Secure an RD Gateway using Let’s Encrypt

I have recently been working on a project to build and deploy a Terminal Server for a client and configure an RD Gateway to allow for external contractors to use it.

After some internal discussion, it was decided that we would use a Let’s Encrypt SSL certificate for the gateway. One downside of using Let’s Encrypt however is that the certificates expire every 90 days. As such we needed to find a solution to automate the renewal process.

We settled on using an application called Certify the Web, a GUI which allows you to obtain a Let’s Encrypt certificate and have it renew automatically.

Prerequisites

Certify the Web needs to validate that you own the domain for which you want to generate a certificate. This can be done by either HTTP validation or DNS validation. For this example, I have chosen to use HTTP validation. As such, there are a couple of things which need to be done first:

  1. Ensure you have set an FQDN for the RD Gateway server name (we’ll be using terminal.customer.domain for this example).

  2. Create an A record in your public-facing DNS pointing the gateway FQDN to your public IP address.

  3. Create a new zone and A record in your internal DNS pointing the server’s FQDN to its internal IP address.

  4. Create a NAT rule in your firewall to forward TCP ports 80 and 443 from the public IP address to the server’s internal IP address.

  5. Add an HTTP binding to the Default Web Site in IIS on your RDS server. The host name of the binding should match the RD Gateway server FQDN.

The above will need to be done in order for the HTTP validation to complete successfully. You can confirm that all of this is working by opening your web browser and navigating to the gateway’s FQDN you set, in this case http://terminal.customer.domain. You should see the IIS splash screen.
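The browser check above only proves that the splash page loads. The following script, which is an added example and not part of the original article or of Certify the Web, runs each prerequisite through PowerShell on the RDS server: the public and internal A records, the IIS host-header binding, the port 80 listener, and a fetch of a probe file placed under the .well-known/acme-challenge path that Let’s Encrypt will request. The FQDN is the one used in this article; the public resolver address (8.8.8.8) and the probe file name are assumptions you can change.

```powershell
# Added example (not from the original article): check the HTTP-01 prerequisites
# for the gateway FQDN before requesting a certificate. Run on the RDS server.
param(
    [string]$Fqdn = 'terminal.customer.domain'   # FQDN used in the article
)

$ok = $true

# 1. Public DNS: ask an external resolver so the internal split-DNS zone is bypassed.
#    8.8.8.8 is an assumed public resolver; use whichever one you trust.
$public = Resolve-DnsName -Name $Fqdn -Type A -Server 8.8.8.8 -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'A' }
if ($public) { Write-Host "Public A record: $($public.IPAddress -join ', ')" }
else { Write-Warning "No public A record found for $Fqdn"; $ok = $false }

# 2. Internal DNS: the same name must resolve to one of this server's own addresses.
$internal = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
$localIps = (Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.IPAddress -notlike '127.*' }).IPAddress
if ($internal -and ($internal.IPAddress | Where-Object { $localIps -contains $_ })) {
    Write-Host "Internal A record points at this server"
} else { Write-Warning "Internal DNS for $Fqdn does not point at this server"; $ok = $false }

# 3. IIS: an HTTP binding on the Default Web Site whose host header is the FQDN.
Import-Module WebAdministration
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol http |
           Where-Object { $_.bindingInformation -like "*:80:$Fqdn" }
if ($binding) { Write-Host "IIS http binding found: $($binding.bindingInformation)" }
else { Write-Warning "No http binding for $Fqdn on Default Web Site"; $ok = $false }

# 4. Port 80 must accept connections by name. Tested from this host it proves the
#    local listener only; the NAT rule can only be proven from outside the network.
#    Port 443 matters for gateway traffic once the HTTPS binding exists, not for HTTP-01.
$t = Test-NetConnection -ComputerName $Fqdn -Port 80 -WarningAction SilentlyContinue
if (-not $t.TcpTestSucceeded) { Write-Warning "TCP 80 to $Fqdn failed"; $ok = $false }

# 5. Serve a probe from the challenge path. A .txt file is used because IIS does not
#    serve extensionless files by default; Certify the Web adds its own web.config
#    for the real, extensionless challenge token.
$root = [Environment]::ExpandEnvironmentVariables((Get-Website -Name 'Default Web Site').physicalPath)
$dir  = Join-Path $root '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$probe   = Join-Path $dir 'probe.txt'          # assumed probe file name
$expect  = "probe-$(Get-Random)"
Set-Content -Path $probe -Value $expect -NoNewline
try {
    $r = Invoke-WebRequest -Uri "http://$Fqdn/.well-known/acme-challenge/probe.txt" `
                           -UseBasicParsing -TimeoutSec 10
    if ($r.Content.Trim() -eq $expect) { Write-Host "Challenge path served correctly" }
    else { Write-Warning "Challenge path returned unexpected content"; $ok = $false }
} catch { Write-Warning "GET of challenge probe failed: $_"; $ok = $false }
finally { Remove-Item -Path $probe -ErrorAction SilentlyContinue }

if ($ok) { Write-Host "All HTTP-01 prerequisites look good" } else { exit 1 }
```

A non-zero exit code from this script means one of the five prerequisites is not met; fix that item before clicking Test in Certify the Web rather than debugging the ACME challenge itself.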

Install Certify the Web

Now that we have the prerequisites out of the way, you will need to go to https://docs.certifytheweb.com in your web browser and download the Certify the Web installation file.

This will need to be installed onto your RDS server. If you downloaded it on this server then go ahead and install the application. If not, copy it to the correct server.

Configure Certify the Web

Once you have the application installed, go ahead and launch it. Immediately you will be asked for a contact email address. Provide the desired email address, click the Yes I Agree option and then register.

When you are shown the main application interface, click on New Certificate.


On the Certificate Domains tab you will need to change the website in the drop-down to the Default Web Site. In the Add Domains to certificate box, enter the FQDN for the RD Gateway server. Once done, click the Add Domains button.

Once you have added the domain, you will see a new row is added to the Certificate Domains tab. Confirm that the domain is there and then click the Authorization tab.

On the Authorization tab, there are 3 pieces of information which we need to provide, the Domain Match, Challenge Type and Website root directory.

The domain match will be the same as what we entered on the previous page. You will need to select HTTP-01 in the Challenge Type drop-down menu. You can obtain the website root directory by exploring the website within IIS.

Once these three fields are completed, proceed to the Deployment tab. On this tab you will need to make sure that the Deployment Mode drop-down is set to Single Site (Selected in Domains tab) and also ensure that only the Binding hostname not specified (IP only or all Unassigned) option is set.

Now we are ready to test and make sure our HTTP validation is going to be successful. Click on the Test button above the tab selection. If it works successfully then you should see the following:

Great! We have confirmed that our HTTP validation is going to be successful. However, we aren’t yet ready to request the certificate. This application will automatically renew the certificate for us and update the IIS bindings; however, it won’t install the certificate into our RDS roles.

Handily, Certify the Web’s functionality can be extended with PowerShell. The application is able to run PowerShell scripts before and/or after renewal.

When running after renewal, the parameter $result is passed through to PowerShell, which can then be used to do various things with the generated certificate. In our case, we will be using a script to update the certificate used by our different RDS roles.

Go ahead and launch PowerShell and create a new file. Copy and paste the following into the file.

param($result)

# The RemoteDesktop module only loads in 64-bit PowerShell. If this script is started
# by a 32-bit host process, the sysnative path exists and points at the real 64-bit
# System32; from a 64-bit host, sysnative does not exist and System32 is already 64-bit.
$ps64path = if (Test-Path "$env:windir\sysnative") {
   "$env:windir\sysnative\WindowsPowerShell\v1.0\powershell.exe"
} else {
   "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe"
}
set-alias ps64 $ps64path

ps64 -args $result -command {
   $result  = $args[0]
   $pfxpath = $result.ManagedItem.CertificatePath

   # Do not touch the RDS roles unless the renewed PFX is actually on disk
   if (-not (Test-Path $pfxpath)) { throw "Certificate file not found: $pfxpath" }

   Import-Module RemoteDesktop

   # Apply the same certificate to every RDS role
   Set-RDCertificate -Role RDPublishing -ImportPath $pfxpath -Force
   Set-RDCertificate -Role RDWebAccess  -ImportPath $pfxpath -Force
   Set-RDCertificate -Role RDGateway    -ImportPath $pfxpath -Force
   Set-RDCertificate -Role RDRedirector -ImportPath $pfxpath -Force
}

Save this script to an easily accessible location such as C:\Admin.

Now we want to go back to our Certify the Web application. Check the Show Advanced Options button. This will add the Scripting tab. Go ahead and click on the Scripting tab.

This is where you can specify the scripts you wish to run. We want to click on the … button for the Post-request PS Script section and browse to where we saved our PowerShell script.

Excellent, we’re now ready to request and generate our certificate. Go ahead and click the Request Certificate button.

This will take a short while to complete. If it completes successfully you should see the following:

Verify the Certificate Installation

Now that our certificate has been generated, we need to verify that it has been bound to the IIS site and installed into our RDS roles.

Firstly, go ahead and launch IIS Manager. Expand the site tree and locate the site for which we generated the certificate. Right-click on the site and click on Bindings.

Locate the HTTPS binding and then click Edit.


You should be able to see the SSL certificate which we generated selected in the SSL certificate drop-down menu.


Finally we need to confirm that our RDS roles have been updated. Launch Server Manager and click on the Remote Desktop Services role.

Under the Deployment Overview section, go to Tasks -> Edit Deployment Properties.

Go to the Certificates tab. You should now be able to see that all the RDS roles are trusted. Select each one and click View Details to confirm that our new certificate has been selected.


Fantastic! You have successfully configured and deployed a Let’s Encrypt certificate which will automatically renew itself, update the IIS bindings and install into your RDS roles.
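The Server Manager check above is a one-off. Because the certificate is replaced every 90 days and the post-request script is the only thing that updates the RDS roles, a silent failure of that script would leave the gateway on an expiring certificate while IIS carries a fresh one. The following script, an added example that is not part of the original article or of Certify the Web, compares the thumbprint on each RDS role with the thumbprints bound to HTTPS in IIS and flags any role that is untrusted, out of step with IIS, or close to expiry. It assumes it runs on the RDS server that holds all the roles (as in this article) with the RemoteDesktop and WebAdministration modules available; the 30-day warning threshold is an assumed value.

```powershell
# Added example (not from the original article): confirm that the IIS HTTPS binding
# and every RDS role carry the same certificate, and warn when expiry is close.
param(
    [int]$WarnDays = 30   # assumed threshold; Let's Encrypt renews well before 90 days
)

Import-Module RemoteDesktop
Import-Module WebAdministration

# Thumbprints of every certificate currently bound to HTTPS in IIS
$iisThumbs = @(Get-ChildItem IIS:\SslBindings | ForEach-Object { $_.Thumbprint })
if ($iisThumbs.Count -eq 0) { Write-Warning 'No SSL bindings found in IIS'; exit 1 }

# Certificate assigned to each RDS role, as shown on the Certificates tab in Server Manager
$problems = 0
'{0,-14} {1,-42} {2,-12} {3}' -f 'Role', 'Thumbprint', 'Expires', 'Status'
foreach ($r in Get-RDCertificate) {
    $status = 'OK'
    if ($r.Level -ne 'Trusted') {
        $status = 'NOT TRUSTED'; $problems++
    } elseif ($iisThumbs -notcontains $r.Thumbprint) {
        # IIS was renewed but this role was not: the post-request script did not run
        $status = 'DIFFERS FROM IIS'; $problems++
    } else {
        $daysLeft = [int]($r.ExpiresOn - (Get-Date)).TotalDays
        if ($daysLeft -le $WarnDays) { $status = "EXPIRES IN $daysLeft DAYS"; $problems++ }
    }
    '{0,-14} {1,-42} {2,-12} {3}' -f $r.Role, $r.Thumbprint,
                                      $r.ExpiresOn.ToString('yyyy-MM-dd'), $status
}

# Non-zero exit so a scheduled task or monitoring agent can alert on it
if ($problems -gt 0) { exit 1 }
```

Run it as a daily scheduled task and alert on a non-zero exit code; a DIFFERS FROM IIS result is the signature of a renewal that succeeded in Certify the Web but never reached the RDS roles.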
