Step 6: Verifying NAP Health Policy Functionality on the RD Gateway Server

Applies To: Windows Server 2008 R2

To verify the functionality of the RD Gateway deployment, complete the following steps:

  • Install the SSL certificate for the RD Gateway server on the CONTOSO-CLNT computer.

  • Configure the CONTOSO-CLNT computer as a Network Access Protection (NAP) enforcement client for the RD Gateway server.

  • Log on to CONTOSO-CLNT as Morgan Skinner and use Remote Desktop Connection (RDC) to verify that the NAP health policy is successfully applied to the Remote Desktop Services client computer.

    • Test for a successful allowed connection to the RD Session Host server (RDSH-SRV) by using the RD Gateway server (RDG-SRV).

    • Test for a successful blocked connection to the RD Session Host server (RDSH-SRV) by using the RD Gateway server (RDG-SRV).

To install the SSL certificate for the RD Gateway server on the CONTOSO-CLNT computer

  1. Log on to CONTOSO-CLNT as CONTOSO\Administrator.

  2. Open the Certificates snap-in console as follows:

    1. Click Start, click Run, type mmc and then click OK.

    2. On the File menu, click Add/Remove Snap-in.

    3. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.

    4. In the Certificates snap-in dialog box, click Computer account, and then click Next.

    5. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.

    6. In the Add or Remove snap-ins dialog box, click OK.

  3. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Trusted Root Certification Authorities.

  4. Right-click the Trusted Root Certification Authorities folder, point to All Tasks, and then click Import.

  5. On the Welcome to the Certificate Import Wizard page, click Next.

  6. On the File to Import page, in the File name box, click Browse, and then browse to the location where you copied the SSL certificate for the RD Gateway server. From the file type drop-down list, select All Files (*.*). Select the certificate RDG-SRV.cer, click Open, and then click Next.

  7. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next.

  8. On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected and that the following certificate settings appear:

    • Certificate Store Selected by User: Trusted Root Certification Authorities

    • Content: Certificate

    • File Name: FilePath\RDG-SRV.cer

  9. Click Finish.

  10. After the certificate import has successfully completed, a message appears that confirms the import was successful. Click OK.

  11. With Certificates selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the CONTOSO-CLNT computer.
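The wizard steps above can be checked (and, on a lab client, repeated) from an elevated PowerShell prompt. The following script is an added example and is not part of the original guide or of the Remote Desktop Services product; it uses the .NET X509Store API so that it runs on the PowerShell 2.0 that ships with Windows 7 and Windows Server 2008 R2, and the certificate path it assumes is a placeholder for wherever you copied RDG-SRV.cer.

```powershell
# Added example (not from the original guide): verify that the RD Gateway SSL
# certificate in RDG-SRV.cer is present in the local computer's Trusted Root
# Certification Authorities store on CONTOSO-CLNT, and import it if missing.
# Uses System.Security.Cryptography.X509Certificates directly, so no PKI
# module is required. $CertFile is an assumed path; change it to match yours.
param(
    [string]$CertFile = 'C:\Certs\RDG-SRV.cer'
)

function Get-TrustedRootCert {
    param([string]$Thumbprint)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        # Third argument $false: return the certificate even if it is not time-valid,
        # so an expired certificate is reported rather than silently treated as absent.
        $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        if ($found.Count -gt 0) { return $found[0] } else { return $null }
    } finally {
        $store.Close()
    }
}

function Import-TrustedRootCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Same effect as the Certificate Import Wizard with the Trusted Root store chosen;
    # the ReadWrite open requires an elevated (Run as administrator) prompt.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($Cert) } finally { $store.Close() }
}

# Load the certificate that was copied from RDG-SRV and show what we are about to trust.
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
Write-Host ("File certificate: subject={0} thumbprint={1} expires={2}" -f `
    $fileCert.Subject, $fileCert.Thumbprint, $fileCert.NotAfter)

$installed = Get-TrustedRootCert -Thumbprint $fileCert.Thumbprint
if ($installed -eq $null) {
    Write-Host 'Not present in Trusted Root Certification Authorities; importing.'
    Import-TrustedRootCert -Cert $fileCert
    $installed = Get-TrustedRootCert -Thumbprint $fileCert.Thumbprint
}

if ($installed -ne $null) {
    Write-Host 'OK: the RD Gateway certificate is trusted by this computer.'
    if ($installed.NotAfter -lt (Get-Date)) {
        Write-Warning 'The certificate has expired; Remote Desktop Connection will reject the gateway.'
    }
} else {
    Write-Error 'The RD Gateway certificate is still missing from the Trusted Root store.'
}
```

Matching on the thumbprint rather than the subject name is deliberate: it confirms that the certificate trusted on the client is exactly the file copied from RDG-SRV, not another certificate that happens to carry the same name. Placing a server certificate in Trusted Root Certification Authorities is appropriate for a test lab with a self-signed certificate; in a production deployment the RD Gateway certificate should instead chain to a certification authority the clients already trust.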

The Remote Desktop Services NAP client configuration command (Tsgqecclientconfig.cmd) performs the following tasks to configure the Remote Desktop Services client computer as a NAP enforcement client computer:

  • Adds the RD Gateway server name to the Trusted Server list on the client computer.

  • Starts the Network Access Protection Agent service and sets the service startup type to Automatic.

  • Enables the RD Gateway Quarantine Enforcement client.

To configure the CONTOSO-CLNT computer as a NAP enforcement client

  1. To download the Remote Desktop Services NAP client configuration command, see Configure Terminal Services Clients as Network Access Protection (NAP) Enforcement Clients for TS Gateway in the Microsoft Download Center.

  2. After you download the file, change the file extension to .cmd.

  3. Open the command prompt as an administrator. To open the command prompt as an administrator, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  4. At the command prompt, change to the directory into which you downloaded the NAP client configuration file, type tsgqecclientconfig RDG-SRV.contoso.com, and then press ENTER.

  5. Restart the client computer to implement the configuration changes, and then log on to CONTOSO-CLNT as CONTOSO\Administrator.

  6. To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  7. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server Client\TrustedGateways

  8. Under GatewayFQDN, verify that the following value exists: RDG-SRV.contoso.com

  9. Log off from the CONTOSO-CLNT computer.
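The three changes that Tsgqecclientconfig.cmd makes (the trusted gateway entry, the Network Access Protection Agent service, and the RD Gateway Quarantine Enforcement client) can be checked together after the restart instead of only inspecting the registry. The script below is an added example, not part of the original guide or of the download it refers to. It assumes the GatewayFQDN value sits under the TrustedGateways key named in step 7, that the service's short name is napagent, and that netsh nap client show configuration lists each enforcement client as a block of Name = ... and Admin = Enabled/Disabled lines.

```powershell
# Added example (not from the original guide): confirm on CONTOSO-CLNT that the
# NAP client configuration applied by Tsgqecclientconfig.cmd is in place.
# Written for PowerShell 2.0 (Windows 7 / Windows Server 2008 R2).
param(
    [string]$GatewayFqdn = 'RDG-SRV.contoso.com'
)

$results = @()

# 1. Trusted gateway entry: the registry key the guide has you open in regedit.
$trustedKey = 'HKLM:\Software\Microsoft\Terminal Server Client\TrustedGateways'
$gatewayOk = $false
if (Test-Path $trustedKey) {
    $props = Get-ItemProperty -Path $trustedKey
    # Handle the value whether it is stored as one string or as a multi-string.
    $values = @($props.GatewayFQDN)
    $gatewayOk = @($values | Where-Object { $_ -ieq $GatewayFqdn }).Count -gt 0
}
$results += New-Object PSObject -Property @{ Check = 'TrustedGateways lists RDG-SRV'; Passed = $gatewayOk }

# 2. Network Access Protection Agent service: running and startup type Automatic.
#    Get-Service does not expose the start mode on PowerShell 2.0, so use WMI for that.
$svc = Get-Service -Name 'napagent' -ErrorAction SilentlyContinue
$svcRunning = ($svc -ne $null -and $svc.Status -eq 'Running')
$svcAuto = $false
if ($svc -ne $null) {
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='napagent'"
    $svcAuto = ($wmi -ne $null -and $wmi.StartMode -eq 'Auto')
}
$results += New-Object PSObject -Property @{ Check = 'NAP Agent service running'; Passed = $svcRunning }
$results += New-Object PSObject -Property @{ Check = 'NAP Agent startup type Automatic'; Passed = $svcAuto }

# 3. RD Gateway Quarantine Enforcement client enabled. netsh prints text, so walk
#    the output: remember when we are inside the block whose Name mentions the
#    gateway client, and look for its Admin = Enabled line (format is an assumption).
$napConfig = netsh nap client show configuration
$qecEnabled = $false
$inGatewayBlock = $false
foreach ($line in $napConfig) {
    if ($line -match '^\s*Name\s*=\s*.*Gateway') { $inGatewayBlock = $true }
    elseif ($line -match '^\s*Name\s*=')       { $inGatewayBlock = $false }
    if ($inGatewayBlock -and $line -match '^\s*Admin\s*=\s*Enabled') { $qecEnabled = $true }
}
$results += New-Object PSObject -Property @{ Check = 'RD Gateway QEC enabled'; Passed = $qecEnabled }

$results | Format-Table Check, Passed -AutoSize
if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) {
    Write-Warning 'One or more NAP client settings are missing; rerun tsgqecclientconfig and restart the computer.'
}
```

If the registry check passes but the service or enforcement-client check fails, the most common cause is that the computer has not been restarted since the command ran, which is why step 5 requires the restart before step 6.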

To test for a successful allowed connection to RDSH-SRV with RDC by using RDG-SRV

  1. Log on to CONTOSO-CLNT as MSkinner.

  2. Open Windows Update. To open Windows Update, click Start, click Control Panel, click System and Security, and then click Windows Update.

  3. Click Change Settings, and in the Choose how Windows can install updates window, click Install updates automatically (recommended), and then click OK.

  4. Click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.

  5. In the Remote Desktop Connection dialog box, click Options.

  6. On the Advanced tab, click Settings.

  7. On the RD Gateway Server Settings page, click Use these RD Gateway server settings, enter the following settings, and then click OK.

    • Server name: RDG-SRV.contoso.com

    • Logon method: Allow me to select later

    • Bypass RD Gateway server for local addresses: Clear check box

  8. On the General tab, in the Computer box, type rdsh-srv, and then click Connect.

  9. In the Windows Security dialog box, type the password for contoso\mskinner, and then click OK.

  10. If the connection is successful, the desktop of RDSH-SRV appears on the screen.

To verify that the NAP health policy allowed the connection

  1. Log on to RDG-SRV as CONTOSO\Administrator.

  2. Open Event Viewer. To open Event Viewer, click Start, point to Administrative Tools, and then click Event Viewer.

  3. In Event Viewer, expand Windows Logs, and then click Security.

  4. With Security selected in the console tree, search for event IDs 6272 and 6278.

  5. In the console tree, expand Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then click Operational.

  6. With Operational selected in the console tree, search for Event ID 200.

  7. Close Event Viewer.

To test for a successful blocked connection to RDSH-SRV with RDC by using RDG-SRV

  1. Log on to CONTOSO-CLNT as MSkinner.

  2. Open Windows Update. To open Windows Update, click Start, click Control Panel, click System and Security, and then click Windows Update.

  3. Click Change Settings, and in the Choose how Windows can install updates window, click Never check for updates (not recommended), and then click OK.

  4. On the User Account Control page, enter the credentials for contoso\administrator, and then click Yes.

  5. Click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.

  6. In the Remote Desktop Connection dialog box, click Options.

  7. On the Advanced tab, click Settings.

  8. On the RD Gateway Server Settings page, click Use these RD Gateway server settings, enter the following settings, and then click OK.

    • Server name: RDG-SRV.contoso.com

    • Logon method: Allow me to select later

    • Bypass RD Gateway server for local addresses: Clear check box

  9. On the General tab, in the Computer box, type rdsh-srv, and then click Connect.

  10. In the Windows Security dialog box, type the password for contoso\mskinner, and then click OK.

  11. If the connection is blocked, you will receive a message indicating that your computer cannot connect to the remote computer. Click OK to close the window.

To verify that the NAP health policy blocked the connection

  1. Log on to RDG-SRV as CONTOSO\Administrator.

  2. Open Event Viewer. To open Event Viewer, click Start, point to Administrative Tools, and then click Event Viewer.

  3. In Event Viewer, expand Windows Logs, and then click Security.

  4. With Security selected in the console tree, search for event IDs 6272 and 6276.

  5. In the console tree, expand Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then click Operational.

  6. With Operational selected in the console tree, search for Event ID 204.

  7. Close Event Viewer.
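Both verification procedures (the allowed connection, which leaves events 6272 and 6278 in the Security log and event 200 in the TerminalServices-Gateway Operational log, and the blocked connection, which leaves 6272 and 6276 and event 204) can be pulled from RDG-SRV in one pass rather than searched by hand in Event Viewer. The script below is an added example and is not part of the original guide; it assumes a two-hour look-back window and that the test user's account name appears in the event message text, both of which you can adjust.

```powershell
# Added example (not from the original guide): on RDG-SRV, list the NPS and
# RD Gateway events the guide has you search for after the allowed and blocked
# connection tests, restricted to one user, and summarize the outcome.
# Run as CONTOSO\Administrator; reading the Security log requires it.
# Requires Get-WinEvent (PowerShell 2.0 or later).
param(
    [string]$User  = 'mskinner',
    [int]$Hours    = 2    # assumed look-back window; widen it to cover your test runs
)

$since = (Get-Date).AddHours(-$Hours)

# Security log: 6272 and 6278 for the allowed test, 6272 and 6276 for the blocked test.
$security = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6276, 6278
    StartTime = $since
} -ErrorAction SilentlyContinue

# RD Gateway operational log: 200 for the allowed test, 204 for the blocked test.
$gateway = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    Id        = 200, 204
    StartTime = $since
} -ErrorAction SilentlyContinue

# Short labels for the report; they follow the guide's allowed/blocked grouping.
$labels = @{
    6272 = 'NPS: access granted'
    6278 = 'NPS: full access granted (health policy met)'
    6276 = 'NPS: quarantined (health policy not met)'
    200  = 'RDG: connection authorized (allowed test)'
    204  = 'RDG: connection not authorized (blocked test)'
}

# Keep only events whose message mentions the test user, oldest first.
$all = @($security) + @($gateway)
$report = $all |
    Where-Object { $_ -ne $null -and $_.Message -match [regex]::Escape($User) } |
    Sort-Object TimeCreated |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Log     = $_.LogName
            Id      = $_.Id
            Meaning = $labels[$_.Id]
        }
    }

$report | Format-Table Time, Log, Id, Meaning -AutoSize

# One-line summary so the outcome of each test is obvious at a glance.
$allowed = @($report | Where-Object { $_.Id -eq 6278 -or $_.Id -eq 200 }).Count
$blocked = @($report | Where-Object { $_.Id -eq 6276 -or $_.Id -eq 204 }).Count
Write-Host ("Allowed-path events: {0}   Blocked-path events: {1}" -f $allowed, $blocked)
if ($allowed -eq 0 -and $blocked -eq 0) {
    Write-Warning 'No matching events found; check the look-back window and that NPS auditing is enabled on RDG-SRV.'
}
```

After the allowed test you should see 6272, 6278 and 200 for mskinner; after the blocked test, 6272, 6276 and 204. The same query, scheduled and run across all users, is a practical way to watch for clients being quarantined (6276 and 204) once the deployment is in production, since a rise in those events usually means a health requirement such as automatic updates has drifted on the client population.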

You have successfully deployed and demonstrated the functionality of RD Gateway on Remote Desktop Services: an authorized remote user account connected to an RD Session Host server through RD Gateway with Remote Desktop Connection. You can also use this deployment to explore more capabilities of Remote Desktop Services through additional configuration and testing.

You have verified NAP health policy functionality on the RD Gateway server. For additional information, proceed to Appendix A: Configuring RD Gateway Clients as Network Access Protection Enforcement Clients.