server 2008 (4)

Upload: pexpe81

Post on 14-Apr-2018


  • 7/30/2019 server 2008 (4)


    1 | P a g e ICT Trendy Co., Ltd Prepared By: Kheuangkham Phothisan

    Configuring the Windows Server 2008 Terminal Services Gateway (Part 1)

    Windows Server 2008 provides a solution to this security problem: Terminal Services Gateway. Using a Terminal Services Gateway, you can pre-authenticate users and control which Terminal Servers users can access based on credentials and policy. This gives you the fine-grained control you need to ensure that you have a secure remote access RDP solution.

    In this two-part series on how to put together a working Terminal Services Gateway solution, we will use the lab network you see in the figure below. The arrows show the flow of communications from the external RDP client to the Terminal Server.

    Figure 1

    Each of the servers in this scenario is running Windows Server 2008 Enterprise Edition.

    In this example network, I am using the Windows Server 2008 NAT server as my Internet gateway. You could use any other simple NAT device or packet filtering router, like a PIX, or even an advanced firewall like the Microsoft ISA Firewall. The key configuration option here is that you forward TCP port 443 connections to the Terminal Services Gateway computer.

    The Domain Controller has DNS, DHCP, Certificate Services in Enterprise CA mode, and WINS

    installed.

    The Terminal Server has only the base operating system installed. We will install other services

    during the course of this article series.

    The TS Gateway has only the base operating system installed. We will install other services

    during the course of this article series.

    In this article series I will describe the following processes and procedures that you need to

    perform to get the basic solution running:

    Install Terminal Services and Terminal Services Licensing on the Terminal Server

    Configure Terminal Services Licensing

    Install Desktop Experience on the Terminal Server (optional)

    Configure the Terminal Services Licensing Mode

    Install the Terminal Services Gateway Service on the Terminal Services Gateway

    Request a Certificate for the Terminal Services Gateway

    Configure Terminal Services Gateway to Use the Certificate

    Create a Terminal Services Gateway RAP

    Create a Terminal Services Gateway CAP

    Configure the RDP Client to use the Terminal Services Gateway

    Install Terminal Services and Terminal Services Licensing on the Terminal Server

    The first step is to install Terminal Services on the Terminal Services computer.

    Perform the following steps to install Terminal Services and Terminal Services Licensing:

    1. On the Terminal Server computer, open the Server Manager. In the Server Manager, click on the Roles node in the left pane of the console.

    2. Click the Add Roles link in the right pane of the console.


    Figure 2

    3. Click Next on the Before You Begin page.

    4. On the Select Server Roles page, put a checkmark in the Terminal Services checkbox. Click Next.

    Figure 3

    5. Click Next on the Terminal Services page.

    6. On the Select Role Services page, put a checkmark in the Terminal Server and TS Licensing

    checkboxes. Click Next.


    Figure 4

    7. Click Next on the Uninstall and Reinstall Application for Compatibility page.

    8. On the Specify Authentication Method for Terminal Server page, select the Require Network Level Authentication option. We can select this option in our current scenario because we are using only Vista SP1 clients to connect to the Terminal Server through the TS Gateway. We would not be able to use this option if we needed to support Windows XP SP2 clients. You should be able to support Network Level Authentication with Windows XP SP3; however, I have not yet confirmed this, so make sure to check the release notes on Windows XP SP3 when it is released later this year. Click Next.


    Figure 5

    9. On the Specify Licensing Mode page, select the Configure later option. We could select an

    option now, but I decided that we should select Configure later so that I can show you where in

    the Terminal Services console you configure the licensing mode. Click Next.

    Figure 6


    10. On the Select User Groups Allowed Access To This Terminal Server page, use the default options. You can add or remove groups if you want finer-tuned access control over the Terminal Server. However, if all of your users will be going through the Terminal Services Gateway, then you can control who can connect to the Terminal Server using the TS Gateway policy settings. Leave the default settings as they are and click Next.

    Figure 7

    11. On the Configure Discovery Scope for TS Licensing page, select the This domain option. We select this option in this scenario because we only have a single domain. If you have a multi-domain forest, you might consider selecting the The forest option. Click Next.

    Figure 8

    12. On the Confirm Installation Selections page, check the warning information indicating that you might have to reinstall applications that were already installed on this machine if you want them to work properly in a Terminal Services session environment. Also note that IE Enhanced Security Configuration will be turned off. Click Install.

    Figure 9

    13. On the Installation Results page, you will see a warning that you must restart the server to

    complete the installation. Click Close.


    Figure 10

    14. Click Yes in the Add Roles Wizard dialog box that asks if you want to restart the server.

    15. Log on as Administrator. The installation will continue for a few minutes as the Installation

    Progress page appears after the Server Manager comes up.

    16. Click Close on the Installation Results page after you see the Installation succeeded message.


    Figure 11

    17. You may see a balloon telling you that Terminal Services licensing mode is not configured. You

    can dismiss that warning, as we will next configure Terminal Services Licensing and then

    configure the licensing mode on the Terminal Server.

    Figure 12

    Configure Terminal Services Licensing

    At this point we are ready to configure Terminal Services Licensing. In this example I will use some dummy data, which does not meet the actual requirements for licensing Terminal Services client connections, but it will provide an example of how the process works. Please do not use the same procedure that I show here to license your Terminal Services clients, because you will not be compliant with actual licensing requirements.

    Perform the following steps to activate your Terminal Services Licensing Server:


    1. From the Administrative Tools menu, click the Terminal Services menu and then click on TS

    Licensing Manager.

    2. In the TS Licensing Manager console, right click the server name in the left pane of the console.

    Click on Activate Server.

    Figure 13

    3. Click Next on the Welcome to the Activate Server Wizard page.

    4. On the Connection Method page, select the Automatic Connection (recommended) option.

    Click Next.


    Figure 14

    5. On the Company Information page, enter your company information and click Next.


    Figure 15

    6. Enter optional information if you like on the Company Information page. Click Next.


    Figure 16

    7. On the Completing the Activate Server Wizard page, make sure that the Start Install Licenses

    Wizard now option is checked. Click Next.


    Figure 17

    8. Click Next on the Welcome to the Install Licenses Wizard page.

    9. On the License Program page, click the down arrow on the License program list and pick the

    license program that you participate in. In this example I will select Other agreement since this

    lab is not participating in any license program. Click Next.


    Figure 18

    10. On the License Program page, enter your Agreement number. In this example we'll just enter 1234567. Click Next.


    Figure 19

    11. On the Product Version and License Type page, select the Product version, License type and

    Quantity that fits the needs of your environment. In this lab setup, we are using Windows

    Server 2008 Terminal Servers, so we will select Windows Server 2008. We will use per user CALs

    in this example network, so we will select Windows Server 2008 TS Per User CAL. And we will

    enter 50 in the Quantity text box. Click Next.


    Figure 20

    12. Click Finish on the Completing the Install Licenses Wizard page.

    Install Desktop Experience on the Terminal Server (optional)

    When Windows Vista clients connect to a Windows Server 2008 Terminal Server, they can have a Vista-like desktop experience in the Terminal Services session if you install the Desktop Experience option on the Terminal Server.

    Perform the following steps to install the Desktop Experience Feature to the Terminal Server:

    1. On the Select Features page, put a checkmark in the Desktop Experience checkbox. Click Next.


    Figure 21

    2. Click Install on the Confirm Installation Selections page.

    3. On the Installation Results page, read the warning information that you must restart the

    computer to finish the installation process. Click Close.

    4. Click Yes in the dialog box asking if you want to restart now.

    5. Log on as administrator. Installation will resume and take a few minutes, so be patient.

    6. Click Close on the Installation Results page, which shows that the installation was successful.

    Configure the Terminal Services Licensing Mode

    We will now finish up with configuring the Terminal Server by setting the Terminal Services

    Licensing Mode. Perform the following steps to configure the Terminal Services Licensing

    Mode:

    1. From the Administrative Tools menu, click the Terminal Services entry and then click Terminal Services Configuration.

    2. In the middle pane of the Terminal Services Configuration console, double click Terminal Services Licensing mode.


    Figure 22

    3. In the Properties dialog box, select the Per User option for the Specify the Terminal Services

    licensing mode option. Select Automatically discover license server for the Specify the license

    server discovery mode option. Click OK.


    Figure 23

    4. Click the Licensing Diagnosis node in the left pane of the console. In the middle pane you will

    see details for the licensing configuration for this Terminal Server.


    Figure 24

    5. Close the Terminal Services Configuration console.
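
A read-only check of the two Terminal Server settings chosen in the steps above: Require Network Level Authentication (role wizard, step 8) and the Per User licensing mode (Terminal Services Configuration). This is an added example, not part of the original article; it assumes Windows PowerShell 2.0 or later, run elevated on the Terminal Server itself, and the function name Get-TsBaselineReport is hypothetical.

```powershell
# Added example, not from the original article. Run in an elevated
# Windows PowerShell 2.0+ session on the Terminal Server (assumption).
# It only reads settings through the Terminal Services WMI provider.
function Get-TsBaselineReport {
    param([string]$Listener = 'RDP-Tcp')   # default RDP listener name

    $ns = 'root\cimv2\TerminalServices'
    $general = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
                   -Filter "TerminalName='$Listener'"
    $service = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting
    if (-not $general) { throw "Listener '$Listener' not found in $ns" }
    if (-not $service) { throw "Win32_TerminalServiceSetting not found in $ns" }

    # LicensingType values of Win32_TerminalServiceSetting.
    $modes = @{ 1 = 'Remote Desktop for Administration'; 2 = 'Per Device'
                4 = 'Per User'; 5 = 'Not configured' }
    $modeId = [int]$service.LicensingType   # cast so the hashtable key matches
    $mode = $modes[$modeId]
    if (-not $mode) { $mode = "Unknown ($modeId)" }

    # Expected values mirror the choices made in the walkthrough.
    $checks = @(
        @{ Check    = 'Network Level Authentication required'
           Expected = 'True'
           Actual   = [string]([int]$general.UserAuthenticationRequired -eq 1) },
        @{ Check    = 'Licensing mode'
           Expected = 'Per User'
           Actual   = $mode }
    )
    foreach ($c in $checks) {
        New-Object PSObject -Property $c |
            Select-Object Check, Expected, Actual,
                @{ Name = 'Pass'; Expression = { $_.Actual -eq $_.Expected } }
    }
}

Get-TsBaselineReport | Format-Table -AutoSize
```

A row with Pass set to False for Network Level Authentication means the listener still accepts connections that have not authenticated before the session is created, which is the setting to correct before the server is published through the TS Gateway.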