Windows Server 2003 : The Terminal Services Gateway (part 2)

11/22/2010 11:20:30 AM

Accessing Resources through the TS Gateway Using TS CAP

A TS Connection Authorization Policy (TS CAP) defines who can connect to a TS Gateway server; clients that do not meet its requirements are refused. A CAP specifies the authentication method (password or smart card), the AD security groups whose members may connect, and the device redirection parameters.

To create a new TS Connection Authorization Policy:

1. Click Start | Administrative Tools | Terminal Services, and then select the TS Gateway Manager (see Figure 6).

Figure 6. TS Gateway Server Manager Policy Configuration


2. Click and expand the Server.

3. Click and expand the Policies folder. You will find the Connection Authorization Policies and Resource Authorization Policies sub-folders.

4. Click on Connection Authorization Policies.

5. On the Actions pane, click on Create New Policy and select the wizard option. This will start the Authorization Policies wizard. The other option is custom, which will open up a New TS CAP window.

6. Select the Create a TS CAP and a TS RAP (recommended) option (see Figure 7). You have the option to create only a CAP or only a RAP. If you select the first option (Create a TS CAP and a TS RAP (recommended)), the wizard will assist you in creating both policies together. Until you have created both policies, you will not be able to access the network resources.

Figure 7. Policy Creation Wizard to Create TS CAP and TS RAP


7. Type a name in the Enter a name of TS CAP text box and click Next.

8. Select the Password check box to select password as the authentication method. The other option is to use Smart card for user authentication (see Figure 8).

Figure 8. TS CAP Authentication Method and User Group Configuration


9. Click on Add Group and select the group created for Terminal Services. For this exercise, we have created the tsusers group. You also have the option to add a Client computer group.

10. Click Next.

11. Select Enable device redirection for all client devices (see Figure 9) and click Next. Device redirection includes disk drives, printers, clipboard, serial ports, and Plug and Play devices.

Figure 9. TS CAP Policy for Device Redirection


12. Review the Summary of TS CAP settings and click Next.

As we have chosen the option to create both the TS CAP and TS RAP policies, the wizard will continue with TS RAP creation. We’ll discuss this in the next section.

Accessing Resources through the TS Gateway Using TS RAP

A TS Resource Authorization Policy (TS RAP) defines which network resources a remote user can connect to through a TS Gateway server. A RAP defines the AD security group and the port number the remote connections use (for example, RDP on 3389). You can configure a RAP to allow custom port numbers or connections through any port number (not recommended).

To configure TS RAP:

1. Continue with the wizard from the previous screen for creating TS CAP.

2. Type a name in the Enter the name for the TS RAP text box.

3. Select the An existing Active Directory security group option, click on Browse, and then add the tsusers group that consists of terminal services users (see Figure 10). This option specifies the network resources users can access through TS Gateway. Other options include using a TS Gateway managed group or allowing access to any network resource. The first option is preferred as you can integrate the security settings with the AD.

Figure 10. TS RAP Network Resource Access Configuration


4. Select Allow connections only through TCP port 3389 (see Figure 11). This is the RDP port. You also have the option to provide custom ports. Exercise caution when choosing ports for terminal services: they should not come from the well-known port range or be ports that are used by other applications in your network. The third option, to allow connections through any port, is not recommended.

Figure 11. TS RAP RDP Port Configuration


5. Review the settings on the Summary of TS RAP settings screen and click Next to create the policy.
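The two-stage decision that the CAP and RAP sections describe can be modelled in a few lines. This is an added example, not code from the original article or from Microsoft; the policy objects, their property names, the host name and the function names are all constructed for illustration and are not the TS Gateway's own schema.

```powershell
# Constructed policy model (illustrative property names, made-up host name).
$caps = @([pscustomobject]@{ Name = 'CAP-tsusers'; AuthMethods = @('Password')
                             UserGroups = @('tsusers') })
$rapStrict = [pscustomobject]@{ Name = 'RAP-3389'; UserGroups = @('tsusers')
    Resources = @('ts01.corp.example'); Ports = @(3389); AnyPort = $false }
$rapLoose  = [pscustomobject]@{ Name = 'RAP-any'; UserGroups = @('tsusers')
    Resources = @('ts01.corp.example'); Ports = @(); AnyPort = $true }

# True when the user holds at least one of the groups a policy names.
function Test-GroupMatch([string[]]$Have, [string[]]$Allowed) {
    @($Have | Where-Object { $Allowed -contains $_ }).Count -gt 0
}

function Test-TsGatewayAccess {
    param([string[]]$UserGroups, [string]$AuthMethod, [string]$Target,
          [int]$Port, [object[]]$Caps, [object[]]$Raps)

    # Stage 1, TS CAP: may this user connect to the gateway at all?
    $cap = $Caps | Where-Object {
        $_.AuthMethods -contains $AuthMethod -and
        (Test-GroupMatch $UserGroups $_.UserGroups)
    } | Select-Object -First 1
    if (-not $cap) { return 'DENY: no TS CAP matches' }

    # Stage 2, TS RAP: may this user reach this computer on this port?
    $rap = $Raps | Where-Object {
        (Test-GroupMatch $UserGroups $_.UserGroups) -and
        $_.Resources -contains $Target -and
        ($_.AnyPort -or $_.Ports -contains $Port)
    } | Select-Object -First 1
    if (-not $rap) { return "DENY: $($cap.Name) matched, but no TS RAP matches" }
    "ALLOW: $($cap.Name) + $($rap.Name)"
}

# Constructed requests from a member of tsusers using a password.
$req = @{ UserGroups = 'tsusers'; AuthMethod = 'Password'
          Target = 'ts01.corp.example'; Caps = $caps }
Test-TsGatewayAccess @req -Port 3389 -Raps $rapStrict   # RDP port listed in the RAP
Test-TsGatewayAccess @req -Port 445  -Raps $rapStrict   # port not listed in RAP-3389
Test-TsGatewayAccess @req -Port 445  -Raps $rapLoose    # same request, any-port RAP
Test-TsGatewayAccess @req -Port 3389 -Raps @()          # CAP exists, no RAP created yet
```

Comparing the second and third calls shows what the "any port" option gives up: the RAP is the only place where the destination port is restricted.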

Terminal Service Group Policy Settings

Group Policy settings help you define finer security settings, connection and session limits, resource management, and licensing. Table 1 summarizes the Group Policy settings available for Terminal Services. To configure these settings, click Start | Administrative Tools | Group Policy Management, locate the OU, right-click it, and select Edit. In the Group Policy Management Editor, expand Computer Configuration | Policies | Administrative Templates | Windows Components | Terminal Services.

Table 1. Group Policy Parameters for Terminal Service Components

| Category | Setting |
| --- | --- |
| Remote Desktop Connection Client | Allow .rdp files from valid publishers and user’s default RDP settings |
| | Allow .rdp files from unknown publishers |
| | Do not allow passwords to be saved |
| | Specify SHA1 thumbprints of certificates representing trusted .rdp publishers |
| | Prompt for credentials on the client computer |
| | Configure server authentication for client |
| Terminal Server | |
| Connections | Automatic reconnection |
| | Allow users to connect remotely using Terminal Services |
| | Deny logoff of an administrator logged in to the console session |
| | Configure keep-alive connection interval |
| | Limit number of connections |
| | Set rules for remote control of Terminal Services user sessions |
| | Restrict Terminal Services users to a single remote session |
| | Allow remote start of unlisted program |
| Device and Resource Redirection | Allow audio redirection |
| | Do not allow clipboard redirection |
| | Do not allow COM port redirection |
| | Do not allow drive redirection |
| | Do not allow LPT port redirection |
| | Do not allow supported Plug-and-Play device redirection |
| | Do not allow smart card device redirection |
| | Allow time zone redirection |
| Licensing | Use the specified Terminal Services license servers |
| | Hide notification about TS Licensing problems that affect the terminal server |
| | Set the Terminal Services licensing mode |
| Printer Redirection | Do not set default client printer to be default printer in a session |
| | Do not allow client printer redirection |
| | Specify terminal server fallback printer driver behavior |
| | Use Terminal Services Easy Print printer driver first |
| | Redirect only the default client printer |
| Profiles | Set TS User Home Directory |
| | Use mandatory profiles on the terminal server |
| | Set path for TS Roaming User Profile |
| Remote Session Environment | Limit maximum color depth |
| | Enforce Removal of Remote Desktop Wallpaper |
| | Remove “Disconnect” option from Shut Down dialog |
| | Remove Windows Security item from Start menu |
| | Set compression algorithm for RDP data |
| | Start a program on connection |
| | Always show desktop on connection |
| Security | Server Authentication Certificate Template |
| | Set client connection encryption level |
| | Always prompt for password upon connection |
| | Require secure RPC connection |
| | Require use of specific security layer for remote (RDP) connections |
| | Do not allow local administrators to customize permissions |
| | Require user authentication for remote connections by using Network Level Authentication |
| Session Time Limits | Set time limit for disconnected sessions |
| | Set time limit for active but idle Terminal Services sessions |
| | Terminate session when time limits are reached |
| | Set time limit for logoff of RemoteApp sessions |
| Temporary Folders | Do not delete temporary folder upon exit |
| | Do not use temporary folders per session |
| TS Session Broker | Join TS Session Broker |
| | Configure TS Session Broker farm name |
| | Use IP Address Redirection |
| | Configure TS Session Broker server name |
| | Use TS Session Broker load balancing |
| TS Licensing | License server security group |
| | Prevent License upgrade |
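To check which of the security-relevant settings in Table 1 have actually reached a terminal server, the policy values can be read back from the registry. This is an added example, not part of the original article: the registry value names are the ones the Terminal Services administrative template writes (they are not listed on the page), and the minimum values are an assumed hardening baseline rather than a recommendation from the article.

```powershell
# Key written by the Terminal Services administrative template (computer policy).
$tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Table 1 setting -> backing registry value -> minimum value accepted here.
# The minimums are an assumed baseline; adjust them to your own policy.
$baseline = @(
    @{ Policy = 'Require Network Level Authentication';       Value = 'UserAuthentication'; Min = 1 }
    @{ Policy = 'Set client connection encryption level';     Value = 'MinEncryptionLevel'; Min = 3 }  # 3 = High
    @{ Policy = 'Require use of specific security layer';     Value = 'SecurityLayer';      Min = 2 }  # 2 = SSL (TLS)
    @{ Policy = 'Always prompt for password upon connection'; Value = 'fPromptForPassword'; Min = 1 }
    @{ Policy = 'Require secure RPC connection';              Value = 'fEncryptRPCTraffic'; Min = 1 }
    @{ Policy = 'Do not allow drive redirection';             Value = 'fDisableCdm';        Min = 1 }
    @{ Policy = 'Do not allow clipboard redirection';         Value = 'fDisableClip';       Min = 1 }
    @{ Policy = 'Do not allow COM port redirection';          Value = 'fDisableCcm';        Min = 1 }
)

function Get-TsPolicyAudit {
    param([string]$Path = $tsKey, [object[]]$Checks = $baseline)

    # A missing key means no Terminal Services policy has been applied at all.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($c in $Checks) {
        $p = $null
        if ($props) { $p = $props.PSObject.Properties[$c.Value] }

        $actual = $null
        $status = 'NotConfigured'
        if ($p) {
            $actual = $p.Value
            $status = if ([int]$actual -ge $c.Min) { 'OK' } else { 'Weak' }
        }
        [pscustomobject]@{ Policy = $c.Policy; Value = $c.Value
                           Actual = $actual; Minimum = $c.Min; Status = $status }
    }
}

# Run on the terminal server after Group Policy has refreshed.
Get-TsPolicyAudit | Format-Table -AutoSize
```

A NotConfigured row means the server falls back to its local setting for that item, so it needs a separate check rather than being read as a pass.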