificates for secure RDP.
    I enrolled for a custom 'Smart Card Authentication' certificate with Client Authentication and Smart Card Logon EKUs from the CA, stored on my new Gemalto smart card using the Microsoft Base Smart Card CSP.
    From internalclient.contoso.com, I can RDP to fileserver.contoso.com
    using the smart card just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
    via rdsgateway.contoso.com using a username and password just fine with no certificate errors.
    From externalclient.fabrikam.com, I can RDP to fileserver.contoso.com
    via rdsgateway.contoso.com using the smart card to authenticate to the gateway, and a username and password to authenticate to the end server, just fine.
    BUT from when using a smart card to authenticate to the end server via the gateway, it fails with:
         The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support. 
    When I move the client into the internal network and try the connection again (still via the RDS Gateway), it works fine - the only thing I can think of is being outside the network and not being able to contact the AD DS DC for Kerberos is causing the issue
    - but I'm pretty sure this is a supported scenario?
    The smart card works fine internally, the subject of the certificate is the user's common name (John Smith) and the only SAN is
    [email protected] which matches the UPN of the user account as it was auto-enrolled.
    Does anyone have any ideas?

    I had a similar issue where I am using a smart card through a Remote Desktop Gateway. I had to disable Network Level Authentication (NLA) on the destination Remote Desktop Server. If anyone has another way around this, I'd appreciate hearing it. I'd prefer
    to use NLA.

  • Deployment option under publish settings....

    Hello.
    My problem has to do with the DEPLOYMENT option in the publish settings when you're trying to import a video file. I'm wondering what the ActionScript would perhaps look like if, say, I want to take multiple videos and load them into one player. I'm trying to set up an empty Flash player so that when a user clicks on, say, a thumbnail image, the video corresponding to that image gets loaded and autoplays in the player. Any ideas are GREEEAAATTTLLLYY appreciated, cause I'm stuck.
    Thanks, Joe.

    Don't import it unless you want a low-quality video that takes a long time to load before it begins to display. Use an FLV playback component, or the video class, or the video player class.

  • Deployment projects with other installers inside?

    Hello,
    I'm developing an application with Kinect and I want to create an installer to distribute it. Also, I need to install .NET Framework 4.0 if it is not installed. I'm working with VS 2012, so I had to install InstallShield LE, but it does not seem to have the option to add an external installer. Do you know how I can do it? Maybe with WiX projects or Nullsoft?
    Thank you!

    Hello,
    Thank you for your post.
    I am afraid that the issue is out of the support range of the VS General Question forum, which mainly discusses the usage of the Visual Studio IDE such as the WPF & SL designer, Visual Studio Guidance Automation Toolkit, Developer Documentation and Help System, and the Visual Studio Editor.
    I did some searching and found an article which may help you:
    http://www.microsoft.com/en-us/kinectforwindows/faq.aspx
    About deploying projects with Kinect, please refer to the ‘Can you provide some examples of recent Kinect for Windows deployments?’ section in the article above. For detailed information and more support, please consult the Kinect for Windows SDK forum:
    http://social.msdn.microsoft.com/Forums/en-US/home?category=kinectsdk
    Best regards,

  • Deployment Implications with 9IAS

    From another thread it appears that 9IAS is not going to be certified for XP Pro.
    Does anybody have a view on how this is going to affect web deployment (the only option with 9i Forms)?
    It looks like Unix/Linux is the only option from what I read (NT & W2k don't count; one is ancient history, the other is being replaced by XP Pro).

  • Deploying BPEL with Ant Problems

    Hi, I am trying to automate BPEL deployment using HP Deployment Manager, and need to learn how to use Ant to deploy our BPEL processes. I have set up a SOA Suite installation to play around with Ant, but I can't seem to get Ant to work from the command line. I am able to deploy a sample process using JDev both by the Deploy option and with the Ant option, but I get errors when using the command line.
    I navigated to the location of build.xml in a DOS prompt, ran ant, and get the following error:
    C:\JDeveloper\jdev\mywork\BPEL\HelloWorld\build.xml:27: Cannot find ${oracle.home}/integration/bpel/utilities/ant-orabpel.xml imported from C:\JDeveloper\jdev\mywork\BPEL\HelloWorld\build.xml
    I'm assuming this is because JDeveloper sets up its own environment variables for running Ant within the IDE. What do I need to do to have it run in command-line mode? The deployments will ultimately be run on RHEL4, but for testing on Windows do I need to set these to look like %ORACLE_HOME%, etc. in build.xml?
    Any ideas?
    Thanks,
    Kevin

    Update: Problem solved by setting ORACLE_HOME and BPEL_HOME

  • SCCM 2012 Deployment Option Missing

    Hey all,
    I have a strange problem. I have built a custom task sequence (TS) to install operating systems on our computers. This TS runs scripts and installs applications and packages. I also have a front-end HTA that allows us to select certain software to be installed and which OS image to apply. The issue I have is that every time the TS gets to the Run HTA part of the TS, which may I add is the very first step, the TS fails with error code 0x800700A1.
    Now, after several days of investigation, I believe that the issue is that the deployment option is set to 'Download Content Locally when needed by running Task Sequence.' The problem: that is the only deployment option I can select. The other option, which should be 'Access content directly from distribution point', is not even available. Researching this issue I found that I should make sure all my packages were copied to shares on the distribution points. So I did this, to no avail. I made sure that a NAA is set. Still, same error. A couple more things to note:
    I am testing in a VMware environment.
    I have added the appropriate drivers to the boot image.
    Software deployments are working appropriately, including the app catalog.
    The NAA is a local admin on the distribution point.
    All servers in the environment are Server 2012.
    So, I also began to think, "Well, maybe SCCM doesn't like installing Applications from a TS and only handles packages... since applications are new to 2012." So I created a very simple TS that only installed an OS, and still the same error. I added the HTA just for kicks; same error. I have combed the smsts.log file and all of the errors keep leading me to dead ends or repeating steps I had already performed and then hoping for a different result. That's insane, right?! If anyone has encountered this error and knows how to fix it, I would be forever grateful. If you would like the log file, I can accommodate; I just figured pasting a 4159-line log file was a bit much.

    >The problem, that is the only deployment option I can select. 
    The 'Run from DP' option is a Task Sequence-wide option in general, meaning that all the content would have to be duplicated to the package share in order to use it. Unless all the content is on the package share, this option is not available. The only exception is the Apply OS step, which has its own setting.
    If you have a step that uses content, but there is no formatted partition for the TS to download content to, you will receive an error. So, your first steps need to partition/format the drive if there is no usable partition before you try to download content (like the files required for your HTA).
    I usually steal the logic from the default MDT 2013 task sequence when integrated with ConfigMgr 2012 R2, even though I don't use MDT with ConfigMgr.  The first real step is a format with this condition on it so it only runs if there isn't already a
    local disk available:
    If None of the Conditions are true:
    select * from Win32_LogicalDisk where DriveType=3 and DeviceID != 'X:'
    I hope that helps,
    Nash
    Nash Pherson, Senior Systems Consultant, Now Micro

  • NI Industrial Communications for EtherCAT 2.4 requires FPGA deployment option?

    I am using NI Industrial Communications for EtherCAT 2.4, along with PXI real time target and some third party EtherCAT devices.
    When I right clicked on my third party slave device in the LabVIEW project tree and selected Online Device State it started searching for NiFpgaBitfileGet_all.vi, then put up a message Cannot display selected category. I have temporarily fixed it by installing the FPGA deployment option. Will the fix still work once the 30-day evaluation period is over? I shouldn't need FPGA deployment option so why is there a dependency?

    I do not have any NI slave devices. The third party device is a Micro-Epsilon confocalDT 2451 distance measurement probe. My controller is a NI PXI-8109, and I am using a PXI-8231 as the EtherCAT master. I am using LabVIEW 2011 with LabVIEW Real-Time 11.1. As an initial test setup I have just the one slave, as the attached project tree shows. I eventually want to have eight of these slaves, but that will need another thread. I have not had the opportunity to try "Revert to Default Personality" yet.
    Paul
    Attachments: LV2.jpg (34 KB)

  • Extension Jar deployment option is disabled on JDev11

    Hi,
    Why is "Extension Jar" disabled on JDev11? I could not create a deployment descriptor with this option.
    If I go back to JDev10, could I use my old .jar file?
    Regards
    Philippe

    Hi Nasir,
    It looks like the Admin URL is not set correctly; can you take a look at your configuration again?
    Regards,
    Kal

  • Deployment Options

    OWB newbie here - previous experience in custom built ETL. Multiple clients using our Oracle OLTP. Now need to build a warehouse that can be deployed to all clients but with options to switch on/off relevant components. Possibility/probability of moving into disparate source systems in future. So I have questions about deployment options.
    1. Deploying to many targets when we cannot see the target. Brief reading tells me that we need to export the metadata, install the OWB client and runtime repository on site & deploy it all there? If all sources are Oracle, then the "here's your script, execute it every night" would be a simple deployment. Maybe with more disparate sources (flat files, etc), having to install OWB is a small overhead compared to the potential pain? Any advice welcome!
    2. Core source schema is the same, but some modules may not exist on some client sites (e.g. different countries use different third party data). So invalid staging packages result in invalid parent packages? I suppose a possible workaround is to put the staging extract in dynamic sql so it always compiles and only run when the parameter is switched on. But then we're possibly losing some OWB benefits (source tracing, etc). Are there other options for this sort of thing?
    Thanks for your help!

    Or you could also assume that you have to do the initial leg work...
    Analyze all sources, which could be different based on the country, region, etc.
    But that's not a problem, because you can handle that using custom views in your integration layer to make all sources look identical at some point.
    Then you could load all this wonderful data into your target DW using the same processes...
