
Is there any difference at all connecting to Remote Desktop via host name or IP address, other than an initial DNS lookup for the former?

I've been having a strange issue using RDP over Cloudflare Zero Trust.

Say the host name in the internal network is host.example.com. Its IP is 192.0.0.10. On the client, host.example.com always resolves to 192.0.0.10. Other services such as a web service (http://host.example.com) work just fine.

When connecting to host.example.com with Remote Desktop, I get the initial NLA login popup and then it hangs on "securing remote connection" forever. But on rare occasions it connects.

But there are no issues when specifying 192.0.0.10 for Remote Desktop; it always works.

So back to the original question: is there a difference in how RDP treats connecting using a host name vs. a host IP address, other than a simple normal initial DNS lookup? I wouldn't think so, but now I'm having doubts.

  • You should probably specify if you are subscribed to and using the private subnet routing over WARP using the WARP client installed on the endpoint, public hostname routing, or both.
    – Greg Askew
    Commented Oct 24, 2023 at 14:34
  • Cloudflare Tunnel can also route applications through a public hostname, which allows users to connect to the application without the WARP client. This method requires having cloudflared installed on both the server machine and on the client machine, as well as an active zone on Cloudflare. The traffic is proxied over this connection, and the user logs in to the server with their Cloudflare Access credentials. The public hostname method can be implemented in conjunction with routing over WARP so that there are multiple ways to connect to the server. You can reuse the same tunnel for both.
    – Greg Askew
    Commented Oct 24, 2023 at 14:36
  • "when connecting to host.example.com remote desktop, i get the initial NLA login popup and then it hangs": it's probably a good idea to perform a packet capture to confirm what it is communicating with. We're assuming that the domain and host name are only present at the endpoint you are connecting to and not associated with something else.
    – Greg Askew
    Commented Oct 24, 2023 at 14:42
  • In a traditional environment, using an IP address typically cannot use Kerberos. That is one difference. Using TLS is a bit more complex.
    – Greg Askew
    Commented Oct 24, 2023 at 15:44

1 Answer


The only difference is the security certificate that is usually bound to the name. To see which one is used, look here: "Certificates (Local Computer)" -> "Remote Desktop" -> "Certificates".

Thus it should only impact the NLA warning. For an RDH/TS server you would want the client to connect to the correct FQDN name to prevent a warning, and to be able to install the certificate to the user store, but for an admin session it's not an issue.

  • Very helpful suggestion, but the cert wouldn't be the issue here. Internally I can reach the host using all kinds of host names as long as they resolve to the host's IP. The cert warning pops up, I click "don't ask me again" and continue, or I have the authentication warning disabled on the client. Again, I can always connect via IP and on rare occasions via the host name. This issue must be related to the Cloudflare tunnel.
    – rvh
    Commented Oct 24, 2023 at 14:49
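As an added example (not from the question, the answer or the comments): a PowerShell check for the two differences named on this page, the certificate bound to the name (run on the RDP host) and the Kerberos SPN that only a host name can satisfy (run on the client). It assumes the name from the question, host.example.com, the default RDP-Tcp listener, the Windows "Remote Desktop" certificate store named in the answer, and klist's default output format.

```powershell
# Added example: two checks behind the host-name-vs-IP difference discussed above.
# Assumptions: host.example.com (the name from the question), the RDP-Tcp listener,
# the 'Remote Desktop' certificate store and the default klist output format.

function Test-RdpCertificateName {
    # Run on the RDP host: which certificate does the listener present, and does it cover $Fqdn?
    param([string]$Fqdn = 'host.example.com')
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName 'Win32_TSGeneralSetting' `
                          -Filter "TerminalName='RDP-Tcp'"
    $cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash } | Select-Object -First 1
    if (-not $cert) { Write-Warning "No certificate with thumbprint $($ts.SSLCertificateSHA1Hash) in the Remote Desktop or My store"; return }
    # Names the certificate is valid for: subject CN plus the entries of the SAN extension (OID 2.5.29.17)
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }) }
    [pscustomobject]@{
        Fqdn        = $Fqdn
        Subject     = $cert.Subject
        Expires     = $cert.NotAfter
        CoversFqdn  = [bool]($names -contains $Fqdn)   # $false: clients connecting by this name get the certificate warning
        NlaRequired = ($ts.UserAuthenticationRequired -eq 1)   # NLA is the initial login popup the question describes
    }
}

function Test-RdpKerberosName {
    # Run on the client: a host name gives NLA a Kerberos SPN (TERMSRV/<fqdn>); an IP address has none,
    # so NLA to 192.0.0.10 can only use NTLM. This shows which path host.example.com takes.
    param([string]$Fqdn = 'host.example.com')
    $addresses = (Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue).IPAddress
    $spn    = "TERMSRV/$Fqdn"
    $output = & klist.exe get $spn 2>&1 | Out-String   # requests (and caches) a service ticket for the name
    [pscustomobject]@{
        Fqdn       = $Fqdn
        ResolvesTo = ($addresses -join ', ')
        Spn        = $spn
        Kerberos   = [bool]($output -match 'Server:\s*TERMSRV/')   # a ticket was issued for the name
        Detail     = $output.Trim()
    }
}

Test-RdpCertificateName   # on the server
Test-RdpKerberosName      # on the client
```

If the host-name path obtains a Kerberos ticket while the IP path by construction cannot, the two connections authenticate differently inside NLA, which is a difference a packet capture of the hanging session needs to account for.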
