
With a Remote Desktop Services deployment in a domain ad.company.com, I have RDG and RDSH installed on the same server, rd.ad.company.com.

I can use a wildcard cert on *.company.com for access to the Gateway using the Remote Desktop Gateway Manager, and I can also make the rdp connection present this certificate to the client following this guide.


If I try to connect from a remote client using rd.company.com as the gateway address and the server address, it fails even though I've added rd.company.com to the hosts file on the server.

If I try to connect using rd.company.com as the gateway and rd.ad.company.com as the server, a certificate warning appears because rd.ad.company.com doesn't match the wildcard certificate *.company.com. I can connect, but my aim is to have no warning message.

Is it possible to cover both gateway and server with *.company.com, or will I need to get another cert for rd.ad.company.com or *.ad.company.com?

I don't want to use company.com as the domain instead of ad.company.com, because I understand that would be a bad idea.

barbecue
  • 361

2 Answers

1

Wildcard certificates work for only one level of domains, that is, the most specific domain level.

So, you need to get another certificate for *.ad.company.com.

Tero Kilkanen
  • 38,887
0

This can be done and it turns out it's not that difficult. You need to:

  1. Make sure rd.company.com points at the IP address of rd.ad.company.com on the RDG server. You can either add a new DNS zone for rd.company.com and add an empty A record pointing to the correct IP, or add an entry in the hosts file on the RDG. You could add the internal IP to your external DNS instead, but I think that's a bit ugly.
  2. Configure a RAP (Resource Authorization Policy) on the RDG using Remote Desktop Gateway Manager to allow rd.company.com. I did this by creating a new RD Gateway-Managed Group.

Now my rdp clients can connect with the standard RDP client software using rd.company.com as the address for both server and gateway, and the wildcard cert for *.company.com covers both.
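The two steps in this answer as a PowerShell script to run elevated on the RDG host, added here as an example and not code from the answer's author. The internal address 10.0.0.5, the AD group AD\RDS-Users, and the group and RAP names are assumed values; the parameter names used with the RDS: provider for the RAP (-ComputerGroupType, -ComputerGroup, -PortNumbers) are assumed from memory and should be checked with Get-Help on the gateway before use. The script does both variants of step 1 (a DNS zone and a hosts entry); pick one. The final block connects to port 443 and reports whether the gateway certificate validates for the public name, which is the check that decides whether the client gets a warning.

```powershell
# Added example: script the RDG-side steps for a single public name covering gateway and RDSH.
# Assumed values (not from the original answer):
$PublicName = 'rd.company.com'
$InternalIP = '10.0.0.5'             # assumed internal address of rd.ad.company.com
$UserGroup  = 'AD\RDS-Users'         # assumed AD group allowed through the gateway
$GroupName  = 'rd-company-com'       # RD Gateway-managed computer group (assumed name)
$RapName    = 'RAP-rd-company-com'   # resource authorization policy (assumed name)

# Step 1, option a: a DNS zone named after the host, with an A record at the zone apex,
# so every domain member resolves rd.company.com to the internal address.
Import-Module DnsServer
if (-not (Get-DnsServerZone -Name $PublicName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicName -ReplicationScope 'Domain'
}
if (-not (Get-DnsServerResourceRecord -ZoneName $PublicName -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $PublicName -Name '@' -IPv4Address $InternalIP
}

# Step 1, option b: hosts-file entry on the RDG only (the gateway is what resolves the
# target name the client typed). Appended only if not already present.
$Hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Line  = "^\s*$([regex]::Escape($InternalIP))\s+$([regex]::Escape($PublicName))\s*$"
if (-not (Select-String -Path $Hosts -Pattern $Line -Quiet)) {
    Add-Content -Path $Hosts -Value "$InternalIP`t$PublicName"
}

# Step 2: a RAP that allows the public name. Use a gateway-managed group naming exactly
# the host clients type, rather than "any network resource", so the gateway cannot be
# used as a pivot to other internal hosts.
Import-Module RemoteDesktopServices
if (-not (Test-Path "RDS:\GatewayServer\GatewayManagedComputerGroups\$GroupName")) {
    New-Item -Path 'RDS:\GatewayServer\GatewayManagedComputerGroups' -Name $GroupName `
        -Description 'Public name of the RDG/RDSH host' -Computers $PublicName | Out-Null
}
if (-not (Test-Path "RDS:\GatewayServer\RAP\$RapName")) {
    # ComputerGroupType 0 = RD Gateway-managed group. Parameter names assumed; verify with
    # Get-Help New-Item -Path RDS:\GatewayServer\RAP before relying on them.
    New-Item -Path 'RDS:\GatewayServer\RAP' -Name $RapName -UserGroups $UserGroup `
        -ComputerGroupType 0 -ComputerGroup $GroupName -PortNumbers 3389 | Out-Null
}

# Check 1: what the RDG itself resolves for the public name.
Resolve-DnsName -Name $PublicName -Type A | Format-Table Name, IPAddress -AutoSize

# Check 2: does the certificate presented on 443 validate for the public name?
# The callback records the policy result instead of silently accepting the certificate.
$script:PolicyErrors = $null
$Callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:PolicyErrors = $errors
    return $true
}
$tcp = [System.Net.Sockets.TcpClient]::new($PublicName, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $Callback)
$ssl.AuthenticateAsClient($PublicName)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
$San = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
"Gateway cert subject : $($cert.Subject)"
"Gateway cert SANs    : $San"
"Validation for $PublicName : $script:PolicyErrors"   # 'None' means the client will not warn
```

The same name must be used in three places for the warning to disappear: the RAP (or the managed group it references), the server address the client types, and the certificate bound to the RDSH listener. If the managed group holds rd.company.com but a user types rd.ad.company.com, the gateway rejects the connection even though the host is the same machine.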