Is there any way to secure an entire Active Directory (AD) domain using a single trusted, third-party Certification Authority (CA)-signed wildcard security certificate so that remote access will be seamless for:
- RDP using Remote Web Access (RWA) via Remote Desktop Gateway (RDG) to PCs.
- RDP using Remote Desktop Connection via Remote Desktop Gateway (RDG) to Remote Desktop Services (RDS) server.
Ideally, I'd like it so that the users get no security certificate warnings (regardless of the where the computer is or whether the computer is domain-joined) when remoting in by:
- Browsing to
https://internal.domain.com/remote
, signing in, and selectingPC-01
. - Opening a RemoteApp and signing in.
Details:
- Internet Domain Name:
domain.com
- AD Domain Name:
internal.domain.com
- AD Domain Controller and RDG server Fully Qualified Domain Name:
server-01.internal.domain.com
- RDS server Fully Qualified Domain Name:
server-02.internal.domain.com
- PC Fully Qualified Domain Name:
pc-01.internal.domain.com
- Wildcard security certificate:
*.internal.domain.com
As far as I'm aware, it cannot be done as a single security certificate can only be installed on a single computer and this scenario would require the security certificate to be installed on 3 computers (RDG server, RDS server, and PC).
However, I know that AD has its own Public Key Infrastructure (PKI) and "internal" CA which is used to ensure trust between its domain and domain-joined computers. So, is there any way to replace AD's CA root security certificate with the trusted, third-party CA-signed wildcard security certificate?
Update 2016/06/30 16:33: I have made significant progress with this and will write up the answer once the problems have been fixed.
Best Answer
Disclaimer: This is to the best of my recollection
Our security certificate provider, SSL247, informed me that wildcard security certificates:
In simple terms, the full resolution was to:
internal.domain.com
toremote.internal.domain.com
.On the Internet domain
domain.com
's authoritative name servers, create the DNS Resource Record (RR):remote.internal.domain.com 3600 IN A <public IP address>
On the router, create firewall and NAT rules to allow and forward port TCP 443 to the RDG server.
*.internal.domain.com
In actuality, our resolution was a lot more complicated.
Our original setup was as follows:
server-01.internal.domain.com
running Windows Server 2012 R2 Essentials.server-02.internal.domain.com
running Windows Server 2008 R2 Standard.Long story short (ask for clarification if required), this setup just did not work. Despite using the domain administrative user account and all settings (RDG, CAPs, RAPs, NPS, etc) being configured as low / open as possible, external RDP failed consistently with the following errors:
I heavily researched this scenario and these errors and found a fair amount of resources but none resolved the problems.
I had our Network Operations Center (NOC) investigate and they concluded that the problem was caused by the use of Essentials.
I moved the role RDG from server #1 to server #2 (I realise this is nearly pointless), updated the network, and it worked pretty much instantly.
Oh, well. At least it works.