Making the most of the Terminal Services Gateway


Gary Olsen, Contributor
10.30.2007


When you mention Windows Server 2008 features, you will likely think of things like BitLocker, Server Core and PowerShell. However, the new Terminal Services Gateway, in combination with the new Remote Desktop client, provides a powerful and secure connection to network resources in remote locations.

Remote connectivity is becoming a corporate staple, allowing employees to work remotely from home or a hotel or from a client's network. This is a convenient way to be productive without being in the office, but it is a headache for systems and security administrators.

You have to maintain a virtual private network, or VPN, for the clients to connect to. That includes servers, network components, the client connector and more. You also have to maintain the Terminal Services servers and applications. In spite of that effort, most companies block the RDP port, TCP 3389, so your users can't get out of a customer's network over RDP, which limits remote access. There are a lot of moving parts.

The Terminal Services Gateway, or TS Gateway, in Windows Server 2008 takes a big step in solving this situation. Microsoft has designated TS Gateway as a Server Role, allowing it to run on a Windows Server 2008 Server Core server and making it easy to deploy as a single application server without the normal Windows overhead.

But the big benefit of TS Gateway is that it carries RDP over HTTPS on port 443, which requires the TS Gateway to have a valid certificate. The connection itself is encrypted and, like a VPN tunnel, lets clients connect through firewalls because most companies do not block port 443.

And that means no VPN connection is required, so it reduces the complexity of the client as well as the need for VPN servers. Of course you probably will need VPN for other purposes, but moving all of your apps to Terminal Servers will greatly reduce the need for one. This could have an added benefit in application consolidation, besides reducing help desk and other costs associated with a VPN. In addition, the TS Gateway can be configured for Network Access Protection (NAP) policy enforcement.

According to Microsoft's Terminal Services Gateway documentation, Microsoft's ISA Server can be used to deploy the TS Gateway inside the private network rather than in a DMZ. The corporate firewall thus protects the TS Gateway, which in turn is the secure connection endpoint. In addition, there is considerable granular control over the client: the administrator can define access to resources by user or security group and by authentication method, such as smart card or password authentication.

I previously mentioned that a certificate is required for the TS Gateway server. It can be generated from an internally deployed Microsoft Certificate Authority server or it can be purchased from a trusted third party. You can use a self-signed certificate for testing and evaluation but it should not be used for production for security reasons.
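As an added example, not code from the original article, the following Python script checks a gateway certificate against the two requirements the article sets: it must be issued by a certificate authority rather than self-signed (acceptable only for evaluation), and its name must match the server name the clients are configured with (the article returns to this under the Gateway Server Settings). The certificate fields, host names and dates are constructed sample data in the dict form Python's `ssl` module returns; `fetch_gateway_cert` retrieves a live certificate and assumes network access to the gateway.

```python
"""Check a TS Gateway certificate the way the RDP client will judge it.

Added example, not code from the original article. Host names, certificate
fields and dates below are constructed sample data.
"""
import socket
import ssl
from datetime import datetime, timezone


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: a wildcard is only honoured as the whole
    leftmost label and stands for exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert):
    """Names the client compares with the configured gateway server name:
    the subjectAltName DNS entries, falling back to the CN only when the
    certificate carries no DNS SAN at all."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def is_self_signed(cert):
    """A certificate whose issuer is its own subject was not issued by a CA."""
    return cert.get("subject") == cert.get("issuer")


def evaluate_gateway_cert(cert, gateway_name, now=None):
    """Return the problems found; an empty list means the certificate meets
    the requirements the article states for a production TS Gateway."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if is_self_signed(cert):
        findings.append("self-signed certificate: fine for evaluation, not for production")
    names = certificate_names(cert)
    if not any(_dns_name_matches(n, gateway_name) for n in names):
        findings.append(f"certificate names {names} do not match gateway name {gateway_name!r}")
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        findings.append(f"certificate not valid before {cert['notBefore']}")
    if now > not_after:
        findings.append(f"certificate expired on {cert['notAfter']}")
    return findings


def fetch_gateway_cert(gateway_name, port=443, timeout=5.0):
    """Retrieve the leaf certificate from the gateway's HTTPS listener in the
    dict form ssl uses. Chain validation against the local trust store stays
    on, so an untrusted issuer raises ssl.SSLCertVerificationError; the name
    check is left to evaluate_gateway_cert. Needs network access (not run here)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((gateway_name, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=gateway_name) as tls:
            return tls.getpeercert()


# Constructed sample: what getpeercert() returns for a CA-issued certificate.
SAMPLE_CA_ISSUED = {
    "subject": ((("commonName", "tsgw.example.com"),),),
    "issuer": ((("commonName", "Example Corp Issuing CA"),),),
    "subjectAltName": (("DNS", "tsgw.example.com"), ("DNS", "*.rd.example.com")),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Jun 15 12:00:00 2030 GMT",
}

# Constructed sample: a self-signed evaluation certificate with the machine name only.
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "WIN-TSGW01"),),),
    "issuer": ((("commonName", "WIN-TSGW01"),),),
    "notBefore": "Jan 01 00:00:00 2025 GMT",
    "notAfter": "Jun 15 12:00:00 2030 GMT",
}

# Fixed evaluation time so the sample results are reproducible.
EXAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, cert in (("CA-issued", SAMPLE_CA_ISSUED), ("self-signed", SAMPLE_SELF_SIGNED)):
        print(label, evaluate_gateway_cert(cert, "tsgw.example.com", EXAMPLE_NOW) or ["OK"])
```

Run against a live gateway with `evaluate_gateway_cert(fetch_gateway_cert("tsgw.example.com"), "tsgw.example.com")`; the name passed must be the one users will type into the client, since that is what the client compares against the certificate.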

On the client end, the RDP 6.0 client provides configuration for the TS Gateway connection. Of course this client is standard in Windows Vista, but you can download the client for Windows XP with SP2 or for Windows Server 2003 from Microsoft's Download Center.

To configure the client, go to the Advanced tab and select the Connect from Anywhere option as shown in Figure 1, then click on the Settings option.

Figure 1: [image]

In the Gateway Server Settings dialog shown in Figure 2, note the following settings:

The Server Name here is the name of the TS Gateway and should resolve to a public IP address on the firewall of your network. This name must also be the name on the TS Gateway's certificate.

The logon method actually has three options: Smart Card, Ask for Password (NTLM), and Ask me later.

The Bypass TS Gateway Server for local addresses option lets a client that is already inside the network connect directly to its resources instead of going through the gateway.

Figure 2: [image]

When users access the RDP client to connect to an application server in the remote network, they will specify the IP address of that application server itself – not the TS Gateway.
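The same settings can be distributed as a saved .rdp file instead of being entered in the dialog. As an added example, not code from the original article, the following Python script writes the gateway section of such a file from the Figure 2 choices and audits an existing one for the mistakes the article warns about, including a full address that names the gateway instead of the application server. The .rdp setting names and integer values are those Microsoft documents for the RDP file format; the article itself only describes the dialog options they correspond to. Host names are constructed sample values.

```python
"""Build and audit the gateway section of a Remote Desktop .rdp file.

Added example, not code from the original article. Setting names and values
are those Microsoft documents for .rdp files; host names are constructed.
"""

# Figure 2 "Logon method" choices -> gatewaycredentialssource values.
LOGON_METHODS = {
    "ask for password (ntlm)": 0,
    "smart card": 1,
    "ask me later": 4,
}

# gatewayusagemethod: 1 = always use the gateway,
# 2 = bypass the gateway for local addresses (the Figure 2 check box);
# 0 and 4 mean the gateway is not used at all.
GATEWAY_ALWAYS, GATEWAY_BYPASS_LOCAL = 1, 2
GATEWAY_DISABLED = (0, 4)


def build_rdp(target, gateway, logon_method, bypass_local=True):
    """Return .rdp text for connecting to `target` through `gateway`."""
    try:
        cred_source = LOGON_METHODS[logon_method.lower()]
    except KeyError:
        raise ValueError(f"unknown logon method {logon_method!r}; "
                         f"expected one of {sorted(LOGON_METHODS)}")
    lines = [
        f"full address:s:{target}",       # the application server, never the gateway
        f"gatewayhostname:s:{gateway}",   # must match the name on the gateway certificate
        f"gatewayusagemethod:i:{GATEWAY_BYPASS_LOCAL if bypass_local else GATEWAY_ALWAYS}",
        f"gatewaycredentialssource:i:{cred_source}",
        "gatewayprofileusagemethod:i:1",  # 1 = use these explicit settings
    ]
    # Windows writes .rdp files with CRLF line endings.
    return "\r\n".join(lines) + "\r\n"


def parse_rdp(text):
    """Parse 'name:type:value' lines; 'i' values become ints, others stay text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            raise ValueError(f"malformed .rdp line: {line!r}")
        name, kind, value = parts
        settings[name] = int(value) if kind == "i" else value
    return settings


def audit_rdp(settings):
    """Return findings for a parsed file; an empty list means it is consistent
    with the gateway configuration the article describes."""
    findings = []
    usage = settings.get("gatewayusagemethod")
    gateway = settings.get("gatewayhostname", "")
    target = settings.get("full address", "")
    if usage is None or usage in GATEWAY_DISABLED:
        findings.append("gateway not used: the client will try RDP on 3389 directly")
    elif not gateway:
        findings.append("gatewayusagemethod is set but gatewayhostname is empty")
    if gateway and target.split(":")[0].lower() == gateway.lower():
        findings.append("full address names the gateway itself; it must name the application server")
    if settings.get("gatewaycredentialssource") not in LOGON_METHODS.values():
        findings.append("gatewaycredentialssource is not one of the client's logon methods")
    if settings.get("password 51"):
        findings.append("file carries a saved password (password 51); remove it before distributing")
    return findings


if __name__ == "__main__":
    good = build_rdp("app01.corp.example.com", "tsgw.example.com", "Ask me later")
    print(good)
    print("good file:", audit_rdp(parse_rdp(good)) or ["OK"])
    bad = build_rdp("tsgw.example.com", "tsgw.example.com", "Smart Card", bypass_local=False)
    print("bad file: ", audit_rdp(parse_rdp(bad)))
```

The audit reads files other people produced as well as this script's own output, which is why it checks the logon method value and a saved password rather than trusting that the file came from `build_rdp`.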

Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and formerly for Windows File Systems.

