Publishing Remote Desktop Services on UAG

by Shijaz Abdulla on 22.02.2010 at 22:22

If you’re trying to publish Remote Desktop Services or RemoteApp on Microsoft Forefront Unified Access Gateway 2010, and if you encounter the following error, read on:

“Your computer can’t connect to the remote computer because no certificate was configured to use at the Remote Desktop Gateway server. Contact your network administrator for assistance”.


Before we look into how to fix this, we need to understand how RDS publishing works with UAG:

  1. A UAG client accesses a Forefront UAG portal using a Web browser; UAG evaluates the endpoint compliance and session access policies that the administrator defined.
  2. The end user launches a Remote Desktop application in the portal. The portal uses the RDS ActiveX component to activate the RDC client software running on the endpoint. If the ActiveX component doesn’t exist, it is installed.
  3. The RDC client on the endpoint initiates an RDP-over-HTTPS connection with the Forefront UAG server.
  4. The HTTPS connection terminates on the Forefront UAG server. Forefront UAG uses its integrated RD Gateway to handle the connection. Forefront UAG verifies, using the session cookie, that the user logged on to the portal successfully, and then enforces the endpoint access policies.
  5. An RDP session is established from Forefront UAG to the backend RDS hosts.

As you can see in steps 3 and 4, the HTTPS connection terminates on the Forefront UAG server, which also acts as a Remote Desktop Gateway. The error appears because, by default, no SSL certificate is configured on the RD Gateway running on the Forefront UAG computer.

The Solution

  1. On the computer running UAG, open the RD Gateway Manager (Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager)


  2. You will see that “A server certificate is not yet installed or selected”. Click on View or modify certificate properties

  3. Choose the option Select an existing certificate from the RD Gateway <computername>. Click the Import Certificate button.
  4. Choose the certificate that matches the public DNS name of your UAG portal. In my case it is uag.tech.com – this is the URL that users connecting from outside your organization will type into the browser to get into the UAG portal. It can be the same certificate that you are using on your HTTPS trunk.


  5. Click Import and OK.
  6. Try to connect to the RDS Session Host from the UAG portal. It should work (if you have configured the application and your endpoint is compliant with the endpoint security policies that you defined).
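Before clicking through steps 3 to 5, it helps to confirm that the certificate you are about to select really satisfies the RD Gateway: it must live in the computer's Personal store with its private key, its subject CN or Subject Alternative Name must match the portal's public DNS name, it must be valid for server authentication, and its issuing chain must be trusted. The script below is an added example, not part of the original post and not UAG or RD Gateway code; it is written to run under PowerShell 2.0 on the Windows Server 2008 R2 host that UAG 2010 runs on. The portal name uag.tech.com is the post's example and should be replaced with your own; the Remote Desktop Gateway service name TSGateway is the real service name, and the check on it covers the "gateway is unavailable" symptom rather than the certificate error itself.

```powershell
# Added example (not from the original post): pre-flight checks on the UAG server
# for the certificate you intend to select in RD Gateway Manager.
# Assumption: $PortalFqdn is the public name users type into the browser.
$PortalFqdn = 'uag.tech.com'   # placeholder from the post; replace with your portal name

# RD Gateway only lists certificates from LocalMachine\My that carry a private key.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

function Test-NameMatch {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Fqdn)
    # Subject CN first
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    if ($cn -and ($cn -ieq $Fqdn)) { return $true }
    # Then every DNS name in the Subject Alternative Name extension (OID 2.5.29.17)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields e.g. "DNS Name=uag.tech.com, DNS Name=portal.tech.com"
        $names = $san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() }
        foreach ($n in $names) {
            if ($n -ieq $Fqdn) { return $true }
            # Wildcard entry such as *.tech.com; -like treats '*' as a wildcard
            if ($n.StartsWith('*.') -and ($Fqdn -ilike $n)) { return $true }
        }
    }
    return $false
}

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ekuExt) { return $true }   # no EKU extension means any purpose is allowed
    foreach ($e in $ekuExt) {
        # 1.3.6.1.5.5.7.3.1 = Server Authentication
        if ($e.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }) { return $true }
    }
    return $false
}

function Test-ChainTrusted {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Builds the chain against this computer's trust stores; revocation is skipped so
    # the check also works on a server without Internet access to CRL/OCSP endpoints.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { Write-Warning ("chain: {0}" -f $_.StatusInformation.Trim()) }
    }
    return $ok
}

$now = Get-Date
foreach ($c in $candidates) {
    $nameOk  = Test-NameMatch -Cert $c -Fqdn $PortalFqdn
    $ekuOk   = Test-ServerAuthEku -Cert $c
    $dateOk  = ($c.NotBefore -lt $now) -and ($c.NotAfter -gt $now)
    $chainOk = Test-ChainTrusted -Cert $c
    # New-Object PSObject keeps this runnable on PowerShell 2.0 (no [pscustomobject])
    New-Object PSObject -Property @{
        Thumbprint = $c.Thumbprint
        Subject    = $c.Subject
        NameMatch  = $nameOk
        ServerAuth = $ekuOk
        InDate     = $dateOk
        Trusted    = $chainOk
        Usable     = ($nameOk -and $ekuOk -and $dateOk -and $chainOk)
    }
}

# The integrated RD Gateway runs as the TSGateway service; if it is stopped,
# clients never get past the gateway regardless of the certificate.
$svc = Get-Service -Name TSGateway -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'Remote Desktop Gateway service (TSGateway) is not installed on this computer.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning ("TSGateway service is {0}; start it before testing from the portal." -f $svc.Status)
}
```

Run it in an elevated PowerShell prompt on the UAG server; a certificate with Usable = True is one you can select in step 4 without hitting the error. A private CA certificate will show Trusted = True on the server only if that CA is already in the server's Trusted Root Certification Authorities store, and every connecting client needs the same root installed, which is the same requirement the RDC client enforces.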

7 Responses to Publishing Remote Desktop Services on UAG

  1. Publishing Remote Desktop Services on #Forefront #UAG – http://tinyurl.com/yct4hj3

  2. Publishing Remote Desktop Services on UAG | microsoftNOW: As you can see in step 3 and 4, the HTTPS connection ter… http://bit.ly/drKnub

  3. EmanuelG says:

    Hi, I’ve been trying UAG and RDS but despite my RDS working properly internally without gateway, I can’t get it working through UAG. I’ve configured a certificate that matches the public name on the UAG, but the error I’m receiving now is “remote desktop gateway is unavailable”.

    The more frustrating thing is that there are no logs about where the connection is being dropped or denied. I never reach my session host, and the trunk I’ve configured is only publishing RDS; it’s not being used for anything else.

    Do you have any suggestions, or maybe a way to look for more detailed info about the connection attempt to diagnose where exactly the issue is?

    I’m pretty sure it is something in the RD Gateway at UAG, but since it has not many configuration options, I don’t know what proper configuration it requires.

    Thanks in advance Shijaz!!

    • Jason says:

      Hello,

      I had the same issue with an earlier release of UAG and found that I had to re-install the UAG software to get around this. Not a great fix, I know, but I tried everything else. It doesn’t seem to have occurred in the Eval version, however?

  4. Marc says:

    Check if the gateway service is running on the UAG server.

  5. Miguel says:

    Hi,

    A question. The certificate used must be a public certificate or can it be a private certificate?

    Thank You
    Miguel

  6. Box293 says:

    Miguel,
    The certificate can be a private one, but the computer that you are connecting from must have the private CA certificate installed in its Trusted Root Certification Authorities.
