We just had a vendor configure RemoteApp on a brand new Windows 2012 R2 Standard Server for us. From inside our network, the RemoteApp server works as expected. We can open a browser, navigate to RDWeb, log in, and launch published apps.
From outside our network, however, we can get to the RDWeb page and sign in, but no published apps will launch--when we double click one we get an error message stating "your computer can't connect to the remote computer because an error occurred on the remote computer that you want to connect to." The event log on the server then throws a 4625 audit failure. One account (only) can launch apps from outside--the "built in account for administering the computer/domain." This is the same domain account on the server where the RemoteApp role is installed. No other accounts can launch apps from the outside.
We can RDP into the server from the outside no problem (from the same accounts that can't launch apps). I am certain that our hardware firewall is not the issue. The vendor that set up the server says the server and the certificate are configured properly, and they think it's an issue with our domain policy/policies.
Interestingly, if I go into a user account in AD Users and Computers and add the name of the computer he is trying to launch apps FROM into the "Logon workstations" list, it fixes the problem--the user can then launch apps. However, this is not an option, because we can't determine the name of every computer that every remote user might use to log in.
Alternatively, if I go into the user account in AD Users and Computers and select "All computers" for "logon workstations", that also fixes the problem--the user can launch apps remotely. However, this isn't an option either, because we don't want internal users to be able to log into every machine on our network.
I'm not sure why we don't experience the "log on to" dilemma when launching RemoteApps inside of our network--only from the outside.
Any ideas to fix this would be greatly appreciated. Thanks!
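As an added example (not part of the original question), here is a PowerShell snippet for seeing the "Log On To" restriction from the server side rather than guessing at it. It assumes the RSAT ActiveDirectory module is available and that it runs on the RemoteApp server (or any host that can read its Security log) under an account that can read AD and the event log; it lists which accounts carry a LogonWorkstations restriction and pulls the recent 4625 events whose sub-status 0xC0000070 means the logon was refused because of that workstation restriction, so the client names the server actually saw can be read off the events.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module and read access to AD and the Security log.
Import-Module ActiveDirectory

# 1. Which accounts have a "Log On To" restriction at all?
#    LogonWorkstations is the friendly name of the userWorkstations
#    attribute; an empty value means "All computers".
$restricted = Get-ADUser -Filter * -Properties LogonWorkstations |
    Where-Object { $_.LogonWorkstations } |
    Select-Object SamAccountName, LogonWorkstations
$restricted | Format-Table -AutoSize

# 2. Recent 4625 failures whose SubStatus is 0xC0000070
#    ("user not allowed to log on at this computer"): the workstation
#    restriction is what rejected the logon. WorkstationName is the
#    client name the RD server saw, i.e. what would have to appear in
#    the user's Log On To list. SourceIP shows whether the attempt came
#    through the external path or from inside.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $d.WorkstationName
            SourceIP    = $d.IpAddress
            LogonType   = $d.LogonType
            SubStatus   = $d.SubStatus
        }
    } |
    Where-Object { $_.SubStatus -eq '0xc0000070' } |   # -eq is case-insensitive
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

If the second table is empty while the failures keep happening, the 4625 carries a different sub-status and the Log On To list is not what is rejecting the connection, which narrows the investigation before any AD attribute is changed.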