In an environment where the RD Gateway servers don’t have full internet access.We found out that starting a remote application (after logging in the rd web) took very long, about 2-3 minutes. Subsequent logins were fast though. When clients only login once or twice a day, the initial wait of 3 minutes can be quite annoying. the SSO of the Win08R2′ feature set (http://blogs.msdn.com/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx) relies on certificates to work, we found out that the gateway servers need to check the certificates on the internet. As these servers didn’t have a direct connection to the internet, this took 3 minutes to load.
Giving the RD Gateway servers access to the client revocation list (crl) sites for the certificate providers (for example: *.verisign.* and crl.microsoft.com) on the firewall fixes the issue. In most cases this is the easiest way to resolve this issue. If the RD Gateway servers are published using a hardware load balancer, and use a proxy server for internet access. You can also create a rule to allow this communication on the proxy server. But this will only work after setting the proxy server for the networkservice and localsystem account. It is important to exclude the local network on name and ip, , you don’t want all local traffic going through the proxy server. This setting can be changed with bitsadmin:
bitsadmin /util /setieproxy networkservice manual_proxy YourProxyserver:8080 “192.168.1.*;”
You can’t use masks here, If you want to exclude 172.16.0.0/16, use 172.16.*.*
we repeated this for the localsystem, networkservice and localservice.
You can find more on bitsadmin on msdn: