The RDS Gateway is crucial component for VM Clouds in Azure pack and gives your tenants option to connect to their VMs console. I found many guides how to configure it either with selfsigned certificate or certificates from internal CA. For production use, RDS Gateway needs to be published externally with Trusted certificate. Note that for Azurepack console connect we need second certificate from internal CA. Here is my approach.
- Internal Windows Certificate authority
- Dedicated server for RDS gateway (or two for HA)
- Functional VM Cloud infrastructure (Azurepack, VMM, SPF and Hyper-V hosts)
- Public certificate from trusted Certificate authority (I will use wildcard certificate from Godaddy)
- Public DNS and public IP pointing to your RDGW server
RDS Gateway installation
Run following in powershell:
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools
RD Gateway Console Connect Installation
Insert System Center 2012 R2 VMM installation media into RDGW server and install the RD Gateway Console Connect pluggable, here is the path:
Import Public Certificate into RD Gateway Console
Next open the RDS Gateway console. Right click on the server name and select Properties.
In SSL Certificate, import your Public certificate(in my case wildcard certificate from Godaddy)
Internal Certificate Preparation
An internal certificate is needed to establish trust between VMM, RDS Gateway and Hyper-V hosts.
Create Certificate Template:
- Open the certificate template console, click Manage find Workstation Authentication template and duplicate it.
- Rename template to WapConsole. And change validity period to 2 years.
- On Request Handling tab, select Allow private key to be exported.
- On Cryptography tab, set the minimum key size to 4096. Next in Providers, you have to choose Microsoft Enhanced RSA and AES Cryptographic Provider.
- In Security tab, be sure that your servers and you can make enrollment. To make things simple, add the group Domain Computers and grant it Read and Enroll rights.
- Click on apply and close the certificate template console.
In the Certification Authority console, right click on Certificate Templates, New and Certificate Template to Issue. Select the WapConsole template and click OK.
Enroll Internal Certificate
- On the VMM Server, open a mmc and add the Local Certificate computer console. Navigate to Personal and right click on Certificates. Select All Tasks and Request New Certificate.
- On request certificates screen, select WapConsole template that you have just created and click on Click here to configure settings.
- In Subject Name, choose Common Name as type. In value I have specified rdgw.bkgcloud.sk
In Alternative name, I have added these DNS values: rdsgw01.cloud.local (I have added also rdsgw02.cloud.local as I will install second GW server later)
- Click on apply and click on Enroll.
Export Certificate as PFX and CER
Once you enrolled the certificate, we need to Export it as PFX and CER (with and without private key)
Import Certificate to VMM Database and Hyper-V hosts
Run below script on VMM server (make sure all Hyper-V hosts are reachable)
# Path to PFX certificate
$MyPFX = Get-ChildItem „c:\temp\rdgw.bkgcloud.sk.pfx“
# Password of the PFX
$PWD = Read-Host –AsSecureString
# VMM FQDN server name.
$VMM = „vmm01.cloud.local“
## Main Code
Set-SCVMMServer -VMMServer $VMM `
-VMConnectHostIdentificationMode FQDN `
-VMConnectGatewayCertificatePath $MyPFX `
-VMConnectGatewayCertificatePassword $PWD `
-VMConnectHyperVCertificatePath $MyPFX `
-VMConnectHyperVCertificatePassword $PWD `
Get-SCVMHost -VMMServer $VMM | Read-SCVMHost
Import internal certificate to RDS Gateway Server (CER)
Copy the CER certificate to RDS Gateway server and import it.
Add Certificate to Trusted Issuer Certificate
On RDS Gateway server, run following script (update your RDGW server name and CER certificate thumbprint):
$Server = “rdsgw01.cloud.local”
$Thumbprint = “9938B72078CE897466EFDSF69F78239FA5D30C6B3”
$Tsdata = Get-WmiObject –computername $Server –NameSpace “root\TSGatewayFedAuth2” –Class “FedauthSettings”
$TSData.TrustedIssuerCertificates = $Thumbprint
IIS Reset on RD Gateway server
Creating Internal DNS zone for bkgcloud.sk
I had to create internal DNS zone for bkgcloud.sk and add RDGW.bkgcloud.sk record pointing to RDS Gateway internal IP.
Publishing RDGW to the internet
- Updating public DNS record for RDGW.bkgcloud.sk, pointing to Public VIP assigned on my firewall
- Creating FW rules, NAT, allowing 443 from internet to my RDS Gateway server
Azure pack integration with RD Gateway
- Login to Azure pack admin portal, go to VMM properties and add the Remote Desktop Gateway FQDN, in my case rdgw.bkgcloud.sk
- Update your hosting plans and check the box Connect to the console of virtual machines
Once you finish all above, you can start testing your Console connect 🙂