Configuring the TS Gateway NAP Scenario

Applies To: Windows Server 2008

To enhance security, you can configure TS Gateway servers and clients to use Network Access Protection (NAP). NAP is a health policy creation, enforcement, and remediation technology that is included in Windows Vista and Windows Server 2008. By using NAP, you can enforce health requirements on clients that connect to the TS Gateway server, which can include firewalls being enabled, security update requirements, and other required computer configurations.

By using NAP, you can help ensure that clients meet the health policy requirements of your organization before they are allowed to connect to internal network resources through TS Gateway servers.

The following steps are required for the successful setup and demonstration of the TS Gateway NAP scenario described as an example in this guide.

  1. We recommend that you set up three computers to evaluate this scenario. These computers are:

    • The TS Gateway server/Network Policy Server (NPS server) (known as "TSGSERVER" in this example)

    • The Terminal Services client (known as "TSCLIENT" in this example)

    • An internal network resource (known as "CORPORATERESOURCE" in this example)

    The computers must meet the system requirements described in System requirements for the TS Gateway NAP scenario.

  2. Complete the core TS Gateway server configuration by following the instructions in "Steps for configuring the TS Gateway server for the TS Gateway core scenario" in Configuring the TS Gateway Core Scenario.

  3. Configure the TS Gateway server for NAP health policy checking by following the instructions in Steps for configuring TS Gateway for the NAP scenario.

  4. Complete the core Terminal Services client configuration for TS Gateway by following the instructions in "Steps for configuring a Terminal Services client for the TS Gateway core scenario" in Configuring the TS Gateway Core Scenario.

  5. Configure the client as a NAP enforcement client by following the instructions in Steps for configuring a Terminal Services client as a NAP enforcement client.

  6. Configure the internal network resource. As mentioned, this resource can be any terminal server or any computer with Remote Desktop enabled.

  7. Verify that the NAP health policies created on the TS Gateway server are successfully applied to the Terminal Services client by completing the following two tasks:

    • Testing for a successful blocked connection. If the health policies are correctly applied to the Terminal Services client, the client connection attempt will be blocked by the NPS server when automatic updating is disabled on the Terminal Services client computer.

    • Testing for a successful allowed connection. If the health policies are correctly applied to the Terminal Services client, the client connection attempt will be allowed by the NPS server when automatic updating is enabled on the Terminal Services client computer.

    To complete these two testing tasks, follow the instructions in 2. Test to confirm that the TS Gateway NAP health policy is successfully applied to the Terminal Services client.

System requirements for the TS Gateway NAP scenario

The three computers used in the TS Gateway NAP scenario must meet the following system requirements.

Computer Required configuration

TS Gateway server (TSGSERVER)

  • In this scenario, TSGSERVER is used as the TS Gateway server and as an NPS server, and it must run Windows Server 2008. The installation can be an upgrade from Windows Server 2003 SP1 or Windows Server 2008 Release Candidate 0 (RC0). For more information, see "Supported upgrade paths" in Installing Windows Server 2008 (https://go.microsoft.com/fwlink/?LinkId=104824).

Terminal Services client (TSCLIENT)

In this scenario, TSCLIENT is used as a Terminal Services client and as a NAP client, and it can run any of the following:

  • Windows Vista SP1 or Windows XP SP3.

  • Windows Vista. The installation can be an upgrade from Windows XP with SP2.

Internal network resource (CORPORATERESOURCE)

  • Windows Vista SP1 or Windows XP SP3.

  • Windows Vista. The installation can be an upgrade from Windows XP with SP2.

  • Windows XP with SP2.

  • Windows XP with SP3.

  • Windows Server 2008. The installation can be an upgrade.

  • Windows Server 2003 with SP1 or SP2.

Setting up the TS Gateway NAP scenario

The following diagram illustrates how TS Gateway can be used with NAP.

Note

The steps in this setup guide describe how to set up remote access from a Terminal Services client through a TS Gateway server to an internal network resource, with health policy checking for Terminal Services (the NPS server is used to perform the health policy checking). The guide does not describe how to set up the firewalls illustrated in the diagram, the terminal servers running RemoteApp programs, or the perimeter network or Active Directory infrastructure. The diagram is provided to suggest one way in which this scenario might be implemented in a production environment.

Steps for configuring TS Gateway for the NAP scenario

To configure the TS Gateway server NAP scenario, complete these tasks.

Task Reference/Step-by-step instructions

1. Enable NAP health policy checking on the TS Gateway server.

1. Enable NAP health policy checking on the TS Gateway server

2. Delete existing Terminal Services connection authorization policies (TS CAPs) on the TS Gateway server.

2. Delete existing TS CAPs on the TS Gateway server

3. Configure a Windows Security Health Validator on the TS Gateway server.

3. Configure a Windows Security Health Validator on the TS Gateway server

4. Create NAP policies on the TS Gateway server by using the Configure NAP Wizard.

4. Create NAP policies on the TS Gateway server by using the Configure NAP Wizard

1. Enable NAP health policy checking on the TS Gateway server

To enable NAP health policy checking on the TS Gateway server, you enable a setting on the server that requests that the Terminal Services client send a statement of health (SoH).

To enable health checking on the TS Gateway server

  1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

  2. In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties.

  3. On the TS CAP Store tab, select the Request clients to send a statement of health check box.

  4. A message will appear, stating that you must also configure TS CAPs for NAP to ensure that health policies are enforced. Click OK to close the message.

  5. Click OK again to close the TS Gateway server Properties dialog box.

2. Delete existing TS CAPs on the TS Gateway server

If you have already created one or more TS CAPs on the TS Gateway server by using TS Gateway Manager and following the procedures in "Create a TS CAP for the TS Gateway server" in Configuring the TS Gateway Core Scenario, we strongly recommend that you delete those TS CAPs by following the steps in this procedure.

Warning

Failure to delete existing TS CAPs might result in security vulnerabilities for your internal network because these TS CAPs might bypass the NAP authorization policies that you will create for the TS Gateway NAP scenario. If the NAP authorization policies are bypassed, Terminal Services clients that do not meet NAP authorization policy requirements will be allowed access to the TS Gateway server.

To delete existing TS CAPs on the TS Gateway server

  1. Open TS Gateway Manager.

  2. In the console tree, click to select the node that represents the TS Gateway server, which is named for the computer on which the TS Gateway server is running.

  3. In the console tree, expand Policies, and then click Connection Authorization Policies.

  4. In the details pane, right-click any existing TS CAPs, and then click Delete.

If you have not already done so, also create a Terminal Services resource authorization policy (TS RAP) in TS Gateway Manager. If you have already created a TS RAP that meets your security requirements, you do not need to delete the existing TS RAP and create a new TS RAP. For step-by-step instructions about how to create a TS RAP, see "Create a TS RAP for the TS Gateway server" in Configuring the TS Gateway Core Scenario.

3. Configure a Windows Security Health Validator on the TS Gateway server

When you configure a Windows Security Health Validator (WSHV), you are creating a client health policy that establishes the requirements for client computers that are allowed to connect to your network. When client computers attempt to connect to your network and their configuration does not match the WSHV, their network connection is blocked until the clients meet the conditions of the WSHV.

In this example, the WSHV only requires that automatic updating be enabled.

To configure a Windows Security Health Validator on the TS Gateway server

  1. Open the Network Policy Server snap-in console. To open Network Policy Server, click Start, point to Administrative Tools, and then click Network Policy Server.

  2. In the console tree, click Network Access Protection.

  3. In the details pane, under System Health Validators, click Configure System Health Validators.

  4. In the details pane, under Name, right-click Windows Security Health Validator, and then click Properties.

  5. In the Windows Security Health Validator Properties dialog box, on the Settings tab, click Configure.

  6. On the Windows Vista and/or the Windows XP tab (depending on the operating system that the Terminal Services client is running), clear every check box except for Automatic updating is enabled, Restrict access for clients that do not have all available security updates installed, and Windows Update.

  7. Click OK to close the Windows Security Health Validator Properties dialog box (with the Windows Vista and Windows XP tabs), and then click OK again to close the Windows Security Health Validator Properties dialog box with the Settings tab.

4. Create NAP policies on the TS Gateway server by using the Configure NAP Wizard

You can use the Configure NAP wizard to easily create the policies required to configure the TS Gateway server as a NAP enforcement client. This section describes how to create the following policies for TS Gateway:

  • Health policies: Health policies allow you to define client configuration requirements for the NAP-capable computers that attempt to connect to internal network resources through the TS Gateway server.

  • Connection request policy: Connection request policies are an ordered set of rules that allow the NPS service to determine whether a specific connection attempt request or an accounting message received from a RADIUS client should be processed locally or forwarded to another RADIUS server. When you are configuring the NPS server to perform NAP health determination and enforcement, NPS is acting as a RADIUS server. The TS Gateway server is the RADIUS client.

  • Network policies: Network policies allow you to designate who is authorized to connect to the network and the circumstances under which they can connect. During the authorization process, NAP performs client health checks.

Note

Using the Configure NAP Wizard creates three network policies that appear as TS CAPs in TS Gateway Manager. However, TS Gateway Manager cannot display the specific NAP properties in these TS CAPs.

To create NAP policies on the TS Gateway server by using the Configure NAP Wizard

  1. Open the Network Policy Server snap-in console. To open Network Policy Server, click Start, point to Administrative Tools, and then click Network Policy Server.

  2. In the console tree, click NPS (Local).

  3. In the details pane, under Standard Configuration, click Configure NAP.

  4. In the Configure NAP wizard, on the Select Network Connection Method for Use with NAP page, do the following:

    1. Under Network connection method, select Terminal Services Gateway (TS Gateway).

    2. Under Policy Name, accept the default name (NAP TS Gateway) or type a new name, and then click Next.

  5. On the Specify NAP Enforcement Servers Running TS Gateway page, click Next.

  6. On the Configure Client Device Redirection and Authentication Methods page, do the following:

    1. Under Device redirection, select the option that is appropriate for your environment.

    2. Under Authentication Method, select the authentication method(s) that is appropriate for your environment. When both authentication methods are selected, clients that use either method will be allowed to connect.

  7. On the Configure User Groups and Machine Groups page, do the following:

    1. Under User Groups: (Required), click Add User, and then specify a user group whose members can connect to the TS Gateway server. You must specify at least one user group.

    2. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following:

    3. Type the name of each user group, separating the name of each group with a semi-colon.

    4. Add additional groups from different domains by repeating this step for each group.

    5. Under Machine Groups: (Optional), to specify computer domain membership criteria that client computers must meet (optional), click Add Machine, and then specify the computer groups. In the example configurations, no computer group is specified.

    6. To specify computer groups, you can use the same steps that you used to specify user groups.

  8. Click Next.

  9. On the Define NAP Health Policy page, verify that the Windows Security Health Validator check box is selected and that Deny client access to terminal servers or computers running Remote Desktop is selected, and then click Next.

  10. On the Completing New Network Access Protection Policies and RADIUS clients page, confirm that the following policies appear:

    • Under Health Policies: NAP TS Gateway Compliant, NAP TS Gateway Noncompliant

    • Under Connection Request Policy: NAP TS Gateway

    • Under Network Policies: NAP TS Gateway Compliant, NAP TS Gateway Noncompliant, and NAP TS Gateway Non NAP-Capable

  11. Click Finish.

Steps for configuring a Terminal Services client as a NAP enforcement client

To configure a Terminal Services client computer as a Network Access Protection (NAP) enforcement client, you must complete these tasks.

Task Reference/Step-by-step instructions

1. Download and run the Terminal Services NAP client configuration command.

1. Download and run the Terminal Services NAP client configuration command

2. Test to confirm that the NAP health policy is successfully applied to the Terminal Services client.

2. Test to confirm that the TS Gateway NAP health policy is successfully applied to the Terminal Services client

1. Download and run the Terminal Services NAP client configuration command

The Terminal Services NAP client configuration command (Tsgqecclientconfig.cmd) performs the following tasks to configure the Terminal Services client as a NAP enforcement client:

  • Adds the TS Gateway server name to the Trusted Server list on the client.

  • Starts the Network Access Protection Agent service and sets the service startup type to Automatic.

    The NAP agent collects and manages health information. The NAP agent processes statements of health (SoH) from the various system health agents (SHAs) and reports client health to the NAP administration server. For NAP to function correctly, you must start the Network Access Protection Agent service on the client, and then set the service startup type to Automatic. By default, this service does not start automatically.

  • Enables the TS Gateway Quarantine Enforcement client.

    To run this example script, use the following procedure. Note that you must run the script as a member of the local Administrators group on the TS Gateway client.

To download and run the Terminal Services NAP client configuration command

  1. To download the Terminal Services NAP client configuration command, go to the Terminal Services NAP Client Configuration Command page on the Download Center (https://go.microsoft.com/fwlink/?LinkId=103093). When you open the command prompt, right-click the command prompt, and then click Run as Administrator. You must run this command with elevated privileges for the command to succeed. For information about how to run this command with elevated privileges in Windows XP, see article 294676 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=87531). For information about how to do this in Windows Server 2003, see Run a program with administrative credentials (https://go.microsoft.com/fwlink/?LinkId=87533).

  2. At the command prompt, type:

    tsgqecclientconfig TS_GATEWAY_SERVER_NAME

    where TS_GATEWAY_SERVER_NAME is the fully qualified domain name (FQDN) of the TS Gateway server that you want to add to the list of trusted TS Gateway servers on the client.

    The name that you specify for the server must match the name in the Issued to field of the TS Gateway server certificate. If you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation, specify the fully qualified domain name (FQDN) of the TS Gateway server.

    To specify more than one TS Gateway server, separate each server name with a \0 (for example, SERVER_NAME1\0SERVER_NAME2\0SERVER_NAME3).

  3. Restart the client computer to implement the configuration changes, and then log back on to the client computer by using the same account that you used to run the client configuration command.

  4. Open Registry Editor. To open Registry Editor, in the Start search box, type regedit, and then press ENTER.

  5. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server Client\TrustedGateways

  6. Under GatewayFQDN, verify that the following value exists:

    <TS_Gateway_Server_NAME>

    where TS_GATEWAY_SERVER_NAME is the fully qualified domain name (FQDN) of the TS Gateway server that you specified in Step 2. If you specified more than one TS Gateway server, ensure that each TS Gateway server is listed.

2. Test to confirm that the TS Gateway NAP health policy is successfully applied to the Terminal Services client

Use the following procedures to verify that the health policy that you configured on the TS Gateway server is being applied to the Terminal Services client.

Recall that the Windows Security Health Validator (WSHV) policy that you created on the TS Gateway server requires that you enable automatic updating for the connection to succeed.

To test whether the health policy is correctly applied to the Terminal Services client, perform the following tasks:

  • Test for successful blocked connection for NAP-capable client. If the health policy is correctly applied to the Terminal Services NAP-capable client, the client connection attempt will be blocked by the server when automatic updating is disabled on the client.

  • Test for successful allowed connection for NAP-capable client. If the health policy is correctly applied to the Terminal Services NAP-capable client, the client connection attempt will be allowed by the server when automatic updating is enabled on the client.

  • Test for successful blocked connection for non-NAP capable client. If the health policy is correctly applied to the Terminal Services non-NAP capable client, the client connection attempt will be blocked by the server because the client cannot send a statement of health (SoH).

Test for successful blocked connection for NAP-capable client

Perform the following procedure on the client computer to test whether at least one NAP health policy is correctly configured to block the NAP-capable Terminal Services client connection to the TS Gateway server when automatic updating is disabled on the client.

To attempt an end-to-end connection through the TS Gateway server when automatic updating is disabled on the client

  1. Open Control Panel. To open Control Panel, click Start, and then click Control Panel.

  2. In Control Panel, double-click Security Center.

  3. Under Security Essentials, check whether Automatic Updating is set to On. If so, proceed to the next step. If Automatic Updating is already set to Off, skip to Step 7.

  4. In the navigation pane, click Windows Update.

  5. In Windows Update, in the navigation pane, click Change Settings.

  6. In the Choose how Windows can install updates dialog box, click Never check for updates (not recommended), and then click OK.

  7. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.

  8. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.

  9. On the General tab, type the name of the computer (terminal server or computer with Remote Desktop enabled) to which you want to connect through TS Gateway.

  10. Click Connect.

  11. On the Enter your credentials page, select the user account that you want to use to log on remotely to the computer, enter the required credentials, and then click OK.

  12. On the Gateway server credentials page, select the user name that you want to use to log on to the TS Gateway server, enter the required credentials, and then click OK.

  13. After a few moments, the following error message appears:

    This computer can't connect to the remote computer because your computer or device did not pass the Network Access Policies validation set by your network administrator. Please contact your network administrator for assistance.

  14. Click OK to close the message, and then cancel the connection.

Verify that the NAP health policy blocked the connection

On the TS Gateway server, the following three events will appear in the Event Log to confirm that client access to the TS Gateway server was denied because the health policy was successfully applied:

  • Event ID 6272, Keyword: Audit Success: This event, which appears under Windows Logs\Security, indicates that the NPS server granted access to the client.

  • Event ID 6276, Keyword: Audit Success: This event, which appears under Windows Logs\Security, indicates that the client was denied access to the TS Gateway server and quarantined because the health policy was successfully applied.

  • Event ID 204, Keyword: Audit Failure: This event, which appears under Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway\Operational, indicates that the client did not meet the requirements of the NAP policies on the NPS server and therefore is not authorized to access the TS Gateway server.

To verify that the NAP health policy blocked the connection

  1. On the TS Gateway server, open Event Viewer. To open Event Viewer, click Start, point to Administrative Tools, and then click Event Viewer.

  2. In Event Viewer, expand Windows Logs, and then click Security.

  3. With Security selected in the console tree, search for event IDs 6272 and 6276.

  4. In the console tree, expand Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then click Operational.

  5. With Operational selected in the console tree, search for Event ID 204.

  6. Close Event Viewer.

Test for successful allowed connection for NAP-capable client

Perform the following procedure to test whether at least one NAP health policy is correctly configured to allow the Terminal Services client connection to the TS Gateway server when automatic updating is enabled on the client.

To attempt an end-to-end connection through the TS Gateway server when automatic updating is enabled on the client

  1. Open Control Panel. To open Control Panel, click Start, and then click Control Panel.

  2. In Control Panel, double-click Security Center.

  3. Under Security Essentials, under Automatic updating, click Change settings.

  4. In the Choose an automatic updating option dialog box, click Install updates automatically (recommended).

  5. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.

  6. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.

  7. On the General tab, type the name of the computer (terminal server or computer with Remote Desktop enabled) to which you want to connect through TS Gateway.

  8. Click Connect.

  9. On the Enter your credentials page, select the user account that you want to use to log on remotely to the computer, enter the required credentials, and then click OK.

  10. On the Gateway server credentials page, select the user name that you want to use to log on to the TS Gateway server, enter the required credentials, and then click OK.

  11. After a few moments, the connection completes and a connection will be established through the TS Gateway server to the computer.

Verify that the NAP health policy allowed the connection

On the TS Gateway server, the following three events will appear in the Event Log to confirm that client access to the TS Gateway server was granted because the health policy was successfully applied:

  • Event ID 6272, Keyword: Audit Success: This event, which appears under Windows Logs\Security, indicates that the NPS server granted access to the client.

  • Event ID 6278, Keyword: Audit Success: This event, which appears under Windows Logs\Security, indicates that the client was granted access to the TS Gateway server because the health policy was successfully applied.

  • Event ID 200: This event, which appears under Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway\Operational, indicates that the client is healthy and therefore can access the TS Gateway server.

To verify that the NAP health policy allowed the connection

  1. On the TS Gateway server, open Event Viewer. To open Event Viewer, click Start, point to Administrative Tools, and then click Event Viewer.

  2. In Event Viewer, expand Windows Logs, and then click Security.

  3. With Security selected in the console tree, search for event IDs 6272 and 6278.

  4. In the console tree, expand Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then click Operational.

  5. With Operational selected in the console tree, search for Event ID 200.

  6. Close Event Viewer.

Test for successful blocked connection for non-NAP capable client

Perform the following procedure to test whether at least one NAP health policy is correctly configured to block the Terminal Services client connection to the TS Gateway server when the client cannot send an SoH to the TS Gateway server.

To attempt an end-to-end connection through the TS Gateway server when the client cannot send an SoH

  1. Open Control Panel. To open Control Panel, click Start, and then click Control Panel.

  2. In Control Panel, double-click Security Center.

  3. Under Security Essentials, confirm that Automatic updating is set to On.

  4. Open the command prompt, right-click the command prompt, and then click Run as Administrator.

  5. At the command prompt, type the following:

    net stop napagent

  6. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.

  7. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.

  8. On the General tab, type the name of the computer (terminal server or computer with Remote Desktop enabled) to which you want to connect through TS Gateway.

  9. Click Connect.

  10. On the Enter your credentials page, select the user account that you want to use to log on remotely to the computer, enter the required credentials, and then click OK.

  11. On the Gateway server credentials page, select the user name that you want to use to log on to the TS Gateway server, enter the required credentials, and then click OK.

  12. After a few moments, the following error message appears:

    "This computer can't connect to the remote computer because your computer or device did not pass the Network Access Policies validation set by your network administrator. Please contact your network administrator for assistance."

  13. Click OK to close the message, and then cancel the connection.

On the TS Gateway server, follow the steps in Verify that the NAP health policy blocked the connection to confirm that client access to the TS Gateway server was denied because the health policy was successfully applied.

Additional references