• Implement HA for your RDS gateways
• Put a session host into maintenance

9.4. Secure the 1st RDS web access

To secure your 1st RDS web access, you will need to go through the Internet Information Services (IIS) Manager.

In the window that opens :

• choose your server
• click on "Server certificates" in the middle section
• then, on "Create Certificate Request" in the right column

Since your users will access your RDS web accesses via the cluster name, the certificate to be used will have to be generated for the cluster name and NOT for the name of each RDS web access server.
So, in our case, we'll make a certificate request for the "rds.informatiweb.lan" domain name.

Submit the request to your certification authority via its web interface and download the provided certificate.
Then, in IIS, click "Complete Certificate Request".

In the "Complete Certificate Request" window that appears :

• select the certificate you just downloaded
• specify the name of your RDS cluster (in our case : rds.informatiweb.lan) as the friendly name
• select what you want for the certificate store

The "rds.informatiweb.lan" certificate appears in the list of server certificates.

Select the default site in : [Name of your 1st RDS server] -> Sites.
Then, click Links in the right column.
Edit the HTTPS binding and select your new certificate : rds.informatiweb.lan.

9.5. Secure the 2nd RDS web access

Since the certificate to be used will be the same, you only need to export the one obtained from the first RDS server and then import it on your 2nd RDS server.
However, you will not be able to simply copy/paste the certificate downloaded from the web interface of your CA, because the downloaded file is in "cer" format and not "pfx".
Indeed, the downloaded certificate doesn't contain the private key that goes with it.

In order to obtain the certificate and the associated private key, and therefore a certificate in pfx format, you will need to export it from the certificate store of your 1st RDS server.

For those who don't know how to access the certificate store of your server, here is the procedure :

• launch the "mmc.exe" program
• go to the File menu and click : Add/Remove Snap-in
• select the "Certificates" component for the local computer

Then, in "Personnel -> Certificates", export the "rds.informatiweb.lan" certificate.

Select "Yes, export the private key" to obtain a certificate in PFX format.

Leave the default options and click Next.

Provide a password to protect the private key.

Select where you want to save the certificate in PFX format.

Open the certificate store on your 2nd RDS server and go back to : Personal -> Certificates.
Then, right click "All Tasks -> Import".

Copy/paste the certificate exported from your 1st server to your 2nd RDS server and select it here.

Enter the password previously specified to protect the private key.

The destination certificate store must be : Personal.

Your "rds.informatiweb.lan" certificate appears with a small key displayed on the certificate icon.

Open the Internet Information Services (IIS) Manager on your 2nd RDS server and go back to: [Your server name] -> Server Certificates (in the middle part).
You should see your "rds.informatiweb.lan" certificate.

If this is not the case, the private key associated with this certificate is probably missing. This can happen if you export a certificate in "cer" format (without private key) instead of the "pfx" format (certificate + private key).

Select the default site for your RDS server and edit the HTTPS binding.
In the list of SSL certificates available, you will find your "rds.informatiweb.lan" certificate.

9.6. Test access to the RDS web access cluster

To test access to your cluster, try to access the "https://rds.informatiweb.lan/RDWeb" address from a client computer.
Then, log in with a user of your Active Directory.

RemoteApp programs or desktops appear.