I have a new RDS 2012 R2 installation with a gateway problem. Users can connect to VMs by VM name but not by Collection. I am using the following configuration:
- 2 connection brokers in the internal 10.5.1.0 subnet also running RD web access
- 1 gateway in the DMZ 10.0.0.0 subnet also running RD web access with a public facing DNS name of RDSVM.contoso.com and a gateway name of RDSVMGW.contoso.com.
- 4 VDI Hosts in the 10.5.1.0 subnet running 12 collections of Windows 7 VMs.
- All server firewalls are turned off on all nodes.
- All ports to the internal network from the gateway servers are enabled.
- CAP and RAP on Gateway are set to allow domain_users to access any resource.
- All RDS resources are configured to use a wildcard certificate where SN=*.contoso.com.
- All servers are members of the contoso.com domain.
From the internal network I have NO problems connecting to VMs in any collection using the URL: https://RDSVM.contoso.com/rdweb. This traffic does not go through the gateway; rather, it goes directly to the connection broker.
From the Internet I get the following strange results:
Case 1: Windows 7 can't connect to a collection through the gateway
A Windows 7 machine connecting to the gateway server authenticates properly to the gateway and displays the collections, but when the user clicks on one of the collections he cannot connect to the associated VM.
When I click on the collection icon "wsoo1" I get the following event log messages on the gateway server:
The user "rick", on client computer "68.36.14.7:65535", has initiated an outbound connection. This connection may not be authenticated yet.
The user "rick", on client computer "68.36.14.7:65535", has initiated an outbound connection. This connection may not be authenticated yet.
The user "rick", on client computer "68.36.14.7:49154", has initiated an inbound connection. This connection may not be authenticated yet.
The user "rick", on client computer "68.36.14.7:49154", has initiated an inbound connection. This connection may not be authenticated yet.
The user "rick", on client computer "68.36.14.7:49154", has initiated an inbound connection. This connection may not be authenticated yet.
The user "CONTOSO\Rick", on client computer "68.36.14.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".
The user "CONTOSO\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "RDSVM.CONTOSO.COM".
The user "CONTOSO\Rick", on client computer "68.36.14.7", connected to resource "RDSVM.CONTOSO.COM". Connection protocol used: "HTTP".
The user "CONTOSO\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "RDSVM.CONTOSO.COM". Before the user disconnected, the client transferred 6338 bytes and received 7673 bytes. The client session duration was 1 seconds. Connection protocol used: "HTTP".
Case 2: Windows 7 can connect to a named VM through the gateway.
If the same Windows 7 machine connects to the gateway, selects "Connect to a remote PC", and manually names a VM in the previously selected collection, he can connect to the VM.
When I specify a specific VM in the collection, it works and I get this on the gateway:
The user "Rick@Contoso", on client computer "68.36.14.7:56587", has initiated an outbound connection. This connection may not be authenticated yet.
The user "Rick@Contoso", on client computer "68.36.14.7:56588", has initiated an inbound connection. This connection may not be authenticated yet.
The user "Rick@Contoso", on client computer "68.36.14.7:56588", has initiated an inbound connection. This connection may not be authenticated yet.
The user "Contoso\Rick", on client computer "68.36.14.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "wsoo1-1".
The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "wsoo1-1". Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "wsoo1-1". Before the user disconnected, the client transferred 2235 bytes and received 2402 bytes. The client session duration was 20 seconds. Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "wsoo1-1".
The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "wsoo1-1". Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "wsoo1-1". Before the user disconnected, the client transferred 2235 bytes and received 2706 bytes. The client session duration was 2 seconds. Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "wsoo1-1".
The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "wsoo1-1". Connection protocol used: "HTTP".
Case 3: iPad can connect to a collection through the gateway
An iPad connecting to a collection through the gateway authenticates properly to the gateway, displays the collections, and CAN connect to the associated VM.
When I click on the collection icon "wsoo1" from my iPad I get the following event log messages on the gateway server:
The user "Rick@Contoso.com", on client computer "68.36.14.7:49170", has initiated an outbound connection. This connection may not be authenticated yet.
The user "Rick@Contoso", on client computer "68.36.14.7:49170", has initiated an outbound connection. This connection may not be authenticated yet.
The user "Rick@Contoso.com", on client computer "68.36.14.7:49167", has initiated an outbound connection. This connection may not be authenticated yet.
The user "Rick@Contoso", on client computer "68.36.14.7:49171", has initiated an inbound connection. This connection may not be authenticated yet.
The user "Rick@Contoso", on client computer "68.36.14.7:49171", has initiated an inbound connection. This connection may not be authenticated yet.
The user "Rick@Contoso", on client computer "68.36.14.7:49171", has initiated an inbound connection. This connection may not be authenticated yet.
The user "Contoso\Rick", on client computer "68.36.14.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".
The user "Rick@Contoso", on client computer "68.36.14.7:49171", has initiated an inbound connection. This connection may not be authenticated yet.
The user "Contoso\Rick", on client computer "68.36.14.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".
The user "Rick@Contoso", on client computer "68.36.14.7:49171", has initiated an inbound connection. This connection may not be authenticated yet.
The user "Contoso\Rick", on client computer "68.36.14.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "RDSVM.CONTOSO.COM".
The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "RDSVM.CONTOSO.COM". Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "RDSVM.CONTOSO.COM". Before the user disconnected, the client transferred 6418 bytes and received 8945 bytes. The client session duration was 1 seconds. Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "172.26.0.51".
The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "172.26.0.51". Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "172.26.0.51". Before the user disconnected, the client transferred 937 bytes and received 1750 bytes. The client session duration was 0 seconds. Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "172.26.0.51".
The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "172.26.0.51". Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "wsoo1-1". Before the user disconnected, the client transferred 59920 bytes and received 865127 bytes. The client session duration was 833 seconds. Connection protocol used: "HTTP".
And at this point my iPad connects to wsoo1-1.
I have been trying to resolve this problem for a month now and have found nothing on the Internet or the forums that is applicable.
Any assistance available would be appreciated.
What am I doing wrong?
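The three cases above differ in which resources the gateway reports a "connected to resource" event for after the RAP check. As an added example (not part of the original post), the Python below parses the gateway's event messages by their text, strips the ephemeral client port, and classifies each attempt by whether the client only ever reached the web/broker name, was redirected on to a VM, or went to a VM directly. It assumes that the first RAP resource, RDSVM.CONTOSO.COM, is the broker hop the client is told to reach (an assumption taken from the RAP events in the post, not something the post states); the embedded log lines are copied from the post, trimmed to the RAP/connect/disconnect messages.

```python
"""Parse RD Gateway operational-log messages (as pasted in the post) and
summarize which resources each connection attempt actually reached."""
import re
from collections import defaultdict

# Every message starts with the user and the client address (sometimes with a port).
_PREFIX = r'The user "(?P<user>[^"]+)", on client computer "(?P<client>[^"]+)", '

# Message shapes seen in the post; the first matching pattern wins.
_PATTERNS = [
    ("initiated", re.compile(_PREFIX + r'has initiated an (?P<direction>inbound|outbound) connection')),
    ("cap_ok", re.compile(_PREFIX + r'met connection authorization policy requirements.*?'
                          r'authentication method used was: "(?P<auth>[^"]+)" and '
                          r'connection protocol used: "(?P<proto>[^"]+)"')),
    ("rap_ok", re.compile(_PREFIX + r'met resource authorization policy requirements and was '
                          r'therefore authorized to connect to resource "(?P<resource>[^"]+)"')),
    ("connected", re.compile(_PREFIX + r'connected to resource "(?P<resource>[^"]+)"\. '
                             r'Connection protocol used: "(?P<proto>[^"]+)"')),
    ("disconnected", re.compile(_PREFIX + r'disconnected from the following network resource: '
                                r'"(?P<resource>[^"]+)"\. Before the user disconnected, the client '
                                r'transferred (?P<sent>\d+) bytes and received (?P<received>\d+) '
                                r'bytes\. The client session duration was (?P<duration>\d+) seconds')),
]
_INT_FIELDS = ("sent", "received", "duration")


def parse_gateway_log(text):
    """Turn raw message lines into event dicts; lines that match nothing are skipped."""
    events = []
    for line in text.strip().splitlines():
        for kind, pattern in _PATTERNS:
            m = pattern.match(line.strip())
            if m:
                ev = {"kind": kind, **m.groupdict()}
                for f in _INT_FIELDS:
                    if f in ev:
                        ev[f] = int(ev[f])
                ev["client"] = ev["client"].split(":")[0]  # drop the ephemeral port
                events.append(ev)
                break
    return events


def connected_resources(events):
    """Resources the gateway logged a 'connected to resource' event for, in order."""
    return [e["kind"] == "connected" and e["resource"] for e in events if e["kind"] == "connected"]


def classify_attempt(events, broker_fqdn):
    """'broker_only' if the client only ever reached broker_fqdn, 'redirected' if it
    reached broker_fqdn and then something else, 'direct' if it never touched the
    broker, 'none' if no 'connected' event was logged. Comparison is case-insensitive."""
    chain = [r.lower() for r in connected_resources(events)]
    broker = broker_fqdn.lower()
    if not chain:
        return "none"
    if all(r == broker for r in chain):
        return "broker_only"
    if chain[0] == broker:
        return "redirected"
    return "direct"


def session_summary(events):
    """Per resource: session count, total seconds, bytes the client sent and received."""
    summary = defaultdict(lambda: {"sessions": 0, "seconds": 0, "sent": 0, "received": 0})
    for e in events:
        if e["kind"] != "disconnected":
            continue
        s = summary[e["resource"]]
        s["sessions"] += 1
        s["seconds"] += e["duration"]
        s["sent"] += e["sent"]
        s["received"] += e["received"]
    return dict(summary)


# Log lines copied from the post (trimmed to the RAP/connect/disconnect messages).
CASE1_LOG = r"""
The user "rick", on client computer "68.36.14.7:65535", has initiated an outbound connection. This connection may not be authenticated yet.
The user "CONTOSO\Rick", on client computer "68.36.14.7", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".
The user "CONTOSO\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "RDSVM.CONTOSO.COM".
The user "CONTOSO\Rick", on client computer "68.36.14.7", connected to resource "RDSVM.CONTOSO.COM". Connection protocol used: "HTTP".
The user "CONTOSO\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "RDSVM.CONTOSO.COM". Before the user disconnected, the client transferred 6338 bytes and received 7673 bytes. The client session duration was 1 seconds. Connection protocol used: "HTTP".
"""
CASE2_LOG = r"""
The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "wsoo1-1".
The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "wsoo1-1". Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "wsoo1-1". Before the user disconnected, the client transferred 2235 bytes and received 2402 bytes. The client session duration was 20 seconds. Connection protocol used: "HTTP".
"""
CASE3_LOG = r"""
The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "RDSVM.CONTOSO.COM".
The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "RDSVM.CONTOSO.COM". Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "RDSVM.CONTOSO.COM". Before the user disconnected, the client transferred 6418 bytes and received 8945 bytes. The client session duration was 1 seconds. Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", met resource authorization policy requirements and was therefore authorized to connect to resource "172.26.0.51".
The user "Contoso\Rick", on client computer "68.36.14.7", connected to resource "172.26.0.51". Connection protocol used: "HTTP".
The user "Contoso\Rick", on client computer "68.36.14.7", disconnected from the following network resource: "wsoo1-1". Before the user disconnected, the client transferred 59920 bytes and received 865127 bytes. The client session duration was 833 seconds. Connection protocol used: "HTTP".
"""

if __name__ == "__main__":
    for name, log in (("case1", CASE1_LOG), ("case2", CASE2_LOG), ("case3", CASE3_LOG)):
        ev = parse_gateway_log(log)
        print(name, classify_attempt(ev, "RDSVM.contoso.com"), session_summary(ev))
```

Run it against the Message field of events exported from the Microsoft-Windows-TerminalServices-Gateway/Operational log on the gateway (one message per line). Matching on message text rather than event IDs keeps the parser independent of the ID scheme; the classification only reports what the gateway saw, so a "broker_only" result for a collection launch says the client never asked the gateway for a second resource, not why.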