RDS WebClient through AppProxy failing for external access while using a program

Chad Petersen 0 Reputation points
2024-08-27T21:28:33.18+00:00

Hi all,

I am having the same problems described in the following two articles, with the web client failing while trying to open a remote program with the old error “Oops, we couldn't connect to "app". The connection to the remote PC was lost. This might be because of a network connection problem. If this keeps happening ask your admin or tech support for help” or the new error “The connection to the remote PC was lost. This might be because of a network connection problem. If this keeps happening, ask your admin or tech support for help”.

This happens only when a remote program is used through the web client and going through the App Proxy.

Currently, my lab:

I have set up a single-server RDS farm that houses the gateway, broker, session host, and web client. I have done many DNS/App Proxy configuration iterations that I cannot keep track of any more (ongoing month of no fun). I have also tried different certificate types and settled on the custom wildcard.

Server 2022 (new build including newest webclient, which looks weird)

RDS build is just the Quick Start

WildCard cert for all roles

Custom domain name (wildcard cert)

Same custom domain name for Internal/External FQDN

              Internal DNS points to the RDS server on the LAN

              External DNS points to proxy address (.msappproxy.net)

RD Gateway points to proxy address (.msappproxy.net)

Gateway Manager has 3389;443 opened for all RAP or CAP (per another article)

Entra app proxy URLs, internal and external, both have the same custom domain name

              From this perspective the external address is just to match the cert (just for show I think)

              From this perspective the proxy address (.msappproxy.net) points to the internal, LAN, custom domain

Pre-auth server set to proxy address (.msappproxy.net)

Resulting in:

Works fine internally

Externally we get a connection error after trying to open remote port; it takes only a few seconds in most cases.

(No fix in article)

https://learn.microsoft.com/en-us/answers/questions/1690961/trouble-with-remote-desktop-and-entra-app-proxy?comment=question#newest-question-comment

(Fix in article, but did not work for me)

https://learn.microsoft.com/en-us/answers/questions/996055/rds-webclient-through-appproxy-failing-for-externa

Any help here would be greatly appreciated, tired of tearing my hair out.

Thanks, Chad


2 answers

  1. Karlie Weng 18,521 Reputation points Microsoft Vendor
    2024-09-06T01:35:41.33+00:00

    Hello,

    I think you can narrow down your issue by remoting to your server directly (with the gateway, and don't bypass the gateway for the internal PC).

    If you can log in, it should be a remote app / redirection issue. Then you can confirm if there's any error / warning in your event log.


    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Chad Petersen 0 Reputation points
    2024-09-16T21:09:39.2633333+00:00

    Karlie,

    I navigated to the hostname of the server (FQDN) webclient URL and got the same result, because the gateway is still pointed to the proxy address (.msappproxy.net). Once we go through that, we get the WebSocket error consistently.

    Also, if we are talking about Event Logs, nothing was logged for this specific event in either Windows Logs\Application or \Security.

    Went through the Applications and Services Logs for \TerminalServices-* and \RemoteDesktopServices-* and nothing was glaring there either.

    IIS logs were not very telling either.

    I am still at a loss as to what is still ailing RDS. I think I will hit up parveensingh on Twitter, see if he has any ideas.

    Thanks, Chad
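
Added example, not part of the thread and not Microsoft's own tooling: a PowerShell sweep of the log channels named in the answers above (Application, Security, TerminalServices-* and RemoteDesktopServices-*), limited to a short window after the failure has been reproduced through the App Proxy. The 15-minute default and the `Microsoft-Windows-` channel prefixes are assumptions; run it elevated on the RDS server.

```powershell
# Added example. Assumes the failure was reproduced within the last $WindowMinutes minutes.
param([int]$WindowMinutes = 15)

$start = (Get-Date).AddMinutes(-$WindowMinutes)

# Channels named in the thread; the wildcards expand to whatever exists on this server.
$patterns = 'Application',
            'Microsoft-Windows-TerminalServices-*',
            'Microsoft-Windows-RemoteDesktopServices-*'

# Skip disabled, empty, and analytic/debug channels (the latter need -Oldest to read).
$logs = Get-WinEvent -ListLog $patterns -ErrorAction SilentlyContinue |
    Where-Object {
        $_.IsEnabled -and $_.RecordCount -gt 0 -and
        $_.LogType -in 'Administrative', 'Operational'
    }

$events = @(foreach ($log in $logs) {
    # Level 1-3 = Critical, Error, Warning. "No events found" is reported as an
    # error by Get-WinEvent, so it is silenced here.
    Get-WinEvent -FilterHashtable @{
        LogName   = $log.LogName
        Level     = 1, 2, 3
        StartTime = $start
    } -ErrorAction SilentlyContinue
})

# Security events are not logged as Error or Warning; failed logons and denied
# access carry the Audit Failure keyword instead (0x10000000000000).
$events += @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Keywords  = 4503599627370496
    StartTime = $start
} -ErrorAction SilentlyContinue)

# One timeline across all channels, so gateway, broker and session-host entries
# from the same failed connection line up next to each other.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message |
    Format-Table -Wrap -AutoSize

"{0} event(s) across {1} channel(s) since {2:HH:mm:ss}" -f $events.Count, ($logs.Count + 1), $start
```

An empty result for the window suggests the connection never reached the gateway or session host role on the server.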

