TS Gateway

Upload: tanderson5612

Post on 05-Apr-2018


  • 7/31/2019 TS Gateway

    1/48

    You could use any other simple NAT device or packet filtering router, like a PIX, or even an advanced firewall like the Microsoft ISA Firewall. The key configuration option here is that you forward TCP port 443 connections to the Terminal Services Gateway computer.

    The Domain Controller has DNS, DHCP, Certificate Services in Enterprise CA mode, and WINS installed.

    The Terminal Server has only the base operating system installed. We will install other services during the course of this article series.

    The TS Gateway has only the base operating system installed. We will install other services during the course of this article series.

    In this article series I will describe the following processes and procedures that you need to perform to get the basic solution running:

    Install Terminal Services and Terminal Services Licensing on the Terminal Server
    Configure Terminal Services Licensing
    Install Desktop Experience on the Terminal Server (optional)
    Configure the Terminal Services Licensing Mode
    Install the Terminal Services Gateway Service on the Terminal Services Gateway
    Request a Certificate for the Terminal Services Gateway
    Configure Terminal Services Gateway to Use the Certificate
    Create a Terminal Services Gateway RAP
    Create a Terminal Services Gateway CAP
    Configure the RDP Client to use the Terminal Services Gateway

    Install Terminal Services and Terminal Services Licensing on the Terminal Server

    The first step is to install Terminal Services on the Terminal Server computer.

    Perform the following steps to install Terminal Services and Terminal Services Licensing:

    1. On the Terminal Server computer, open the Server Manager. In the Server Manager, click on the Roles node in the left pane of the console.

    2. Click the Add Roles link in the right pane of the console.


    Figure 2

    3. Click Next on the Before You Begin page.

    4. On the Select Server Roles page, put a checkmark in the Terminal Services checkbox. Click Next.

    Figure 3

    5. Click Next on the Terminal Services page.

    6. On the Select Role Services page, put a checkmark in the Terminal Server and TS Licensing checkboxes. Click Next.


    Figure 4

    7. Click Next on the Uninstall and Reinstall Application for Compatibility page.

    8. On the Specify Authentication Method for Terminal Server page, select Require Network Level Authentication. We can select this option in our current scenario because we are using only Vista SP1 clients to connect to the Terminal Server through the TS Gateway. We would not be able to use this option if we needed to support Windows XP SP2 clients. However, you should be able to support Network Level Authentication with Windows XP SP3. However, I have not yet confirmed this, so make sure to check the release notes on Windows XP SP3 when it is released later this year. Click Next.


    Figure 5

    9. On the Specify Licensing Mode page, select the Configure later option. We could select an option now, but I decided that we should select Configure later so that I can show you where in the Terminal Services console you configure the licensing mode. Click Next.

    Figure 6


    10. On the Select User Groups Allowed Access To This Terminal Server page, use the default options. You can add or remove groups if you want finer-tuned access control over the Terminal Server. However, if all of your users will be going through the Terminal Services Gateway, then you can control who can connect to the Terminal Server using the TS Gateway policy settings. Leave the default settings as they are and click Next.

    Figure 7

    11. On the Configure Discovery Scope for TS Licensing page, select the This domain option. We select this option in this scenario because we only have a single domain. If you have a multi-domain forest, you might consider selecting the The forest option. Click Next.

    Figure 8


    12. On the Confirm Installation Selections page, check the warning information indicating that you might have to reinstall applications that were already installed on this machine if you want them to work properly in a Terminal Services session environment. Also note that IE Enhanced Security Configuration will be turned off. Click Install.

    Figure 9

    13. On the Installation Results page, you will see a warning that you must restart the server to complete the installation. Click Close.


    Figure 10

    14. Click Yes in the Add Roles Wizard dialog box that asks if you want to restart the server.

    15. Log on as Administrator. The installation will continue for a few minutes as the Installation Progress page appears after the Server Manager comes up.

    16. Click Close on the Installation Results page after you see the Installation succeeded message.


    Figure 11

    17. You may see a balloon telling you that Terminal Services licensing mode is not configured. You can dismiss that warning, as we will next configure Terminal Services Licensing and then configure the licensing mode on the Terminal Server.

    Figure 12

    Configure Terminal Services Licensing

    At this point we are ready to configure Terminal Services Licensing. In this example I will use some dummy data, which does not meet the actual requirements for licensing Terminal Services client connections, but it will provide an example of how the process works. Please do not use the same procedure that I show here to license your Terminal Services clients, because you will not be compliant with actual licensing requirements.

    Perform the following steps to activate your Terminal Services Licensing Server:


    1. From the Administrative Tools menu, click the Terminal Services menu and then click on TS Licensing Manager.

    2. In the TS Licensing Manager console, right click the server name in the left pane of the console. Click on Activate Server.

    Figure 13

    3. Click Next on the Welcome to the Activate Server Wizard page.

    4. On the Connection Method page, select the Automatic Connection (recommended) option. Click Next.


    Figure 14

    5. On the Company Information page, enter your company information and click Next.


    Figure 15

    6. Enter optional information if you like on the Company Information page. Click Next.


    Figure 16

    7. On the Completing the Activate Server Wizard page, make sure that the Start Install Licenses Wizard now option is checked. Click Next.


    Figure 17

    8. Click Next on the Welcome to the Install Licenses Wizard page.

    9. On the License Program page, click the down arrow on the License program list and pick the license program that you participate in. In this example I will select Other agreement since this lab is not participating in any license program. Click Next.


    Figure 18

    10. On the License Program page, enter your Agreement number. In this example we'll just enter 1234567. Click Next.


    Figure 19

    11. On the Product Version and License Type page, select the Product version, License type and Quantity that fits the needs of your environment. In this lab setup, we are using Windows Server 2008 Terminal Servers, so we will select Windows Server 2008. We will use per user CALs in this example network, so we will select Windows Server 2008 TS Per User CAL. And we will enter 50 in the Quantity text box. Click Next.


    Figure 20

    12. Click Finish on the Completing the Install Licenses Wizard page.

    Install Desktop Experience on the Terminal Server (optional)

    When Windows Vista clients connect to a Windows Server 2008 Terminal Server, they can have a Vista-like desktop experience in the Terminal Services session if you install the Desktop Experience option on the Terminal Server.

    Perform the following steps to install the Desktop Experience feature on the Terminal Server:

    1. On the Select Features page, put a checkmark in the Desktop Experience checkbox. Click Next.


    Figure 21

    2. Click Install on the Confirm Installation Selections page.

    3. On the Installation Results page, read the warning information that you must restart the computer to finish the installation process. Click Close.

    4. Click Yes in the dialog box asking if you want to restart now.

    5. Log on as administrator. Installation will resume and take a few minutes, so be patient.

    6. Click Close on the Installation Results page, which shows that the installation was successful.

    Configure the Terminal Services Licensing Mode

    We will now finish up with configuring the Terminal Server by setting the Terminal Services Licensing Mode. Perform the following steps to configure the Terminal Services Licensing Mode:

    1. From the Administrative Tools menu, click the Terminal Services entry and then click Terminal Services Configuration.

    2. In the middle pane of the Terminal Services Configuration console, double click Terminal Services Licensing mode.


    Figure 22

    3. In the Properties dialog box, select the Per User option for the Specify the Terminal Services licensing mode option. Select Automatically discover license server for the Specify the license server discovery mode option. Click OK.


    Figure 23

    4. Click the Licensing Diagnosis node in the left pane of the console. In the middle pane you will see details for the licensing configuration for this Terminal Server.


    Figure 24

    5. Close the Terminal Services Configuration console.

    In the first part of this article series, we did a basic installation of Terminal Services and Terminal Services Licensing and configured the Terminal Server licensing mode. In this, part two of the article series, we will finish up by installing and configuring the TS Gateway and the RDP client. Then we will make the connection and see it work.

    Install the Terminal Services Gateway Service on the Terminal Services Gateway


    Now we will move our attention to the Terminal Services Gateway computer. This is the machine that external clients will initially connect to when making their Terminal Services client connections.

    Perform the following steps to install the Terminal Services Gateway on the Terminal Services Gateway computer:

    1. Open Server Manager on the Terminal Services Gateway computer. Click on the Roles node in the left pane of the console and then click the Add Roles link in the right pane.

    2. Click Next on the Before You Begin page.

    3. On the Select Server Roles page, put a checkmark in the Terminal Services checkbox.

    4. On the Terminal Services page, click Next.

    5. On the Select Role Services page, put a checkmark in the TS Gateway checkbox. You will then see an Add Roles Wizard dialog box asking if you want to Add role services and features required for TS Gateway. Click the Add Required Role Services button.

    Figure 1

    6. Click Next on the Select Role Services page.

    7. On the Choose a Server Authentication Certificate for SSL Encryption page, select the Choose a certificate for SSL encryption later option. We choose this option because we have not yet created a certificate for the TS Gateway to use for the SSL connection between itself and the RDP client. We will ask for this certificate later and then configure TS Gateway to use the certificate. Click Next.


    Figure 2

    8. On the Create Authorization Policies for TS Gateway page, select the Later option. We select this option because I want to take you into the TS Gateway console and show you how to configure authorization policies in the console. Click Next.


    Figure 3

    9. Click Next on the Network Policy and Access Services page.

    10. On the Select Role Services page, confirm that the Network Policy Server checkbox is checked. Click Next.

    Figure 4

    11. On the Web Server (IIS) page, click Next.

    12. On the Select Role Services page, accept the default role services selected by the wizard. These are the services required to run the TS Gateway service. Click Next.


    Figure 5

    13. Review the information on the Confirm Installation Selections page and click Install.


    Figure 6

    14. Click Close on the Installation Results page which shows that the install succeeded.

    Request a Certificate for the Terminal Services Gateway

    Now we can request a certificate that the TS Gateway Web site can use to establish the SSL connection with the RDP client.

    Perform the following steps to request the certificate for the TS Gateway computer:

    1. From the Administrative Tools menu, click Internet Information Services (IIS) Manager.

    2. In the Internet Information Services (IIS) Manager console, click on the server name in the left pane of the console. Double click the Server Certificates icon in the middle pane of the console.


    Figure 7

    3. In the right pane of the console, click the Create Domain Certificate link.


    Figure 8

    4. On the Distinguished Name Properties page, enter the information specified on this page. The most important entry is the Common name entry. The name you enter here must be the same name that the Terminal Services client is configured to use to contact the TS Gateway computer. This is also the name for which your public DNS servers would be configured to provide the public address that allows access to the TS Gateway. In most cases, this will be a router or NAT device's external interface, or perhaps the external interface of an advanced firewall, such as the Microsoft ISA Firewall. Click Next.

    Figure 9

    5. On the Online Certification Authority page, click the Select button. In the Select Certification Authority dialog box, select the name of the Enterprise CA that you want to obtain the certificate from. Remember, we are able to obtain this domain certificate and automatically install it because we are using an Enterprise CA. If you were using a standalone CA, you would have to suffer from using the Web enrollment site, and that would only be after you created an offline request, and then you would have to manually install the computer certificate. Click OK after selecting the Enterprise CA.

    Figure 10

    6. Enter a Friendly name on the Online Certification Authority page. In this example we will give the certificate a friendly name of TSG Cert. Click Finish.


    Figure 11

    7. After receiving the certificate, you will see certificate related information in the middle pane of the console. If you double click the certificate, you will see the Certificate dialog box, which shows you the common name in the Issued to field and the fact that You have a private key that corresponds to this certificate. This is crucial, since the certificate will not work if you do not have a private key. Click OK to close the Certificate dialog box.


    Figure 12

    Configure Terminal Services Gateway to Use the Certificate

    With the certificate now installed in the machine's computer certificate store, you can assign the TS Gateway to use this certificate.

    Perform the following steps to configure the TS Gateway to use this certificate:

    1. In the Administrative Tools console, click the Terminal Services entry and then click TS Gateway.

    2. In the TS Gateway Manager, click the name of the TS Gateway computer in the left pane of the console. The middle pane provides useful information about configuration steps that need to be completed in order to finish the setup. Click the View or modify certificate properties link.


    Figure 13

    3. In the Properties dialog box for the TS Gateway, on the SSL Certificate tab, confirm that the Select an existing certificate for SSL encryption option is enabled and then click the Browse Certificates button. This brings up the Install Certificate dialog box. Click the certificate, which in this case is tsg.msfirewall.org, and then click the Install button.


    Figure 14

    4. The SSL Certificate tab now shows information about the certificate that the TS Gateway will use to establish SSL connections. Click OK.


    Figure 15

    5. The contents of the middle pane change, reflecting the fact that the certificate is now installed on the TS Gateway. However, we now see in the Configuration Status section that we need to create both a connection authorization policy and a resource authorization policy.


    Figure 16
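    The certificate requirements spelled out in the two sections above (common name equal to the public name the clients use, a private key present, and the certificate actually bound to the TCP 443 listener that the NAT device forwards) can be checked from the TS Gateway computer itself. This is an added example, not code from the original article; it assumes the gateway name tsg.msfirewall.org used in the article and reads the certificate store and the HTTP.SYS SSL bindings with tools present on Windows Server 2008.

```powershell
# Added example (not part of the original article). Run in an elevated PowerShell
# prompt on the TS Gateway computer after the certificate has been installed.
$GatewayName = 'tsg.msfirewall.org'   # public name from the article; change to yours

# "Create Domain Certificate" places the certificate in the computer's Personal store.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match ('(^|,\s*)CN=' + [regex]::Escape($GatewayName) + '(,|$)') }

if (-not $candidates) {
    Write-Warning "No certificate with CN=$GatewayName found in LocalMachine\My."
    return
}

# HTTP.SYS lists the hash of the certificate bound to each IP:port; TS Gateway binds the
# certificate chosen on the SSL Certificate tab to port 443.
$sslBindings = (netsh http show sslcert) -join "`n"

foreach ($cert in $candidates) {
    # 2.5.29.37 is the Enhanced Key Usage extension; 1.3.6.1.5.5.7.3.1 is Server Authentication
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $false
    if ($ekuExt) {
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }

    # True only if a ":443" binding is immediately followed by this certificate's hash
    $boundTo443 = $sslBindings -match ("\S+:443\s*\n\s*Certificate Hash\s*:\s*" + $cert.Thumbprint)

    New-Object PSObject -Property @{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        HasPrivateKey  = $cert.HasPrivateKey   # the "You have a private key" line in the Certificate dialog
        ServerAuthEku  = $hasServerAuth
        NotAfter       = $cert.NotAfter
        ChainValid     = $cert.Verify()        # chains to a trusted root, here the Enterprise CA
        BoundToPort443 = $boundTo443
    }
}
```

    Every property should come back True (and NotAfter in the future) for exactly one certificate; a False in HasPrivateKey or BoundToPort443 reproduces the two failure modes the article warns about, a certificate without its private key and a certificate that was issued but never selected on the SSL Certificate tab.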

    Create a Terminal Services Gateway CAP

    A connection authorization policy (CAP) allows you to control who can connect to the Terminal Server through the Terminal Services Gateway.

    Perform the following steps to create a connection authorization policy:

    1. In the left pane of the console, click the Connection Authorization Policies node that lies under the Policies node. In the right pane of the console, click the arrow to the right of Create New Policy and then click Wizard.

    Figure 17


    2. On the Authorization Policies page, select the Create only a TS CAP option. Click Next.

    Figure 18

    3. On the Connection Authorization Policy page, enter a name for the CAP. In this example we will name the CAP General CAP. Click Next.

    Figure 19

    4. On the Requirements page, put a checkmark in the Password checkbox. If you plan on using Smartcard authentication, then you would select the Smartcard option. Now you need to configure what groups can access the Terminal Server through the TS Gateway. To do this, click the Add Group button. In the Select Groups dialog box, enter the name of the group you want to allow access and click Check Names. In this example, enter Domain Users and then click OK.


    Figure 20

    5. Notice on the Requirements page that you also have an option to create computer groups and allow access only to specified computers. We will not configure that option in this example. Click Next.


    Figure 21

    6. On the Device Redirection page, select the Enable device redirection for all client devices option. Note that if you want a higher security environment, you might consider selecting the Disable device redirection for the following client device types option and then select the Drives and Clipboard options. For even higher security, you might even select the Disable device redirection for all client devices except for smart cards option. Click Next.

    Figure 22


    7. On the Summary of TS CAP Settings page, read the results of your selections and then click Finish.

    Figure 23

    8. Click Close on the Confirm Policy Creation page.

    Create a Terminal Services Gateway RAP

    The next policy we need to create is a Resource Authorization Policy or RAP. RAPs are used to control which Terminal Servers can be accessed through the Terminal Services Gateway.

    Perform the following steps to create the RAP:

    1. Click on the Resource Authorization Policies node in the left pane of the TS Gateway Manager console. In the right pane of the console, click the arrow sitting to the right of the Create New Policy link and then click Wizard.


    Figure 24

    2. On the Authorization Policies page, select the Create only a TS RAP option.

    Figure 25

    3. On the Resource Authorization Policy page, give a name for the RAP in the Enter a name for the TS RAP text box. In this example, we will name the RAP General RAP. Click Next.

    Figure 26


    4. On the User Groups page, you select the user groups to which this RAP will apply. This gives you fine-tuned control over which users are able to access which Terminal Servers. Some groups might be allowed to access Terminal Server A and some other groups might need access to Terminal Server B. The RAP gives you this kind of control. In this example, click the Add Group button and add the Domain Users group. Click Next.

    Figure 27

    5. On the Computer Group page, you have the option of defining what Terminal Servers are accessed through this RAP. You have the option of selecting an Active Directory defined group of computers, or you can create a TS Gateway managed group. In this example, since we only have a single Terminal Server, we will choose the simplest option, which is the Allow users to connect to any network resource (computer) option. This will allow users to connect to all Terminal Servers on the network. Click Next.

    Figure 28

    6. On the TS RAP Summary page, confirm your settings and click Finish.


    Figure 29

    7. Click Close on the Confirm Policy Creation page.

    8. Click on the server name in the left pane of the console. You will see in the middle pane that there are no more issues that we need to handle. The TS Gateway is now ready to handle new incoming connections to any Terminal Server on the network.

    Figure 30

    Configure the RDP Client to use the Terminal Services Gateway

    We are almost home! The Terminal Server and the TS Gateway are now configured and ready to go. The last step is to configure the RDP client on the Vista computer. We need to configure the client with the name of the Terminal Server that it should connect to and the name of the Terminal Services Gateway computer that it will use to reach the Terminal Server.

    Note: I have configured the Vista client computer with a HOSTS file entry for tsg.msfirewall.org so that it will resolve the name of the Terminal Services Gateway to the IP address of the external interface of the NAT device in front of the network.

    Perform the following steps to configure the RDP client on the Windows Vista computer:

    1. On the Vista computer, click the Start button and then click Accessories. Double click Remote Desktop Connection.

    2. In the Remote Desktop Connection dialog box, on the General tab, enter the computer name of the Terminal Server in the Computer text box. Enter your user name in the User name text box. If you want the client to save your credentials, you can put a checkmark in the Allow me to save credentials check box.

    Figure 31


    3. Click on the Advanced tab. In the Server authentication section, make sure that the Warn me option is selected. Click the Settings button in the Connect from anywhere section.

    Figure 32

    4. In the TS Gateway Server Settings dialog box, select the Use these TS Gateway server settings option. Enter the name of the TS Gateway in the Server name text box. For the Logon method, select Ask for password (NTLM). Note that the Automatically detect TS Gateway server settings option allows you to configure the RDP client to pull its settings via Group Policy. Click OK.


    Figure 33

    5. Click on the General tab and then click Connect.


    Figure 34

    6. A Windows Security dialog box will appear. Enter your password and then click OK.


    Figure 35

    7. The Terminal Services session opens up and you can see the desktop and applications running for your account in the Terminal Services session.


    Figure 36

    8. Go to the TS Gateway computer and click on the Monitoring node in the left pane of the Terminal Services Gateway console. Here you can see information about the Terminal Services sessions going through the TS Gateway.


    Figure 37
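    The client settings chosen in steps 2 to 4 of the procedure above can also be captured in an .rdp file, so that every user gets the same gateway name, "Warn me" server authentication and NTLM password logon without clicking through the dialogs. This is an added example, not code from the original article: it writes the file with the same keys Remote Desktop Connection uses for Save As, the Terminal Server name and user name are placeholders in angle brackets, and tsg.msfirewall.org is the gateway name from the article.

```powershell
# Added example (not part of the original article): generate an .rdp file that matches
# the Remote Desktop Connection settings described in the article's client procedure.
$TerminalServer = '<terminal-server-name>'   # placeholder: the name typed in the Computer box
$UserName       = '<DOMAIN\user>'            # placeholder: the name typed in the User name box
$GatewayName    = 'tsg.msfirewall.org'       # gateway name used in the article
$OutFile        = Join-Path $env:USERPROFILE 'Documents\TerminalServer-via-TSG.rdp'

# Each line is key:type:value, where s = string and i = integer, as mstsc writes them.
$settings = @(
    "full address:s:$TerminalServer"
    "username:s:$UserName"
    "authentication level:i:1"        # Server authentication: 1 = Warn me (0 = connect without warning)
    "gatewayprofileusagemethod:i:1"   # 1 = Use these TS Gateway server settings; 0 = Automatically detect
    "gatewayhostname:s:$GatewayName"  # Server name in the TS Gateway Server Settings dialog
    "gatewayusagemethod:i:1"          # 1 = always use the gateway; 2 = use it only if a direct connection fails
    "gatewaycredentialssource:i:0"    # Logon method: 0 = Ask for password (NTLM); 1 = smart card
)

# mstsc saves .rdp files as UTF-16 LE with a byte order mark; -Encoding Unicode does the same.
$settings | Set-Content -Path $OutFile -Encoding Unicode
Write-Host "Wrote $OutFile (open with: mstsc.exe `"$OutFile`")"
```

    Opening the resulting file in Remote Desktop Connection shows the same values on the General and Advanced tabs that the article sets by hand, which makes it a convenient way to diff a misbehaving client's settings against a known-good set.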