2022-04-22

Quite often we architect our environments without taking into account how applications are architected to run. We implement them based on our security architecture, which the application architecture doesn't know about or work properly with.

My expectation is the setting 'Bypass RD Gateway server for local addresses' is simple as when the client connects to the farm, the client will try to connect to the session host directly, if it can't connect to the session host directly it will use the gateway instead.

This is almost certainly a name resolution issue and or a certificate issue.

So make sure your DNS is working correctly. Make sure you use FQDNs throughout your farm and network. Don't use NetBIOS names, don't use IPs. Don't use non-internet-routable domains, e.g. internal.local (even if the farm is not publicly routable). Place your clients in the same DNS zone when they are used internally, if you want to bypass the Gateway.

i.e. from a terminal 'terminal1.corp.example.co.nz', when you ping 'sessionhost', ping will resolve it to 'sessionhost.corp.example.co.nz' and the correct internal IP address, with 'sessionhost.corp.example.co.nz' being the correct internal hostname for that session host and the correct FQDN in Windows sysdm.cpl on the server.

Understand the following about the certificate on the farm.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn781533(v=ws.11)#certificate-contents

I would recommend:

Assuming your farm is called rds.corp.example.co.nz

Your certificate should be as follows:

CN=rds.corp.example.co.nz
DNS=rds.corp.example.co.nz
DNS=*.corp.example.co.nz

*.corp.example.co.nz should cover your session hosts:

sessionhost.corp.example.co.nz
sessionhost1.corp.example.co.nz
sessionhost2.corp.example.co.nz

This not being true may prevent your clients from failing 'Bypass RD Gateway server for local addresses'; I'm not sure, to be honest.

If you have a mix of FQDNs like:

rds.corp.example.co.nz
sessionhost1.internal.local

and the certificate doesn't cover all the session host FQDNs, things won't work properly: it will work, but not properly.
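As an added illustration (not part of the original answer, and not Microsoft's or any RDS tooling's code), the following Python script checks a list of session-host names against the naming and certificate rules above: every name must be an FQDN, must not sit in a non-routable zone such as internal.local, and must be covered by one of the certificate's DNS SAN entries. Wildcard SANs are matched the way TLS clients match them (the wildcard must be the whole leftmost label and covers exactly one label, per RFC 6125). The host list and SAN list are constructed sample values built from the answer's example domain; the non-routable suffix list is an assumption for illustration.

```python
"""Check RDS session-host names against the certificate and naming rules
described in the answer. Added example with constructed sample data."""

import re

# Constructed sample: the SAN entries of the recommended farm certificate.
SAMPLE_SANS = ["rds.corp.example.co.nz", "*.corp.example.co.nz"]

# Constructed sample: a mixed farm, including a host in a non-routable zone
# and a bare NetBIOS-style name.
SAMPLE_HOSTS = [
    "rds.corp.example.co.nz",
    "sessionhost.corp.example.co.nz",
    "sessionhost1.corp.example.co.nz",
    "sessionhost1.internal.local",
    "sessionhost2",
]

# Assumed list of suffixes that are not delegated on the public internet.
NON_ROUTABLE_SUFFIXES = (".local", ".internal", ".lan", ".home", ".corp")

# One DNS label: letters, digits, inner hyphens, 1-63 characters.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def san_matches(san: str, host: str) -> bool:
    """Return True if a single dNSName SAN entry covers host.

    A wildcard is accepted only as the entire leftmost label and matches
    exactly one label, so '*.corp.example.co.nz' covers
    'sessionhost.corp.example.co.nz' but not 'a.b.corp.example.co.nz'.
    """
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # Reject partial wildcards ('ses*') and wildcards in any other position.
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False
    # Refuse overly broad wildcards such as '*.nz'.
    if len(san_labels) < 3:
        return False
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def is_fqdn(host: str) -> bool:
    """True if host has at least two syntactically valid labels."""
    labels = host.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def check_host(host: str, sans: list) -> list:
    """Return a list of problems for one host name; an empty list means OK."""
    problems = []
    h = host.lower().rstrip(".")
    if not is_fqdn(h):
        problems.append("not an FQDN (short/NetBIOS name)")
    elif h.endswith(NON_ROUTABLE_SUFFIXES):
        problems.append("non-routable DNS suffix")
    if not any(san_matches(s, h) for s in sans):
        problems.append("not covered by certificate SANs")
    return problems


def check_farm(hosts: list, sans: list) -> dict:
    """Map each host name to its list of problems."""
    return {h: check_host(h, sans) for h in hosts}


if __name__ == "__main__":
    for host, problems in check_farm(SAMPLE_HOSTS, SAMPLE_SANS).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{host:35s} {status}")
```

Running it flags sessionhost1.internal.local twice (non-routable suffix, and not covered by the wildcard SAN) and the bare name sessionhost2 as not an FQDN, while the three corp.example.co.nz hosts pass. To use it on a real farm, replace the sample lists with the names from the RDS deployment and the SAN entries from the issued certificate.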