@HCHTech You're chasing squirrels.
You just need to reset the published names, the cluster figures all that out. And yes, when you're done it's all RDP proxied over https, so you're only forwarding TCP 443 in from the world.
Set-RDPublishedName
Seems to be the powershell command to do this, it seems it was removed from the Server 2016 GUI? and never put back in 2019?
It absolutely feels like chasing squirrels - good call.
So I found, downloaded and ran the Set-RDPublishedName powershell script. My collection link now has the FQDM in the relevant sections:
==========
full address:s:rds.[mydomain].com
gatewayhostname:s:rds.[mydomain].com
workspace id:s:rds.rds.[mydomain].com
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.LAB_Collection
use multimon:i:1
alternate full address:s:rds.rds.[mydomain].com
==========
I've rebooted the gateway and the RDSH servers, but the something is still wrong.
If I download the RDP from the RDWeb page and run it with the VPN connected, I get prompted for credentials to connect to rds.[mydomain].com, I enter them, only to get the "The remote resource cannot be reached" error. By editing the RDP connector, I can see that the RD Gateway server is pointing to the FQDM, the login is set for "Ask for password", and the "Bypass RD Gateway for local addresses" box is checked. The "Use my RD Gateway credentials for the remote computer" box is also checked.
If I try to run that same RDP without the VPN connected, I get prompted for credentials like before, I enter them, and get the same "The remote resource cannot be reached" error. I've gone through the event logs again, but as usual, don't find anything that leads me to any conclusion.
As before, it all works from within the network just RDPing to the IP address of the gateway.
It also works from within the network if I edit the Connect From Anywhere advanced settings in a basic RDP window to specify the rds.[mydomain].com for the server name, and uncheck the "Bypass RD Gateway for local addresses". This tells me the gateway is doing its job. If it weren't for the fact that I could get to the RDWeb login page with a browser, I would say that the firewall rule is the culprit. Since that works, it has to be with the RDP configuration somewhere, doesn't it?
Honestly, I think I'm going to have to tear it all down again and built it up from scratch. I've had about enough of the squirrel-chasing.