Configuring Forefront Threat Management Gateway Integration with RD Gateway Step-by-Step Guide
Applies To: Windows Server 2008 R2
This step-by-step guide walks you through the process of setting up a working Remote Desktop Session Host (RD Session Host) server that is accessible by using Remote Desktop Gateway (RD Gateway) through Microsoft® Forefront™ Threat Management Gateway in a test environment. During this process, you will create a test deployment that includes the following components:
An RD Gateway server
An RD Session Host server
A Forefront TMG server
A Remote Desktop Connection (RDC) client computer
This guide assumes that you previously completed the steps in the Deploying Remote Desktop Gateway Step-by-Step Guide, and that you have already deployed the following components:
An RD Session Host server
A Remote Desktop Connection (RDC) client computer
An Active Directory Domain Services domain controller
This guide includes the following topics:
Step 4: Exporting the SSL Certificate for the RD Gateway Server
Step 5: Importing the SSL Certificate on the Forefront TMG Server
Step 7: Creating a Web Publishing Rule on the Forefront TMG Server
The goal of configuring the RD Gateway server with a Forefront TMG server is to enhance the security of the RD Gateway server while allowing external access to internal resources. Forefront TMG acts as an SSL bridging device in the RD Gateway-Forefront TMG server scenario. Forefront TMG receives HTTPS requests and passes them to the internal RD Gateway server by using either HTTPS or HTTP, depending on the Forefront TMG server to RD Gateway bridging configuration. While bridging the request, Forefront TMG decrypts the SSL packets and performs application-layer inspection. If the HTTP protocol stream passes inspection, the communication is re-encrypted and forwarded to the RD Gateway server. If the protocol stream fails inspection, the connection is dropped.
This guide does not provide the following:
An overview of Remote Desktop Services.
Guidance for setting up Active Directory Domain Services or an RD Session Host server. This information can be found in the Installing Remote Desktop Session Host Step-by-Step Guide. For a downloadable version of this document, see the Installing Remote Desktop Session Host Step-by-Step Guide in the Microsoft Download Center.
Complete technical reference for Remote Desktop Services.
An overview of Forefront TMG.
Guidance for setting up Forefront TMG. This information can be found at Forefront TMG Planning and Design. For guidance for installing Forefront TMG, see Forefront TMG Deployment.
Important
If you have previously configured the computers in the Installing Remote Desktop Session Host Step-by-Step Guide, you should repeat the steps in that guide with the new installations.
Forefront TMG can bridge the communication between the remote desktop client and RD Gateway server in the following ways:
HTTPS-HTTPS bridging: Forefront TMG receives SSL requests from the remote desktop client. After receiving the requests, Forefront TMG decrypts them and performs application-layer inspection. If the packet inspection passes, Forefront TMG re-encrypts the requests and forwards them to the RD Gateway server over HTTPS.
HTTPS-HTTP bridging: Forefront TMG receives SSL requests from the Remote Desktop Connection (RDC) client. After performing the packet inspection, Forefront TMG forwards the requests to the RD Gateway server over HTTP. In this scenario the SSL session is terminated at Forefront TMG, and the RD Gateway server receives the packets in HTTP format.
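In both bridging modes the certificate that remote clients see is the one exported from the RD Gateway server and imported on the Forefront TMG server (Steps 4 and 5). The following pre-flight check is an added example, not part of the original guide or the Forefront TMG product: it runs on RDG-SRV under Windows PowerShell 2.0 and reports whether each certificate in the Local Computer Personal store has a Server Authentication EKU, covers the assumed public name `rdg.contoso.com` (a constructed placeholder; replace it with the name your clients type into the RDC client), builds a chain, and has an exportable private key.

```powershell
# Added pre-flight check for the RD Gateway SSL certificate before it is exported
# for use on Forefront TMG. Assumptions (not from the guide): run on RDG-SRV,
# Windows PowerShell 2.0, and $PublicFqdn is the name remote clients connect to.
param(
    [string]$PublicFqdn = "rdg.contoso.com"   # constructed placeholder, replace with yours
)

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication enhanced key usage

# Candidate certificates: Local Computer\Personal store, private key present.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

foreach ($cert in $certs) {
    $problems = @()

    # 1. The public name must appear in the Subject CN or a Subject Alternative Name.
    $names = @()
    if ($cert.Subject -match "CN=([^,]+)") { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        # Format() yields e.g. "DNS Name=rdg.contoso.com, DNS Name=rdg" on English systems.
        $names += ($san.Format($false) -split ", " | ForEach-Object { ($_ -split "=")[1] })
    }
    if (-not ($names -contains $PublicFqdn)) { $problems += "name '$PublicFqdn' not in Subject/SAN ($($names -join ', '))" }

    # 2. An SSL listener certificate needs the Server Authentication EKU.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $problems += "no Server Authentication EKU"
    }

    # 3. Validity window, and a chain this computer can build to a trusted root.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += "not within validity period" }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $problems += "chain does not build: " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    # 4. The private key must be exportable, or the PFX cannot be moved to TMG-SRV.
    $exportable = $false
    try {
        $null = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, "check")
        $exportable = $true
    } catch { }
    if (-not $exportable) { $problems += "private key is not exportable" }

    $status = if ($problems.Count -eq 0) { "OK" } else { "FAIL: " + ($problems -join '; ') }
    "{0}  {1}  {2}" -f $cert.Thumbprint, $cert.Subject, $status
}
```

A certificate reported as OK here still has to chain to a root that the remote client computers and, for HTTPS-HTTPS bridging, the Forefront TMG server trust.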
Following are three scenarios in which Forefront TMG and an RD Gateway server can be used together to enhance security for remote connections to internal network resources:
Forefront TMG as an SSL bridging device (Web proxy). In this scenario, Forefront TMG is hosted in a perimeter network, and it provides SSL bridging between the Remote Desktop Services client and the RD Gateway server. The RD Gateway server is hosted in the private corporate network.
This scenario is illustrated in this step-by-step guide.
Forefront TMG as a firewall and SSL bridging device. In this scenario, Forefront TMG functions as a firewall that performs port filtering, packet filtering, and SSL bridging. The RD Gateway server can be hosted in the private corporate network or in the perimeter network, depending on whether the Forefront TMG is located as the external firewall or the internal firewall.
Forefront TMG as a firewall that performs port filtering (server publishing). In this scenario, Forefront TMG functions as an external packet filtering firewall and permits traffic only over port 443. The RD Gateway server is hosted in the perimeter network.
We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® features without additional deployment documentation, and they should be used with discretion as stand-alone documents.
Upon completion of this step-by-step guide, you will have an RD Session Host server that users can connect to with the remote desktop client computer by using RD Gateway through Forefront TMG. You can then test and verify this functionality by connecting to the RD Session Host server by using RD Gateway from the remote desktop client computer as an authorized remote user.
Note
The steps in this step-by-step guide provide detailed deployment and configuration information only for the first scenario (Forefront TMG as a Web proxy). The other two scenarios are mentioned as alternate ways in which a Forefront TMG server can be used with RD Gateway to enhance security for remote connections to internal network resources.
The test environment described in this guide includes five computers that are connected to a private network and that use the following operating systems, applications, and services.
Computer name | Operating system | Applications and services
---|---|---
CONTOSO-DC | Windows Server 2008 R2 | Active Directory Domain Services (AD DS), DNS
RDSH-SRV | Windows Server 2008 R2 | RD Session Host
CONTOSO-CLNT | Windows 7 | Remote Desktop Connection
RDG-SRV | Windows Server 2008 R2 | RD Gateway
TMG-SRV | Windows Server 2008 R2 | Forefront TMG
The computers form a private network, and they are connected through a common hub or Layer 2 switch. This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the network. The domain controller is named CONTOSO-DC for the domain named contoso.com. The following figure illustrates the Forefront TMG server scenario for RD Gateway, in which Forefront TMG is used as an SSL bridging device.