Congratulations, you've successfully implemented a RD Web Access + RD Gateway solution. Perhaps you're trying to emulate Remote Web Workplace or Citrix XenApp. The accolades of your peers continued until that day when the primary internet line went down for 8 hours. Suddenly you've become the guy who implemented a business critical solution with a single point of failure in Baby Bell.
The problem, while RD Web Access (TS Web Access in the non-R2 version of 2008) will give you a warning about non-matching certificate which you can ignore, RD Gateway (TS Gateway in non-R2) simply fails. Changing DNS records to point to the secondary isp could take hours, and manually programming the DNS entry in every client's computer would likely take just as long (not to mention prevent you from failing back).
Microsoft doesn't seem to provide any obvious answer for this situation. However, the need for a certificate to work from multiple urls is not new. Star certs and UCC certs provide exactly this functionality. Furthermore there are millions of IIS and Apache servers out there which have successfully implemented multi-tenanted solutions which require the ability to determine which url the end user requested to provide the correct webpage.
The first step is go acquire a UCC or Star cert for the domain. Since it's still one site in IIS, it can't handle providing a different certificate based on each domain. If you do choose a UCC cert, I suggest not just putting one alternative name on there, but filling up whatever the allotment is for your price point with generic names. Trust me, you'll need a certificate again at some point, and wouldn't it be handy if you didn't need to go get another purchase approved?
When you install the certificate, make sure to do it both through the role services. You'll need to specify the certificate in IIS for RD Web Access and in under the RD Gateway Role settings. See the information here for setting this certificate for RD Gateway:
Now RD Web Access and RD Gateway should work fine on the primary internet line, and they will appear to work from the backup internet line, IF the primary internet line is up, but it won't work without the primary internet line. The reason is because the DNS entry for the RD Gateway server is hard coded into IIS. Even though you connected to the RD Web Access on the backup isp, the RD Gateway session will be initiated on the primary isp because that entry is specified as the DefaultTSGateway
You can see more detailed instructions on how to set this setting here:
However this only provides for a single hard-coded entry. The trick to give us support for multiple isps simultaneously is to modify the underlying asp coding. Open IIS, browse to Default Web Site -> RDWeb -> Pages -> "en-us" and select "Explore" from the action pane on the right. Finally edit the file "Desktops.aspx"
Find this line:
DefaultTSGateway = ConfigurationManager.AppSettings[“DefaultTSGateway”].ToString();
And change it to:
DefaultTSGateway = Request.ServerVariables[“SERVER_NAME”].ToString();
This tells IIS to use the name of the server as requested from the client. As long as RD Web Access and RD Gateway are running on the same server, this should be correct.
These instructions vary slightly for 2008 non-R2, but should be close enough to still follow. The skinny is that everything is named TS instead of Remote Desktop and the IIS folder is TS instead of RDWeb.
In addition to the websites listed above in this article, information was gathered from numerous other unmentioned websites. This question, and the solution, were originally posted by myself in the Microsoft Partner Forums. You can find the original thread here: