Win 2012 RDS farm not accessible for external clients

Tags: remote-desktop, remote-desktop-services, windows-server-2012, windows-server-2012-r2

External clients can't access my RDS farm – here's what I've set up:

(all servers are Win 2012 R2 and clients are Win 8.1)

Server: PDC1
ip: 10.0.0.2
roles: file, print, sql 2012, dhcp, dns, RD License Server, RD Gateway, RD Web Access

Server: SVRDS1
ip: 10.0.0.3
roles: RD Host Session, RD Connection Broker (HA)

Server: SVRDS2
ip: 10.0.0.4
roles: RD Host Session, RD Connection Broker (HA)

Server: SVRDS3
ip: 10.0.0.5
roles: RD Host Session, RD Connection Broker (HA)

RD Loadbalancing on all three servers.

I've set up round robin (rd.mycompany.local) on SVRDS1-3 and if I internally try to connect to rd.mycompany.local then it works. I'm guided to any of the host servers.

In my firewall, I've set port 3389 to point to SVRDS1. If I only have SVRDS1 in my host collection, everything is fine – but if I add SVRDS2 and 3 to the host collection, trying to connect externally fails.

My own thoughts…

  • Client tries to connect and hits SVRDS1, but due to loadbalancing, RD wants to transfer to SVRDS2, which is not available from outside the network?

  • I need to use RD Gateway, but how? I don't have a DMZ and I'm not supposed to port forward 443 from PDC1?

  • I should find another job, because I'm a noob at this 😉

Hope you can guide me in a direction – thanks!!!

Best Answer

Using the Gateway is easy and will be very beneficial to you. What you need to do is:

  1. Get a 3rd party Cert from your CA of choice. Something like rdgateway.company.com
  2. You've already set up the Gateway role on PDC1, so just configure it to use 3389 and 443, or if you need another port instead of 443 use Eric's link in his answer to change it. Make sure you set up CAP and RAP groups (Computer Access Policy and Remote Access Policy groups) for people who will be accessing this from the outside.
  3. Set a DNS entry in your public DNS (i.e. GoDaddy, Network Solutions, etc.) provider for rdgateway.company.com that points to one of your public IPs.
  4. Port forward the correct ports on your router/firewall from the public IP mentioned in the step above externally, to the Gateway server internally and its local IP.
  5. To connect correctly to the Gateway you will need to (do this on a single computer first as a test) open up Remote Desktop Connection > Show Options > Advanced > Settings > Set the RD Gateway server name and logon method. Save all this and go back to the main Remote Desktop Connection screen.
  6. At this screen you will want to put the name of your Farm as the name of the server to connect to. So, the Gateway is already set in the advanced settings, and for the computer to connect to, put the FQDN; example: rd.mycompany.local

There are a few more minor adjustments, but I'll let you decipher if you need them by reading this resource.

Also, I'd recommend not having all those roles you mentioned you have on your first server, if in fact it is a domain controller. It's always just safer to leave only AD roles on domain controllers, but if you can't change that, then obviously this is just 20/20 hindsight. Just my recommendation, but something I'd highly recommend.
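Steps 3 to 6 of the answer, as an added PowerShell example that is not part of the original answer: it writes the .rdp file equivalent of the Remote Desktop Connection settings from steps 5 and 6, then checks from an external client that the public gateway name resolves (step 3) and that TCP 443 is forwarded to the gateway (step 4) while the old raw 3389 forward is no longer reachable. rdgateway.company.com and rd.mycompany.local are the names used in the answer; the output path is an assumption.

```powershell
# Added example, not from the original question or answer.
# ASSUMED: rdgateway.company.com is the public RD Gateway name (step 3),
# rd.mycompany.local is the farm name (step 6); adjust both to your environment.
$GatewayFqdn = 'rdgateway.company.com'
$FarmFqdn    = 'rd.mycompany.local'
$OutFile     = Join-Path $env:USERPROFILE 'Desktop\RDS-Farm.rdp'   # assumed location

# These .rdp keys are the file-based form of the Remote Desktop Connection dialog:
#   full address            = the farm name typed on the main screen (step 6)
#   gatewayhostname         = the RD Gateway server from Advanced > Settings (step 5)
#   gatewayusagemethod 1    = always route through the gateway, even from inside
#   gatewaycredentialssource 0 = ask for a password (the "logon method" in step 5)
#   gatewayprofileusagemethod 1 = use these explicit gateway settings, not the defaults
$rdp = @(
    "full address:s:$FarmFqdn"
    "gatewayhostname:s:$GatewayFqdn"
    "gatewayusagemethod:i:1"
    "gatewaycredentialssource:i:0"
    "gatewayprofileusagemethod:i:1"
    "prompt for credentials:i:1"
)
Set-Content -Path $OutFile -Value $rdp -Encoding Unicode
Write-Host "Wrote $OutFile"

# Pre-flight checks run from OUTSIDE the network (Resolve-DnsName and
# Test-NetConnection exist on Windows 8.1 / Server 2012 R2 and later).
$dns = Resolve-DnsName -Name $GatewayFqdn -Type A -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Warning "$GatewayFqdn does not resolve in public DNS (step 3 not done)"
} else {
    Write-Host "$GatewayFqdn -> $($dns.IPAddress -join ', ')"
}

# 443 must reach the gateway (step 4); 3389 should now be closed at the firewall,
# because the gateway carries the RDP traffic and the broker redirects to SVRDS1-3 internally.
foreach ($port in 443, 3389) {
    $ok = (Test-NetConnection -ComputerName $GatewayFqdn -Port $port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("TCP {0}: {1}" -f $port, $(if ($ok) { 'open' } else { 'closed' }))
}
```

Double-click the generated .rdp file on the test client from step 5; if 443 reports closed or the name does not resolve, the gateway cannot be reached and the client-side settings are not at fault.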