Question: How do I tell RDWeb to launch apps from remote.domain.com rather than host.internaldomain.local?
Environment:
Existing org with AD forest. New single Server 2012 running all Remote Desktop Services roles for session host. Used the new 2012 wizard to set up "QuickSessionCollection" with roles:
- RD Session Host
- RD Connection Broker
- RD Gateway
- RD Web Access
- RD Licensing
Everything works with self-signed cert, but we want to prevent those.
The users are potentially non-domain machines so sticking a private root cert on their machines isn't an option. Every part of the solution needs to use a public cert.
Added public remote.domain.com cert to all roles using Server Manager GUI:
- RD Connection Broker - Enable Single Sign On
- RD Connection Broker - Publishing
- RD Web Access
- RD Gateway
So now everything works beautifully except the last step:
- user logs into https://remote.domain.com
- user clicks an app icon, which in the background downloads a .rdp file that is signed by remote.domain.com.
- .rdp is set to use RD Gateway, which is remote.domain.com
- .rdp says app is hosted on internal host.internaldomain.local, which doesn't match the RDP-tcp TLS cert of remote.domain.com, and pops a warning.
It's this last step that I'd like to fix. Is there a config option in PowerShell, WMI, or .config to tell RDWeb/RemoteApp to use remote.domain.com for all published apps so the TLS cert for RDP matches what the Session Host is using?
NOTE: This question talks about this issue, and this answer mentions how you might fix it in 2008, but that GUI doesn't exist in 2012 for RemoteApp, and I can't find a PowerShell setting for it.
NOTE: Here's a screenshot of the setting in 2008R2 that I need to change. It tells RemoteApp what to use for the Session Host server name. How can I set that in 2012?
This PowerShell worked: tell the Session Collection to add an alternate address for Session Host connections. This is also what you would do for a Session Host farm with round robin.
Once I ran this, launching apps from RDWeb would give a single prompt that now matches the three settings without warnings:
Depending on any other Custom RDP Properties, the above command may be different because you have to include them all in one command with a linefeed between each.
Background Info:
Adding custom RDP settings: http://social.technet.microsoft.com/wiki/contents/articles/15719.adding-custom-rdp-properties-in-windows-server-2012-vdi-rds-environments.aspx
Using this setting for HA: http://microsoftplatform.blogspot.com/2012/04/rd-connection-broker-ha-and-rdp.html
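Added example (not the answer's own command, which is not reproduced on this page): the answer above sets the collection's Custom RDP Properties so the published .rdp files point clients at the external name, and it warns that every custom property has to be written in a single command. The script below reads the properties already on the collection, merges in the two standard .rdp settings that make the client use an alternate address ("use redirection server name" and "alternate full address"), and writes the whole set back, so nothing previously configured is dropped. It assumes the RemoteDesktop PowerShell module is available on the Connection Broker, the collection name "QuickSessionCollection" from the question, and remote.domain.com as the public name on the certificate; the cmdlets Get-RDSessionCollectionConfiguration and Set-RDSessionCollectionConfiguration are real, but the parsing helper around them is this example's own.

```powershell
# Example code, not the original answer's command.
# Assumptions: RemoteDesktop module present (Connection Broker), collection
# "QuickSessionCollection" as in the question, public cert name remote.domain.com.
Import-Module RemoteDesktop

$CollectionName = 'QuickSessionCollection'
$ExternalFqdn   = 'remote.domain.com'

# Standard .rdp settings the answer relies on:
#   use redirection server name:i:1 -> client honours the alternate address
#   alternate full address:s:<fqdn> -> name the client connects to, so it
#                                      matches the TLS cert presented on RDP-tcp
$wanted = @{
    'use redirection server name' = 'i:1'
    'alternate full address'      = "s:$ExternalFqdn"
}

# Read the properties already configured so they are not lost: the collection
# takes all custom properties in one command, newline-separated.
$existing = (Get-RDSessionCollectionConfiguration -CollectionName $CollectionName).CustomRdpProperty
$props = [ordered]@{}
if ($existing) {
    foreach ($line in ($existing -split "`n")) {
        $line = $line.Trim()
        if ($line -eq '') { continue }
        # Each .rdp line is "name:type:value"; split on the first colon only
        $name, $rest = $line -split ':', 2
        $props[$name] = $rest
    }
}

# Overwrite or add the two settings we need, keeping everything else
foreach ($k in $wanted.Keys) { $props[$k] = $wanted[$k] }

# Rebuild the multi-line string with a linefeed between each property
$merged = ($props.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }) -join "`n"

Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -CustomRdpProperty $merged

# Print the stored value so the change can be checked before users launch apps
(Get-RDSessionCollectionConfiguration -CollectionName $CollectionName).CustomRdpProperty
```

To confirm the effect from the client side, download a RemoteApp .rdp file from RD Web Access after running this and open it in a text editor: it should now contain the "alternate full address:s:remote.domain.com" line, and the RDP-tcp certificate warning described in the question should no longer appear because the name the client connects to matches the certificate.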
I am pretty sure that you need a cert valid for both the internal and external namespace. If you have .local internally (yuck) then you may have a hard time acquiring a cert with .local in either the Subject or Subject Alternative Name fields. If you can't get a cert from a public provider for this, then an internal PKI setup is your only option here.
If you don't have a UC certificate you can use this PowerShell script to update the FQDN to match your external host name / certificate name:
http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80