Configuring the TS Gateway Core Scenario

Applies To: Windows Server 2008

The following steps are required for the successful setup and demonstration of the TS Gateway core scenario described as an example in this guide. This scenario enables you to configure a TS Gateway server so that a remote user can access an internal network resource over the Internet, through the TS Gateway server. In this scenario, the internal network resource can be either a terminal server, a terminal server running RemoteApp programs, or a computer with Remote Desktop enabled.

  1. We recommend that you set up three computers to evaluate this scenario. These computers are:

    • The TS Gateway server (known as "TSGSERVER" in this example)

    • The Terminal Services client (known as "TSCLIENT" in this example)

    • An internal network resource (known as "CORPORATERESOURCE" in this example)

    The computers must meet the system requirements described in System requirements for the TS Gateway core scenario.

  2. Configure the TS Gateway server by following the instructions in Steps for configuring the TS Gateway server for the TS Gateway core scenario.

  3. Configure the Terminal Services client by following the instructions in Steps for configuring a Terminal Services client for the TS Gateway core scenario.

  4. Configure the internal network resource.

  5. Demonstrate that the Terminal Services client can connect to the internal network resource through the TS Gateway server by following the instructions in 3. Verify that end-to-end connectivity through TS Gateway is functioning correctly.

System requirements for the TS Gateway core scenario

The three computers used in the TS Gateway core scenario must meet the following system requirements.

Required configuration by computer:

TS Gateway server (TSGSERVER)

  • Windows Server 2008. The installation can be an upgrade from Windows Server® 2003 Service Pack 1 (SP1) or Windows Server 2008 Release Candidate 0 (RC0). For more information, see "Supported upgrade paths" in Installing Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=104824).

Terminal Services client (TSCLIENT)

  • Windows Vista SP1 or Windows XP SP3.

  • Windows Vista. The installation can be an upgrade from Windows XP with Service Pack 2 (SP2).

  • Windows XP SP2 and Remote Desktop Connection (RDC) 6.0. To download RDC 6.0, see article 925876 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=79373).

  • Windows Server 2008. The installation can be an upgrade.

  • Windows Server 2003 with Service Pack 1 (SP1) or SP2 and RDC 6.0.

Internal network resource (CORPORATERESOURCE)

For computers with Remote Desktop enabled:

  • Windows Vista SP1 or Windows XP SP3.

  • Windows Vista. The installation can be an upgrade from Windows XP with SP2.

  • Windows XP with SP2.

  • Windows Server 2003 with SP1 or SP2.

For terminal servers:

  • Windows Server 2008. The installation can be an upgrade.

  • Windows Server 2003 with SP1 or SP2.

Setting up the TS Gateway core scenario

The following diagram illustrates the core scenario for TS Gateway.

Note

The steps in this setup guide describe how to set up the core TS Gateway scenario for remote access from a Terminal Services client through a TS Gateway server to an internal network resource. The guide does not describe how to set up the firewalls illustrated in the diagram, terminal servers running RemoteApp programs, or the Active Directory infrastructure. The diagram is provided to suggest one of many ways in which the TS Gateway core remote access scenario might be implemented in a production environment.

For information about how to set up a terminal server, see the Help topic "Terminal Server" (https://go.microsoft.com/fwlink/?LinkId=72052).

For information about setting up RemoteApp programs, see the Terminal Services RemoteApp Step-by-Step Guide (https://go.microsoft.com/fwlink/?linkId=84895).

For information about how to enable Remote Desktop, see the topic "Using Remote Desktop" in the Windows Server 2008 Help.

Connection sequence for the TS Gateway core scenario

Following is a simplified description of the sequence that TSCLIENT follows when connecting through TSGSERVER to CORPORATERESOURCE:

  1. The user on the Terminal Services client, TSCLIENT, might initiate the connection by doing one of the following:

    • Clicking an RDP file that the administrator has configured, to access his or her full desktop.

    • Clicking a RemoteApp program icon. RemoteApp programs are represented in an RDP file that the administrator has configured.

    • Visiting a Web site (either from the Internet or from an intranet) to access a list of RemoteApp programs that the administrator has made available by using Terminal Services Web Access (TS Web Access), and then clicking a RemoteApp program icon.

    • Opening the Remote Desktop Connection client and manually specifying the appropriate settings for the connection.

  2. An SSL tunnel is established between TSCLIENT and TSGSERVER by using the TS Gateway server's SSL certificate. Before a connection between TSCLIENT and TSGSERVER is established, TSGSERVER must authenticate and authorize the user according to Terminal Services connection authorization policies (TS CAPs) that the administrator has configured on TSGSERVER.

  3. After authentication and authorization succeed, TSGSERVER signals TSCLIENT to continue with the connection sequence.

  4. TSCLIENT requests a connection from TSGSERVER to CORPORATERESOURCE. Before authorizing the request, TSGSERVER verifies that both of the following conditions are met simultaneously, for at least one Terminal Services resource authorization policy (TS RAP) that is configured on TSGSERVER:

    • CORPORATERESOURCE is a member of a computer group that is specified in the TS RAP; and

    • The user is a member of a user group that is specified in the TS RAP.

    If both requirements are met, TSGSERVER authorizes the request.

  5. An SSL connection is established between TSCLIENT and TSGSERVER, and an RDP connection is established between TSGSERVER and CORPORATERESOURCE.

    From this point, any packets that TSCLIENT sends to TSGSERVER are forwarded to CORPORATERESOURCE, and any packets that CORPORATERESOURCE sends to TSGSERVER are forwarded to TSCLIENT.

  6. TSCLIENT will attempt to create a user session on CORPORATERESOURCE. CORPORATERESOURCE performs Windows authentication to validate the identity of the user requesting the connection and the privileges that the user has on CORPORATERESOURCE. (These are the same steps that would be followed if TSCLIENT were to request a remote connection to CORPORATERESOURCE without using TSGSERVER.)

  7. TSCLIENT exchanges encrypted RDP packets encapsulated within SSL with TSGSERVER over port 443. TSGSERVER forwards the RDP packets to CORPORATERESOURCE over port 3389.

Steps for configuring the TS Gateway server for the TS Gateway core scenario

To configure the TS Gateway server, complete these tasks.

Task and where to find the step-by-step instructions:

  1. Install the TS Gateway role service. See 1. Install the TS Gateway role service.

  2. Obtain a certificate for the TS Gateway server. See 2. Obtain a certificate for the TS Gateway server.

  3. Configure a certificate for the TS Gateway server. See 3. Configure a certificate for the TS Gateway server.

  4. Create a Terminal Services connection authorization policy (TS CAP). See 4. Create a TS CAP for the TS Gateway server.

  5. Create a Terminal Services resource authorization policy (TS RAP). See 5. Create a TS RAP and specify computers that users can connect to through the TS Gateway server.

  6. Limit the maximum number of simultaneous connections through TS Gateway (optional). See 6. Limit the maximum number of simultaneous connections through TS Gateway (optional).

1. Install the TS Gateway role service

Follow these steps to install the TS Gateway role service. Optionally, during the role service installation process, you can select an existing certificate (or create a new self-signed certificate), and you can create a TS CAP and a TS RAP.

To install the TS Gateway role service

  1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

  2. If the Terminal Services role is not already installed:

    1. In Server Manager, under Roles Summary, click Add roles.

    2. In the Add Roles Wizard, if the Before You Begin page appears, click Next. This page will not appear if you have already installed other roles and you have selected the Skip this page by default check box.

    3. On the Select Server Roles page, under Roles, select the Terminal Services check box, and then click Next.

    4. On the Terminal Services page, click Next.

    5. On the Select Role Services page, in the Role services list, select the TS Gateway check box.

    6. If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services.

    7. On the Select Role Services page, confirm that TS Gateway is selected, and then click Next.

    If the Terminal Services role is already installed:

    1. Under Roles Summary, click Terminal Services.

    2. Under Role Services, click Add Role Services.

    3. On the Select Role Services page, select the TS Gateway check box, and then click Next.

    4. If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services.

    5. On the Select Role Services page, click Next.

  3. On the Choose a Server Authentication Certificate for SSL Encryption page, specify whether to choose an existing certificate for SSL encryption (recommended), create a self-signed certificate for SSL encryption, or choose a certificate for SSL encryption later. If you are completing an installation for a new server that does not yet have certificates, see 2. Obtain a certificate for the TS Gateway server for certificate requirements and information about how to obtain and install a certificate.

    Under the Choose an existing certificate for SSL encryption (recommended) option, only certificates that have the intended purpose (server authentication) and Enhanced Key Usage (EKU) [Server Authentication (1.3.6.1.5.5.7.3.1)] that are appropriate for the TS Gateway role service will appear in the list of certificates. If you select this option, click Import, and then import a new certificate that does not meet these requirements, the imported certificate will not appear in the list.

  4. On the Create Authorization Policies for TS Gateway page, specify whether you want to create authorization policies (a TS CAP and a TS RAP) during the TS Gateway role service installation process or later. If you select Later, follow the procedures in 4. Create a TS CAP for the TS Gateway server to create this policy. If you select Now, do the following:

    1. On the Select User Groups That Can Connect Through TS Gateway page, click Add to specify additional user groups. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box.

    2. To specify more than one user group, do either of the following: Type the name of each user group, separating the name of each group with a semi-colon; or add additional groups from different domains by repeating the first part of this step for each group.

    3. After you finish specifying additional user groups, on the Select User Groups that Can Connect Through TS Gateway page, click Next.

    4. On the Create a TS CAP for TS Gateway page, accept the default name for the TS CAP (TS_CAP_01) or specify a new name, select one or more supported Windows authentication methods, and then click Next.

    5. On the Create a TS RAP for TS Gateway page, accept the default name for the TS RAP (TS_RAP_01) or specify a new name, and then do one of the following: Specify whether to allow users to connect only to computers in one or more computer groups, and then specify the computer groups; or specify that users can connect to any computer on the network. Click Next.

  5. On the Network Policy and Access Services page (which appears if this role service is not already installed), review the summary information, and then click Next.

  6. On the Select Role Services page, verify that Network Policy Server is selected, and then click Next.

  7. On the Web Server (IIS) page (which appears if this role service is not already installed), review the summary information, and then click Next.

  8. On the Select Role Services page, accept the default selections for Web Server (IIS), and then click Next.

  9. On the Confirm Installation Options page, verify that the following roles, role services, and features will be installed:

    • Terminal Services\TS Gateway

    • Network Policy and Access Services\Network Policy Server

    • Web Server (IIS)\Web Server\Management Tools

    • RPC over HTTP Proxy

    • Windows Process Activation Service\Process Model\Configuration APIs

  10. Click Install.

  11. On the Installation Progress page, installation progress will be noted.

    If any of these roles, role services, or features has already been installed, installation progress will be noted only for the new roles, role services, or features that are being installed.

  12. On the Installation Results page, confirm that installation for these roles, role services, and features was successful, and then click Close.

Verify successful role service installation and TS Gateway service status

Use the following procedure to verify that the TS Gateway role service and dependent roles, role services, and features are installed correctly and running.

To verify that installation was successful

  1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

  2. In the console tree, expand Roles, and then double-click Terminal Services.

  3. On the Terminal Services summary page, in the System Services area, verify that the status of Terminal Services Gateway is Running and that the startup type is set to Auto.

  4. Close Server Manager.

  5. Open Internet Information Services (IIS) Manager. To open IIS Manager, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  6. In the console tree, expand <TS Gateway_Server_Name>\Sites\Default Web Site, and then click Default Web Site.

  7. Right-click Default Web Site, point to Manage Web Site, and then click Advanced Settings.

  8. In the Advanced Settings dialog box, under (General), verify that Start Automatically is set to True. If it is not set to True, click the drop-down arrow to display the list, and then click True.

  9. Click OK.

  10. Close IIS Manager.
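The same items that this procedure inspects in Server Manager and IIS Manager can be checked from a script. The following PowerShell is an added example, not part of the original guide; it assumes the service names TSGateway (Terminal Services Gateway), IAS (Network Policy Server) and W3SVC (World Wide Web Publishing Service), and reads the Default Web Site's start setting from applicationHost.config.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell
# session on the TS Gateway server after the role service has been installed.
# Assumptions: service names TSGateway, IAS and W3SVC; IIS site settings are
# read from %windir%\System32\inetsrv\config\applicationHost.config.

function New-CheckResult([string]$Check, [bool]$Pass, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-ServiceState([string]$Name, [string]$Description) {
    # Win32_Service exposes the same State / StartMode values that Server
    # Manager shows ("Running", "Auto").
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($null -eq $svc) {
        return @(New-CheckResult "$Description installed" $false 'service not found')
    }
    @(
        (New-CheckResult "$Description running" ($svc.State -eq 'Running') $svc.State),
        (New-CheckResult "$Description startup type Auto" ($svc.StartMode -eq 'Auto') $svc.StartMode)
    )
}

function Test-IisSiteAutoStart([string]$SiteName, [string]$ConfigPath) {
    # "Start Automatically" in IIS Manager is the serverAutoStart attribute of
    # the <site> element; IIS treats a missing attribute as true.
    $check = "IIS site '$SiteName' starts automatically"
    if (-not (Test-Path -Path $ConfigPath)) {
        return New-CheckResult $check $false "config not found: $ConfigPath"
    }
    [xml]$cfg = Get-Content -Path $ConfigPath
    $site = $cfg.SelectSingleNode("/configuration/system.applicationHost/sites/site[@name='$SiteName']")
    if ($null -eq $site) {
        return New-CheckResult $check $false 'site not defined'
    }
    $auto = $true
    if ($site.HasAttribute('serverAutoStart')) {
        $auto = [System.Boolean]::Parse($site.GetAttribute('serverAutoStart'))
    }
    New-CheckResult $check $auto "serverAutoStart=$auto"
}

function Test-HttpsListener {
    # Clients reach TS Gateway over TCP 443 (see the connection sequence above),
    # so a listener must be bound there.
    $lines = @(netstat -ano -p tcp | Select-String -Pattern ':443\s+\S+\s+LISTENING')
    New-CheckResult 'TCP 443 listening' ($lines.Count -gt 0) "$($lines.Count) listener(s)"
}

function Test-TSGatewayInstall {
    param(
        [string]$SiteName      = 'Default Web Site',
        [string]$AppHostConfig = "$env:windir\System32\inetsrv\config\applicationHost.config"
    )
    $results = @()
    $results += Test-ServiceState 'TSGateway' 'Terminal Services Gateway'
    $results += Test-ServiceState 'IAS'       'Network Policy Server'
    $results += Test-ServiceState 'W3SVC'     'World Wide Web Publishing Service'
    $results += Test-IisSiteAutoStart $SiteName $AppHostConfig
    $results += Test-HttpsListener
    $results
}

$results = Test-TSGatewayInstall
$results | Format-Table -AutoSize -Property Check, Pass, Detail
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more TS Gateway installation checks failed.'
}
```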

2. Obtain a certificate for the TS Gateway server

This section assumes an understanding of certificate trust chaining, certificate signing, and general certificate configuration principles. For information about PKI configuration in Windows Server 2008, see ITPROADD-204: PKI Enhancement in Windows Vista and Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=93995). For information about PKI configuration in Windows Server 2003, see Public Key Infrastructure (https://go.microsoft.com/fwlink/?LinkID=54917).

As mentioned earlier in this guide, by default TLS 1.0 is used to encrypt communications between Terminal Services clients and TS Gateway servers over the Internet. TLS is a standard protocol that helps to secure Web communications on the Internet or intranets. TLS is the latest and most secure version of the SSL protocol. For more information about TLS, see:

For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the TS Gateway server.

Certificate requirements for TS Gateway

Certificates for TS Gateway must meet these requirements:

  • The name in the Subject line of the server certificate (certificate name, or CN) must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this.

Note

If you are using the SAN attributes of certificates, clients that connect to the TS Gateway server must be running Remote Desktop Connection (RDC) 6.1. (RDC 6.1 [6.0.6001] supports Remote Desktop Protocol 6.1.) RDC 6.1 is included with Windows Server 2008, Windows Vista SP1, and Windows XP SP3.

  • The certificate is a computer certificate.

  • The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).

  • The certificate has a corresponding private key.

  • The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.

  • A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the certificate that you plan to use contains an object identifier of 2.5.29.15, you can only use the certificate if at least one of the following key usage values is also set: CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE, and CERT_DATA_ENCIPHERMENT_KEY_USAGE.

    For more information about these values, see Advanced Certificate Enrollment and Management (https://go.microsoft.com/fwlink/?LinkID=74577).

  • The certificate must be trusted on clients. That is, the public certificate of the CA that signed the TS Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.
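The requirements above can be checked against the certificates already present in the computer store of the TS Gateway server. The following PowerShell is an added example, not part of the original guide; it assumes that the GatewayFqdn value passed in is the DNS name clients use to reach TSGSERVER (a placeholder is used below) and that the SAN extension is formatted with the English "DNS Name=" label. The last requirement (trust on the client) cannot be verified from the server and is not covered.

```powershell
# Added example (not from the original guide): test certificates in the local
# computer's Personal store against the TS Gateway certificate requirements.
# Assumptions: -GatewayFqdn is the client-facing DNS name of the gateway
# (placeholder below); SAN parsing relies on the English "DNS Name=" label.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication
$EkuOid        = '2.5.29.37'           # Extended Key Usage extension
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension
$KeyUsageOid   = '2.5.29.15'           # Key Usage extension

function Test-NameMatch([string]$CertName, [string]$Fqdn) {
    # Exact match, or a single-label wildcard such as *.contoso.com.
    if ($CertName -eq $Fqdn) { return $true }
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)                      # ".contoso.com"
        if (-not $Fqdn.ToLower().EndsWith($suffix.ToLower())) { return $false }
        $label = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return $false
}

function Get-CertificateDnsNames($Cert) {
    # Subject CN plus every DNS entry of the SAN extension.
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    $names
}

function Test-TSGatewayCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$GatewayFqdn,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # computer certificates only
    )
    $now = Get-Date
    foreach ($cert in (Get-ChildItem -Path $StorePath)) {
        $problems = @()
        $warnings = @()

        # CN, or a SAN DNS name, or a wildcard must match the client-facing name.
        $names   = Get-CertificateDnsNames $cert
        $matched = $false
        foreach ($n in $names) { if (Test-NameMatch $n $GatewayFqdn) { $matched = $true } }
        if (-not $matched) { $problems += "no name matches $GatewayFqdn (names: $($names -join ', '))" }

        # Intended purpose: EKU must include Server Authentication.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
        $hasServerAuth = $false
        if ($eku) { foreach ($u in $eku.EnhancedKeyUsages) { if ($u.Value -eq $ServerAuthOid) { $hasServerAuth = $true } } }
        if (-not $hasServerAuth) { $problems += "EKU lacks Server Authentication ($ServerAuthOid)" }

        # A corresponding private key must be present.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

        # Not expired; the guide recommends a year of validity from installation.
        if ($cert.NotAfter -le $now -or $cert.NotBefore -gt $now) {
            $problems += "not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))"
        } elseif ($cert.NotAfter -lt $now.AddYears(1)) {
            $warnings += "expires within a year ($($cert.NotAfter))"
        }

        # If Key Usage (2.5.29.15) is present it must allow key encipherment,
        # key agreement or data encipherment; if absent, nothing to check.
        $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $KeyUsageOid }
        if ($ku) {
            $needed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] 'KeyEncipherment, KeyAgreement, DataEncipherment'
            if (($ku.KeyUsages -band $needed) -eq 0) {
                $problems += "Key Usage '$($ku.KeyUsages)' allows none of KeyEncipherment/KeyAgreement/DataEncipherment"
            }
        }

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Usable     = ($problems.Count -eq 0)
            Notes      = (($problems + $warnings) -join '; ')
        }
    }
}

# Placeholder name: replace with the FQDN that clients use for TSGSERVER.
Test-TSGatewayCertificate -GatewayFqdn 'tsgserver.example.com' |
    Format-Table -AutoSize -Property Thumbprint, Usable, Subject, Notes
```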

Using existing certificates

If you already have a certificate, you can reuse it for the TS Gateway server if the certificate:

  • Is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program [as listed in article 931125 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=59547)]; and

  • Meets the Certificate requirements for TS Gateway.

If the certificate is not trusted by the Microsoft Root Certificate Program Members program (for example, if you create and install a self-signed certificate on the TS Gateway server and you do not manually configure the Terminal Services client computer to trust that certificate), a warning stating that you do not have a trusted certificate appears when the client attempts to connect through the TS Gateway server, and the connection will not succeed. To prevent this error, install the certificate in the computer certificate store on the client computer before the client attempts to connect through the TS Gateway server.

Certificate installation and configuration process overview

The process of obtaining, installing, and configuring a certificate for TS Gateway server involves the following steps:

1. Obtain a certificate for the TS Gateway server by doing one of the following:

  • If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates that meet TS Gateway requirements, you can generate and submit a certificate request in several ways, depending on the policies and configuration of your organization's CA. Methods for obtaining a certificate include:

    • Initiating auto-enrollment from the Certificates snap-in.

    • Requesting certificates by using the Certificate Request Wizard.

    • Requesting a certificate over the Web.

Note

If you have a Windows Server 2003 CA, be aware that the Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll. This ActiveX control is available in Microsoft Windows 2000, Windows Server 2003, and Windows XP. However, Xenroll has been deprecated in Windows Server 2008 and Windows Vista. The sample certificate enrollment Web pages that are included with the original release version of Windows Server 2003, Windows Server 2003 Service Pack 1 (SP1), and Windows Server 2003 Service Pack 2 (SP2) are not designed to handle the change in how Windows Server 2008 and Windows Vista perform Web-based certificate enrollment operations. For information about the steps that you can take to address this issue, see article 922706 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=94472).

    • Using the Certreq command-line tool.

    For more information about using any of these methods to obtain certificates for Windows Server 2008, see the "Obtain a Certificate" topic in the Certificates snap-in Help and the "Certreq" topic in the Windows Server 2008 Command Reference. To review the Certificates snap-in Help topics, click Start, click Run, type hh certmgr.chm, and then click OK. For information about how to request certificates for Windows Server 2003, see Requesting Certificates (https://go.microsoft.com/fwlink/?LinkID=19638).

    A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA that participates in the Microsoft Root Certificate Program Members program (https://go.microsoft.com/fwlink/?LinkID=59547). Otherwise, users connecting from home computers or kiosks might not be able to connect to TS Gateway servers. These connections might fail because the enterprise CA-issued root might not be trusted by computers that are not members of domains, such as home computers or kiosks.
  
  • If your company does not maintain a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates, you can purchase a certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program (https://go.microsoft.com/fwlink/?LinkID=59547). Some of these vendors might offer certificates at no cost on a trial basis.

  • Alternatively, if your company does not maintain a stand-alone or enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes. For step-by-step instructions, see Create a self-signed certificate for TS Gateway.

    In the example configurations described in this guide, a self-signed certificate is used.

Important

If you use either of the first two methods to obtain a certificate (that is, if you obtain a certificate from a stand-alone or enterprise CA or a trusted public CA), you must also install the certificate on the TS Gateway server and map the certificate. However, if you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation (as described in Create a self-signed certificate for TS Gateway), you do not need to install or map the certificate to the TS Gateway server. In this case, the certificate is automatically created, installed in the correct location on the TS Gateway server, and mapped to the TS Gateway server.

Note

Terminal Services clients must have the certificate of the CA that issued the server certificate in their Trusted Root Certification Authorities store. Therefore, if you create a self-signed certificate by following the procedure in this guide, you must copy the certificate to the client computer (or to a network share that can be accessed from the client computer) and then install the certificate in the Trusted Root Certification Authorities store on the client computer. For step-by-step instructions, see 1. Install the TS Gateway server root certificate in the Trusted Root Certification Authorities Store on the Terminal Services client (optional).

If you use one of the first two methods to obtain a certificate and the Terminal Services client computer trusts the issuing CA, you do not need to install the certificate of the CA that issued the server certificate in the client computer certificate store. For example, you do not need to install the certificate of the issuing CA in the client computer certificate store if a VeriSign or other public, trusted CA certificate is installed on the TS Gateway server.

If you use the third method to obtain a certificate (that is, if you create a self-signed certificate), you do need to copy the certificate of the CA that issued the server certificate to the client computer. Then, you must install that certificate in the Trusted Root Certification Authorities store on the client computer. For more information, see 1. Install the TS Gateway server root certificate in the Trusted Root Certification Authorities Store on the Terminal Services client (optional).

2. Install the certificate.

Install a certificate on the TS Gateway server. Use this procedure, described later in this guide, to install the certificate on your TS Gateway server.

3. Map the certificate.

Map the TS Gateway server certificate. This procedure, described later in this guide, allows you to specify that the existing certificate be used by the TS Gateway server.
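For the Certreq method listed under step 1, the following is an added example (not from the original guide) of a request definition that produces a certificate meeting the requirements above: a computer certificate with a private key in the local machine store, the Server Authentication EKU, and a Key Usage that includes key encipherment. The FQDN and file paths are placeholders, and the WebServer template name is an assumption that only applies when the request goes to an enterprise CA.

```powershell
# Added example (not from the original guide): write a certreq .inf that
# satisfies the TS Gateway certificate requirements and generate the request.
# Assumptions: $GatewayFqdn is a placeholder for the name clients connect to;
# the [RequestAttributes] template applies to an enterprise CA only.

$GatewayFqdn = 'tsgserver.example.com'              # placeholder
$InfPath     = Join-Path $env:TEMP 'tsgateway.inf'
$RequestPath = Join-Path $env:TEMP 'tsgateway.req'

# Single-quoted here-string so PowerShell does not expand "$Windows NT$".
$infTemplate = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; The subject CN must match the DNS name that clients use for the gateway.
Subject = "CN=GATEWAY_FQDN"
; Computer certificate: key created in the local machine store, not a user store.
MachineKeySet = TRUE
Exportable = FALSE
; Exchange key (KeySpec 1) usable by SChannel for SSL/TLS.
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyLength = 2048
; Key Usage 0xA0 = digitalSignature (0x80) + keyEncipherment (0x20), so a
; 2.5.29.15 extension is present with key encipherment set.
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Intended purpose: Server Authentication.
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name carrying the same DNS name (clients need RDC 6.1
; to rely on SAN; the CN above still matches for older clients).
2.5.29.17 = "{text}"
_continue_ = "dns=GATEWAY_FQDN&"

[RequestAttributes]
; Enterprise CA only: request the Web Server template. Remove this section
; when submitting to a stand-alone CA.
CertificateTemplate = WebServer
'@

$inf = $infTemplate -replace 'GATEWAY_FQDN', $GatewayFqdn
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# Create the PKCS#10 request; the private key is generated in the machine
# store at this point, so the issued certificate will have a matching key.
& certreq.exe -new $InfPath $RequestPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

Write-Host "Submit $RequestPath to the CA. When the certificate is issued, install it with:"
Write-Host "  certreq.exe -accept <issued .cer file>"
Write-Host "and then map it to the TS Gateway server in TS Gateway Manager."
```

Installing with certreq -accept places the certificate in the Personal store of the local computer, which is the location the install procedure in this guide expects; mapping in TS Gateway Manager is still required.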

Create a self-signed certificate for TS Gateway

This procedure describes how to use TS Gateway Manager to create a self-signed certificate for technical evaluation and testing purposes, if you did not already create one by using the Add Roles Wizard when you installed the TS Gateway role service.

Important

We recommend that you use self-signed certificates only for testing and evaluation purposes. After you create the self-signed certificate, you must copy it to the client computer (or to a network share that can be accessed from the client computer), and then install it in the Trusted Root Certification Authorities store on the client computer.

If you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation (as described in this procedure), you do not need to install or map the certificate to the TS Gateway server.

To create a self-signed certificate for the TS Gateway server

  1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

  2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.

  3. In the results pane, under Configuration Status, click View or modify certificate properties.

  4. On the SSL Certificate tab, click Create a self-signed certificate for SSL encryption, and then click Create Certificate.

  5. In the Create Self-Signed Certificate dialog box, do the following:

    1. Under Certificate name, verify that the correct common name (CN) is specified for the self-signed certificate, or specify a new name. The CN must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates.

    2. Under Certificate location, to store the root certificate in a specified location so that you can manually distribute the root certificate to clients, verify that the Store the root certificate check box is selected, and then specify where to store the certificate. By default, this check box is selected and the certificate is stored under the %Windir%\Users\<Username>\Documents folder.

    3. Click OK.

  6. If you selected the Store the root certificate check box and specified a location for the certificate, a message will appear stating that TS Gateway has successfully created the self-signed certificate, and confirming the location of the stored certificate. Click OK to close the message.

  7. Click OK again to close the TS Gateway server Properties dialog box.

3. Configure a certificate for the TS Gateway server

The process of configuring a certificate for a TS Gateway server involves these steps:

  • Install a certificate on the TS Gateway server

  • Map the TS Gateway server certificate

Install a certificate on the TS Gateway server

After you obtain a certificate, use this procedure to install the certificate in the correct location on the TS Gateway server, if the certificate is not already installed. After you complete this procedure, you must map the certificate.

Note

This procedure is not required if you created a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation, as described in Create a self-signed certificate for TS Gateway. In either case, a certificate is automatically created, installed in the correct location on the TS Gateway server, and mapped to the TS Gateway server.

To install a certificate on the TS Gateway server

  1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:

    1. Click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

    4. In the Certificates snap-in dialog box, click Computer account, and then click Next.

    5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

    6. In the Add or Remove snap-ins dialog box, click OK.

  2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Personal.

  3. Right-click the Personal folder, point to All Tasks, and then click Import.

  4. On the Welcome to the Certificate Import Wizard page, click Next.

  5. On the File to Import page, in the File name box, specify the name of the certificate that you want to import, and then click Next.

  6. On the Password page, do the following:

    1. If you specified a password for the private key associated with the certificate earlier, type the password.

    2. If you want to mark the private key for the certificate as exportable, ensure that Mark this key as exportable is selected.

    3. If you want to include all extended properties for the certificate, ensure that Include all extended properties is selected.

    4. Click Next.

  7. On the Certificate Store page, accept the default option, and then click Next.

  8. On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected.

  9. Click Finish.

  10. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.

  11. With Certificates selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the TS Gateway server. The certificate must be under the Personal store of the local computer.

Map the TS Gateway server certificate

You must use TS Gateway Manager to map the TS Gateway server certificate. If you map a TS Gateway server certificate by using any other method, TS Gateway will not function correctly.

Note

This procedure is not required if you created a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation, as described in Create a self-signed certificate for TS Gateway.

To map a certificate to the local TS Gateway server

  1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

  2. In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties.

  3. On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), and then click Browse Certificates.

  4. In the Install Certificate dialog box, click the certificate that you want to use, and then click Install.

  5. Click OK to close the Properties dialog box for the TS Gateway server.

  6. If this is the first time that you have mapped the TS Gateway certificate, after the certificate mapping is completed, you can verify that the mapping was successful by viewing the TS Gateway Server Status area in TS Gateway Manager. Under Configuration Status and Configuration Tasks, the warning stating that a server certificate is not yet installed or selected and the View or modify certificate properties hyperlink are no longer displayed.

Understand authorization policies for TS Gateway

After you install the TS Gateway role service and configure a certificate for the TS Gateway server, you must create Terminal Services connection authorization policies (TS CAPs), computer groups, and Terminal Services resource authorization policies (TS RAPs).

TS CAPs

TS CAPs allow you to specify who can connect to a TS Gateway server. You can specify a user group that exists on the local TS Gateway server or in Active Directory Domain Services. You can also specify other conditions that users must meet to access a TS Gateway server. For example, you can specify that all users who connect to a specific terminal server that is hosting a human resources (HR) database through a TS Gateway server must be members of the "HR Users" security group. You can also specify that the client computer that is initiating the connection must be a member of an Active Directory security group in the internal network to connect to the TS Gateway server. By requiring that the computer be a member of a specific Active Directory security group in the internal network, you can exclude users who are attempting to connect to the internal network from kiosks, airport computers, or home computers that are not trusted.

For enhanced security when clients are connecting to the internal network through TS Gateway, you can also specify whether to disable client device redirection for all devices supported by the Terminal Services client, or just for a specific type of device such as a disk drive or supported Plug and Play devices. If you disable client device redirection for all devices supported by the client, all device redirection is disabled, except for audio and smart card redirection.

When you select the option to disable device redirection for specific device types or to disable all device types except for smart cards, the TS Gateway server will send the request back to the client with a list of the device types to be disabled. This list is a suggestion only; it is possible for the client to modify the device redirection settings in the list.

Warning

Because the TS Gateway server relies on the client to enforce the device redirection settings suggested by the server, this feature should not be considered to provide guaranteed security. The suggested device redirection settings can only be enforced for Remote Desktop Connection (RDC) clients; the settings cannot be enforced for clients that do not use RDC. Additionally, it is possible for a malicious user to modify an RDC client so that the client ignores the suggested settings. In such cases, this feature cannot provide guaranteed security, even for RDC clients.

Additionally, you can specify whether remote clients must use smart card authentication or password authentication to access internal network resources through a TS Gateway server. When both of these options are selected, clients that use either authentication method are allowed to connect.

Finally, if your organization has deployed Network Access Protection (NAP), you can specify that the client must send a statement of health (SoH). For information about how to configure TS Gateway for NAP, see Configuring the TS Gateway NAP Scenario.

Important

Users are granted access to a TS Gateway server if they meet the conditions specified in the TS CAP. You must also create a TS RAP. A TS RAP allows you to specify the internal network resources (computers) that users can connect to through TS Gateway. Until you create both a TS CAP and a TS RAP, users cannot connect to internal network resources through this TS Gateway server.

TS RAPs

TS RAPs allow you to specify the internal network resources that remote users can connect to through a TS Gateway server. When you create a TS RAP, you can create a computer group (a list of computers on the internal network to which you want the remote users to connect) and associate it with the TS RAP. For example, you can specify that users who are members of the "HR Users" user group be allowed to connect only to computers that are members of the "HR Computers" computer group, and that users who are members of the "Finance Users" user group be allowed to connect only to computers that are members of the "Finance Computers" computer group.

Remote users connecting to an internal network through a TS Gateway server are granted access to computers on the network if they meet the conditions specified in at least one TS CAP and one TS RAP.

Note

When you associate a TS Gateway-managed computer group with a TS RAP, you can support both fully qualified domain names (FQDNs) and NetBIOS names by adding both names to the TS Gateway-managed computer group separately. When you associate an Active Directory security group with a TS RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the TS Gateway server. If the internal network computer belongs to a different domain than the TS Gateway server, users must specify the FQDN of the internal network computer.

Together, TS CAPs and TS RAPs provide two different levels of authorization, which lets you configure a more specific level of access control to computers on an internal network.

Security groups and TS Gateway-managed computer groups associated with TS RAPs

Remote users can connect through TS Gateway to internal network resources in a computer group. The computer group members can be any one of the following:

  • Members of an existing security group. The security group can exist in Local Users and Groups on the TS Gateway server, or it can exist in Active Directory Domain Services.

  • Members of an existing TS Gateway-managed computer group or a new TS Gateway-managed computer group. You can configure a TS Gateway-managed computer group by using TS Gateway Manager after installation.

    A TS Gateway-managed group will not appear in Local Users and Groups on the TS Gateway server, nor can it be configured by using Local Users and Groups.

  • Any network resource. In this case, users can connect to any computer on the internal network that they could connect to when they use Remote Desktop Connection.

4. Create a TS CAP for the TS Gateway server

This procedure describes how to use TS Gateway Manager to create a custom TS CAP. Alternatively, you can use the Authorization Policies Wizard to quickly create a TS CAP and a TS RAP for TS Gateway.

Important

If you configure more than one TS CAP, keep in mind that TS Gateway uses the following policy lookup behavior: policies are applied in the numerical order shown in the TS Gateway Manager results pane, and access to the TS Gateway server is granted by the first matching policy. That is, if a client does not meet the requirements of the first TS CAP in the list, TS Gateway will evaluate the second policy in the list, and so forth, until it locates a TS CAP whose requirements are met. If a client does not meet the requirements of any TS CAP in the list, TS Gateway denies access to the client.
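As an added example that is not part of this guide, the following Python model applies the rules described above (first-match TS CAP evaluation, the requirement for both a TS CAP and a TS RAP, the three TS RAP computer-group types, and the FQDN/NetBIOS naming rules for Active Directory and TS Gateway-managed groups) to constructed sample policies. All domain, group, computer and policy names are invented.

```python
# Added example (not Microsoft code): a model of the TS CAP / TS RAP decision
# described in this guide, run against constructed sample policies.
from dataclasses import dataclass
from typing import FrozenSet, Tuple

PASSWORD, SMARTCARD = "password", "smartcard"


@dataclass(frozen=True)
class Client:
    user_groups: FrozenSet[str]       # security groups the connecting user belongs to
    computer_groups: FrozenSet[str]   # AD groups the client computer belongs to (empty for a kiosk)
    auth_method: str                  # PASSWORD or SMARTCARD


@dataclass(frozen=True)
class TSCAP:
    name: str
    auth_methods: FrozenSet[str]      # Requirements tab: one or both methods
    user_groups: FrozenSet[str]       # User group membership (required)
    client_computer_groups: FrozenSet[str] = frozenset()  # Client computer group membership (optional)
    enabled: bool = True

    def matches(self, c: Client) -> bool:
        # Assumption: membership in any one of the listed groups satisfies the requirement.
        if not self.enabled or c.auth_method not in self.auth_methods:
            return False
        if not c.user_groups & self.user_groups:
            return False
        if self.client_computer_groups and not c.computer_groups & self.client_computer_groups:
            return False
        return True


@dataclass(frozen=True)
class ComputerGroup:
    kind: str                                 # "ad", "managed" or "any"
    members: FrozenSet[str] = frozenset()     # "ad": FQDNs of members; "managed": names exactly as added

    def contains(self, target: str, gateway_domain: str) -> bool:
        t = target.lower()
        if self.kind == "any":
            return True
        if self.kind == "managed":
            # A TS Gateway-managed group matches only names that were added to it;
            # FQDN, NetBIOS name and IP address each have to be added separately.
            return t in {m.lower() for m in self.members}
        # Active Directory security group: the FQDN always matches; the NetBIOS name
        # matches only when the computer is in the same domain as the TS Gateway server.
        for fqdn in (m.lower() for m in self.members):
            if t == fqdn:
                return True
            host, _, domain = fqdn.partition(".")
            if "." not in t and t == host and domain == gateway_domain.lower():
                return True
        return False


@dataclass(frozen=True)
class TSRAP:
    name: str
    user_groups: FrozenSet[str]
    computer_group: ComputerGroup
    enabled: bool = True


def authorize(client, target, caps, raps, gateway_domain) -> Tuple[bool, str]:
    """Return (allowed, reason). A connection needs one matching TS CAP and one matching TS RAP."""
    # TS CAPs are evaluated in the order shown in TS Gateway Manager; the first match grants gateway access.
    cap = next((p for p in caps if p.matches(client)), None)
    if cap is None:
        return False, "no TS CAP matched: access to the TS Gateway server denied"
    # Any TS RAP that names one of the user's groups and contains the requested resource suffices.
    for rap in raps:
        if rap.enabled and client.user_groups & rap.user_groups \
                and rap.computer_group.contains(target, gateway_domain):
            return True, f"granted by TS CAP '{cap.name}' and TS RAP '{rap.name}'"
    return False, f"TS CAP '{cap.name}' matched but no TS RAP allows '{target}'"


# --- constructed sample policies (hypothetical names) -----------------------
GATEWAY_DOMAIN = "corp.example.com"   # domain of the TS Gateway server
CAPS = [
    TSCAP("HR from managed PCs", frozenset({PASSWORD, SMARTCARD}),
          frozenset({"HR Users"}), frozenset({"HR Workstations"})),
    TSCAP("Finance smart card only", frozenset({SMARTCARD}), frozenset({"Finance Users"})),
]
RAPS = [
    TSRAP("HR -> HR Computers", frozenset({"HR Users"}),
          ComputerGroup("ad", frozenset({"hrsrv01.corp.example.com", "app01.lab.example.net"}))),
    TSRAP("Finance -> Finance Computers", frozenset({"Finance Users"}),
          ComputerGroup("managed", frozenset({"finsrv01", "finsrv01.corp.example.com", "10.0.0.5"}))),
]
HR_PC = Client(frozenset({"HR Users"}), frozenset({"HR Workstations"}), PASSWORD)
HR_KIOSK = Client(frozenset({"HR Users"}), frozenset(), PASSWORD)   # untrusted kiosk: no computer group
FIN_CARD = Client(frozenset({"Finance Users"}), frozenset(), SMARTCARD)
FIN_PW = Client(frozenset({"Finance Users"}), frozenset(), PASSWORD)

if __name__ == "__main__":
    for who, c, t in [("HR PC", HR_PC, "hrsrv01"), ("HR kiosk", HR_KIOSK, "hrsrv01"),
                      ("HR PC", HR_PC, "app01"), ("HR PC", HR_PC, "app01.lab.example.net"),
                      ("Finance card", FIN_CARD, "10.0.0.5"), ("Finance pw", FIN_PW, "finsrv01")]:
        print(f"{who} -> {t}: {authorize(c, t, CAPS, RAPS, GATEWAY_DOMAIN)}")
```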

To create a TS CAP for the TS Gateway server

  1. Open TS Gateway Manager.

  2. In the console tree, click to select the node that represents the TS Gateway server, which is named for the computer on which the TS Gateway server is running.

  3. In the console tree, expand Policies, and then click Connection Authorization Policies.

  4. Right-click the Connection Authorization Policies folder, click Create New Policy, and then click Custom.

  5. On the General tab, type a name for the policy, and then verify that the Enable this policy check box is selected.

  6. On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes:

    • Password

    • Smart card

    When both of these options are selected, clients that use either authentication method are allowed to connect.

  7. Under User group membership (required), click Add Group, and then specify a user group whose members can connect to the TS Gateway server. You must specify at least one user group.

  8. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following:

    • Type the name of each user group, separating the name of each group with a semi-colon.

    • Add additional groups from different domains by repeating this step for each group.

  9. To specify computer domain membership criteria that client computers should meet (optional), on the Requirements tab, under Client computer group membership (optional), click Add Group, and then specify the computer groups. In the example configurations, no computer group is specified.

    To specify computer groups, you can use the same steps that you used to specify user groups.

  10. On the Device Redirection tab, select one of the following options to enable or disable redirection for remote client devices:

    • To permit all client devices to be redirected when connecting through the TS Gateway server, click Enable device redirection for all client devices. By default, this option is selected.

    • To disable device redirection for all client devices except for smart cards when connecting through the TS Gateway server, select Disable device redirection for all client devices except for smart card.

    • To disable device redirection for only certain device types when connecting through the TS Gateway server, click Disable device redirection for the following client device types, and then select the check boxes that correspond to the client device types for which device redirection should be disabled.

Important

Device redirection settings can be enforced only for Microsoft Remote Desktop Connection (RDC) clients.

  11. Click OK.

  12. The new TS CAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS CAP, the policy details appear in the lower pane.

5. Create a TS RAP and specify computers that users can connect to through the TS Gateway server

This procedure describes how to use TS Gateway Manager to create a custom TS RAP, and to specify computers that users can connect to through the TS Gateway server. Alternatively, you can use the Authorization Policies Wizard to complete these tasks.

Important

If users are connecting to members of a terminal server farm, you must configure a TS RAP that explicitly specifies the name of the terminal server farm. To do so, when you create the TS RAP, on the Computer Group tab, select the Select existing TS Gateway-managed computer group or create a new one option, and then explicitly specify the name of the terminal server farm. If the name of the terminal server farm is not explicitly specified, users will not be able to connect to members of the farm. For optimal security and ease of administration, to specify the terminal servers that are members of the farm, create a second TS RAP. On the Computer Group tab, select the Select an Active Directory security group option, and then specify the security group that contains the terminal servers in the farm. Doing this optimizes security by ensuring that the members of the farm are trusted members of an Active Directory security group.

To create a TS RAP and specify computers that users can connect to through the TS Gateway server

  1. Open TS Gateway Manager.

  2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.

  3. In the console tree, expand Policies, and then click Resource Authorization Policies.

  4. Right-click the Resource Authorization Policies folder, click Create New Policy, and then click Custom.

  5. On the General tab, in the Policy name box, enter a name that is no longer than 64 characters.

  6. In the Description box, enter a description for the new TS RAP.

  7. On the User Groups tab, click Add to select the user groups to which you want this TS RAP to apply.

  8. In the Select Groups dialog box, specify the user group location and name, and then click OK. To specify more than one user group, do either of the following:

    • Type the name of each user group, separating the name of each group with a semi-colon.

    • Add additional groups from different domains by repeating Step 7 for each group.

  9. On the Computer Group tab, specify the computer group that users can connect to through TS Gateway by doing one of the following:

    • To specify an existing security group, click Select an existing Active Directory security group, and then click Browse. In the Select Group dialog box, specify the user group location and name, and then click OK. Note that you can select a security group in Local Users and Groups, rather than in Active Directory Domain Services.

    • To specify a TS Gateway-managed computer group, click Select an existing TS Gateway-managed computer group or create a new one, and then click Browse. In the Select a TS Gateway-managed Computer Group dialog box, do one of the following:

      Select an existing TS Gateway-managed computer group by clicking the name of the computer group that you want to use, and then click OK to close the dialog box.

      Create a new TS Gateway-managed computer group by clicking Create New Group. On the General tab, type a name and description for the new group. On the Network Resources tab, type the name or IP address of the computer or Terminal Services farm that you want to add, and then click Add. Repeat this step as needed to specify additional computers, and then click OK to close the New TS Gateway-Managed Computer Group dialog box. In the Select a TS Gateway-managed Computer Group dialog box, click the name of the new computer group, and then click OK to close the dialog box.

Important

When you add an internal network computer to the list of TS Gateway-managed computers, keep in mind that if you want to allow remote users to connect to the computer by specifying either its computer name or its IP address, you must add the computer to the computer group twice (by specifying the computer name of the computer and adding it to the computer group, and then specifying the IP address of the computer and adding it to the computer group again). If you specify only an IP address for a computer when you add it to a computer group, users must also specify the IP address of that computer when they connect to that computer through TS Gateway. To ensure that remote users connect to the internal network computers that you intend, we recommend that you do not specify IP addresses for the computers, if the computers are not configured to use static IP addresses. For example, you should not specify IP addresses if your organization uses DHCP to dynamically reconfigure IP addresses for the computers.

    • To specify any network resource, click Allow users to connect to any network resource, and then click OK.

  10. After you specify a computer group, the new TS RAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS RAP, the policy details appear in the lower pane.

6. Limit the maximum number of simultaneous connections through TS Gateway (optional)

By default, with the exception of TS Gateway servers that are running on Windows Server® 2008 Standard, no limit is set for the number of simultaneous connections that clients can make to internal network resources through a TS Gateway server. To optimize TS Gateway server performance or to ensure compliance with the connection/security policies of your organization, you can set a limit for the number of simultaneous connections that clients can make to network resources through a TS Gateway server.

Note

For TS Gateway servers that are running on Windows Server 2008 Standard, a maximum of 250 simultaneous connections is supported.

To limit the maximum number of allowable connections for TS Gateway

  1. Open TS Gateway Manager.

  2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.

  3. In the console tree, expand Monitoring.

  4. With the Monitoring folder selected, right-click the Monitoring folder, and then click Edit Connection Limit.

  5. On the General tab, under Maximum Connections, do one of the following:

    • To set a limit for the maximum number of simultaneous connections that Terminal Services clients can make to internal network resources through TS Gateway, click Limit maximum allowed simultaneous connections to, and then specify the number of allowable connections.

    • To set no limit on the number of allowable connections between clients and internal network resources through TS Gateway, click Allow the maximum supported simultaneous connections. This is the default option. Keep in mind that for TS Gateway servers that are running on Windows Server 2008 Standard, a maximum of 250 simultaneous connections is supported.

    • To prevent new connections from being made between clients and internal network resources through TS Gateway, click Disable new connections. If you select this option, only new connection attempts will be rejected. Current connections will not be ended by TS Gateway.

  6. Click OK.

Steps for configuring a Terminal Services client for the TS Gateway core scenario

To configure the Terminal Services client for the TS Gateway core scenario, complete these tasks.

Task Reference/Step-by-step instructions

Task 1. Install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client (optional).

Note
This procedure is not required if a certificate that is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program is installed on the TS Gateway server, and the Terminal Services client computer trusts the certificate.

Reference: 1. Install the TS Gateway server root certificate in the Trusted Root Certification Authorities Store on the Terminal Services client (optional)

Task 2. Configure Remote Desktop Connection settings.

Reference: 2. Configure Remote Desktop Connection settings

Task 3. Verify that end-to-end connectivity through the TS Gateway server is functioning correctly.

Reference: 3. Verify that end-to-end connectivity through TS Gateway is functioning correctly

1. Install the TS Gateway server root certificate in the Trusted Root Certification Authorities Store on the Terminal Services client (optional)

The client computer must verify and trust the identity of the TS Gateway server before the client can send the user's password and logon credentials securely and complete the authentication process. To establish this trust, the clients must trust the root of the server’s certificate. That is, clients must have the certificate of the certification authority (CA) that issued the server certificate in their Trusted Root Certification Authorities store. You can view this store by using the Certificates snap-in.

As mentioned, this procedure is not required if:

  • A certificate that is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program [as listed in article 931125 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=59547)] is installed on the TS Gateway server; and

  • The Terminal Services client computer already trusts the issuing CA.

If the TS Gateway server is using a certificate that is issued by one of the trusted public CAs, and the certificate is recognized and trusted by your client computer, proceed to complete the steps in the 2. Configure Remote Desktop Connection settings section.

Important

Do not install certificates from any untrusted sources or individuals.

Note

If you are configuring the Terminal Services client for use with Network Access Protection (NAP), you must install the TS Gateway server root certificate by using the computer account. If not, you can install the TS Gateway server root certificate by using the user account.

Before completing the steps in the following procedure, you must have already copied the certificate to the client computer. For example, if you created a self-signed certificate for the TS Gateway server by using TS Gateway Manager, you must have already copied that certificate from the TS Gateway server to the client computer.

To install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client

  1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:

    1. Click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

    4. In the Certificates snap-in dialog box, to open the snap-in for a computer account, click Computer account, and then click Next. To open the snap-in for a user account, click My user account, and then click Finish.

    5. If you opened the Certificates snap-in for a computer account, in the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

    6. In the Add or Remove snap-ins dialog box, click OK.

  2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.

  3. On the Welcome to the Certificate Import Wizard page, click Next.

  4. On the File to Import page, in the File name box, browse to the TS Gateway server root certificate, click Open, and then click Next.

  5. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next.

  6. On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear:

    • Certificate Store Selected by User: Trusted Root Certification Authorities

    • Content: Certificate

    • File Name: FilePath\<Root_Certificate_Name.cer>, where <Root_Certificate_Name> is the name of the TS Gateway server root certificate.

  7. Click Finish.

  8. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.

  9. With Certificates selected in the console tree, in the details pane, verify that the root certificate of the TS Gateway server appears in the list of certificates on the client. Ensure that the certificate appears under the Trusted Root Certification Authorities store.

2. Configure Remote Desktop Connection settings

To configure Remote Desktop Connection settings

  1. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.

  2. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.

  3. On the Advanced tab, in the Connect from anywhere area, click Settings.

  4. In the TS Gateway Server Settings dialog box, select the appropriate options:

    • Automatically detect TS Gateway server settings (default). If you select this option, the Terminal Services client attempts to use Group Policy settings that determine the behavior of client connections to TS Gateway servers or TS Gateway server farms, if these settings have been configured and enabled. For more information, see the "Using Group Policy to Manage Client Connections Through TS Gateway" topic in the TS Gateway Help.

    • Use these TS Gateway server settings. If a TS Gateway server name or TS Gateway server farm name and a logon method are not already enabled and enforced by Group Policy, you can select this option and specify the name of the TS Gateway server or TS Gateway server farm that you want to connect to and the logon method to use for the connection. The name that you specify for the server must match the name in the Issued to field of the TS Gateway server certificate. If you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation, specify the fully qualified domain name (FQDN) of the TS Gateway server.

    • Bypass TS Gateway server for local addresses. This option is selected by default.

      If you want the Terminal Services client to automatically detect when TS Gateway is required, select this check box. If you use a mobile computer, selecting this option will optimize client connectivity performance and minimize latency because TS Gateway will only be used when it is required. If your computer is always connected to the local area network (LAN) or if it is hosted inside the internal network firewall, TS Gateway will not be used. If you are outside the internal network and connecting to the internal network over the Internet, TS Gateway will be used.

      If you are in a LAN, but want to test connectivity through a TS Gateway server or TS Gateway server farm, clear this check box. Otherwise, the client will not connect through the TS Gateway server or TS Gateway server farm in this case.

    • Do not use a TS Gateway server. Select this option if your computer is always connected to the LAN or if it is hosted inside the internal network firewall. This option is appropriate if you know that you do not need to use TS Gateway to traverse a firewall.

  5. Do one of the following:

    • To save the settings and close the Remote Desktop Connection dialog box, click Save, and then click Cancel. The settings will be saved as an RDP file to a default location (by default, the file is saved to Drive:\<Username>\Documents).

    • To save the RDP file to a specified location (you can customize and distribute the file later to multiple clients as needed), click Save As. In the Save as dialog box, in the File name box, specify the file name and location, and then click Save.

    • To proceed with a connection to an internal network resource, click Save, click Connect, and then proceed to Step 5 in the next procedure ("Verify that end-to-end connectivity through TS Gateway is functioning correctly").

3. Verify that end-to-end connectivity through TS Gateway is functioning correctly

To verify that end-to-end connectivity through TS Gateway is functioning correctly

  1. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.

  2. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.

  3. On the General tab, type the name of the computer (terminal server or computer running Remote Desktop) to which you want to connect remotely through TS Gateway.

  4. Click Connect.

  5. In the Enter your credentials dialog box, select the user account that you want to use to log on remotely to the computer, enter the required credentials, and then click OK.

  6. In the Gateway server credentials dialog box, select the user name that you want to use to log on to the TS Gateway server, enter the required credentials, and then click OK.

  7. After a few moments, the connection completes and a connection will be established through the TS Gateway server to the computer.