Terminal Services (TS) Gateway lets administrators give remote users access to corporate applications without setting up a VPN. Users with the Remote Desktop Connection (RDC) client can connect securely to internal network resources.
To achieve this, the RDP traffic is carried inside an HTTPS connection (HTTP over Secure Sockets Layer, SSL). Once the encapsulated traffic reaches the TS Gateway, the gateway strips the HTTPS headers and forwards the RDP traffic to the terminal servers. Remote clients can access terminal servers or RemoteApp listed applications, or initiate a Remote Desktop session, securely over the Internet.
In a conventional VPN, the remote client runs an Internet Protocol Security (IPsec) VPN client. A secure IPsec session is established between the remote user and the firewall/VPN appliance or server where it terminates. However, managing mobile user VPN for a large enterprise can be a cumbersome task because security policies must be managed and distributed across the enterprise. Moreover, users are restricted to the client on which the VPN software is pre-installed and pre-configured. TS Gateway frees users from these device restrictions: they can connect from virtually any desktop or laptop on a trusted or untrusted network, and even from mobile hand-held devices that have an RDP client. Apart from establishing a secure connection, administrators can control granularly which network resources remote users may access. HTTP and HTTPS are allowed by most corporate firewalls, so there is no need to open the RDP port (3389) on the firewall.
In addition to this, TS Gateway provides resource authorization policies for remote user terminal connections.
Figure 1 shows the scenario where different types of users establish a secure connection over HTTPS carrying RDP traffic.
For large enterprises with a large number of remote user sessions, TS Gateway can be deployed in a highly available, load-balanced environment. Dedicated load balancers such as F5 FirePass controllers may be deployed in front of multiple TS Gateway servers to ensure continuous availability of remote user sessions. Figure 2 illustrates an environment with a dedicated hardware load balancer and two TS Gateway servers. HTTPS connections are load balanced between the two TS Gateway servers. After the HTTPS encapsulation is removed, the RDP traffic is passed to the terminal servers.
TS Gateway configuration involves the following procedure:
1. Install an SSL certificate (either obtained from a trusted third party such as VeriSign, or a self-signed certificate created for the organization).
2. Map the SSL certificate to the TS Gateway server.
3. Join the TS Gateway server to an AD domain.
4. Create a Connection Authorization Policy (CAP).
5. Create a Resource Authorization Policy (RAP).
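As an added illustration that is not part of the original text, the following Python model shows how the CAP and RAP created in steps 4 and 5 combine: a connection must first satisfy a CAP (who may connect and with which authentication method) and then a RAP (which internal computers that user may reach) before the gateway forwards RDP. The policy names, group names and host names are constructed for the example, and the authentication-method labels are not TS Gateway API names.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Authentication methods a CAP can require (constructed labels for this example)
PASSWORD = "password"
SMART_CARD = "smartcard"


@dataclass(frozen=True)
class ConnectionAuthorizationPolicy:
    """CAP: which user groups may connect to the gateway and how they must authenticate."""
    name: str
    user_groups: FrozenSet[str]
    auth_methods: FrozenSet[str]


@dataclass(frozen=True)
class ResourceAuthorizationPolicy:
    """RAP: which internal computers a user group may reach through the gateway."""
    name: str
    user_groups: FrozenSet[str]
    computers: Optional[FrozenSet[str]] = None  # None means any network resource


def authorize(user_groups, auth_method, target, caps, raps) -> Tuple[bool, str]:
    """Decide whether the gateway forwards RDP to `target`.

    A CAP must admit the user (group membership and authentication method),
    then a RAP must grant the requested computer; if either is missing, deny.
    """
    groups = frozenset(user_groups)
    cap = next((c for c in caps
                if groups & c.user_groups and auth_method in c.auth_methods), None)
    if cap is None:
        return False, "denied by CAP: user group or authentication method not permitted"
    rap = next((r for r in raps
                if groups & r.user_groups
                and (r.computers is None or target.lower() in r.computers)), None)
    if rap is None:
        return False, f"denied by RAP: {target} is not an authorized resource for this user"
    return True, f"allowed by CAP {cap.name!r} and RAP {rap.name!r}"


# Constructed sample policies: staff may use passwords but only reach the two
# terminal servers; admins must use smart cards and may reach any host.
CAPS = [
    ConnectionAuthorizationPolicy("Remote staff", frozenset({"Remote Users"}),
                                  frozenset({PASSWORD, SMART_CARD})),
    ConnectionAuthorizationPolicy("Admins", frozenset({"Domain Admins"}),
                                  frozenset({SMART_CARD})),
]
RAPS = [
    ResourceAuthorizationPolicy("Terminal servers", frozenset({"Remote Users"}),
                                frozenset({"ts01.corp.example", "ts02.corp.example"})),
    ResourceAuthorizationPolicy("Admin anywhere", frozenset({"Domain Admins"})),
]
```

Running `authorize({"Remote Users"}, PASSWORD, "fileserver.corp.example", CAPS, RAPS)` shows a user who is admitted by a CAP yet still denied by the RAP, which is the granular resource control the text describes.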
Certificate Configuration
Configuring self-signed certificates involves two steps: installing and configuring the AD Certificate Services server role, and copying the certificate to the client computers (because the clients' built-in Internet browsers trust only third-party certificates by default).
To create a self-signed certificate:
1. Add the Active Directory Certificate Services server role (see Figure 3) through Server Manager (adding roles was explained earlier).
2. Follow the wizard to add the CA (Enterprise or stand-alone, Root CA). This installs a server certificate.
To map a certificate to the TS Gateway server:
1. Click Start | Administrative Tools | Terminal Services | TS Gateway Manager.
2. Select the server in the left pane, right-click it and select Properties.
3. Click the SSL Certificate tab (see Figure 4).
4. Click Select an existing certificate for SSL encryption (recommended), if it is not already selected by default.
5. Click Browse Certificates.
6. Select the certificate on the Install Certificate screen and click Install.
7. Click OK to complete the certificate association with the TS Gateway server.
Terminal Service (TS) Gateway Manager
TS Gateway Manager is the snap-in console used to manage a TS Gateway server (see Figure 5). With TS Gateway Manager you can perform the following tasks:
Manage the TS Gateway server
Configure an SSL certificate
Create CAPs
Create RAPs
Manage terminal services through CAP and RAP
Create a TS Gateway server farm
Add members to a TS Gateway server farm
Limit the maximum number of simultaneously allowed connections
Disable new connections
Enable auditing
Create an SSL bridge (HTTPS-to-HTTP bridging, where the gateway terminates the SSL requests and initiates new HTTP requests)