Remote Desktop Services SSL Installation Guide
Remote Desktop Services (RDS), formerly known as Terminal Services, allows users to access Windows desktops and applications remotely. It provides a way for multiple users to connect remotely to a physical server running Windows Server and access desktops or applications.
RDS deployments are commonly used to provide virtual desktop infrastructure (VDI) and remote access solutions. They allow organizations to host Windows desktops and apps in the datacenter while providing remote access for workers.
While RDS provides flexibility and scalability, it also introduces security concerns. By default, the RDS connection is unencrypted, allowing sensitive data like credentials and application data to be intercepted by network sniffers.
To secure RDS deployments, administrators must implement SSL/TLS encryption. This requires obtaining and installing a valid SSL certificate on the RDS server.
In this comprehensive guide, we will walk through the entire process of installing an SSL certificate on Remote Desktop Services step-by-step.
Prerequisites Before Installing SSL Certificate on Remote Desktop Services
Before starting the SSL installation process, make sure the following prerequisites are met:
- A server running Windows Server with the Remote Desktop Services role installed. This can be an RD Connection Broker, RD Web Access, or RD Gateway server.
- Appropriate SSL certificate file and private key. This can be a domain validated (DV) or extended validation (EV) certificate purchased from a certificate authority (CA). Make sure the certificate is compatible with your server OS and applications.
- Local administrator privileges on the RDS server where the certificate will be installed.
- Remote Desktop Services Manager console accessible for certificate assignment.
- Familiarity with PKI concepts like public/private keys, certificate signing requests, etc.
A Step-by-Step Guide to Installing an SSL Certificate on Remote Desktop Services
Installing an SSL certificate on Remote Desktop Services involves a few key steps:
Step 1 – Obtain an SSL Certificate for RDS
The first step is to obtain a valid SSL certificate issued to the hostname you want to secure (e.g. rds.yourdomain.com).
You can purchase a single domain, wildcard, UCC or SAN certificate from any trusted SSL provider. Make sure to generate the certificate signing request on the RDS server itself.
The certificate should include:
- Public key – This is contained in the SSL certificate itself with .CRT or .PEM extensions.
- Private key – This is generated on the server when creating the CSR. Ensure the key is safely stored and backed up.
- Intermediate certificates – These establish the chain of trust for your SSL certificate to the root CA certificate. The intermediate certs will be provided by the SSL provider in a bundle file.
When purchasing the cert, make sure to provide accurate information and validate domain ownership as required by the CA. Once issued, download the certificate package on the RDS server.
Step 2 – Import the SSL Certificate
- Open the Remote Desktop Gateway Manager console on your RDS server. This can be accessed through Server Manager or as a standalone app.
- Right-click on your RD Gateway Server node and click Properties.
- Switch to the SSL Certificates tab. This panel allows assigning certificates to the SSTP, HTTPS and RDP ports.
- Click Import to launch the import wizard.
- Provide the path to your RDS SSL certificate file (with .crt or .pem extension).
- Browse and select the corresponding private key file for this certificate.
- Enter the password to decrypt the private key file.
- Check the box to mark the certificate as exportable.
- Select the Allow private key to be exported option. This enables backing up the private key.
- Choose the RD Gateway Server store to import the certificate and key to.
- Click OK to complete the import process.
The SSL certificate and private key are now imported to the RD Gateway certificates store.
Step 3 – Assign SSL Certificate to RDS Roles
Once imported, the SSL certificate must be properly assigned to the relevant RDS roles/connections:
Assign to RD Web Access
- Open Server Manager and access Remote Desktop Services > Overview.
- Right-click on your RD Web Access server and click Properties.
- Go to the SSL Certificates tab.
- Check Enable SSL and select the imported SSL certificate from the dropdown menu.
- Click Apply and then OK to save changes.
Assign to RD Connection Broker
- In Server Manager, right-click your RD Connection Broker server and open Properties.
- Go to the SSL Certificates tab.
- Check the option to Use TLS 1.0 for SSL connections.
- Select the installed SSL certificate.
- Click Apply and then OK to finish assignment.
Assign to RD Gateway Server
- Open the RD Gateway Manager console again.
- Right-click the RD Gateway Server node and choose Properties.
- Switch to the SSL Certificates tab.
- For the HTTPS section, enable SSL and bind the certificate. Do the same for RDP and SSTP if using those protocols.
- Click OK to complete SSL binding.
The imported certificate is now assigned to the respective RDS server roles. This implements encryption across the remote desktop environment.
Step 4 – Export Certificate with Private Key
It’s recommended to export the SSL certificate along with its private key from the RDS server. This serves as a backup and allows you to migrate the certificate to another RDS deployment if needed.
To export the certificate and key:
- Open the Microsoft Management Console (MMC).
- Add the Certificates snap-in for the Local Computer.
- Expand the console tree to Certificates (Local Computer) > Personal > Certificates.
- Right-click the RDS SSL certificate and choose All Tasks > Export.
- Click Next in the certificate export wizard.
- Choose the option to export Private key and click Next.
- Select Personal Information Exchange – PKCS #12 (.PFX) as the output file format.
- Specify a filename to export as and complete the wizard.
This exports the SSL certificate along with private key in a .PFX file protected by a password. Store this backup file securely for future restore or migration needs.
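The following is an added PowerShell example, not part of the original guide, that carries Steps 1 to 4 through from the command line for a deployment managed by an RD Connection Broker. It assumes Windows Server 2012 R2 or later with the RemoteDesktop and PKI modules available, an elevated session on the Connection Broker, and the placeholder names rds.yourdomain.com (the public hostname from Step 1), rdcb.yourdomain.com (the broker), C:\certs (working folder) and intermediate.cer (the CA's intermediate bundle). Submitting the CSR to the CA and saving the issued certificate as rds.cer is done outside the script.

```powershell
# Added example (not from the guide): Steps 1-4 in PowerShell for a broker-managed
# RDS deployment. Placeholders: rds.yourdomain.com, rdcb.yourdomain.com, C:\certs,
# intermediate.cer. Run elevated on the Connection Broker.

$HostName = 'rds.yourdomain.com'                 # placeholder public hostname
$Broker   = 'rdcb.yourdomain.com'                # placeholder broker FQDN
$WorkDir  = 'C:\certs'                           # placeholder working folder
$null = New-Item -ItemType Directory -Path $WorkDir -Force

# Step 1: generate the key pair and CSR on the RDS server itself.
# Exportable=TRUE and MachineKeySet=TRUE mirror the wizard's "allow private key
# to be exported" choice and keep the key in the Local Computer store. The SAN
# extension must list every name clients will use, which is what prevents
# hostname-mismatch warnings later (add more names as "dns=name&" lines).
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$HostName"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1   ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostName"
"@
Set-Content -Path "$WorkDir\rds.inf" -Value $inf -Encoding ASCII
certreq.exe -new "$WorkDir\rds.inf" "$WorkDir\rds.csr"
# ... submit rds.csr to the CA and save the issued certificate as rds.cer ...

# Step 2: accept the issued certificate; certreq pairs it with the pending key
# in Cert:\LocalMachine\My. Install the CA's intermediate bundle as well so the
# server can send the full chain (Cert:\LocalMachine\CA is the Intermediate
# Certification Authorities store).
certreq.exe -accept "$WorkDir\rds.cer"
Import-Certificate -FilePath "$WorkDir\intermediate.cer" `
    -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null

$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq "CN=$HostName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $HostName" }

# Step 3: bind the same certificate to every role by thumbprint. RDRedirector
# and RDPublishing are the Connection Broker's two certificate slots; RDGateway
# and RDWebAccess are the roles the guide assigns through the GUI.
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDRedirector', 'RDPublishing') {
    Set-RDCertificate -Role $role -Thumbprint $cert.Thumbprint `
        -ConnectionBroker $Broker -Force
}
# Every role should now show the same thumbprint and a "Trusted" level.
Get-RDCertificate -ConnectionBroker $Broker | Format-Table -AutoSize

# Step 4: PKCS #12 backup containing the private key and the chain, protected
# by a password that is prompted for rather than embedded in the script.
$BackupPassword = Read-Host -Prompt 'Password for backup PFX' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$WorkDir\$HostName-backup.pfx" `
    -Password $BackupPassword -ChainOption BuildChain | Out-Null
```

Set-RDCertificate with -Thumbprint reads the certificate from the broker's Personal store and pushes it to each role server, so the key must be exportable; that is why the INF sets Exportable = TRUE, matching the guide's export checkbox. Store the resulting backup PFX with the same care as the private key itself.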
Step 5 – Test and Verify the SSL Connection
After completing the above steps, test that SSL encryption is properly implemented on your RDS deployment:
- Try launching an RDP session to the RD Gateway server – it should connect securely using SSL/TLS.
- Access the RD Web Access portal and check for the padlock icon and green SSL indicator.
- Verify there are no certificate warnings or errors shown in the browser.
- Use online port scanners to check if SSL is correctly enabled on ports like 443 and 3389.
- Use OpenSSL to test connectivity to the RDS hostname: openssl s_client -connect rds.yourdomain.com:443
The SSL handshake should negotiate encryption without errors. Confirm that the certificate presented is the one you installed, and not a default self-signed one.
Troubleshooting Common SSL Installation Problems
Some common errors faced when installing and assigning SSL certificates to RDS include:
SSL Certificate Not Imported to Personal Store
- Double-check the certificate file path and ensure the .CRT or .PEM file is valid.
- Verify intermediate certificates are also imported or bundled with the main cert.
- Use the Certificates MMC snap-in to confirm import status.
Private Key Mismatch or Inaccessible
- The imported private key should match the SSL certificate.
- Check for typos in the password when importing the key.
- Confirm the private key permissions allow access by Network Service.
Certificate Not Enabling SSL Encryption
- After import and assignment, restart all RDS roles/services for changes to take effect.
- Check that protocols like HTTPS, RDP and SSTP have the certificate bound under Properties.
- Test connectivity using RDP client and web browser to isolate the issue.
- Verify SSL is enabled on associated ports like 443 or 3389 using port scan or test tools.
SSL Certificate Warnings in Browser
- Make sure to install all required intermediate certificates provided by the SSL provider.
- Confirm the certificate is valid and not expired.
- Check that the certificate is issued to the exact RDS hostname you are accessing.
- Verify the RDS hostname resolves to the correct IP address.
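As an added example covering both the verification in Step 5 and the browser-warning checklist above (not part of the original guide), the function below opens a TLS connection to the RDS endpoint from the client's point of view and reports what the chain validation, hostname match, expiry and negotiated protocol look like. It assumes the placeholder hostname rds.yourdomain.com on port 443 and needs only .NET classes that ship with Windows PowerShell; the function name Test-RdsTlsEndpoint is this example's own.

```powershell
# Added example (not from the guide): inspect the TLS endpoint the way a client
# sees it. Placeholder target: rds.yourdomain.com:443.
function Test-RdsTlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $WarnDays = 30
    )

    $result = [ordered]@{ HostName = $HostName; Port = $Port }
    $state  = @{ PolicyErrors = $null }

    # Record the platform's validation verdict instead of aborting the
    # handshake, so a bad chain or name mismatch is reported, not hidden.
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        return $true
    }.GetNewClosure()

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)  # throws if DNS fails
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for the requested name

        $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # Subject Alternative Name

        $result.Protocol        = $ssl.SslProtocol
        $result.Cipher          = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit, $($ssl.HashAlgorithm), $($ssl.KeyExchangeAlgorithm)"
        $result.Subject         = $cert.Subject
        $result.Issuer          = $cert.Issuer
        $result.Thumbprint      = $cert.Thumbprint
        $result.SubjectAltNames = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
        $result.NotAfter        = $cert.NotAfter
        $result.DaysRemaining   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $result.PolicyErrors    = $state.PolicyErrors   # None = chain, name and dates all OK
        $result.SelfSigned      = ($cert.Subject -eq $cert.Issuer)

        $findings = @()
        if ($state.PolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
            # RemoteCertificateNameMismatch  -> cert not issued to this hostname
            # RemoteCertificateChainErrors   -> missing intermediate, expired, untrusted root
            $findings += "client-side validation failed: $($state.PolicyErrors)"
        }
        if ($result.SelfSigned)                { $findings += 'certificate is self-signed' }
        if ($result.DaysRemaining -lt $WarnDays) { $findings += "expires in $($result.DaysRemaining) days" }
        if ($ssl.SslProtocol -in 'Ssl2', 'Ssl3', 'Tls', 'Tls11') {
            $findings += "legacy protocol negotiated: $($ssl.SslProtocol)"
        }
        $result.Findings = if ($findings) { $findings } else { @('OK') }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
    [pscustomobject]$result
}

# Usage: port 443 covers RD Web Access and the RD Gateway HTTPS listener.
Test-RdsTlsEndpoint -HostName 'rds.yourdomain.com' | Format-List
```

Run it from a client machine rather than the server, because the point is to see the chain the way end users' browsers and RDP clients see it; a server that trusts its own intermediate store can hide a missing intermediate. The function targets HTTPS endpoints only: an RDP listener on 3389 starts with an X.224 negotiation before TLS, so that port is better checked with an RDP client, as the Step 5 list suggests.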
Conclusion
Implementing SSL encryption on RDS is crucial to securing remote desktop access in any organization. By following the step-by-step process outlined in this guide, administrators can obtain a trusted SSL certificate, import it, assign it to the RDS server roles, test the implementation, troubleshoot issues and validate secure connections. Proper SSL configuration hardens the RDS environment against threats like data interception and MitM attacks. Organizations should make SSL installation a top priority for any production RDS deployment that allows remote connectivity. Following best practices for certificate issuance, deployment and lifecycle management further ensures that SSL security is maintained on the RDS infrastructure.
Frequently Asked Questions
Here are some common FAQs about installing SSL certificates on Remote Desktop Services:
What type of SSL certificate do I need for RDS?
You can use a standard single domain, wildcard, UCC or SAN certificate. EV certificates provide maximum trust but are not mandatory.
Can I use an internally generated or self-signed certificate?
Self-signed certificates compromise security and are not recommended. Purchase an SSL cert from a trusted external provider.
Does the private key have to be generated on the RDS server?
Yes, the private key should be created on the same server where you generate the CSR and install the certificate.
What is the benefit of exporting the SSL certificate and private key?
Exporting creates a backup you can use to restore the certificate or migrate it to another RDS server if needed.
Do end users need to have the root CA installed to trust the RDS certificate?
No, the intermediate certificates establish a chain of trust between your SSL cert and root CA already trusted by clients.
Can I use the same SSL certificate on multiple RDS servers?
No, each RDS server should have a unique certificate issued specifically to its hostname for security reasons.
What is the best practice for renewing an RDS SSL certificate?
Request a new certificate from your CA provider before expiry and seamlessly replace the expiring cert following the same installation process.
What cipher suites should I use when enabling SSL on my RDS environment?
It is recommended to use modern cipher suites: AES-256 for encryption, SHA-2 for message authentication, and ECDHE for key exchange.
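Because RDS roles all sit on Schannel, the cipher suites a client can negotiate are the server-wide Schannel list. The following added example (not from the guide) audits that list against the recommendation above and can disable the suites that fall short. It assumes Windows Server 2016 or later, where the TLS module's Get-TlsCipherSuite and Disable-TlsCipherSuite cmdlets exist; the function names are this example's own.

```powershell
# Added example (not from the guide): audit Schannel cipher suites against the
# FAQ's recommendation (ECDHE key exchange, AES, SHA-2) and optionally disable
# the rest. Requires Windows Server 2016+ and an elevated session to apply.

function Get-WeakTlsCipherSuite {
    Get-TlsCipherSuite | Where-Object {
        $n = $_.Name
        # TLS 1.3 suites carry no key-exchange in the name but always use
        # ephemeral (EC)DHE, so they are never flagged.
        if ($n -match '^TLS_(AES|CHACHA20)_') { return $false }
        ($n -notmatch '_(ECDHE|DHE)_') -or             # no forward secrecy
        ($n -match 'RC4|3DES|NULL|EXPORT|_MD5') -or    # broken or legacy primitives
        ($n -match '_CBC_SHA$')                         # CBC with SHA-1 HMAC
    }
}

function Invoke-TlsCipherSuiteHardening {
    param([switch] $Apply)   # without -Apply this is a dry run
    foreach ($suite in Get-WeakTlsCipherSuite) {
        if ($Apply) {
            Disable-TlsCipherSuite -Name $suite.Name
            "disabled       $($suite.Name)"
        } else {
            "would disable  $($suite.Name)"
        }
    }
    'remaining suites:'
    Get-TlsCipherSuite | ForEach-Object { "  $($_.Name)" }
}

# Dry run first, then re-run with -Apply once the list looks right.
Invoke-TlsCipherSuiteHardening
```

Disable-TlsCipherSuite changes the whole server, not just RDS, and the setting persists across reboots, so keep a record of what was removed. Preview before applying and test the oldest RDP client and browser in use afterwards: a client that only supports the disabled suites will fail to connect, which shows up in the verification tests from Step 5.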