RDG Setup with DMZ

Bran100
Occasional Visitor

Hi Everyone!

I have this setup with two servers - RDG and Terminal Server. The RDG is in a DMZ and the Terminal Server is on the corporate network. I opened the appropriate ports and things are running mostly OK, except that some users on some days need multiple attempts to connect successfully.

What the user sees is the following RDG error

What I see in Event Viewer on the RDG server:

Event ID - 201 | Source - TerminalServices-Gateway

The user "DOMAIN\USER", on client computer "66.x.x.x", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

Now I have performed as much research as I could, and everything points to the NPS server needing to be registered, and it is registered. The RDG server is both on the domain and added to the RAS and IAS Servers AD group.

I went a step further in desperation and allowed all communication between the RDG server and the domain controllers, defeating the purpose of the DMZ, but that didn't bring the desired outcome.

P.S. Is there official Microsoft documentation on how to set up RDS where the RDG server is in a DMZ? I can't find any up-to-date articles which specify which ports need to be open for the setup to work.

The best I can find is this - https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/RD-Gateway-deployment-in-a-perim...

Thanks everyone!


Bran
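The three things the post checks by hand (the Event ID 201 failures, membership of the gateway in "RAS and IAS Servers", and whether the DMZ firewall actually lets the gateway reach the domain controllers) can be checked in one pass from the RD Gateway server. The script below is an added example written for this thread; it is not code from the original post or from Microsoft. It assumes it is run elevated on the gateway, that the RSAT ActiveDirectory module is installed for the group check, and that the domain controller names and the port list are placeholders you replace with your own (the ports listed are typical DC ports, not an authoritative list for RDG).

```powershell
# Added example for this thread (not from the original post). Run on the RD Gateway server.
param(
    # Assumed placeholder names; replace with your domain controllers.
    [string[]]$DomainControllers = @('dc01.corp.example', 'dc02.corp.example'),
    # Typical ports a domain-joined server needs to reach a DC; adjust to your environment.
    [int[]]$PortsToTest = @(53, 88, 135, 389, 445, 636)
)

# 1. Pull recent connection-authorization failures (Event ID 201) from the gateway log
#    and break them down by user and error code, so an intermittent problem shows a pattern.
$log    = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 201; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$summary = foreach ($e in $events) {
    $m = $e.Message
    # Field layout follows the message quoted in the post.
    $user   = if ($m -match 'The user "([^"]+)"')                         { $Matches[1] } else { '?' }
    $client = if ($m -match 'on client computer "([^"]+)"')               { $Matches[1] } else { '?' }
    $auth   = if ($m -match 'authentication method used was: "([^"]+)"')  { $Matches[1] } else { '?' }
    $code   = if ($m -match 'The following error occurred: "([^"]+)"')    { $Matches[1] } else { '?' }
    [pscustomobject]@{ Time = $e.TimeCreated; User = $user; Client = $client; Auth = $auth; ErrorCode = $code }
}

"Event 201 failures in the last 7 days: $(@($summary).Count)"
$summary | Group-Object User, ErrorCode | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Confirm this gateway's computer account is in "RAS and IAS Servers", which NPS needs
#    in order to read account dial-in properties from AD. Skipped if RSAT is not installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $me      = $env:COMPUTERNAME + '$'    # computer accounts are stored as NAME$
    $members = Get-ADGroupMember -Identity 'RAS and IAS Servers' |
               Select-Object -ExpandProperty SamAccountName
    if ($members -contains $me) { "OK:   $me is a member of 'RAS and IAS Servers'" }
    else                        { "WARN: $me is NOT a member of 'RAS and IAS Servers'" }
} else {
    "SKIP: ActiveDirectory module not available; verify group membership from a DC."
}

# 3. Test each domain controller on the ports the DMZ firewall must allow. A port that is
#    reachable on one DC but blocked on another matches a 'works on some days' symptom,
#    because the gateway may pick a different DC each time.
foreach ($dc in $DomainControllers) {
    foreach ($p in $PortsToTest) {
        $r     = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0}:{1} -> {2}' -f $dc, $p, $state
    }
}
```

Run it a few times across days when the problem is and is not occurring and compare the output: if section 3 shows a DC that is only sometimes reachable, the firewall rule set (or the DC the gateway happens to select) is the place to look before touching NPS again.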
