Tuesday, January 6, 2009

Windows 2008 TS gateway rocks

I set up a test win2k8 box and enabled Terminal Services Gateway on it. It enables you to use remote desktop to access machines inside the firewall from outside. And I haven't used my VPN connection since then!

The setup isn't too bad.
1. Enable the TS Gateway role (and the TS web access if you want)
2. Obtain an SSL certificate with the outside DNS name of the server. This will need to be setup on the TS Gateway server. If you are using an ISA firewall for SSL tunnel inspection, you'll need to install the cert on the listener as well.
3. Make sure your DNS records will resolve properly to the external IP address that matches the SSL certificates DNS name.
4. Create a CAP (connection authorization policy) to specify who is allowed to even connect to the server. You can restrict connection access to specific users or active directory groups as needed.

5. Create a RAP (resource authorization policy) to specify which servers can be accessed. You can also choose to enable all of them but IMHO that's less secure. It would also appear that you can further limit which users can access which RAP groups as well for more granular access. For your initial testing, try not to make this too complicated.

6. If you are just setting up a passthrough on your firewall, then just open up tcp 443 on the right external IP address that corresponds to your SSL cert and have it route the packets to your TS Gateway server.

7. If you are using ISA server you'll need to setup a new publishing rule.

For the listener properties, I left the Client Authentication Method on "No Authentication", No Forms, No SSO.

(Apologies if this isn't well structured, it's been a few weeks since I set this up.)

Now to access the server, you have to use Remote Desktop Client 6.0 or higher. (Basically Vista SP1 or XP SP3). Go to the Advanced Tab and enter in your server information.

Then OK out of that and go to the General Tab and enter in the internal machine name that you want to connect to through the terminal server gateway. (NOTE: Make sure the machine is listed in the RAP policy if you are not allowing all connections. If you used the FQDN in the RAP policy, then you have to use the FQDN in the client. The same goes for the Netbios name and IP address. I just put all 3 in the RAP).

At this point I normally do a Save As to create a shortcut so these settings don't interfere with my other connections.

When you go to connect you may be prompted for a security confirmation. Just accept it and move one. You'll notice in the confirmation window that it shows you both the gateway server name and the end target name/ip.

Additional notes:
a) Your client MUST trust the SSL certificate. I can't garauntee this'll work otherwise

1 comment:

Anonymous said...

Great post.
I was wondering if you could shed some light on the setup of the DNS / cert.

I have setup a DNS name with a free hoster - called DynamicDns, I have a free URL and IP from them.

I've installed a CA internal on my home network with Win2008.
Does the CA need to be the name of the Win2008 computer name or the name of the URL?