Configuring the Windows Server 2008 Terminal Services Gateway (Part 1)

Upload: hidu75

Post on 08-Apr-2018

  • 8/7/2019 Configuring the Windows Server 2008 Terminal Services Gateway (Part 1)

    1/20

    Configuring the Windows Server 2008 Terminal Services Gateway (Part 1)

    How to put together a working Terminal Services Gateway solution.

    Published: Mar 26, 2008

    Updated: Apr 10, 2008

    Section: Articles :: Authentication, Access Control & Encryption

    Author: Thomas Shinder

    Rating: 4.4/5 - 70 Votes

    If you would like to read the next part in this article series please go to Configuring the Windows Server 2008 Terminal Services Gateway (Part 2)

    Microsoft security administrators have always been a bit wary of publishing Terminal Servers to the Internet. And for good reason: there was no ability to pre-authenticate connections or use policy to determine which users could access which Terminal Servers. The lack of pre-authentication was an especially difficult problem. Without pre-authentication, anonymous users could leverage their anonymous connections to compromise the published Terminal Server. A compromised Terminal Server is perhaps the most dangerous exploit possible against your network, as the attacker has access to a full operating system to launch his attacks.

    Windows Server 2008 provides a solution to this security problem: Terminal Services Gateway. Using a Terminal Services Gateway, you can pre-authenticate users and control what Terminal Servers users can access based on credentials and policy. This gives you the fine-grained control you need to ensure that you have a secure remote access RDP solution.

    In this two part series on how to put together a working Terminal Services Gateway solution, we will use the lab network you see in the figure below. The arrows show the flow of communications from the external RDP client to the Terminal Server.

    15/06/2010 Configuring the Windows Server 2008

    windowsecurity.com//Configuring-Wi 1/

    Figure 1

    Each of the servers in this scenario is running Windows Server 2008 Enterprise Edition.

    In this example network, I am using the Windows Server 2008 NAT server as my Internet gateway. You could use any other simple NAT device or packet filtering router, like a PIX, or even an advanced firewall like the Microsoft ISA Firewall. The key configuration option here is that you forward TCP port 443 connections to the Terminal Services Gateway computer.

    The Domain Controller has DNS, DHCP, Certificate Services in Enterprise CA mode, and WINS installed.

    The Terminal Server has only the base operating system installed. We will install other services during the course of this article series.

    The TS Gateway has only the base operating system installed. We will install other services during the course of this article series.

    In this article series I will describe the following processes and procedures that you need to perform to get the basic solution running:

    Install Terminal Services and Terminal Services Licensing on the Terminal Server

    Configure Terminal Services Licensing

    Install Desktop Experience on the Terminal Server (optional)

    Configure the Terminal Services Licensing Mode

    Install the Terminal Services Gateway Service on the Terminal Services Gateway

    Request a Certificate for the Terminal Services Gateway

    Configure Terminal Services Gateway to Use the Certificate

    Create a Terminal Services Gateway RAP

    Create a Terminal Services Gateway CAP

    Configure the RDP Client to use the Terminal Services Gateway

    Install Terminal Services and Terminal Services Licensing on the Terminal Server

    The first step is to install Terminal Services on the Terminal Services computer.

    Perform the following steps to install Terminal Services and Terminal Services Licensing:

    1. On the Terminal Server computer, open the Server Manager. In the Server Manager, click on the Roles node in the left pane of the console.

    2. Click the Add Roles link in the right pane of the console.

    Figure 2

    3. Click Next on the Before You Begin page.

    4. On the Select Server Roles page, put a checkmark in the Terminal Services checkbox. Click Next.

    Figure 3

    5. Click Next on the Terminal Services page.

    6. On the Select Role Services page, put a checkmark in the Terminal Server and TS Licensing checkboxes. Click Next.

    Figure 4

    7. Click Next on the Uninstall and Reinstall Application for Compatibility page.

    8. On the Specify Authentication Method for Terminal Server page, select the Require Network Level Authentication option. We can select this option in our current scenario because we are using only Vista SP1 clients to connect to the Terminal Server through the TS Gateway. We would not be able to use this option if we needed to support Windows XP SP2 clients. However, you should be able to support Network Level Authentication with Windows XP SP3. However, I have not yet confirmed this, so make sure to check the release notes on Windows XP SP3 when it is released later this year. Click Next.

    Figure 5

    9. On the Specify Licensing Mode page, select the Configure later option. We could select an option now, but I decided that we should select Configure later so that I can show you where in the Terminal Services console you configure the licensing mode. Click Next.

    Figure 6

    10. On the Select User Groups Allowed Access To This Terminal Server page, use the default options. You can add or remove groups if you want finer tuned access control over the Terminal Server. However, if all of your users will be going through the Terminal Services Gateway, then you can control who can connect to the Terminal Server using the TS Gateway policy settings. Leave the default settings as they are and click Next.

    Figure 7

    11. On the Configure Discovery Scope for TS Licensing page, select the This domain option. We select this option in this scenario because we only have a single domain. If you have a multi-domain forest, you might consider selecting The forest option. Click Next.

    Figure 8

    12. On the Confirm Installation Selections page, check the warning information indicating that you might have to reinstall applications that were already installed on this machine if you want them to work properly in a Terminal Services session environment. Also note that IE Enhanced Security Configuration will be turned off. Click Install.

    Figure 9

    13. On the Installation Results page, you will see a warning that you must restart the server to complete the installation. Click Close.

    Figure 10

    14. Click Yes in the Add Roles Wizard dialog box that asks if you want to restart the server.

    15. Log on as Administrator. The installation will continue for a few minutes as the Installation Progress page appears after the Server Manager comes up.

    16. Click Close on the Installation Results page after you see the Installation succeeded message.

    Figure 11

    17. You may see a balloon telling you that Terminal Services licensing mode is not configured. You can dismiss that warning, as we will next configure Terminal Services Licensing and then configure the licensing mode on the Terminal Server.

    Figure 12

    Configure Terminal Services Licensing

    At this point we are ready to configure Terminal Services Licensing. In this example I will use some dummy data, which does not meet the actual requirements for licensing Terminal Services client connections, but it will provide an example of how the process works. Please do not use the same procedure that I show here to license your Terminal Services clients, because you will not be compliant with actual licensing requirements.

    Perform the following steps to activate your Terminal Services Licensing Server:

    1. From the Administrative Tools menu, click the Terminal Services menu and then click on TS Licensing Manager.

    2. In the TS Licensing Manager console, right click the server name in the left pane of the console. Click on Activate Server.

    Figure 13

    3. Click Next on the Welcome to the Activate Server Wizard page.

    4. On the Connection Method page, select the Automatic Connection (recommended) option. Click Next.

    Figure 14

    5. On the Company Information page, enter your company information and click Next.

    Figure 15

    6. Enter optional information if you like on the Company Information page. Click Next.

    Figure 16

    7. On the Completing the Activate Server Wizard page, make sure that the Start Install Licenses Wizard now option is checked. Click Next.

    Figure 17

    8. Click Next on the Welcome to the Install Licenses Wizard page.

    9. On the License Program page, click the down arrow on the License program list and pick the license program that you participate in. In this example I will select Other agreement since this lab is not participating in any license program. Click Next.

    Figure 18

    10. On the License Program page, enter your Agreement number. In this example we'll just enter 1234567. Click Next.

    Figure 19

    11. On the Product Version and License Type page, select the Product version, License type and Quantity that fits the needs of your environment. In this lab setup, we are using Windows Server 2008 Terminal Servers, so we will select Windows Server 2008. We will use per user CALs in this example network, so we will select Windows Server 2008 TS Per User CAL. And we will enter 50 in the Quantity text box. Click Next.

    Figure 20

    12. Click Finish on the Completing the Install Licenses Wizard page.

    Install Desktop Experience on the Terminal Server (optional)

    When Windows Vista clients connect to a Windows Server 2008 Terminal Server, they can have a Vista-like desktop experience in the Terminal Services session if you install the Desktop Experience option on the Terminal Server.

    Perform the following steps to install the Desktop Experience Feature to the Terminal Server:

    1. On the Select Features page, put a checkmark in the Desktop Experience checkbox. Click Next.

    Figure 21

    2. Click Install on the Confirm Installation Selections page.

    3. On the Installation Results page, read the warning information that you must restart the computer to finish the installation process. Click Close.

    4. Click Yes in the dialog box asking if you want to restart now.

    5. Log on as administrator. Installation will resume and take a few minutes, so be patient.

    6. Click Close on the Installation Results page, which shows that the installation was successful.

    Configure the Terminal Services Licensing Mode

    We will now finish up with configuring the Terminal Server by setting the Terminal Services Licensing Mode. Perform the following steps to configure the Terminal Services Licensing Mode:

    1. From the Administrative Tools menu, click the Terminal Services entry and then click Terminal Services Configuration.

    2. In the middle pane of the Terminal Services Configuration console, double click Terminal Services Licensing mode.

    Figure 22

    3. In the Properties dialog box, select the Per User option for the Specify the Terminal Services licensing mode option. Select Automatically discover license server for the Specify the license server discovery mode option. Click OK.

    Figure 23

    4. Click the Licensing Diagnosis node in the left pane of the console. In the middle pane you will see details for the licensing configuration for this Terminal Server.

    Figure 24

    5. Close the Terminal Services Configuration console.
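A read-only check of the choices made in the procedures above (Require Network Level Authentication in the role wizard, Per User licensing mode), added here as an example and not part of the original article. It assumes PowerShell is installed on the Terminal Server; the registry locations and value meanings are the commonly documented ones, and the local licensing-mode location in particular is an assumption to verify on your build.

```powershell
# Added example (not from the original article): read-only audit of the
# Terminal Server settings chosen in the wizard. Run elevated on the server.

# Local RDP listener settings, and the Group Policy location that overrides them.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# Assumption: location of the locally configured licensing mode.
$licCore  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core'

function Get-RegValue($path, $name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name } else { $null }
}

function Get-Effective($localPath, $name) {
    # A value set by Group Policy wins over the locally configured one.
    $fromPolicy = Get-RegValue $policy $name
    if ($fromPolicy -ne $null) { return $fromPolicy }
    Get-RegValue $localPath $name
}

$nla   = Get-Effective $listener 'UserAuthentication'  # 1 = NLA required
$layer = Get-Effective $listener 'SecurityLayer'       # 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
$mode  = Get-Effective $licCore  'LicensingMode'       # 2 = Per Device, 4 = Per User

$findings = @()
if ($nla -ne 1) {
    $findings += "Network Level Authentication is not required (UserAuthentication = '$nla')."
}
if ($layer -ne 1 -and $layer -ne 2) {
    # Native RDP security does not authenticate the server to the client.
    $findings += "Security layer is not Negotiate or SSL (SecurityLayer = '$layer')."
}
if ($mode -ne 4) {
    $findings += "Licensing mode is not Per User (LicensingMode = '$mode')."
}

if ($findings.Count -eq 0) {
    Write-Host 'OK: NLA required, TLS-capable security layer, Per User licensing mode.'
} else {
    $findings | ForEach-Object { Write-Host "CHECK: $_" }
}
```

The script only reads the registry, so it can be re-run after any Group Policy change to confirm that the NLA requirement chosen in the wizard is still in effect.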

    Summary

    In this, part 1 of a two part series on creating a Terminal Services Gateway solution using Windows Server 2008, we went over installing the Terminal Server services and Terminal Services licensing on the Terminal Server. We then configured Terminal Services licensing, installed the Desktop Experience on the Terminal Server, and finally configured the licensing mode for the Terminal Server. Next time we will finish up by installing and configuring the Terminal Services Gateway and the RDP client. We will then finish up by making the connection from an external location. See you then! Tom.

    If you would like to read the next part in this article series please go to Configuring the Windows Server 2008 Terminal Services Gateway (Part 2)

    About Thomas Shinder

    Dr. Thomas W. Shinder is an MCSE and MVP in ISA Firewalls. He has worked as a technology trainer, writer, and consultant in the Dallas-Ft. Worth metro area for over a decade, assisting in development and implementation of security strategies for major firms such as Microsoft, HP, the US Federal Government, and many other Fortune 500 companies. Tom is the CIO of TACTEAM, a writing, training and consulting firm focused on Windows security planning and deployment.
