We have recently set up a Terminal Services Gateway website to allow external access to a Remote Desktop server. Each user installs a client certificate on their personal computer, connects to the HTTPS TS Gateway site, logs in, then connects to the configured remote desktop machine.
All users have the same access rights and configurations on the server side, and all certificates are issued from our local CA; the certificate chain is also installed on their local PCs.
Out of 30 users, two specific users are unable to use the system. They connect to the TS Gateway site using their client certificate, can log into the TS site using their user accounts, and can then click on the configured remote desktop machine. They are prompted for login username and password, then see a "Connecting" dialog. After a while, they receive the message:
The computer can't connect to the remote computer.
The two computers couldn't connect in the amount of time allotted.
We've checked everything we know how to, even silly items that shouldn't be related: they are using the same Windows XP SP3 as several other users, their Windows Firewall is enabled with port 443 open, each of them is using the same internet service provider and plan as another user who is connecting successfully, it still happens even after trying to issue a new certificate, and their system clocks are synchronized to the same public NTP source as the server they are connecting to.
Unfortunately, diagnosis is difficult since we don't have direct access to their home machines to try for ourselves.
What else should we check?
Try troubleshooting with their system hooked directly to their high speed modems (cable, DSL, etc.) to isolate any possibilities of their home NAT routers playing any part in the difficulties. Some "ping" samples may also reveal network performance issues.
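One way to collect the kind of samples the answer suggests, without needing hands-on access to the user's machine, is to have the user run a small probe that repeatedly opens a TCP connection and TLS handshake to the gateway on port 443 and reports loss and latency. The script below is an added example, not code from the question or the answer; it assumes a placeholder gateway name (tsgateway.example.com), Python's standard socket and ssl modules, and, optionally, the user's client certificate exported to a PEM file. The summary it produces separates "packets never get through" (loss or filtering, which points at the home router path) from "they get through slowly" (which matches a timeout after a long "Connecting" dialog) from "the network path is fine" (in which case the fault is past the gateway, e.g. the gateway reaching the RDP host or an authentication step).

```python
"""Probe a TS Gateway over TCP/TLS on port 443 and summarize loss and latency.

Added diagnostic example; hostnames and paths are placeholders, not values from the page.
"""
import socket
import ssl
import statistics
import time

GATEWAY_HOST = "tsgateway.example.com"   # placeholder: substitute the gateway's FQDN
GATEWAY_PORT = 443
CLIENT_CERT_PEM = None                    # optional: path to an exported client cert + key (PEM)


def probe_once(host, port, timeout=5.0, client_cert=None):
    """One attempt: TCP connect, then a full TLS handshake.

    Returns (ok, elapsed_seconds, reason). The handshake is included because a
    connection that opens but never completes TLS is just as much a failure for
    an HTTPS gateway as one that never opens.
    """
    ctx = ssl.create_default_context()
    if client_cert:
        ctx.load_cert_chain(client_cert)
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()  # forces the handshake to complete
        return True, time.monotonic() - start, "ok"
    except socket.timeout:
        return False, time.monotonic() - start, "timeout"
    except (ssl.SSLError, OSError) as exc:
        return False, time.monotonic() - start, type(exc).__name__


def summarize(samples, timeout=5.0):
    """Reduce a list of (ok, seconds, reason) tuples to loss, latency and a verdict.

    Verdicts: "loss" if any attempt failed (suspect NAT/router path or filtering),
    "slow" if successful handshakes approach the timeout (matches a long
    "Connecting" dialog), otherwise "healthy" (look beyond the client network).
    """
    total = len(samples)
    good = [seconds for ok, seconds, _ in samples if ok]
    failures = {}
    for ok, _, reason in samples:
        if not ok:
            failures[reason] = failures.get(reason, 0) + 1
    loss_pct = 100.0 * (total - len(good)) / total if total else 0.0
    median_s = statistics.median(good) if good else None
    max_s = max(good) if good else None
    if loss_pct > 0:
        verdict = "loss"
    elif max_s is not None and max_s > timeout / 2:
        verdict = "slow"
    else:
        verdict = "healthy"
    return {
        "attempts": total,
        "loss_pct": loss_pct,
        "median_s": median_s,
        "max_s": max_s,
        "failures": failures,
        "verdict": verdict,
    }


def run_probe(host=GATEWAY_HOST, port=GATEWAY_PORT, attempts=10, timeout=5.0,
              client_cert=CLIENT_CERT_PEM, pause=1.0):
    """Collect `attempts` samples spaced `pause` seconds apart and summarize them."""
    samples = []
    for _ in range(attempts):
        samples.append(probe_once(host, port, timeout=timeout, client_cert=client_cert))
        time.sleep(pause)
    return summarize(samples, timeout=timeout)


if __name__ == "__main__":
    result = run_probe()
    print("attempts: %d  loss: %.0f%%  median: %s  max: %s  failures: %s  verdict: %s" % (
        result["attempts"], result["loss_pct"], result["median_s"],
        result["max_s"], result["failures"], result["verdict"]))
```

Ask the affected user to run it once behind their router and once plugged straight into the modem, as the answer suggests, and compare the two summaries with one from a user who connects successfully; a "loss" or "slow" verdict that disappears on the direct connection implicates the home router, while "healthy" in both positions means the timeout is being raised somewhere past the gateway.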