Remote Desktop Services multiple RD Web Access and Certs

Tags: remote-desktop-services, windows-server-2012-r2

We are planning on a deployment of Remote Desktop Services (Windows Server 2012 R2) with 2 RD Web Access Servers. In the past I have requested a single cert using an external CA (via an IIS 7 cert request), installed it, and then exported it into the *.pfx format to use. That was straightforward.

Our production deployment will have 2 RD Web Access servers behind a Cisco ACE for failover and load balancing. My question is, how do I go about requesting the certificate now? Other than using a wildcard or SAN cert (to include the "friendly" name we are using) I am not sure how to start this process.

Do I request a cert from one of the RD Web Access servers, export, and use it for both of them? Or do I request one from each with the SAN/wildcard as part of the request? Or, am I completely off track here? I am only familiar with basic HTTPS web cert requests so this is all a mystery to me.

The help from MS I have gotten via docs and forum seems to assume we are using an internal AD CA or a Gateway, neither of which we are using (We are requiring VPN for off site access for now).

Best Answer

Do you actually need your two RD Web Access servers to use different domain names? Seeing as this is a load balance / fail-over scenario, then normally you would install the same certificate on both servers. Using a wildcard / SAN certificate is only necessary if you intend to access one or both of the servers using different names.

Simply create the certificate request as you normally would, and install the certificate on both servers - just ensure that the cert is licensed for use on 2 servers when you purchase it.

If for whatever reason you really do need different domain names, then you will create a single certificate request using your preferred method (e.g. openssl, certreq, IIS, etc.). If you decide to run with a wildcard certificate, then you simply specify your domain as *.your.domain and purchase it from the external CA using their wildcard purchasing plan. Or if you decide to run with a SAN then you will need to specify the SAN in the certificate request.

http://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx

Another option would be to install a single certificate on the Cisco ACE in order to perform SSL termination on that device instead of the RD Web Servers. In fact, this is usually the preferred method when performing load balancing as it keeps things simple, and allows the ACE to perform application layer balancing.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3045.shtml
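The "one request, install on both nodes" path the answer describes, written out as an added example for this page (it is not code from the question, the answer, or Microsoft's documentation). It assumes both RD Web Access servers run Windows Server 2012 R2 with the PKI PowerShell module present, that the request is generated on node 1 with certreq, and that the CA-issued certificate is saved as issued.cer. The host names, organisation fields, paths, and the Connection Broker name are placeholders; the SAN list covers the load-balanced "friendly" name plus both node names so one certificate is valid however a client reaches the service. The security-relevant details are Exportable = TRUE (without it the private key cannot be carried to node 2) and checking the SAN list before copying anything.

```powershell
# Added example (not the page's own code). Placeholders: names, paths, org fields.
$FriendlyName = 'rdweb.example.com'     # name clients use via the Cisco ACE VIP
$Node1        = 'rdweb01.example.com'   # first RD Web Access server
$Node2        = 'rdweb02.example.com'   # second RD Web Access server
$WorkDir      = 'C:\certs'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. certreq INF with a Subject Alternative Name extension (OID 2.5.29.17).
#    Exportable = TRUE is what allows the private key to leave node 1 as a PFX;
#    MachineKeySet = TRUE stores the key in the computer (not user) store.
$inf = @"
[NewRequest]
Subject = "CN=$FriendlyName, O=Example Org, L=City, S=State, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$FriendlyName&"
_continue_ = "dns=$Node1&"
_continue_ = "dns=$Node2"
"@
Set-Content -Path "$WorkDir\request.inf" -Value $inf -Encoding ASCII

# Generate the key pair and the PKCS#10 request; submit request.csr to the
# external CA under their normal (non-wildcard) plan and save the result as issued.cer.
certreq -new "$WorkDir\request.inf" "$WorkDir\request.csr"

# 2. On node 1, join the issued certificate to the pending private key.
certreq -accept "$WorkDir\issued.cer"

# 3. Verify the SAN list covers all three names before exporting anything.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FriendlyName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$sans = $cert.DnsNameList.Unicode      # DnsNameList is added by the Cert: provider
foreach ($name in @($FriendlyName, $Node1, $Node2)) {
    if ($sans -notcontains $name) { throw "Certificate is missing SAN entry '$name'" }
}

# 4. Export with the private key, copy the PFX to node 2, and import it there
#    into the computer store (run the Import-PfxCertificate line on node 2).
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$WorkDir\rdweb.pfx" -Password $pfxPassword | Out-Null
Import-PfxCertificate -FilePath "$WorkDir\rdweb.pfx" -CertStoreLocation Cert:\LocalMachine\My `
    -Password $pfxPassword

# 5. Optional: if the deployment has an RD Connection Broker, let it apply the
#    certificate to the RD Web Access role on every node (broker name is a placeholder).
# Set-RDCertificate -Role RDWebAccess -ImportPath "$WorkDir\rdweb.pfx" `
#     -Password $pfxPassword -ConnectionBroker 'broker.example.com' -Force
```

Treat the PFX as a secret once it exists: it carries the private key that protects every RD Web logon page, so delete it from both nodes after import and keep the password out of scripts. If you instead terminate TLS on the ACE as the answer's second option suggests, the same CSR/PFX pair is what you would import there, and the two RD Web Access servers then need only the certificate the ACE presents to them (or plain HTTP on the internal leg, if your policy allows it).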