Can't connect to any resources via RD Gateway from External address, while I can from my internal network FQDN

I've seen a lot of discussions about this in this forum, but I'm not able to get this to work. 

I've got a single server with all of the RD roles installed on it with valid licenses. It's behind a router with a single static IP address assigned to the WAN interface with ports 3391-UDP and 443-TCP forwarded to my internal local static IP on my Windows Server 2012 R2 machine. It is part of a local domain; let's call it "server1.domain.local."

Connections from within my local network to https://server1.domain.local/RDWeb allow a published application to run properly. 

When I look at the Deployment Properties of RD Web Access Server it points to a non-editable entry called https://server1.domain.local/RDWeb, not my external FQDN.

I used the, "Change published FQDN for Server 2012 or 2012 R2 RDS Deployment" https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 to see if that helps, but it doesn't seem to work. The local value still shows up in the Deployment Properties of RD Web Access Server.

I am likely to be unable to set up a public network interface with the external FQDN on it, namely remote1.domain.com as an example. I need to keep the server behind the firewall and continue using port forwarding with NAT.

When I connect to https://remote1.domain.com/RDWeb I can see the published apps. I've had various failures from this point on. Right now I'm getting "RemoteApp Disconnected: User account not authorized, or computer not authorized, or incompatible method."

I have a public Cert that works fine. The same cert was used for all 4 required roles. I created a .pfx exported from IIS for this purpose with a third party certificate authority. 

I also tried setting up an mstsc connection with the public external FQDN used as a gateway. This fails, too. 

I used the Add Roles and Features, RDS installation, Quick, Session-based to set this all up. 

I thought maybe my Gateway just wasn't working properly. I uninstalled it, rebooted, and re-installed it. No joy. 

Domain Users can access RDS via mstsc locally. 

I can't figure out where to look next. 

I thought this would be instructive:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/67dfab70-7e10-4e0b-a3c8-63ce776f2355/how-do-i-change-the-url-to-the-remote-web-access-server-in-windows-server-2012?forum=winserverTS

However I'm still getting nowhere. 

If you have any suggestions, please be specific and clear. I expect I'm missing something. For example someone posted this at the previously mentioned page, "1. Please configure the RD Gateway FQDN in deployment settings so that it is set to the external address for your server, for example, remote.yourdomain.com."

Obviously, if I could do that I might not have a problem, but how does one do that in my circumstance? 

Help.

Thanks,

Steven

September 4th, 2015 6:27am

Hi Steven,

It's behind a router with a single static IP address assigned to the WAN interface with ports 3391-UDP and 443-TCP forwarded to my internal local static IP on my Windows Server 2012 R2 machine.

To enable external users to access RD Web page, please register a public Host record for the public FQDN and IP address on a public DNS server.

When I connect to https://remote1.domain.com/RDWeb I can see the published apps. I've had various failures from this point on. Right now I'm getting "RemoteApp Disconnected: User account not authorized, or computer not authorized, or incompatible method."

Please ensure appropriate Connection and Resource Authorization policies are configured.

More information for you:

Create an RD CAP

https://technet.microsoft.com/en-us/library/cc753324.aspx?f=255&MSPPError=-2147217396

Creating an RD RAP

https://technet.microsoft.com/en-us/library/gg675308(v=ws.10).aspx

Best Regards,

Amy

September 7th, 2015 8:29am

Hi Steven,

1. The url that shows in Deployment Properties -- RD Web Access tab is irrelevant, so there is no need to focus on how to change it.

2. Did you install RD Gateway Role Service using Server Manager -- RDS -- right-click on RD Gateway icon?  If yes, did you set the external FQDN for it in Server Manager -- RDS -- Overview -- Deployment Overview -- Tasks -- Edit Deployment Properties -- RD Gateway tab?  Please note you need to have a certificate configured for it issued from a trusted public authority and the name on the certificate needs to match the FQDN.

3. Have you created a DNS A record on the internal network pointing to the private ip address of your RD Connection Broker server for the published FQDN?  To be clear, I am referring to the name you configured using Set-RDPublishedName cmdlet, which in your case should be the same as your RDG since you have a single server.

4. As Amy mentioned, on the public Internet, have you created a DNS A record for your RD Gateway FQDN pointing to the public ip address?  I believe you already have done this, but I will mention it anyway for completeness.

5. In RD Gateway Manager, Properties of the RD RAP, Network Resource tab, please select Allow users to connect to any Network Resource.  Later you can create a local RDG-managed group with the required names if you want and choose that option instead.

6. If after completing the above you are still having issues please post the precise error message text you are seeing along with a description of the symptoms and steps taken.

Thanks.

-TP

September 8th, 2015 5:32am

I have a registered public host record pointing to my router's WAN IP on a public DNS server. 

I had an RD CAP and an RD RAP. I failed to check them again after re-installing the RD Gateway. They are gone.

However I can't create a new policy. Whenever I try to add a group, the MMC crashes: "Microsoft Management Console has stopped working."

It has always crashed when I tried to add a group. Now I have no policies even with the default group created by the wizard, namely, "domain users"

If I run the Debug function I get, "Unhandled exception at 0x00007FFAA8658FA8 (clr.dll) in mmc.exe: Stack cookie instrumentation code detected a stack-based buffer overrun." This might just be a fault in the debugger. I have no symbols loaded. Especially, clr.pdb is not loaded.

So I have a new problem now; I can't create either of the required policies. Any ideas? 

September 8th, 2015 1:56pm

Hi TP,

1. Good.

2. Yes, I created the external FQDN for it in Server Manager -- RDS -- Overview -- Deployment Overview -- Tasks -- Edit Deployment Properties -- RD Gateway tab pointing to my externally resolved DNS address. It matches the cert.

3. No, I didn't create it. That DNS entry is created automatically when I joined the computer to the domain. So the internal server's name is already in DNS. 

When I used Set-RDPublishedName cmdlet, I set the name to my external name of my host, not the internal one on my network. I suppose I could set it back, but that didn't work either. That's why I tried using Set-RDPublishedName cmdlet. 

Should I create a new zone in my local DNS for my externally resolved name? That seems unnecessary as public DNS does resolve already for that FQDN. My internal DNS does use external forwarders. 

4. Yes.

5. I can't really even create an RD RAP or RD CAP at this point because MMC crashes every time I try to add a group to either policy. Those policies had been created by the wizard, but now they are gone. I uninstalled the RD Gateway and re-installed it when all of this appeared not to be working. Now the policies, that didn't seem to work, aren't even there. 

Do you suppose I should wipe all of the roles and start over? 

Thanks,

Steven

September 8th, 2015 2:12pm

Hi Steven,

Should I create a new zone in my local DNS for my externally resolved name? That seems unnecessary as public DNS does resolve already for that FQDN. My internal DNS does use external forwarders. 

A:  Yes, you should create a new zone in your local DNS for the external name.  In this zone you create a DNS A record for the published FQDN (the one used with Set-RDPublishedName) and point it to the private ip address of your server.  You want to use Set-RDPublishedName to make the published FQDN match your certificate.  In your case that means your RD Gateway FQDN and published FQDN will be the same (remote1.domain.com in your example).

I can't really even create an RD RAP or RD CAP at this point because MMC crashes every time I try to add a group to either policy. Those policies had been created by the wizard, but now they are gone. I uninstalled the RD Gateway and re-installed it when all of this appeared not to be working. Now the policies, that didn't seem to work, aren't even there. 

A:  This is not normal.  One thing you can try is to create a new domain admin account and try using RD Gateway Manager with it instead of your current account.  The idea is something is corrupt in your profile that is crashing RDG Manager and a new account will fix this.  It is important to modify the default RD RAP as I mentioned above in order to allow the external FQDN to be used.

If you cannot easily correct the issue with RD Gateway Manager then I suggest you consider wiping and starting over.  Before doing that please be sure to export your certificate and its private key to a .pfx file as well as backup any data you may need.

Thanks.

-TP

September 9th, 2015 3:08am
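The steps TP lays out across both replies (RD Gateway FQDN in Deployment Properties, one public certificate on all four roles, an internal DNS zone for the external name pointing at the private IP, and an RD CAP plus an RD RAP that allows any network resource) can be scripted instead of clicked through. The block below is an added example written for this thread, not code posted by Steven, Amy, TP or Microsoft. It uses the RemoteDesktop, DnsServer and RemoteDesktopServices modules that ship with Windows Server 2012 R2; the host names follow Steven's examples, while the private IP, PFX path, policy names and group name are assumptions. It also assumes the published name has already been changed with the gallery Set-RDPublishedName script, as Steven describes. Because the CAP and RAP are created through the RDS: provider rather than RD Gateway Manager, it is also a way to get policies in place while the MMC snap-in is crashing.

```powershell
# Added example (not from the thread). Assumed values standing in for Steven's environment:
$Broker       = 'server1.domain.local'   # internal name of the all-in-one RDS server
$ExternalFqdn = 'remote1.domain.com'     # public name that is on the certificate
$InternalIp   = '192.168.1.10'           # private IP behind the NAT router (assumed)
$UserGroup    = 'Domain Users@domain.local'
$PfxPath      = 'C:\certs\remote1.pfx'   # the public cert exported from IIS (assumed path)

Import-Module RemoteDesktop
Import-Module DnsServer
Import-Module RemoteDesktopServices      # provides the RDS: drive used for RD Gateway policies

# 1. Deployment Properties -- RD Gateway tab: clients must be told the external FQDN.
#    BypassLocal lets LAN clients connect directly instead of through the gateway.
Set-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker `
    -GatewayMode Custom -GatewayExternalFqdn $ExternalFqdn `
    -LogonMethod Password -UseCachedCredentials $true -BypassLocal $true

# 2. Same publicly trusted certificate on every role; its subject must match $ExternalFqdn.
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
foreach ($Role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    Set-RDCertificate -Role $Role -ImportPath $PfxPath -Password $PfxPassword `
        -ConnectionBroker $Broker -Force
}

# 3. Split DNS (TP's second reply): a zone for the public name on the internal DNS server,
#    with an A record at the zone apex pointing at the private IP, so internal clients
#    resolve remote1.domain.com to the server itself rather than to the router's WAN address.
if (-not (Get-DnsServerZone -Name $ExternalFqdn -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ExternalFqdn -ReplicationScope Domain
}
Add-DnsServerResourceRecordA -ZoneName $ExternalFqdn -Name '@' -IPv4Address $InternalIp

# 4. RD CAP (who may connect and how they authenticate) and RD RAP (which resources).
#    AuthMethod 1 = password; ComputerGroupType 2 = "any network resource" (TP's step 5).
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'RDG_CAP_DomainUsers' `
    -UserGroups $UserGroup -AuthMethod 1
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'RDG_RAP_AnyResource' `
    -UserGroups $UserGroup -ComputerGroupType 2

# 5. Checks to run before trying a client again.
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Broker   # GatewayExternalFqdn should be remote1.domain.com
Get-RDCertificate -ConnectionBroker $Broker                      # all four roles: Subject CN=remote1.domain.com, Level Trusted
Resolve-DnsName -Name $ExternalFqdn -Server $InternalIp          # internal DNS must answer with the private IP
Get-ChildItem 'RDS:\GatewayServer\CAP', 'RDS:\GatewayServer\RAP' # both policies should be listed
Test-NetConnection -ComputerName $ExternalFqdn -Port 443         # from outside the NAT: TCP 443 must reach the gateway
```

Run it elevated on the server itself. The RAP created here is deliberately as permissive as TP suggests for getting a first connection working; once that succeeds, replace ComputerGroupType 2 with an RDG-managed computer group (ComputerGroupType 0) that lists only the session host, so the gateway cannot be used to reach other hosts on the internal network.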
