'Deploy to RDP Gateway Service' Task

KillHawk · October 15, 2020, 8:09am

Hi!
I’m trying to roll out CTW to automate RDS cert updates across about 40 different client RDS environments.
I’m just confused on the best way to get CTW to actually install the cert on all roles.
I thought (maybe incorrectly) that the ‘Deploy to RDP Gateway Service’ task would do that, but it doesn’t and I can’t actually figure out what it does do?
IIS bindings get updated as soon as the cert renews even without a task.
The task says it runs successfully. What step am I missing?
Is the best way to just run a script to install?
Like this one I found elsewhere:
param($result)

set-alias ps64 “$env:C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe”

ps64 -args $result -command {

$result = $args[0]

$pfxpath = $result.ManagedItem.CertificatePath

Import-Module RemoteDesktop

Set-RDCertificate -Role RDPublishing -ImportPath $pfxpath -Force

Set-RDCertificate -Role RDWebAcces -ImportPath $pfxpath -Force

Set-RDCertificate -Role RDGateway -ImportPath $pfxpath -Force

Set-RDCertificate -Role RDRedirector -ImportPath $pfxpath -Force

}

Thanks everyone

webprofusion · October 15, 2020, 8:28am

Hi,

So the default task runs the following script which doesn’t seem to be enough for your use case:

github.com

webprofusion/certify-plugins/blob/master/src/DeploymentTasks/Core/Providers/Assets/RDPGatewayServices.ps1

# This is an example script and it will be overwritten when the next update is installed. 
# To use this script copy it to another location and modify as required

# Enable certificate for RDP Gateway
# For more script info see https://docs.certifytheweb.com/docs/script-hooks.html

param($result, [switch] $restartServices = $false)

Import-Module RemoteDesktopServices

# Apply certificate
Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $result.ManagedItem.CertificateThumbprintHash -ErrorAction Stop

# Optionally restart TSGateway and related service

if ($restartServices -eq $true)
{

	Restart-Service IAS -Force -ErrorAction Stop
	Restart-Service TSGateway -Force -ErrorAction Stop

This file has been truncated. show original

In the example script you’ve indicated above you can skip the who ps64 wrapper thing and just go straight to the $pfxpath line, the ps64 thing was just for very old versions of certify that were 32-bit.

Best strategy is to start with your certificate as the provided PFX file then devise a script to deploy that however you need it. I don’t know about RDS administration at all so can only go on examples others have provided. It sounds like you have a bunch of RDS servers across a bunch of different companies so yes it’s a good idea to set those up separately but start with one test system and get that right first.

For instance other users have gone to great lengths with their scripts and what you require will depend a lot on which services you’re running: https://github.com/webprofusion/certify/issues/519

I’m guessing you have managed to get a cert already and you just need to the task to deploy it. It would be useful if you could help figure out why our default task (Script) didn’t work for you - didn’t it restart the service? Note also that you can manually add tasks to restart any service that needs to be restarted as part of the deployment using the Start/Stop service task.

KillHawk · October 16, 2020, 2:52am

Thanks heaps for such a quick reply!
It’s helpful to see what the task is doing.

I can’t pretend to be too knowledgeable on RDS infrastructure so am not sure the specifics of what that task is trying to do, but there is definitely a distinction between updating the cert in that location; and installing the certificate on all services.

Yeah, for one I just nabbed the cert file from the Certify folder and installed manually,
For others I’ve gone with the task to run that script and it worked flawlessly.

So I will just keep my procedure as using the script which I’ve confirmed installs the cert in all necessary roles

Thanks again!
Sorry I’m no use on the detailed troubleshooting

webprofusion · October 16, 2020, 3:16am

Cool, also that script doesn’t configure certificates on RDS, it just updates them so if the RDS isn’t configured with a certificate already then it wouldn’t make a difference. I’m not sure if all RDS deployments already have a self-hosted cert or not.