Problem solve Get help with specific problems with your technologies, process and projects.

Making the most of the Terminal Services Gateway

Microsoft has designated TS Gateway as a Server Role, allowing it to run on a Windows Server 2008 Server Core.

Gary Olsen

 When you mention Windows Server 2008 features, you will likely think of things like BitLocker, Server Core and PowerShell. However, the new Terminal Services Gateway, in combination with the new Remote Desktop client, provides a powerful and secure connection to network resources in remote locations.

Remote connectivity is becoming a corporate staple, allowing employees to work remotely from home or a hotel or from a client's network. This is a convenient way to be productive without being in the office, but it is a headache for systems and security administrators.

You have to maintain a virtual private network, or VPN, for the clients to connect to. That includes servers, network components, the client connector and more. You also have to maintain the Terminal Services servers and applications. In spite of that effort, most companies block the RDP port 3389, so your users can't "VPN" out of a customer's network, limiting remote access. There are a lot of moving parts.

More on Terminal Services Gateway in Windows Server 2008:

Changes in Functionality from Windows Server 2003 to Windows Server 2008.

Virtual Lab: Managing Terminal Services Gateway and RemoteApps in Windows Server 2008 Beta 3.

Windows Server 2008 Release Candidate Evaluation Software.

Windows Server 2008 home page

 The Terminal Services Gateway, or TS Gateway, in Windows Server 2008 takes a big step in solving this situation. Microsoft has designated TS Gateway as a Server Role, allowing it to run on a  Windows Server 2008 Server Core server and making it easy to deploy as a single application server without the normal Windows overhead.

But the big benefit of TS Gateway is that it makes a secure connection using RDP over HTTPS, using port 443. This also requires the TS Gateway to have a valid certificate. The connection itself is secure, and like a VPN tunnel, allows clients to connect through firewalls because most companies do not block port 443.

And that means no VPN connection is required, so it reduces the complexity of the client as well as the need for VPN servers. Of course you probably will need VPN for other purposes, but moving all of your apps to Terminal Servers will greatly reduce the need for a VPN. This could have an added benefit in application consolidation besides reducing help desk and other related costs associated with a VPN. In addition, the TS Gateway can be configured for Network Access Protection policy enforcement.

According to Microsoft's Terminal Services Gateway document, Microsoft's ISA server can be used to deploy the TS Gateway in a private network as opposed to putting it in a DMZ. The corporate firewall thus protects the TS Gateway, which in turn is the secure connection end point. In addition, there is considerable granular control over the client, allowing the administrator to define access to resources by user or security group and authentication method, such as smart card or password authentication.

I previously mentioned that a certificate is required for the TS Gateway server. It can be generated from an internally deployed Microsoft Certificate Authority server or it can be purchased from a trusted third party. You can use a self-signed certificate for testing and evaluation but it should not be used for production for security reasons.

On the client end, the RDP 6.0 client provides configuration for the TS Gateway connection. Of course this client is standard in Windows Vista, but you can download the client for Windows XP with SP2 or for Windows Server 2003 from Microsoft's Download Center.

To configure the client, go to the Advanced tab and select the Connect from Anywhere option as shown in Figure 1, then click on the Settings option.

Figure 1:

In the Gateway Server Settings shown in Figure 2 note the following settings:

The Server Name here is the name of the TS Gateway and should resolve to a public IP address on the firewall of your network. This name must also be the name on the TS Gateway's certificate.

The logon method actually has three options: Smart Card, Ask for Password (NTLM), and Ask me later.

The Bypass TS Gateway Server for local addresses option is used to connect to resources within the network.

Figure 2:

When users access the RDP client to connect to an application server in the remote network, they will specify the IP address of that application server itself – not the TS Gateway.

Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and formerly for Windows File Systems.

Dig Deeper on Microsoft Hyper-V management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.