Configuring the Windows 2008 Terminal Services Gateway

Xavier Mustin

Microsoft security administrators have always been a bit wary of publishing Terminal Servers to the Internet. And for good reason – there was no ability to pre-authenticate connections or use policy to determine which users could access which Terminal Servers. The lack of pre-authentication was an especially difficult problem. Without pre-authentication, anonymous users could leverage their anonymous connections to compromise the published Terminal Server. A compromised Terminal Server is perhaps the most dangerous exploit possible against your network, as the attacker has access to a full operating system to launch his attacks.

Windows Server 2008 provides a solution to this security problem: Terminal Services Gateway. Using a Terminal Services Gateway, you can pre-authenticate users and control which Terminal Servers users can access based on credentials and policy. This gives you the fine-grained control you need to ensure that you have a secure remote access RDP solution.

In this two-part series on how to put together a working Terminal Services Gateway solution, we will use the lab network you see in the figure below. The arrows show the flow of communications from the external RDP client to the Terminal Server.


Figure 1

Each of the servers in this scenario is running Windows Server 2008 Enterprise Edition.

In this example network, I am using the Windows Server 2008 NAT server as my Internet gateway. You could use any other simple NAT device or packet filtering router, like a PIX, or even an advanced firewall like the Microsoft ISA Firewall. The key configuration option here is that you forward TCP port 443 connections to the Terminal Service Gateway computer.

The Domain Controller has DNS, DHCP, Certificate Services in Enterprise CA mode, and WINS installed.

The Terminal Server has only the base operating system installed. We will install other services during the course of this article series.

The TS Gateway has only the base operating system installed. We will install other services during the course of this article series.

In this article series I will describe the following processes and procedures that you need to perform to get the basic solution running:
  • Install Terminal Services and Terminal Services Licensing on the Terminal Server
  • Configure Terminal Services Licensing
  • Install Desktop Experience on the Terminal Server (optional)
  • Configure the Terminal Services Licensing Mode
  • Install the Terminal Services Gateway Service on the Terminal Services Gateway
  • Request a Certificate for the Terminal Services Gateway
  • Configure Terminal Services Gateway to Use the Certificate
  • Create a Terminal Services Gateway RAP
  • Create a Terminal Services Gateway CAP
  • Configure the RDP Client to use the Terminal Services Gateway
Install Terminal Services and Terminal Services Licensing on the Terminal Server


The first step is to install Terminal Services on the Terminal Services computer.

Perform the following steps to install Terminal Services and Terminal Services Licensing:
  • On the Terminal Server computer, open the Server Manager. In the Server Manager, click on the Roles node in the left pane of the console.
  • Click the Add Roles link in the right pane of the console.


Figure 2
  • Click Next on the Before You Begin page.
  • On the Select Server Roles page, put a checkmark in the Terminal Services checkbox. Click Next.


Figure 3
  • Click Next on the Terminal Services page.
  • On the Select Role Services page, put a checkmark in the Terminal Server and TS Licensing checkboxes. Click Next.


Figure 4
  • Click Next on the Uninstall and Reinstall Application for Compatibility page.
  • On the Specify Authentication Method for Terminal Server page, select the Require Network Level Authentication option. We can select this option in our current scenario because we are using only Vista SP1 clients to connect to the Terminal Server through the TS Gateway. We would not be able to use this option if we needed to support Windows XP SP2 clients. However, you should be able to support Network Level Authentication with Windows XP SP3. However, I have not yet confirmed this, so make sure to check the release notes on Windows XP SP3 when it is released later this year. Click Next.


Figure 5
  • On the Specify Licensing Mode page, select the Configure later option. We could select an option now, but I decided that we should select Configure later so that I can show you where in the Terminal Services console you configure the licensing mode. Click Next.


Figure 6
  • On the Select User Groups Allowed Access To This Terminal Server page, use the default options. You can add or remove groups if you want finer-tuned access control over the Terminal Server. However, if all of your users will be going through the Terminal Services Gateway, then you can control who can connect to the Terminal Server using the TS Gateway policy settings. Leave the default settings as they are and click Next.


Figure 7
  • On the Configure Discovery Scope for TS Licensing page, select the This domain option. We select this option in this scenario because we only have a single domain. If you have a multi-domain forest, you might consider selecting the The forest option. Click Next.


Figure 8
  • On the Confirm Installation Selections page, check the warning information indicating that you might have to reinstall applications that were already installed on this machine if you want them to work properly in a Terminal Services session environment. Also note that IE Enhanced Security Configuration will be turned off. Click Install.


Figure 9
  • On the Installation Results page, you will see a warning that you must restart the server to complete the installation. Click Close.


Figure 10
  • Click Yes in the Add Roles Wizard dialog box that asks if you want to restart the server.
  • Log on as Administrator. The installation will continue for a few minutes as the Installation Progress page appears after the Server Manager comes up.
  • Click Close on the Installation Results page after you see the Installation succeeded message.


Figure 11
  • You may see a balloon telling you that Terminal Services licensing mode is not configured. You can dismiss that warning, as we will next configure Terminal Services Licensing and then configure the licensing mode on the Terminal Server.


Figure 12
Configure Terminal Services Licensing


At this point we are ready to configure Terminal Services Licensing. In this example I will use some dummy data, which does not meet the actual requirements for licensing Terminal Services client connections, but it will provide an example of how the process works. Please do not use the same procedure that I show here to license your Terminal Services clients, because you will not be compliant with actual licensing requirements.

Perform the following steps to activate your Terminal Services Licensing Server:
  • From the Administrative Tools menu, click the Terminal Services menu and then click on TS Licensing Manager.
  • In the TS Licensing Manager console, right click the server name in the left pane of the console. Click on Activate Server.


Figure 13
  • Click Next on the Welcome to the Activate Server Wizard page.
  • On the Connection Method page, select the Automatic Connection (recommended) option. Click Next.


Figure 14
  • On the Company Information page, enter your company information and click Next.


Figure 15
  • Enter optional information if you like on the Company Information page. Click Next.


Figure 16
  • On the Completing the Activate Server Wizard page, make sure that the Start Install Licenses Wizard now option is checked. Click Next.


Figure 17
  • Click Next on the Welcome to the Install Licenses Wizard page.
  • On the License Program page, click the down arrow on the License program list and pick the license program that you participate in. In this example I will select Other agreement since this lab is not participating in any license program. Click Next.


Figure 18
  • On the License Program page, enter your Agreement number. In this example we'll just enter 1234567. Click Next.


Figure 19
  • On the Product Version and License Type page, select the Product version, License type and Quantity that fit the needs of your environment. In this lab setup, we are using Windows Server 2008 Terminal Servers, so we will select Windows Server 2008. We will use per user CALs in this example network, so we will select Windows Server 2008 TS Per User CAL. And we will enter 50 in the Quantity text box. Click Next.


Figure 20
  • Click Finish on the Completing the Install Licenses Wizard page.
Install Desktop Experience on the Terminal Server (optional)


When Windows Vista clients connect to a Windows Server 2008 Terminal Server, they can have a Vista-like desktop experience in the Terminal Services session if you install the Desktop Experience option on the Terminal Server.

Perform the following steps to install the Desktop Experience feature on the Terminal Server:
  • On the Select Features page, put a checkmark in the Desktop Experience checkbox. Click Next.


Figure 21
  • Click Install on the Confirm Installation Selections page.
  • On the Installation Results page, read the warning information that you must restart the computer to finish the installation process. Click Close.
  • Click Yes in the dialog box asking if you want to restart now.
  • Log on as administrator. Installation will resume and take a few minutes, so be patient.
  • Click Close on the Installation Results page, which shows that the installation was successful.
Configure the Terminal Services Licensing Mode


We will now finish up configuring the Terminal Server by setting the Terminal Services Licensing Mode. Perform the following steps to configure the Terminal Services Licensing Mode:
  • From the Administrative Tools menu, click the Terminal Services entry and then click Terminal Services Configuration.
  • In the middle pane of the Terminal Services Configuration console, double click Terminal Services Licensing mode.


Figure 22
  • In the Properties dialog box, select the Per User option for the Specify the Terminal Services licensing mode option. Select Automatically discover license server for the Specify the license server discovery mode option. Click OK.


Figure 23
  • Click the Licensing Diagnosis node in the left pane of the console. In the middle pane you will see details for the licensing configuration for this Terminal Server.


Figure 24
  • Close the Terminal Services Configuration console.

Install the Terminal Services Gateway Service on the Terminal Services Gateway


Now we will move our attention to the Terminal Services Gateway computer. This is the machine that external clients will initially connect to when making their Terminal Services client connections.

Perform the following steps to install the Terminal Services Gateway on the Terminal Services Gateway computer:
  • Open Server Manager on the Terminal Services Gateway computer. Click on the Roles node in the left pane of the console and then click the Add Roles link in the right pane.
  • Click Next on the Before You Begin page.
  • On the Select Server Roles page, put a checkmark in the Terminal Services checkbox.
  • On the Terminal Services page, click Next.
  • On the Select Role Services page, put a checkmark in the TS Gateway checkbox. You will then see an Add Roles Wizard dialog box asking if you want to Add role services and features required for TS Gateway. Click the Add Required Role Services button.


Figure 1
  • Click Next on the Select Role Services page.
  • On the Choose a Server Authentication Certificate for SSL Encryption page, select the Choose a certificate for SSL encryption later option. We choose this option because we have not yet created a certificate for the TS Gateway to use for the SSL connection between itself and the RDP client. We will ask for this certificate later and then configure TS Gateway to use the certificate. Click Next.


Figure 2
  • On the Create Authorization Policies for TS Gateway page, select the Later option. We select this option because I want to take you into the TS Gateway console and show you how to configure authorization policies in the console. Click Next.


Figure 3
  • Click Next on the Network Policy and Access Services page.
  • On the Select Role Services page, confirm that the Network Policy Server checkbox is checked. Click Next.


Figure 4
  • On the Web Server (IIS) page, click Next.
  • On the Select Role Services page, accept the default role services selected by the wizard. These are the services required to run the TS Gateway service. Click Next.


Figure 5
  • Review the information on the Confirm Installation Selections page and click Install.


Figure 6
  • Click Close on the Installation Results page, which shows that the install succeeded.
Request a Certificate for the Terminal Services Gateway


Now we can request a certificate that the TS Gateway Web site can use to establish the SSL connection with the RDP client.

Perform the following steps to request the certificate for the TS Gateway computer:
  • From the Administrative Tools menu, click Internet Information Services (IIS) Manager.
  • In the Internet Information Services (IIS) Manager console, click on the server name in the left pane of the console. Double click the Server Certificates icon in the middle pane of the console.


Figure 7
  • In the right pane of the console, click the Create Domain Certificate link.


Figure 8
  • On the Distinguished Name Properties page, enter the information specified on this page. The most important entry is the Common name entry. The name you enter here must be the same name that the Terminal Services client is configured to use to contact the TS Gateway computer. This is also the name that your public DNS servers resolve to the public address that allows access to the TS Gateway. In most cases, this will be a router or NAT device's external interface, or perhaps the external interface of an advanced firewall, such as the Microsoft ISA Firewall. Click Next.


Figure 9
  • On the Online Certification Authority page, click the Select button. In the Select Certification Authority dialog box, select the name of the Enterprise CA that you want to obtain the certificate from. Remember, we are able to obtain this domain certificate and automatically install it because we are using an Enterprise CA. If you were using a standalone CA, you would have to suffer through using the Web enrollment site, and that would only be after you created an offline request, and then you would have to manually install the computer certificate. Click OK after selecting the Enterprise CA.


Figure 10
  • Enter a Friendly name on the Online Certification Authority page. In this example we will give the certificate a friendly name of TSG Cert. Click Finish.


Figure 11
  • After receiving the certificate, you will see certificate related information in the middle pane of the console. If you double click the certificate, you will see the Certificate dialog box, which shows you the common name in the Issued to field and the fact that You have a private key that corresponds to this certificate. This is crucial, since the certificate will not work if you do not have a private key. Click OK to close the Certificate dialog box.


Figure 12
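The two properties the Certificate dialog box shows (the Issued to name and the presence of a private key) can also be checked from the computer certificate store. This is an added example, not part of the original article; it assumes the lab gateway name tsg.msfirewall.org and additionally checks that the certificate carries the Server Authentication enhanced key usage and has not expired.

```powershell
# Added example (not from the article): report which certificates in the machine
# store are usable for the TS Gateway SSL listener. Replace the FQDN with the public
# name your RDP clients will type in; it must match the certificate's Common Name.
function Test-TsgCertificate {
    param([string]$Fqdn)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $ekuExtOid     = '2.5.29.37'            # Enhanced Key Usage extension

    Get-ChildItem Cert:\LocalMachine\My |
        Select-Object Thumbprint, Subject, HasPrivateKey, NotAfter,
            @{ Name = 'CnMatches'; Expression = {
                # The client's "Warn me" server authentication check compares the
                # name it connected to with the Subject CN.
                $_.Subject -match ('(^|,\s*)CN=' + [regex]::Escape($Fqdn) + '(\s*,|$)') } },
            @{ Name = 'ServerAuth'; Expression = {
                $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
                if ($eku) {
                    @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
                } else { $false } } } |
        Select-Object *, @{ Name = 'Usable'; Expression = {
            # The article calls the private key "crucial": without it the listener
            # cannot complete the SSL handshake, whatever the other fields say.
            $_.HasPrivateKey -and $_.CnMatches -and $_.ServerAuth -and ($_.NotAfter -gt (Get-Date)) } }
}

Test-TsgCertificate -Fqdn 'tsg.msfirewall.org' |
    Format-Table Thumbprint, Subject, HasPrivateKey, CnMatches, ServerAuth, NotAfter, Usable -AutoSize
```

A row with Usable set to False tells you which of the four conditions the certificate fails before you bind it on the SSL Certificate tab.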
Configure Terminal Services Gateway to Use the Certificate


With the certificate now installed in the machine’s computer certificate store, you can assign the TS Gateway to use this certificate.

Perform the following steps to configure the TS Gateway to use this certificate:
  • In the Administrative Tools console, click the Terminal Services entry and then click TS Gateway.
  • In the TS Gateway Manager, click the name of the TS Gateway computer in the left pane of the console. The middle pane provides useful information about configuration steps that need to be completed in order to finish the setup. Click the View or modify certificate properties link.


Figure 13
  • In the Properties dialog box for the TS Gateway, on the SSL Certificate tab, confirm that the Select an existing certificate for SSL encryption option is selected and then click the Browse Certificates button. This brings up the Install Certificate dialog box. Click the certificate, which in this case is tsg.msfirewall.org, and then click the Install button.


Figure 14
  • The SSL Certificate tab now shows information about the certificate that the TS Gateway will use to establish SSL connections. Click OK.


Figure 15
  • The contents of the middle pane change, reflecting the fact that the certificate is now installed on the TS Gateway. However, we now see in the Configuration Status section that we need to create both a connection authorization policy and a resource authorization policy.


Figure 16
Create a Terminal Services Gateway CAP


A connection authorization policy (CAP) allows you to control who can connect to the Terminal Server through the Terminal Services Gateway.

Perform the following steps to create a connection authorization policy:
  • In the left pane of the console, click the Connection Authorization Policies node that lies under the Policies node. In the right pane of the console, click the arrow to the right of Create New Policy and then click Wizard.


Figure 17
  • On the Authorization Policies page, select the Create only a TS CAP option. Click Next.


Figure 18
  • On the Connection Authorization Policy page, enter a name for the CAP. In this example we will name the CAP General CAP. Click Next.


Figure 19
  • On the Requirements page, put a checkmark in the Password checkbox. If you plan on using Smartcard authentication, then you would select the Smartcard option. Now you need to configure what groups can access the Terminal Server through the TS Gateway. To do this, click the Add Group button. In the Select Groups dialog box, enter the name of the group you want to allow access and click Check Names. In this example, enter Domain Users and then click OK.


Figure 20
  • Notice on the Requirements page that you also have an option to create computer groups and allow access only to specified computers. We will not configure that option in this example. Click Next.


Figure 21
  • On the Device Redirection page, select the Enable device redirection for all client devices option. Note that if you want a higher security environment, you might consider selecting the Disable device redirection for the following client device types option and then selecting the Drives and Clipboard options. For even higher security, you might even select the Disable device redirection for all client devices except for smart cards option. Click Next.


Figure 22
  • On the Summary of TS CAP Settings page, read the results of your selections and then click Finish.


Figure 23
  • Click Close on the Confirm Policy Creation page.
Create a Terminal Services Gateway RAP


The next policy we need to create is a Resource Authorization Policy, or RAP. RAPs are used to control which Terminal Servers can be accessed through the Terminal Services Gateway.

Perform the following steps to create the RAP:
  • Click on the Resource Authorization Policies node in the left pane of the TS Gateway Manager console. In the right pane of the console, click the arrow sitting to the right of the Create New Policy link and then click Wizard.


Figure 24
  • On the Authorization Policies page, select the Create only a TS RAP option.


Figure 25
  • On the Resource Authorization Policy page, give a name for the RAP in the Enter a name for the TS RAP text box. In this example, we will name the RAP General RAP. Click Next.


Figure 26
  • On the User Groups page, you select the user groups to which this RAP will apply. This gives you fine-tuned control over which users are able to access which Terminal Servers. Some groups might be allowed to access Terminal Server A and some other groups might need access to Terminal Server B. The RAP gives you this kind of control. In this example, click the Add Group button and add the Domain Users group. Click Next.


Figure 27
  • On the Computer Group page, you have the option of defining which Terminal Servers are accessed through this RAP. You have the option of selecting an Active Directory defined group of computers, or you can create a TS Gateway managed group. In this example, since we only have a single Terminal Server, we will choose the simplest option, which is the Allow users to connect to any network resource (computer) option. This will allow users to connect to all Terminal Servers on the network. Click Next.


Figure 28
  • On the TS RAP Summary page, confirm your settings and click Finish.


Figure 29
  • Click Close on the Confirm Policy Creation page.
  • Click on the server name in the left pane of the console. You will see in the middle pane that there are no more issues that we need to handle. The TS Gateway is now ready to handle new incoming connections to any Terminal Server on the network.


Figure 30
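The CAP and RAP created above can be reviewed outside the TS Gateway Manager console through the TS Gateway WMI provider, which is useful when auditing a gateway someone else built. This is an added example, not from the article; it uses the Win32_TSGatewayConnectionAuthorizationPolicy and Win32_TSGatewayResourceAuthorizationPolicy classes and flags the two lab choices the article itself notes as the less restrictive ones (device redirection for all devices, and a RAP that allows any network resource).

```powershell
# Added example (not from the article): dump TS Gateway authorization policies via WMI
# and annotate the permissive settings. Run on the TS Gateway computer.
$tsgNamespace = 'root\CIMV2\TerminalServices'

function Get-TsgCapReport {
    Get-WmiObject -Namespace $tsgNamespace -Class Win32_TSGatewayConnectionAuthorizationPolicy |
        Select-Object Name, Enabled, UserGroupNames, ComputerGroupNames, DeviceRedirectionType,
            @{ Name = 'Finding'; Expression = {
                # DeviceRedirectionType: 0 = enable all devices, 1 = disable all,
                # 2 = disable the specified device types (drives, clipboard, ...)
                switch ($_.DeviceRedirectionType) {
                    0 { 'Full device redirection: client drives and clipboard reach the Terminal Server' }
                    1 { 'All device redirection disabled' }
                    default { 'Selected device types disabled' }
                } } }
}

function Get-TsgRapReport {
    Get-WmiObject -Namespace $tsgNamespace -Class Win32_TSGatewayResourceAuthorizationPolicy |
        Select-Object Name, Enabled, UserGroupNames, ResourceGroupType, ResourceGroupName, PortNumbers,
            @{ Name = 'Finding'; Expression = {
                # ResourceGroupType: 'CG' = Active Directory computer group,
                # 'RG' = TS Gateway managed group, 'ALL' = any network resource
                if ($_.ResourceGroupType -eq 'ALL') {
                    'Allows any network resource; scope to a computer group once more than one Terminal Server exists'
                } else {
                    'Scoped to group ' + $_.ResourceGroupName
                } } }
}

Write-Host '== Connection Authorization Policies =='
Get-TsgCapReport | Format-List
Write-Host '== Resource Authorization Policies =='
Get-TsgRapReport | Format-List
```

With the article's General CAP and General RAP in place, the report shows DeviceRedirectionType 0 and ResourceGroupType ALL, matching the wizard pages in Figures 21 and 27.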
Configure the RDP Client to use the Terminal Services Gateway


We are almost home! The Terminal Server and the TS Gateway are now configured and ready to go. The last step is to configure the RDP client on the Vista computer. We need to configure the client with the name of the Terminal Server that it should connect to and the name of the Terminal Services Gateway computer that it will use to reach the Terminal Server.

Note:
I have configured the Vista client computer with a HOSTS file entry for tsg.msfirewall.org so that it will resolve the name of the Terminal Services Gateway to the IP address of the external interface of the NAT device in the front of the network.

Perform the following steps to configure the RDP client on the Windows Vista computer:
  • On the Vista computer, click the Start button and then click Accessories. Double click Remote Desktop Connection.
  • In the Remote Desktop Connection dialog box, on the General tab, enter the computer name of the Terminal Server in the Computer text box. Enter your user name in the User name text box. If you want the client to save your credentials, you can put a checkmark in the Allow me to save credentials check box.


Figure 31
  • Click on the Advanced tab. In the Server authentication section, make sure that the Warn me option is selected. Click the Settings button in the Connect from anywhere section.


Figure 32
  • In the TS Gateway Server Settings dialog box, select the Use these TS Gateway server settings option. Enter the name of the TS Gateway in the Server name text box. For the Logon method, select Ask for password (NTLM). Note that the Automatically detect TS Gateway server settings option allows you to configure the RDP client to pull its settings via Group Policy. Click OK.


Figure 33
  • Click on the General tab and then click Connect.


Figure 34
  • A Windows Security dialog box will appear. Enter your password and then click OK.


Figure 35
  • The Terminal Services session opens up and you can see the desktop and applications running for your account in the Terminal Services session.


Figure 36
  • Go to the TS Gateway computer and click on the Monitoring node in the left pane of the Terminal Services Gateway console. Here you can see information about the Terminal Services sessions going through the TS Gateway.

Figure 37
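The Remote Desktop Connection settings chosen above are stored as plain key:type:value lines in an .rdp file, so the same client configuration can be handed to users as a file instead of being clicked through. This is an added example, not from the article; tsg.msfirewall.org is the article's gateway name, while ts.msfirewall.org and the user name are placeholders.

```powershell
# Added example (not from the article): write an .rdp file carrying the settings the
# article configures in the Remote Desktop Connection dialog (General tab, Advanced
# tab "Warn me", and the TS Gateway Server Settings dialog).
function New-TsgRdpFile {
    param(
        [string]$TerminalServer,   # Computer box on the General tab
        [string]$GatewayFqdn,      # Server name in TS Gateway Server Settings; must match the certificate CN
        [string]$UserName,
        [string]$Path
    )
    $settings = @(
        "full address:s:$TerminalServer",
        "username:s:$UserName",
        "prompt for credentials:i:1",
        # Server authentication: 2 = Warn me, 1 = don't connect, 0 = connect without warning
        "authentication level:i:2",
        # Connect from anywhere: 1 = "Use these TS Gateway server settings", 0 = default profile
        "gatewayprofileusagemethod:i:1",
        "gatewayhostname:s:$GatewayFqdn",
        # 1 = always use the gateway, 2 = bypass it for local addresses, 0 = do not use it
        "gatewayusagemethod:i:1",
        # Logon method: 0 = Ask for password (NTLM), 1 = smart card, 4 = choose later
        "gatewaycredentialssource:i:0"
    )
    Set-Content -Path $Path -Value $settings -Encoding Unicode
    return $settings
}

# Placeholder names for the Terminal Server and user; the gateway name is the article's.
New-TsgRdpFile -TerminalServer 'ts.msfirewall.org' -GatewayFqdn 'tsg.msfirewall.org' `
    -UserName 'MSFIREWALL\user1' -Path "$env:USERPROFILE\Desktop\TSGateway.rdp"
```

Opening the file in mstsc shows the Advanced tab and TS Gateway Server Settings dialog populated exactly as in Figures 32 and 33.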