Overview of Terminal Services Gateway
TS Gateway is an optional TS component that enables authorized Remote Desktop clients on the Internet to establish Remote Desktop Protocol (RDP) sessions with Terminal Services resources located behind a firewall on a private network. (“Terminal Services resources,” in this case, refers both to terminal servers and to computers with Remote Desktop enabled.) As they pass over the Internet, RDP connections to a TS Gateway server are encapsulated in, and encrypted by, the Secure Sockets Layer (SSL) protocol. A key feature of TS Gateway is that it lets RDP traffic pass through corporate firewalls on TCP port 443, which is normally already open for SSL traffic, so no inbound RDP port has to be exposed to the Internet. (By default, RDP listens on TCP port 3389.)
In a basic TS Gateway deployment, shown in Figure 1, a user on a home computer (point 1) connects over the Internet to a TS Gateway server (point 2) located in the perimeter network behind an external corporate firewall. The connection from point 1 to point 2 carries RDP encapsulated in an HTTPS (HTTP over SSL) tunnel. To receive this HTTPS connection in the perimeter network, the TS Gateway server must be running the Internet Information Services (IIS) Web server. After accepting the connection, the TS Gateway server removes the HTTPS encapsulation and forwards the RDP packets to the destination terminal servers (point 3) located behind a second, internal firewall. In this scenario, if incoming connections are allowed or denied on the basis of Active Directory user and computer accounts, the TS Gateway server must be a member of the Active Directory domain and must be able to reach a domain controller through the internal firewall in order to authenticate users and evaluate its authorization policies. Placing a domain-joined server in the perimeter network is the main security drawback of this basic design.
As an alternative to the basic scenario illustrated in Figure 1, you can use Internet Security and Acceleration (ISA) Server rather than the TS Gateway server as the SSL/HTTPS endpoint for incoming TS client connections. In this scenario, illustrated in Figure 2, ISA Server (point 2) sits in the perimeter network and acts as either an HTTPS-to-HTTPS or an HTTPS-to-HTTP bridge to the TS Gateway server (point 3), which now resides on the internal network and directs the RDP connection to the appropriate internal resource (point 4). This method has the advantage of keeping the domain-joined TS Gateway server, and with it Active Directory credentials and group information, inside the corporate network; only ISA Server is exposed in the perimeter network. Note that with HTTPS-to-HTTP bridging the leg between ISA Server and the TS Gateway server is not encrypted, so use that mode only on a trusted internal segment; HTTPS-to-HTTPS bridging keeps the inner leg encrypted as well.
Installing and Configuring a TS Gateway Server
You can install and configure a TS Gateway server first by adding the TS Gateway role service and then by configuring the clients to point to the TS Gateway server. These steps are described in detail in the following section.
Adding the TS Gateway Role Service
When you choose to add the TS Gateway role service by using Server Manager, the Add Role Services Wizard launches. The Add Role Services Wizard then performs two main tasks. First, it automatically installs (if necessary) the prerequisite role services for TS Gateway: the IIS Web server and Network Policy Server (NPS). Second, it guides you through the process of configuring the three component features of TS Gateway that are required for the role service to function: a server certificate for SSL encryption, a TS Connection Authorization Policy (TS CAP), and a TS Resource Authorization Policy (TS RAP).
Server Certificate for SSL
TS client connections to TS Gateway are encrypted by using SSL (or its successor, Transport Layer Security [TLS]), which requires a server certificate. This server certificate can be issued by a trusted third-party certificate authority (CA) or by a trusted local CA (such as Certificate Services). As a less secure alternative suitable only for testing environments, the Add Role Services Wizard can also generate a self-signed server certificate for use with TS Gateway. Whatever its source, the certificate’s subject name must match the fully qualified domain name that clients will type in the Server Name box of Remote Desktop Connection; otherwise the client refuses the connection with a name-mismatch error.
Important: The client must trust the server’s root certificate
Every TS client that connects to the TS Gateway server must trust the CA that issued the TS Gateway server’s certificate. If neither a trusted third-party CA nor a CA integrated in the client’s own Active Directory domain issued the certificate (for example, when you use a self-signed certificate), you must export the TS Gateway server’s root certificate (for a self-signed certificate, the server certificate itself) and install it in the Trusted Root Certification Authorities store on the Terminal Services client. You can view this store by using the Certificates snap-in. For a demonstration of this procedure, see the practice section at the end of this lesson.
Figure 3 shows the page in the wizard on which you can specify or create a server certificate for SSL encryption.
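The trust check described above can be scripted on the client. The following PowerShell is an added example, not code from the lesson or from Microsoft: it connects to the TS Gateway server on TCP port 443, reports whether the presented certificate chains to a trusted root and whether its name matches the gateway name, and, for a self-signed certificate only, exports the public part on the server and installs it in the client’s Trusted Root Certification Authorities store. It is written for PowerShell 2.0 (the version available on Windows Server 2008 and Windows 7), so it uses the .NET X509 classes rather than later cmdlets such as Import-Certificate. The gateway name and file paths are hypothetical.

```powershell
# Added example (not from the lesson): TS Gateway certificate trust check,
# export, and import for PowerShell 2.0. Names and paths below are hypothetical.

function Test-TSGatewayCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$GatewayFqdn,
        [int]$Port = 443
    )
    # Accept whatever the server sends during the handshake; the real trust
    # decision is made explicitly below with X509Chain so the failure reason
    # can be reported instead of a bare exception.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Build the chain as the client would: machine trust stores, online
    # revocation checking for everything below the root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "Online"
    $chainOk = $chain.Build($cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # RDC also requires the name typed in the Server Name box to match the
    # certificate subject (or a DNS subject alternative name).
    $dnsName = $cert.GetNameInfo("DnsName", $false)

    New-Object PSObject -Property @{
        Gateway      = $GatewayFqdn
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        NotAfter     = $cert.NotAfter
        ChainTrusted = $chainOk
        ChainErrors  = ($chainErrors -join ", ")
        NameMatches  = ($dnsName -eq $GatewayFqdn)
        Usable       = ($chainOk -and ($dnsName -eq $GatewayFqdn) -and ($cert.NotAfter -gt (Get-Date)))
    }
}

# Run on the TS Gateway server: write only the public certificate (no private
# key) from the computer's Personal store to a .cer file for distribution.
function Export-TSGatewayCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$SubjectFqdn,
        [Parameter(Mandatory = $true)][string]$CerPath
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    try {
        $cert = $store.Certificates |
            Where-Object { $_.GetNameInfo("DnsName", $false) -eq $SubjectFqdn } |
            Select-Object -First 1
    } finally { $store.Close() }
    if (-not $cert) { throw "No certificate for $SubjectFqdn in LocalMachine\My" }
    # "Cert" = DER-encoded public certificate only; the private key stays on the server.
    [System.IO.File]::WriteAllBytes($CerPath, $cert.Export("Cert"))
}

# Run on the client: install a self-signed gateway certificate as a trusted root.
function Install-TSGatewayRootCertificate {
    param([Parameter(Mandatory = $true)][string]$CerPath)
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    # Only a root (self-signed) certificate belongs in the Root store. If the
    # gateway certificate was issued by a CA, install that CA's root instead.
    if ($root.Subject -ne $root.Issuer) {
        throw "$CerPath is not self-signed; install the issuing CA's root certificate instead."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $store.Open("ReadWrite")
    try { $store.Add($root) } finally { $store.Close() }   # Add is a no-op if already present
}

# Usage (hypothetical names):
#   On the server : Export-TSGatewayCertificate -SubjectFqdn tsg.contoso.com -CerPath C:\certs\tsg.cer
#   On the client : Install-TSGatewayRootCertificate -CerPath \\fileserver\certs\tsg.cer
#                   Test-TSGatewayCertificate -GatewayFqdn tsg.contoso.com
```

Run the test before and after the import: before, ChainTrusted is False with an UntrustedRoot status for a self-signed certificate; afterwards it should be True, and NameMatches must also be True or RDC will still refuse the gateway. Installing into the LocalMachine Root store requires administrative rights on the client; for a single user, "CurrentUser" works in the same constructor.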
TS CAP
A TS CAP is essentially a policy that specifies which external users or computers can connect to TS Gateway. The Add Role Services Wizard enables you to create only the first and primary TS CAP, but you can create others later by using TS Gateway Manager, the administrative console for TS Gateway.
Note: TS Gateway Manager and TS CAPs
To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
To create a new TS CAP in TS Gateway Manager, right-click the Connection Authorization Policies folder in the console tree, select Create New Policy in the shortcut menu, and then point to Wizard or Custom, as desired. To modify the properties of an existing TS CAP, right-click an existing TS CAP in the Connection Authorization Policies pane, and then click Properties.
On the Select User Groups That Can Connect Through TS Gateway page of the Add Role Services Wizard, the process of creating the first TS CAP is simplified: you specify the users (typically, Active Directory security groups) that are permitted to connect. These same user groups are then made available to the main TS RAP that the wizard creates next.
Note that a TS CAP also enables you to choose an authentication method for remote users: Password, Smart Card, or both.
The Select User Groups page is shown in Figure 4.
When you use the TS Gateway Manager console to create or modify a TS CAP, you also have the option of specifying the client computers (by Active Directory computer group) for which you want to enable access to TS Gateway. Another configuration choice for a TS CAP, available only in the TS Gateway Manager console, is the option to restrict device redirection. In other words, you can use a TS CAP to prevent client devices such as USB drives, the clipboard, or printers from being redirected into the TS user session through TS Gateway. Blocking drive and clipboard redirection for Internet-connected clients limits what can be moved between a compromised home computer and the internal network.
The properties sheet of a TS CAP, available in the TS Gateway Manager console, is shown in Figure 5.
TS RAP
A TS RAP is a TS Gateway policy that specifies which users can connect to which Terminal Services resources in an organization. A connection must satisfy both an enabled TS CAP and an enabled TS RAP before TS Gateway forwards it to the internal resource. The Add Role Services Wizard enables you to create the first and primary TS RAP, but you can create others later by using the TS Gateway Manager console.
Note: TS Gateway Manager and TS RAPs
To create a new TS RAP in TS Gateway Manager, right-click the Resource Authorization Policies folder in the console tree, select Create New Policy in the shortcut menu, and then click Wizard or Custom, as desired. To modify the properties of an existing TS RAP, simply right-click an existing TS RAP in the Resource Authorization Policies pane, and then click Properties.
In the simplified policy created by the Add Role Services Wizard, you determine whether the user group you selected on the Select User Groups That Can Connect Through TS Gateway page should be granted access to all terminal servers on the network or merely to a subset, defined by an Active Directory security group.
The Create A TS RAP For TS Gateway page of the Add Role Services Wizard is shown in Figure 6.
As with a TS CAP, using the TS Gateway Manager console to create or modify a TS RAP presents additional configuration options. For example, when you use the TS Gateway Manager console to create a TS RAP, the computer group to which you enable access can be an Active Directory security group or a TS Gateway-managed computer group, as shown in Figure 7. This latter group type is used only by TS Gateway and is created only through the TS Gateway Manager console. A second TS RAP configuration choice available only in the TS Gateway Manager console is the option to control the TCP ports through which a TS client may connect to a resource. You can restrict all RDP connections to TCP port 3389 (the standard port for RDP), specify a nonstandard port or set of ports on which the computer group listens for connections, or allow connections to any port. The last choice turns TS Gateway into a general-purpose TCP relay to the computer group and should be avoided.
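Because the TS Gateway Manager console shows one policy at a time, it is easy to miss a permissive TS CAP or TS RAP among several. The following PowerShell is an added example, not code from the lesson or from Microsoft: it reads every TS CAP and TS RAP through the TS Gateway WMI provider (namespace root\CIMV2\TerminalServices, classes Win32_TSGatewayConnectionAuthorizationPolicy and Win32_TSGatewayResourceAuthorizationPolicy) and reports the settings discussed above that widen exposure: password-only authentication, unrestricted device redirection, no client computer restriction, very broad user groups, access to all resources, and nonstandard or unrestricted ports. Property names follow the provider’s documentation; verify them with Get-WmiObject on your own server. The server name is hypothetical, and the script runs with PowerShell 2.0.

```powershell
# Added example (not from the lesson): audit TS CAPs and TS RAPs via WMI.
# Run on the TS Gateway server (default) or remotely with -ComputerName.

function Get-TSGatewayPolicyFindings {
    param([string]$ComputerName = ".")   # "." = the local TS Gateway server

    $ns = "root\CIMV2\TerminalServices"
    $findings = New-Object System.Collections.ArrayList
    $note = { param($policy, $type, $text)
        [void]$findings.Add((New-Object PSObject -Property @{ Policy = $policy; Type = $type; Finding = $text })) }

    $caps = @(Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy -ComputerName $ComputerName)
    foreach ($cap in $caps) {
        if (-not $cap.Enabled) { continue }
        # PasswordAllowed without SmartcardAllowed: a phished or guessed domain
        # password alone gets an attacker through the gateway.
        if ($cap.PasswordAllowed -and -not $cap.SmartcardAllowed) {
            & $note $cap.Name "TS CAP" "Password is the only accepted authentication method"
        }
        # DeviceRedirectionType: 0 = disable all redirection, 1 = allow all
        # client devices (drives, clipboard, Plug and Play, printers, serial
        # ports), 2 = disable only the types flagged in the Disable* properties.
        if ($cap.DeviceRedirectionType -eq 1) {
            & $note $cap.Name "TS CAP" "Device redirection is unrestricted"
        }
        # An empty ComputerGroupNames means any client computer may connect;
        # only the user's group membership is checked.
        if (-not $cap.ComputerGroupNames) {
            & $note $cap.Name "TS CAP" "No client computer group restriction"
        }
        # Group lists are returned as one semicolon-separated string.
        foreach ($group in ($cap.UserGroupNames -split ";")) {
            if ($group -match "(^|\\)(Domain Users|Authenticated Users|Everyone)$") {
                & $note $cap.Name "TS CAP" "Very broad user group: $group"
            }
        }
    }

    $raps = @(Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy -ComputerName $ComputerName)
    foreach ($rap in $raps) {
        if (-not $rap.Enabled) { continue }
        # ResourceGroupType: "CG" = Active Directory computer group,
        # "RG" = TS Gateway-managed computer group, "ALL" = every computer
        # the gateway can reach on the internal network.
        if ($rap.ResourceGroupType -eq "ALL") {
            & $note $rap.Name "TS RAP" "Grants access to all network resources"
        }
        # PortNumbers is "3389", a semicolon-separated list, or "*" for any
        # port; "*" makes the gateway a general TCP relay to the group.
        if ($rap.PortNumbers -eq "*") {
            & $note $rap.Name "TS RAP" "Allows connections to any TCP port"
        } elseif ($rap.PortNumbers -ne "3389") {
            & $note $rap.Name "TS RAP" "Allows nonstandard ports: $($rap.PortNumbers)"
        }
    }
    $findings.ToArray()
}

# Usage (hypothetical server name):
#   Get-TSGatewayPolicyFindings -ComputerName tsg.contoso.com |
#       Sort-Object Type, Policy | Format-Table Type, Policy, Finding -AutoSize
```

Disabled policies are skipped deliberately, because TS Gateway ignores them; an empty result means every enabled policy is within the thresholds above, not that the gateway is correctly configured for your environment. Adjust the group-name pattern to match the broad groups in your own domain.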
Configuring Remote Desktop Connection to Use TS Gateway
To use Remote Desktop Connection to initiate connections through TS Gateway, you must first configure RDC to use the gateway. To do so, first open RDC, click the Options button if necessary, and then select the Advanced tab. On the Advanced tab, click the Settings button in the Connect From Anywhere section, as shown in Figure 8.
This procedure opens the Gateway Server Settings dialog box, as shown in Figure 9.
In the Gateway Server Settings dialog box, select the Use These TS Gateway Server Settings option. Then, specify the TS Gateway server in the Server Name box and an appropriate logon method in the Logon Method box: Ask For Password (NTLM), Smart Card, or Allow Me To Select Later. To force RDC to use TS Gateway even for computers on your LAN, clear the Bypass TS Gateway Server For Local Addresses check box; otherwise RDC connects directly on TCP port 3389 to any address it considers local.
In the Logon Settings area of the dialog box, you can specify whether the TS Gateway server should pass your credentials along to the target terminal server. By default, this option (Use My TS Gateway Credentials For The Remote Computer) is selected. However, if you need to enter a different username or password at the remote server, clear this option.
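The choices made in the Gateway Server Settings dialog box are stored in the .rdp file that RDC saves, so the same configuration can be generated for many users and checked in bulk rather than clicked through one client at a time. The following PowerShell is an added example, not code from the lesson or from Microsoft: the first function writes an .rdp file that always goes through TS Gateway (no bypass for local addresses) with the chosen logon method and gateway credentials reused for the terminal server, and the second parses existing .rdp files and reports ones that bypass the gateway or weaken server authentication or device redirection. The setting names (gatewayhostname, gatewayusagemethod, gatewaycredentialssource, promptcredentialonce, and so on) are the standard RDP file settings; host names and paths are hypothetical. Runs with PowerShell 2.0.

```powershell
# Added example (not from the lesson): generate and audit .rdp files that use
# TS Gateway. Host names and paths are hypothetical.

function New-TSGatewayRdpFile {
    param(
        [Parameter(Mandatory = $true)][string]$TargetComputer,
        [Parameter(Mandatory = $true)][string]$GatewayFqdn,
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$SmartCard
    )
    # gatewayusagemethod: 0 = do not use the gateway, 1 = always use it (no
    #   bypass for local addresses), 2 = bypass for local addresses, 3 = default.
    # gatewaycredentialssource: 0 = ask for password (NTLM), 1 = smart card.
    # promptcredentialonce: 1 = reuse the gateway credentials for the terminal
    #   server (the dialog box default), 0 = prompt again at the server.
    $credSource = 0
    if ($SmartCard) { $credSource = 1 }
    $lines = @(
        "full address:s:$TargetComputer",
        "server port:i:3389",
        "gatewayhostname:s:$GatewayFqdn",
        "gatewayusagemethod:i:1",
        "gatewayprofileusagemethod:i:1",   # 1 = use these explicit gateway settings
        "gatewaycredentialssource:i:$credSource",
        "promptcredentialonce:i:1",
        "authentication level:i:1",        # 1 = do not connect if server authentication fails
        "enablecredsspsupport:i:1",        # Network Level Authentication
        "redirectdrives:i:0",
        "redirectclipboard:i:0",
        "redirectprinters:i:0"
    )
    # RDC saves .rdp files as UTF-16LE with a BOM; PowerShell calls that "Unicode".
    $lines | Set-Content -Path $Path -Encoding Unicode
}

function Test-RdpFileGatewaySettings {
    param([Parameter(Mandatory = $true)][string]$Path)
    $settings = @{}
    foreach ($line in (Get-Content -Path $Path)) {
        # Each line is name:type:value, where type is s (string) or i (integer).
        if ($line -match "^([^:]+):([si]):(.*)$") { $settings[$matches[1]] = $matches[3] }
    }
    $issues = @()
    if (-not $settings["gatewayhostname"]) {
        $issues += "No TS Gateway configured; RDC connects directly to the target"
    } elseif ($settings["gatewayusagemethod"] -ne "1") {
        $issues += "gatewayusagemethod is '$($settings["gatewayusagemethod"])'; only 1 forces every connection through the gateway"
    }
    if ($settings["authentication level"] -eq "0") {
        $issues += "Server authentication failures are ignored (authentication level 0)"
    }
    if ($settings["redirectdrives"] -eq "1") {
        $issues += "Client drives are redirected into the session"
    }
    New-Object PSObject -Property @{
        Path      = $Path
        Target    = $settings["full address"]
        Gateway   = $settings["gatewayhostname"]
        Issues    = ($issues -join "; ")
        Compliant = ($issues.Count -eq 0)
    }
}

# Usage (hypothetical names):
#   New-TSGatewayRdpFile -TargetComputer ts01.corp.contoso.com -GatewayFqdn tsg.contoso.com -Path C:\rdp\ts01.rdp
#   Get-ChildItem C:\rdp\*.rdp | ForEach-Object { Test-RdpFileGatewaySettings $_.FullName } |
#       Where-Object { -not $_.Compliant } | Format-Table Path, Gateway, Issues -AutoSize
```

The generator omits a saved username on purpose; credentials belong in the user’s prompt, not in a distributed file. A file that RDC itself saved will contain many more settings than the ones written here, which is why the audit function parses whatever it finds instead of expecting a fixed layout.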