When installing an Remote Desktop farm with a RD Gateway on Windows Server 2012, you install a certificate for the Broker, Web Access and Gateway roles using Server Manager. However, this does not add the certificate to the Remote Desktop Session Host (RDSH) servers. This means that you get a warning when connecting to a RemoteApp or desktop, because the RDSH severs will have a self-signed certificate. You can replace this certificate using a valid certificate. You will continue to get warnings for the following reasons:
The name on the certificate does not match the RDSH server name
The certificate is not from a trusted root certificate authority
The best way to resolve this is to purchase a single wilcard certificate e.g. *.domain.com that covers both the RDWeb URL, as well as the server names. This also requires that your internal domain is a subdomain of your external domain. So you might use domain.com on the web, and internal.domain.com as your AD domain. Your RDSH server is then e.g. rdsh01.internal.domain.com. You could also use a SAN certificate.
If you are just connecting internally from clients in the same domain, you should be able to use an internal Enterprise CA to create a SAN or wildcard certificate which you can use on your servers. So, only replace the certificates on the RDSH servers if:
Clients are all in the same domain and you are using internal certificates
Clients are outside the domain, but you have purchased commercial certificates
It is necessary to install the certificate on all of the RD Session Host servers manually. This is because there is no way to do this using the Server Manager GUI, and the certificate is not applied to session host servers automatically when configuring the certificates on the other roles.
Open the MMC and open the Certificates snapin
Add the Local Computer
Import the certificate into Computer\Personal
Open the certificate and find the thumbprint on the details tab. Copy the thumbprint to notepad and delete all the spaces.
Open up an elevated PowerShell prompt and write:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash=”PASTE_THUMBPRINT_STRING”
This outlines the customisation options with the default RDWeb page in Microsoft Server 2012, when using Remote Desktop Services with RDWeb. You can easily replace the logon and text at the top of the page.
As an example, you can change the default:
To something like this:
Replaceable Company Logo Image
Add the new Icon into the image folder
Add the new icon into the images folder located in:
Modify the site.xsl file
Backup this file:
To e.g. C:\Windows\Web\RDWeb\Pages\Site.xsl.bak
The word Replaceable appears 3 times in this file. Do a find for this word to find the sections below:
Run notepad as admin and open. I find the easiest way to do this is to run Powershell as admin, and then launch notepad from there. That way if you close down notepad, you quickly launch as admin again without finding notepad.
The Remote Desktop web site, which is a component of Remote Desktop Services in Windows Server 2012 and 2008, has a page called ‘Connect to a remote PC’.
This page will allow you to connect to servers or computers behind your Remote Desktop Gateway server, which is a handy feature if users need to connect to a full remote desktop behind the gateway, rather than just a remote app. This will also allow you to connect to your servers on an internal network directly, even if you are behind a web proxy server, so can be useful for remote management purposes when connected to a corporate network.
However, by default, this page will only allow you to connect to local resources, and will not use the gateway server.
To fix this, you need to make a change in IIS:
On your RD Web Access server, open IIS Manager
In the left pane, navigate to and Sites\Default Web Site\RDWeb\Pages
In the middle pane, double-click on Application Settings
Double-click on DefaultTSGateway and enter the external FQDN of your RD Gateway
Refresh the RDWeb page on the client and then test using an external client
Now, to connect to other machines on your network other than ones already in your RDSH farm, you also need to modify the RD Gateway policies to allow you to connect to those other resources. You probably already have an AD group configured in your RD Gateway policies, and you can just add to this group, but in case you don’t then can configure this as follows:
Create a new group in AD called e.g. SERVERNAME RD Gateway allowed servers, where SERVERNAME is the name of your RD Gateway server.
Add all the servers that you want to be able to connect to into this group. For a start this should include all of your RDSH servers, but you can also add other Windows servers on the network.
Open RD Gateway Manger (in the Tools/Terminal Services menu in the Server Manager in 2012), expand Policies, and click on the Resource Authorization Policy
On the Network Resource tab, change the AD group to SERVERNAME RD Gateway allowed servers
Note that you could also do this using an RD Gateway-managed group if you are using that feature
You will now be able to connect to any servers that are a member of this group using the ‘Connect to a remote PC’ page in RDWeb. You should be able to use the internal NETBIOS name of the servers, no need to use the FQDN.