I have an issue with Azure VMs and the RDWeb Gateway.
Our intent is to create a cloud-based service on Azure using Session-based hosting through RDS as an alternate method to deploy our subscription-based application which includes an embedded database.
I have defined a Virtual Network, Cloud service , Storage service and 3 VMs as laid out in the “Azure Desktop Hosting - Reference Architecture and Deployment Guides” page (http://msdn.microsoft.com/library/azure/dn451351.aspx)– specifically the “Desktop Hosting Deployment Guide”. Since the service will be for end-users (our clients) we have defined a new domain (and acquired the domain name) so that we can create and admin the AD within the DC that is one of the VMs. Since I have the Domain name, I have also acquired an SSL Certificate from Verisign. I have installed the certificate to all roles in the RDS configuration and have also installed it to the Cloud Service. So far, so good.
The problem is that when I try to connect to my RDS Host through the RDWeb Gateway I get a certificate error. When I choose to connect to the RDWeb page (the not recommended operation) the RemoteApp and Desktop Connection page comes up with my RDS Session icon. When I click on it to connect to the RDS Host I get an error message that the publisher of the remote connection can’t be identified. If I click the Connect button I get the following Remote Desktop Connection error (“xxxxxx” = the Cloud Service name):
This computer can’t verify the identity of the RD Gateway “xxxxxx.cloudapp.net”. It’s not safe to connect to servers that can’t be identified. Contact your network administrator for assistance.
[OK] [View Certificate…]
If I click on the View Certificate… button I see that the Certificate being presented is not my Trusted Certificate from Verisign, but an untrusted Certificate for xxxxxx.cloudapp.net. And if I click OK then the session is dismissed.
Presumably I could export and add the untrusted certificate to my local Trusted Certificates, but I don’t want to have to explain that to each of my customers and have them do that for each computer that they may use to connect to the service, especially since I have a domain and a Trusted certificate available.
What am I missing????