7/31/2019 TS Gateway
You could use any other simple NAT device or packet filtering router, like a PIX, or even an advanced firewall like the Microsoft ISA Firewall. The key configuration option here is that you forward TCP port 443 connections to the Terminal Service Gateway computer.
The Domain Controller has DNS, DHCP, Certificate Services in Enterprise CA mode, and WINS
installed.
The Terminal Server has only the base operating system installed. We will install other services
during the course of this article series.
The TS Gateway has only the base operating system installed. We will install other services
during the course of this article series.
In this article series I will describe the following processes and procedures that you need to
perform to get the basic solution running:
Install Terminal Services and Terminal Services Licensing on the Terminal Server
Configure Terminal Services Licensing
Install Desktop Experience on the Terminal Server (optional)
Configure the Terminal Services Licensing Mode
Install the Terminal Services Gateway Service on the Terminal Services Gateway
Request a Certificate for the Terminal Services Gateway
Configure Terminal Services Gateway to Use the Certificate
Create a Terminal Services Gateway RAP
Create a Terminal Services Gateway CAP
Configure the RDP Client to use the Terminal Services Gateway
Install Terminal Services and Terminal Services Licensing on the Terminal Server
The first step is to install Terminal Services on the Terminal Server computer.
Perform the following steps to install Terminal Services and Terminal Services Licensing:
1. On the Terminal Server computer, open the Server Manager. In the Server Manager, click on the Roles node in the left pane of the console.
2. Click the Add Roles link in the right pane of the console.
Figure 2
3. Click Next on the Before You Begin page.
4. On the Select Server Roles page, put a checkmark in the Terminal Services checkbox. Click Next.
Figure 3
5. Click Next on the Terminal Services page.
6. On the Select Role Services page, put a checkmark in the Terminal Server and TS Licensing checkboxes. Click Next.
Figure 4
7. Click Next on the Uninstall and Reinstall Application for Compatibility page.
8. On the Specify Authentication Method for Terminal Server page, select the Require Network Level Authentication option. We can select this option in our current scenario because we are using only Vista SP1 clients to connect to the Terminal Server through the TS Gateway. We would not be able to use this option if we needed to support Windows XP SP2 clients. However, you should be able to support Network Level Authentication with Windows XP SP3. I have not yet confirmed this, though, so make sure to check the release notes on Windows XP SP3 when it is released later this year. Click Next.
Figure 5
9. On the Specify Licensing Mode page, select the Configure later option. We could select an option now, but I decided that we should select Configure later so that I can show you where in the Terminal Services console you configure the licensing mode. Click Next.
Figure 6
10. On the Select User Groups Allowed Access To This Terminal Server page, use the default options. You can add or remove groups if you want finer tuned access control over the Terminal Server. However, if all of your users will be going through the Terminal Services Gateway, then you can control who can connect to the Terminal Server using the TS Gateway policy settings. Leave the default settings as they are and click Next.
Figure 7
11. On the Configure Discovery Scope for TS Licensing page, select the This domain option. We select this option in this scenario because we only have a single domain. If you have a multi-domain forest, you might consider selecting the The forest option. Click Next.
Figure 8
12. On the Confirm Installation Selections page, check the warning information indicating that you might have to reinstall applications that were already installed on this machine if you want them to work properly in a Terminal Services session environment. Also note that IE Enhanced Security Configuration will be turned off. Click Install.
Figure 9
13. On the Installation Results page, you will see a warning that you must restart the server to complete the installation. Click Close.
Figure 10
14. Click Yes in the Add Roles Wizard dialog box that asks if you want to restart the server.
15. Log on as Administrator. The installation will continue for a few minutes as the Installation Progress page appears after the Server Manager comes up.
16. Click Close on the Installation Results page after you see the Installation succeeded message.
Figure 11
17. You may see a balloon telling you that Terminal Services licensing mode is not configured. You can dismiss that warning, as we will next configure Terminal Services Licensing and then configure the licensing mode on the Terminal Server.
Figure 12
Configure Terminal Services Licensing
At this point we are ready to configure Terminal Services Licensing. In this example I will use some dummy data, which does not meet the actual requirements for licensing Terminal Services client connections, but it will provide an example of how the process works. Please do not use the same procedure that I show here to license your Terminal Services clients, because you will not be compliant with actual licensing requirements.
Perform the following steps to activate your Terminal Services Licensing Server:
1. From the Administrative Tools menu, click the Terminal Services menu and then click on TS Licensing Manager.
2. In the TS Licensing Manager console, right click the server name in the left pane of the console. Click on Activate Server.
Figure 13
3. Click Next on the Welcome to the Activate Server Wizard page.
4. On the Connection Method page, select the Automatic Connection (recommended) option. Click Next.
Figure 14
5. On the Company Information page, enter your company information and click Next.
Figure 15
6. Enter optional information if you like on the Company Information page. Click Next.
Figure 16
7. On the Completing the Activate Server Wizard page, make sure that the Start Install Licenses Wizard now option is checked. Click Next.
Figure 17
8. Click Next on the Welcome to the Install Licenses Wizard page.
9. On the License Program page, click the down arrow on the License program list and pick the license program that you participate in. In this example I will select Other agreement since this lab is not participating in any license program. Click Next.
Figure 18
10. On the License Program page, enter your Agreement number. In this example we'll just enter 1234567. Click Next.
Figure 19
11. On the Product Version and License Type page, select the Product version, License type and Quantity that fits the needs of your environment. In this lab setup, we are using Windows Server 2008 Terminal Servers, so we will select Windows Server 2008. We will use per user CALs in this example network, so we will select Windows Server 2008 TS Per User CAL. And we will enter 50 in the Quantity text box. Click Next.
Figure 20
12. Click Finish on the Completing the Install Licenses Wizard page.
Install Desktop Experience on the Terminal Server (optional)
When Windows Vista clients connect to a Windows Server 2008 Terminal Server, they can have
a Vista-like desktop experience in the Terminal Services session if you install the Desktop
Experience option on the Terminal Server.
Perform the following steps to install the Desktop Experience Feature to the Terminal Server:
1. On the Select Features page, put a checkmark in the Desktop Experience checkbox. Click Next.
Figure 21
2. Click Install on the Confirm Installation Selections page.
3. On the Installation Results page, read the warning information that you must restart the computer to finish the installation process. Click Close.
4. Click Yes in the dialog box asking if you want to restart now.
5. Log on as administrator. Installation will resume and take a few minutes, so be patient.
6. Click Close on the Installation Results page, which shows that the installation was successful.
Configure the Terminal Services Licensing Mode
We will now finish up with configuring the Terminal Server by setting the Terminal Services Licensing Mode. Perform the following steps to configure the Terminal Services Licensing Mode:
1. From the Administrative Tools menu, click the Terminal Services entry and then click Terminal Services Configuration.
2. In the middle pane of the Terminal Services Configuration console, double click Terminal Services Licensing mode.
Figure 22
3. In the Properties dialog box, select the Per User option for the Specify the Terminal Services licensing mode option. Select Automatically discover license server for the Specify the license server discovery mode option. Click OK.
Figure 23
4. Click the Licensing Diagnosis node in the left pane of the console. In the middle pane you will see details for the licensing configuration for this Terminal Server.
Figure 24
5. Close the Terminal Services Configuration console.
In the first part of this article series, we did a basic installation of Terminal Services and Terminal Services Licensing and configured the Terminal Server licensing mode. In this, part two of the article series, we will finish up by installing and configuring the TS Gateway and the RDP client. Then we will make the connection and see it work.
Install the Terminal Services Gateway Service on the Terminal Services Gateway
Now we will move our attention to the Terminal Services Gateway computer. This is the machine that external clients will initially connect to when making their Terminal Services client connections.
Perform the following steps to install the Terminal Services Gateway on the Terminal Services
Gateway computer:
1. Open Server Manager on the Terminal Services Gateway computer. Click on the Roles node in the left pane of the console and then click the Add Role link in the right pane.
2. Click Next on the Before You Begin page.
3. On the Select Server Roles page, put a checkmark in the Terminal Services checkbox.
4. On the Terminal Services page, click Next.
5. On the Select Role Services page, put a checkmark in the TS Gateway checkbox. You will then see an Add Roles Wizard dialog box asking if you want to Add role services and features required for TS Gateway. Click the Add Required Role Services button.
Figure 1
6. Click Next on the Select Role Services page.
7. On the Choose a Server Authentication Certificate for SSL Encryption page, select the Choose a certificate for SSL encryption later option. We choose this option because we have not yet created a certificate for the TS Gateway to use for the SSL connection between itself and the RDP client. We will ask for this certificate later and then configure TS Gateway to use the certificate. Click Next.
Figure 2
8. On the Create Authorization Policies for TS Gateway page, select the Later option. We select this option because I want to take you into the TS Gateway console and show you how to configure authorization policies in the console. Click Next.
Figure 3
9. Click Next on the Network Policy and Access Services page.
10. On the Select Role Services page, confirm that the Network Policy Server checkbox is checked. Click Next.
Figure 4
11. On the Web Server (IIS) page, click Next.
12. On the Select Role Services page, accept the default role services selected by the wizard. These are the services required to run the TS Gateway service. Click Next.
Figure 5
13. Review the information on the Confirm Installation Selections page and click Install.
Figure 6
14. Click Close on the Installation Results page which shows that the install succeeded.
Request a Certificate for the Terminal Services Gateway
Now we can request a certificate that the TS Gateway Web site can use to establish the SSL
connection with the RDP client.
Perform the following steps to request the certificate for the TS Gateway computer:
1. From the Administrative Tools menu, click Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager console, click on the server name in the left pane of the console. Double click the Server Certificates icon in the middle pane of the console.
Figure 7
3. In the right pane of the console, click the Create Domain Certificate link.
Figure 8
4. On the Distinguished Name Properties page, enter the information specified on this page. The most important entry is the Common name entry. The name you enter here must be the same name that the Terminal Services client is configured to use to contact the TS Gateway computer. This is also the name that your public DNS servers would be configured to provide the public address that allows access to the TS Gateway. In most cases, this will be a router or NAT device's external interface, or perhaps the external interface of an advanced firewall, such as the Microsoft ISA Firewall. Click Next.
Figure 9
5. On the Online Certification Authority page, click the Select button. In the Select Certification Authority dialog box, select the name of the Enterprise CA that you want to obtain the certificate from. Remember, we are able to obtain this domain certificate and automatically install it because we are using an Enterprise CA. If you were using a
standalone CA, you would have to suffer from using the Web enrollment site, and that would only be after you created an offline request, and then you would have to manually install the computer certificate. Click OK after selecting the Enterprise CA.
Figure 10
6. Enter a Friendly name on the Online Certification Authority page. In this example we will give the certificate a friendly name of TSG Cert. Click Finish.
Figure 11
7. After receiving the certificate, you will see certificate related information in the middle pane of the console. If you double click the certificate, you will see the Certificate dialog box, which shows you the common name in the Issued to field and the fact that You have a private key that corresponds to this certificate. This is crucial, since the certificate will not work if you do not have a private key. Click OK to close the Certificate dialog box.
Figure 12
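The dialog box in step 7 shows the two things that matter about this certificate: the common name and the private key. The following PowerShell script, added here as an example and not part of the original article, checks both from the command line on the TS Gateway, plus two things the dialog does not show: that the certificate carries the Server Authentication usage the SSL listener needs, and that its chain builds to a trusted root. It assumes the common name entered in step 4 was tsg.msfirewall.org (the name the article shows later when binding the certificate) and an elevated PowerShell session on the TS Gateway.

```powershell
# Added example (not from the original article): verify the domain certificate from step 7
# before binding it to the TS Gateway.
# Assumptions: the Common name entered in step 4 was tsg.msfirewall.org; this runs on the
# TS Gateway in an elevated PowerShell session.
$expectedName = 'tsg.msfirewall.org'

# "Create Domain Certificate" places the certificate in the computer's Personal store.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($expectedName))" }

if (-not $certs) {
    Write-Warning "No certificate with CN=$expectedName in LocalMachine\My."
    return
}

foreach ($cert in $certs) {
    $problems = @()

    # The article's crucial point: without a private key the certificate cannot be used for SSL.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    if ($cert.NotAfter -lt (Get-Date))  { $problems += "expired on $($cert.NotAfter)" }
    if ($cert.NotBefore -gt (Get-Date)) { $problems += "not valid before $($cert.NotBefore)" }

    # The SSL listener needs the Server Authentication usage (OID 1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'no Server Authentication enhanced key usage'
    }

    # Chain check: domain members trust the Enterprise CA root automatically; external
    # clients must trust it too, or the RDP client's "Warn me" setting will prompt them.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "chain does not build: $status"
    }

    '{0}  thumbprint {1}  expires {2:yyyy-MM-dd}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
    if ($problems) { Write-Warning ('  PROBLEMS: ' + ($problems -join '; ')) }
    else           { '  OK: usable for the TS Gateway SSL listener' }
}
```

Run it after step 7 and again after the certificate is assigned in the next section; the thumbprint it prints is the value to compare against what the SSL Certificate tab shows.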
Configure Terminal Services Gateway to Use the Certificate
With the certificate now installed in the machine's computer certificate store, you can assign the TS Gateway to use this certificate.
Perform the following steps to configure the TS Gateway to use this certificate:
1. In the Administrative Tools console, click the Terminal Services entry and then click TS Gateway.
2. In the TS Gateway Manager, click the name of the TS Gateway computer in the left pane of the console. The middle pane provides useful information about configuration steps that need to be completed in order to finish the setup. Click the View or modify certificate properties link.
Figure 13
3. In the Properties dialog box for the TS Gateway, on the SSL Certificate tab, confirm that the Select an existing certificate for SSL encryption option is enabled and then click the Browse Certificates button. This brings up the Install Certificate dialog box. Click the certificate, which in this case is tsg.msfirewall.org, and then click the Install button.
Figure 14
4. The SSL Certificate tab now shows information about the certificate that the TS Gateway will use to establish SSL connections. Click OK.
Figure 15
5. The contents of the middle pane change, reflecting the fact that the certificate is now installed on the TS Gateway. However, we now see in the Configuration Status section that we need to create both a connection authorization policy and a resource authorization policy.
Figure 16
Create a Terminal Services Gateway CAP
A connection authorization policy (CAP) allows you to control who can connect to the Terminal
Server through the Terminal Services Gateway.
Perform the following steps to create a connection authorization policy:
1. In the left pane of the console, click the Connection Authorization Policies node that lies under the Policies node. In the right pane of the console, click the arrow to the right of Create New Policy and then click Wizard.
Figure 17
2. On the Authorization Policies page, select the Create only a TS CAP option. Click Next.
Figure 18
3. On the Connection Authorization Policy page, enter a name for the CAP. In this example we will name the CAP General CAP. Click Next.
Figure 19
4. On the Requirements page, put a checkmark in the Password checkbox. If you plan on using Smartcard authentication, then you would select the Smartcard option. Now you need to configure what groups can access the Terminal Server through the TS Gateway. To do this, click the Add Group button. In the Select Groups dialog box, enter the name of the group you want to allow access and click Check Names. In this example, enter Domain Users and then click OK.
Figure 20
5. Notice on the Requirements page that you also have an option to create computer groups and allow access only to specified computers. We will not configure that option in this example. Click Next.
Figure 21
6. On the Device Redirection page, select the Enable device redirection for all client devices option. Note that if you want a higher security environment, you might consider selecting the Disable device redirection for the following client device types and then select the Drives and Clipboard options. For even higher security, you might even select the Disable device redirection for all client devices except for smart cards. Click Next.
Figure 22
7. On the Summary of TS CAP Settings page, read the results of your selections and then click Finish.
Figure 23
8. Click Close on the Confirm Policy Creation page.
Create a Terminal Services Gateway RAP
The next policy we need to create is a Resource Authorization Policy or RAP. RAPs are used to control which Terminal Servers can be accessed through the Terminal Services Gateway.
Perform the following steps to create the RAP:
1. Click on the Resource Authorization Policies node in the left pane of the TS Gateway Manager console. In the right pane of the console, click the arrow sitting to the right of the Create New Policy link and then click Wizard.
Figure 24
2. On the Authorization Policies page, select the Create only a TS RAP option.
Figure 25
3. On the Resource Authorization Policy page, give a name for the RAP in the Enter a name for the TS RAP text box. In this example, we will name the RAP General RAP. Click Next.
Figure 26
4. On the User Groups page, you select the user groups to which this RAP will apply. This gives you fine-tuned control over which users are able to access which Terminal Servers. Some groups might be allowed to access Terminal Server A and some other groups might want to have access to Terminal Server B. The RAP gives you this kind of control. In this example, click the Add Group button and add the Domain Users group. Click Next.
Figure 27
5. On the Computer Group page, you have the option of defining what Terminal Servers are accessed through this RAP. You have the option of selecting an Active Directory defined group of computers, or you can create a TS Gateway managed group. In this example, since we only have a single Terminal Server, we will choose the simplest option, which is the Allow users to connect to any network resource (computer) option. This will allow users to connect to all Terminal Servers on the network. Click Next.
Figure 28
6. On the TS RAP summary page, confirm your settings and click Finish.
Figure 29
7. Click Close on the Confirm Policy Creation page.
8. Click on the server name in the left pane of the console. You will see in the middle pane that there are no more issues that we need to handle. The TS Gateway is now ready to handle new incoming connections to any Terminal Server on the network.
Figure 30
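The CAP and RAP created above are deliberately permissive for a lab: every domain user may connect, all device redirection is allowed, and the RAP reaches any network resource. The following PowerShell script, added here as an example and not part of the original article, reads both policy types back through the TS Gateway WMI provider and flags those settings for review, so the lab choices do not silently survive into production. It assumes an administrative PowerShell session on the TS Gateway; the numeric meaning of DeviceRedirectionType and the ALL resource-group type are the author's understanding of that provider's encoding, labelled as such in the code.

```powershell
# Added example (not from the original article): read-only audit of the CAP and RAP created
# in the TS Gateway Manager, using the provider in the root\CIMV2\TerminalServices namespace.
# Assumptions: run on the TS Gateway as an administrator. The DeviceRedirectionType encoding
# (0 = enabled for all devices, 1 = disabled for all, 2 = disabled for the listed types) and
# the ResourceGroupType value 'ALL' (any network resource) are the author's assumptions.
$ns = 'root\CIMV2\TerminalServices'

'== Connection authorization policies (who may connect through the gateway) =='
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy |
    ForEach-Object {
        $cap = $_            # keep a reference: switch rebinds $_ inside its case blocks
        $flags = @()
        switch ($cap.DeviceRedirectionType) {
            0 { $flags += 'device redirection enabled for all devices (drives and clipboard reach the client)' }
            2 {
                if (-not $cap.DisableDrives)    { $flags += 'drive redirection still allowed' }
                if (-not $cap.DisableClipboard) { $flags += 'clipboard redirection still allowed' }
            }
        }
        if ($cap.UserGroupNames -match 'Domain Users') {
            $flags += 'scoped to Domain Users, i.e. every account in the domain'
        }
        '{0}  enabled={1}  users={2}' -f $cap.Name, $cap.Enabled, $cap.UserGroupNames
        foreach ($f in $flags) { "    review: $f" }
    }

'== Resource authorization policies (which servers may be reached) =='
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy |
    ForEach-Object {
        '{0}  enabled={1}  users={2}  resources={3} (type {4})' -f `
            $_.Name, $_.Enabled, $_.UserGroupNames, $_.ResourceGroupName, $_.ResourceGroupType
        if ($_.ResourceGroupType -eq 'ALL') {
            '    review: any network resource is reachable through this RAP; restrict it to a computer group once more servers exist'
        }
    }
```

The script changes nothing; it only reports. The two "review" lines it produces for the lab policies correspond to the higher-security alternatives the article names in CAP step 6 (disable drive and clipboard redirection) and RAP step 5 (an Active Directory or TS Gateway managed computer group instead of any network resource).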
Configure the RDP Client to use the Terminal Services Gateway
We are almost home! The Terminal Server and the TS Gateway are now configured and ready to
go. The last step is to configure the RDP client on the Vista computer. We need to configure the
client with the name of the Terminal Server that it should connect to and the name of the
Terminal Services Gateway computer that it will use to reach the Terminal Server.
Note: I have configured the Vista client computer with a HOSTS file entry for tsg.msfirewall.org so that it will resolve the name of the Terminal Services Gateway to the IP address of the external interface of the NAT device in the front of the network.
Perform the following steps to configure the RDP client on the Windows Vista computer:
1. On the Vista computer, click the Start button and then click Accessories. Double click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, on the General tab, enter the computer name of the Terminal Server in the Computer text box. Enter your user name in the User name text box. If you want the client to save your credentials, you can put a checkmark in the Allow me to save credentials check box.
Figure 31
3. Click on the Advanced tab. In the Server authentication section, make sure that the Warn me option is selected. Click the Settings button in the Connect from anywhere section.
Figure 32
4. In the TS Gateway Server Settings dialog box, select the Use these TS Gateway server settings option. Enter the name of the TS Gateway in the Server name text box. For the Logon method, select the Ask for password (NTLM). Note that the Automatically detect TS Gateway server settings option allows you to configure the RDP client to pull its settings via Group Policy. Click OK.
Figure 33
5. Click on the General tab and then click Connect.
Figure 34
6. A Windows Security dialog box will appear. Enter your password and then click OK.
Figure 35
7. The Terminal Services session opens up and you can see the desktop and applications running for your account in the Terminal Services session.
Figure 36
8. Go to the TS Gateway computer and click on the Monitoring node in the left pane of the Terminal Services Gateway console. Here you can see information about the Terminal Services sessions going through the TS Gateway.
Figure 37
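Steps 2 to 4 of the client procedure set a handful of values that Remote Desktop Connection stores in an .rdp file. The following PowerShell script, added here as an example and not part of the original article, writes an equivalent .rdp file and then runs two pre-flight checks from the Vista client that explain the most common failures at step 5: the gateway name not resolving to the NAT device's external address (the HOSTS entry in the note above), and TCP 443 not being forwarded to a gateway that presents a certificate carrying that name. It assumes the gateway name tsg.msfirewall.org from the article; the Terminal Server name ts1.msfirewall.org and the user name are placeholders, and the numeric .rdp encodings are the author's reading of the mstsc file format, labelled as such in the code.

```powershell
# Added example (not from the original article): build the client configuration from steps 2-4
# as an .rdp file, then check name resolution and the TLS handshake to the gateway on TCP 443.
# Assumptions: gateway name tsg.msfirewall.org (from the article); Terminal Server name and
# user name are placeholders; the numeric .rdp values are the author's reading of the format.
$gateway        = 'tsg.msfirewall.org'
$terminalServer = 'ts1.msfirewall.org'   # placeholder
$user           = 'MSFIREWALL\user1'     # placeholder

# .rdp settings equivalent to the GUI choices in the article:
#   authentication level 2      = "Warn me" on the Advanced tab
#   gatewayusagemethod 1        = always connect through the gateway ("Use these TS Gateway server settings")
#   gatewaycredentialssource 0  = "Ask for password (NTLM)"
#   gatewayprofileusagemethod 1 = explicit settings rather than the Group Policy defaults
$rdp = @"
full address:s:$terminalServer
username:s:$user
authentication level:i:2
gatewayhostname:s:$gateway
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
"@
$path = Join-Path $env:USERPROFILE 'Desktop\TerminalServer-via-TSG.rdp'
Set-Content -Path $path -Value $rdp -Encoding Unicode
"Wrote $path (open it, or run: mstsc `"$path`")"

# Pre-flight 1: the gateway name must resolve (HOSTS entry or public DNS) to the public address.
try {
    $addr = [System.Net.Dns]::GetHostAddresses($gateway) | Select-Object -First 1
    "$gateway resolves to $addr"
} catch {
    Write-Warning "$gateway does not resolve: $($_.Exception.Message)"
    return
}

# Pre-flight 2: TCP 443 must reach the gateway, and the certificate it presents must carry the
# name the client uses, or the "Warn me" setting prompts (or the connection is refused).
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($gateway, 443)
    # The validation callback records the server certificate instead of rejecting it, so a
    # mismatch is reported below rather than surfacing only as an exception.
    $script:serverCert = $null
    $script:certErrors = $null
    $callback = { param($sender, $cert, $chain, $errors)
                  $script:serverCert = $cert; $script:certErrors = $errors; $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($gateway)
    $subject = $script:serverCert.Subject
    "TLS handshake OK: gateway presented '$subject'; policy errors: $($script:certErrors)"
    if ($subject -notmatch "CN=$([regex]::Escape($gateway))") {
        Write-Warning "Certificate name does not match $gateway; the RDP client will warn or refuse"
    }
    $ssl.Close()
} catch {
    Write-Warning "TLS handshake to ${gateway}:443 failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}
```

The "policy errors" value is the client's own verdict on the certificate: None means the Enterprise CA root is trusted on this client and the name matches, which is exactly the condition under which the "Warn me" setting stays silent at step 5.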