TS Gateway 2008 & RSA
TRANSCRIPT
V1.2
Enhance TS Gateway Security with ISA Server 2006 + RSA Security
Following the steps in this document will enable you to publish TS Gateway and TS Web Access through ISA Server 2006 with RSA SecurID two-factor authentication, and will prevent users from bypassing the two-factor step by launching MSTSC.exe directly against the gateway.
Installing and configuring TS Gateway
Add the Terminal Services role to your server and select the following role services:
o Terminal Server
o TS Gateway
o TS Web Access
On the Choose a Server Authentication Certificate for SSL Encryption page, select the Choose an existing certificate for SSL encryption option. Import your third-party SSL certificate (TSGateway.company.com) in PFX format; the PFX must contain the private key, and the same PFX is imported on the ISA Server later.
On the Create Authorization Policies for TS Gateway page, select the Later option. The authorization policies are configured in the TS Gateway Manager console in the next two sections. Click Next.
Click Next on the Network Policy and Access Services page.
On the Select Role Services page, confirm that the Network Policy Server
checkbox is checked. Click Next.
On the Web Server (IIS) page, click Next.
On the Select Role Services page, accept the default role services selected by
the wizard. These are the services required to run the TS Gateway service. Click
Next.
Review the information on the Confirm Installation Selections page and click Install.
Create a connection authorization policy (CAP):
Open TS Gateway Manager
In the left pane of the console, click the Connection Authorization Policies
node that lies under the Policies node. In the right pane of the console, click the
arrow to the right of Create New Policy and then click Custom.
On the General tab, type a name for the policy, and then verify that the Enable
this policy check box is selected.
On the Requirements tab, under Supported Windows authentication methods, select the Password check box. This is the method the RDP client uses to authenticate to TS Gateway itself (NTLM, passed through ISA), separate from the SecurID logon at the ISA form.
Under User group membership (required), click Add Group, and then specify a
user group whose members can connect to the TS Gateway server.
Create a resource authorization policy (RAP):
Click on the Resource Authorization Policies node in the left pane of the TS
Gateway Manager console. In the right pane of the console, click the arrow
sitting to the right of the Create New Policy link and then click Custom.
On the General tab, type a name for the policy, and then verify that the Enable
this policy check box is selected
On the User Groups tab, click Add to select the user groups to which you want
this TS RAP to apply.
In the Select Groups dialog box, specify the user group location and name, and
then click OK.
On the Computer Group tab, specify the computer group that users can connect
to through TS Gateway
On the Allowed Ports tab, click Allow connections through any port. If all of your terminal servers listen on the default port (the terminal server settings below leave it at 3389), Allow connections only to port 3389 is the tighter choice.
Click OK to close the Properties dialog box for the TS RAP.
SSL Bridging
ISA Server terminates the client's SSL session and opens a new connection of its own to TS Gateway. Two options exist:
HTTPS-HTTPS bridging. In this configuration, the TS Gateway client initiates an SSL (HTTPS) request to the SSL bridging device. The SSL bridging device initiates a new HTTPS request to the TS Gateway server, so traffic is encrypted on both legs. This is the configuration used in this document: the ISA publishing rules below use SSL to connect to the published server.
HTTPS-HTTP bridging. In this configuration, the TS Gateway client initiates an SSL (HTTPS) request to the SSL bridging device. The SSL bridging device initiates a new HTTP request to the TS Gateway server, so the leg between ISA and TS Gateway is in clear text.
Disable HTTPS-HTTP bridging on the TS Gateway server
Open TS Gateway Manager.
In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties.
On the SSL Bridging tab, make sure the Use HTTPS-HTTP bridging check box is cleared, and then click OK.
Configuring RemoteApps for TS Web Access
To configure applications so that they can be launched from the Windows Server 2008 TS Web Access page, they must first be installed on the terminal server (in this setup the same server, since the Terminal Server role service was added above).
Applications are configured as RemoteApps using the TS RemoteApp Manager
Start -> All Programs -> Terminal Services -> TS Remote App Manager
Begin by clicking on the Add RemoteApp Programs link in the Actions panel
located in the top right hand corner of the TS RemoteApp Manager screen. This
will display the RemoteApp wizard containing a list of currently installed
applications. One or more applications may be selected from the list before
pressing the Next button:
Select the appropriate application from the list and click on the Properties...
button to open the RemoteApp Properties dialog. Within this dialog, make sure
that the RemoteApp is available through TS Web Access box is checked.
Click OK to close the RemoteApp Properties dialog and then click Next in the
wizard to proceed to the Review Settings screen and click Finish to complete the
configuration.
Configure the digital certificate
In the Actions pane of TS RemoteApp Manager, click Digital Signature Settings.
(Or, in the Overview pane, next to Digital Signature Settings, click Change.)
Select the Sign with a digital certificate check box.
In the Digital certificate details box, click Change.
In the Select Certificate dialog box, select the certificate (TSGateway.company.com), and then click OK. The signature covers the gateway and pre-authentication settings added below, so a copy of the .rdp file that has been edited no longer verifies as coming from your publisher.
Configure TS Gateway settings
In the Actions pane of TS RemoteApp Manager, click TS Gateway Settings. (Or, in the Overview pane, next to TS Gateway Settings, click Change.)
On the TS Gateway tab, configure the desired TS Gateway behaviour. You can choose to automatically detect TS Gateway server settings, to use TS Gateway server settings that you specify, or not to use a TS Gateway server.
Select Use these TS Gateway server settings and do the following:
Configure the TS Gateway server name (TSGateway.company.com) and the logon method (Ask for password (NTLM)).
Important: the server name must match the name in the SSL certificate for the TS Gateway server; it is also the public name the ISA Server listener will answer to.
Select Use the same user credentials for TS Gateway and Terminal Server.
Select the Bypass TS Gateway server for local addresses check box.
When you are finished, click OK.
Configure terminal server settings
In the Actions pane of TS RemoteApp Manager, click Terminal Server Settings. (Or, in the Overview pane, next to Terminal Server Settings, click Change.)
On the Terminal Server tab, under Connection settings, change the server name to the fully qualified internal domain name of the terminal server, leave the Remote Desktop Protocol (RDP) port number at 3389, and tick Require server authentication.
Clear the Show a remote desktop connection to this terminal server in TS Web Access check box.
Under Access to unlisted programs, select Do not allow users to start unlisted programs on initial connection (recommended). This stops a user from reusing the published RemoteApp connection to start arbitrary programs on the terminal server.
When you are finished, click OK.
Common & Custom RDP Settings
On the Custom RDP Settings tab, enter the following:
pre-authentication server address:s:https://TSGateway.company.com/ts
require pre-authentication:i:1
These two settings are what stop the MSTSC.exe bypass: the RDP client must present the authentication cookie obtained from the ISA logon form at the pre-authentication server address (the published /ts site) before it opens its RPC-over-HTTPS connection to the gateway. A user who starts mstsc.exe by hand has no such cookie, so ISA never hands the connection on to TS Gateway. This pre-authentication flow is the one added in ISA Server 2006 SP1.
See link for more details: http://technet.microsoft.com/en-us/library/cc731249.aspx
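To check that the .rdp files TS Web Access hands out actually carry these settings (and that a hand-made file does not pass), here is an added PowerShell audit script. It is not part of the original document or of the TS Web Access product; it assumes the public gateway name TSGateway.company.com and the /ts path from this guide, and the two .rdp bodies in it are constructed samples, not real files.

```powershell
# Added example, not from the original document: audit a RemoteApp .rdp file for the
# pre-authentication and gateway settings this guide relies on.
# Assumptions: public gateway name TSGateway.company.com and the /ts path; the two
# .rdp bodies below are constructed samples (the signature value is shortened).

$GatewayName = 'TSGateway.company.com'

# Settings every .rdp file served to users must carry (names are compared lower-case).
$Required = @{
    'pre-authentication server address' = "https://$GatewayName/ts"
    'require pre-authentication'        = '1'
    'gatewayhostname'                   = $GatewayName   # must match the certificate name
    'gatewaycredentialssource'          = '0'            # 0 = Ask for password (NTLM)
}
# Fields that have to be inside the signed scope for the signature to protect the bypass control.
$MustBeSigned = 'gatewayhostname', 'pre-authentication server address', 'require pre-authentication'

function ConvertFrom-RdpFile {
    # Parse the name:type:value lines of an .rdp file into a hashtable (types are s, i or b).
    param([string]$Content)
    $settings = @{}
    foreach ($line in ($Content -split "`r?`n")) {
        if ($line -match '^(?<name>[^:]+):(?<type>[sib]):(?<value>.*)$') {
            $settings[$Matches['name'].Trim().ToLower()] = $Matches['value'].Trim()
        }
    }
    return $settings
}

function Test-RdpPreAuth {
    # Returns the problems found; an empty list means the file enforces pre-authentication.
    param([string]$Content)
    $s = ConvertFrom-RdpFile $Content
    $problems = @()
    foreach ($name in $Required.Keys) {
        if (-not $s.ContainsKey($name)) {
            $problems += "missing setting: $name"
        } elseif ($s[$name] -ne $Required[$name]) {
            $problems += "wrong value: $name is '$($s[$name])', expected '$($Required[$name])'"
        }
    }
    if (-not $s.ContainsKey('signature')) {
        $problems += 'file is not signed (see Digital Signature Settings in TS RemoteApp Manager)'
    } elseif ($s.ContainsKey('signscope')) {
        # signscope lists the signed field names. The RDP client verifies the signature itself;
        # this only confirms the pre-authentication fields are inside the signed scope.
        $scope = @($s['signscope'] -split ',' | ForEach-Object { $_.Trim().ToLower() })
        foreach ($name in $MustBeSigned) {
            if ($scope -notcontains $name) { $problems += "not covered by the signature: $name" }
        }
    }
    return ,$problems
}

# Constructed sample of a compliant file as TS Web Access would serve it.
$GoodRdp = @'
full address:s:ts01.corp.company.local
server port:i:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||wordpad
gatewayhostname:s:TSGateway.company.com
gatewayusagemethod:i:2
gatewaycredentialssource:i:0
pre-authentication server address:s:https://TSGateway.company.com/ts
require pre-authentication:i:1
signscope:s:Full Address,Server Port,GatewayHostname,GatewayUsageMethod,GatewayCredentialsSource,Pre-authentication server address,Require pre-authentication,RemoteApplicationMode,RemoteApplicationProgram
signature:s:010001000000...
'@

# Constructed sample of what a user might type by hand to point mstsc.exe straight at the gateway.
$BypassRdp = @'
full address:s:ts01.corp.company.local
gatewayhostname:s:TSGateway.company.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
'@

Test-RdpPreAuth $GoodRdp      # audit the file TS Web Access serves
Test-RdpPreAuth $BypassRdp    # audit the hand-crafted file
```

Test-RdpPreAuth returns nothing for the compliant sample and, for the hand-crafted one, one line per missing pre-authentication setting plus the missing-signature line. Run it against a file saved from the TS Web Access page after any change to the Custom RDP Settings or to the signing certificate.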
IIS Settings
On the TS Web server, start Internet Information Services (IIS) Manager.
In the left pane, expand the server name, expand Sites, expand Default Web
Site, and then click TS.
In the middle pane, double-click Application Settings.
To configure the default TS Gateway server, double-click DefaultTSGateway, enter the fully qualified domain name of the server in the Value box (TSGateway.company.com), and then click OK.
To specify the TS Gateway authentication method, double-click
GatewayCredentialsSource, type the number that corresponds to the desired
authentication method in the Value box, and then click OK. The possible values
include:
0 = Ask for password (NTLM)
1 = Smart card
4 = Allow user to select later
To configure whether the Remote Desktop tab appears on the TS Web Access
page, double-click ShowDesktops. In the Value box, type true to show the
Remote Desktop tab, or type false to hide the Remote Desktop tab. When you are
finished, click OK.
To configure default device and resource redirection settings, double-click the setting that you want to modify (xClipboard, xDriveRedirection, xPnPRedirection, xPortRedirection, or xPrinterRedirection). In the Value box, type true to enable the redirection setting by default, or type false to disable the redirection setting by default, and then click OK. These values are only the defaults offered on the TS Web Access page; if redirection must be restricted rather than merely defaulted off, enforce it on the Device Redirection tab of the TS CAP.
IIS Authentication settings
Authentication per virtual directory (Default = Default Web Site; TS, RPCWithCert and RPC are its virtual directories):

Method                  Default    TS         RPCWithCert   RPC
Anonymous               Disabled   Disabled   Enabled       Disabled
ASP.NET impersonation   Disabled   Disabled   Disabled      Disabled
Basic                   Enabled    Disabled   Disabled      Disabled
Forms                   Disabled   Disabled   Disabled      Disabled
Windows                 Enabled    Enabled    Disabled      Enabled
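The Application Settings and the authentication table above can be applied with appcmd.exe instead of clicking through IIS Manager, which makes the result repeatable and easy to review. The following is an added PowerShell example, not a script from the original document or from Microsoft; it assumes the site and virtual directory names used in this guide (Default Web Site with TS, RPC and RPCWithCert) and the public name TSGateway.company.com, and it must run from an elevated prompt on the TS Web Access server.

```powershell
# Added example, not from the original document: apply the TS Web Access application
# settings and the per-directory authentication table with appcmd.exe.
# Assumptions: Default Web Site with the TS, RPC and RPCWithCert virtual directories,
# and the public name TSGateway.company.com. Run elevated on the TS Web Access server.

$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

function Invoke-AppCmd {
    param([string[]]$Arguments)
    & $appcmd @Arguments
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed: $($Arguments -join ' ')" }
}

# Application Settings of the TS Web Access page. The keys already exist in the TS site's
# web.config, so 'set config' is enough. Redirection defaults are off here so users must opt
# in to drive, clipboard and device redirection; to enforce rather than default, use the
# Device Redirection tab of the TS CAP.
$AppSettings = @{
    DefaultTSGateway         = 'TSGateway.company.com'
    GatewayCredentialsSource = '0'       # 0 = Ask for password (NTLM), 1 = smart card, 4 = user selects later
    ShowDesktops             = 'false'   # hide the Remote Desktop tab: users get the published RemoteApps only
    xClipboard               = 'false'
    xDriveRedirection        = 'false'
    xPnPRedirection          = 'false'
    xPortRedirection         = 'false'
    xPrinterRedirection      = 'false'
}
foreach ($key in $AppSettings.Keys) {
    Invoke-AppCmd @('set', 'config', 'Default Web Site/TS', '/section:appSettings',
                    "/[key='$key'].value:$($AppSettings[$key])")
}

# Authentication per virtual directory, exactly as in the table ($true = Enabled).
# Forms and ASP.NET impersonation are Disabled everywhere in the table, which is the
# IIS default, so they are left untouched.
$AuthTable = @{
    'Default Web Site'             = @{ anonymous = $false; basic = $true;  windows = $true  }
    'Default Web Site/TS'          = @{ anonymous = $false; basic = $false; windows = $true  }
    'Default Web Site/RPCWithCert' = @{ anonymous = $true;  basic = $false; windows = $false }
    'Default Web Site/RPC'         = @{ anonymous = $false; basic = $false; windows = $true  }
}
$Sections = @{
    anonymous = 'system.webServer/security/authentication/anonymousAuthentication'
    basic     = 'system.webServer/security/authentication/basicAuthentication'
    windows   = 'system.webServer/security/authentication/windowsAuthentication'
}
foreach ($path in $AuthTable.Keys) {
    foreach ($auth in $AuthTable[$path].Keys) {
        $enabled = $AuthTable[$path][$auth].ToString().ToLower()
        # /commit:apphost writes a <location path="..."> override into applicationHost.config,
        # where these IIS 7 authentication sections are locked by default.
        Invoke-AppCmd @('set', 'config', $path, "/section:$($Sections[$auth])",
                        "/enabled:$enabled", '/commit:apphost')
    }
}

# Read back the RPC directory so the result can be checked in the output.
Invoke-AppCmd @('list', 'config', 'Default Web Site/RPC', "/section:$($Sections['windows'])")
```

The script fails fast on the first appcmd error rather than continuing with a half-applied table, which matters here because a directory left with Anonymous enabled would let the RPC proxy answer without Windows authentication.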
Modifying Desktops.aspx
On the TS Gateway server, navigate to C:\Windows\Web\ts\en-US\
Make a backup of desktops.aspx.
Right-click desktops.aspx and choose Edit.
Search for "authentication".
Change and add the following lines to desktops.aspx:
Save desktops.aspx.
This completes the TS Gateway setup.
ISA Server 2006 Setup
You need two Web publishing rules, in the following order, to allow TS Web Access and TS Gateway through ISA Server with RSA SecurID: one for the TS virtual directory and one for the RPC virtual directory.
Importing the GoDaddy SSL Certificate
Click the Start menu and select Run. Type MMC and press Enter. In the File menu, choose Add/Remove Snap-in.
Click Add, then double-click Certificates, choose Computer account, then Finish.
Click Close and then OK. Expand the Certificates node, then expand the Personal node beneath it.
Right-click the Personal folder and select All Tasks > Import.
Find the .pfx file you saved previously and import the certificate and its private key. The Web listener below binds this certificate, so it must be the same TSGateway.company.com certificate, with private key, that was installed on the TS Gateway server.
ISA Server hosts file
Add the following entry to the hosts file on the ISA Server (C:\Windows\System32\drivers\etc\hosts) so that the published name resolves to the internal address of the TS Gateway server for the HTTPS-HTTPS bridged connection:
Disable the HttpOnly attribute on the ISA Server authentication cookie
The TS Web Access page has to read the ISA authentication cookie from script and hand it to the RDP client for pre-authentication; an HttpOnly cookie is invisible to script, so the attribute must be turned off on this listener. The trade-off is that a script injection flaw in anything published through this listener could read the cookie, so publish nothing else on it.
Copy and paste the script into a text editor such as Notepad. On the ISA Server, save the file to the C:\ directory as DisableHttpOnlyAuthCookies.vbs. You can obtain the script from:
http://technet.microsoft.com/en-us/library/cc731249.aspx
From a command prompt, run the following command from the C:\ directory (OTP is the name of the Web listener created below; substitute your own listener name):
cscript DisableHttpOnlyAuthCookies.vbs /WebListener:OTP /Value:False
Keep running the script until you see the following output:
HTTP only cookies: True
HTTP only cookies set to False
Create a new network
Enter an appropriate name.
Choose External network.
Add a range and enter the external IP address of the ISA Server.
Click Finish.
System Policy Rules
Make sure system policy rule 24, the SecurID rule that allows the SecurID protocol from the ISA Server to the RSA Authentication Manager, is enabled; without it the form logon cannot validate passcodes.
Create a Web Listener
In the console tree of ISA Server Management, click Firewall Policy.
On the Toolbox tab, click Network Objects.
On the toolbar beneath Network Objects, click New, and then click Web Listener.
Give the Web Listener a unique name (the DisableHttpOnlyAuthCookies.vbs command above refers to it as OTP). In the next window of the wizard, select Require SSL secured connections with clients.
On the Web Listener IP Addresses page, select the network the requests arrive from. If the requests come from the Internet you must select the External network; then click Select IP Addresses and choose the external address of the ISA Server.
On the Listener SSL Certificates page, select the certificate you want bound to the Web listener: click Select Certificate. The Select Certificate dialog box lists the certificates that can be used and shows whether each one is valid and whether it will expire soon; ticking Show only valid certificates shows only certificates that are valid to bind to the Web listener. Select the TSGateway.company.com certificate imported above.
On the Authentication Settings page, select HTML Form Authentication from the drop-down list, with RSA SecurID as the method ISA Server uses to validate the credentials.
Note: enable the Collect additional delegation credentials in the form option. It is required when using RADIUS OTP or RSA SecurID authentication: a SecurID passcode cannot be delegated to TS Gateway, so the form also collects the user's Windows credentials, and it is those that ISA delegates (NTLM) to the published TS virtual directory.
After the listener is created, open its properties and make sure the Require all users to authenticate option is not selected under Advanced Authentication Options.
The first rule: TS Gateway TS virtual directory
To create the Web Publishing Rule, open the ISA firewall console, expand the array name and click the Firewall Policy node. Click the Tasks tab in the Task Pane and click Publish Web Sites.
Enter a name for the rule that publishes the TS virtual directory.
Rule action: Allow.
Publishing type: Publish a single Web site or load balancer.
Server connection security: Use SSL to connect to the published Web server or server farm (this is the HTTPS-HTTPS bridging described above).
Internal publishing details: enter the DNS name on your certificate (TSGateway.company.com) as the internal site name, and /ts/* as the path.
Public name details: accept requests for the DNS name on your certificate (TSGateway.company.com).
Select the listener you created earlier.
Authentication delegation: NTLM authentication (the Windows credentials collected by the form are passed to TS Web Access).
User sets: All Authenticated Users.
The second rule: TS Gateway RPC virtual directory
To create the Web Publishing Rule, open the ISA firewall console, expand the array name and click the Firewall Policy node. Click the Tasks tab in the Task Pane and click Publish Web Sites.
Enter a name for the rule that publishes the RPC virtual directory.
Publishing type: Publish a single Web site or load balancer.
Server connection security: Use SSL to connect to the published Web server or server farm.
Internal publishing details: enter the DNS name on your certificate (TSGateway.company.com) as the internal site name, and /rpc/* as the path.
Public name details: accept requests for the DNS name on your certificate (TSGateway.company.com).
Select the listener you created earlier.
Authentication delegation: No delegation, but client may authenticate directly. The RDP client authenticates to TS Gateway itself with NTLM (the Password method allowed in the TS CAP), so ISA passes the request through; All Authenticated Users still requires the request to carry a valid logon cookie from the listener, which is what the require pre-authentication setting in the .rdp file supplies.
User sets: All Authenticated Users.
Make sure the Forward the original host header instead of the actual one option is ticked.
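Once both rules are in place, the property that matters is that neither /ts nor /rpc can be reached without first passing the ISA logon form. The following added PowerShell probe is not part of the original document; it sends unauthenticated requests from outside to the two published paths and reports whether ISA answered with its logon redirect or whether TS Gateway answered directly. It assumes the public name TSGateway.company.com from this guide and that ISA forms-based authentication redirects unauthenticated requests to its CookieAuth.dll logon page.

```powershell
# Added example, not from the original document: probe the published /ts and /rpc paths
# from the Internet side to confirm ISA gates them with its logon form, so that an RDP
# client started by hand (mstsc.exe) without the pre-authentication cookie never reaches
# TS Gateway. Assumptions: public name TSGateway.company.com; ISA forms-based
# authentication redirects unauthenticated requests to CookieAuth.dll.

$PublicName = 'TSGateway.company.com'

function Test-PublishedPath {
    # Returns an object with the raw status, the Location header and a verdict for one path.
    param([string]$Path)
    $req = [System.Net.HttpWebRequest]::Create("https://$PublicName$Path")
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false        # we want to see ISA's redirect, not follow it
    $req.UserAgent = 'TSGatewayProbe/1.0'
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401 and 403 arrive as exceptions; the response object is still attached
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $wwwAuth  = $resp.Headers['WWW-Authenticate']
    $resp.Close()

    $verdict = if ($status -eq 302 -and $location -match 'CookieAuth\.dll') {
        'OK: ISA logon form gates this path'
    } elseif ($status -eq 401 -and $wwwAuth) {
        'FAIL: TS Gateway answered directly; the ISA rule is not requiring authentication'
    } else {
        'CHECK: unexpected response, inspect Status and Location'
    }
    New-Object PSObject -Property @{ Path = $Path; Status = $status; Location = $location; Verdict = $verdict }
}

# The TS Web Access page and the RPC-over-HTTP endpoint the RDP client uses through TS Gateway.
'/ts/', '/rpc/rpcproxy.dll' |
    ForEach-Object { Test-PublishedPath $_ } |
    Format-Table Path, Status, Verdict -AutoSize
```

Run it from a host outside the ISA External network. A 401 with a WWW-Authenticate header on /rpc/rpcproxy.dll is the signature of the bypass this document is meant to close: it means an RDP client can negotiate NTLM with TS Gateway without ever having seen the SecurID form.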