In Terminal Services, if you expand the TS Gateway Manager and then highlight the TS Gateway Server for your organization, you see the connection and configuration status of your TS Gateway Server (see Figure 1).

Although you configured many of these settings during the installation, there are a few things you can go back and change or set (if you did not do so during the initial installation). For instance, if you were waiting for an SSL certificate issued by a CA, you could add that SSL certificate now.
Under Properties in the Actions pane are six tabs you can configure. Let’s review them:
General: Set the maximum connections to this TS Gateway. You can limit the maximum number of simultaneous connections, allow the maximum supported simultaneous connections, or choose to disable new connections (in which case active connections will not be automatically disconnected).

SSL Certificate: In this tab, you can create a self-signed SSL certificate or select an existing SSL certificate for the TS Gateway. This tab also shows the current SSL certificate and its expiration date.

TS CAP Store: In this tab, you can indicate whether to use a connection access policy from a local or central NPS server. If you choose a central NPS server, you need to add the name or IP address of the NPS server to be used. You can also choose to request that a client send a statement of health (SoH) to enable the policy.

Server Farm: Here you can add the various TS Gateway servers to participate in a server farm. To create a TS Gateway server farm, you must include all the TS Gateway servers (including the one you are now working on) in the server farm.
Auditing: In this tab, you select the events you want to enable for logging. Table 1 lists the events and their descriptions, as given in “Understanding TS Gateway Event Types” on Microsoft’s TechNet website.
Table 1. Auditing Events

| Event Name | Description |
|---|---|
| Successful User Disconnection from the Resource | By monitoring the timestamp for this event and the related Successful User Connection to the Resource event, you can verify the user session time and the amount of data (in kilobytes) sent and received by the client through the TS Gateway server. |
| Failed User Connection to the Resource | The remote client met the conditions specified in the TS CAP and the TS RAP but could not connect to the internal network resource (computer) through the TS Gateway server because the computer was unavailable. By auditing this event, you can determine which connectivity issues are caused by problems with Terminal Services and Remote Desktop rather than the TS Gateway server. |
| Failed Connection Authorization | The remote client could not connect to a TS Gateway server because the client did not meet the conditions specified in the TS CAPs. |
| Failed Resource Authorization | The remote client could not connect through a TS Gateway server to the specified computer because no TS RAPs are configured to allow the user access to the specified computer. |
| Successful User Connection to the Resource | The remote client successfully connected to a computer through the TS Gateway server. |
| Successful Connection Authorization | The remote client successfully connected to the TS Gateway server because the client met the conditions specified in at least one TS CAP. |
| Successful Resource Authorization | The remote client successfully connected through the TS Gateway server to the specified internal network resource because the client met the conditions specified in at least one TS RAP. |
SSL Bridging: To enhance security, you can configure TS Gateway to use ISA or a third-party product to perform SSL bridging. You can also choose to use HTTPS–HTTP bridging (this will terminate the SSL requests and initiate new HTTP requests).
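The auditing events in Table 1 are only useful if someone reads them. The following added example (not from the book or from Microsoft) shows the two checks the table suggests: pairing each Successful User Connection with its Successful User Disconnection to recover session length and data volume, and flagging repeated Failed Connection Authorization (no TS CAP matched) and any Failed Resource Authorization (no TS RAP allows the target). The record layout and the sample records are constructed for the example; real TS Gateway log fields differ.

```python
from collections import defaultdict
from datetime import datetime

CONNECT = "Successful User Connection to the Resource"
DISCONNECT = "Successful User Disconnection from the Resource"
CAP_FAIL = "Failed Connection Authorization"
RAP_FAIL = "Failed Resource Authorization"

# Constructed sample records using the Table 1 event names. The tuple layout
# (time, event, user, resource, sent KB, received KB) is an assumption for
# this example, not real TS Gateway log output.
SAMPLE_EVENTS = [
    ("2008-05-01T09:00:02", CONNECT, "CORP\\alice", "ts1.corp.local", 0, 0),
    ("2008-05-01T09:45:02", DISCONNECT, "CORP\\alice", "ts1.corp.local", 512, 4096),
    ("2008-05-01T09:10:00", CAP_FAIL, "CORP\\bob", "", 0, 0),
    ("2008-05-01T09:11:00", CAP_FAIL, "CORP\\bob", "", 0, 0),
    ("2008-05-01T09:12:00", CAP_FAIL, "CORP\\bob", "", 0, 0),
    ("2008-05-01T09:20:00", RAP_FAIL, "CORP\\carol", "dc1.corp.local", 0, 0),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def session_report(events):
    """Pair each connection with the next disconnection for the same
    user/resource and report session length (minutes) and data volume (KB)."""
    open_sessions, report = {}, []
    for time, name, user, resource, sent_kb, recv_kb in sorted(events):
        key = (user, resource)
        if name == CONNECT:
            open_sessions[key] = _ts(time)
        elif name == DISCONNECT and key in open_sessions:
            minutes = (_ts(time) - open_sessions.pop(key)).total_seconds() / 60
            report.append({"user": user, "resource": resource, "minutes": minutes,
                           "sent_kb": sent_kb, "received_kb": recv_kb})
    return report

def authorization_failures(events, cap_threshold=3):
    """Flag users with repeated TS CAP failures (no policy matched) and every
    TS RAP failure (a user who passed the CAP reaching for a computer no RAP allows)."""
    cap_fails, rap_fails = defaultdict(int), []
    for _time, name, user, resource, _sent, _recv in events:
        if name == CAP_FAIL:
            cap_fails[user] += 1
        elif name == RAP_FAIL:
            rap_fails.append((user, resource))
    repeated = {u: n for u, n in cap_fails.items() if n >= cap_threshold}
    return {"repeated_cap_failures": repeated, "rap_failures": rap_fails}
```

Open sessions with no matching disconnection are simply left out of the report, which itself is worth noticing when it persists.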
Expand the TS Gateway server and highlight its Policies folder in the console tree. In the Actions pane you can now create and configure additional TS CAP and TS RAP authorization policies. The Properties tabs for each of these authorization policies expose some additional configuration settings. Expand the Policies folder and highlight Connection Authorization Policies. Choose the TS CAP you want to configure in the Actions pane. Click Properties. The properties page has three tabs:
General: This tab shows the policy type, the policy name, and the order in which the policy is applied. You can choose to enable or disable a policy from this tab.

Requirements: In this tab, you set the requirements users must meet to connect to the TS Gateway server. You can adjust the authentication methods (password and smart card) here, and you can add other user groups. Optionally, you can choose to add computer groups that will have access to this TS Gateway server. (The option of adding computer groups was not available at installation.)

Device Redirection: This tab contains other configurable items that were not present during the installation. Here you can enable or disable device redirection for clients connecting to the TS Gateway server. You also have the option of disabling only certain device types.
Note

In all scenarios, a smart card cannot be disabled as a device because it is used as an authentication method for connecting to the TS Gateway server through the TS CAP.
Expand the Policies folder and highlight Resource Authorization Policies. Choose the TS RAP you want to configure and in the Actions pane click Properties. The properties page has four tabs:
General: In this tab, you can view or adjust the policy name. You can also add a description and enable or disable this policy.
User Groups: This tab allows you to add additional user groups to this policy.
Computer Group: This tab allows you to specify computer groups that can be accessed by clients. You can select an existing Active Directory security group or an existing TS Gateway managed group, or allow users to access any network resource.

Allowed Ports: In this tab, you can choose to allow connections through port 3389, allow connections through a list of specified ports (added manually), or allow connections through any port.
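To make the two-stage decision concrete, here is an added example (not code from the book or from Microsoft) that models a TS CAP and a TS RAP as described in the tabs above and evaluates a connection request the way the gateway does: first the CAPs in configured order (user group, authentication method, optional client computer group), then the RAPs (user group, computer group or any resource, allowed ports or any port), returning the Table 1 authorization event that the outcome would log. The class and field names are assumptions chosen for this example; the "any network resource" and "any port" settings are modelled as None so their effect on the decision is visible.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class TSCap:                           # Connection Authorization Policy (Requirements tab)
    name: str
    user_groups: Set[str]
    auth_methods: Set[str]             # subset of {"password", "smartcard"}
    computer_groups: Set[str]          # empty set = client computer not restricted
    enabled: bool = True

@dataclass
class TSRap:                           # Resource Authorization Policy
    name: str
    user_groups: Set[str]
    computer_group: Optional[str]      # None = "any network resource"
    allowed_ports: Optional[Set[int]]  # None = "any port"
    enabled: bool = True

@dataclass
class Request:                         # constructed view of one incoming connection
    user_groups: Set[str]              # groups the authenticated user belongs to
    auth_method: str
    client_groups: Set[str]            # groups the client computer belongs to
    resource_groups: Set[str]          # groups the target computer belongs to
    port: int

def match_cap(caps, req):
    """First enabled TS CAP, in configured order, whose requirements the client meets."""
    for cap in caps:
        if (cap.enabled and req.user_groups & cap.user_groups
                and req.auth_method in cap.auth_methods
                and (not cap.computer_groups or req.client_groups & cap.computer_groups)):
            return cap
    return None

def match_rap(raps, req):
    """Any enabled TS RAP that lets this user reach the target computer on this port."""
    for rap in raps:
        if (rap.enabled and req.user_groups & rap.user_groups
                and (rap.computer_group is None or rap.computer_group in req.resource_groups)
                and (rap.allowed_ports is None or req.port in rap.allowed_ports)):
            return rap
    return None

def audit_event(caps, raps, req):
    """Map the outcome to the Table 1 authorization event that would be logged."""
    if match_cap(caps, req) is None:
        return "Failed Connection Authorization"
    if match_rap(raps, req) is None:
        return "Failed Resource Authorization"
    return "Successful Resource Authorization"
```

A RAP with computer_group=None and allowed_ports=None authorizes every user in its group to any internal host on any port, which is why those two options deserve a second look during review.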