Abstract
Terminal Services Gateway (TS Gateway) is a new role service available to users of the Microsoft Windows Server® 2008 operating system. TS Gateway enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The internal network resources can be terminal servers, terminal servers running RemoteApp™ programs, or computers with Remote Desktop enabled. TS Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection. In this way, TS Gateway helps improve security by establishing an encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2007 Microsoft Corporation. All rights reserved.
Active Directory, Terminal Services, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Contents
TS Gateway Step-by-Step Guide
Abstract
Contents
TS Gateway Step-by-Step Guide
TS Gateway Overview
Who should use TS Gateway?
Benefits of TS Gateway
Additional references
Prerequisites for TS Gateway
Role, role service, and feature dependencies
Administrative credentials
Special Considerations for TS Gateway
TS Gateway server considerations
Name resolution issues
Terminal Services client considerations
Automatic reconnection to a TS Gateway server might fail after the Terminal Services client comes out of hibernation
TS Gateway server connection requests from a client running Windows XP with SP2 might fail if a smart card is used for authentication
Configuring the TS Gateway Core Scenario
System requirements for the TS Gateway core scenario
Setting up the TS Gateway core scenario
Connection sequence for the TS Gateway core scenario
Steps for configuring the TS Gateway server for the TS Gateway core scenario
1. Install the TS Gateway role service
Verify successful role service installation and TS Gateway service status
2. Obtain a certificate for the TS Gateway server
Certificate requirements for TS Gateway
Using existing certificates
Certificate installation and configuration process overview
Create a self-signed certificate for TS Gateway
3. Configure a certificate for the TS Gateway server
Install a certificate on the TS Gateway server
Map the TS Gateway server certificate
Understand authorization policies for TS Gateway
TS CAPs
TS RAPs
Security groups and TS Gateway-managed computer groups associated with TS RAPs
4. Create a TS CAP for the TS Gateway server
5. Create a TS RAP and specify computers that users can connect to through the TS Gateway server
6. Limit the maximum number of simultaneous connections through TS Gateway (optional)
Steps for configuring a Terminal Services client for the TS Gateway core scenario
1. Install the TS Gateway server root certificate in the Trusted Root Certification Authorities Store on the Terminal Services client (optional)
2. Configure Remote Desktop Connection settings
3. Verify that end-to-end connectivity through TS Gateway is functioning correctly
Configuring the TS Gateway NAP Scenario
System requirements for the TS Gateway NAP scenario
Setting up the TS Gateway NAP scenario
Steps for configuring TS Gateway for the NAP scenario
1. Enable NAP health policy checking on the TS Gateway server
2. Delete existing TS CAPs and create three new TS CAPs on the TS Gateway server
3. Configure a Windows Security Health Validator on the TS Gateway server
4. Create NAP policies on the TS Gateway server by using the Configure NAP Wizard
Steps for configuring a Terminal Services client as a NAP enforcement client
1. Download and run the Terminal Services NAP client configuration command
2. Test to confirm that the TS Gateway NAP health policy is successfully applied to the Terminal Services client
Test for successful blocked connection for NAP-capable client
Verify that the NAP health policy blocked the connection
Test for successful allowed connection for NAP-capable client
Verify that the NAP health policy allowed the connection
Test for successful blocked connection for non-NAP capable client
Additional references
Configuring the TS Gateway ISA Server Scenario
System configurations tested for the TS Gateway ISA Server scenario
Configuring connections between ISA Server and TS Gateway server
Setting up the TS Gateway ISA Server scenario
Steps for configuring TS Gateway for the ISA Server scenario
1. Export the SSL certificate for the TS Gateway server and copy it to the ISA Server
2. Install the SSL certificate for the TS Gateway server on the ISA Server
3. Copy and install the TS Gateway server root certificate on the ISA Server
4. Create a new Web publishing rule on the ISA Server
Create a new Web publishing rule for ISA Server 2004
Create a new Web publishing rule for ISA Server 2006
5. Enable or disable HTTPS-HTTP bridging on the TS Gateway server
6. Verify client configuration and test end-to-end connectivity
Additional references
Monitoring Active Connections Through a TS Gateway Server
Specify TS Gateway events to log
View details about active connections through a TS Gateway server
Example Script for Validating Certificate Configuration
Running the Rpcpingtest example script
Example of successful output
Rpcping example script
Disclaimer
Appendix: Configuring the TS Gateway OTP Scenario
System configuration for this scenario
Network topology
Steps to configure OTP
TS Gateway Overview
Windows Server® 2008 Terminal Services Gateway (TS Gateway) is a role service that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be terminal servers, terminal servers running RemoteApp™ programs, or computers with Remote Desktop enabled. TS Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection. In this way, TS Gateway helps improve security by establishing an encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run. The procedures in this guide will help you set up a TS Gateway server, enabling remote users to access terminal servers, terminal servers running RemoteApp programs, or computers with Remote Desktop enabled on your internal corporate or private network.
Who should use TS Gateway?
IT professionals who are responsible for terminal servers or remote access to desktops.
Benefits of TS Gateway
TS Gateway provides many benefits, including the following:
- TS Gateway enables remote users to connect to internal network resources over the Internet, by using an encrypted connection, without needing to configure virtual private network (VPN) connections.
- TS Gateway provides a comprehensive security configuration model that enables you to control access to specific internal network resources.
- TS Gateway provides a point-to-point RDP connection, rather than allowing remote users access to all internal network resources.
- TS Gateway enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators (NATs). With TS Gateway, you do not need to perform additional configuration for the TS Gateway server or clients for this scenario.
  In earlier versions of Windows Server, security measures prevented remote users from connecting to internal network resources across firewalls and NATs. This is because port 3389, the port used for RDP connections, is typically blocked for network security purposes. TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.
- The TS Gateway Manager snap-in console enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources. For example, you can specify:
  - Who can connect to network resources (in other words, the user groups who can connect).
  - What network resources (computer groups) users can connect to.
  - Whether client computers must be members of Active Directory® security groups.
  - Whether device and disk redirection is allowed.
  - Whether clients need to use smart card authentication or password authentication, or whether they can use either method.
- You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement, and remediation technology that is included in Windows Vista® RTM, Windows Server 2008, and Windows Vista Service Pack 1 (SP1) and Windows XP Service Pack 3 (SP3). With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings.
- You can use a TS Gateway server in conjunction with Microsoft Internet Security and Acceleration (ISA) Server to enhance security. In this scenario, you can host TS Gateway servers in a private network rather than a perimeter network, and host ISA Server in the perimeter network. Or, ISA Server can serve as an isolation point for either or both ends of the perimeter network. The SSL connection between the Terminal Services client and ISA Server can be terminated at the ISA Server, which is Internet-facing.
- TS Gateway Manager provides tools to help you monitor TS Gateway connection status, health, and events. By using TS Gateway Manager, you can specify events (such as unsuccessful connection attempts to the TS Gateway server) that you want to monitor for auditing purposes.
Additional references
For product support, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=48555). To access newsgroups for Terminal Services, see the Terminal Services Community page on the Microsoft TechNet Web site (http://go.microsoft.com/fwlink/?LinkId=85730).
IIS 7.0 must be installed and running for the RPC over HTTP Proxy feature to function. You can also configure TS Gateway to use Terminal Services connection authorization policies (TS CAPs) that are stored on another server that runs the Network Policy Server (NPS) service. By doing this, you are using the NPS server, formerly known as a Remote Authentication Dial-In User Service (RADIUS) server, to centralize the storage, management, and validation of TS CAPs. If you have already deployed an NPS server for remote access scenarios such as VPN and dial-up networking, using the existing NPS server for TS Gateway scenarios as well can enhance your deployment.
Administrative credentials
You must be a member of the Administrators group on the computer that you want to configure as a TS Gateway server.
To avoid name resolution failure, and to support either NetBIOS names or FQDNs, include each possible computer name in the computer group that you create when you configure a TS RAP. For example, the computer names MySAPReportingServer and MySAPReportingServer.seattle.corp.microsoft.com would each need to be included in the computer group that you create, although both names represent the same computer.
Automatic reconnection to a TS Gateway server might fail after the Terminal Services client comes out of hibernation
After you establish a remote connection through a TS Gateway server to another computer, if the Terminal Services client that initiated the connection hibernates and then comes out of hibernation, the client might not automatically reconnect to the remote computer through the TS Gateway server. To resolve this problem, open Task Manager, end the mstsc (Remote Desktop Connection) process, and then attempt the remote connection again. Closing mstsc will not resolve this problem.
TS Gateway server connection requests from a client running Windows XP with SP2 might fail if a smart card is used for authentication
If you are using a client running Windows® XP with SP2 to connect to a remote computer through a TS Gateway server, you will receive an error message stating that the remote computer is misconfigured if you do the following:
1. Connect to a remote computer and leave your smart card in the smart card reader during the session.
2. End the session, leaving the smart card in the smart card reader.
3. Start another connection while leaving the smart card in the smart card reader.
To resolve this problem, remove the smart card, reinsert it, and then try to connect to the remote computer again.
either a terminal server, a terminal server running RemoteApp programs, or a computer with Remote Desktop enabled.
1. We recommend that you set up three computers to evaluate this scenario. These computers are:
- The TS Gateway server (known as "TSGSERVER" in this example)
- The Terminal Services client (known as "TSCLIENT" in this example)
- An internal network resource (known as "CORPORATERESOURCE" in this example)
The computers must meet the system requirements described in System requirements for the TS Gateway core scenario.
2. Configure the TS Gateway server by following the instructions in Steps for configuring the TS Gateway server for the TS Gateway core scenario.
3. Configure the Terminal Services client by following the instructions in Steps for configuring a Terminal Services client for the TS Gateway core scenario.
4. Configure the internal network resource.
5. Demonstrate that the Terminal Services client can connect to the internal network resource through the TS Gateway server by following the instructions in Verify that end-to-end connectivity through TS Gateway is functioning correctly.
Computer: TS Gateway server (TSGSERVER)
Requirements:
- Windows Server 2008. The installation can be an upgrade from Windows Server® 2003 Service Pack 1 (SP1) or Windows Server 2008 Release Candidate 0 (RC0). For more information, see "Supported upgrade paths" in Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=104824).

Computer: Terminal Services client (TSCLIENT)
Requirements (any of the following):
- Windows Vista SP1 or Windows XP SP3.
- Windows Vista. The installation can be an upgrade from Windows XP with Service Pack 2 (SP2).
- Windows XP SP2 and Remote Desktop Connection (RDC) 6.0. To download RDC 6.0, see article 925876 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79373).
- Windows Server 2008. The installation can be an upgrade.
- Windows Server 2003 with Service Pack 1 (SP1) or SP2 and RDC 6.0.

Computer: Internal network resource (CORPORATERESOURCE)
Requirements:
For computers with Remote Desktop enabled (any of the following):
- Windows Vista SP1 or Windows XP SP3.
- Windows Vista. The installation can be an upgrade from Windows XP with SP2.
- Windows XP with SP2.
- Windows Server 2003 with SP1 or SP2.
For terminal servers (any of the following):
- Windows Server 2008. The installation can be an upgrade.
- Windows Server 2003 with SP1 or SP2.
Note: The steps in this setup guide describe how to set up the core TS Gateway scenario for remote access from a Terminal Services client through a TS Gateway server to an internal network resource. The guide does not describe how to set up the firewalls illustrated in the diagram, terminal servers running RemoteApp programs, or the Active Directory infrastructure. The diagram is provided to suggest one of many ways in which the TS Gateway core remote access scenario might be implemented in a production environment. For information about how to set up a terminal server, see the Help topic "Terminal Server" (http://go.microsoft.com/fwlink/?LinkId=72052). For information about setting up RemoteApp programs, see the Terminal Services RemoteApp Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=84895). For information about how to enable Remote Desktop, see the topic "Using Remote Desktop" in the Windows Server 2008 Help.
- Clicking a RemoteApp program icon. RemoteApp programs are represented in an .RDP file that the administrator has configured.
- Visiting a Web site (either from the Internet or from an intranet) to access a list of RemoteApp programs that the administrator has made available by using Terminal Services Web Access (TS Web Access), and then clicking a RemoteApp program icon.
- Opening the Remote Desktop Connection client and manually specifying the appropriate settings for the connection.
2. An SSL tunnel is established between TSCLIENT and TSGSERVER by using the TS Gateway server's SSL certificate. Before a connection between TSCLIENT and TSGSERVER is established, TSGSERVER must authenticate and authorize the user according to Terminal Services connection authorization policies (TS CAPs) that the administrator has configured on TSGSERVER.
3. After authentication and authorization succeed, TSGSERVER signals TSCLIENT to continue with the connection sequence.
4. TSCLIENT requests a connection from TSGSERVER to CORPORATERESOURCE. Before authorizing the request, TSGSERVER verifies that both of the following conditions are met simultaneously, for at least one Terminal Services resource authorization policy (TS RAP) that is configured on TSGSERVER:
- CORPORATERESOURCE is a member of a computer group that is specified in the TS RAP; and
- The user is a member of a user group that is specified in the TS RAP.
If both requirements are met, TSGSERVER authorizes the request.
5. An SSL connection is established between TSCLIENT and TSGSERVER, and an RDP connection is established between TSGSERVER and CORPORATERESOURCE. From this point, any packets that TSCLIENT sends to TSGSERVER are forwarded to CORPORATERESOURCE, and any packets that CORPORATERESOURCE sends to TSGSERVER are forwarded to TSCLIENT.
6. TSCLIENT will attempt to create a user session on CORPORATERESOURCE. CORPORATERESOURCE performs Windows authentication to validate the identity of the user requesting the connection and the privileges that the user has on CORPORATERESOURCE. (These are the same steps that would be followed if TSCLIENT were to request a remote connection to CORPORATERESOURCE without using TSGSERVER.)
7. TSCLIENT exchanges encrypted RDP packets encapsulated within SSL with TSGSERVER over port 443. TSGSERVER forwards the RDP packets to CORPORATERESOURCE over port 3389.
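The first leg of this sequence, the SSL tunnel to the gateway on port 443 in step 2, can be checked from the client side on its own, without the RPC-over-HTTP and RDP layers that follow it. The PowerShell script below is an added example and not part of this guide: it opens TCP port 443 to a TS Gateway server, completes the SSL handshake, and reports the certificate the gateway presents together with the chain-validation result, so you can see whether this client trusts the gateway's certificate before trying the full connection from Remote Desktop Connection. The host name tsgserver.example.com and the function name Test-TsGatewayTls are placeholders chosen for the example; it requires PowerShell 2.0 or later.

```powershell
# Added example, not from the TS Gateway Step-by-Step Guide.
# Checks only the SSL leg (client -> TS Gateway, TCP 443) of the connection sequence.
# Requires PowerShell 2.0 or later.

$gatewayHost = 'tsgserver.example.com'   # placeholder: replace with your TS Gateway server FQDN
$gatewayPort = 443                        # TS Gateway listens on 443 (per the guide)

function Test-TsGatewayTls {
    param([string]$HostName, [int]$Port = 443)

    $result = New-Object PSObject -Property @{
        HostName = $HostName; Connected = $false; Subject = $null; Issuer = $null
        NotAfter = $null; ChainErrors = $null; Trusted = $false; Error = $null
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $result.Connected = $true

        # Record the validation outcome instead of aborting the handshake, so an untrusted
        # root (for example the self-signed test certificate used in this guide) is reported
        # as a chain error rather than surfacing only as an exception.
        $script:policyErrors = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:policyErrors = $errors
            return $true
        }

        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # AuthenticateAsClient also checks that the host name matches the certificate's name.
        $ssl.AuthenticateAsClient($HostName)

        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject     = $remote.Subject
        $result.Issuer      = $remote.Issuer
        $result.NotAfter    = $remote.NotAfter
        $result.ChainErrors = [string]$script:policyErrors
        # Trusted only when the chain built to a root in this client's Trusted Root store
        # and the name matched; anything else is what RDC will refuse or warn about.
        $result.Trusted     = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        $ssl.Close()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

Test-TsGatewayTls -HostName $gatewayHost -Port $gatewayPort | Format-List
```

A result with Connected set to True but ChainErrors reporting RemoteCertificateChainErrors is the case described later under certificate requirements: the gateway is reachable on 443, but the CA that signed its certificate is not in this client's Trusted Root Certification Authorities store. RemoteCertificateNameMismatch means the name you connect with is not the name in the certificate, which matters because the client must use the gateway's name exactly as issued.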
Steps for confi%urin% the TS Gateway server for the TS Gateway core scenario
To configure the TS Gateway server, complete these tasks.
Task | Reference/Step-by-step instructions
1. Install the TS Gateway role service. | Install the TS Gateway role service
2. Obtain a certificate for the TS Gateway server. | Obtain a certificate for the TS Gateway server
3. Configure a certificate for the TS Gateway server. | Configure a certificate for the TS Gateway server
4. Create a Terminal Services connection authorization policy (TS CAP). | Create a TS CAP
5. Create a Terminal Services resource authorization policy (TS RAP). | Create a TS RAP
6. Limit the maximum number of simultaneous connections through TS Gateway (optional). | Limit the maximum number of simultaneous connections through TS Gateway
a. Under Roles Summary, click Terminal Services.
b. Under Role Services, click Add Role Services.
c. On the Select Role Services page, select the TS Gateway check box, and then click Next.
d. If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services.
e. On the Select Role Services page, click Next.
3. On the Choose a Server Authentication Certificate for SSL Encryption page, specify whether to choose an existing certificate for SSL encryption (recommended), create a self-signed certificate for SSL encryption, or choose a certificate for SSL encryption later. If you are completing an installation for a new server that does not yet have certificates, see Obtain a certificate for the TS Gateway server for certificate requirements and information about how to obtain and install a certificate.
Under the Choose an existing certificate for SSL encryption (recommended) option, only certificates that have the intended purpose (server authentication) and Enhanced Key Usage (EKU) [Server Authentication (1.3.6.1.5.5.7.3.1)] that are appropriate for the TS Gateway role service will appear in the list of certificates. If you select this option, click Import, and then import a new certificate that does not meet these requirements, the imported certificate will not appear in the list.
4. On the Create Authorization Policies for TS Gateway page, specify whether you want to create authorization policies (a TS CAP and a TS RAP) during the TS Gateway role service installation process or later. If you select Later, follow the procedures in Create a TS CAP to create this policy. If you select Now, do the following:
a. On the Select User Groups That Can Connect Through TS Gateway page, click Add to specify additional user groups. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box.
b. To specify more than one user group, do either of the following: Type the name of each user group, separating the name of each group with a semi-colon; or add additional groups from different domains by repeating the first part of this step for each group.
c. After you finish specifying additional user groups, on the Select User Groups that Can Connect Through TS Gateway page, click Next.
d. On the Create a TS CAP for TS Gateway page, accept the default name for the TS CAP (TS_CAP_01) or specify a new name, select one or more supported Windows authentication methods, and then click Next.
e. On the Create a TS RAP for TS Gateway page, accept the default name for the TS RAP (TS_RAP_01) or specify a new name, and then do one of the following: Specify whether to allow users to connect only to computers in one or more computer groups, and then specify the computer groups; or specify that users can connect to any computer on the network. Click Next.
5. On the Network Policy and Access Services page (which appears if this role service is not already installed), review the summary information, and then click Next.
6. On the Select Role Services page, verify that Network Policy Server is selected, and then click Next.
7. On the Web Server (IIS) page (which appears if this role service is not already installed), review the summary information, and then click Next.
8. On the Select Role Services page, accept the default selections for Web Server (IIS), and then click Next.
9. On the Confirm Installation Options page, verify that the following roles, role services, and features will be installed:
- Terminal Services\TS Gateway
- Network Policy and Access Services\Network Policy Server
- Web Server (IIS)\Web Server\Management Tools
- RPC over HTTP Proxy
- Windows Process Activation Service\Process Model\Configuration APIs
10. Click Install.
11. On the Installation Progress page, installation progress will be noted. If any of these roles, role services, or features has already been installed, installation progress will be noted only for the new roles, role services, or features that are being installed.
12. On the Installation Results page, confirm that installation for these roles, role services, and features was successful, and then click Close.
and then click Default Web Site.
7. Right-click Default Web Site, point to Manage Web Site, and then click Advanced Settings.
8. In the Advanced Settings dialog box, under (General), verify that Start Automatically is set to True. If it is not set to True, click the drop-down arrow to display the list, and then click True.
9. Click OK.
10. Close IIS Manager.
For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the TS Gateway server.
- The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
- The certificate has a corresponding private key.
- The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.
- A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the certificate that you plan to use contains an object identifier of 2.5.29.15, you can only use the certificate if at least one of the following key usage values is also set: CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE, and CERT_DATA_ENCIPHERMENT_KEY_USAGE. For more information about these values, see Advanced Certificate Enrollment and Management (http://go.microsoft.com/fwlink/?LinkID=74577).
- The certificate must be trusted on clients. That is, the public certificate of the CA that signed the TS Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.
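These requirements can be checked against the certificates already installed on the server before you pick one in the role service wizard or in TS Gateway Manager. The PowerShell script below is an added example and not part of this guide: it walks the local computer's Personal certificate store and reports, for each certificate, whether it satisfies the Server Authentication EKU, private key, validity period and key usage conditions listed above (the 2.5.29.15 rule is applied only when that extension is present, as the guide describes). The function name Test-TsGatewayCertificate is a name chosen for the example; run it in an elevated PowerShell 2.0 or later session on the TS Gateway server.

```powershell
# Added example, not from the TS Gateway Step-by-Step Guide.
# Evaluates certificates in LocalMachine\My against the TS Gateway certificate requirements.
# Requires PowerShell 2.0 or later, run elevated on the TS Gateway server.

$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID (from the guide)
$keyUsageOid   = '2.5.29.15'            # Key Usage extension OID (from the guide)

# Key usage bits the guide accepts when the 2.5.29.15 extension is present:
# CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE, CERT_DATA_ENCIPHERMENT_KEY_USAGE.
$acceptableKeyUsage = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment -bor `
    [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyAgreement -bor `
    [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DataEncipherment

function Test-TsGatewayCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # 1. Intended purpose: the Server Authentication EKU must be present.
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($eku) {
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($oid.Value -eq $serverAuthEku) { $hasServerAuth = $true }
        }
    }
    if (-not $hasServerAuth) { $problems += 'missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)' }

    # 2. A corresponding private key must exist on this machine.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # 3. Within its validity period; the guide recommends one year from installation.
    $now = Get-Date
    if ($Cert.NotAfter -lt $now -or $Cert.NotBefore -gt $now) {
        $problems += 'outside validity period'
    } elseif ($Cert.NotAfter -lt $now.AddYears(1)) {
        $problems += 'expires in under one year (guide recommends one year of validity)'
    }

    # 4. If the Key Usage extension (2.5.29.15) exists, at least one accepted bit must be set.
    $ku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $keyUsageOid }
    if ($ku -and (($ku.KeyUsages -band $acceptableKeyUsage) -eq 0)) {
        $problems += 'Key Usage extension present but none of KeyEncipherment, KeyAgreement or DataEncipherment is set'
    }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Evaluate every certificate in the computer's Personal store, usable ones first.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-TsGatewayCertificate -Cert $_ } |
    Sort-Object Usable -Descending |
    Format-Table Usable, Subject, NotAfter, Problems -AutoSize
```

The script checks only the server-side conditions; the last requirement above, that clients trust the issuing CA, can only be verified from a client, since it depends on that client's Trusted Root Certification Authorities store.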
Requesting a certificate over the Web.

Note: If you have a Windows Server 2003 CA, be aware that the Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll. This ActiveX control is available in Microsoft Windows 2000, Windows Server 2003, and Windows XP. However, Xenroll has been deprecated in Windows Server 2008 and Windows Vista. The sample certificate enrollment Web pages that are included with the original release version of Windows Server 2003, Windows Server 2003 Service Pack 1 (SP1), and Windows Server 2003 Service Pack 2 (SP2) are not designed to handle the change in how Windows Server 2008 and Windows Vista perform Web-based certificate enrollment operations. For information about the steps that you can take to address this issue, see article 922706 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=94472).
For more information about using any of these methods to obtain certificates for Windows Server 2008, see the "Obtain a Certificate" topic in the Certificates snap-in Help and the "Certreq" topic in the Windows Server 2008 Command Reference. To review the Certificates snap-in Help topics, click Start, click Run, type hh certmgr.chm, and then click OK. For information about how to request certificates for Windows Server 2003, see Requesting Certificates (http://go.microsoft.com/fwlink/?LinkID=19649).

A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA that participates in the Microsoft Root Certification Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547). Otherwise, users connecting from home computers or kiosks might not be able to connect to TS Gateway servers. These connections might fail because the enterprise CA-issued root might not be trusted by computers that are not members of domains, such as home computers or kiosks.

If your company does not maintain a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates, you can purchase a certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547). Some of these vendors might offer certificates at no cost on a trial basis.

Alternatively, if your company does not maintain a stand-alone or enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes. For step-by-step instructions, see Create a self-signed certificate for TS Gateway. In the example configurations described in this guide, a self-signed certificate is used.

Important: If you use either of the first two methods to obtain a certificate (that is, if you obtain a certificate from a stand-alone or enterprise CA or a trusted public CA), you must also install the certificate on the TS Gateway server and map the certificate. However, if you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation (as described in Create a self-signed certificate for TS Gateway), you do not need to install or map the certificate to the TS Gateway server. In this case, the certificate is automatically created, installed in the correct location on the TS Gateway server, and mapped to the TS Gateway server.

Note: Terminal Services clients must have the certificate of the CA that issued the server certificate in their Trusted Root Certification Authorities store. Therefore, if you create a self-signed certificate by following the procedure in this guide, you must copy the certificate to the client computer (or to a network share that can be accessed from the client computer) and then install the certificate in the Trusted Root Certification Authorities store on the client computer. For step-by-step instructions, see Install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client. If you use one of the first two methods to obtain a certificate and the Terminal Services client computer trusts the issuing CA, you do not need to install the certificate of the CA that issued the server certificate in the client computer certificate store. For example, you do not need to install the certificate of the issuing CA in the client computer certificate store if a VeriSign or other public, trusted CA certificate is installed on the TS Gateway server. If you use the third method to obtain a certificate (that is, if you create a self-signed certificate), you do need to copy the certificate of the CA that issued the server certificate to the client computer. Then, you must install that certificate in the Trusted Root Certification Authorities store on the client computer. For more information, see Install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client.

2. Install the certificate. | Install a certificate on the TS Gateway server. Use this procedure, described later in this guide, to install the certificate on your TS Gateway server.
3. Map the certificate. | Map the TS Gateway certificate. This procedure, described later in this guide, allows you to specify that the existing certificate be used by the TS Gateway server.
computer #or to a net"or* share that can be accessed from the client computer$+ and then install it in the Trusted .oot Certification /uthorities store on the client computer( ,f you create a self-si'ned certificate by usin' the /dd .oles %i)ard durin' installation of the TS !ate"ay role ser ice+ or by usin' TS !ate"ay Mana'er after installation #as described in this procedure$+ you do not need to install or map the certificate to the TS !ate"ay ser er( To create a self-si%ned certificate for the TS Gateway server 3( 5pen TS !ate"ay Mana'er( To open TS !ate"ay Mana'er+ clic* Start+ point to Ad$inistrative Tools+ point to Ter$inal Services+ and then clic* TS Gateway -ana%er( 2( ,n the console tree+ clic* to select the node that represents your TS !ate"ay ser er+ "hich is named for the computer on "hich the TS !ate"ay ser er is runnin'( 4( ,n the results pane+ under Confi%uration Status+ clic* 7iew or $odify certificate properties( <( 5n the SS0 Certificate tab+ clic* Create a self-si%ned certificate for SS0 encryption+ and then clic* Create Certificate( =( ,n the Create Self-Si%ned Certificate dialo' boA+ do the follo"in': a( @nder Certificate na$e+ erify that the correct common name #C:$ is specified for the self-si'ned certificate+ or specify a ne" name( The C: must match the D:S name that the client uses to connect to the TS !ate"ay ser er+ unless you are usin' "ildcard certificates or the S/: attributes of certificates( b( @nder Certificate location+ to store the root certificate in a specified location so that you can manually distribute the root certificate to clients+ erify that the Store the root certificate chec* boA is selected+ and then specify "here to store the certificate( 7y default+ this chec* boA is selected and the certificate is stored under the R%indir RQ@sersQS@sernameTQDocuments folder( c( Clic* O6( >( ,f you selected the Store the root certificate chec* boA and specified a location for the certificate+ a messa'e "ill appear statin' that TS 
!ate"ay has successfully created the self-si'ned certificate+ and confirmin' the location of the stored certificate( Clic* O6 to close the messa'e( 7( Clic* O6 a'ain to close the TS !ate"ay ser er Properties dialo' boA(
certificate has been selected.
9. Click Finish.
10. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
11. With Certificates selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the TS Gateway server. The certificate must be under the Personal store of the local computer.
TS CAPs
TS C/Ps allo" you to specify "ho can connect to a TS !ate"ay ser er( Eou can specify a user 'roup that eAists on the local TS !ate"ay ser er or in /cti e Directory Domain Ser ices( Eou can also specify other conditions that users must meet to access a TS !ate"ay ser er( Dor eAample+ you can specify that all users "ho connect to a specific terminal ser er that is hostin' a human resources #1.$ database throu'h a TS !ate"ay ser er must be members of the H1. @sersH security 'roup( Eou can also specify that the client computer that is initiatin' the connection must be a member of an /cti e Directory security 'roup in the internal net"or* to connect to the TS !ate"ay ser er( 7y re9uirin' that the computer be a member of a specific /cti e Directory security 'roup in the internal net"or*+ you can eAclude users "ho are attemptin' to connect to the internal net"or* from *ios*s+ airport computers+ or home computers that are not trusted( Dor enhanced security "hen clients are connectin' to the internal net"or* throu'h TS !ate"ay+ you can also specify "hether to disable client de ice redirection for all de ices supported by the Terminal Ser ices client+ or Fust for a specific type of de ice such as a dis* dri e or supported Plu' and Play de ices( ,f you disable client de ice redirection for all de ices supported by the client+ all de ice redirection is disabled+ eAcept for audio and smart card redirection( %hen you select the option to disable de ice redirection for specific de ice types or to disable all de ice types eAcept for smart cards+ the TS !ate"ay ser er "ill send the re9uest bac* to the client "ith a list of the de ice types to be disabled( This list is a su''estion onlyO it is possible for the client to modify the de ice redirection settin's in the list( Warnin% 7ecause the TS !ate"ay ser er relies on the client to enforce the de ice redirection settin's su''ested by the ser er+ this feature should not be considered to pro ide 'uaranteed security( The su''ested de 
ice redirection settin's can only be enforced for .emote Des*top Connection #.DC$ clientsO the settin's cannot be enforced for clients that do not use .DC( /dditionally+ it is possible for a malicious user to modify an .DC client so that the client i'nores the su''ested settin's( ,n such cases+ this feature cannot pro ide 'uaranteed security+ e en for .DC clients( /dditionally+ you can specify "hether remote clients must use smart card authentication or pass"ord authentication to access internal net"or* resources throu'h a TS !ate"ay ser er( %hen both of these options are selected+ clients that use either authentication method are allo"ed to connect( Dinally+ if your or'ani)ation has deployed :et"or* /ccess Protection #:/P$+ you can specify that the client must send a statement of health #So1$( Dor information about ho" to confi'ure TS !ate"ay for :/P+ see Confi'urin' the TS !ate"ay :/P Scenario( ,$portant @sers are 'ranted access to a TS !ate"ay ser er if they meet the conditions specified in the TS C/P( Eou must also create a TS ./P( / TS ./P allo"s you to specify the internal net"or* resources #computers$ that users can connect to throu'h TS !ate"ay( @ntil you create both a TS C/P and a TS ./P+ users cannot connect to internal net"or* resources throu'h this TS !ate"ay ser er(
TS RAPs
TS ./Ps allo" you to specify the internal net"or* resources that remote users can connect to throu'h a TS !ate"ay ser er( %hen you create a TS ./P+ you can create a computer 'roup #a list of computers on the internal net"or* to "hich you "ant the remote users to connect$ and associate it "ith the TS ./P( Dor eAample+ you can specify that users "ho are members of the U1. @sersV user 'roup be allo"ed to connect only to computers that are members of the U1. ComputersV computer 'roup+ and that users "ho are members of the UDinance @sersV user 'roup be allo"ed to connect only to computers that are members of the HDinance ComputersH computer 'roup( .emote users connectin' to an internal net"or* throu'h a TS !ate"ay ser er are 'ranted access to computers on the net"or* if they meet the conditions specified in at least one TS C/P and one TS ./P( !ote %hen you associate a TS !ate"ay-mana'ed computer 'roup "ith a TS ./P+ you can support both fully 9ualified domain names #DLD:s$ and :et7,5S names by addin' both names to the TS !ate"ay-mana'ed computer 'roup separately( %hen you associate an /cti e Directory security 'roup "ith a TS ./P+ both DLD:s and :et7,5S names are supported automatically if the internal net"or* computer that the client is connectin' to belon's to the same domain as the TS !ate"ay ser er( ,f the internal net"or* computer belon's to a different domain than the TS !ate"ay ser er+ users must specify the DLD: of the internal net"or* computer( To'ether+ TS C/Ps and TS ./Ps pro ide t"o different le els of authori)ation to pro ide you "ith the ability to confi'ure a more specific le el of access control to computers on an internal net"or*(
When both of these options are selected, clients that use either authentication method are allowed to connect.
7. Under User group membership (required), click Add Group, and then specify a user group whose members can connect to the TS Gateway server. You must specify at least one user group.
8. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following:
   - Type the name of each user group, separating the name of each group with a semi-colon.
   - Add additional groups from different domains by repeating this step for each group.
9. To specify computer domain membership criteria that client computers should meet (optional), on the Requirements tab, under Client computer group membership (optional), click Add Group, and then specify the computer groups. In the example configurations, no computer group is specified. To specify computer groups, you can use the same steps that you used to specify user groups.
10. On the Device Redirection tab, select one of the following options to enable or disable redirection for remote client devices:
   - To permit all client devices to be redirected when connecting through the TS Gateway server, click Enable device redirection for all client devices. By default, this option is selected.
   - To disable device redirection for all client devices except for smart cards when connecting through the TS Gateway server, select Disable device redirection for all client devices except for smart card.
   - To disable device redirection for only certain device types when connecting through the TS Gateway server, click Disable device redirection for the following client device types, and then select the check boxes that correspond to the client device types for which device redirection should be disabled.
   Important: Device redirection settings can be enforced only for Microsoft Remote Desktop Connection (RDC) clients.
11. Click OK.
12. The new TS CAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS CAP, the policy details appear in the lower pane.
5. Create a TS RAP and specify computers that users can connect to through the TS Gateway server
This procedure describes ho" to use TS !ate"ay Mana'er to create a custom TS ./P+ and to specify computers that users can connect to throu'h the TS !ate"ay ser er( /lternati ely+ you can use the /uthori)ation Policies %i)ard to complete these tas*s( ,$portant ,f users are connectin' to members of a terminal ser er farm+ you must confi'ure a TS ./P that eAplicitly specifies the name of the terminal ser er farm( To do so+ "hen you create the TS ./P+ on the Co$puter Group tab+ select the Select e/istin% TS Gateway-$ana%ed co$puter %roup or create a new one option+ and then eAplicitly specify the name of the terminal ser er farm( ,f the name of the terminal ser er farm is not eAplicitly specified+ users "ill not be able to connect to members of the farm( Dor optimal security and ease of administration+ to specify the terminal ser ers that are members of the farm+ create a second TS ./P( 5n the Co$puter Group+ select the Select an Active ;irectory security %roup option+ and then specify the security 'roup
29
that contains the terminal ser ers in the farm( Doin' this optimi)es security by ensurin' that the members of the farm are trusted members of an /cti e Directory security 'roup( To create a TS "AP and specify co$puters that users can connect to throu%h the TS Gateway server 3( 5pen TS !ate"ay Mana'er( 2( ,n the console tree+ clic* to select the node that represents your TS !ate"ay ser er+ "hich is named for the computer on "hich the TS !ate"ay ser er is runnin'( 4( ,n the console tree+ eApand Policies+ and then clic* "esource Authori4ation Policies( <( .i'ht-clic* the "esource Authori4ation Policies folder+ clic* Create !ew Policy+ and then clic* Custo$( =( 5n the General tab+ in the Policy na$e boA+ enter a name that is no lon'er than >< characters( >( ,n the ;escription boA+ enter a description for the ne" TS ./P( 7( 5n the 5ser Groups tab+ clic* Add to select the user 'roups to "hich you "ant this TS ./P to apply( 8( ,n the Select Groups dialo' boA+ specify the user 'roup location and name+ and then clic* O6( To specify more than one user 'roup+ do either of the follo"in': Type the name of each user 'roup+ separatin' the name of each 'roup "ith a semi-colon( /dd additional 'roups from different domains by repeatin' Step 7 for each 'roup( 8( 5n the Co$puter Group tab+ specify the computer 'roup that users can connect to throu'h TS !ate"ay by doin' one of the follo"in': To specify an eAistin' security 'roup+ clic* Select an e/istin% Active ;irectory security %roup+ and then clic* Browse( ,n the Select Group dialo' boA+ specify the user 'roup location and name+ and then clic* O6( :ote that you can select a security 'roup in 2ocal @sers and !roups+ rather than in /cti e Directory Domain Ser ices( To specify a TS !ate"ay-mana'ed computer 'roup+ clic* Select an e/istin% TS Gateway-$ana%ed co$puter %roup or create a new one+ and then clic* Browse( ,n the Select a TS Gateway-$ana%ed Co$puter Group dialo' boA+ do one of the follo"in': Select an eAistin' TS 
!ate"ay-mana'ed computer 'roup by clic*in' the name of the computer 'roup that you "ant to use+ and then clic* O6 to close the dialo' boA( Create a ne" TS !ate"ay-mana'ed computer 'roup by clic*in' Create !ew Group( 5n the General tab+ type a name and description for the ne" 'roup( 5n the !etwor( "esources tab+ type the name or ,P address of the computer or Terminal Ser ices farm that you "ant to add+ and then clic* Add( .epeat this step as needed to specify additional computers+ and then clic* O6 to close the !ew TS Gateway--ana%ed Co$puter Group dialo' boA( ,n the Select a TS Gateway-$ana%ed Co$puter Group dialo' boA+ clic* the name of the ne" computer 'roup+ and then clic* O6 to
30
close the dialo' boA( ,$portant %hen you add an internal net"or* computer to the list of TS !ate"aymana'ed computers+ *eep in mind that if you "ant to allo" remote users to connect to the computer by specifyin' either its computer name or its ,P address+ you must add the computer to the computer 'roup t"ice #by specifyin' the computer name of the computer and addin' it to the computer 'roup+ and then specifyin' the ,P address of the computer and addin' it to the computer 'roup a'ain$( ,f you specify only an ,P address for a computer "hen you add it to a computer 'roup+ users must also specify the ,P address of that computer "hen they connect to that computer throu'h TS !ate"ay( To ensure that remote users connect to the internal net"or* computers that you intend+ "e recommend that you do not specify ,P addresses for the computers+ if the computers are not confi'ured to use static ,P addresses( Dor eAample+ you should not specify ,P addresses if your or'ani)ation uses D1CP to dynamically reconfi'ure ,P addresses for the computers( To specify any net"or* resource+ clic* Allow users to connect to any networ( resource+ and then clic* O6( 30( /fter you specify a computer 'roup+ the ne" TS ./P that you created appears in the TS !ate"ay Mana'er results pane( %hen you clic* the name of the TS ./P+ the policy details appear in the lo"er pane(
Edit Connection Limit.
5. On the General tab, under Maximum Connections, do one of the following:
   - To set a limit for the maximum number of simultaneous connections that Terminal Services clients can make to internal network resources through TS Gateway, click Limit maximum allowed simultaneous connections to, and then specify the number of allowable connections.
   - To set no limit on the number of allowable connections between clients and internal network resources through TS Gateway, click Allow the maximum supported simultaneous connections. This is the default option. Keep in mind that for TS Gateway servers that are running on Windows Server 2008 Standard, a maximum of 250 simultaneous connections is supported.
   - To prevent new connections from being made between clients and internal network resources through TS Gateway, click Disable new connections. If you select this option, only new connection attempts will be rejected. Current connections will not be ended by TS Gateway.
6. Click OK.
Steps for configuring a Terminal Services client for the TS Gateway core scenario

To configure the Terminal Services client for the TS Gateway core scenario, complete these tasks.
Task | Reference/Step-by-step instructions
1. Install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client (optional). Note: This procedure is not required if a certificate that is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program is installed on the TS Gateway server, and the Terminal Services client computer trusts the certificate. | Install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client
2. Configure Remote Desktop Connection settings. | Configure Remote Desktop Connection settings
3. Verify that end-to-end connectivity through | Verify that end-to-end connectivity through the
1. Install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client (optional)
The client computer must verify and trust the identity of the TS Gateway server before the client can send the user's password and logon credentials securely and complete the authentication process. To establish this trust, the clients must trust the root of the server's certificate. That is, clients must have the certificate of the certification authority (CA) that issued the server certificate in their Trusted Root Certification Authorities store. You can view this store by using the Certificates snap-in.

As mentioned, this procedure is not required if:
- A certificate that is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program [as listed in article 931125 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547)] is installed on the TS Gateway server; and
- The Terminal Services client computer already trusts the issuing CA.

If the TS Gateway server is using a certificate that is issued by one of the trusted public CAs, and the certificate is recognized and trusted by your client computer, proceed to complete the steps in the Configure remote desktop connection settings section.

Important: Do not install certificates from any untrusted sources or individuals.

Note: If you are configuring the Terminal Services client for use with Network Access Protection (NAP), you must install the TS Gateway server root certificate by using the computer account. If not, you can install the TS Gateway server root certificate by using the user account.

Before completing the steps in the following procedure, you must have already copied the certificate to the client computer. For example, if you created a self-signed certificate for the TS Gateway server by using TS Gateway Manager, you must have already copied that certificate from the TS Gateway server to the client computer.

To install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client
1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
   a. Click Start, click Run, type mmc, and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
   d. In the Certificates snap-in dialog box, to open the snap-in for a computer account, click Computer account, and then click Next. To open the snap-in for a user account, click My user account, and then click Finish.
   e. If you opened the Certificates snap-in for a computer account, in the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
   f. In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.
3. On the Welcome to the Certificate Import Wizard page, click Next.
4. On the File to Import page, in the File name box, browse to the TS Gateway server root certificate, click Open, and then click Next.
5. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next.
6. On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear:
   - Certificate Store Selected by User: Trusted Root Certification Authorities
   - Content: Certificate
   - File Name: FilePath\<Root_Certificate_Name.cer>, where <Root_Certificate_Name> is the name of the TS Gateway server root certificate.
7. Click Finish.
8. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
9. With Certificates selected in the console tree, in the details pane, verify that the root certificate of the TS Gateway server appears in the list of certificates on the client. Ensure that the certificate appears under the Trusted Root Certification Authorities store.
3. On the Advanced tab, in the Connect from anywhere area, click Settings.
4. In the TS Gateway Server Settings dialog box, select the appropriate options:
   - Automatically detect TS Gateway server settings (default). If you select this option, the Terminal Services client attempts to use Group Policy settings that determine the behavior of client connections to TS Gateway servers or TS Gateway server farms, if these settings have been configured and enabled. For more information, see the "Using Group Policy to Manage Client Connections Through TS Gateway" topic in the TS Gateway Help.
   - Use these TS Gateway server settings. If a TS Gateway server name or TS Gateway server farm name and a logon method are not already enabled and enforced by Group Policy, you can select this option and specify the name of the TS Gateway server or TS Gateway server farm that you want to connect to and the logon method to use for the connection. The name that you specify for the server must match the name in the Issued to field of the TS Gateway server certificate. If you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation, specify the fully qualified domain name (FQDN) of the TS Gateway server.
   - Bypass TS Gateway server for local addresses. This option is selected by default. If you want the Terminal Services client to automatically detect when TS Gateway is required, select this check box. If you use a mobile computer, selecting this option will optimize client connectivity performance and minimize latency because TS Gateway will only be used when it is required. If your computer is always connected to the local area network (LAN) or if it is hosted inside the internal network firewall, TS Gateway will not be used. If you are outside the internal network and connecting to the internal network over the Internet, TS Gateway will be used. If you are in a LAN, but want to test connectivity through a TS Gateway server or TS Gateway server farm, clear this check box. Otherwise, the client will not connect through the TS Gateway server or TS Gateway server farm in this case.
   - Do not use a TS Gateway server. Select this option if your computer is always connected to the LAN or if it is hosted inside the internal network firewall. This option is appropriate if you know that you do not need to use TS Gateway to traverse a firewall.
5. Do one of the following:
   - To save the settings and close the Remote Desktop Connection dialog box, click Save, and then click Cancel. The settings will be saved as an RDP file to a default location (by default, the file is saved to Drive:\<Username>\Documents).
   - To save the RDP file to a specified location (you can customize and distribute the file later to multiple clients as needed), click Save As. In the Save as dialog box, in the File name box, specify the file name and location, and then click Save.
   - To proceed with a connection to an internal network resource, click Save, click Connect, and then proceed to Step 5 in the next procedure ("Verify that end-to-end
The computers must meet the system requirements described in System requirements for the TS Gateway NAP scenario.
2. Complete the core TS Gateway server configuration by following the instructions in "Steps for configuring the TS Gateway server for the TS Gateway core scenario" in Configuring the TS Gateway Core Scenario.
3. Configure the TS Gateway server for NAP health policy checking by following the instructions in Steps for configuring TS Gateway for the NAP scenario.
4. Complete the core Terminal Services client configuration for TS Gateway by following the instructions in "Steps for configuring a Terminal Services client for the TS Gateway core scenario" in Configuring the TS Gateway Core Scenario.
5. Configure the client as a NAP enforcement client by following the instructions in Steps for configuring a Terminal Services client as a NAP enforcement client.
6. Configure the internal network resource. As mentioned, this resource can be any terminal server or any computer with Remote Desktop enabled.
7. Verify that the NAP health policies created on the TS Gateway server are successfully applied to the Terminal Services client by completing the following two tasks:
   - Testing for a successful blocked connection. If the health policies are correctly applied to the Terminal Services client, the client connection attempt will be blocked by the NPS server when automatic updating is disabled on the Terminal Services client computer.
   - Testing for a successful allowed connection. If the health policies are correctly applied to the Terminal Services client, the client connection attempt will be allowed by the NPS server when automatic updating is enabled on the Terminal Services client computer.
   To complete these two testing tasks, follow the instructions in Test to confirm that the TS Gateway NAP health policy is successfully applied to the Terminal Services client.
In this scenario, TSGSERVER is used as the TS Gateway server and as an NPS server, and it must run Windows Server 2008. The installation can be an upgrade from Windows Server 2003 SP1 or Windows Server 2008 Release Candidate 0 (RC0). For more information, see "Supported upgrade paths" in Installing Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=104924).

Terminal Services client (TSCLIENT): In this scenario, TSCLIENT is used as a Terminal Services client and as a NAP client, and it can run any of the following:
- Windows Vista SP1 or Windows XP SP3.
- Windows Vista. The installation can be an upgrade from Windows XP with SP2.
- Windows Server 2008. The installation can be an upgrade.

Internal network resource (CORPORATERESOURCE):
- Windows Vista SP1 or Windows XP SP3.
- Windows Vista. The installation can be an upgrade from Windows XP with SP2.
- Windows XP with SP2.
- Windows XP with SP3.
- Windows Server 2008. The installation can be an upgrade.
- Windows Server 2003 with SP1 or SP2.
Note The steps in this setup guide describe how to set up remote access from a Terminal Services client through a TS Gateway server to an internal network resource, with health policy checking for Terminal Services (the NPS server is used to perform the health policy checking). The guide does not describe how to set up the firewalls illustrated in the diagram, the terminal servers running RemoteApp programs, or the perimeter network or Active Directory infrastructure. The diagram is provided to suggest one way in which this scenario might be implemented in a production environment.
Task | Reference/Step-by-step instructions
1. Enable NAP health policy checking on the TS Gateway server. | Enable NAP health policy checking on the TS Gateway server
2. Delete existing TS CAPs and create three new TS CAPs on the TS Gateway server. | Delete existing TS CAPs and create three new TS CAPs on the TS Gateway server
3. Configure a Windows Security Health Validator on the TS Gateway server. | Configure a Windows Security Health Validator on the TS Gateway server
4. Create NAP policies on the TS Gateway server by using the Configure NAP Wizard. | Create NAP policies on the TS Gateway server by using the Configure NAP Wizard
2. Delete existing TS CAPs and create three new TS CAPs on the TS Gateway server
If you have already created one or more TS CAPs on the TS Gateway server by using TS Gateway Manager and following the procedures in "Create a TS CAP for the TS Gateway server" in Configuring the TS Gateway Core Scenario, we strongly recommend that you delete those TS CAPs by following the steps in this procedure.
Warning Failure to delete existing TS CAPs might result in security vulnerabilities for your internal network because these TS CAPs might bypass the NAP authorization policies that you will create for the TS Gateway NAP scenario. If the NAP authorization policies are bypassed, Terminal Services clients that do not meet NAP authorization policy requirements will be allowed access to the TS Gateway server.
To delete existing TS CAPs on the TS Gateway server
1. Open TS Gateway Manager.
2. In the console tree, click to select the node that represents the TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. In the console tree, expand Policies, and then click Connection Authorization Policies.
4. In the details pane, right-click any existing TS CAPs, and then click Delete.
After you delete any previously created TS CAPs from TS Gateway Manager, create three new identical TS CAPs (TSCAP1, TSCAP2, and TSCAP3) by following the procedures in "Create a TS CAP for the TS Gateway server" in Configuring the TS Gateway Core Scenario.
If you have not already done so, also create a TS RAP in TS Gateway Manager. If you have already created a TS RAP that meets your security requirements, you do not need to delete the existing TS RAP and create a new TS RAP. For step-by-step instructions about how to create a TS RAP, see "Create a TS RAP for the TS Gateway server" in Configuring the TS Gateway Core Scenario.
4. Create NAP policies on the TS Gateway server by using the Configure NAP Wizard
You can use the Configure NAP wizard to easily create the policies required to configure the TS Gateway server as a NAP enforcement client. This section describes how to create the following policies for TS Gateway:
   Health policies: Health policies allow you to define client configuration requirements for the NAP-capable computers that attempt to connect to internal network resources through the TS Gateway server.
   Connection request policy: Connection request policies are an ordered set of rules that allow the NPS service to determine whether a specific connection attempt request or an accounting message received from a RADIUS client should be processed locally or forwarded to another RADIUS server. When you are configuring the NPS server to perform NAP health determination and enforcement, NPS is acting as a RADIUS server. The TS Gateway server is the RADIUS client.
   Network policies: Network policies allow you to designate who is authorized to connect to the network and the circumstances under which they can connect. During the authorization process, NAP performs client health checks.
To create NAP policies on the TS Gateway server by using the Configure NAP Wizard
1. Open the Network Policy Server snap-in console. To open Network Policy Server, click Start, point to Administrative Tools, and then click Network Policy Server.
2. In the console tree, click NPS (Local).
3. In the details pane, under Standard Configuration, click Configure NAP.
4. In the Configure NAP wizard, on the Select Network Connection Method for Use with NAP page, do the following:
   a. Under Network connection method, select Terminal Services Gateway (TS Gateway).
   b. Under Policy Name, accept the default name (NAP TS Gateway) or type a new name, and then click Next.
5. On the Specify NAP Enforcement Servers Running TS Gateway page, under TS Gateway servers, confirm that TS Gateway server is specified, and then click Next.
6. On the Configure Client Device Redirection and Authentication Methods page, do the following:
   a. Under Device redirection, select the option that is appropriate for your environment.
   b. Under Authentication Method, select the authentication method(s) that is appropriate for your environment. When both authentication methods are selected, clients that use either method will be allowed to connect.
7. On the Configure User Groups and Machine Groups page, do the following:
   a. Under User Groups: (Required), click Add User, and then specify a user group whose members can connect to the TS Gateway server. You must specify at least one user group.
   b. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following:
   c. Type the name of each user group, separating the name of each group with a semi-colon.
   d. Add additional groups from different domains by repeating this step for each group.
   e. Under Machine Groups: (Optional), to specify computer domain membership criteria that client computers must meet (optional), click Add Machine, and then specify the computer groups. In the example configurations, no computer group is specified.
   f. To specify computer groups, you can use the same steps that you used to specify user groups.
8. Click Next.
9. On the Define NAP Health Policy page, verify that the Windows Security Health Validator check box is selected and that Deny client access to terminal servers or computers running Remote Desktop is selected, and then click Next.
10. On the Completing New Network Access Protection Policies and RADIUS clients page, confirm that the following policies appear:
   Under Health Policies: NAP TS Gateway Compliant, NAP TS Gateway Noncompliant
   Under Connection Request Policy: NAP TS Gateway
   Under Network Policies: NAP TS Gateway Compliant, NAP TS Gateway Noncompliant, and NAP TS Gateway Non NAP-Capable
11. Click Finish.
3( Do"nload and run the Terminal Ser ices :/P client confi'uration command( 2( Test to confirm that the :/P health policy is successfully applied to the Terminal Ser ices
Do"nload and run the Terminal Ser ices :/P client confi'uration command Test to confirm that the :/P health policy is successfully applied to the Terminal Ser ices
43
Tas(
"eference)Step-by-step instructions
client(
client
1. Download and run the Terminal Services NAP client configuration command
The Terminal Services NAP client configuration command (Tsgqecclientconfig.cmd) performs the following tasks to configure the Terminal Services client as a NAP enforcement client:
   Adds the TS Gateway server name to the Trusted Server list on the client.
   Starts the Network Access Protection Agent service and sets the service startup type to Automatic. The NAP agent collects and manages health information. The NAP agent processes statements of health (SoH) from the various system health agents (SHAs) and reports client health to the NAP administration server. For NAP to function correctly, you must start the Network Access Protection Agent service on the client, and then set the service startup type to Automatic. By default, this service does not start automatically.
   Enables the TS Gateway Quarantine Enforcement client.
To run this example script, use the following procedure. Note that you must run the script as a member of the local Administrators group on the TS Gateway server.
To download and run the Terminal Services NAP client configuration command
1. To download the Terminal Services NAP client configuration command, go to the Terminal Services NAP Client Configuration Command page on the Download Center (http://go.microsoft.com/fwlink/?LinkId=103083). When you open the command prompt, right-click the command prompt, and then click Run as Administrator. You must run this command with elevated privileges for the command to succeed. For information about how to run this command with elevated privileges in Windows XP, see article 294676 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=87531). For information about how to do this in Windows Server 2003, see Run a program with administrative credentials (http://go.microsoft.com/fwlink/?LinkId=87533).
2. At the command prompt, type:
   tsgqecclientconfig TS_GATEWAY_SERVER_NAME
   where TS_GATEWAY_SERVER_NAME is the fully qualified domain name (FQDN) of the TS Gateway server that you want to add to the list of trusted TS Gateway servers on the client. The name that you specify for the server must match the name in the Issued to field of the TS Gateway server certificate. If you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation, specify the fully qualified domain name (FQDN) of the TS Gateway server.
   To specify more than one TS Gateway server, separate each server name with a semicolon (;) (for example, SERVER_NAME1;SERVER_NAME2;SERVER_NAME3).
3. Restart the client computer to implement the configuration changes, and then log back on to the client computer by using the same account that you used to run the client configuration command.
4. Open Registry Editor. To open Registry Editor, in the Start search box, type regedit, and then press ENTER.
5. Navigate to the following registry subkey:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Terminal Server Client\TrustedGateways
6. Under TrustedGateways, verify that the following value exists:
   <TS_Gateway_Server_Name>
   where TS_GATEWAY_SERVER_NAME is the fully qualified domain name (FQDN) of the TS Gateway server that you specified in Step 2. If you specified more than one TS Gateway server, ensure that each TS Gateway server is listed.
2. Test to confirm that the TS Gateway NAP health policy is successfully applied to the Terminal Services client
@se the follo"in' procedures to erify that the health policy that you confi'ured on the TS !ate"ay ser er is bein' applied to the Terminal Ser ices client( .ecall that the %indo"s Security 1ealth ?alidator #%S1?$ policy that you created on the TS !ate"ay ser er re9uires that you enable automatic updatin' for the connection to succeed( To test "hether the health policy is correctly applied to the Terminal Ser ices client+ perform the follo"in' tas*s: Test for successful bloc*ed connection for :/P-capable client( ,f the health policy is correctly applied to the Terminal Ser ices :/P-capable client+ the client connection attempt "ill be bloc*ed by the ser er "hen automatic updatin' is disabled on the client( Test for successful allo"ed connection for :/P-capable client( ,f the health policy is correctly applied to the Terminal Ser ices :/P-capable client+ the client connection attempt "ill be allo"ed by the ser er "hen automatic updatin' is enabled on the client( Test for successful bloc*ed connection for non-:/P capable client( ,f the health policy is correctly applied to the Terminal Ser ices non-:/P capable client+ the client connection attempt "ill be bloc*ed by the ser er because the client cannot send a statement of health #So1$(
45
To atte$pt an end-to-end connection throu%h the TS Gateway server when auto$atic updatin% is disabled on the client 3( 5pen Control Panel( To open Control Panel+ clic* Start+ and then clic* Control Panel( 2( ,n Control Panel+ double-clic* Security Center( 4( @nder Security 1ssentials+ chec* "hether Auto$atic 5pdatin% is set to On( ,f so+ proceed to the neAt step( ,f Auto$atic 5pdatin% is already set to Off+ s*ip to Step 7( <( ,n the na i'ation pane+ clic* Windows 5pdate( =( ,n Windows 5pdate+ in the na i'ation pane+ clic* Chan%e Settin%s( >( ,n the Choose how Windows can install updates dialo' boA+ clic* !ever chec( for updates 2not reco$$ended3+ and then clic* O6( 7( 5pen the .emote Des*top Connection client( To open the .emote Des*top Connection client+ clic* Start+ point to All Pro%ra$s+ point to Accessories+ and then clic* "e$ote ;es(top Connection( 8( ,n the "e$ote ;es(top Connection dialo' boA+ clic* Options to eApand the dialo' boA and ie" settin's( 8( 5n the General tab+ type the name of the computer #terminal ser er or computer "ith .emote Des*top enabled$ to "hich you "ant to connect throu'h TS !ate"ay( 30( Clic* Connect( 33( 5n the 1nter your credentials pa'e+ select the user account that you "ant to use to lo' on remotely to the computer+ enter the re9uired credentials+ and then clic* O6( 32( 5n the Gateway server credentials pa'e+ select the user name that you "ant to use to lo' on to the TS !ate"ay ser er+ enter the re9uired credentials+ and then clic* O6( 34( /fter a fe" moments+ the follo"in' error messa'e appears: This computer canNt connect to the remote computer because your computer or de ice did not pass the :et"or* /ccess Policies alidation set by your net"or* administrator( Please contact your net"or* administrator for assistance( 3<( Clic* O6 to close the messa'e+ and then cancel the connection(
the client did not meet the requirements of the NAP policies on the NPS server and therefore is not authorized to access the TS Gateway server.
To verify that the NAP health policy blocked the connection
1. On the TS Gateway server, open Event Viewer. To open Event Viewer, click Start, point to Administrative Tools, and then click Event Viewer.
2. In Event Viewer, expand Windows Logs, and then click Security.
3. With Security selected in the console tree, search for event IDs 6272 and 6276.
4. In the console tree, expand Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway, and then click Operational.
5. With Operational selected in the console tree, search for Event ID 204.
6. Close Event Viewer.
clic* "e$ote ;es(top Connection( 7( ,n the "e$ote ;es(top Connection dialo' boA+ clic* Options to eApand the dialo' boA and ie" settin's( 8( 5n the General tab+ type the name of the computer #terminal ser er or computer "ith .emote Des*top enabled$ to "hich you "ant to connect throu'h TS !ate"ay( 8( Clic* Connect( 30( 5n the 1nter your credentials pa'e+ select the user account that you "ant to use to lo' on remotely to the computer+ enter the re9uired credentials+ and then clic* O6( 33( 5n the Gateway server credentials pa'e+ select the user name that you "ant to use to lo' on to the TS !ate"ay ser er+ enter the re9uired credentials+ and then clic* O6( 32( /fter a fe" moments+ the follo"in' error messa'e appears: HThis computer canNt connect to the remote computer because your computer or de ice did not pass the :et"or* /ccess Policies alidation set by your net"or* administrator( Please contact your net"or* administrator for assistance(H 34( Clic* O6 to close the messa'e+ and then cancel the connection( 5n the TS !ate"ay ser er+ follo" the steps in ?erify that the :/P health policy bloc*ed the connection to confirm that client access to the TS !ate"ay ser er "as denied because the health policy "as successfully applied(
Additional references
:et"or* /ccess Protection #http:CC'o(microsoft(comCf"lin*C62in*,DG700<7$ Terminal Ser ices pa'e on the %indo"s Ser er 2008 TechCenter #http:CC'o(microsoft(comCf"lin*C62in*,DG<8===$
client and the TS !ate"ay ser er( The TS !ate"ay ser er is hosted in the corporateCpri ate net"or*( This scenario is illustrated under USettin' up the TS !ate"ay ,S/ Ser er scenario+V in the neAt section( ,SA Server as a firewall and SS0 brid%in% device+ ,n this scenario+ ,S/ Ser er functions as a fire"all that performs port filterin'+ pac*et filterin'+ and SS2 brid'in'( The TS !ate"ay ser er can be hosted in the corporateCpri ate net"or* or in the perimeter net"or*+ dependin' on "hether the ,S/ Ser er is located as the eAternal fire"all or the internal fire"all( ,SA Server as a firewall that perfor$s port filterin% 2server publishin%3+ ,n this scenario+ ,S/ Ser er functions as an eAternal pac*et filterin' fire"all and permits traffic only o er port <<4( The TS !ate"ay ser er is hosted in the perimeter( !ote The steps in this setup 'uide pro ide detailed confi'uration information only for the first scenario #,S/ Ser er as a %eb proAy$( The other t"o scenarios are mentioned as alternate "ays in "hich ,S/ Ser er can be used "ith TS !ate"ay to enhance security for remote connections to internal net"or* resources(
%indo"s Ser er 2004 and ,S/ Ser er 200< "ith Ser ice Pac* 4 #SP4$ 5r %indo"s Ser er 2004 and ,S/ Ser er 200>
%indo"s ?ista "ith Ser ice Pac* 3 #SP3$ or %indo"s ;P "ith SP4 %indo"s ?ista %indo"s ;P "ith Ser ice Pac* 2 #SP2$ and the Terminal Ser ices client+ .emote Des*top Connection #.DC$ >(0( To do"nload .DC >(0+ see article 82=87> in the Microsoft Mno"led'e 7ase #http:CC'o(microsoft(comCf"lin*C6
50
Co$puter
2in*,dG78474$( %indo"s Ser er 2008 %indo"s Ser er 2004 "ith SP3 or SP2 and .DC >(0 ,nternal net"or* resource #C5.P5./TB.BS5@.CB$ %indo"s ?ista "ith SP3 or %indo"s ;P "ith SP4 %indo"s ?ista %indo"s ;P "ith SP2 %indo"s Ser er 2008 %indo"s Ser er 2004 "ith SP3 or SP2
!ote The steps in this setup 'uide describe ho" to set up remote access from a Terminal Ser ices client throu'h a TS !ate"ay ser er+ "here SS2 traffic from the client is first sent to the ,S/ Ser er+ "hich is used for SS2 brid'in'( The 'uide does not describe ho" to install ,S/ Ser er 200< or ,S/ Ser er 200>+ nor does it describe ho" to confi'ure the fire"alls illustrated in the dia'ram+ the terminal ser ers runnin' .emote/pp pro'rams #hostin' 257 applications$+ or the perimeter net"or* or /cti e Directory infrastructure( The dia'ram is pro ided to su''est one "ay in "hich this scenario mi'ht be implemented in a production en ironment(
Task | Reference/Step-by-step instructions
1. Export the SSL certificate for the TS Gateway server and copy it to the ISA Server. | Export the certificate for the TS Gateway server and copy it to the ISA Server
2. Install the SSL certificate for the TS Gateway server on the ISA Server. | Install the SSL certificate for the TS Gateway server on the ISA Server
3. Copy and install the TS Gateway server root certificate on the ISA Server. Note This step is required only if you are using a self-signed certificate or another SSL certificate type that is not trusted. | Copy and install the TS Gateway server root certificate on the ISA Server
4. Create a new Web publishing rule on the ISA Server. | Create a new Web publishing rule on the ISA Server
5. Enable or disable HTTPS-HTTP bridging on the TS Gateway server. | Enable or disable the HTTPS-HTTP bridging setting on the TS Gateway server
6. Verify client configuration and test end-to-end connectivity. | Verify client configuration and test end-to-end connectivity
1. Export the SSL certificate for the TS Gateway server and copy it to the ISA Server
When you export the certificate, ensure that you export the private key. If this option is not available for the certificate that you have selected, you must obtain a new certificate for ISA Server. For information about ISA Server certificate requirements, see Digital Certificates for ISA Server 2004 (http://go.microsoft.com/fwlink/?LinkId=104827) and Troubleshooting SSL Certificates in ISA Server Publishing (http://go.microsoft.com/fwlink/?LinkId=104826).
Perform the following procedure on the TS Gateway server to export the SSL certificate for the TS Gateway server and copy it to the ISA Server.
To export the SSL certificate for the TS Gateway server and copy it to the ISA Server
1. On the TS Gateway server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
   a. Click Start, click Run, type mmc, and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
   d. In the Certificates snap-in dialog box, click Computer account, and then click Next.
   e. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
   f. In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Personal, and then click Certificates.
3. Under certificates, click the TS Gateway server certificate. If more than one certificate is listed and you are unsure which certificate to select, view the properties for each certificate to identify the certificate that meets TS Gateway server requirements.
4. Right-click the TS Gateway certificate to export, point to All Tasks, and then click Export.
5. On the Welcome to the Certificate Export Wizard page, click Next.
6. On the Export Private Key page, click Yes, export the private key, and then click Next.
7. On the Export File Format page, ensure that Personal Information Exchange PKCS #12 (.PFX) is selected, select the Include all certificates in the certification path if possible check box, and then click Next.
8. On the Password page, type a password to protect the private key for the certificate, confirm the password, and then click Next.
9. On the File to Export page, in the File name box, click Browse.
10. In the Save As dialog box, specify the name of the certificate that you want to export and the location to which you want to export the certificate (ensure that the location can be accessed from the ISA Server), and then click Save.
11. On the File to Export page, click Next.
12. On the Completing the Certificate Export Wizard page, confirm that the correct certificate is specified, that Export Keys is set to Yes, and that Include all certificates in the certification path is set to Yes, and then click Finish.
13. After the certificate export has successfully completed, a message appears confirming that the export was successful. Click OK.
14. Close the Certificates snap-in.
15. Copy the certificate to the ISA Server.
2. Install the SSL certificate for the TS Gateway server on the ISA Server
Perform the follo"in' procedure on the ,S/ Ser er to install the SS2 certificate for the TS !ate"ay ser er( To install the SS0 certificate for the TS Gateway server on the ,SA Server 3( 5n the ,S/ Ser er+ open the Certificates snap-in console( ,f you ha e not already added the Certificates snap-in console+ you can do so by doin' the follo"in': a( Clic* Start+ clic* "un+ type $$c+ and then clic* O6( b( 5n the @ile menu+ clic* Add)"e$ove Snap-in( c( ,n the Add or "e$ove Snap-ins dialo' boA+ in the Available snap-ins list+ clic*
54
Certificates+ and then clic* Add( d( ,n the Certificates snap-in dialo' boA+ clic* Co$puter account+ and then clic* !e/t( e( ,n the Select Co$puter dialo' boA+ clic* 0ocal co$puter> 2the co$puter this console is runnin% on3+ and then clic* @inish( f( ,n the Add or "e$ove snap-ins dialo' boA+ clic* O6( 2( ,n the Certificates snap-in console+ in the console tree+ eApand Certificates 20ocal Co$puter3+ and then clic* Personal( 4( .i'ht-clic* the Personal folder+ point to All Tas(s+ and then clic* ,$port( <( 5n the Welco$e to the Certificate ,$port Wi4ard pa'e+ clic* !e/t( =( 5n the @ile to ,$port pa'e+ in the @ile na$e boA+ clic* Browse+ and then bro"se to the location "here you copied the SS2 certificate for the TS !ate"ay ser er( Select the certificate #Certificate63ame(pfA$+ clic* Open+ and then clic* !e/t( >( 5n the Password pa'e+ do the follo"in': ,f earlier you specified a pass"ord for the pri ate *ey associated "ith the certificate+ type the pass"ord( ,f you "ant to mar* the pri ate *ey as eAportable+ select the -ar( this (ey as e/portable chec* boA( Bnsure that the ,nclude all e/tended properties chec* boA is selected( 7( Clic* !e/t( 8( 5n the Certificate Store pa'e+ clic* Auto$atically select the certificate store based on the type of certificate+ and then clic* !e/t( 8( 5n the Co$pletin% the Certificate ,$port Wi4ard pa'e+ confirm that the correct certificate has been selected and that the follo"in' certificate settin's appear: Certificate Store Selected: /utomatically determined by the "i)ard( Content: PD;
Dile :ame: DilePathQSCertificate63ame.pfxT+ "here SCertificate63ameT is the name of the TS !ate"ay ser er SS2 certificate( 30( Clic* @inish( 33( /fter the certificate import has successfully completed+ a messa'e appears confirmin' that the import "as successful( Clic* O6( 32( %ith Certificates selected in the console tree+ in the details pane+ erify that the correct certificate appears in the list of certificates on the ,S/ Ser er( The certificate must be under the Personal store of the local computer(
3. Copy and install the TS Gateway server root certificate on the ISA Server
This procedure is required only in the following circumstances:
   If you are using a self-signed certificate or another SSL certificate type that is not trusted.
   If you did not select the option to download a certificate chain or Automatically select the certificate store based on the type of certificate when you installed the certificate on the ISA Server (as described in the preceding procedure).
To copy and install the TS Gateway server root certificate on the ISA Server
1. On the ISA Server, open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
   a. Click Start, click Run, type mmc, and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
   d. In the Certificates snap-in dialog box, click Computer account, and then click Next.
   e. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
   f. In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.
3. On the Welcome to the Certificate Import Wizard page, click Next.
4. On the File to Import page, in the File name box, click Browse, and then browse to the location of the TS Gateway server root certificate. Select the root certificate (<Root_Certificate_Name.cer>, or, if the private key was also exported, <Root_Certificate_Name.pfx>), click Open, and then click Next.
   Note If you created a self-signed certificate by using the Add Remove Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation (as described in "Create a self-signed certificate for TS Gateway" in Configuring the TS Gateway Core Scenario), note that the self-signed certificate is also the root certificate.
5. On the Password page, if earlier you specified a password for the private key associated with the certificate, type the password.
6. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next.
7. On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear:
   Certificate Store Selected by User: Trusted Root Certification Authorities
   Content: Certificate (or PFX)
   File Name: FilePath\<Root_Certificate_Name.cer> (or <Root_Certificate_Name.pfx>), where <Root_Certificate_Name> is the name of the TS Gateway server root certificate.
8. Click Finish.
9. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
10. With Certificates selected in the console tree, in the details pane, verify that the root certificate of the TS Gateway server appears in the list of certificates on the ISA Server. Ensure that the certificate appears under the Trusted Root Certification Authorities store on the local computer.
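The verification points of procedures 2 and 3 (certificate in the Personal store with its private key, a name matching the TS Gateway server, and a root that the ISA Server trusts) can be checked together with the following added example, which is not part of the Microsoft guide. The gateway FQDN it uses is a constructed sample value.

```powershell
# Added example (not part of the Microsoft guide): after importing the TS Gateway
# certificate (and, for a self-signed or otherwise untrusted certificate, its root)
# on the ISA Server, confirms the points the guide asks you to verify in the
# Certificates snap-in. Run on the ISA Server from an elevated PowerShell prompt.
# Assumption: the gateway FQDN is a constructed sample value.
param([string]$GatewayFqdn = 'tsgserver.corp.example.com')   # constructed sample value

function Test-GatewayCertificateOnIsa {
    param([string]$Fqdn)
    # The guide requires the certificate to be in the Personal store of the local
    # computer, with a name that matches the TS Gateway server name (CN).
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match ('CN=' + [regex]::Escape($Fqdn) + '(,|$)') } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        return New-Object psobject -Property @{
            Found = $false; Issue = "No certificate with CN=$Fqdn in LocalMachine\My"
        }
    }
    # Build the chain the way the local machine will; an untrusted root here means the
    # root certificate import in procedure 3 is still missing.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is out of scope here
    $trusted = $chain.Build($cert)
    $issue = if ($trusted) { '' } else {
        ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
    # The last chain element is the root; for a self-signed gateway certificate that is
    # the certificate itself, and the guide places it in Trusted Root Certification Authorities.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint })
    New-Object psobject -Property @{
        Found              = $true
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        # SSL bridging needs the private key, which is why the PFX export had to include it.
        HasPrivateKey      = $cert.HasPrivateKey
        ChainTrusted       = $trusted
        RootInTrustedStore = $rootInStore
        Issue              = $issue
    }
}

Test-GatewayCertificateOnIsa -Fqdn $GatewayFqdn | Format-List
```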
   a. In the Computer name or IP address box, type the name of the TS Gateway server. The specified name must match the name of the TS Gateway server through which users will connect in this scenario. This name must also match the certificate name (CN) in the certificate that is installed on the TS Gateway server.
   b. Select the Forward the original host header instead of the actual one (specified above) check box.
   c. In the Path box, type /*.
9. On the Public Name Details page, do the following:
   a. In Accept requests for, ensure that This domain name is selected.
   b. In the Public name box, type the name of the TS Gateway server. The specified name must match the name of the TS Gateway server through which users will connect in this scenario.
   c. In the Path box, type /*.
   d. Click Next.
10. If required, create a new SSL Web listener. If you have a pre-existing listener with a certificate that matches the public name, you do not need to create a new SSL Web listener. In this case, select the appropriate Web listener, click Next, and then proceed to Step 11. If you do need to create a new SSL Web listener, do the following:
   a. On the Welcome to the New Web Listener page, in the Web Listener Name box, type a name for the Web listener, and then click Next. If Web listeners have already been configured for the ISA Server, on the Select Web Listener page, click New to open the Welcome to the New Web Listener page and begin specifying a new Web listener.
   b. On the IP Addresses page, under Listen for requests from these networks, select the External check box, and then click Next.
   c. On the Port Specification page, do the following:
   d. Under SSL, select the Enable SSL check box, and then clear the Enable HTTP box.
   e. Click Select, and in the Select Certificate dialog box, click the certificate that you want to use.
   f. Click OK to close the Select Certificate dialog box, and then click Next.
   g. On the Completing the New Web Listener Wizard page, click Finish.
11. On the Select Web Listener page, confirm that the correct Web listener properties appear, and then click Next.
12. On the User Sets page, click All Users, and then click Next.
13. On the Completing the New SSL Web Publishing Rule Wizard page, click Finish.
14. To save the changes and update the ISA Server firewall policy, in the details pane of the ISA Server Management console, click Apply.
15. In the Apply New Configuration dialog box, click OK after the changes are applied (a progress bar appears while the changes are being applied).
Note If you are using the SAN attributes of certificates, clients that connect to the TS Gateway server must be running RDC 6.1. RDC 6.1 is available with Windows Server 2008, Windows Vista with SP1, and Windows XP with SP3. The RDC 6.1 (6.0.6001) client supports Remote Desktop Protocol 6.1.
   c. Ensure that the Path box is empty.
   d. Click Next.
12. If required, create a new SSL Web listener. If you have a pre-existing listener with a certificate that matches the public name, you do not need to create a new SSL Web listener. In this case, select the appropriate Web listener, click Next, and then proceed to Step 13. If you do need to create a new SSL Web listener, do the following:
   a. On the Select Web Listener page, click New.
   b. On the Welcome to the New Web Listener Wizard page, in the Web Listener Name box, type a name for the Web listener, and then click Next.
   c. On the Client Connection Security page, click Require SSL secured connections with clients, and then click Next.
   d. On the Web Listener IP Addresses page, do the following:
   e. Under Listen for incoming Web requests from these networks, select the External check box.
   f. Ensure that The ISA Server will compress content sent to clients through this Web Listener if the clients requesting the content support compression check box is selected.
   g. Click Select IP Addresses.
   h. On the External Listener IP Selection page, do the following:
   i. Click Specified IP addresses on the ISA Server in the selected Network. Under Available IP addresses, select the appropriate IP address, click Add, and then click OK.
   j. Click Next.
   k. On the Listener SSL Certificates page, click Assign a certificate for each IP address, click the appropriate IP address, and then click Select Certificate.
   l. On the Select Certificate page, under Select certificate, click the TS Gateway server certificate, click Select, and then click Next.
   m. On the Authentication Settings page, click No Authentication, and then click Next.
   n. On the Single
Si%n On Settin%s pa'e+ clic* SSO is not relevant for this setup+ and then clic* !e/t( o( 5n the Co$pletin% the !ew Web 0istener Wi4ard pa'e+ clic* @inish( p( 5n the second instance of the Co$pletin% the !ewWeb 0istener Wi4ard pa'e+ confirm that the correct %eb listener properties appear+ and then clic* @inish(
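The rule above depends on two facts about the listener certificate: the public name must match the certificate name (CN), and a name carried only in the SAN attributes requires RDC 6.1 on the client. Both can be checked before the rule is published. The following Python function is an added example, not code from the guide or from ISA Server: it matches a public name against a certificate dictionary in the shape returned by Python's ssl.getpeercert() (the two sample certificates and their names are constructed) and reports which field covered the name.

```python
"""Added example: check which certificate field covers a TS Gateway public name."""

# Constructed sample certificates in the dict shape that ssl.getpeercert() returns
# (subject as nested tuples, subjectAltName as (type, value) pairs). Not real certificates.
CERT_CN_ONLY = {
    "subject": ((("commonName", "tsgw.contoso.com"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "isa.contoso.com"),),),
    "subjectAltName": (("DNS", "tsgw.contoso.com"), ("DNS", "*.contoso.com")),
}


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a host name: case-insensitive,
    and a single '*' is accepted only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pat_head, pat_sep, pat_tail = pattern.partition(".")
    host_head, host_sep, host_tail = hostname.partition(".")
    if pat_head != "*" or not pat_sep or not host_sep:
        return False
    return host_head != "" and host_tail == pat_tail


def name_match_source(cert, public_name):
    """Return 'SAN' if a subjectAltName DNS entry covers public_name, 'CN' if only
    the subject commonName does (and the certificate carries no SAN DNS entries),
    or None if the certificate does not cover the name at all."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if any(dns_name_matches(p, public_name) for p in san_dns):
        return "SAN"
    if san_dns:
        return None  # once DNS SAN entries exist, the CN is not consulted
    common_names = [value for rdn in cert.get("subject", ())
                    for key, value in rdn if key == "commonName"]
    if any(dns_name_matches(p, public_name) for p in common_names):
        return "CN"
    return None


def check_listener_certificate(cert, public_name):
    """Summarise whether the certificate can serve public_name and whether the
    note above applies (name carried in the SAN means clients need RDC 6.1)."""
    source = name_match_source(cert, public_name)
    return {
        "public_name": public_name,
        "covered": source is not None,
        "matched_by": source,
        "rdc61_required": source == "SAN",
    }


if __name__ == "__main__":
    for cert in (CERT_CN_ONLY, CERT_WITH_SAN):
        print(check_listener_certificate(cert, "tsgw.contoso.com"))
```

On a live listener the dictionary would come from ssl.create_default_context().wrap_socket(...).getpeercert() against the published name; the matching rules are the same.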
Additional references
The following resources provide information about testing and troubleshooting RPC over HTTP through ISA Server:
Description of the ISA Server 2006 hotfix package that is dated May 14, 2007 (http://go.microsoft.com/fwlink/?LinkId=107462)
Testing RPC over HTTP through ISA Server 2006, Part 1: Protocols, Authentication and Processing (http://go.microsoft.com/fwlink/?LinkId=104829)
Testing RPC over HTTP through ISA Server 2006, Part 2: Test Tools and Strategies (http://go.microsoft.com/fwlink/?LinkId=104830)
Testing RPC over HTTP through ISA Server 2006, Part 3: Common Failures and Resolutions (http://go.microsoft.com/fwlink/?LinkId=104831)
RPC over HTTP Logging Wildness (http://go.microsoft.com/fwlink/?LinkId=104832)
Event name / Description / Event ID

Successful User (event name continues from the previous page): ... For this event and the related Successful User Connection to the Resource event, you can verify the user session time and the amount of data (in kilobytes) that was sent and received by the remote client through the TS Gateway server. Event ID: ... disconnects from the resource; 202: when an administrator disconnects the client.

Failed User Connection to the Resource (Event ID 304): The remote client met the conditions specified in the TS CAP and the TS RAP, but could not connect to the internal network resource (computer) through the TS Gateway server because the remote computer was unavailable. By auditing this event, you can determine which connectivity issues are caused by problems with Terminal Services and Remote Desktop rather than the TS Gateway server.

Failed Connection Authorization (Event ID 201): The remote client could not connect to a TS Gateway server because the client did not meet the conditions specified in the TS CAPs.

(Event name cut off in this copy) (Event ID 301): The remote client could not connect through a TS Gateway server to the specified computer because no TS RAPs are configured to allow the user access to the specified computer. For example, as mentioned earlier, this issue might occur if the user attempts to connect to the computer by using its NetBIOS name when the TS RAP configured on the TS Gateway server uses an FQDN name for the computer.

Successful User Connection to the Resource (Event ID 302): The remote client successfully connected to a computer through the TS Gateway server.

(Event name cut off in this copy) (Event ID 200): The remote client successfully connected to the TS Gateway server because the client met the conditions specified in at least one TS CAP.

(Event name cut off in this copy) (Event ID 300): The remote client successfully connected through the TS Gateway server to the specified internal network resource because the client met the conditions specified in at least one TS RAP.
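The table above is, in effect, a triage key: a 304 after a 200 and 300 points at the target computer rather than at TS Gateway, a 301 for a short computer name points at the NetBIOS-versus-FQDN mismatch it mentions, and a run of 201s from one address is worth a look regardless of the user names tried. The following Python script is an added example, not part of the guide: it applies those rules to a constructed batch of TS Gateway events. The event IDs are the ones listed in the table; the user names, addresses and records are constructed, not real log data.

```python
"""Added example: triage constructed TS Gateway events with the table's event IDs."""
from collections import Counter, defaultdict

# Event IDs and meanings as listed in the table above.
EVENT_MEANING = {
    200: "client met a TS CAP and was authorized to the TS Gateway server",
    201: "client did not meet any TS CAP",
    202: "administrator disconnected the client",
    300: "client met a TS RAP for the requested resource",
    301: "no TS RAP allows the user access to the requested computer",
    302: "client connected to the resource through the TS Gateway server",
    304: "CAP and RAP were met, but the resource (computer) was unavailable",
}

# Constructed sample events, not real log data: (event_id, user, client_ip, resource).
SAMPLE_EVENTS = [
    (200, "CONTOSO\\alice", "206.73.118.2", None),
    (300, "CONTOSO\\alice", "206.73.118.2", "contoso-ts.contoso.com"),
    (302, "CONTOSO\\alice", "206.73.118.2", "contoso-ts.contoso.com"),
    (301, "CONTOSO\\bob", "206.73.118.9", "CONTOSO-TS"),  # short name; the TS RAP lists the FQDN
    (304, "CONTOSO\\carol", "206.73.118.5", "contoso-ts.contoso.com"),
    (201, "CONTOSO\\dave", "198.51.100.7", None),
    (201, "CONTOSO\\dave", "198.51.100.7", None),
    (201, "CONTOSO\\erin", "198.51.100.7", None),
]


def diagnose(event):
    """Turn a failure event into the troubleshooting hint the table gives;
    success events return None."""
    event_id, _user, _ip, resource = event
    if event_id == 201:
        return "connection authorization failed: check the TS CAPs for this user/client"
    if event_id == 301:
        hint = "resource authorization failed: no TS RAP allows this computer"
        if resource and "." not in resource:
            hint += " (a NetBIOS name was used; the TS RAP may list the FQDN instead)"
        return hint
    if event_id == 304:
        return ("resource unreachable: CAP and RAP were satisfied, so look at "
                "Terminal Services / Remote Desktop on the target, not at TS Gateway")
    return None


def per_user_summary(events):
    """Count event IDs per user, e.g. summary['CONTOSO\\\\alice'][302]."""
    summary = defaultdict(Counter)
    for event_id, user, _ip, _resource in events:
        summary[user][event_id] += 1
    return summary


def repeated_cap_failures(events, threshold=3):
    """Client IPs with at least `threshold` failed connection authorizations (201)."""
    by_ip = Counter(ip for event_id, _user, ip, _resource in events if event_id == 201)
    return {ip: n for ip, n in by_ip.items() if n >= threshold}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hint = diagnose(ev)
        if hint:
            print(ev[0], ev[1], hint)
    print("repeated CAP failures:", repeated_cap_failures(SAMPLE_EVENTS))
```

On a real server the tuples would be built from the TerminalServices-Gateway operational log; the rules applied to them do not change.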
Connection ID
In the format <a:b> where "a" is the tunnel ID that uniquely identifies a specific connection to the TS Gateway server and "b" is the channel ID. The tunnel ID represents the number of connections that the TS Gateway server has received since the Terminal Services Gateway service has been running. Each time the TS Gateway server receives a new connection, the tunnel ID is incremented by 1.

The other columns of the connection details (column names are cut off in this copy) show:
The domain and user ID of the user logged on to the client, in the format <domain\userID>.
The full name of the user logged on to the client. Note: You can only view the full name of the user if you are logged on to the TS Gateway server as a domain user. If you are logged on as a member of the local administrators group, you can view the full name of the user in the User ID column.
The date and time when the connection was initiated.
The length of time that the connection was active.
The length of time that the connection is idle, if applicable.
The name of the internal network computer to which the client is connected.
The IP address of the client. Note: If your network configuration includes proxy servers, the IP address that appears in this column will reflect the IP address of the proxy server, rather than the IP address of the Terminal Services client.

Target Port
The port on the internal network computer to which the client is connected.

Use the following procedure to view details about active connections through a TS Gateway server.
To view details about active connections through a TS Gateway server
1. Open TS Gateway Manager.
2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. In the console tree, click Monitoring. The TS Gateway Manager results pane displays a summary of the number of connections from remote users to computers on the internal network. Specific connections, if any, are listed below the summary. When you click a connection, the connection details appear in the lower pane. If necessary, you can disconnect a specific connection or all TS Gateway connections for a user.
4. To refresh the display of connection status, in the Actions pane, click Refresh.
6. Type the password for RPC/http proxy (the password for the TS Gateway server).
Prompting for second rpc ping command in the scripting file
Enter the password for server: (password for TS Gateway) (password for TS Gateway)
Results:

Echo ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Echo : The first RPCPing will authenticate to the RPC over HTTP
Echo : Proxy service. If this ping fails, then the certificate
Echo : on the client computer is not correctly configured,
Echo : or you might have entered the wrong password.
Echo ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
REM -e 3388 is the endpoint of the TS Gateway RPC service behind the RPC over HTTP proxy.
REM The flag in front of the credential string is not legible in this copy; -P (proxy credentials) is assumed.
Rpcping -v 2 -e 3388 -t ncacn_http -s localhost -o RpcProxy=%_TARGETGATEWAY% -P "%_USERNAME%,%_DOMAINNAME%,*" -E -R none -H NTLM -u NTLM -a connect -F ssl -B msstd:%_TARGETGATEWAY%

Echo ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Echo : The second RPCPing will attempt to authenticate to the TS
Echo : Gateway service. If this ping fails, then the TS Gateway
Echo : service is probably not running.
Echo ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
REM The argument of -P on the next line is not legible in this copy of the guide.
Rpcping -v 2 -e 3388 -t ncacn_http -s localhost -P -a connect -I "%_USERNAME%,%_DOMAINNAME%,*"
goto endall

:DO_USAGE
Echo ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Echo : Usage:
Echo : testclient.cmd <gateway> <user> <domain/machine>
Echo :
Disclaimer
The sample script is not supported under any Microsoft standard support program or service. The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
Computer / Configuration

Computer: ISA Server (row continues from the previous page)
Configuration: The server is running Windows Server 2003. The server is running ISA Server 2006. The ISA Server contains a server certificate for www.contoso.com that is installed to the local computer certificate store. The ISA Server 2006 Supportability Update package is installed from the following Web site: http://go.microsoft.com/fwlink/?LinkId=115136. The server has the following name and IP addresses assigned:
Name: contoso-fw.contoso.com
Internal IP address: 192.168.1.1
External IP address: 206.73.118.1

Computer: TS Gateway/TS Web Access server ("www.contoso.com")
Configuration: The server is running Windows Server 2008. The server is running the TS Gateway and TS Web Access role services, with the TS Web Access Web site accessible at https://www.contoso.com/ts. TS Web Access is configured to populate its list of RemoteApp programs from the terminal server "contoso-ts.contoso.com". The server has the following name and IP address assigned:
Name: www.contoso.com
IP address: 192.168.1.2

Computer: NPS (RADIUS) server ("contoso-otp.contoso.com")
Configuration: The server is running Windows Server 2008. The server is running the NPS role service. The server has the following name and IP address assigned:
Name: contoso-otp.contoso.com
Internal IP address: 192.168.1.3

Computer: Terminal Server ("contoso-ts.contoso.com")
Configuration: The server is running Windows Server 2008. The server is running the Terminal Server role service. The terminal server has RemoteApp programs installed that are available through TS Web Access. The RemoteApp programs are configured to use TS Gateway. For more information about how to configure Terminal Services RemoteApp, see the "Terminal Services RemoteApp Step-by-Step Guide" (http://go.microsoft.com/fwlink/?LinkId=84895). The server has the following name and IP address assigned:
Name: contoso-ts.contoso.com
IP address: 192.168.1.4

Computer: Client computer ("client1")
Configuration: The client computer is running Windows Vista with Service Pack 1 (SP1). The computer has the following configuration:
Name: client1
IP address: 206.73.118.2

Important: The OTP scenario is supported only for Remote Desktop Connection (RDC) 6.1 clients. RDC 6.1 is available in Windows Vista with SP1, Windows XP with Service Pack 3 (SP3), and Windows Server 2008.

Network topology
The following diagram illustrates the OTP scenario for TS Gateway.
4. In the New RADIUS Client dialog box, do the following:
   a. In the Friendly name box, type the friendly name of the ISA Server, contoso-fw.
   b. In the Address (IP or DNS) box, type the fully qualified domain name of the ISA Server, contoso-fw.contoso.com.
   c. In the Vendor name list, accept the default setting of RADIUS Standard, and then click OK.
   Note: For this scenario, you do not have to configure any settings in the Shared Secret section.
5. In the console tree, expand Policies, and then click Network Policies.
6. Under Policy Name, double-click Connections to other access servers.
7. In the Connections to other access servers Properties dialog box, click the Constraints tab.
8. In the Constraints column, click Authentication Methods.
9. Select the Unencrypted authentication (PAP, SPAP) check box. Leave the other check boxes with their default values, and then click OK.
NPS uses Windows Authentication to authenticate users. To use the RADIUS service that is provided by NPS, users must have the Dial-in permission assigned. You can set this permission for domain users on a domain controller by using Active Directory Users and Computers, or for local users on a member server by using Local Users and Groups. In this example scenario, the Dial-in permission is set for a local user on the NPS server.
Note: The following procedure assumes that you have set up a local user account on the NPS server that you want to use for testing.
To set the Dial-in permission for the RADIUS user
1. Log on to the NPS server ("contoso-otp.contoso.com") with an account that has Administrator privileges.
2. Click Start, point to Administrative Tools, and then click Computer Management.
3. In the console tree, expand Local Users and Groups, and then click Users.
4. Right-click the user account that you want to modify, and then click Properties.
5. Click the Dial-in tab.
6. Under Network Access Permission, click Allow access, and then click OK.
To create a RADIUS client on the ISA Server
1. Log on to the ISA Server ("contoso-fw.contoso.com") with an account that has Administrator privileges.
2. Start ISA Server Management. To do this, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
3. In the console tree, expand the server name, expand Configuration, and then click General. (If you are running ISA Server 2006 Enterprise Edition, expand Arrays, expand the server name, expand Configuration, and then click General.)
4. In the middle pane, under ISA Server Administration, click Specify RADIUS and LDAP Servers.
5. On the RADIUS Servers tab, click Add.
6. In the Server name box, type the name of the RADIUS server to use (in this case, contoso-otp.contoso.com), and then click OK.
7. Click OK to close the Authentication Servers dialog box.
To create a Web listener on the ISA Server
1. In the console tree of ISA Server Management, expand the server name, and then click Firewall Policy. (If you are running ISA Server 2006 Enterprise Edition, expand Arrays, expand the server name, and then click Firewall Policy.)
2. In the right pane, click the Toolbox tab, and then click Network Objects.
3. On the Network Objects toolbar, click New, and then click Web Listener. The New Web Listener Definition Wizard starts.
4. In the Web listener name box, type OTP, and then click Next.
5. On the Client Connection Security page, click Require SSL secured connections with clients, and then click Next.
6. On the Web Listener IP Addresses page, do the following:
   a. Under Listen for incoming Web requests on these networks, select the External check box.
   b. Click Select IP Addresses.
   c. Under Listen for requests on, click Specified IP addresses on the ISA Server computer in the selected network.
   d. Under Available IP Addresses, click 206.73.118.1, click Add, and then click OK.
   e. Accept the default (selected) setting for the ISA Server will compress content sent to clients through this Web Listener if the clients requesting the content support compression check box.
   f. Click Next.
7. On the Listener SSL Certificates page, do the following:
   a. Click Assign a certificate for each IP address.
   b. In the IP Address column, click 206.73.118.1, and then click Select Certificate.
   c. On the Select Certificate page, select the certificate that is issued to www.contoso.com, and then click Select.
   d. Click Next.
8. On the Authentication Settings page, do the following:
   a. In the Select how clients will provide credentials to ISA Server list, click HTML Form Authentication.
   b. Under Select how ISA Server will validate client credentials, click RADIUS OTP, and then click Next.
9. On the Single Sign On Settings page, clear the Enable SSO for Web sites published with this Web listener check box, and then click Next. (SSO is not relevant for this solution.)
10. On the Completing the New Web Listener Wizard page, click Back to make any changes, or click Finish to complete the wizard.
To publish a Web site on the ISA Server by using the Web listener
1. In the console tree of ISA Server Management, expand the server name, and then click Firewall Policy. (If you are running ISA Server 2006 Enterprise Edition, expand Arrays, expand the server name, and then click Firewall Policy.)
2. In the right pane, click the Tasks tab, and then click Publish Web Sites. The New Web Publishing Rule Wizard starts.
3. In the Web publishing rule name box, type Web Site Publishing, and then click Next.
4. On the Select Rule Action page, under Action to take when rule conditions are met, click Allow, and then click Next.
5. On the Publishing Type page, click Publish a single Web site or load balancer, and then click Next.
6. On the Server Connection Security page, click Use SSL to connect to the published Web server or server farm, and then click Next.
7. On the Internal Publishing Details page, in the Internal site name box, type www.contoso.com, and then click Next.
8. On the Internal Publishing Details page, click Next. (Leave the Path (optional) box empty, and the Forward the original host header instead of the actual one specified in the Internal site name field on the previous page check box cleared.)
9. On the Public Name Details page, do the following:
   a. In the Accept requests for list, ensure that This domain name (type below) is selected.
   b. In the Public name box, type www.contoso.com, and then click Next.
10. On the Select Web Listener page, in the Web listener list, click OTP, and then click Next. (This is the Web listener that you created in the previous procedure.)
11. On the Authentication Delegation page, in the Select the method used by ISA Server to authenticate to the published Web server list, click No delegation, but client may authenticate directly, and then click Next.
12. On the User Sets page, under This rule applies to requests from the following user sets, ensure that All Authenticated Users is listed, and then click Next.
13. On the Completing the New Web Publishing Rule Wizard page, click Back to make any changes, or click Finish to complete the wizard.
14. Click Apply to update the configuration. (If you are running ISA Server 2006 Enterprise Edition, you can check the status by using the Configuration tab that is available when you click Monitoring in the console tree.)
To disable the HTTPOnly attribute on the ISA Server
1. Copy and paste the following script into a text editor such as Notepad. On the ISA Server, save the file to the C:\ directory as DisableHttpOnlyAuthCookies.vbs.
Important: Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose.
Note: This script is also available at the following Web site: http://go.microsoft.com/fwlink/?LinkId=115137
' DisableHttpOnlyAuthCookies.vbs: reads, and optionally sets, the HttpOnlyCookie
' vendor parameter of an ISA Server Web listener.
' Usage: cscript DisableHttpOnlyAuthCookies.vbs /WebListener:<name> [/Value:True|False]
If Not WScript.Arguments.Named.Exists("WebListener") Then
    WScript.Echo "WebListener not defined"
    WScript.Quit(1)
End If

' The GUID of the cookie-authentication vendor parameter set is not legible in this
' copy of the guide; it is reproduced below exactly as extracted and must be replaced
' with the value from the script at the Microsoft link above before the script is run.
Const COOKIE_AUTH_VPS_GUID = "{2I*22!>- >*8* )88I IC-J 55887K>C7>)7}"

Set fpcRoot = CreateObject("FPC.Root")
Set fpcArray = fpcRoot.GetContainingArray()
Set fpcWebListener = fpcArray.RuleElements.WebListeners(WScript.Arguments.Named("WebListener"))
Set fpcWebListenerVps = fpcWebListener.VendorParametersSets

' Item() raises an error when the parameter set does not exist yet; use that to detect it.
On Error Resume Next
Set fpcCookieAuthVps = fpcWebListenerVps.Item(COOKIE_AUTH_VPS_GUID)
If Err.number = 0 Then
    CookieAuthVpsExists = True
Else
    CookieAuthVpsExists = False
End If

If Not CookieAuthVpsExists Then
    WScript.Echo "Cookie auth VPS settings not defined, HTTP only cookies are ON by default"
Else
    WScript.Echo "HTTP only cookies: " & (fpcCookieAuthVps.Value("HttpOnlyCookie") = True)
End If

' Only change the setting when /Value: was given; the parameter set is created on first use.
If WScript.Arguments.Named.Exists("Value") Then
    If Not CookieAuthVpsExists Then
        Set fpcCookieAuthVps = fpcWebListenerVps.Add(COOKIE_AUTH_VPS_GUID)
    End If
    fpcCookieAuthVps.Value("HttpOnlyCookie") = (StrComp(WScript.Arguments.Named("Value"), "True", 1) = 0)
    fpcArray.Save
    WScript.Echo "HTTP only cookies set to " & (fpcCookieAuthVps.Value("HttpOnlyCookie") = True)
End If
2. From a command prompt, run the following command from the C:\ directory:
cscript DisableHttpOnlyAuthCookies.vbs /WebListener:OTP /Value:False
You should see the following output:
HTTP only cookies: True
HTTP only cookies set to False
To modify the RDP file that clients will use to connect
1. Log on to the terminal server ("contoso-ts.contoso.com") with an account that has Administrator privileges.
2. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.
3. In the Overview pane of TS RemoteApp Manager, next to RDP Settings, click Change.
4. On the Custom RDP Settings tab, type or copy the following RDP settings into the Custom RDP settings box:
pre-authentication server address:s:https://www.contoso.com/ts
require pre-authentication:i:1
5. When you have finished adding the settings, click Apply.
To set up the client computer
1. Log on to the client computer ("client1").
2. From an elevated command prompt, type the following commands, pressing ENTER after each command:
cd c:\windows\system32\drivers\etc
edit hosts
3. Add the following line to the Hosts file:
206.73.118.1 www.contoso.com
4. Save the Hosts file.
Note: Typically, you would not have to modify the Hosts file, as the address would be resolvable through DNS.
To test the configuration from the client computer
1. Open Internet Explorer and specify https://www.contoso.com/ts as the address. You will be redirected to the OTP logon page on the ISA Server.
2. Type the user name in the format contoso-otp\user.
Note: If the user is a domain user and the RADIUS server is a member of the domain, you do not have to specify a domain name. However, because in this procedure the test user is a local user on the RADIUS server, you must specify the computer name where the account exists.
3. Enter the user's password. The ISA Server will pass the credentials to the NPS server for authentication. If successful, the client will be redirected to the Web site and retrieve the TS Web Access page.