Channel: Remote Desktop Services (Terminal Services) forum

2016 RDS deployment with authentication Error Code 0x607 when users connect from offsite


I have a relatively simple setup.  I have a previous 2012 R2 deployment that I am replacing with this 2016 deployment.  1 Gateway, 1 Broker, and 2 Load Balanced Hosts.  Everything is working fine for users connecting from the local network.  Users connecting remotely are getting a Code 0x607 authentication error when they are redirected to the second host.

Our gateway server is using a 3rd party certificate.  This server is running 2012 R2.  It is still part of the 2012 R2 deployment, but my understanding is that it should continue to work just fine.  The eventual plan is to replace this server with a 2016 that is part of this deployment, once I have transitioned my users.

Our Broker server also serves as a host.  This server is using a cert issued by our local domain CA.  All is well on this machine.  The RDWeb service is also installed here. I should mention that our users do not use the RDWeb service.  Rather, I use the RDWeb to get an RDP file that I distribute to the users.

Our 2nd Host is where we are seeing the issue. This server is also using a cert issued by our local domain CA. When users are redirected to this server while connecting remotely, they are getting the error I mentioned above.

My clients require TLS. The RDP files are directed toward the Broker and have all of the load balancing details and use redirection server name set to 1.

The 0x607 error seems to indicate that I have a certificate issue when the client is trying to connect to the host. What has me confused is the fact that they work just fine locally, when only one of my servers has issues remotely (both using local domain cert).

It is my understanding that we should not be using a DNS Farm name with 2012+ versions of RDS.  Perhaps I am breaking that logic by handing out a static RDP File.  If that is the case how do I fix it?  I have thought about getting a 3rd party cert for my internal domain servers, but that is an expensive guess if I am wrong about the issue.  

What have I done wrong?

