
TS Gateway Step-by-Step Guide

Microsoft Corporation Published: December 2007 Modified: July 2008

Abstract
Terminal Services Gateway (TS Gateway) is a new role service available to users of the Microsoft Windows Server® 2008 operating system. TS Gateway enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The internal network resources can be terminal servers, terminal servers running RemoteApp™ programs, or computers with Remote Desktop enabled. TS Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection. In this way, TS Gateway helps improve security by establishing an encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.

This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2008 Microsoft Corporation. All rights reserved.
Active Directory, Terminal Services, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Contents
TS Gateway Step-by-Step Guide
Abstract
Contents
TS Gateway Step-by-Step Guide
TS Gateway Overview
Who should use TS Gateway?
Benefits of TS Gateway
Additional references
Prerequisites for TS Gateway
Role, role service, and feature dependencies
Administrative credentials
Special Considerations for TS Gateway
TS Gateway server considerations
Name resolution issues
Terminal Services client considerations
Automatic reconnection to a TS Gateway server might fail after the Terminal Services client comes out of hibernation
TS Gateway server connection requests from a client running Windows XP with SP2 might fail if a smart card is used for authentication
Configuring the TS Gateway Core Scenario
System requirements for the TS Gateway core scenario
Setting up the TS Gateway core scenario
Connection sequence for the TS Gateway core scenario
Steps for configuring the TS Gateway server for the TS Gateway core scenario
1. Install the TS Gateway role service
Verify successful role service installation and TS Gateway service status
2. Obtain a certificate for the TS Gateway server
Certificate requirements for TS Gateway
Using existing certificates
Certificate installation and configuration process overview
Create a self-signed certificate for TS Gateway
3. Configure a certificate for the TS Gateway server
Install a certificate on the TS Gateway server
Map the TS Gateway server certificate
Understand authorization policies for TS Gateway
TS CAPs
TS RAPs
Security groups and TS Gateway-managed computer groups associated with TS RAPs
4. Create a TS CAP for the TS Gateway server
5. Create a TS RAP and specify computers that users can connect to through the TS Gateway server
6. Limit the maximum number of simultaneous connections through TS Gateway (optional)
Steps for configuring a Terminal Services client for the TS Gateway core scenario
1. Install the TS Gateway server root certificate in the Trusted Root Certification Authorities Store on the Terminal Services client (optional)
2. Configure Remote Desktop Connection settings
3. Verify that end-to-end connectivity through TS Gateway is functioning correctly
Configuring the TS Gateway NAP Scenario
System requirements for the TS Gateway NAP scenario
Setting up the TS Gateway NAP scenario
Steps for configuring TS Gateway for the NAP scenario
1. Enable NAP health policy checking on the TS Gateway server
2. Delete existing TS CAPs and create three new TS CAPs on the TS Gateway server
3. Configure a Windows Security Health Validator on the TS Gateway server
4. Create NAP policies on the TS Gateway server by using the Configure NAP Wizard
Steps for configuring a Terminal Services client as a NAP enforcement client
1. Download and run the Terminal Services NAP client configuration command
2. Test to confirm that the TS Gateway NAP health policy is successfully applied to the Terminal Services client
Test for successful blocked connection for NAP-capable client
Verify that the NAP health policy blocked the connection
Test for successful allowed connection for NAP-capable client
Verify that the NAP health policy allowed the connection
Test for successful blocked connection for non-NAP capable client
Additional references
Configuring the TS Gateway ISA Server Scenario
System configurations tested for the TS Gateway ISA Server scenario
Configuring connections between ISA Server and TS Gateway server
Setting up the TS Gateway ISA Server scenario
Steps for configuring TS Gateway for the ISA Server scenario
1. Export the SSL certificate for the TS Gateway server and copy it to the ISA Server
2. Install the SSL certificate for the TS Gateway server on the ISA Server
3. Copy and install the TS Gateway server root certificate on the ISA Server
4. Create a new Web publishing rule on the ISA Server
Create a new Web publishing rule for ISA Server 2004
Create a new Web publishing rule for ISA Server 2006
5. Enable or disable HTTPS-HTTP bridging on the TS Gateway server
6. Verify client configuration and test end-to-end connectivity
Additional references
Monitoring Active Connections Through a TS Gateway Server
Specify TS Gateway events to log
View details about active connections through a TS Gateway server
Example Script for Validating Certificate Configuration
Running the Rpcpingtest example script
Example of successful output
Rpcping example script
Disclaimer
Appendix: Configuring the TS Gateway OTP Scenario
System configuration for this scenario
Network topology
Steps to configure OTP

TS Gateway Step-by-Step Guide


This Step-by-Step Guide describes functionality for the Windows Server® 2008 release of Terminal Services Gateway (TS Gateway). The following topics are covered in this Step-by-Step Guide:
- TS Gateway Overview
- Prerequisites for TS Gateway
- Special Considerations for TS Gateway
- Configuring the TS Gateway Core Scenario
- Configuring the TS Gateway NAP Scenario
- Configuring the TS Gateway ISA Server Scenario
- Monitoring Active Connections Through a TS Gateway Server
- Example Script for Validating Certificate Configuration
- Appendix: Configuring the TS Gateway OTP Scenario

TS Gateway Overview
Windows Server® 2008 Terminal Services Gateway (TS Gateway) is a role service that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be terminal servers, terminal servers running RemoteApp™ programs, or computers with Remote Desktop enabled. TS Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection. In this way, TS Gateway helps improve security by establishing an encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run. The procedures in this guide will help you set up a TS Gateway server, enabling remote users to access terminal servers, terminal servers running RemoteApp programs, or computers with Remote Desktop enabled on your internal corporate or private network.

Who should use TS Gateway?


This guide is targeted at these audiences:
- IT administrators, planners, and analysts who are evaluating remote access and mobile solution products
- Enterprise IT architects and designers
- Early adopters
- Security architects who are responsible for implementing trustworthy computing
- IT professionals who are responsible for terminal servers or remote access to desktops

Benefits of TS Gateway
TS Gateway provides many benefits, including the following:
- TS Gateway enables remote users to connect to internal network resources over the Internet, by using an encrypted connection, without needing to configure virtual private network (VPN) connections.
- TS Gateway provides a comprehensive security configuration model that enables you to control access to specific internal network resources.
- TS Gateway provides a point-to-point RDP connection, rather than allowing remote users access to all internal network resources.
- TS Gateway enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators (NATs). With TS Gateway, you do not need to perform additional configuration for the TS Gateway server or clients for this scenario. In earlier versions of Windows Server, security measures prevented remote users from connecting to internal network resources across firewalls and NATs. This is because port 3389, the port used for RDP connections, is typically blocked for network security purposes. TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.
- The TS Gateway Manager snap-in console enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources. For example, you can specify:
  - Who can connect to network resources (in other words, the user groups who can connect).
  - What network resources (computer groups) users can connect to.
  - Whether client computers must be members of Active Directory® security groups.
  - Whether device and disk redirection is allowed.
  - Whether clients need to use smart card authentication or password authentication, or whether they can use either method.
- You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement, and remediation technology that is included in Windows Vista® RTM, Windows Server 2008, and Windows Vista Service Pack 1 (SP1) and Windows XP Service Pack 3 (SP3). With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings.
- You can use a TS Gateway server in conjunction with Microsoft Internet Security and Acceleration (ISA) Server to enhance security. In this scenario, you can host TS Gateway servers in a private network rather than a perimeter network, and host ISA Server in the perimeter network. Or, ISA Server can serve as an isolation point for either or both ends of the perimeter network. The SSL connection between the Terminal Services client and ISA Server can be terminated at the ISA Server, which is Internet-facing.
- TS Gateway Manager provides tools to help you monitor TS Gateway connection status, health, and events. By using TS Gateway Manager, you can specify events (such as unsuccessful connection attempts to the TS Gateway server) that you want to monitor for auditing purposes.

Additional references
For product support, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=[link ID illegible in source]). To access newsgroups for Terminal Services, see the Terminal Services Community page on the Microsoft TechNet Web site (http://go.microsoft.com/fwlink/?LinkId=[link ID illegible in source]).

Prerequisites for TS Gateway


For TS Gateway to function correctly, you must meet these prerequisites:
- You must have a server with Windows Server 2008 installed.
- You must obtain an SSL certificate for the TS Gateway server if you do not have one already. By default, on the TS Gateway server, the RPC/HTTP Load Balancing service and the IIS service use Transport Layer Security (TLS) 1.0 to encrypt communications between clients and TS Gateway servers over the Internet. For TLS to function correctly, you must install an SSL certificate on the TS Gateway server.

Note: You do not need a certification authority (CA) infrastructure within your organization if you can use another method to obtain an externally trusted certificate that meets the requirements for TS Gateway. If your company does not maintain a stand-alone CA or an enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes. For information about certificate requirements for TS Gateway and how to obtain and install a certificate, see "Obtain a certificate for the TS Gateway server" in Configuring the TS Gateway Core Scenario.

- TS Gateway servers must be joined to an Active Directory domain in the following cases:
  - If you configure a TS Gateway authorization policy that requires that users be domain members to connect to the TS Gateway server.
  - If you configure a TS Gateway authorization policy that requires that client computers be domain members to connect to the TS Gateway server.
  - If you are deploying a load-balanced TS Gateway server farm.

Role, role service, and feature dependencies


To function correctly, TS Gateway requires several role services and features to be installed and running. When you use Server Manager to install the TS Gateway role service, the following additional roles, role services, and features are automatically installed and started, if they are not already installed:
- Remote Procedure Call (RPC) over HTTP Proxy
- Web Server (IIS) [Internet Information Services 7.0]
- Network Policy and Access Services

IIS 7.0 must be installed and running for the RPC over HTTP Proxy feature to function. You can also configure TS Gateway to use Terminal Services connection authorization policies (TS CAPs) that are stored on another server that runs the Network Policy Server (NPS) service. By doing this, you are using the NPS server, formerly known as a Remote Authentication Dial-In User Service (RADIUS) server, to centralize the storage, management, and validation of TS CAPs. If you have already deployed an NPS server for remote access scenarios such as VPN and dial-up networking, using the existing NPS server for TS Gateway scenarios as well can enhance your deployment.

Administrative credentials
You must be a member of the Administrators group on the computer that you want to configure as a TS Gateway server.

Special Considerations for TS Gateway


The following are special considerations for TS Gateway in Windows Server 2008.

TS Gateway server considerations


Following are special considerations for the TS Gateway server.

Name resolution issues


When remote users attempt to access a computer on the internal corporate network through a TS Gateway server, they can specify either a NetBIOS name or a fully qualified domain name (FQDN) for the computer that they are attempting to connect to. When users specify the FQDN name of the target computer, and the associated Terminal Services resource authorization policy (TS RAP) that is configured on the TS Gateway server uses a NetBIOS name for the target computer, the client connection will succeed. However, if the user attempts to connect to the target computer by using its NetBIOS name when the TS RAP configured on the TS Gateway server uses an FQDN name for the target computer, name resolution will fail and the user will not be able to connect to the target computer.

To avoid name resolution failure, and to support either NetBIOS names or FQDNs, include each possible computer name in the computer group that you create when you configure a TS RAP. For example, the computer names MySAPReportingServer and MySAPReportingServer.seattle.corp.microsoft.com would each need to be included in the computer group that you create, although both names represent the same computer.

Terminal Services client considerations


Following are special considerations for the Terminal Services client, when the client is used for connections through a TS Gateway server.

Automatic reconnection to a TS Gateway server might fail after the Terminal Services client comes out of hibernation
After you establish a remote connection through a TS Gateway server to another computer, if the Terminal Services client that initiated the connection hibernates and then comes out of hibernation, the client might not automatically reconnect to the remote computer through the TS Gateway server. To resolve this problem, open Task Manager, end the mstsc (Remote Desktop Connection) process, and then attempt the remote connection again. Closing mstsc will not resolve this problem.

TS Gateway server connection requests from a client running Windows XP with SP2 might fail if a smart card is used for authentication
If you are using a client running Windows® XP with SP2 to connect to a remote computer through a TS Gateway server, you will receive an error message stating that the remote computer is misconfigured if you do the following:
1. Connect to a remote computer and leave your smart card in the smart card reader during the session.
2. End the session, leaving the smart card in the smart card reader.
3. Start another connection while leaving the smart card in the smart card reader.
To resolve this problem, remove the smart card, reinsert it, and then try to connect to the remote computer again.

Configuring the TS Gateway Core Scenario


The following steps are required for the successful setup and demonstration of the TS Gateway core scenario described as an example in this guide. This scenario enables you to configure a TS Gateway server so that a remote user can access an internal network resource over the Internet, through the TS Gateway server. In this scenario, the internal network resource can be either a terminal server, a terminal server running RemoteApp programs, or a computer with Remote Desktop enabled.
1. We recommend that you set up three computers to evaluate this scenario. These computers are:
   - The TS Gateway server (known as "TSGSERVER" in this example)
   - The Terminal Services client (known as "TSCLIENT" in this example)
   - An internal network resource (known as "CORPORATERESOURCE" in this example)
   The computers must meet the system requirements described in System requirements for the TS Gateway core scenario.
2. Configure the TS Gateway server by following the instructions in Steps for configuring the TS Gateway server for the TS Gateway core scenario.
3. Configure the Terminal Services client by following the instructions in Steps for configuring a Terminal Services client for the TS Gateway core scenario.
4. Configure the internal network resource.
5. Demonstrate that the Terminal Services client can connect to the internal network resource through the TS Gateway server by following the instructions in Verify that end-to-end connectivity through TS Gateway is functioning correctly.

System requirements for the TS Gateway core scenario


The three computers used in the TS Gateway core scenario must meet the following system requirements.

Computer: TS Gateway server (TSGSERVER)
Required configuration:
- Windows Server 2008. The installation can be an upgrade from Windows Server® 2003 Service Pack 1 (SP1) or Windows Server 2008 Release Candidate 0 (RC0). For more information, see "Supported upgrade paths" in Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=[link ID illegible in source]).

Computer: Terminal Services client (TSCLIENT)
Required configuration (one of the following):
- Windows Vista SP1 or Windows XP SP3.
- Windows Vista. The installation can be an upgrade from Windows XP with Service Pack 2 (SP2).
- Windows XP SP2 and Remote Desktop Connection (RDC) 6.0. To download RDC 6.0, see article 925876 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=[link ID illegible in source]).
- Windows Server 2008. The installation can be an upgrade.
- Windows Server 2003 with Service Pack 1 (SP1) or SP2 and RDC 6.0.

Computer: Internal network resource (CORPORATERESOURCE)
Required configuration:
For computers with Remote Desktop enabled (one of the following):
- Windows Vista SP1 or Windows XP SP3.
- Windows Vista. The installation can be an upgrade from Windows XP with SP2.
- Windows XP with SP2.
- Windows Server 2003 with SP1 or SP2.
For terminal servers (one of the following):
- Windows Server 2008. The installation can be an upgrade.
- Windows Server 2003 with SP1 or SP2.

Setting up the TS Gateway core scenario


The following diagram illustrates the core scenario for TS Gateway.

Note: The steps in this setup guide describe how to set up the core TS Gateway scenario for remote access from a Terminal Services client through a TS Gateway server to an internal network resource. The guide does not describe how to set up the firewalls illustrated in the diagram, terminal servers running RemoteApp programs, or the Active Directory infrastructure. The diagram is provided to suggest one of many ways in which the TS Gateway core remote access scenario might be implemented in a production environment. For information about how to set up a terminal server, see the Help topic "Terminal Server" (http://go.microsoft.com/fwlink/?LinkId=72052). For information about setting up RemoteApp programs, see the Terminal Services RemoteApp Step-by-Step Guide (http://go.microsoft.com/fwlink/?linkId=[link ID illegible in source]). For information about how to enable Remote Desktop, see the topic "Using Remote Desktop" in the Windows Server 2008 Help.

Connection sequence for the TS Gateway core scenario


Following is a simplified description of the sequence that TSCLIENT follows when connecting through TSGSERVER to CORPORATERESOURCE:
1. The user on the Terminal Services client, TSCLIENT, might initiate the connection by doing one of the following:
   - Clicking an RDP file that the administrator has configured, to access his or her full desktop.
   - Clicking a RemoteApp program icon. RemoteApp programs are represented in an RDP file that the administrator has configured.
   - Visiting a Web site (either from the Internet or from an intranet) to access a list of RemoteApp programs that the administrator has made available by using Terminal Services Web Access (TS Web Access), and then clicking a RemoteApp program icon.
   - Opening the Remote Desktop Connection client and manually specifying the appropriate settings for the connection.
2. An SSL tunnel is established between TSCLIENT and TSGSERVER by using the TS Gateway server's SSL certificate. Before a connection between TSCLIENT and TSGSERVER is established, TSGSERVER must authenticate and authorize the user according to Terminal Services connection authorization policies (TS CAPs) that the administrator has configured on TSGSERVER.
3. After authentication and authorization succeed, TSGSERVER signals TSCLIENT to continue with the connection sequence.
4. TSCLIENT requests a connection from TSGSERVER to CORPORATERESOURCE. Before authorizing the request, TSGSERVER verifies that both of the following conditions are met simultaneously, for at least one Terminal Services resource authorization policy (TS RAP) that is configured on TSGSERVER:
   - CORPORATERESOURCE is a member of a computer group that is specified in the TS RAP; and
   - The user is a member of a user group that is specified in the TS RAP.
   If both requirements are met, TSGSERVER authorizes the request.
5. An SSL connection is established between TSCLIENT and TSGSERVER, and an RDP connection is established between TSGSERVER and CORPORATERESOURCE. From this point, any packets that TSCLIENT sends to TSGSERVER are forwarded to CORPORATERESOURCE, and any packets that CORPORATERESOURCE sends to TSGSERVER are forwarded to TSCLIENT.
6. TSCLIENT will attempt to create a user session on CORPORATERESOURCE. CORPORATERESOURCE performs Windows authentication to validate the identity of the user requesting the connection and the privileges that the user has on CORPORATERESOURCE. (These are the same steps that would be followed if TSCLIENT were to request a remote connection to CORPORATERESOURCE without using TSGSERVER.)
7. TSCLIENT exchanges encrypted RDP packets encapsulated within SSL with TSGSERVER over port 443. TSGSERVER forwards the RDP packets to CORPORATERESOURCE over port 3389.
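The TS RAP check in step 4 above, together with the NetBIOS-versus-FQDN caveat from "Name resolution issues", modelled as an added Python example (this is not TS Gateway's own code; the policy names, the group names and the rule that an FQDN request is compared by its host label against a NetBIOS entry are assumptions):

```python
"""Model of the TS RAP authorization check (step 4 of the connection sequence)
with the name-resolution behaviour described under "Name resolution issues".
Constructed example, not TS Gateway's own code; all names are made up."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class TSRAP:
    """One resource authorization policy: its user groups and computer group."""
    name: str
    user_groups: Set[str]
    computer_names: Set[str]   # names exactly as the administrator typed them


def names_match(requested: str, listed: str) -> bool:
    """Page behaviour: a request by FQDN succeeds against a NetBIOS entry
    (assumed here to be a host-label comparison), but a request by NetBIOS
    name against an FQDN-only entry fails name resolution."""
    requested, listed = requested.lower(), listed.lower()
    if requested == listed:
        return True
    if "." in requested and "." not in listed:
        return requested.split(".", 1)[0] == listed
    return False


def authorize_resource(raps: Iterable[TSRAP], user_groups: Iterable[str],
                       target: str) -> Optional[str]:
    """Return the name of the first TS RAP for which BOTH conditions hold
    (user in a listed user group AND target in the computer group), or None
    when TSGSERVER would refuse the request for CORPORATERESOURCE."""
    memberships = set(user_groups)
    for rap in raps:
        user_ok = bool(rap.user_groups & memberships)
        computer_ok = any(names_match(target, n) for n in rap.computer_names)
        if user_ok and computer_ok:
            return rap.name
    return None


# Constructed sample policies, using the computer names from the page's example.
SHORT = "MySAPReportingServer"
FQDN = "MySAPReportingServer.seattle.corp.microsoft.com"
RAP_NETBIOS_ONLY = TSRAP("Reporting-NetBIOS", {"CORP\\ReportUsers"}, {SHORT})
RAP_FQDN_ONLY = TSRAP("Reporting-FQDN", {"CORP\\ReportUsers"}, {FQDN})
RAP_BOTH = TSRAP("Reporting-Both", {"CORP\\ReportUsers"}, {SHORT, FQDN})


def run_demo() -> dict:
    """Exercise the cases the page describes; values are the matching RAP or None."""
    users = ["CORP\\ReportUsers"]
    return {
        # FQDN requested, NetBIOS name listed: the connection succeeds
        "fqdn_vs_netbios": authorize_resource([RAP_NETBIOS_ONLY], users, FQDN),
        # NetBIOS requested, only the FQDN listed: name resolution fails
        "netbios_vs_fqdn": authorize_resource([RAP_FQDN_ONLY], users, SHORT),
        # Both names in the computer group: either form of the request works
        "netbios_vs_both": authorize_resource([RAP_BOTH], users, SHORT),
        "fqdn_vs_both": authorize_resource([RAP_BOTH], users, FQDN),
        # Computer matches but the user is in no listed group: refused
        "wrong_user": authorize_resource([RAP_BOTH], ["CORP\\Finance"], FQDN),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:16s} -> {result or 'refused'}")
```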

Steps for configuring the TS Gateway server for the TS Gateway core scenario
To configure the TS Gateway server, complete these tasks.

Task                                                                                  | Reference/Step-by-step instructions
--------------------------------------------------------------------------------------|------------------------------------------------------------------------
1. Install the TS Gateway role service.                                               | Install the TS Gateway role service
2. Obtain a certificate for the TS Gateway server.                                    | Obtain a certificate for the TS Gateway server
3. Configure a certificate for the TS Gateway server.                                 | Configure a certificate for the TS Gateway server
4. Create a Terminal Services connection authorization policy (TS CAP).               | Create a TS CAP
5. Create a Terminal Services resource authorization policy (TS RAP).                 | Create a TS RAP
6. Limit the maximum number of simultaneous connections through TS Gateway (optional). | Limit the maximum number of simultaneous connections through TS Gateway

1. Install the TS Gateway role service

Follow these steps to install the TS Gateway role service. Optionally, during the role service installation process, you can select an existing certificate (or create a new self-signed certificate), and you can create a TS CAP and a TS RAP.

To install the TS Gateway role service
1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
2. If the Terminal Services role is not already installed:
a. In Server Manager, under Roles Summary, click Add roles.
b. In the Add Roles Wizard, if the Before You Begin page appears, click Next. This page will not appear if you have already installed other roles and you have selected the Skip this page by default check box.
c. On the Select Server Roles page, under Roles, select the Terminal Services check box, and then click Next.
d. On the Terminal Services page, click Next.
e. On the Select Role Services page, in the Role services list, select the TS Gateway check box.
f. If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services.
g. On the Select Role Services page, confirm that TS Gateway is selected, and then click Next.
If the Terminal Services role is already installed:
a. Under Roles Summary, click Terminal Services.
b. Under Role Services, click Add Role Services.
c. On the Select Role Services page, select the TS Gateway check box, and then click Next.
d. If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services.
e. On the Select Role Services page, click Next.
3. On the Choose a Server Authentication Certificate for SSL Encryption page, specify whether to choose an existing certificate for SSL encryption (recommended), create a self-signed certificate for SSL encryption, or choose a certificate for SSL encryption later. If you are completing an installation for a new server that does not yet have certificates, see Obtain a certificate for the TS Gateway server for certificate requirements and information about how to obtain and install a certificate. Under the Choose an existing certificate for SSL encryption (recommended) option, only certificates that have the intended purpose (server authentication) and Enhanced Key Usage (EKU) [Server Authentication (1.3.6.1.5.5.7.3.1)] that are appropriate for the TS Gateway role service will appear in the list of certificates. If you select this option, click Import, and then import a new certificate that does not meet these requirements, the imported certificate will not appear in the list.
4. On the Create Authorization Policies for TS Gateway page, specify whether you want to create authorization policies (a TS CAP and a TS RAP) during the TS Gateway role service installation process or later. If you select Later, follow the procedures in Create a TS CAP to create this policy. If you select Now, do the following:
a. On the Select User Groups That Can Connect Through TS Gateway page, click Add to specify additional user groups. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box.
b. To specify more than one user group, do either of the following: Type the name of each user group, separating the name of each group with a semi-colon; or add additional groups from different domains by repeating the first part of this step for each group.
c. After you finish specifying additional user groups, on the Select User Groups That Can Connect Through TS Gateway page, click Next.
d. On the Create a TS CAP for TS Gateway page, accept the default name for the TS CAP (TS_CAP_01) or specify a new name, select one or more supported Windows authentication methods, and then click Next.
e. On the Create a TS RAP for TS Gateway page, accept the default name for the TS RAP (TS_RAP_01) or specify a new name, and then do one of the following: Specify whether to allow users to connect only to computers in one or more computer groups, and then specify the computer groups; or specify that users can connect to any computer on the network. Click Next.
5. On the Network Policy and Access Services page (which appears if this role service is not already installed), review the summary information, and then click Next.
6. On the Select Role Services page, verify that Network Policy Server is selected, and then click Next.
7. On the Web Server (IIS) page (which appears if this role service is not already installed), review the summary information, and then click Next.
8. On the Select Role Services page, accept the default selections for Web Server (IIS), and then click Next.
9. On the Confirm Installation Options page, verify that the following roles, role services, and features will be installed:
- Terminal Services\TS Gateway
- Network Policy and Access Services\Network Policy Server
- Web Server (IIS)\Web Server\Management Tools
- RPC over HTTP Proxy
- Windows Process Activation Service\Process Model\Configuration APIs
10. Click Install.
11. On the Installation Progress page, installation progress will be noted. If any of these roles, role services, or features has already been installed, installation progress will be noted only for the new roles, role services, or features that are being installed.
12. On the Installation Results page, confirm that installation for these roles, role services, and features was successful, and then click Close.

Verify successful role service installation and TS Gateway service status

Use the following procedure to verify that the TS Gateway role service and dependent roles, role services, and features are installed correctly and running.

To verify that installation was successful
1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
2. In the console tree, expand Roles, and then double-click Terminal Services.
3. On the Terminal Services summary page, in the System Services area, verify that the status of Terminal Services Gateway is Running and that the startup type is set to Auto.
4. Close Server Manager.
5. Open Internet Information Services (IIS) Manager. To open IIS Manager, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
6. In the console tree, expand <TS_Gateway_Server_Name>\Sites\Default Web Site, and then click Default Web Site.
7. Right-click Default Web Site, point to Manage Web Site, and then click Advanced Settings.
8. In the Advanced Settings dialog box, under (General), verify that Start Automatically is set to True. If it is not set to True, click the drop-down arrow to display the list, and then click True.
9. Click OK.
10. Close IIS Manager.

2. Obtain a certificate for the TS Gateway server

This section assumes an understanding of certificate trust chaining, certificate signing, and general certificate configuration principles. For information about PKI configuration in Windows Server 2008, see ITPROADD-204: PKI Enhancement in Windows Vista and Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=93995). For information about PKI configuration in Windows Server 2003, see Public Key Infrastructure (http://go.microsoft.com/fwlink/?LinkID=54917).

As mentioned earlier in this guide, by default TLS 1.0 is used to encrypt communications between Terminal Services clients and TS Gateway servers over the Internet. TLS is a standard protocol that helps to secure Web communications on the Internet or intranets. TLS is the latest and most secure version of the SSL protocol. For more information about TLS, see:
- SSL/TLS in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkID=19646)
- RFC 2246: The TLS Protocol Version 1.0 (http://go.microsoft.com/fwlink/?LinkID=40979)

For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the TS Gateway server.

Certificate requirements for TS Gateway

Certificates for TS Gateway must meet these requirements:
- The name in the Subject line of the server certificate (certificate name, or CN) must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this.
Note: If you are using the SAN attributes of certificates, clients that connect to the TS Gateway server must be running Remote Desktop Connection (RDC) 6.1. (RDC 6.1 [6.0.6001] supports Remote Desktop Protocol 6.1.) RDC 6.1 is included with Windows Server 2008 and Windows Vista SP1 and Windows XP SP3.
- The certificate is a computer certificate.
- The intended purpose of the certificate is server authentication.
- The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
- The certificate has a corresponding private key.
- The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.
- A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the certificate that you plan to use contains an object identifier of 2.5.29.15, you can only use the certificate if at least one of the following key usage values is also set: CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE, and CERT_DATA_ENCIPHERMENT_KEY_USAGE. For more information about these values, see Advanced Certificate Enrollment and Management (http://go.microsoft.com/fwlink/?LinkID=74577).
- The certificate must be trusted on clients. That is, the public certificate of the CA that signed the TS Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.
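The requirements above can be checked before you map a certificate. The following script is an added example and is not part of the Microsoft guide: it inspects every certificate in the local computer's Personal store and reports which requirements each one fails. It assumes PowerShell 2.0 or later on the TS Gateway server and that the placeholder name `tsgateway.contoso.com` is replaced with the DNS name clients actually use; the last requirement (trust on the client) can only be verified from a client and is not covered here.

```powershell
# Added example (not from the Microsoft guide). Assumes PowerShell 2.0 or later on
# the TS Gateway server and that $gatewayName is the DNS name clients connect to.
$OidServerAuth = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication
$OidSan        = '2.5.29.17'           # Subject Alternative Name extension

function Test-TSGatewayCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory = $true)]
        [string] $GatewayDnsName
    )
    $problems = @()

    # Requirement: Subject CN must match the client-facing DNS name, unless a
    # wildcard certificate or a SAN DNS entry covers it.
    $names = @($Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $OidSan }
    if ($san) {
        # Format($false) renders the extension as "DNS Name=gw.contoso.com, DNS Name=..."
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $nameOk = $false
    foreach ($n in $names) {
        # -like gives a simple wildcard match; "*.contoso.com" covers gw.contoso.com
        if ($n -eq $GatewayDnsName -or ($n.StartsWith('*.') -and $GatewayDnsName -like $n)) {
            $nameOk = $true
        }
    }
    if (-not $nameOk) {
        $problems += "no CN or SAN entry matches '$GatewayDnsName' (found: $($names -join ', '))"
    }

    # Requirement: EKU contains Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($eku) {
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($oid.Value -eq $OidServerAuth) { $hasServerAuth = $true }
        }
    }
    if (-not $hasServerAuth) { $problems += 'EKU does not include Server Authentication' }

    # Requirement: a corresponding private key is present in this store.
    if (-not $Certificate.HasPrivateKey) { $problems += 'no corresponding private key' }

    # Requirement: not expired; the guide recommends a year of validity from installation.
    $now = Get-Date
    if ($Certificate.NotBefore -gt $now -or $Certificate.NotAfter -lt $now) {
        $problems += "not currently valid ($($Certificate.NotBefore) to $($Certificate.NotAfter))"
    } elseif ($Certificate.NotAfter -lt $now.AddYears(1)) {
        $problems += 'warning: less than one year of validity remaining'
    }

    # Requirement: if Key Usage (2.5.29.15) is present, at least one of
    # KeyEncipherment, KeyAgreement or DataEncipherment must be set.
    $ku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku) {
        $accepted = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] `
                    'KeyEncipherment, KeyAgreement, DataEncipherment'
        if (($ku.KeyUsages -band $accepted) -eq 0) {
            $problems += "Key Usage is $($ku.KeyUsages); needs KeyEncipherment, KeyAgreement or DataEncipherment"
        }
    }

    # Warnings do not make the certificate unusable; everything else does.
    New-Object PSObject -Property @{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Usable     = (@($problems | Where-Object { $_ -notlike 'warning:*' }).Count -eq 0)
        Problems   = $problems
    }
}

# Check every certificate in the local computer's Personal store (the store the
# guide requires for TS Gateway). Placeholder name: replace with your gateway's.
$gatewayName = 'tsgateway.contoso.com'
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-TSGatewayCertificate -Certificate $_ -GatewayDnsName $gatewayName } |
    Format-List Subject, Thumbprint, Usable, Problems
```

A certificate that reports Usable = True here is one the Choose an existing certificate for SSL encryption list will also accept, since that list filters on the same EKU.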

Using existing certificates

If you already have a certificate, you can reuse it for the TS Gateway server if the certificate:
- Is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program [as listed in article 931125 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547)]; and
- Meets the certificate requirements for TS Gateway server.
If the certificate is not trusted by the Microsoft Root Certificate Program Members program (for example, if you create and install a self-signed certificate on the TS Gateway server and you do not manually configure the Terminal Services client computer to trust the certificate), a warning stating that you do not have a trusted certificate appears when the client attempts to connect through the TS Gateway server, and the connection will not succeed. To prevent this error from occurring, install the certificate in the computer certificate store on the client computer before the client attempts to connect through the TS Gateway server.
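To see from a client computer whether its connection will hit the trust warning described above, the following added example (not part of the Microsoft guide) opens a TLS connection to the TS Gateway server on port 443 and reports the two validation results that matter to the Remote Desktop Connection client: whether the issuing chain is trusted by this client and whether the certificate name matches the name used to connect. It assumes PowerShell 2.0 or later and uses the placeholder gateway name `tsgateway.contoso.com`.

```powershell
# Added example (not from the Microsoft guide). Run from a Terminal Services client
# computer; the gateway name is a placeholder for your own TS Gateway server's DNS name.
function Test-TSGatewayTlsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string] $GatewayDnsName,
        [int] $Port = 443
    )
    # The validation callback records what the client saw and lets the handshake
    # complete, so an untrusted or mismatched certificate is reported, not thrown.
    $seen = @{ Errors = $null; Cert = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.Errors = $sslPolicyErrors
        $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($GatewayDnsName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name passed here is what the certificate is checked against, just as
        # RDC checks the name the user typed into the connection settings.
        $ssl.AuthenticateAsClient($GatewayDnsName)
        $errors = [string] $seen.Errors           # e.g. "None" or "RemoteCertificateChainErrors"
        $result = New-Object PSObject -Property @{
            Gateway      = ('{0}:{1}' -f $GatewayDnsName, $Port)
            Protocol     = $ssl.SslProtocol
            Subject      = $seen.Cert.Subject
            Issuer       = $seen.Cert.Issuer
            NotAfter     = $seen.Cert.NotAfter
            ChainTrusted = ($errors -notmatch 'RemoteCertificateChainErrors')   # issuing CA in this client's trusted store
            NameMatches  = ($errors -notmatch 'RemoteCertificateNameMismatch')  # CN/SAN matches the name used
            PolicyErrors = $errors                                              # "None" means RDC will accept it
        }
        $ssl.Close()
        return $result
    } finally {
        $tcp.Close()
    }
}

Test-TSGatewayTlsEndpoint -GatewayDnsName 'tsgateway.contoso.com' | Format-List
```

ChainTrusted = False on a self-signed gateway certificate is exactly the case the text describes; it clears once the root certificate is installed in the client's Trusted Root Certification Authorities store.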

Certificate installation and configuration process overview

The process of obtaining, installing, and configuring a certificate for TS Gateway server involves the following steps:
1. Obtain a certificate for the TS Gateway server by doing one of the following:
- If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates that meet TS Gateway requirements, you can generate and submit a certificate request in several ways, depending on the policies and configuration of your organization's CA. Methods for obtaining a certificate include:
  - Initiating auto-enrollment from the Certificates snap-in.
  - Requesting certificates by using the Certificate Request Wizard.
  - Requesting a certificate over the Web.
  Note: If you have a Windows Server 2003 CA, be aware that the Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll. This ActiveX control is available in Microsoft Windows 2000, Windows Server 2003, and Windows XP. However, Xenroll has been deprecated in Windows Server 2008 and Windows Vista. The sample certificate enrollment Web pages that are included with the original release version of Windows Server 2003, Windows Server 2003 Service Pack 1 (SP1), and Windows Server 2003 Service Pack 2 (SP2) are not designed to handle the change in how Windows Server 2008 and Windows Vista perform Web-based certificate enrollment operations. For information about the steps that you can take to address this issue, see article 922706 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=94472).
  - Using the Certreq command-line tool.
  For more information about using any of these methods to obtain certificates for Windows Server 2008, see the "Obtain a Certificate" topic in the Certificates snap-in Help and the "Certreq" topic in the Windows Server 2008 Command Reference. To review the Certificates snap-in Help topics, click Start, click Run, type hh certmgr.chm, and then click OK. For information about how to request certificates for Windows Server 2003, see Requesting Certificates (http://go.microsoft.com/fwlink/?LinkID=19638).
  A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA that participates in the Microsoft Root Certification Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547). Otherwise, users connecting from home computers or kiosks might not be able to connect to TS Gateway servers. These connections might fail because the enterprise CA-issued root might not be trusted by computers that are not members of domains, such as home computers or kiosks.
- If your company does not maintain a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates, you can purchase a certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547). Some of these vendors might offer certificates at no cost on a trial basis.
- Alternatively, if your company does not maintain a stand-alone or enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes. For step-by-step instructions, see Create a self-signed certificate for TS Gateway. In the example configurations described in this guide, a self-signed certificate is used.
Important: If you use either of the first two methods to obtain a certificate (that is, if you obtain a certificate from a stand-alone or enterprise CA or a trusted public CA), you must also install the certificate on the TS Gateway server and map the certificate. However, if you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation (as described in Create a self-signed certificate for TS Gateway), you do not need to install or map the certificate to the TS Gateway server. In this case, the certificate is automatically created, installed in the correct location on the TS Gateway server, and mapped to the TS Gateway server.
Note: Terminal Services clients must have the certificate of the CA that issued the server certificate in their Trusted Root Certification Authorities store. Therefore, if you create a self-signed certificate by following the procedure in this guide, you must copy the certificate to the client computer (or to a network share that can be accessed from the client computer) and then install the certificate in the Trusted Root Certification Authorities store on the client computer. For step-by-step instructions, see Install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client. If you use one of the first two methods to obtain a certificate and the Terminal Services client computer trusts the issuing CA, you do not need to install the certificate of the CA that issued the server certificate in the client computer certificate store. For example, you do not need to install the certificate of the issuing CA in the client computer certificate store if a VeriSign or other public, trusted CA certificate is installed on the TS Gateway server. If you use the third method to obtain a certificate (that is, if you create a self-signed certificate), you do need to copy the certificate of the CA that issued the server certificate to the client computer. Then, you must install that certificate in the Trusted Root Certification Authorities store on the client computer. For more information, see Install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client.
2. Install the certificate. Install a certificate on the TS Gateway server. Use this procedure, described later in this guide, to install the certificate on your TS Gateway server.
3. Map the certificate. Map the TS Gateway certificate. This procedure, described later in this guide, allows you to specify that the existing certificate be used by the TS Gateway server.

Create a self-signed certificate for TS Gateway

This procedure describes how to use TS Gateway Manager to create a self-signed certificate for technical evaluation and testing purposes, if you did not already create one by using the Add Roles Wizard when you installed the TS Gateway role service.
Important: We recommend that you use self-signed certificates only for testing and evaluation purposes. After you create the self-signed certificate, you must copy it to the client computer (or to a network share that can be accessed from the client computer), and then install it in the Trusted Root Certification Authorities store on the client computer. If you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation (as described in this procedure), you do not need to install or map the certificate to the TS Gateway server.

To create a self-signed certificate for the TS Gateway server
1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. In the results pane, under Configuration Status, click View or modify certificate properties.
4. On the SSL Certificate tab, click Create a self-signed certificate for SSL encryption, and then click Create Certificate.
5. In the Create Self-Signed Certificate dialog box, do the following:
a. Under Certificate name, verify that the correct common name (CN) is specified for the self-signed certificate, or specify a new name. The CN must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates.
b. Under Certificate location, to store the root certificate in a specified location so that you can manually distribute the root certificate to clients, verify that the Store the root certificate check box is selected, and then specify where to store the certificate. By default, this check box is selected and the certificate is stored under the %Windir%\Users\<Username>\Documents folder.
c. Click OK.
6. If you selected the Store the root certificate check box and specified a location for the certificate, a message will appear stating that TS Gateway has successfully created the self-signed certificate, and confirming the location of the stored certificate. Click OK to close the message.
7. Click OK again to close the TS Gateway server Properties dialog box.

3. Configure a certificate for the TS Gateway server

The process of configuring a certificate for a TS Gateway server involves these steps:
- Install a certificate on the TS Gateway server
- Map the TS Gateway server certificate

23

Install a certificate on the TS Gateway server

After you obtain a certificate, use this procedure to install the certificate in the correct location on the TS Gateway server, if the certificate is not already installed. After you complete this procedure, you must map the certificate.
Note: This procedure is not required if you created a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation, as described in Create a self-signed certificate for TS Gateway. In either case, a certificate is automatically created, installed in the correct location on the TS Gateway server, and mapped to the TS Gateway server.

To install a certificate on the TS Gateway server
1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
a. Click Start, click Run, type mmc, and then click OK.
b. On the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
d. In the Certificates snap-in dialog box, click Computer account, and then click Next.
e. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
f. In the Add or Remove Snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Personal.
3. Right-click the Personal folder, point to All Tasks, and then click Import.
4. On the Welcome to the Certificate Import Wizard page, click Next.
5. On the File to Import page, in the File name box, specify the name of the certificate that you want to import, and then click Next.
6. On the Password page, do the following:
a. If you specified a password for the private key associated with the certificate earlier, type the password.
b. If you want to mark the private key for the certificate as exportable, ensure that Mark this key as exportable is selected.
c. If you want to include all extended properties for the certificate, ensure that Include all extended properties is selected.
d. Click Next.
7. On the Certificate Store page, accept the default option, and then click Next.
8. On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected.
9. Click Finish.
10. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
11. With Certificates selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the TS Gateway server. The certificate must be under the Personal store of the local computer.

Map the TS Gateway server certificate

You must use TS Gateway Manager to map the TS Gateway server certificate. If you map a TS Gateway server certificate by using any other method, TS Gateway will not function correctly.
Note: This procedure is not required if you created a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation, as described in Create a self-signed certificate for TS Gateway.

To map a certificate to the local TS Gateway server
1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties.
3. On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), and then click Browse Certificates.
4. In the Install Certificate dialog box, click the certificate that you want to use, and then click Install.
5. Click OK to close the Properties dialog box for the TS Gateway server.
6. If this is the first time that you have mapped the TS Gateway certificate, after the certificate mapping is completed, you can verify that the mapping was successful by viewing the TS Gateway Server Status area in TS Gateway Manager. Under Configuration Status and Configuration Tasks, the warning stating that a server certificate is not yet installed or selected and the View or modify certificate properties hyperlink are no longer displayed.

Understand authorization policies for TS Gateway

After you install the TS Gateway role service and configure a certificate for the TS Gateway server, you must create Terminal Services connection authorization policies (TS CAPs), computer groups, and Terminal Services resource authorization policies (TS RAPs).

TS CAPs
TS CAPs allow you to specify who can connect to a TS Gateway server. You can specify a user group that exists on the local TS Gateway server or in Active Directory Domain Services. You can also specify other conditions that users must meet to access a TS Gateway server. For example, you can specify that all users who connect to a specific terminal server that is hosting a human resources (HR) database through a TS Gateway server must be members of the "HR Users" security group. You can also specify that the client computer that is initiating the connection must be a member of an Active Directory security group in the internal network to connect to the TS Gateway server. By requiring that the computer be a member of a specific Active Directory security group in the internal network, you can exclude users who are attempting to connect to the internal network from kiosks, airport computers, or home computers that are not trusted.

For enhanced security when clients are connecting to the internal network through TS Gateway, you can also specify whether to disable client device redirection for all devices supported by the Terminal Services client, or just for a specific type of device such as a disk drive or supported Plug and Play devices. If you disable client device redirection for all devices supported by the client, all device redirection is disabled, except for audio and smart card redirection. When you select the option to disable device redirection for specific device types or to disable all device types except for smart cards, the TS Gateway server will send the request back to the client with a list of the device types to be disabled. This list is a suggestion only; it is possible for the client to modify the device redirection settings in the list.
Warning: Because the TS Gateway server relies on the client to enforce the device redirection settings suggested by the server, this feature should not be considered to provide guaranteed security. The suggested device redirection settings can only be enforced for Remote Desktop Connection (RDC) clients; the settings cannot be enforced for clients that do not use RDC. Additionally, it is possible for a malicious user to modify an RDC client so that the client ignores the suggested settings. In such cases, this feature cannot provide guaranteed security, even for RDC clients.

Additionally, you can specify whether remote clients must use smart card authentication or password authentication to access internal network resources through a TS Gateway server. When both of these options are selected, clients that use either authentication method are allowed to connect. Finally, if your organization has deployed Network Access Protection (NAP), you can specify that the client must send a statement of health (SoH). For information about how to configure TS Gateway for NAP, see Configuring the TS Gateway NAP Scenario.
Important: Users are granted access to a TS Gateway server if they meet the conditions specified in the TS CAP. You must also create a TS RAP. A TS RAP allows you to specify the internal network resources (computers) that users can connect to through TS Gateway. Until you create both a TS CAP and a TS RAP, users cannot connect to internal network resources through this TS Gateway server.
26

TS RAPs
TS RAPs allow you to specify the internal network resources that remote users can connect to through a TS Gateway server. When you create a TS RAP, you can create a computer group (a list of computers on the internal network to which you want the remote users to connect) and associate it with the TS RAP. For example, you can specify that users who are members of the "HR Users" user group be allowed to connect only to computers that are members of the "HR Computers" computer group, and that users who are members of the "Finance Users" user group be allowed to connect only to computers that are members of the "Finance Computers" computer group. Remote users connecting to an internal network through a TS Gateway server are granted access to computers on the network if they meet the conditions specified in at least one TS CAP and one TS RAP.
Note: When you associate a TS Gateway-managed computer group with a TS RAP, you can support both fully qualified domain names (FQDNs) and NetBIOS names by adding both names to the TS Gateway-managed computer group separately. When you associate an Active Directory security group with a TS RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the TS Gateway server. If the internal network computer belongs to a different domain than the TS Gateway server, users must specify the FQDN of the internal network computer.

Together, TS CAPs and TS RAPs provide two different levels of authorization to provide you with the ability to configure a more specific level of access control to computers on an internal network.

Security groups and TS Gateway-managed computer groups associated with TS RAPs

Remote users can connect through TS Gateway to internal network resources in a computer group. The computer group members can be any one of the following:
- Members of an existing security group. The security group can exist in Local Users and Groups on the TS Gateway server, or it can exist in Active Directory Domain Services.
- Members of an existing TS Gateway-managed computer group or a new TS Gateway-managed computer group. You can configure a TS Gateway-managed computer group by using TS Gateway Manager after installation. A TS Gateway-managed group will not appear in Local Users and Groups on the TS Gateway server, nor can it be configured by using Local Users and Groups.
- Any network resource. In this case, users can connect to any computer on the internal network that they could connect to when they use Remote Desktop Connection.

27

A+ Create a TS CAP for the TS Gateway server


This procedure describes how to use TS Gateway Manager to create a custom TS CAP. Alternatively, you can use the Authorization Policies Wizard to quickly create a TS CAP and a TS RAP for TS Gateway.

Important: If you configure more than one TS CAP, keep in mind that TS Gateway uses the following policy lookup behavior: policies are applied in the numerical order shown in the TS Gateway Manager results pane, and access to the TS Gateway server is granted by the first matching policy. That is, if a client does not meet the requirements of the first TS CAP in the list, TS Gateway evaluates the second policy in the list, and so forth, until it locates a TS CAP whose requirements are met. If a client does not meet the requirements of any TS CAP in the list, TS Gateway denies access to the client. Because the first match wins, a permissive TS CAP placed above a stricter one makes the stricter policy unreachable for every client that the permissive one admits, so review the order whenever you add a policy.

To create a TS CAP for the TS Gateway server
1. Open TS Gateway Manager.
2. In the console tree, click to select the node that represents the TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. In the console tree, expand Policies, and then click Connection Authorization Policies.
4. Right-click the Connection Authorization Policies folder, click Create New Policy, and then click Custom.
5. On the General tab, type a name for the policy, and then verify that the Enable this policy check box is selected.
6. On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes: Password, Smart card. When both of these options are selected, clients that use either authentication method are allowed to connect.
7. Under User group membership (required), click Add Group, and then specify a user group whose members can connect to the TS Gateway server. You must specify at least one user group.
8. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following: type the name of each user group, separating the names with a semicolon; or add additional groups from different domains by repeating this step for each group.
9. To specify computer domain membership criteria that client computers should meet (optional), on the Requirements tab, under Client computer group membership (optional), click Add Group, and then specify the computer groups. In the example configurations, no computer group is specified. To specify computer groups, you can use the same steps that you used to specify user groups.
10. On the Device Redirection tab, select one of the following options to enable or disable redirection for remote client devices:
   - To permit all client devices to be redirected when connecting through the TS Gateway server, click Enable device redirection for all client devices. By default, this option is selected.
   - To disable device redirection for all client devices except for smart cards when connecting through the TS Gateway server, select Disable device redirection for all client devices except for smart card.
   - To disable device redirection for only certain device types when connecting through the TS Gateway server, click Disable device redirection for the following client device types, and then select the check boxes that correspond to the client device types for which device redirection should be disabled.
   Important: Device redirection settings can be enforced only for Microsoft Remote Desktop Connection (RDC) clients. Other clients may ignore them, so do not rely on this setting alone to keep data from leaving a session through redirected drives or the clipboard.
11. Click OK.
12. The new TS CAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS CAP, the policy details appear in the lower pane.

5. Create a TS RAP and specify computers that users can connect to through the TS Gateway server
This procedure describes how to use TS Gateway Manager to create a custom TS RAP, and to specify computers that users can connect to through the TS Gateway server. Alternatively, you can use the Authorization Policies Wizard to complete these tasks.

Important: If users are connecting to members of a terminal server farm, you must configure a TS RAP that explicitly specifies the name of the terminal server farm. To do so, when you create the TS RAP, on the Computer Group tab, select the Select existing TS Gateway-managed computer group or create a new one option, and then explicitly specify the name of the terminal server farm. If the name of the terminal server farm is not explicitly specified, users will not be able to connect to members of the farm. For optimal security and ease of administration, to specify the terminal servers that are members of the farm, create a second TS RAP. On the Computer Group tab, select the Select an Active Directory security group option, and then specify the security group that contains the terminal servers in the farm. Doing this optimizes security by ensuring that the members of the farm are trusted members of an Active Directory security group.

To create a TS RAP and specify computers that users can connect to through the TS Gateway server
1. Open TS Gateway Manager.
2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. In the console tree, expand Policies, and then click Resource Authorization Policies.
4. Right-click the Resource Authorization Policies folder, click Create New Policy, and then click Custom.
5. On the General tab, in the Policy name box, enter a name that is no longer than 64 characters.
6. In the Description box, enter a description for the new TS RAP.
7. On the User Groups tab, click Add to select the user groups to which you want this TS RAP to apply.
8. In the Select Groups dialog box, specify the user group location and name, and then click OK. To specify more than one user group, do either of the following: type the name of each user group, separating the names with a semicolon; or add additional groups from different domains by repeating Step 7 for each group.
9. On the Computer Group tab, specify the computer group that users can connect to through TS Gateway by doing one of the following:
   - To specify an existing security group, click Select an existing Active Directory security group, and then click Browse. In the Select Group dialog box, specify the group location and name, and then click OK. Note that you can select a security group in Local Users and Groups, rather than in Active Directory Domain Services.
   - To specify a TS Gateway-managed computer group, click Select an existing TS Gateway-managed computer group or create a new one, and then click Browse. In the Select a TS Gateway-managed Computer Group dialog box, do one of the following:
     - Select an existing TS Gateway-managed computer group by clicking the name of the computer group that you want to use, and then click OK to close the dialog box.
     - Create a new TS Gateway-managed computer group by clicking Create New Group. On the General tab, type a name and description for the new group. On the Network Resources tab, type the name or IP address of the computer or Terminal Services farm that you want to add, and then click Add. Repeat this step as needed to specify additional computers, and then click OK to close the New TS Gateway-Managed Computer Group dialog box. In the Select a TS Gateway-managed Computer Group dialog box, click the name of the new computer group, and then click OK to close the dialog box.
     Important: When you add an internal network computer to the list of TS Gateway-managed computers, keep in mind that if you want to allow remote users to connect to the computer by specifying either its computer name or its IP address, you must add the computer to the computer group twice (by specifying the computer name of the computer and adding it to the computer group, and then specifying the IP address of the computer and adding it to the computer group again). If you specify only an IP address for a computer when you add it to a computer group, users must also specify the IP address of that computer when they connect to that computer through TS Gateway. To ensure that remote users connect to the internal network computers that you intend, we recommend that you do not specify IP addresses for the computers if the computers are not configured to use static IP addresses. For example, you should not specify IP addresses if your organization uses DHCP to dynamically reconfigure IP addresses for the computers: the address you authorized may later belong to a different host.
   - To specify any network resource, click Allow users to connect to any network resource, and then click OK.
10. After you specify a computer group, the new TS RAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS RAP, the policy details appear in the lower pane.
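The two procedures above are driven through the TS Gateway Manager console. The following PowerShell script is an added example, not part of this guide, that audits the same objects on a TS Gateway server through its WMI provider and flags the settings the guide warns about: a TS CAP that leaves the client computer group empty, a TS RAP that allows any network resource, and a TS Gateway-managed computer group that lists IP addresses. It assumes the class and property names of the root\CIMV2\TerminalServices provider as documented for Windows Server 2008 (Win32_TSGatewayConnectionAuthorizationPolicy, Win32_TSGatewayResourceAuthorizationPolicy, Win32_TSGatewayResourceGroup, and a ResourceGroupType value of ALL for "any network resource"); confirm them with Get-Member on your build before acting on a finding. The sample inventory at the end is constructed data so the checks can be exercised without a gateway.

```powershell
# Added example (not from the guide): audit TS CAPs, TS RAPs and TS Gateway-managed
# computer groups through the TS Gateway WMI provider and flag settings that widen access.
# ASSUMPTION: class and property names are those of the root\CIMV2\TerminalServices
# provider for Windows Server 2008; verify with
#   Get-WmiObject -Namespace root\CIMV2\TerminalServices -Class Win32_TSGatewayResourceAuthorizationPolicy | Get-Member
# Run in an elevated session on the TS Gateway server.
$TsgNamespace = 'root\CIMV2\TerminalServices'

function Get-TSGatewayPolicyInventory {
    param([string]$ComputerName = '.')
    $wmi = @{ Namespace = $TsgNamespace; ComputerName = $ComputerName }
    New-Object PSObject -Property @{
        Caps   = @(Get-WmiObject @wmi -Class Win32_TSGatewayConnectionAuthorizationPolicy)
        Raps   = @(Get-WmiObject @wmi -Class Win32_TSGatewayResourceAuthorizationPolicy)
        Groups = @(Get-WmiObject @wmi -Class Win32_TSGatewayResourceGroup)
    }
}

function Test-TSGatewayPolicyInventory {
    # Pure check over an inventory object, so it also runs against constructed data.
    param($Inventory)
    $findings = @()

    # TS CAPs: the first match grants access, so a permissive policy early in the list
    # hides every stricter policy below it. Compare this order with the results pane.
    $position = 0
    foreach ($cap in $Inventory.Caps) {
        $position++
        if (-not $cap.Enabled) { continue }
        if (-not $cap.ComputerGroupNames) {
            $findings += "CAP #$position '$($cap.Name)': no client computer group; any computer a member logs on from may connect"
        }
        if ($cap.PasswordAuthentication -and -not $cap.SmartcardAuthentication) {
            $findings += "CAP #$position '$($cap.Name)': password is the only accepted authentication method"
        }
    }

    # TS RAPs: a resource group type of ALL is the "Allow users to connect to any
    # network resource" option; the gateway then relays RDP to every internal host.
    foreach ($rap in $Inventory.Raps) {
        if (-not $rap.Enabled) { continue }
        if ($rap.ResourceGroupType -eq 'ALL') {
            $findings += "RAP '$($rap.Name)': grants '$($rap.UserGroupNames)' access to ANY network resource"
        }
    }

    # TS Gateway-managed groups: a bare IP address authorizes whichever host holds the
    # address at connection time, which under DHCP need not be the intended one.
    foreach ($group in $Inventory.Groups) {
        foreach ($entry in @($group.Resources -split ';' | Where-Object { $_ })) {
            if ($entry -match '^\d{1,3}(\.\d{1,3}){3}$') {
                $findings += "Computer group '$($group.Name)': entry '$entry' is an IP address, not a name"
            }
        }
    }
    return ,$findings
}

# Constructed sample inventory (not real policy data) to exercise the checks offline.
$sample = New-Object PSObject -Property @{
    Caps   = @(New-Object PSObject -Property @{
                 Name = 'TSCAP1'; Enabled = $true; PasswordAuthentication = $true
                 SmartcardAuthentication = $false; UserGroupNames = 'CONTOSO\Remote Users'
                 ComputerGroupNames = '' })
    Raps   = @(New-Object PSObject -Property @{
                 Name = 'Everything'; Enabled = $true; ResourceGroupType = 'ALL'
                 ResourceGroupName = ''; UserGroupNames = 'CONTOSO\Remote Users' })
    Groups = @(New-Object PSObject -Property @{
                 Name = 'Finance terminal servers'; Resources = 'ts1.contoso.com;10.0.0.25' })
}
Test-TSGatewayPolicyInventory $sample | ForEach-Object { Write-Warning $_ }
# Against the live server:
# Test-TSGatewayPolicyInventory (Get-TSGatewayPolicyInventory) | ForEach-Object { Write-Warning $_ }
```

The check logic is separated from the WMI fetch so the same function can be run against an exported inventory during review; the sample above produces three warnings, one for each of the conditions the guide cautions against.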

6. Limit the maximum number of simultaneous connections through TS Gateway (optional)


By default, with the exception of TS Gateway servers that are running on Windows Server® 2008 Standard, no limit is set for the number of simultaneous connections that clients can make to internal network resources through a TS Gateway server. To optimize TS Gateway server performance or to ensure compliance with the connection/security policies of your organization, you can set a limit for the number of simultaneous connections that clients can make to network resources through a TS Gateway server.

Note: For TS Gateway servers that are running on Windows Server 2008 Standard, a maximum of 250 simultaneous connections is supported.

To limit the maximum number of allowable connections for TS Gateway
1. Open TS Gateway Manager.
2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. In the console tree, expand Monitoring.
4. With the Monitoring folder selected, right-click the Monitoring folder, and then click Edit Connection Limit.
5. On the General tab, under Maximum Connections, do one of the following:
   - To set a limit for the maximum number of simultaneous connections that Terminal Services clients can make to internal network resources through TS Gateway, click Limit maximum allowed simultaneous connections to, and then specify the number of allowable connections.
   - To set no limit on the number of allowable connections between clients and internal network resources through TS Gateway, click Allow the maximum supported simultaneous connections. This is the default option. Keep in mind that for TS Gateway servers that are running on Windows Server 2008 Standard, a maximum of 250 simultaneous connections is supported.
   - To prevent new connections from being made between clients and internal network resources through TS Gateway, click Disable new connections. If you select this option, only new connection attempts will be rejected. Current connections will not be ended by TS Gateway.
6. Click OK.

Steps for configuring a Terminal Services client for the TS Gateway core scenario
To configure the Terminal Services client for the TS Gateway core scenario, complete these tasks.
Task | Reference/Step-by-step instructions
1. Install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client (optional). Note: This procedure is not required if a certificate that is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program is installed on the TS Gateway server, and the Terminal Services client computer trusts the certificate. | Install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client
2. Configure Remote Desktop Connection settings. | Configure Remote Desktop Connection settings
3. Verify that end-to-end connectivity through the TS Gateway server is functioning correctly. | Verify that end-to-end connectivity through the TS Gateway server is functioning correctly

1. Install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client (optional)
The client computer must verify and trust the identity of the TS Gateway server before the client can send the user's password and logon credentials securely and complete the authentication process. To establish this trust, the clients must trust the root of the server's certificate. That is, clients must have the certificate of the certification authority (CA) that issued the server certificate in their Trusted Root Certification Authorities store. You can view this store by using the Certificates snap-in.

As mentioned, this procedure is not required if:
- A certificate that is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program (as listed in Microsoft Knowledge Base article 931125) is installed on the TS Gateway server; and
- The Terminal Services client computer already trusts the issuing CA.

If the TS Gateway server is using a certificate that is issued by one of the trusted public CAs, and the certificate is recognized and trusted by your client computer, proceed to complete the steps in the "Configure Remote Desktop Connection settings" section.

Important: Do not install certificates from any untrusted sources or individuals. Anything you place in the Trusted Root Certification Authorities store becomes a trust anchor for the computer, so before you import a self-signed TS Gateway certificate, compare its thumbprint with the value shown for the certificate in TS Gateway Manager on the server (or obtained from the server administrator through another channel), and import it only if the two match.

Note: If you are configuring the Terminal Services client for use with Network Access Protection (NAP), you must install the TS Gateway server root certificate by using the computer account. If not, you can install the TS Gateway server root certificate by using the user account.

Before completing the steps in the following procedure, you must have already copied the certificate to the client computer. For example, if you created a self-signed certificate for the TS Gateway server by using TS Gateway Manager, you must have already copied that certificate from the TS Gateway server to the client computer.

To install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client
1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
   a. Click Start, click Run, type mmc, and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
   d. In the Certificates snap-in dialog box, to open the snap-in for a computer account, click Computer account, and then click Next. To open the snap-in for a user account, click My user account, and then click Finish.
   e. If you opened the Certificates snap-in for a computer account, in the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
   f. In the Add or Remove Snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.
3. On the Welcome to the Certificate Import Wizard page, click Next.
4. On the File to Import page, in the File name box, browse to the TS Gateway server root certificate, click Open, and then click Next.
5. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next.
6. On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear:
   Certificate Store Selected by User: Trusted Root Certification Authorities
   Content: Certificate
   File Name: FilePath\<Root_Certificate_Name>.cer, where <Root_Certificate_Name> is the name of the TS Gateway server root certificate.
7. Click Finish.
8. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
9. With Certificates selected in the console tree, in the details pane, verify that the root certificate of the TS Gateway server appears in the list of certificates on the client. Ensure that the certificate appears under the Trusted Root Certification Authorities store.
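The snap-in procedure above has no step that confirms the certificate is the one the server really uses, or that the name on it is the one clients will type. The following script is an added example, not part of this guide: it imports the root certificate into the computer's Trusted Root store only after the thumbprint matches a value obtained out of band, and then opens a TLS connection to the gateway to report whether the certificate it presents chains to a trusted root and whether its DNS name equals the gateway FQDN. The file path C:\certs\tsgateway-root.cer, the host name tsgserver.contoso.com and the thumbprint placeholder are assumptions; the .NET X509Store, X509Chain and SslStream classes it uses are part of the Framework that ships with Windows Vista and Windows Server 2008.

```powershell
# Added example (not from the guide): import the TS Gateway root certificate only after
# its thumbprint matches an out-of-band value, then check what the gateway presents on 443.
# ASSUMPTIONS: the .cer file is at C:\certs\tsgateway-root.cer, the gateway FQDN is
# tsgserver.contoso.com, and the expected thumbprint was read from TS Gateway Manager
# on the server (or supplied by its administrator), not taken from the file itself.

function Import-TSGatewayRootCertificate {
    param(
        [string]$Path,
        [string]$ExpectedThumbprint,
        [string]$StoreLocation = 'LocalMachine'   # NAP clients need the computer store; 'CurrentUser' otherwise
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        # Anything added to Root becomes a trust anchor for every TLS connection this
        # computer makes, so refuse rather than import a certificate you cannot verify.
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not importing."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', $StoreLocation
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

function Test-TSGatewayServerCertificate {
    # Completes a TLS handshake with the gateway and reports the two properties the RDC
    # client requires: a chain ending in a trusted root, and a certificate name equal to
    # the server name entered in the TS Gateway Server Settings dialog.
    param([string]$GatewayFqdn, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient $GatewayFqdn, $Port
    $stream = $tcp.GetStream()
    # Accept any certificate during the handshake; the chain is evaluated explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream $stream, $false, $acceptAll
    try {
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # A self-signed gateway certificate publishes no CRL, so this checks trust only;
        # revocation is a separate check for CA-issued certificates.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainValid = $chain.Build($remote)
        $dnsName = $remote.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        New-Object PSObject -Property @{
            IssuedTo    = $dnsName
            Issuer      = $remote.Issuer
            Thumbprint  = $remote.Thumbprint
            ChainValid  = $chainValid
            NameMatch   = ($dnsName -ieq $GatewayFqdn)
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
}

# Usage on the client (placeholder names and thumbprint):
# Import-TSGatewayRootCertificate -Path 'C:\certs\tsgateway-root.cer' -ExpectedThumbprint '<thumbprint from TS Gateway Manager>'
# Test-TSGatewayServerCertificate -GatewayFqdn 'tsgserver.contoso.com' | Format-List
```

Run the test function before and after the import: ChainValid should change from False to True, and NameMatch must already be True, otherwise the name you plan to enter in the Remote Desktop Connection gateway settings does not match the certificate's Issued to field and the connection will fail regardless of trust.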

2. Configure Remote Desktop Connection settings


To configure Remote Desktop Connection settings
1. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.
3. On the Advanced tab, in the Connect from anywhere area, click Settings.
4. In the TS Gateway Server Settings dialog box, select the appropriate options:
   - Automatically detect TS Gateway server settings (default). If you select this option, the Terminal Services client attempts to use Group Policy settings that determine the behavior of client connections to TS Gateway servers or TS Gateway server farms, if these settings have been configured and enabled. For more information, see the "Using Group Policy to Manage Client Connections Through TS Gateway" topic in the TS Gateway Help.
   - Use these TS Gateway server settings. If a TS Gateway server name or TS Gateway server farm name and a logon method are not already enabled and enforced by Group Policy, you can select this option and specify the name of the TS Gateway server or TS Gateway server farm that you want to connect to and the logon method to use for the connection. The name that you specify for the server must match the name in the Issued to field of the TS Gateway server certificate. If you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation, specify the fully qualified domain name (FQDN) of the TS Gateway server.
   - Bypass TS Gateway server for local addresses. This option is selected by default. If you want the Terminal Services client to automatically detect when TS Gateway is required, select this check box. If you use a mobile computer, selecting this option will optimize client connectivity performance and minimize latency because TS Gateway will only be used when it is required. If your computer is always connected to the local area network (LAN) or if it is hosted inside the internal network firewall, TS Gateway will not be used. If you are outside the internal network and connecting to the internal network over the Internet, TS Gateway will be used. If you are in a LAN, but want to test connectivity through a TS Gateway server or TS Gateway server farm, clear this check box. Otherwise, the client will not connect through the TS Gateway server or TS Gateway server farm in this case.
   - Do not use a TS Gateway server. Select this option if your computer is always connected to the LAN or if it is hosted inside the internal network firewall. This option is appropriate if you know that you do not need to use TS Gateway to traverse a firewall.
5. Do one of the following:
   - To save the settings and close the Remote Desktop Connection dialog box, click Save, and then click Cancel. The settings will be saved as an .RDP file to a default location (by default, the file is saved to Drive:\<Username>\Documents).
   - To save the .RDP file to a specified location (you can customize and distribute the file later to multiple clients as needed), click Save As. In the Save as dialog box, in the File name box, specify the file name and location, and then click Save.
   - To proceed with a connection to an internal network resource, click Save, click Connect, and then proceed to Step 5 in the next procedure ("Verify that end-to-end connectivity through TS Gateway is functioning correctly").
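The settings chosen in step 4 are stored as plain key:type:value lines in the .RDP file that step 5 saves, which is what makes the file distributable. The following script is an added example, not part of this guide: it writes such a file with the TS Gateway settings pinned, and parses a file back so a distributed copy can be checked against the intended gateway before it reaches users. The key names and integer meanings are assumed from the RDC 6.x .rdp format (gatewayusagemethod 1 = always use the gateway, 2 = bypass for local addresses, 0 = do not use one; gatewaycredentialssource 0 = password, 1 = smart card; gatewayprofileusagemethod 1 = use these explicit settings instead of Group Policy or the client default); host names are placeholders.

```powershell
# Added example (not from the guide): write an .rdp file with explicit TS Gateway
# settings, then parse and verify one before distributing it.
# ASSUMPTIONS: .rdp key names and integer values as used by the RDC 6.x client
# (see lead-in); corporateresource.contoso.com and tsgserver.contoso.com are placeholders.

function New-TSGatewayRdpFile {
    param(
        [string]$Path,
        [string]$TargetComputer,     # name the TS RAP will be matched against
        [string]$GatewayFqdn,        # must equal the certificate's "Issued to" name
        [switch]$AlwaysUseGateway,   # default mirrors "Bypass TS Gateway server for local addresses"
        [switch]$SmartCard
    )
    $usage = 2
    if ($AlwaysUseGateway) { $usage = 1 }
    $credSource = 0
    if ($SmartCard) { $credSource = 1 }
    $lines = @(
        "full address:s:$TargetComputer",
        "gatewayhostname:s:$GatewayFqdn",
        "gatewayusagemethod:i:$usage",
        "gatewaycredentialssource:i:$credSource",
        "gatewayprofileusagemethod:i:1",   # explicit settings, not the Group Policy / client default
        "authentication level:i:1",        # do not connect if the target's identity cannot be verified
        "prompt for credentials:i:1"
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode   # RDC writes .rdp files as UTF-16
    return $lines
}

function Get-RdpSettings {
    # Parses key:type:value lines into a hashtable keyed by setting name.
    param([string]$Path)
    $settings = @{}
    foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^(?<key>[^:]+):[si]:(?<value>.*)$') {
            $settings[$matches['key']] = $matches['value']
        }
    }
    return $settings
}

function Test-RdpGatewaySettings {
    # Returns the reasons a file would not route through the expected gateway (empty = consistent).
    param([hashtable]$Settings, [string]$ExpectedGatewayFqdn)
    $problems = @()
    if ($Settings['gatewayprofileusagemethod'] -ne '1') {
        $problems += 'gateway settings are not explicit; Group Policy or the client default will decide'
    }
    if ($Settings['gatewayhostname'] -ne $ExpectedGatewayFqdn) {
        $problems += "gatewayhostname is '$($Settings['gatewayhostname'])', expected '$ExpectedGatewayFqdn'"
    }
    if (@('1', '2') -notcontains $Settings['gatewayusagemethod']) {
        $problems += "gatewayusagemethod is '$($Settings['gatewayusagemethod'])'; the gateway would not be used"
    }
    return ,$problems
}

# Build, then verify, a file for the example hosts (constructed names):
$rdp = Join-Path $env:TEMP 'corporateresource.rdp'
New-TSGatewayRdpFile -Path $rdp -TargetComputer 'corporateresource.contoso.com' -GatewayFqdn 'tsgserver.contoso.com' | Out-Null
Test-RdpGatewaySettings -Settings (Get-RdpSettings $rdp) -ExpectedGatewayFqdn 'tsgserver.contoso.com'   # empty when consistent
# Connect from the file with: mstsc.exe $rdp
```

Because the gateway host name in the file is what the client compares against the certificate, the same name-matching rule from step 4 applies to every file you distribute; a file that names the gateway by a short host name while the certificate carries the FQDN will fail on every client.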

3. Verify that end-to-end connectivity through TS Gateway is functioning correctly


To verify that end-to-end connectivity through TS Gateway is functioning correctly
1. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.
3. On the General tab, type the name of the computer (terminal server or computer running Remote Desktop) to which you want to connect remotely through TS Gateway.
4. Click Connect.
5. In the Enter your credentials dialog box, select the user account that you want to use to log on remotely to the computer, enter the required credentials, and then click OK.
6. In the Gateway server credentials dialog box, select the user name that you want to use to log on to the TS Gateway server, enter the required credentials, and then click OK.
7. After a few moments, the connection completes and a connection will be established through the TS Gateway server to the computer.

Configuring the TS Gateway NAP Scenario


To enhance security, you can configure TS Gateway servers and clients to use Network Access Protection (NAP). NAP is a health policy creation, enforcement, and remediation technology that is included in Windows Vista and Windows Server 2008. By using NAP, you can enforce health requirements on clients that connect to the TS Gateway server, which can include firewalls being enabled, security update requirements, and other required computer configurations. By using NAP, you can help ensure that clients meet the health policy requirements of your organization before they are allowed to connect to internal network resources through TS Gateway servers.

The following steps are required for the successful setup and demonstration of the TS Gateway NAP scenario described as an example in this guide.
1. We recommend that you set up three computers to evaluate this scenario. These computers are:
   - The TS Gateway server/Network Policy Server (NPS server) (known as "TSGSERVER" in this example)
   - The Terminal Services client (known as "TSCLIENT" in this example)
   - An internal network resource (known as "CORPORATERESOURCE" in this example)
   The computers must meet the system requirements described in System requirements for the TS Gateway NAP scenario.
2. Complete the core TS Gateway server configuration by following the instructions in "Steps for configuring the TS Gateway server for the TS Gateway core scenario" in Configuring the TS Gateway Core Scenario.
3. Configure the TS Gateway server for NAP health policy checking by following the instructions in Steps for configuring TS Gateway for the NAP scenario.
4. Complete the core Terminal Services client configuration for TS Gateway by following the instructions in "Steps for configuring a Terminal Services client for the TS Gateway core scenario" in Configuring the TS Gateway Core Scenario.
5. Configure the client as a NAP enforcement client by following the instructions in Steps for configuring a Terminal Services client as a NAP enforcement client.
6. Configure the internal network resource. As mentioned, this resource can be any terminal server or any computer with Remote Desktop enabled.
7. Verify that the NAP health policies created on the TS Gateway server are successfully applied to the Terminal Services client by completing the following two tasks:
   - Testing for a successful blocked connection. If the health policies are correctly applied to the Terminal Services client, the client connection attempt will be blocked by the NPS server when automatic updating is disabled on the Terminal Services client computer.
   - Testing for a successful allowed connection. If the health policies are correctly applied to the Terminal Services client, the client connection attempt will be allowed by the NPS server when automatic updating is enabled on the Terminal Services client computer.
   To complete these two testing tasks, follow the instructions in Test to confirm that the TS Gateway NAP health polic is successfully applied to the Terminal Services client.

System requirements for the TS Gateway NAP scenario


The three computers used in the TS Gateway NAP scenario must meet the following system requirements.
Computer | Required configuration
TS Gateway server (TSGSERVER) | In this scenario, TSGSERVER is used as the TS Gateway server and as an NPS server, and it must run Windows Server 2008. The installation can be an upgrade from Windows Server 2003 SP1 or Windows Server 2008 Release Candidate 0 (RC0). For more information, see "Supported upgrade paths" in Installing Windows Server 2008.
Terminal Services client (TSCLIENT) | In this scenario, TSCLIENT is used as a Terminal Services client and as a NAP client, and it can run any of the following: Windows Vista SP1 or Windows XP SP3; Windows Vista (the installation can be an upgrade from Windows XP with SP2); Windows Server 2008 (the installation can be an upgrade).
Internal network resource (CORPORATERESOURCE) | Windows Vista SP1 or Windows XP SP3; Windows Vista (the installation can be an upgrade from Windows XP with SP2); Windows XP with SP2; Windows XP with SP3; Windows Server 2008 (the installation can be an upgrade); Windows Server 2003 with SP1 or SP2.

Setting up the TS Gateway NAP scenario


The follo"in' dia'ram illustrates ho" TS !ate"ay can be used "ith :/P(


Note: The steps in this setup guide describe how to set up remote access from a Terminal Services client through a TS Gateway server to an internal network resource, with health policy checking for Terminal Services (the NPS server is used to perform the health policy checking). The guide does not describe how to set up the firewalls illustrated in the diagram, the terminal servers running RemoteApp programs, or the perimeter network or Active Directory infrastructure. The diagram is provided to suggest one way in which this scenario might be implemented in a production environment.

Steps for configuring TS Gateway for the NAP scenario


To configure the TS Gateway server NAP scenario, complete these tasks.
Task | Reference/Step-by-step instructions
1. Enable NAP health policy checking on the TS Gateway server. | Enable NAP health policy checking on the TS Gateway server
2. Delete existing TS CAPs and create three new TS CAPs on the TS Gateway server. | Delete existing TS CAPs and create three new TS CAPs on the TS Gateway server
3. Configure a Windows Security Health Validator on the TS Gateway server. | Configure a Windows Security Health Validator on the TS Gateway server
4. Create NAP policies on the TS Gateway server by using the Configure NAP Wizard. | Create NAP policies on the TS Gateway server by using the Configure NAP Wizard

1. Enable NAP health policy checking on the TS Gateway server


To enable NAP health policy checking on the TS Gateway server, you enable a setting on the server that requests that the Terminal Services client send a statement of health (SoH).

To enable health checking on the TS Gateway server
1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Gateway.
2. In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties.
3. On the TS CAP Store tab, select the Request clients to send a statement of health check box.
4. A message will appear, stating that you must also configure TS CAPs for NAP to ensure that health policies are enforced. Click OK to close the message.
5. Click OK again to close the TS Gateway server Properties dialog box.

2. Delete existing TS CAPs and create three new TS CAPs on the TS Gateway server
If you have already created one or more TS CAPs on the TS Gateway server by using TS Gateway Manager and following the procedures in "Create a TS CAP for the TS Gateway server" in Configuring the TS Gateway Core Scenario, we strongly recommend that you delete those TS CAPs by following the steps in this procedure.

Warning: Failure to delete existing TS CAPs might result in security vulnerabilities for your internal network because these TS CAPs might bypass the NAP authorization policies that you will create for the TS Gateway NAP scenario. TS CAPs are evaluated in order and the first match grants access, so a TS CAP that was created before NAP was enabled can admit a client before the NAP policies are consulted. If the NAP authorization policies are bypassed, Terminal Services clients that do not meet NAP authorization policy requirements will be allowed access to the TS Gateway server.

To delete existing TS CAPs on the TS Gateway server
1. Open TS Gateway Manager.
2. In the console tree, click to select the node that represents the TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. In the console tree, expand Policies, and then click Connection Authorization Policies.
4. In the details pane, right-click any existing TS CAPs, and then click Delete.

After you delete any previously created TS CAPs from TS Gateway Manager, create three new identical TS CAPs (TSCAP1, TSCAP2, and TSCAP3) by following the procedures in "Create a TS CAP for the TS Gateway server" in Configuring the TS Gateway Core Scenario. If you have not already done so, also create a TS RAP in TS Gateway Manager. If you have already created a TS RAP that meets your security requirements, you do not need to delete the existing TS RAP and create a new TS RAP. For step-by-step instructions about how to create a TS RAP, see "Create a TS RAP for the TS Gateway server" in Configuring the TS Gateway Core Scenario.

3. Configure a Windows Security Health Validator on the TS Gateway server


When you configure a Windows Security Health Validator (WSHV), you are creating a client health policy that establishes the requirements for client computers that are allowed to connect to your network. When client computers attempt to connect to your network and their configuration does not match the WSHV, their network connection is blocked until the clients meet the conditions of the WSHV. In this example, the WSHV only requires that automatic updating be enabled.

To configure a Windows Security Health Validator on the TS Gateway server
1. Open the Network Policy Server snap-in console. To open Network Policy Server, click Start, point to Administrative Tools, and then click Network Policy Server.
2. In the console tree, click Network Access Protection.
3. In the details pane, under System Health Validators, click Configure System Health Validators.
4. In the details pane, under Name, right-click Windows Security Health Validator, and then click Properties.
5. In the Windows Security Health Validator Properties dialog box, on the Settings tab, click Configure.
6. On the Windows Vista and/or the Windows XP tab (depending on the operating system that the Terminal Services client is running), clear every check box except for Automatic updating is enabled, Restrict access for clients that do not have all available security updates installed, and Windows Update.
7. Click OK to close the Windows Security Health Validator Properties dialog box (with the Windows Vista and Windows XP tabs), and then click OK again to close the Windows Security Health Validator Properties dialog box with the Settings tab.
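The WSHV configured above passes or fails TSCLIENT on one setting, so the blocked and allowed tests in step 7 of the scenario overview depend on flipping that setting deliberately. The following script is an added example, not part of this guide, for the client: it reads the Automatic Updates state through the Windows Update Agent COM object (Microsoft.Update.AutoUpdate) and switches it between Disabled and Enabled so each test can be reproduced on demand. It assumes the NotificationLevel values documented for that API (1 = disabled, 2 to 4 = enabled with increasing automation); whether a given state is judged compliant remains the NPS server's decision, and this script only predicts it.

```powershell
# Added example (not from the guide): read and toggle the client setting that this WSHV
# evaluates, so the "blocked" and "allowed" NAP tests can be reproduced on TSCLIENT.
# ASSUMPTION: Microsoft.Update.AutoUpdate and Settings.NotificationLevel behave as
# documented for the Windows Update Agent API; compliance is decided by NPS, not here.

function Get-AutomaticUpdatingState {
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    # NotificationLevel: 0 = not configured, 1 = disabled, 2 = notify before download,
    # 3 = notify before install, 4 = scheduled install.
    $level = $au.Settings.NotificationLevel
    New-Object PSObject -Property @{
        ServiceEnabled      = $au.ServiceEnabled
        NotificationLevel   = $level
        AutomaticUpdatingOn = ($au.ServiceEnabled -and $level -ge 2)   # what the WSHV check is expected to see
    }
}

function Set-AutomaticUpdating {
    # Run elevated. 'Disabled' reproduces the blocked-connection test, 'Enabled' the allowed one.
    param([ValidateSet('Enabled', 'Disabled')][string]$State)
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    if ($State -eq 'Enabled') {
        $au.EnableService()                # turns Automatic Updates on with its recommended settings
    } else {
        $settings = $au.Settings           # keep one settings object: modify it, then save that same object
        $settings.NotificationLevel = 1    # 1 = Disabled
        $settings.Save()
    }
    return (Get-AutomaticUpdatingState).AutomaticUpdatingOn
}

# Test loop on TSCLIENT once it is configured as a NAP enforcement client:
# Set-AutomaticUpdating Disabled   # then attempt the connection; NPS should block it
# Set-AutomaticUpdating Enabled    # then attempt it again; the connection should succeed
```

Record the value returned by Get-AutomaticUpdatingState alongside each connection attempt; if NPS admits a client while AutomaticUpdatingOn is False, the health policy is not being applied and the TS CAP order from the previous procedure is the first thing to check.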


4. Create NAP policies on the TS Gateway server by using the Configure NAP Wizard
You can use the Configure NAP wizard to easily create the policies required to configure the TS Gateway server as a NAP enforcement server. This section describes how to create the following policies for TS Gateway:
- Health policies: Health policies allow you to define client configuration requirements for the NAP-capable computers that attempt to connect to internal network resources through the TS Gateway server.
- Connection request policy: Connection request policies are an ordered set of rules that allow the NPS service to determine whether a specific connection attempt request or an accounting message received from a RADIUS client should be processed locally or forwarded to another RADIUS server. When you are configuring the NPS server to perform NAP health determination and enforcement, NPS is acting as a RADIUS server. The TS Gateway server is the RADIUS client.
- Network policies: Network policies allow you to designate who is authorized to connect to the network and the circumstances under which they can connect. During the authorization process, NAP performs client health checks.

To create NAP policies on the TS Gateway server by using the Configure NAP Wizard
1. Open the Network Policy Server snap-in console. To open Network Policy Server, click Start, point to Administrative Tools, and then click Network Policy Server.
2. In the console tree, click NPS (Local).
3. In the details pane, under Standard Configuration, click Configure NAP.
4. In the Configure NAP wizard, on the Select Network Connection Method for Use with NAP page, do the following:
   a. Under Network connection method, select Terminal Services Gateway (TS Gateway).
   b. Under Policy Name, accept the default name (NAP TS Gateway) or type a new name, and then click Next.
5. On the Specify NAP Enforcement Servers Running TS Gateway page, under TS Gateway servers, confirm that TS Gateway server is specified, and then click Next.
6. On the Configure Client Device Redirection and Authentication Methods page, do the following:
   a. Under Device redirection, select the option that is appropriate for your environment.
   b. Under Authentication Method, select the authentication method(s) that are appropriate for your environment. When both authentication methods are selected, clients that use either method will be allowed to connect.
7. On the Configure User Groups and Machine Groups page, do the following:
   a. Under User Groups: (Required), click Add User, and then specify a user group whose members can connect to the TS Gateway server. You must specify at least one user group.
   b. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box.
   c. To specify more than one user group, do either of the following: type the name of each user group, separating the names with a semicolon; or add additional groups from different domains by repeating this step for each group.
   d. Under Machine Groups: (Optional), to specify computer domain membership criteria that client computers must meet (optional), click Add Machine, and then specify the computer groups. In the example configurations, no computer group is specified. To specify computer groups, you can use the same steps that you used to specify user groups.
8. Click Next.
9. On the Define NAP Health Policy page, verify that the Windows Security Health Validator check box is selected and that Deny client access to terminal servers or computers running Remote Desktop is selected, and then click Next.
10. On the Completing New Network Access Protection Policies and RADIUS clients page, confirm that the following policies appear:
   - Under Health Policies: NAP TS Gateway Compliant, NAP TS Gateway Noncompliant
   - Under Connection Request Policy: NAP TS Gateway
   - Under Network Policies: NAP TS Gateway Compliant, NAP TS Gateway Noncompliant, and NAP TS Gateway Non NAP-Capable
   After the wizard finishes, open each network policy and confirm its access permission. The NAP TS Gateway Non NAP-Capable policy governs clients that cannot send a statement of health at all, and its setting decides whether such clients are denied or admitted without any health check.
11. Click Finish.

Steps for configuring a Terminal Services client as a NAP enforcement client

To configure a Terminal Services client computer as a Network Access Protection (NAP) enforcement client, you must complete these tasks.

Task | Reference/Step-by-step instructions
1. Download and run the Terminal Services NAP client configuration command. | Download and run the Terminal Services NAP client configuration command
2. Test to confirm that the NAP health policy is successfully applied to the Terminal Services client. | Test to confirm that the NAP health policy is successfully applied to the Terminal Services client

1. Download and run the Terminal Services NAP client configuration command

The Terminal Services NAP client configuration command (Tsgwecclientconfig.cmd) performs the following tasks to configure the Terminal Services client as a NAP enforcement client:

- Adds the TS Gateway server name to the Trusted Server list on the client.
- Starts the Network Access Protection Agent service and sets the service startup type to Automatic. The NAP agent collects and manages health information. The NAP agent processes statements of health (SoH) from the various system health agents (SHAs) and reports client health to the NAP administration server. For NAP to function correctly, you must start the Network Access Protection Agent service on the client, and then set the service startup type to Automatic. By default, this service does not start automatically.
- Enables the TS Gateway Quarantine Enforcement client.

To run this example script, use the following procedure. Note that you must run the script as a member of the local Administrators group on the TS Gateway server.

To download and run the Terminal Services NAP client configuration command

1. To download the Terminal Services NAP client configuration command, go to the Terminal Services NAP Client Configuration Command page on the Download Center (http://go.microsoft.com/fwlink/?LinkId=103083). When you open the command prompt, right-click the command prompt, and then click Run as Administrator. You must run this command with elevated privileges for the command to succeed. For information about how to run this command with elevated privileges in Windows XP, see article 294676 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=87531). For information about how to do this in Windows Server 2003, see Run a program with administrative credentials (http://go.microsoft.com/fwlink/?LinkId=87533).
2. At the command prompt, type:
   tsgwecclientconfig TS_GATEWAY_SERVER_NAME
   where TS_GATEWAY_SERVER_NAME is the fully qualified domain name (FQDN) of the TS Gateway server that you want to add to the list of trusted TS Gateway servers on the client. The name that you specify for the server must match the name in the Issued to field of the TS Gateway server certificate. If you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation, specify the fully qualified domain name (FQDN) of the TS Gateway server.
   To specify more than one TS Gateway server, separate each server name with a semicolon (for example, SERVER_NAME1;SERVER_NAME2;SERVER_NAME3).
3. Restart the client computer to implement the configuration changes, and then log back on to the client computer by using the same account that you used to run the client configuration command.
4. Open Registry Editor. To open Registry Editor, in the Start search box, type regedit, and then press ENTER.
5. Navigate to the following registry subkey:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server Client\TrustedGateways
6. Under TrustedGateways, verify that the following value exists: <TS_GATEWAY_SERVER_NAME>, where TS_GATEWAY_SERVER_NAME is the fully qualified domain name (FQDN) of the TS Gateway server that you specified in Step 2. If you specified more than one TS Gateway server, ensure that each TS Gateway server is listed.
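The following PowerShell function is an added check, not part of the Microsoft guide and not produced by Tsgwecclientconfig.cmd. It verifies on the Terminal Services client the three changes the command is described as making: the TrustedGateways registry entry, the Network Access Protection Agent service state and startup type, and the TS Gateway Quarantine Enforcement client. It assumes Windows PowerShell 2.0 or later is installed on the client, that the entry under TrustedGateways is a value (subkeys are checked as well), and that the output of netsh nap client show config names each enforcement client followed by an "Admin = Enabled" line; the gateway FQDN is a constructed placeholder.

```powershell
# Added example (not from the guide): verify what Tsgwecclientconfig.cmd
# is documented to change. Run in an elevated PowerShell prompt on the
# Terminal Services client after the restart in step 3.

$TrustedGatewaysKey = 'HKLM:\Software\Microsoft\Terminal Server Client\TrustedGateways'

function Test-TsgNapClientConfig {
    param(
        # Constructed placeholder; pass the FQDN given to tsgwecclientconfig.
        [string]$GatewayFqdn = 'tsgateway.contoso.example'
    )

    # 1. Trusted gateway entry. The guide says a value named after the FQDN
    #    exists under TrustedGateways; subkey names are checked too
    #    (assumption: some client builds may store it as a key instead).
    $trusted = $false
    $key = Get-Item -Path $TrustedGatewaysKey -ErrorAction SilentlyContinue
    if ($key) {
        $names = @($key.GetValueNames()) + @($key.GetSubKeyNames())
        $trusted = ($names -contains $GatewayFqdn)   # -contains is case-insensitive
    }

    # 2. NAP agent service: must be running and set to Automatic.
    #    Win32_Service is used because Get-Service in PowerShell 2.0 does not
    #    expose the startup type.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='napagent'"
    $agentRunning   = ($svc -ne $null) -and ($svc.State -eq 'Running')
    $agentAutomatic = ($svc -ne $null) -and ($svc.StartMode -eq 'Auto')

    # 3. TS Gateway Quarantine Enforcement Client enabled. Assumption: the
    #    netsh block for that client contains an "Admin = Enabled" line; the
    #    lazy match stops at the first Admin line after the client name.
    $napConfig  = (netsh nap client show config) -join "`n"
    $qecEnabled = [bool]($napConfig -match 'TS Gateway Quarantine Enforcement Client[\s\S]*?Admin\s*=\s*Enabled')

    New-Object PSObject -Property @{
        GatewayFqdn          = $GatewayFqdn
        TrustedGatewayListed = $trusted
        NapAgentRunning      = $agentRunning
        NapAgentAutomatic    = $agentAutomatic
        TsGatewayQecEnabled  = $qecEnabled
        Ready                = ($trusted -and $agentRunning -and $agentAutomatic -and $qecEnabled)
    }
}

# Usage: every property should be True before running the tests in section 2.
Test-TsgNapClientConfig -GatewayFqdn 'tsgateway.contoso.example' | Format-List
```

A False in TrustedGatewayListed usually means the FQDN passed to the command did not match the name in the Issued to field of the gateway certificate, or the client was not restarted; a False in NapAgentRunning or NapAgentAutomatic means the client will behave like a non-NAP-capable client and be blocked, as the third test in section 2 demonstrates.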

2. Test to confirm that the TS Gateway NAP health policy is successfully applied to the Terminal Services client

Use the following procedures to verify that the health policy that you configured on the TS Gateway server is being applied to the Terminal Services client. Recall that the Windows Security Health Validator (WSHV) policy that you created on the TS Gateway server requires that you enable automatic updating for the connection to succeed. To test whether the health policy is correctly applied to the Terminal Services client, perform the following tasks:

- Test for successful blocked connection for NAP-capable client. If the health policy is correctly applied to the Terminal Services NAP-capable client, the client connection attempt will be blocked by the server when automatic updating is disabled on the client.
- Test for successful allowed connection for NAP-capable client. If the health policy is correctly applied to the Terminal Services NAP-capable client, the client connection attempt will be allowed by the server when automatic updating is enabled on the client.
- Test for successful blocked connection for non-NAP capable client. If the health policy is correctly applied to the Terminal Services non-NAP capable client, the client connection attempt will be blocked by the server because the client cannot send a statement of health (SoH).

Test for successful blocked connection for NAP-capable client

Perform the following procedure on the client computer to test whether at least one NAP health policy is correctly configured to block the NAP-capable Terminal Services client connection to the TS Gateway server when automatic updating is disabled on the client.

To attempt an end-to-end connection through the TS Gateway server when automatic updating is disabled on the client

1. Open Control Panel. To open Control Panel, click Start, and then click Control Panel.
2. In Control Panel, double-click Security Center.
3. Under Security Essentials, check whether Automatic Updating is set to On. If so, proceed to the next step. If Automatic Updating is already set to Off, skip to Step 7.
4. In the navigation pane, click Windows Update.
5. In Windows Update, in the navigation pane, click Change Settings.
6. In the Choose how Windows can install updates dialog box, click Never check for updates (not recommended), and then click OK.
7. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.
8. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.
9. On the General tab, type the name of the computer (terminal server or computer with Remote Desktop enabled) to which you want to connect through TS Gateway.
10. Click Connect.
11. On the Enter your credentials page, select the user account that you want to use to log on remotely to the computer, enter the required credentials, and then click OK.
12. On the Gateway server credentials page, select the user name that you want to use to log on to the TS Gateway server, enter the required credentials, and then click OK.
13. After a few moments, the following error message appears: "This computer can't connect to the remote computer because your computer or device did not pass the Network Access Policies validation set by your network administrator. Please contact your network administrator for assistance."
14. Click OK to close the message, and then cancel the connection.

Verify that the NAP health policy blocked the connection

On the TS Gateway server, the following three events will appear in the Event Log to confirm that client access to the TS Gateway server was denied because the health policy was successfully applied:

- Event ID 6272, Keyword: Audit Success: This event, which appears under Windows Logs\Security, indicates that the NPS server granted access to the client.
- Event ID 6276, Keyword: Audit Success: This event, which appears under Windows Logs\Security, indicates that the client was denied access to the TS Gateway server and quarantined because the health policy was successfully applied.
- Event ID 204, Keyword: Audit Failure: This event, which appears under Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway\Operational, indicates that the client did not meet the requirements of the NAP policies on the NPS server and therefore is not authorized to access the TS Gateway server.

To verify that the NAP health policy blocked the connection

1. On the TS Gateway server, open Event Viewer. To open Event Viewer, click Start, point to Administrative Tools, and then click Event Viewer.
2. In Event Viewer, expand Windows Logs, and then click Security.
3. With Security selected in the console tree, search for event IDs 6272 and 6276.
4. In the console tree, expand Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then click Operational.
5. With Operational selected in the console tree, search for Event ID 204.
6. Close Event Viewer.

Test for successful allowed connection for NAP-capable client

Perform the following procedure to test whether at least one NAP health policy is correctly configured to allow the Terminal Services client connection to the TS Gateway server when automatic updating is enabled on the client.

To attempt an end-to-end connection through the TS Gateway server when automatic updating is enabled on the client

1. Open Control Panel. To open Control Panel, click Start, and then click Control Panel.
2. In Control Panel, double-click Security Center.
3. Under Security Essentials, under Automatic updating, click Change settings.
4. In the Choose an automatic updating option dialog box, click Install updates automatically (recommended).
5. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.
6. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.
7. On the General tab, type the name of the computer (terminal server or computer with Remote Desktop enabled) to which you want to connect through TS Gateway.
8. Click Connect.
9. On the Enter your credentials page, select the user account that you want to use to log on remotely to the computer, enter the required credentials, and then click OK.
10. On the Gateway server credentials page, select the user name that you want to use to log on to the TS Gateway server, enter the required credentials, and then click OK.
11. After a few moments, the connection completes and a connection will be established through the TS Gateway server to the computer.
47

Verify that the NAP health policy allowed the connection

On the TS Gateway server, the following three events will appear in the Event Log to confirm that client access to the TS Gateway server was granted because the health policy was successfully applied:

- Event ID 6272, Keyword: Audit Success: This event, which appears under Windows Logs\Security, indicates that the NPS server granted access to the client.
- Event ID 6278, Keyword: Audit Success: This event, which appears under Windows Logs\Security, indicates that the client was granted access to the TS Gateway server because the health policy was successfully applied.
- Event ID 200: This event, which appears under Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway\Operational, indicates that the client is healthy and therefore can access the TS Gateway server.

To verify that the NAP health policy allowed the connection

1. On the TS Gateway server, open Event Viewer. To open Event Viewer, click Start, point to Administrative Tools, and then click Event Viewer.
2. In Event Viewer, expand Windows Logs, and then click Security.
3. With Security selected in the console tree, search for event IDs 6272 and 6278.
4. In the console tree, expand Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then click Operational.
5. With Operational selected in the console tree, search for Event ID 200.
6. Close Event Viewer.
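The two Event Viewer procedures above (and the non-NAP-capable test that follows, which reuses the blocked-connection check) look for the same five event IDs. The following PowerShell script is an added example, not part of the Microsoft guide, that pulls those events from both logs and reports the NAP decision from the most recent verdict. It assumes Windows PowerShell 2.0 or later on the TS Gateway server, an elevated prompt (the Security log requires it), and that the Operational log's channel name is Microsoft-Windows-TerminalServices-Gateway/Operational.

```powershell
# Added example (not from the guide): collect the NPS and TS Gateway events
# the verification procedures describe and summarise the NAP decision.

$NpsLog     = 'Security'
$GatewayLog = 'Microsoft-Windows-TerminalServices-Gateway/Operational'   # assumed channel name

# Meaning of each event ID, as documented in the guide.
$EventMeaning = @{
    6272 = 'NPS granted access to the client'
    6276 = 'Client denied access and quarantined (health policy not met)'
    6278 = 'Client granted access (health policy met)'
    204  = 'TS Gateway: client did not meet NAP policy requirements'
    200  = 'TS Gateway: client is healthy and may access the gateway'
}

function Get-TsgNapEvents {
    param([int]$Hours = 1)   # look-back window for the test you just ran
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $NpsLog;     Id = 6272, 6276, 6278; StartTime = $since } -ErrorAction SilentlyContinue) +
              @(Get-WinEvent -FilterHashtable @{ LogName = $GatewayLog; Id = 200, 204;          StartTime = $since } -ErrorAction SilentlyContinue)
    # Get-WinEvent yields $null when nothing matches; drop those entries.
    $events | Where-Object { $_ } | Sort-Object TimeCreated | ForEach-Object {
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Log     = $_.LogName
            Id      = $_.Id
            Keyword = ($_.KeywordsDisplayNames -join ',')   # "Audit Success" / "Audit Failure"
            Meaning = $EventMeaning[$_.Id]
        }
    }
}

function Get-TsgNapDecision {
    param([int]$Hours = 1)
    # 6272 is logged for both outcomes, so the verdict comes from the other IDs.
    $last = Get-TsgNapEvents -Hours $Hours | Where-Object { $_.Id -ne 6272 } | Select-Object -Last 1
    if (-not $last) { return 'No NAP decision events in the window' }
    switch ($last.Id) {
        6276 { 'Blocked: client quarantined by the NAP health policy (expect Event ID 204 alongside)' }
        204  { 'Blocked: TS Gateway rejected the client on NAP policy (expect Event ID 6276 alongside)' }
        6278 { 'Allowed: client met the NAP health policy (expect Event ID 200 alongside)' }
        200  { 'Allowed: TS Gateway reports the client healthy (expect Event ID 6278 alongside)' }
    }
}

# Usage after one of the connection tests:
Get-TsgNapEvents -Hours 1 | Format-Table Time, Log, Id, Keyword, Meaning -AutoSize
Get-TsgNapDecision -Hours 1
```

For the blocked tests the listing should show 6272 and 6276 in Security plus 204 in the Operational log; for the allowed test, 6272 and 6278 plus 200. A 6272 with no accompanying verdict event usually means the connection never reached the health evaluation, which is a different failure from a policy block.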

Test for successful blocked connection for non-NAP capable client

Perform the following procedure to test whether at least one NAP health policy is correctly configured to block the Terminal Services client connection to the TS Gateway server when the client cannot send an SoH to the TS Gateway server.

To attempt an end-to-end connection through the TS Gateway server when the client cannot send an SoH

1. Open Control Panel. To open Control Panel, click Start, and then click Control Panel.
2. In Control Panel, double-click Security Center.
3. Under Security Essentials, confirm that Automatic updating is set to On.
4. Open the command prompt, right-click the command prompt, and then click Run as Administrator.
5. At the command prompt, type the following:
   net stop napagent
6. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.
7. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.
8. On the General tab, type the name of the computer (terminal server or computer with Remote Desktop enabled) to which you want to connect through TS Gateway.
9. Click Connect.
10. On the Enter your credentials page, select the user account that you want to use to log on remotely to the computer, enter the required credentials, and then click OK.
11. On the Gateway server credentials page, select the user name that you want to use to log on to the TS Gateway server, enter the required credentials, and then click OK.
12. After a few moments, the following error message appears: "This computer can't connect to the remote computer because your computer or device did not pass the Network Access Policies validation set by your network administrator. Please contact your network administrator for assistance."
13. Click OK to close the message, and then cancel the connection.

On the TS Gateway server, follow the steps in "Verify that the NAP health policy blocked the connection" to confirm that client access to the TS Gateway server was denied because the health policy was successfully applied.

Additional references

- Network Access Protection (http://go.microsoft.com/fwlink/?LinkID=70047)
- Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkID=48555)

Configuring the TS Gateway ISA Server Scenario

You can use Internet Security and Acceleration (ISA) Server 2004 or ISA Server 2006 with TS Gateway to enhance security for a TS Gateway server by configuring ISA Server to function as an SSL bridging device. When SSL bridging is used, ISA Server can terminate SSL sessions, inspect packets, and re-establish SSL sessions. ISA Server helps enhance security by decrypting incoming SSL traffic, statefully inspecting the traffic for malicious code, and then blocking connections that contain suspicious packets or packets that reflect known exploits. ISA Server also performs stateful HTTP filtering, which provides deep inspection of HTTP application content.

Following are three scenarios in which ISA Server and a TS Gateway server can be used together to enhance security for remote connections to internal network resources:

- ISA Server as an SSL bridging device (Web proxy). In this scenario, ISA Server is hosted in a perimeter network and provides SSL bridging between the Terminal Services client and the TS Gateway server. The TS Gateway server is hosted in the corporate/private network. This scenario is illustrated under "Setting up the TS Gateway ISA Server scenario," in the next section.
- ISA Server as a firewall and SSL bridging device. In this scenario, ISA Server functions as a firewall that performs port filtering, packet filtering, and SSL bridging. The TS Gateway server can be hosted in the corporate/private network or in the perimeter network, depending on whether the ISA Server is located as the external firewall or the internal firewall.
- ISA Server as a firewall that performs port filtering (server publishing). In this scenario, ISA Server functions as an external packet filtering firewall and permits traffic only over port 443. The TS Gateway server is hosted in the perimeter.

Note: The steps in this setup guide provide detailed configuration information only for the first scenario (ISA Server as a Web proxy). The other two scenarios are mentioned as alternate ways in which ISA Server can be used with TS Gateway to enhance security for remote connections to internal network resources.

System configurations tested for the TS Gateway ISA Server scenario

Microsoft tested the TS Gateway ISA Server scenario by using the following system configurations.

Computer | Required configuration
TS Gateway server (TSGSERVER) | Windows Server 2008
ISA Server (ISASERVER) | Windows Server 2003 and ISA Server 2004 with Service Pack 3 (SP3), or Windows Server 2003 and ISA Server 2006
Terminal Services client (TSCLIENT) | Windows Vista with Service Pack 1 (SP1) or Windows XP with SP3; Windows Vista; Windows XP with Service Pack 2 (SP2) and the Terminal Services client, Remote Desktop Connection (RDC) 6.0 (to download RDC 6.0, see article 925876 in the Microsoft Knowledge Base, http://go.microsoft.com/fwlink/?LinkId=78373); Windows Server 2008; Windows Server 2003 with SP1 or SP2 and RDC 6.0
Internal network resource (CORPORATERESOURCE) | Windows Vista with SP1 or Windows XP with SP3; Windows Vista; Windows XP with SP2; Windows Server 2008; Windows Server 2003 with SP1 or SP2

Configuring connections between ISA Server and TS Gateway server

You can configure ISA Server communication with the TS Gateway server in either of the following two ways:

- HTTPS-HTTPS bridging: In this configuration, the TS Gateway client initiates an SSL (HTTPS) request to the SSL bridging device. The SSL bridging device initiates a new HTTPS request to the TS Gateway server, for maximum security.
- HTTPS-HTTP bridging: In this configuration, the TS Gateway client initiates an SSL (HTTPS) request to the SSL bridging device. The SSL bridging device initiates a new HTTP request to the TS Gateway server.

Setting up the TS Gateway ISA Server scenario

The following diagram illustrates the ISA Server scenario for TS Gateway, in which ISA Server is used as an SSL bridging device.

Note: The steps in this setup guide describe how to set up remote access from a Terminal Services client through a TS Gateway server, where SSL traffic from the client is first sent to the ISA Server, which is used for SSL bridging. The guide does not describe how to install ISA Server 2004 or ISA Server 2006, nor does it describe how to configure the firewalls illustrated in the diagram, the terminal servers running RemoteApp programs (hosting LOB applications), or the perimeter network or Active Directory infrastructure. The diagram is provided to suggest one way in which this scenario might be implemented in a production environment.

Steps for configuring TS Gateway for the ISA Server scenario

To configure the TS Gateway server and ISA Server bridging scenario, complete these tasks.

Task | Reference/Step-by-step instructions
1. Export the SSL certificate for the TS Gateway server and copy it to the ISA Server. | Export the certificate for the TS Gateway server and copy it to the ISA Server
2. Install the SSL certificate for the TS Gateway server on the ISA Server. | Install the SSL certificate for the TS Gateway server on the ISA Server
3. Copy and install the TS Gateway server root certificate on the ISA Server. Note: This step is required only if you are using a self-signed certificate or another SSL certificate type that is not trusted. | Copy and install the TS Gateway server root certificate on the ISA Server
4. Create a new Web publishing rule on the ISA Server. | Create a new Web publishing rule on the ISA Server
5. Enable or disable HTTPS-HTTP bridging on the TS Gateway server. | Enable or disable the HTTPS-HTTP bridging setting on the TS Gateway server
6. Verify client configuration and test end-to-end connectivity. | Verify client configuration and test end-to-end connectivity

1. Export the SSL certificate for the TS Gateway server and copy it to the ISA Server

When you export the certificate, ensure that you export the private key. If this option is not available for the certificate that you have selected, you must obtain a new certificate for ISA Server. For information about ISA Server certificate requirements, see Digital Certificates for ISA Server 2004 (http://go.microsoft.com/fwlink/?LinkId=104827) and Troubleshooting SSL Certificates in ISA Server Publishing (http://go.microsoft.com/fwlink/?LinkId=104826).

Perform the following procedure on the TS Gateway server to export the SSL certificate for the TS Gateway server and copy it to the ISA Server.

To export the SSL certificate for the TS Gateway server and copy it to the ISA Server

1. On the TS Gateway server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
   a. Click Start, click Run, type mmc, and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
   d. In the Certificates snap-in dialog box, click Computer account, and then click Next.
   e. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
   f. In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Personal, and then click Certificates.
3. Under certificates, click the TS Gateway server certificate. If more than one certificate is listed and you are unsure which certificate to select, view the properties for each certificate to identify the certificate that meets TS Gateway server requirements.
4. Right-click the TS Gateway certificate to export, point to All Tasks, and then click Export.
5. On the Welcome to the Certificate Export Wizard page, click Next.
6. On the Export Private Key page, click Yes, export the private key, and then click Next.
7. On the Export File Format page, ensure that Personal Information Exchange PKCS #12 (.PFX) is selected, select the Include all certificates in the certification path if possible check box, and then click Next.
8. On the Password page, type a password to protect the private key for the certificate, confirm the password, and then click Next.
9. On the File to Export page, in the File name box, click Browse.
10. In the Save As dialog box, specify the name of the certificate that you want to export and the location to which you want to export the certificate (ensure that the location can be accessed from the ISA Server), and then click Save.
11. On the File to Export page, click Next.
12. On the Completing the Certificate Export Wizard page, confirm that the correct certificate is specified, that Export Keys is set to Yes, and that Include all certificates in the certification path is set to Yes, and then click Finish.
13. After the certificate export has successfully completed, a message appears confirming that the export was successful. Click OK.
14. Close the Certificates snap-in.
15. Copy the certificate to the ISA Server.

2. Install the SSL certificate for the TS Gateway server on the ISA Server

Perform the following procedure on the ISA Server to install the SSL certificate for the TS Gateway server.

To install the SSL certificate for the TS Gateway server on the ISA Server

1. On the ISA Server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
   a. Click Start, click Run, type mmc, and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
   d. In the Certificates snap-in dialog box, click Computer account, and then click Next.
   e. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
   f. In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Personal.
3. Right-click the Personal folder, point to All Tasks, and then click Import.
4. On the Welcome to the Certificate Import Wizard page, click Next.
5. On the File to Import page, in the File name box, click Browse, and then browse to the location where you copied the SSL certificate for the TS Gateway server. Select the certificate (Certificate_Name.pfx), click Open, and then click Next.
6. On the Password page, do the following:
   - If earlier you specified a password for the private key associated with the certificate, type the password.
   - If you want to mark the private key as exportable, select the Mark this key as exportable check box.
   - Ensure that the Include all extended properties check box is selected.
7. Click Next.
8. On the Certificate Store page, click Automatically select the certificate store based on the type of certificate, and then click Next.
9. On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected and that the following certificate settings appear:
   Certificate Store Selected: Automatically determined by the wizard.
   Content: PFX
   File Name: FilePath\<Certificate_Name.pfx>, where <Certificate_Name> is the name of the TS Gateway server SSL certificate.
10. Click Finish.
11. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
12. With Certificates selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the ISA Server. The certificate must be under the Personal store of the local computer.

3. Copy and install the TS Gateway server root certificate on the ISA Server

This procedure is required only in the following circumstances:

- If you are using a self-signed certificate or another SSL certificate type that is not trusted.
- If you did not select the option to download a certificate chain or Automatically select the certificate store based on the type of certificate when you installed the certificate on the ISA Server (as described in the preceding procedure).

To copy and install the TS Gateway server root certificate on the ISA Server

1. On the ISA Server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
   a. Click Start, click Run, type mmc, and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
   d. In the Certificates snap-in dialog box, click Computer account, and then click Next.
   e. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
   f. In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.
3. On the Welcome to the Certificate Import Wizard page, click Next.
4. On the File to Import page, in the File name box, click Browse, and then browse to the location of the TS Gateway server root certificate. Select the root certificate (<Root_Certificate_Name.cer>, or, if the private key was also exported, <Root_Certificate_Name.pfx>), click Open, and then click Next.
   Note: If you created a self-signed certificate by using the Add Remove Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation (as described in "Create a self-signed certificate for TS Gateway" in Configuring the TS Gateway Core Scenario), note that the self-signed certificate is also the root certificate.
5. On the Password page, if earlier you specified a password for the private key associated with the certificate, type the password.
6. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next.
7. On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear:
   Certificate Store Selected by User: Trusted Root Certification Authorities
   Content: Certificate (or PFX)
   File Name: FilePath\<Root_Certificate_Name.cer> (or <Root_Certificate_Name.pfx>), where <Root_Certificate_Name> is the name of the TS Gateway server root certificate.
8. Click Finish.
9. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
10. With Certificates selected in the console tree, in the details pane, verify that the root certificate of the TS Gateway server appears in the list of certificates on the ISA Server. Ensure that the certificate appears under the Trusted Root Certification Authorities store on the local computer.
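Steps 1 to 3 leave the ISA Server with a certificate that must carry its private key, match the gateway name the publishing rule will use, and chain to a root the server trusts. The following PowerShell function is an added check, not part of the Microsoft guide, that tests all three conditions on the ISA Server with the .NET X509Store and X509Chain classes. It assumes Windows PowerShell is installed on the ISA Server, that the PFX was imported into the local computer Personal (My) store as in step 2, and that the gateway FQDN below (a constructed placeholder) is the certificate's subject CN.

```powershell
# Added example (not from the guide): confirm on the ISA Server that the
# imported TS Gateway certificate is usable for the SSL listener.

function Test-TsgBridgingCertificate {
    param(
        [string]$GatewayFqdn = 'tsgateway.contoso.example'   # constructed placeholder
    )

    # Look in the local computer's Personal store, where step 2 put the PFX.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    # Match the subject CN against the name the publishing rule will use; if
    # several match, prefer the one that expires last.
    $pattern = '(^|,\s*)CN=' + [regex]::Escape($GatewayFqdn) + '(,|$)'
    $cert = $store.Certificates |
        Where-Object { $_.Subject -match $pattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $store.Close()

    if (-not $cert) {
        return New-Object PSObject -Property @{ Found = $false; GatewayFqdn = $GatewayFqdn }
    }

    # Build the chain the same way Windows will when the listener presents
    # the certificate. Revocation checking is skipped because a self-signed
    # test certificate publishes no CRL; keep it on for a CA-issued one.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk  = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $notExpired = ($cert.NotAfter -gt (Get-Date))

    New-Object PSObject -Property @{
        Found            = $true
        GatewayFqdn      = $GatewayFqdn
        Thumbprint       = $cert.Thumbprint
        HasPrivateKey    = $cert.HasPrivateKey        # requires the key to have been exported in step 1
        NotExpired       = $notExpired
        ChainTrusted     = $chainOk
        ChainProblems    = ($problems -join ', ')      # 'UntrustedRoot' means step 3 is still needed
        ReadyForListener = ($cert.HasPrivateKey -and $chainOk -and $notExpired)
    }
}

# Usage: run after step 3 (or after step 2 for a CA-issued certificate).
Test-TsgBridgingCertificate -GatewayFqdn 'tsgateway.contoso.example' | Format-List
```

ChainTrusted false with ChainProblems reporting UntrustedRoot is exactly the case step 3 exists for: the self-signed gateway certificate is its own root and is not yet in Trusted Root Certification Authorities. HasPrivateKey false means the export in step 1 was done without the private key, and the certificate cannot be selected for the SSL Web listener in step 4.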

A+ Create a new Web publishin% rule on the ,SA Server


To confi'ure the TS !ate"ay ser er and ,S/ Ser er for 1TTPS-1TTP brid'in' or for 1TTPS1TTPS brid'in'+ you must create the appropriate %eb publishin' rule on the ,S/ Ser er( ,$portant The steps for creatin' a %eb publishin' rule for ,S/ Ser er "ill ary+ based on "hether you are usin' ,S/ Ser er 200< or ,S/ Ser er 200>( Bnsure that you follo" the steps that correspond to the ersion of ,S/ Ser er that you are usin'(

Create a new Web publishing rule for ISA Server 2004


Use the following procedure to create a new Web publishing rule for ISA Server 2004.

To create a new Web publishing rule for ISA Server 2004

1. On the ISA Server, open ISA Server Management. To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. In the console tree, browse to <Local ISA Server>.
3. Right-click Firewall Policy, point to New, and then click Secure Web Server Publishing Rule.
4. On the Welcome to the SSL Publishing Rule Wizard page, in the SSL Web Publishing Rule Name box, type a name for the new server publishing rule, and then click Next.
5. On the Publishing Mode page, click SSL Bridging, and then click Next.
6. On the Select Rule Action page, click Allow, and then click Next.
7. On the Bridging Mode page, do one of the following:
   To enable HTTPS-HTTP bridging, click Secure connections to clients, and then click Next.
   To enable HTTPS-HTTPS bridging, click Secure connection to clients and Web server, and then click Next.
8. On the Define Website to Publish page, do the following:
   a. In the Computer name or IP address box, type the name of the TS Gateway server. The specified name must match the name of the TS Gateway server through which users will connect in this scenario. This name must also match the certificate name (CN) in the certificate that is installed on the TS Gateway server.
   b. Select the Forward the original host header instead of the actual one (specified above) check box.
   c. In the Path box, type /*. Publishing /* exposes every IIS path on the TS Gateway server through the ISA Server; the gateway itself only needs the RPC over HTTP virtual directory (/rpc/*), so narrow the path if nothing else on that server is meant to be reachable from the Internet.
9. On the Public Name Details page, do the following:
   a. In Accept requests for, ensure that This domain name is selected.
   b. In the Public name box, type the name of the TS Gateway server. The specified name must match the name of the TS Gateway server through which users will connect in this scenario.
   c. In the Path box, type /* (or the narrower path chosen in step 8c).
   d. Click Next.
10. If required, create a new SSL Web listener. If you have a pre-existing listener with a certificate that matches the public name, you do not need to create a new SSL Web listener. In this case, select the appropriate Web listener, click Next, and then proceed to step 11. If you do need to create a new SSL Web listener, do the following:
   a. On the Welcome to the New Web Listener page, in the Web Listener Name box, type a name for the Web listener, and then click Next. If Web listeners have already been configured for the ISA Server, on the Select Web Listener page, click New to open the Welcome to the New Web Listener page and begin specifying a new Web listener.
   b. On the IP Addresses page, under Listen for requests from these networks, select the External check box, and then click Next.
   c. On the Port Specification page, under SSL, select the Enable SSL check box, and then clear the Enable HTTP check box.
   d. Click Select, and in the Select Certificate dialog box, click the certificate that you want to use.
   e. Click OK to close the Select Certificate dialog box, and then click Next.
   f. On the Completing the New Web Listener Wizard page, click Finish.
11. On the Select Web Listener page, confirm that the correct Web listener properties appear, and then click Next.
12. On the User Sets page, click All Users, and then click Next.
13. On the Completing the New SSL Web Publishing Rule Wizard page, click Finish.
14. To save the changes and update the ISA Server firewall policy, in the details pane of the ISA Server Management console, click Apply.
15. In the Apply New Configuration dialog box, click OK after the changes are applied (a progress bar appears while the changes are being applied).

Create a new Web publishing rule for ISA Server 2006


Use the following procedure to create a new Web publishing rule for ISA Server 2006.

To create a new Web publishing rule for ISA Server 2006

1. On the ISA Server, open ISA Server Management. To open ISA Server Management, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. In the console tree, expand the ISA Server name. (If you are using ISA Server 2006 Enterprise Edition, expand Arrays, and then expand the ISA Server name.)
3. Click Firewall Policy.
4. On the Tasks tab, click Publish Web Sites.
5. On the Welcome to the New Web Publishing Rule Wizard page, in the Web publishing rule name box, type a name for the new publishing rule, and then click Next.
6. On the Select Rule Action page, click Allow, and then click Next.
7. On the Publishing Type page, ensure that Publish a single Web site or load balancer is selected, and then click Next.
8. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm, and then click Next.
9. On the Internal Publishing Details page, in the Internal site name box, type the name of the TS Gateway server, and then click Next. If the ISA Server cannot resolve the name of the TS Gateway server, type the IP address of the TS Gateway server. Alternatively, you can add the name to the Hosts file on the ISA Server.
10. On the second Internal Publishing Details page, do the following:
   a. Ensure that the Path box is empty.
   b. Ensure that the Forward the original host header instead of the actual one specified in the Internal site name field on the previous page check box is cleared.
   c. Click Next.
11. On the Public Name Details page, do the following:
   a. In Accept requests for, ensure that This domain name (type below) is selected.
   b. In the Public name box, type the name of the TS Gateway server. The specified name must match the name of the TS Gateway server through which users will connect in this scenario. This name must also match the certificate name (CN) or one of the Subject Alternative Name (SAN) entries in the certificate that is installed on the TS Gateway server.
   Note: If you are using the SAN attributes of certificates, clients that connect to the TS Gateway server must be running RDC 6.1. RDC 6.1 is available with Windows Server 2008, Windows Vista with SP1, and Windows XP with SP3. The RDC 6.1 (6.0.6001) client supports Remote Desktop Protocol 6.1.
   c. Ensure that the Path box is empty.
   d. Click Next.
12. If required, create a new SSL Web listener. If you have a pre-existing listener with a certificate that matches the public name, you do not need to create a new SSL Web listener. In this case, select the appropriate Web listener, click Next, and then proceed to step 13. If you do need to create a new SSL Web listener, do the following:
   a. On the Select Web Listener page, click New.
   b. On the Welcome to the New Web Listener Wizard page, in the Web Listener Name box, type a name for the Web listener, and then click Next.
   c. On the Client Connection Security page, click Require SSL secured connections with clients, and then click Next.
   d. On the Web Listener IP Addresses page, under Listen for incoming Web requests from these networks, select the External check box, and ensure that The ISA Server will compress content sent to clients through this Web Listener if the clients requesting the content support compression check box is selected.
   e. Click Select IP Addresses. On the External Listener IP Selection page, click Specified IP addresses on the ISA Server in the selected Network; then, under Available IP addresses, select the appropriate IP address, click Add, and then click OK.
   f. Click Next.
   g. On the Listener SSL Certificates page, click Assign a certificate for each IP address, click the appropriate IP address, and then click Select Certificate.
   h. On the Select Certificate page, under Select certificate, click the TS Gateway server certificate, click Select, and then click Next.
   i. On the Authentication Settings page, click No Authentication, and then click Next.
   j. On the Single Sign On Settings page, click SSO is not relevant for this setup, and then click Next.
   k. On the Completing the New Web Listener Wizard page, click Finish.
   l. On the second Completing the New Web Listener Wizard page, confirm that the correct Web listener properties appear, and then click Finish.
13. On the Select Web Listener page, confirm that the correct Web listener properties appear, and then click Next.
60

5. Enable or disable HTTPS-HTTP bridging on the TS Gateway server


To enable HTTPS-HTTP bridging, select the Use HTTPS-HTTP bridging check box on the SSL Bridging tab of the TS Gateway server properties. To disable HTTPS-HTTP bridging, clear this check box (if this setting is cleared and you attempt to use HTTPS-HTTP bridging, the TS Gateway server will not function). By design, selecting or clearing this check box creates or updates the value of the AllowAnonymous registry entry.

Important: If you enable HTTPS-HTTP bridging, the TS Gateway server will allow anonymous access, and authentication will be performed by the ISA Server. HTTPS-HTTP bridging cannot be used for clients to authenticate by using smart cards. If you later stop using the ISA Server for SSL termination in this scenario, we strongly recommend that you update the configuration by disabling HTTPS-HTTP bridging on the TS Gateway server. If you do not update the configuration, TS Gateway will continue to allow anonymous access, now without any ISA Server in front of it.
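The following PowerShell script is an added example and is not part of this guide. It reports whether the TS Gateway server currently depends on the ISA Server for authentication (bridging on, AllowAnonymous set) and can switch bridging off again when the ISA Server is retired. It assumes PowerShell 2.0 or later running elevated on the gateway, that the WMI class Win32_TSGatewayServerSettings in root\CIMV2\TerminalServices exposes an SslBridging property (0 = none, 1 = HTTPS-HTTP, 2 = HTTPS-HTTPS) and a SetSslBridging method, and that the check box writes AllowAnonymous under HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy; verify those names on your own build before relying on the output.

```powershell
# Added example, not from the guide: audit the HTTPS-HTTP bridging state of a TS Gateway server.
# Assumptions (see lead-in): PowerShell 2.0+, elevated; Win32_TSGatewayServerSettings.SslBridging and
# SetSslBridging(); AllowAnonymous under HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy.
param([switch]$DisableBridging)

$settings = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGatewayServerSettings
$rpcProxy = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'
$anon = (Get-ItemProperty -Path $rpcProxy -Name AllowAnonymous -ErrorAction SilentlyContinue).AllowAnonymous

$mode = switch ($settings.SslBridging) {
    0       { 'none: the gateway terminates SSL and authenticates RPC over HTTP clients itself' }
    1       { 'HTTPS-HTTP: the RPC over HTTP proxy accepts anonymous requests; ISA Server must authenticate' }
    2       { 'HTTPS-HTTPS' }
    default { "unknown value $($settings.SslBridging)" }
}
"SslBridging    : $mode"
"AllowAnonymous : $anon"

if ($settings.SslBridging -eq 1 -or $anon -eq 1) {
    Write-Warning ('Anonymous RPC over HTTP is enabled. If ISA Server is no longer in front of this gateway, ' +
                   'Internet clients reach the RPC proxy without the HTTP-level authentication ISA Server provided.')
    if ($DisableBridging) {
        # SetSslBridging(0) is the scripted equivalent of clearing the Use HTTPS-HTTP bridging check box
        $rc = $settings.SetSslBridging(0).ReturnValue
        $anon = (Get-ItemProperty -Path $rpcProxy -Name AllowAnonymous -ErrorAction SilentlyContinue).AllowAnonymous
        "SetSslBridging(0) returned $rc; AllowAnonymous is now $anon"
    }
}
```

Run it without parameters as a read-only check after every change to the ISA Server deployment; run it with -DisableBridging only once the ISA Server publishing rule has been removed, so that clients are not left without any path to the gateway.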

6. Verify client configuration and test end-to-end connectivity


Terminal Services clients that connect through the ISA Server to the TS Gateway server can be located in the external network range of the ISA Server. Web publication can also be configured for the internal network. Doing this allows you to use a single namespace for the TS Gateway server and ensures that Terminal Services clients must connect through the ISA Server before connecting to the TS Gateway server.

In a typical deployment, the TS Gateway server address and the IP address of the ISA Server will be published in DNS. As a result, clients will resolve the TS Gateway server address to the ISA Server. The secure Web publishing rule that you create for the ISA Server ensures that all incoming requests to the TS Gateway server from the external network will be forwarded to the TS Gateway server, which is located in the internal network. If you cannot publish entries to DNS, for testing purposes, you can add an entry to the Hosts file of the client that maps the TS Gateway server address to the IP address of the ISA Server. The Hosts file on the client is located at %windir%\system32\drivers\etc\hosts.

Next, ensure that the client is correctly configured as a TS Gateway client as described in "Steps for configuring a Terminal Services client for the TS Gateway core scenario" in Configuring the TS Gateway Core Scenario. To ensure that connectivity is successful in this scenario, follow the steps in "Verify that end-to-end connectivity through TS Gateway is functioning correctly" in Configuring the TS Gateway Core Scenario.
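The following PowerShell script is an added example and is not part of this guide. Run on a client, it checks the two things this scenario depends on before RDC is involved: that the TS Gateway name resolves to the ISA Server (through DNS or the Hosts entry above) and that the certificate presented on port 443 carries that name as its CN or a SAN entry and chains to a root the client trusts. It assumes PowerShell 2.0 or later; tsgateway.contoso.com and 206.73.118.1 are placeholders for the public name in your Web publishing rule and the external address of the ISA Server. In the bridging scenario the certificate the client sees is the one assigned to the ISA Server Web listener, not the one on the gateway itself.

```powershell
# Added example, not from the guide: client-side check of name resolution and certificate trust
# for a TS Gateway published through ISA Server. Names and addresses below are placeholders.
param(
    [string]$GatewayName = 'tsgateway.contoso.com',   # public name used in the Web publishing rule
    [string]$IsaAddress  = '206.73.118.1'             # external IP address of the ISA Server
)

# 1. Name resolution: DNS (or the client's Hosts file) must point the gateway name at the ISA Server
$addresses = [System.Net.Dns]::GetHostAddresses($GatewayName) | ForEach-Object { $_.IPAddressToString }
"Resolves to   : $($addresses -join ', ')"
if ($addresses -notcontains $IsaAddress) {
    Write-Warning "$GatewayName does not resolve to the ISA Server ($IsaAddress); clients would bypass the publishing rule"
}

# 2. TLS handshake: every certificate is accepted here only so that it can be inspected in step 3
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $GatewayName, 443
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
$ssl.AuthenticateAsClient($GatewayName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
$ssl.Close(); $tcp.Close()

# 3. The name the client connects with must equal the CN or one of the SAN entries, and the chain
#    must validate against this client's Trusted Root Certification Authorities store, as RDC requires
$cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
$nameOk  = ($cn -eq $GatewayName) -or ("$san" -match ('(?i)DNS Name=' + [regex]::Escape($GatewayName) + '(\s*,|$)'))
$chainOk = $cert.Verify()

"Subject CN    : $cn"
"SAN           : $san"
"Issuer        : $($cert.Issuer)"
"Valid until   : $($cert.NotAfter)"
"Name matches  : $nameOk"
"Chain trusted : $chainOk"
if (-not $nameOk)  { Write-Warning 'RDC will refuse this gateway: the name in the client settings must equal the certificate CN or a SAN entry' }
if (-not $chainOk) { Write-Warning 'The root certificate is not trusted on this client; import it into Trusted Root Certification Authorities (Local Computer)' }
```

A name mismatch or an untrusted chain here reproduces exactly the errors RDC reports later, so fix them (publishing rule public name, listener certificate, root certificate on the client) before testing end-to-end connectivity.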

Additional references

The following resources provide information about testing and troubleshooting RPC over HTTP through ISA Server:
Description of the ISA Server 2006 hotfix package that is dated May 14, 2007 (http://go.microsoft.com/fwlink/?LinkId=107462)
Testing RPC over HTTP through ISA Server 2006, Part 1: Protocols, Authentication and Processing (http://go.microsoft.com/fwlink/?LinkId=104829)
Testing RPC over HTTP through ISA Server 2006, Part 2: Test Tools and Strategies (http://go.microsoft.com/fwlink/?LinkId=104830)
Testing RPC over HTTP through ISA Server 2006, Part 3: Common Failures and Resolutions (http://go.microsoft.com/fwlink/?LinkId=104831)
RPC over HTTP Logging Wildness (http://go.microsoft.com/fwlink/?LinkId=104832)

Monitoring Active Connections Through a TS Gateway Server


After you have configured Terminal Services clients to connect to remote computers on the network through TS Gateway, you can monitor active connections. This section provides the following information about monitoring active connections through a TS Gateway server:
Specify TS Gateway events to log
View details about active connections through a TS Gateway server

Specify TS Gateway events to log


By using TS Gateway Manager, you can specify the types of events that you want to monitor, such as unsuccessful or successful connection attempts to internal network computers through a TS Gateway server. When these events occur, you can monitor the corresponding events by using Windows Event Viewer. TS Gateway server events are stored in Event Viewer under Application and Services Logs\Microsoft\Windows\Terminal Services-Gateway\.

To specify TS Gateway events to log

1. Open TS Gateway Manager.
2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. With the name of the TS Gateway server highlighted in the console tree, right-click the name of the server, and then click Properties.
4. On the Auditing tab, select or clear the appropriate check boxes to specify the events that you want to monitor for TS Gateway.

The following table lists and describes the TS Gateway event types that you can monitor. A burst of Failed Connection Authorization events (201) from a single client address is the pattern to alert on for credential guessing against the gateway; Failed Resource Authorization events (301) for many different target computers from one user indicate a user probing for hosts that no TS RAP permits.

Table 1: TS Gateway Event Types

Event name: Successful User Disconnection from the Resource
Event ID: 303 (when the client disconnects from the resource); 202 (when an administrator disconnects the client)
Description: By monitoring the timestamp for this event and the related Successful User Connection to the Resource event, you can verify the user session time and the amount of data (in kilobytes) that was sent and received by the remote client through the TS Gateway server.

Event name: Failed User Connection to the Resource
Event ID: 304
Description: The remote client met the conditions specified in the TS CAP and the TS RAP, but could not connect to the internal network resource (computer) through the TS Gateway server because the remote computer was unavailable. By auditing this event, you can determine which connectivity issues are caused by problems with Terminal Services and Remote Desktop rather than the TS Gateway server.

Event name: Failed Connection Authorization
Event ID: 201
Description: The remote client could not connect to a TS Gateway server because the client did not meet the conditions specified in the TS CAPs.

Event name: Failed Resource Authorization
Event ID: 301
Description: The remote client could not connect through a TS Gateway server to the specified computer because no TS RAPs are configured to allow the user access to the specified computer. For example, as mentioned earlier, this issue might occur if the user attempts to connect to the computer by using its NetBIOS name when the TS RAP configured on the TS Gateway server uses an FQDN for the computer.

Event name: Successful User Connection to the Resource
Event ID: 302
Description: The remote client successfully connected to a computer through the TS Gateway server.

Event name: Successful Connection Authorization
Event ID: 200
Description: The remote client successfully connected to the TS Gateway server because the client met the conditions specified in at least one TS CAP.

Event name: Successful Resource Authorization
Event ID: 300
Description: The remote client successfully connected through the TS Gateway server to the specified internal network resource because the client met the conditions specified in at least one TS RAP.
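The following PowerShell script is an added example and is not part of this guide. It reads the event IDs in the table above from the TS Gateway operational log for the last N hours, groups the denied and failed attempts by user, client address and reason, and lists completed sessions (303) with their duration and transferred data. It assumes PowerShell 2.0 or later on the TS Gateway server, that the log is named Microsoft-Windows-TerminalServices-Gateway/Operational, and that each event's data is carried in <UserData><EventInfo> elements named Username, IpAddress, Resource, SessionDuration, BytesSent and BytesReceived; those element names are assumed, so compare them with the output of $event.ToXml() on your own server and adjust.

```powershell
# Added example, not from the guide: summarise TS Gateway audit events (IDs from Table 1).
# Assumptions (see lead-in): PowerShell 2.0+; log name and EventInfo element names as stated.
param([int]$Hours = 24)

$log = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$outcome = @{ 200 = 'TS CAP allowed';      201 = 'TS CAP denied'
              300 = 'TS RAP allowed';      301 = 'TS RAP denied'
              302 = 'connected';           303 = 'disconnected'
              304 = 'target unreachable';  202 = 'disconnected by admin' }

$filter = @{ LogName = $log; Id = @($outcome.Keys); StartTime = (Get-Date).AddHours(-$Hours) }
$rows = foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $info = ([xml]$e.ToXml()).Event.UserData.EventInfo
    New-Object PSObject -Property @{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Outcome  = $outcome[$e.Id]
        User     = $info.Username
        ClientIP = $info.IpAddress      # the ISA Server's address when HTTPS bridging is in use
        Resource = $info.Resource
        Duration = $info.SessionDuration
        Sent     = $info.BytesSent
        Received = $info.BytesReceived
    }
}

"== Denied and failed attempts in the last $Hours h, by user, client address and reason =="
$rows | Where-Object { @(201, 301, 304) -contains $_.Id } |
    Group-Object User, ClientIP, Outcome | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

"== Completed sessions (303): who reached what, for how long, and how much data moved =="
$rows | Where-Object { $_.Id -eq 303 } | Sort-Object Time |
    Format-Table Time, User, ClientIP, Resource, Duration, Sent, Received -AutoSize
```

Because the gateway only records what the Auditing tab enables, the 201 and 301 rows are empty unless the failed-authorization check boxes are selected; leave them on in production, since these are the events that show credential guessing and probing.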

View details about active connections through a TS Gateway server


You can use TS Gateway Manager to view information about active connections from Terminal Services clients to internal network resources through a TS Gateway server. This information is displayed in the Monitoring details pane and includes the following fields:

Connection ID: In the format <a:b>, where "a" is the tunnel ID that uniquely identifies a specific connection to the TS Gateway server and "b" is the channel ID. The tunnel ID represents the number of connections that the TS Gateway server has received since the Terminal Services Gateway service has been running. Each time the TS Gateway server receives a new connection, the tunnel ID is incremented by 1.
User ID: The domain and user ID of the user logged on to the client, in the format <domain\userID>.
User Name: The full name of the user logged on to the client. Note: You can only view the full name of the user if you are logged on to the TS Gateway server as a domain user. If you are logged on as a member of the local Administrators group, you can view the full name of the user in the User ID column.
Connected On: The date and time when the connection was initiated.
Connection Duration: The length of time that the connection has been active.
Idle Time: The length of time that the connection has been idle, if applicable.
Target Computer: The name of the internal network computer to which the client is connected.
Client IP Address: The IP address of the client. Note: If your network configuration includes proxy servers, the IP address that appears in this column reflects the IP address of the proxy server, rather than the IP address of the Terminal Services client. In the ISA Server bridging scenario described earlier this is the ISA Server's address, so correlate the connection time with the ISA Server Web proxy log to identify the originating client.
Target Port: The port on the internal network computer to which the client is connected.

Use the following procedure to view details about active connections through a TS Gateway server.

To view details about active connections through a TS Gateway server

1. Open TS Gateway Manager.
2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. In the console tree, click Monitoring. The TS Gateway Manager results pane displays a summary of the number of connections from remote users to computers on the internal network. Specific connections, if any, are listed below the summary. When you click a connection, the connection details appear in the lower pane. If necessary, you can disconnect a specific connection or all TS Gateway connections for a user.
4. To refresh the display of connection status, in the Actions pane, click Refresh.

Example Script for Validating Certificate Configuration


After you have completed certificate configuration for the TS Gateway server and Terminal Services client (as described in Configuring the TS Gateway Core Scenario), you can use the Rpcping.exe resource kit tool to confirm that the certificate configuration is correct. The following script provides an example of how you can use Rpcping.exe for this purpose. Rpcping.exe is available for download from Windows Server 2003 Resource Kit Tools (http://go.microsoft.com/fwlink/?LinkId=16544). This appendix describes how to save the example script as a text file and run the script by using Rpcping.exe, and provides an example of successful output and the example script syntax.

"unnin% the "pcpin%test e/a$ple script


To run this example script, use the following procedure. Note that you must run the script as a member of the local Administrators group on the TS Gateway server.

To run the example script

1. Copy and paste the example script into a text file.
2. Save the text file as Rpcpingtest.cmd.
3. Open the command prompt, switch to the directory where Rpcping.exe is located, and then run Rpcpingtest.cmd with the gateway name, user name and domain name as arguments.
4. For example, if you saved Rpcping.exe to the C:\Tools directory, at the command prompt type the following (replace TSGATEWAYSERVERNAME with the name of your TS Gateway server):
   C:\Tools\Rpcpingtest TSGATEWAYSERVERNAME <user name> <domain name>
5. Press ENTER.
6. Type the password for the RPC/HTTP proxy (the password for the TS Gateway server) when prompted; the script prompts once for each of its two Rpcping calls.

Example of successful output


If the script is successful and the certificate configuration is correct, output similar to the following will appear:

Results:
RPC/HTTP server preferred auth scheme is: 2
Pinging successfully completed in 78 sec.

Prompting for second rpc ping command in the scripting file
Enter the password for server: <password for TS Gateway>
Enter the password for RCP/http Proxy: <password for TS Gateway>

Results:
Completed 1 calls in 141 ms
7 T/S or 141.000 ms/T

"pcpin% e/a$ple script


@echo off
setlocal
set _TARGETGATEWAY=%1
set _USERNAME=%2
set _DOMAINNAME=%3

if "%_TARGETGATEWAY%" == "" goto DO_USAGE
if "%_USERNAME%" == "" goto DO_USAGE
if "%_DOMAINNAME%" == "" goto DO_USAGE

Echo ==================================================================
Echo = The first RPCPing will authenticate to the RPC over HTTP
Echo = Proxy service. If this ping fails, then the certificate
Echo = on the client computer is not correctly configured,
Echo = or you might have entered the wrong password.
Echo ==================================================================

REM -E restricts the ping to the RPC/HTTP proxy; -P gives the proxy credentials ("*" = prompt);
REM -F ssl and -B msstd:<name> require SSL and check the server certificate subject against the gateway name.
Rpcping -v 2 -e 3388 -t ncacn_http -s localhost -o RpcProxy=%_TARGETGATEWAY% -P "%_USERNAME%,%_DOMAINNAME%,*" -E -R None -H NTLM -u NTLM -a connect -F ssl -B msstd:%_TARGETGATEWAY%

Echo ==================================================================
Echo = The second RPCPing will attempt to authenticate to the TS
Echo = Gateway service. If this ping fails, then the TS Gateway
Echo = service is probably not running.
Echo ==================================================================

REM Same proxy parameters, plus -I for the credentials presented to the TS Gateway RPC service itself.
Rpcping -v 2 -e 3388 -t ncacn_http -s localhost -o RpcProxy=%_TARGETGATEWAY% -H NTLM -u NTLM -a connect -P "%_USERNAME%,%_DOMAINNAME%,*" -F ssl -B msstd:%_TARGETGATEWAY% -I "%_USERNAME%,%_DOMAINNAME%,*"

goto ENDALL

:DO_USAGE
Echo ==================================================================
Echo = Usage:
Echo = Rpcpingtest.cmd ^<gateway^> ^<user^> ^<domain/machine^>
Echo ==================================================================
goto ENDALL

:ENDALL
Endlocal

Disclaimer

The sample script is not supported under any Microsoft standard support program or service. The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Appendix: Configuring the TS Gateway OTP Scenario


This scenario discusses how to configure One Time Password (OTP) authentication with Terminal Services Gateway (TS Gateway). In this scenario, Network Policy Server (NPS) is used as a Remote Authentication Dial-In User Service (RADIUS) server to authenticate users on a Microsoft Internet Security and Acceleration (ISA) Server 2006-based edge server. NPS enables you to provide local and remote network access services and to define and enforce policies for network access authentication, authorization, and client health. The NPS role service in Windows Server 2008 is the replacement for the Internet Authentication Service (IAS) in Windows Server 2003. Deploying NPS as a RADIUS server enables users with supported clients to authenticate on the edge server by using OTP authentication. After OTP authentication, users are allowed to cross the corporate perimeter and are authenticated again for access to corporate resources. Therefore, users need to provide two forms of credentials before they are allowed to connect to the corporate resource.

Note: If you use OTP for client authentication, this configuration does not allow you to digitally sign e-mail messages or easily share identities between different organizations.

The instructions for this scenario assume that you are already familiar with TS Gateway.

System configuration for this scenario


This example scenario uses the following configuration.

ISA Server ("contoso-fw.contoso.com")
   The server is running Windows Server 2003.
   The server is running ISA Server 2006.
   The ISA Server contains a server certificate for www.contoso.com that is installed in the local computer certificate store.
   The ISA Server 2006 Supportability Update package is installed from the following Web site: http://go.microsoft.com/fwlink/?LinkId=115136.
   The server has the following name and IP addresses assigned:
   Name: contoso-fw.contoso.com
   Internal IP address: 192.168.1.1
   External IP address: 206.73.118.1

TS Gateway/TS Web Access server ("www.contoso.com")
   The server is running Windows Server 2008.
   The server is running the TS Gateway and TS Web Access role services, with the TS Web Access Web site accessible at https://www.contoso.com/ts.
   TS Web Access is configured to populate its list of RemoteApp programs from the terminal server "contoso-ts.contoso.com".
   The server has the following name and IP address assigned:
   Name: www.contoso.com
   IP address: 192.168.1.2

NPS (RADIUS) server ("contoso-otp.contoso.com")
   The server is running Windows Server 2008.
   The server is running the NPS role service.
   The server has the following name and IP address assigned:
   Name: contoso-otp.contoso.com
   Internal IP address: 192.168.1.3

Terminal Server ("contoso-ts.contoso.com")
   The server is running Windows Server 2008.
   The server is running the Terminal Server role service.
   The terminal server has RemoteApp programs installed that are available through TS Web Access. The RemoteApp programs are configured to use TS Gateway. For more information about how to configure Terminal Services RemoteApp, see the "Terminal Services RemoteApp Step-by-Step Guide" (http://go.microsoft.com/fwlink/?LinkId=84895).
   The server has the following name and IP address assigned:
   Name: contoso-ts.contoso.com
   IP address: 192.168.1.4

Client computer ("client1")
   The client computer is running Windows Vista with Service Pack 1 (SP1).
   The computer has the following configuration:
   Name: client1
   IP address: 206.73.118.2

Important: The OTP scenario is supported only for Remote Desktop Connection (RDC) 6.1 clients. RDC 6.1 is available in Windows Vista with SP1, Windows XP with Service Pack 3 (SP3), and Windows Server 2008.

Network topology

The following diagram illustrates the OTP scenario for TS Gateway (the diagram is not reproduced here; the addresses listed above describe the same layout).

71

Steps to configure OTP


To configure OTP in this scenario, you must perform the following steps:
1. Configure the NPS (RADIUS) server.
2. Set the Dial-in permission for the RADIUS user.
3. Create a RADIUS client on the ISA Server.
4. Create a Web listener on the ISA Server.
5. Publish a Web site on the ISA Server by using the Web listener.
6. Disable the HTTPOnly attribute on the ISA Server.
7. Modify the Remote Desktop Protocol (.rdp) file that clients will use to connect.
8. Set up the client computer.
9. Test the configuration.

To configure the NPS (RADIUS) server

1. Log on to the NPS server ("contoso-otp.contoso.com") with an account that has Administrator privileges.
2. Click Start, point to Administrative Tools, and then click Network Policy Server.
3. In the console tree, expand RADIUS Clients and Servers, right-click RADIUS Clients, and then click New RADIUS Client.
4. In the New RADIUS Client dialog box, do the following:
   a. In the Friendly name box, type the friendly name of the ISA Server, contoso-fw.
   b. In the Address (IP or DNS) box, type the fully qualified domain name of the ISA Server, contoso-fw.contoso.com.
   c. In the Vendor name list, accept the default setting of RADIUS Standard, and then click OK.
   Note: For this test scenario, you do not have to configure any settings in the Shared Secret section. Outside a lab, configure one: the shared secret is what authenticates the ISA Server to NPS, and it is the only protection of the PAP password inside the RADIUS Access-Request. Enter the same secret on the ISA Server's RADIUS server entry (step 6 of "To create a RADIUS client on the ISA Server"), and keep RADIUS traffic on the internal network.
5. In the console tree, expand Policies, and then click Network Policies.
6. Under Policy Name, double-click Connections to other access servers.
7. In the Connections to other access servers Properties dialog box, click the Constraints tab.
8. In the Constraints column, click Authentication Methods.
9. Select the Unencrypted authentication (PAP, SPAP) check box. Leave the other check boxes with their default values, and then click OK.

NPS uses Windows Authentication to authenticate users. To use the RADIUS service that is provided by NPS, users must have the Dial-in permission assigned. You can set this permission for domain users on a domain controller by using Active Directory Users and Computers, or for local users on a member server by using Local Users and Groups. In this example scenario, the Dial-in permission is set for a local user on the NPS server.

Note: The following procedure assumes that you have set up a local user account on the NPS server that you want to use for testing.

To set the Dial-in permission for the RADIUS user

1. Log on to the NPS server ("contoso-otp.contoso.com") with an account that has Administrator privileges.
2. Click Start, point to Administrative Tools, and then click Computer Management.
3. In the console tree, expand Local Users and Groups, and then click Users.
4. Right-click the user account that you want to modify, and then click Properties.
5. Click the Dial-in tab.
6. Under Network Access Permission, click Allow access, and then click OK.

To create a RADIUS client on the ISA Server

1. Log on to the ISA Server ("contoso-fw.contoso.com") with an account that has Administrator privileges.
2. Start ISA Server Management. To do this, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
3. In the console tree, expand the server name, expand Configuration, and then click General. (If you are running ISA Server 2006 Enterprise Edition, expand Arrays, expand the server name, expand Configuration, and then click General.)
4. In the middle pane, under ISA Server Administration, click Specify RADIUS and LDAP Servers.
5. On the RADIUS Servers tab, click Add.
6. In the Server name box, type the name of the RADIUS server to use (in this case, contoso-otp.contoso.com), and then click OK.
7. Click OK to close the Authentication Servers dialog box.

To create a Web listener on the ISA Server

1. In the console tree of ISA Server Management, expand the server name, and then click Firewall Policy. (If you are running ISA Server 2006 Enterprise Edition, expand Arrays, expand the server name, and then click Firewall Policy.)
2. In the right pane, click the Toolbox tab, and then click Network Objects.
3. On the Network Objects toolbar, click New, and then click Web Listener. The New Web Listener Definition Wizard starts.
4. In the Web listener name box, type OTP, and then click Next.
5. On the Client Connection Security page, click Require SSL secured connections with clients, and then click Next.
6. On the Web Listener IP Addresses page, do the following:
   a. Under Listen for incoming Web requests on these networks, select the External check box.
   b. Click Select IP Addresses.
   c. Under Listen for requests on, click Specified IP addresses on the ISA Server computer in the selected network.
   d. Under Available IP Addresses, click 206.73.118.1, click Add, and then click OK.
   e. Accept the default (selected) setting for the ISA Server will compress content sent to clients through this Web Listener if the clients requesting the content support compression check box.
   f. Click Next.
7. On the Listener SSL Certificates page, do the following:
   a. Click Assign a certificate for each IP address.
   b. In the IP Address column, click 206.73.118.1, and then click Select Certificate.
   c. On the Select Certificate page, select the certificate that is issued to www.contoso.com, and then click Select.
   d. Click Next.
8. On the Authentication Settings page, do the following:
   a. In the Select how clients will provide credentials to ISA Server list, click HTML Form Authentication.
   b. Under Select how ISA Server will validate client credentials, click RADIUS OTP, and then click Next.
9. On the Single Sign On Settings page, clear the Enable SSO for Web sites published with this Web listener check box, and then click Next. (SSO is not relevant for this solution.)
10. On the Completing the New Web Listener Wizard page, click Back to make any changes, or click Finish to complete the wizard.

To publish a Web site on the ISA Server by using the Web listener

1. In the console tree of ISA Server Management, expand the server name, and then click Firewall Policy. (If you are running ISA Server 2006 Enterprise Edition, expand Arrays, expand the server name, and then click Firewall Policy.)
2. In the right pane, click the Tasks tab, and then click Publish Web Sites. The New Web Publishing Rule Wizard starts.
3. In the Web publishing rule name box, type Web Site Publishing, and then click Next.
4. On the Select Rule Action page, under Action to take when rule conditions are met, click Allow, and then click Next.
5. On the Publishing Type page, click Publish a single Web site or load balancer, and then click Next.
6. On the Server Connection Security page, click Use SSL to connect to the published Web server or server farm, and then click Next.
7. On the Internal Publishing Details page, in the Internal site name box, type www.contoso.com, and then click Next.
8. On the second Internal Publishing Details page, click Next. (Leave the Path (optional) box empty, and leave the Forward the original host header instead of the actual one specified in the Internal site name field on the previous page check box cleared.)
9. On the Public Name Details page, do the following:
   a. In the Accept requests for list, ensure that This domain name (type below) is selected.
   b. In the Public name box, type www.contoso.com, and then click Next.
10. On the Select Web Listener page, in the Web listener list, click OTP, and then click Next. (This is the Web listener that you created in the previous procedure.)
11. On the Authentication Delegation page, in the Select the method used by ISA Server to authenticate to the published Web server list, click No delegation, but client may authenticate directly, and then click Next.
12. On the User Sets page, under This rule applies to requests from the following user sets, ensure that All Authenticated Users is listed, and then click Next.
13. On the Completing the New Web Publishing Rule Wizard page, click Back to make any changes, or click Finish to complete the wizard.
14. Click Apply to update the configuration. (If you are running ISA Server 2006 Enterprise Edition, you can check the status by using the Configuration tab that is available when you click Monitoring in the console tree.)

To disable the HTTPOnly attribute on the ISA Server

1. Copy and paste the following script into a text editor such as Notepad. On the ISA Server, save the file to the C:\ directory as DisableHttpOnlyAuthCookies.vbs. Clearing the HttpOnly attribute makes the ISA Server authentication cookie readable by script running in the published site, so apply the script only to the OTP listener and keep the published TS Web Access site free of untrusted content.
   Important: Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose.
   Note: This script is also available at the following Web site: http://go.microsoft.com/fwlink/?LinkId=115137
    ' Usage: cscript DisableHttpOnlyAuthCookies.vbs /WebListener:<name> [/Value:True|False]
    ' Without /Value the script only reports the current HttpOnlyCookie setting.
    If Not WScript.Arguments.Named.Exists("WebListener") Then
        WScript.Echo "WebListener not defined"
        WScript.Quit(1)
    End If

    ' Name of the vendor parameter set that holds the cookie authentication settings.
    ' The value is illegible in this copy of the guide; take it from the downloadable
    ' script referenced in the Note above.
    CookieAuthVpsName = "H2I*22!>- >*8* )88I IC-J 55887K>C7>)7L"

    ' Open the ISA Server configuration and locate the named Web listener.
    Set fpcRoot = CreateObject("FPC.Root")
    Set fpcArray = fpcRoot.GetContainingArray()
    Set fpcWebListener = fpcArray.RuleElements.WebListeners(WScript.Arguments.Named("WebListener"))
    Set fpcWebListenerVps = fpcWebListener.VendorParametersSets

    ' Item() raises an error if the parameter set has not been created yet.
    On Error Resume Next
    Set fpcCookieAuthVps = fpcWebListenerVps.Item(CookieAuthVpsName)
    If Err.Number = 0 Then
        CookieAuthVpsExists = True
    Else
        CookieAuthVpsExists = False
    End If
    Err.Clear
    On Error GoTo 0

    ' Report the current state.
    If Not CookieAuthVpsExists Then
        WScript.Echo "Cookie auth VPS settings not defined, HTTP only cookies are ON by default"
    Else
        WScript.Echo "HTTP only cookies: " & (fpcCookieAuthVps.Value("HttpOnlyCookie") = True)
    End If

    ' Apply a new value only if /Value was supplied.
    If WScript.Arguments.Named.Exists("Value") Then
        If Not CookieAuthVpsExists Then
            Set fpcCookieAuthVps = fpcWebListenerVps.Add(CookieAuthVpsName)
        End If
        ' Case-insensitive compare: /Value:True turns HttpOnly on; anything else turns it off.
        fpcCookieAuthVps.Value("HttpOnlyCookie") = (StrComp(WScript.Arguments.Named("Value"), "True", 1) = 0)
        fpcArray.Save
        WScript.Echo "HTTP only cookies set to " & (fpcCookieAuthVps.Value("HttpOnlyCookie") = True)
    End If

2. From a command prompt, run the following command from the C:\ directory:
   cscript DisableHttpOnlyAuthCookies.vbs /WebListener:OTP /Value:False
   You should see the following output:
   HTTP only cookies: True
   HTTP only cookies set to False

To modify the RDP file that clients will use to connect
1. Log on to the terminal server ("contoso-ts.contoso.com") with an account that has Administrator privileges.
2. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.
3. In the Overview pane of TS RemoteApp Manager, next to RDP Settings, click Change.
4. On the Custom RDP Settings tab, type or copy the following RDP settings into the Custom RDP settings box:
   pre-authentication server address:s:https://www.contoso.com/ts
   require pre-authentication:i:1
5. When you have finished adding the settings, click Apply.

To set up the client computer
1. Log on to the client computer ("client1").
2. From an elevated command prompt, type the following commands, pressing ENTER after each command:
   cd c:\windows\system32\drivers\etc
   edit hosts
3. Add the following line to the Hosts file (the IP address is illegible in this copy of the guide; use the address of the ISA Server that www.contoso.com should resolve to):
   <ISA Server IP address> www.contoso.com
4. Save the Hosts file.

Note: Typically, you would not have to modify the Hosts file, as the address would be resolvable through DNS.

To test the configuration from the client computer
1. Open Internet Explorer and specify https://www.contoso.com/ts as the address. You will be redirected to the OTP logon page on the ISA Server.
2. Type the user name in the format contoso-otp\user.

Note: If the user is a domain user and the RADIUS server is a member of the domain, you do not have to specify a domain name. However, because in this procedure the test user is a local user on the RADIUS server, you must specify the computer name where the account exists.

3. Enter the user's password. The ISA Server will pass the credentials to the NPS server for authentication. If successful, the client will be redirected to the Web site and retrieve the TS Web Access page.
