Configuring Forefront Threat Management Gateway Integration with RD Gateway Step-by-Step Guide

Applies To: Windows Server 2008 R2

About this guide

This step-by-step guide walks you through the process of setting up a working Remote Desktop Session Host (RD Session Host) server that is accessible by using Remote Desktop Gateway (RD Gateway) through Microsoft® Forefront™ Threat Management Gateway in a test environment. During this process, you will create a test deployment that includes the following components:

  • An RD Gateway server

  • An RD Session Host server

  • A Forefront TMG server

  • A Remote Desktop Connection (RDC) client computer

This guide assumes that you previously completed the steps in the Deploying Remote Desktop Gateway Step-by-Step Guide, and that you have already deployed the following components:

  • An RD Session Host server

  • A Remote Desktop Connection (RDC) client computer

  • An Active Directory Domain Services domain controller

This guide includes the following topics:

The goal of configuring the RD Gateway server with a Forefront TMG server is to enhance the security of the RD Gateway server while still allowing external access to internal resources. In this scenario, Forefront TMG acts as an SSL bridging device between the client and the RD Gateway server. Forefront TMG receives the client's HTTPS requests and forwards them to the internal RD Gateway server over HTTPS or HTTP, depending on how bridging between the Forefront TMG server and the RD Gateway server is configured. While bridging a request, Forefront TMG decrypts the SSL traffic and performs application-layer inspection. If the HTTP protocol stream passes inspection, the communication is re-encrypted (or sent in clear text, for HTTPS-HTTP bridging) and forwarded to the RD Gateway server. If the protocol stream fails inspection, the connection is dropped.

What this guide does not provide

This guide does not provide the following:

Important

If you have previously configured the computers in the Installing Remote Desktop Session Host Step-by-Step Guide, you should repeat the steps in that guide with the new installations.

Technology review

Forefront TMG can bridge the communication between the remote desktop client and RD Gateway server in the following ways:

  • HTTPS-HTTPS bridging: Forefront TMG receives SSL requests from the remote desktop client. After receiving the requests, Forefront TMG decrypts them and performs application-layer inspection. If the inspection passes, Forefront TMG re-encrypts the requests and forwards them to the RD Gateway server over HTTPS.

  • HTTPS-HTTP bridging: Forefront TMG receives SSL requests from the Remote Desktop Connection (RDC) client. After performing the inspection, Forefront TMG forwards the requests to the RD Gateway server over HTTP. In this scenario the SSL session is terminated at Forefront TMG, and the RD Gateway server receives the requests in clear-text HTTP.
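The following is an added example that models the bridging decision described above (decrypt, inspect, then forward over HTTPS or HTTP, or drop); it is not code from the guide or from Forefront TMG. The inspection policy (the RPC over HTTP methods and path that RD Gateway uses, and the public host name rdg.contoso.com) is an assumption made for the example.

```python
"""Model of the Forefront TMG SSL-bridging decision for RD Gateway traffic.

Constructed example: TMG has already terminated the client's TLS session, so
the input is the decrypted HTTP request. Inspection either passes the request
to the internal RD Gateway server (over HTTPS or HTTP, by bridging mode) or
drops the connection.
"""
import re

# Assumed inspection policy (not taken from the guide): the request shapes a
# web-publishing rule for RD Gateway would allow through to the internal server.
POLICY = {
    "public_host": "rdg.contoso.com",            # name clients connect to (constructed)
    "internal_host": "RDG-SRV",                  # RD Gateway server from the test lab
    "methods": {"RPC_IN_DATA", "RPC_OUT_DATA"},  # RPC over HTTP verbs RD Gateway uses
    "path_prefix": "/rpc/",                      # RPC over HTTP proxy endpoint
}
REQUEST_LINE = re.compile(rb"^([A-Z_]+) (/\S*) HTTP/1\.[01]$")

def inspect(decrypted: bytes, policy=POLICY):
    """Application-layer inspection of one decrypted request.
    Returns (method, path, headers) on pass, or None when inspection fails."""
    head, sep, _body = decrypted.partition(b"\r\n\r\n")
    if not sep:
        return None  # no complete header block: fail closed
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    method, path = match.group(1).decode(), match.group(2).decode()
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or any(c < 0x20 for c in value):  # malformed or control chars
            return None
        headers[name.strip().lower().decode()] = value.strip().decode()
    if method not in policy["methods"] or not path.startswith(policy["path_prefix"]):
        return None
    if headers.get("host", "").split(":")[0].lower() != policy["public_host"]:
        return None
    return method, path, headers

def bridge(decrypted: bytes, mode: str, policy=POLICY):
    """Return the internal URL TMG forwards to, or None if the connection is dropped.
    mode is "https-https" (re-encrypt) or "https-http" (clear text to RD Gateway)."""
    if mode not in ("https-https", "https-http"):
        raise ValueError("unknown bridging mode: " + mode)
    result = inspect(decrypted, policy)
    if result is None:
        return None
    scheme = "https" if mode == "https-https" else "http"
    return f"{scheme}://{policy['internal_host']}{result[1]}"
```

Running `bridge()` on a constructed RPC_IN_DATA request for /rpc/rpcproxy.dll returns an https:// URL to RDG-SRV in HTTPS-HTTPS mode and an http:// URL in HTTPS-HTTP mode; a request for any other method, path or host name returns None.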

Following are three scenarios in which Forefront TMG and an RD Gateway server can be used together to enhance security for remote connections to internal network resources:

  • Forefront TMG as an SSL bridging device (Web proxy). In this scenario, Forefront TMG is hosted in a perimeter network, and it provides SSL bridging between the Remote Desktop Services client and the RD Gateway server. The RD Gateway server is hosted in the private corporate network.

    This scenario is illustrated in this step-by-step guide.

  • Forefront TMG as a firewall and SSL bridging device. In this scenario, Forefront TMG functions as a firewall that performs port filtering, packet filtering, and SSL bridging. The RD Gateway server can be hosted in the private corporate network or in the perimeter network, depending on whether the Forefront TMG is located as the external firewall or the internal firewall.

  • Forefront TMG as a firewall that performs port filtering (server publishing). In this scenario, Forefront TMG functions as an external packet filtering firewall and permits traffic only over port 443. The RD Gateway server is hosted in the perimeter network.

Scenario: Deploying Remote Desktop Gateway

We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® features without additional deployment documentation, and they should be used with discretion as stand-alone documents.

Upon completion of this step-by-step guide, you will have an RD Session Host server that users can connect to with the remote desktop client computer by using RD Gateway through Forefront TMG. You can then test and verify this functionality by connecting to the RD Session Host server by using RD Gateway from the remote desktop client computer as an authorized remote user.

Note

The steps in this step-by-step guide provide detailed deployment and configuration information only for the first scenario (Forefront TMG as a Web proxy). The other two scenarios are mentioned as alternate ways in which a Forefront TMG server can be used with RD Gateway to enhance security for remote connections to internal network resources.

The test environment described in this guide includes five computers that are connected to a private network and use the following operating systems, applications, and services.

Computer name   Operating system         Applications and services
CONTOSO-DC      Windows Server 2008 R2   Active Directory Domain Services (AD DS), DNS
RDSH-SRV        Windows Server 2008 R2   RD Session Host
CONTOSO-CLNT    Windows 7                Remote Desktop Connection
RDG-SRV         Windows Server 2008 R2   RD Gateway
TMG-SRV         Windows Server 2008 R2   Forefront TMG

The computers form a private network, and they are connected through a common hub or Layer 2 switch. This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the network. The domain controller is named CONTOSO-DC for the domain named contoso.com. The following figure illustrates the Forefront TMG server scenario for RD Gateway, in which Forefront TMG is used as an SSL bridging device.