
quickstart-microsoft-rdgateway's Introduction


quickstart-microsoft-rdgateway's Issues

Remote Desktop can't connect to the remote computer / Event 301

Deployed "RD Gateway into a new VPC"

Walked through Post-Deployment Tasks

  • create sg for private instance(s) w/ 3389 inbound from RDGW SG
  • added fqdn host record to host file on admin client, matching the self-signed certificate subject fqdn
  • installed the root cert from RDgateway's c:\servername.cer on admin client within trusted root cert auth store
  • added tcp 443 inbound to rdgw sg, from admin client ip
  • verified instance associated with sg allowing 3389 from the rdgw sg
  • configured rdp connection as described (instance private IP in general field, rdgw fqdn (as in host file) in rdgw settings)

Attempting to connect to a Windows Server 2016 instance (administrator, with aws generated password) in private subnet 1A.

  • Get prompted for RDGW credentials
  • Never get prompted to enter credentials for the private instance, RDP error pops up.

Receive the following error:
Remote Desktop can't connect to the remote computer "10.XXX.XXX.XXX" for one of these reasons:

  1. Your user account is not listed in the RD Gateway's permission list
  2. You might have specified the remote computer in NetBIOS format (for example, computer1), but the RD Gateway is expecting an FQDN or IP address format (for example, computer1.fabrikam.com or 157.60.0.1).

TS event log on RDGW displays Event 301 (error 23002) at each attempt, detailing a resource authorization error.

Screenshots attached (remotedesktopconnection-2018-07-06, event301-2018-07-06).

  • All attempted deployments have been made with intention of utilizing standalone RDGW.
  • Have made attempts with default domain (example.com), as well as ec2.internal and compute-1.amazonaws.com (for us-east-1).
  • All attempts made with StackAdmin account to authenticate to RDGW
  • Standard RDP from rdgw to private instance tested working
  • TS Event Log states CAP authorization successful/allowed
  • Verified RAP is configured to allow all network resources
  • Tested RAP with local group (instance IP and AWS private DNS record); same error

Anyone come across this or can provide guidance?
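The troubleshooting above boils down to comparing what the CAP/RAP actually allow with what Event 301 says was denied. The following PowerShell, added here as an example and not part of the quickstart, dumps every policy setting from the RDS: drive and lists recent 301 events on the gateway itself. It assumes the RemoteDesktopServices module is installed (it is on any RD Gateway role), that leaf items under RDS:\GatewayServer expose a CurrentValue property, and that the operational log is named Microsoft-Windows-TerminalServices-Gateway/Operational; the two function names are the example's own.

```powershell
# Example triage script for RD Gateway authorization failures (Event 301 / 23002).
# Run in an elevated PowerShell session on the RD Gateway host.
Import-Module RemoteDesktopServices

function Get-RdgwPolicySummary {
    # Walk every CAP and RAP and emit one row per setting so a mismatch between the
    # authenticating account/target and the policy (user groups, computer group type,
    # Status) is visible at a glance.
    foreach ($kind in 'CAP', 'RAP') {
        foreach ($policy in Get-ChildItem "RDS:\GatewayServer\$kind") {
            foreach ($setting in Get-ChildItem $policy.PSPath) {
                # Containers (e.g. a RAP's UserGroups) list their members;
                # leaf items expose the configured value in CurrentValue.
                $value = if ($setting.PSIsContainer) {
                    (Get-ChildItem $setting.PSPath).Name -join ', '
                } else {
                    $setting.CurrentValue
                }
                [pscustomobject]@{
                    Policy  = "$kind\$($policy.Name)"
                    Setting = $setting.Name
                    Value   = $value
                }
            }
        }
    }
}

function Get-RdgwAuthorizationFailures {
    # Event 301 = client passed the CAP but failed the RAP; the first line of the
    # message names the user, client address and the resource that was denied.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
        Id        = 301
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Summary = ($_.Message -split "`r?`n")[0]
        }
    }
}

Get-RdgwPolicySummary          | Format-Table -AutoSize
Get-RdgwAuthorizationFailures  | Format-Table -AutoSize -Wrap
```

Compare the resource named in each 301 summary against the RAP's computer-group setting, and the denied user against the RAP's UserGroups members; a RAP that allows all network resources still denies a user whose groups are not listed.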

Question about this template?

Hi - I couldn't find any information on whether this CF Template includes creation (in addition to RD Gateway) of:

  • RD Connection Broker
  • RD Session Host
  • RD Web Access

Is this all installed on one EC2?

Stack fails while trying to create auto scaling group

I am trying to deploy this into my account and it keeps failing when it tries to create the auto scaling group for the gateways. I have verified that there are no current issues being reported. I have verified in Trusted Advisor that I am not at my limit on anything. I have also tried deploying in a different region where we do not have anything else deployed and I am getting the same result. I do not think it is a problem with autoscaling itself as I was able to deploy 3 Elastic Beanstalks with auto scaling fine. Here are the failed events:

08:56:00 UTC-0600 | CREATE_FAILED | AWS::CloudFormation::Stack | nonprod-management-stack-RDGWStack-9W3CI7VMRIHQ | The following resource(s) failed to create: [RDGWAutoScalingGroup].

08:55:51 UTC-0600 | CREATE_FAILED | AWS::AutoScaling::AutoScalingGroup | RDGWAutoScalingGroup | Received 0 SUCCESS signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement

08:55:50 UTC-0600 | UPDATE_IN_PROGRESS | AWS::AutoScaling::AutoScalingGroup | RDGWAutoScalingGroup | Failed to receive 1 resource signal(s) for the current batch. Each resource signal timeout is counted as a FAILURE

Any help would be appreciated

Automation fails for Domain Joined RDP GW - Existing VPC during Step 7: configurerdgw

Deploying via CloudFormation. EC2 resource is created via ASG and fails during the Systems Manager automation.
Confirmed that previously supplied domain credentials are for 'Domain Admin'

Here is the output from Systems Manager Automation Step 7: configurerdgw:

Creating DSC Certificate to Encrypt Credentials in MOF File
Exporting the public key certificate


    Directory: C:\


Mode                LastWriteTime         Length Name                          
----                -------------         ------ ----                          
-a----        2/21/2023   7:50 PM            862 EC2AMAZ-8PMN9QH.cer           
Setting Default CAP
Failed to set Default CAP Access to the object at RDS:\GatewayServer\CAP\Default-CAP is denied for the cmdlet New-Item.The supplied value is not valid, or you do not have sufficient permissions.

Reproducible error adding Admin user

I've seen this error a few times on different AWS quick starts so while this pertains to the rdgateway quick start it also impacts others.

Issue: When specifying the password for the Admin account during the setup, certain special symbols will be interpreted as commands rather than as password characters.

Ex1:
Command invoked: Command b-create-admin (net user /add Admin abc123<123ABC /y)
failure: Command b-create-admin output: The filename, directory name, or volume label syntax is incorrect.

Ex2:
Command invoked: Command b-create-admin (net user /add Admin abc123&123ABC /y)
failure: '123ABC' is not recognized as an internal or external command, operable program or batch file.

Thanks,
K
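The two failures above are the classic shape of a shell-metacharacter bug: the password is spliced into a cmd.exe command line, so `<` becomes a redirection and `&` a command separator. The PowerShell below, an added example rather than the quickstart's code, shows two defensive measures: a pre-check that names the cmd.exe metacharacters in a value before it is ever handed to a cmd-based step, and account creation through New-LocalUser with a SecureString, which reaches the local accounts API without any shell parsing. It assumes Windows Server 2016 or later (Microsoft.PowerShell.LocalAccounts); Test-CmdMetacharacter and New-LocalAdminAccount are the example's own names.

```powershell
# Example: create the local Admin account without passing the password through cmd.exe.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016+).

function Test-CmdMetacharacter {
    # Returns the distinct cmd.exe metacharacters found in the value. A caller that
    # must still hand strings to cmd.exe (as cfn-init 'commands' do) can refuse a
    # password up front instead of discovering the breakage as "not recognized as an
    # internal or external command".
    param([Parameter(Mandatory)][string]$Value)
    $meta = [char[]]'&|<>^%!"'
    @($Value.ToCharArray() | Where-Object { $meta -contains $_ } | Sort-Object -Unique)
}

function New-LocalAdminAccount {
    # Creates the account and adds it to Administrators. The SecureString is passed
    # as an argument to a cmdlet, so characters such as < and & are never interpreted.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )
    $user = New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires -ErrorAction Stop
    Add-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction Stop
    $user
}

# Usage: the two passwords from the report above would have been caught by the pre-check
# (constructed values, taken from the issue text). Note that $secret, not a literal,
# carries the password; never embed it in a cmd.exe command string.
foreach ($candidate in 'abc123<123ABC', 'abc123&123ABC') {
    $found = Test-CmdMetacharacter -Value $candidate
    if ($found.Count -gt 0) {
        Write-Warning "'$candidate' contains cmd.exe metacharacters: $($found -join ' ')"
    }
}

# $secret = Read-Host -AsSecureString -Prompt 'Admin password'
# New-LocalAdminAccount -Name 'Admin' -Password $secret
```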

rdgw-domain.template error with certs

When using the rdgw-domain.template (alone or with another quickstart) it gets to the point where it's creating instances to add to the autoscale group but never adds them to the autoscale group. The instance spins up and looks healthy, then it terminates.

The only error I see is in the CloudWatch log group for the setupconfiguration; in the stdout log it says
"Failed to Initialize RDGW with Certs Access to the object at RDS:\GatewayServer\CAP\Default-CAP is denied for the cmdlet New-Item.The supplied value is not valid, or you do not have sufficient permissions."
log location = 9d276536-b525-4171-9c0f-76a1722151da/i-005d83973982626ac/runPowerShellScript/stdout

The stderr says "failed to run commands: exit status 255"

I've been trying to work through the error but haven't been having any success. Note that this seems to have started sometime in the last 2 weeks-ish; in late October it was working fine. The 29th I think was the last time I ran it successfully.

AMI cannot be described during rdgw-standalone deployment

CREATE_FAILED | AWS::AutoScaling::LaunchConfiguration | RDGWLaunchConfiguration | AMI cannot be described (Service: AmazonAutoScaling; Status Code: 400; Error Code: ValidationError; Request ID: b76ef062-ba33-11e9-ac30-3d96471c0de5)

For some reason the rdgw-standalone template doesn't use the mapped ami ids for the RDGWLaunchConfiguration. It instead relies on a param with value "/aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base" by default. This is fed to the image ID value in the launch configuration. It looks like an api call, but is being used as a string. Is that correct?

CloudFormation fails

The CloudFormation template with existing VPC (domain-joined) keeps failing. The RDGW instances get to running state and after a few minutes, it terminates the instances without any clue (screenshot attached).

Also, the CloudFormation gets stuck in the RDGWAutoScalingGroup for more than 40 minutes, then fails with this message:

Group did not stabilize. {current/minSize/maxSize} group size = {0/2/2}.

Screenshot attached showing what I got after an hour of waiting.

Logon Failures - Event 4625

I receive logon failures connecting through the RDGW. Also, event 4625 is logged in the Security log on the RDGW. We need to turn off enforcement of channel bindings to fix this problem. Run this command and restart the tsgateway service to correct the issue:
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core" /t REG_DWORD /v EnforceChannelBinding /d 0 /f

More info at: https://support.microsoft.com/en-us/help/2903333/terminal-services-client-connection-error-0xc000035b-when-you-use-lmco

Load balancing

I have successfully deployed the quickstart. So far so good.
My question is how to make "clients" choose an RDGW. As I see it, you passed over this problem in the architecture drawing by simply dragging a line from the client to both RDGW servers (one in each AZ). How does the auto scaling group (suddenly making more IP addresses available) work in practice with regard to this?
I haven't found any good solutions. My initial approach would be to use round robin DNS, but this solution seems not to be functional with Windows server 2012 onwards?
I thought about using a load balancer, but as I understand it, UDP traffic is not supported by ELB.
Am I simply overthinking it?
If I'm leaving out information, please ask me.
Thanks, Niels

changing RDGW instance type to t3a.small causes termination

I attempted to rightsize the RDGW from 8GB since it was using very little RAM. I changed it to a t3a.small and tried to start it. I received a message that the instance type was incompatible, I refreshed and saw that the instance was terminated. The public IP address showed as unassociated.

Is there anything that can be done to address this from the QuickStart? I don't know why this happened, but I think it has happened to me before.

A few ideas in case there is no technical solution or the problem lies with AWS design:

  1. Offer .medium instances and make this the default for RDGWs
  2. Make a note in the documentation, perhaps with a list of other precautions when deploying this quickstart (I am making a list)
  3. Document this in tags noting the compatibility

This is the system log showing only the initial start.

2019/11/07 16:23:32Z: Windows sysprep configuration complete.
2019/11/07 16:23:35Z: Message: Waiting for meta-data accessibility...
2019/11/07 16:23:35Z: Message: Meta-data is now available.
2019/11/07 16:23:37Z: AMI Origin Version: 2019.10.09
2019/11/07 16:23:37Z: AMI Origin Name: Windows_Server-2016-English-Full-Base
2019/11/07 16:23:38Z: OS: Microsoft Windows NT 10.0
2019/11/07 16:23:38Z: OsProductName: Windows Server 2016 Datacenter
2019/11/07 16:23:38Z: OsInstallOption: Full
2019/11/07 16:23:38Z: OsVersion: 10.0
2019/11/07 16:23:38Z: OsBuildLabEx: 14393.3269.amd64fre.rs1_release.190929-1234
2019/11/07 16:23:38Z: Language: en-US
2019/11/07 16:23:38Z: TimeZone: Coordinated Universal Time
2019/11/07 16:23:38Z: Offset: UTC 00:00:00
2019/11/07 16:23:38Z: AMI-ID: ami-0df99cdd65bce4245
2019/11/07 16:23:38Z: Instance-ID: i-0c9e2e96005d7dcc9
2019/11/07 16:23:38Z: Instance Type: m4.large
2019/11/07 16:23:42Z: Driver: AWS PV Driver Package v8.3.2 
2019/11/07 16:23:42Z: Driver: Intel(R) 82599 Virtual Function v2.0.210.0 
2019/11/07 16:23:42Z: Launch: EC2 Launch v1.3.2001360
2019/11/07 16:23:42Z: SSM: Amazon SSM Agent v2.3.634.0
2019/11/07 16:23:43Z: RDPCERTIFICATE-SUBJECTNAME: EC2AMAZ-OA3DQG4
2019/11/07 16:23:43Z: RDPCERTIFICATE-THUMBPRINT: 6C554062536E7DAA97151D01E5EDA6396F72A58D
2019/11/07 16:23:56Z: HibernationEnabled: false
2019/11/07 16:23:56Z: Username: Administrator
2019/11/07 16:23:56Z: Password: <Password>
</Password>
2019/11/07 16:23:58Z: Message: Windows is Ready to use

Received 0 SUCCESS signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement

I am trying to deploy the rdgw-domain.template CF template in my account. I am using an existing VPC and passing on the parameters. However, I am getting an error saying "CREATE_FAILED | AWS::AutoScaling::AutoScalingGroup | RDGWAutoScalingGroup | Received 0 SUCCESS signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement". Does anyone know about this?
Any help would be appreciated.

Add group for domain\admin to RDGW CAP, NAP, and RAP

When deploying the QS there is a domain\admin user created, but the group for that domain\admin user is not added to the network authentication policy, resource authentication policy or connection authentication policy. The domain\admin user can RDP to the RDGW instances but cannot use the instances as a gateway server without manually adding the user (domain\admin) or group (domain\users) to the various policies.

unable to launch stack in gov-cloud region due to invalid arn

Stack is failing to create resources due to an invalid arn when launching in a gov-cloud region. We can see this is an issue when creating the "ExecutionResourceRole":

Resource: !Sub arn:aws:autoscaling::${AWS::AccountId}:autoScalingGroup::autoScalingGroupName/${AWS::StackName}

This should be the following, if I'm not mistaken:

Resource: !Sub arn:${AWS::Partition}:autoscaling::${AWS::AccountId}:autoScalingGroup::autoScalingGroupName/${AWS::StackName}

Quick Start template "Deploy RD Gateway into an existing VPC – domain-joined" no longer working

When creating the stack I get an error when creating Launch Configuration -
AMI cannot be described (Service: AmazonAutoScaling; Status Code: 400; Error Code: ValidationError; Request ID: b678fcba-58b4-11e8-aa61-0560b123affb)

Looking internally I see the ami-838b53fc is de-registered.

Whereas looking for public ami for Windows_Server-2016-English-Full-Base-2018.04.11 I find the new ami - ami-3633b149 created on 8th of May 2018.

Can you please look at this issue and change the ami of the template?
