
Posted on 10-Apr-2015

Page 1: TS Gateway 2008 & RSA

V1.2

Enhance TS Gateway Security with ISA Server 2006 + RSA Security

Following the steps in this document will enable you to configure TS Gateway Web Access with RSA SecurID and will prevent users from bypassing two-factor authentication by launching MSTSC.exe.

Installing and configuring TS Gateway

Add the Terminal Services role to your server and select the following role services:

o Terminal Server

o TS Gateway

o TS Web Access

On the Choose a Server Authentication Certificate for SSL Encryption page, select the Choose an existing certificate for SSL encryption option. Import your third party SSL certificate (TSGateway.company.com) in PFX format. The PFX file carries the server's private key, so keep it and its password off shared locations and delete the copy once the import has succeeded.

On the Create Authorization Policies for TS Gateway page, select the Later option. I will show you how to configure authorization policies in the console. Click Next.

Click Next on the Network Policy and Access Services page.

On the Select Role Services page, confirm that the Network Policy Server checkbox is checked. Click Next.

On the Web Server (IIS) page, click Next.

On the Select Role Services page, accept the default role services selected by the wizard. These are the services required to run the TS Gateway service. Click Next.

Review the information on the Confirm Installation Selections page and click Install.

Create a connection authorization policy (CAP):

Open TS Gateway Manager.

In the left pane of the console, click the Connection Authorization Policies node that lies under the Policies node. In the right pane of the console, click the arrow to the right of Create New Policy and then click Custom.

On the General tab, type a name for the policy, and then verify that the Enable this policy check box is selected.

On the Requirements tab, under Supported Windows authentication methods, select the following check box: Password.


Under User group membership (required), click Add Group, and then specify a user group whose members can connect to the TS Gateway server. Use a dedicated group rather than Domain Users; the CAP is the first check that decides who may reach the gateway at all.

Create a resource authorization policy (RAP):

Click on the Resource Authorization Policies node in the left pane of the TS Gateway Manager console. In the right pane of the console, click the arrow sitting to the right of the Create New Policy link and then click Custom.

On the General tab, type a name for the policy, and then verify that the Enable this policy check box is selected.

On the User Groups tab, click Add to select the user groups to which you want this TS RAP to apply. In the Select Groups dialog box, specify the user group location and name, and then click OK.

On the Computer Group tab, specify the computer group that users can connect to through TS Gateway.

On the Allowed Ports tab, click Allow connections through any port. The terminal server published later in this guide listens on 3389 only; if that is true of every server in the computer group, Allow connections only to port 3389 is the tighter choice.

Click OK to close the Properties dialog box for the TS RAP.

SSL Bridging

HTTPS-HTTPS bridging. In this configuration, the TS Gateway client initiates an SSL (HTTPS) request to the SSL bridging device. The SSL bridging device initiates a new HTTPS request to the TS Gateway server, for maximum security.

HTTPS-HTTP bridging. In this configuration, the TS Gateway client initiates an SSL (HTTPS) request to the SSL bridging device. The SSL bridging device initiates a new HTTP request to the TS Gateway server.


SSL bridging setting on the TS Gateway server

Open TS Gateway Manager.

In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties.

On the SSL Bridging tab, make sure the Use HTTPS-HTTP bridging check box is un-ticked, and then click OK. The ISA publishing rules created later in this guide use SSL to connect to the published server (HTTPS-HTTPS bridging), so the gateway must keep expecting HTTPS; ticking this box is only correct when the bridging device terminates SSL and speaks plain HTTP to the gateway.

Configuring RemoteApps for TS Web Access

To configure applications such that they can be launched from the Windows Server 2008 TS Web Access page they must first be installed onto the TS Gateway server (in this guide the Terminal Server and TS Gateway role services share one server).

Applications are configured as RemoteApps using the TS RemoteApp Manager: Start -> All Programs -> Terminal Services -> TS RemoteApp Manager.

Begin by clicking on the Add RemoteApp Programs link in the Actions panel located in the top right hand corner of the TS RemoteApp Manager screen. This will display the RemoteApp wizard containing a list of currently installed applications. One or more applications may be selected from the list before pressing the Next button:


Select the appropriate application from the list and click on the Properties... button to open the RemoteApp Properties dialog. Within this dialog, make sure that the RemoteApp is available through TS Web Access box is checked.

Click OK to close the RemoteApp Properties dialog and then click Next in the wizard to proceed to the Review Settings screen and click Finish to complete the configuration.

Configure the digital certificate

Signing the generated .rdp files lets the client detect when a file, including its gateway and pre-authentication settings, has been altered since it was published.

In the Actions pane of TS RemoteApp Manager, click Digital Signature Settings. (Or, in the Overview pane, next to Digital Signature Settings, click Change.)

Select the Sign with a digital certificate check box.

In the Digital certificate details box, click Change.

In the Select Certificate dialog box, select the certificate (TSGateway.company.com), and then click OK.


Configure TS Gateway settings

In the Actions pane of TS RemoteApp Manager, click TS Gateway Settings. (Or, in the Overview pane, next to TS Gateway Settings, click Change.)

On the TS Gateway tab, configure the desired TS Gateway behaviour. You can configure whether to automatically detect TS Gateway server settings, to use TS Gateway server settings that you specify, or to not use a TS Gateway server.

Select Use these TS Gateway server settings and do the following:

Configure the TS Gateway server name (TSGateway.company.com) and the logon method (Ask for password (NTLM)).

Important: the server name must match what is specified in the (SSL) certificate for the TS Gateway server, otherwise clients fail server authentication when they connect.

Select Use the same user credentials for TS Gateway and Terminal Server.

Select the Bypass TS Gateway server for local addresses check box.

When you are finished, click OK.

Configure terminal server settings

In the Actions pane of TS RemoteApp Manager, click Terminal Server Settings. (Or, in the Overview pane, next to Terminal Server Settings, click Change.)


On the Terminal Server tab, under Connection settings, modify the server name to be the fully qualified internal domain name, leave the Remote Desktop Protocol (RDP) port number as 3389, and tick Require server authentication.

Un-tick the Show a remote desktop connection to this terminal server in TS Web Access check box.

Select Do not allow users to start unlisted programs on initial connection (recommended). Without it a user can edit a RemoteApp .rdp file and start any program on the terminal server, not only the published ones.

When you are finished, click OK.

Common & Custom RDP Settings

Enter the following under Custom RDP settings, each on its own line and with no spaces around the colons:

pre-authentication server address:s:https://TsGateway.company.com/ts
require pre-authentication:i:1

With require pre-authentication set to 1 the RDP client only connects through the gateway when it can present the pre-authentication token it received from the ISA logon form at the address given. This is the setting that stops a user from launching MSTSC.exe against the gateway and skipping the SecurID logon.

See link for more details: http://technet.microsoft.com/en-us/library/cc731249.aspx
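The two custom settings above are the control that keeps MSTSC.exe from skipping the SecurID form, so it is worth checking the published .rdp files for them rather than trusting the wizard. The following is an added example and not code from the original guide: a small Python audit that parses the key:type:value lines of a RemoteApp .rdp file and flags anything that would let a client reach the gateway without pre-authentication, with a gateway name that does not match the certificate, or with a credential method other than the NTLM delegation ISA is configured for. The property names are the standard RDP file settings; the two sample files, the internal terminal server name ts01.corp.company.local and the audit thresholds are constructed for the example.

```python
"""Audit RemoteApp .rdp files for the TS Gateway pre-authentication settings.

Added example for this guide; not code from the original document. The sample
.rdp contents below are constructed, as is the internal terminal server name.
"""
from urllib.parse import urlparse

# External gateway name; must equal the name in the TS Gateway SSL certificate.
GATEWAY_FQDN = "TSGateway.company.com"


def parse_rdp(text):
    """Parse 'key:type:value' lines into a dict keyed by lower-cased setting name.

    Type 'i' values become ints; 's' and 'b' values stay strings. The value is
    everything after the second colon, so URLs containing ':' survive intact.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.count(":") < 2:
            continue
        key, kind, value = line.split(":", 2)
        key = key.strip().lower()
        if kind == "i":
            try:
                settings[key] = int(value)
            except ValueError:
                settings[key] = value  # malformed integer: keep raw so the audit flags it
        else:
            settings[key] = value
    return settings


def audit_rdp(text, gateway_fqdn=GATEWAY_FQDN):
    """Return a list of findings; an empty list means the file matches the guide."""
    s = parse_rdp(text)
    fqdn = gateway_fqdn.lower()
    findings = []

    # The bypass the guide closes: without pre-auth, mstsc.exe reaches the
    # gateway with NTLM alone and never sees the ISA/SecurID logon form.
    if s.get("require pre-authentication") != 1:
        findings.append("require pre-authentication is not 1: client may skip the ISA form logon")
    url = urlparse(str(s.get("pre-authentication server address", "")))
    if url.scheme != "https" or (url.hostname or "").lower() != fqdn:
        findings.append("pre-authentication server address is not https://<gateway FQDN>/...")

    # Gateway name must equal the certificate name or server authentication fails.
    if str(s.get("gatewayhostname", "")).lower() != fqdn:
        findings.append("gatewayhostname does not match the gateway certificate name")
    if s.get("gatewayusagemethod") not in (1, 2):  # 1 = always, 2 = bypass for local addresses
        findings.append("gatewayusagemethod does not force the gateway for remote connections")
    if s.get("gatewaycredentialssource") != 0:  # 0 = Ask for password (NTLM)
        findings.append("gatewaycredentialssource is not 0 (NTLM), the method ISA delegates")
    if s.get("promptcredentialonce") != 1:
        findings.append("promptcredentialonce is not 1 (same credentials for gateway and terminal server)")
    if s.get("authentication level") != 1:  # 1 = do not connect if server authentication fails
        findings.append("authentication level is not 1 (require server authentication)")
    return findings


# Constructed sample: what TS RemoteApp Manager should produce after this guide.
HARDENED_RDP = """\
full address:s:ts01.corp.company.local
remoteapplicationmode:i:1
remoteapplicationprogram:s:||notepad
alternate shell:s:rdpinit.exe
authentication level:i:1
gatewayhostname:s:TSGateway.company.com
gatewayusagemethod:i:2
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
pre-authentication server address:s:https://TsGateway.company.com/ts
require pre-authentication:i:1
"""

# Constructed sample: a hand-written file that points straight at the gateway.
BYPASS_RDP = """\
full address:s:ts01.corp.company.local
authentication level:i:1
gatewayhostname:s:TSGateway.company.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
"""

if __name__ == "__main__":
    for name, content in (("hardened", HARDENED_RDP), ("bypass", BYPASS_RDP)):
        print(name, audit_rdp(content) or ["OK"])
```

Run it over the .rdp files TS Web Access serves (and any a user hands you when a connection "mysteriously works" without the form): the hardened sample passes cleanly, while the bypass sample is reported for both missing pre-authentication settings even though every gateway setting in it is otherwise correct.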

IIS Settings

On the TS Web server, start Internet Information Services (IIS) Manager.

In the left pane, expand the server name, expand Sites, expand Default Web Site, and then click TS.

In the middle pane, double-click Application Settings.


To configure the default TS Gateway server, double-click DefaultTSGateway, enter the fully qualified domain name of the server in the Value box (TSGateway.company.com), and then click OK.

To specify the TS Gateway authentication method, double-click GatewayCredentialsSource, type the number that corresponds to the desired authentication method in the Value box, and then click OK. The possible values include:

0 = Ask for password (NTLM)

1 = Smart card

4 = Allow user to select later

Use 0 here so that the method matches the NTLM delegation configured on the ISA publishing rule later in this guide.

To configure whether the Remote Desktop tab appears on the TS Web Access page, double-click ShowDesktops. In the Value box, type true to show the Remote Desktop tab, or type false to hide the Remote Desktop tab. When you are finished, click OK.

To configure default device and resource redirection settings, double-click the setting that you want to modify (xClipboard, xDriveRedirection, xPnPRedirection, xPortRedirection, or xPrinterRedirection). In the Value box, type true to enable the redirection setting by default, or type false to disable the redirection setting by default, and then click OK. Drive and Plug and Play redirection give an Internet-connected client's devices a path into the terminal server, so leave them false unless there is a need for them.

IIS Authentication settings

Authentication          Default Web Site   TS         RPCWithCert   RPC
Anonymous               Disabled           Disabled   Enabled       Disabled
ASP.NET Impersonation   Disabled           Disabled   Disabled      Disabled
Basic                   Enabled            Disabled   Disabled      Disabled
Forms                   Disabled           Disabled   Disabled      Disabled
Windows                 Enabled            Enabled    Disabled      Enabled
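Because IIS settings inherit from the site root down to each virtual directory, the matrix above is easy to get subtly wrong: a module enabled on Default Web Site stays enabled on RPC unless it is explicitly turned off there. The following added example (not from the original guide) reads an applicationHost.config-style XML fragment, computes the effective Anonymous, Basic and Windows authentication state for each of the four paths by applying the location overrides from the most general path to the most specific, and compares the result with the table. The fragment is constructed for the example, with RPC deliberately left inheriting Basic from the site root; ASP.NET impersonation and Forms authentication are system.web settings and are not checked here.

```python
"""Check effective IIS authentication per virtual directory against the guide's table.

Added example for this guide, not part of the original document. The
applicationHost.config fragment below is constructed; on a real server read
the file under %windir%\\System32\\inetsrv\\config instead.
"""
import xml.etree.ElementTree as ET

MODULES = {
    "anonymous": "anonymousAuthentication",
    "basic": "basicAuthentication",
    "windows": "windowsAuthentication",
}

# Target state per path, from the guide's table. ASP.NET impersonation and
# Forms authentication live in system.web and are not covered here.
EXPECTED = {
    "Default Web Site":             {"anonymous": False, "basic": True,  "windows": True},
    "Default Web Site/ts":          {"anonymous": False, "basic": False, "windows": True},
    "Default Web Site/RpcWithCert": {"anonymous": True,  "basic": False, "windows": False},
    "Default Web Site/Rpc":         {"anonymous": False, "basic": False, "windows": True},
}


def explicit_flags(container):
    """Modules explicitly set under container/system.webServer/security/authentication."""
    flags = {}
    auth = container.find("system.webServer/security/authentication")
    if auth is None:
        return flags
    for short, tag in MODULES.items():
        el = auth.find(tag)
        if el is not None and el.get("enabled") is not None:
            flags[short] = el.get("enabled").strip().lower() == "true"
    return flags


def effective_auth(config, path):
    """Root defaults, then every <location> whose path is a prefix of `path`, general first."""
    root = ET.fromstring(config) if isinstance(config, str) else config
    effective = explicit_flags(root)
    target = [seg.lower() for seg in path.split("/")]
    matching = []
    for loc in root.findall("location"):
        segs = [seg.lower() for seg in loc.get("path", "").split("/")]
        if target[:len(segs)] == segs:          # "Default Web Site" is a prefix of ".../Rpc"
            matching.append((len(segs), loc))
    for _, loc in sorted(matching, key=lambda item: item[0]):
        effective.update(explicit_flags(loc))   # more specific paths override
    return effective


def audit_iis_auth(config):
    """Return 'path: module is X, expected Y' strings for every deviation from EXPECTED."""
    root = ET.fromstring(config)
    findings = []
    for path, want in EXPECTED.items():
        got = effective_auth(root, path)
        for module, expected in want.items():
            if got.get(module) != expected:
                findings.append(f"{path}: {module} is {got.get(module)}, expected {expected}")
    return findings


# Constructed sample. Rpc only turns Windows on and so silently inherits Basic
# from the site root, which the audit should catch.
SAMPLE_APPHOST = """\
<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
    <basicAuthentication enabled="false" />
    <windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="Default Web Site">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <basicAuthentication enabled="true" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/ts">
    <system.webServer><security><authentication>
      <basicAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/RpcWithCert">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
      <basicAuthentication enabled="false" />
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/Rpc">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

if __name__ == "__main__":
    for line in audit_iis_auth(SAMPLE_APPHOST) or ["all four paths match the table"]:
        print(line)
```

The sample reports exactly one deviation, Basic still enabled on Default Web Site/Rpc, which is the inheritance mistake the manual procedure invites. On a real server two more things can change the effective answer and are outside this script: a web.config in the virtual directory's folder, and section locking (overrideMode) in applicationHost.config, which is why the IIS Manager view should still be checked after the file-level audit.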


Modifying Desktops.aspx

On the TS Gateway server navigate to C:\Windows\Web\ts\en-US\ and make a backup of desktops.aspx.

Right-click desktops.aspx and choose Edit.

Search for "authentication".

Change and add the following lines to desktops.aspx:

Save desktops.aspx.

This completes the TS Gateway setup.


ISA Server 2006 Setup

You need two publishing rules, in the order given below, to allow TS Gateway web access through ISA using RSA.

Importing the GoDaddy SSL certificate

Click the Start menu and select Run. Type MMC and press Enter. In the File menu choose Add/Remove Snap-in.

Click Add, then double-click Certificates, choose Computer Account, then Finish. Click Close and then OK. Expand the Certificates node, then expand the Personal node beneath it.

Right-click the Personal folder and select All Tasks > Import.

Find the .pfx file you saved previously and import the certificate and private key into the computer's Personal store. The same certificate (TSGateway.company.com) is used on ISA and on the gateway, so the public name, the listener certificate and the gateway name in the RDP files all agree.

ISA Server hosts file

You will need to add the following to the hosts file, so that ISA resolves the published name to the internal address of the TS Gateway server:

Disable the HttpOnly attribute on the ISA Server

Copy and paste the script into a text editor such as Notepad. On the ISA Server, save the file to the C:\ directory as DisableHttpOnlyAuthCookies.vbs. You can obtain the script from:

http://technet.microsoft.com/en-us/library/cc731249.aspx

From a command prompt, run the following command from the C:\ directory. OTP is the name of the web listener created below; use whatever name you give yours:

cscript DisableHttpOnlyAuthCookies.vbs /WebListener:OTP /Value:False

Run the script again if necessary until you see the following output:

HTTP only cookies: True
HTTP only cookies set to False

This is a deliberate weakening. The form authentication cookie is normally marked HttpOnly so that script cannot read it; it is turned off here because pre-authentication needs the cookie to be readable by the TS Web Access page. Keep the change scoped to this listener and treat any script injection on the published site as a session-theft risk.


Create a new network

Enter an appropriate name and choose External network. Add a range and enter the external IP address of the ISA server. Click Finish.

System Policy Rules

Make sure system policy rule 24, the SecurID rule, is enabled so that ISA can talk SecurID to the RSA server.


Create a Web Listener

In the console tree of ISA Server Management, click Firewall Policy.

On the Toolbox tab, click Network Objects.

On the toolbar beneath Network Objects, click New, and then click Web Listener.

Give the Web Listener a unique name. In the next window of the wizard select Require SSL secured connections with clients.

Select IP Addresses... You must specify the Web Listener IP address. If the request comes from the Internet you must select the External network.

On the Listener SSL Certificates page, you select the certificates that you want bound to the Web listener. Click the Select Certificate button.


In the Select Certificate dialog box, you'll see a list of certificates that can be used. This dialog box will also provide you with information about the validity of the certificate, whether the certificate will expire soon, and more. When you put a checkmark in the Show only valid certificates checkbox, you'll only see certificates that are valid to bind to your Web listener.

On the Authentication Settings page you have a number of options. Select the HTML Form Authentication option from the drop-down list, and select RSA SecurID as the method ISA uses to validate the credentials.

Note: enable the Collect additional delegation credentials in the form option. You enable this option when using RADIUS OTP or RSA SecurID authentication, because the SecurID passcode proves the user to ISA but cannot be passed on to the TS Gateway; the form must also collect the Windows user name and password that ISA delegates with NTLM.

After the listener is created make sure the Require all users to authenticate option isn't selected under Advanced Authentication Options.

The first rule: TS Gateway TS virtual directory

To create the Web Publishing Rule, open the ISA firewall console, expand the array name and click the Firewall Policy node. Click the Tasks tab in the Task Pane and click Publish Web Sites.


Enter a name for the rule to publish the TS virtual directory.

Select Allow for this rule.

Select Publish a single Web site or load balancer, then Use SSL to connect to the published Web server or server farm.

Enter the DNS name of your certificate as the internal site name, and /ts/* as the path.


Enter the DNS name of your certificate as the public name, and select the listener you created earlier.

Select the authentication delegation method NTLM authentication.

Allow All Authenticated Users.

The second rule: TS Gateway RPC virtual directory

To create the Web Publishing Rule, open the ISA firewall console, expand the array name and click the Firewall Policy node. Click the Tasks tab in the Task Pane and click Publish Web Sites.


Enter a name for the rule to publish the RPC virtual directory.

Select Publish a single Web site or load balancer, then Use SSL to connect to the published Web server or server farm.

Enter the DNS name of your certificate as the internal site name, and /rpc/* as the path.


Enter the DNS name of your certificate as the public name, and select the listener you created earlier.

Select the authentication delegation method No delegation, but client may authenticate directly. The RDP client's RPC-over-HTTPS connection authenticates itself to the TS Gateway with the user's Windows credentials, so ISA must let that pass through rather than attempt delegation on the client's behalf.

Allow All Authenticated Users. The rule still demands an authenticated user; the RDP client meets that with the pre-authentication token it received from the form logon rather than by filling in the form itself, which is what the require pre-authentication RDP setting enforces.

Make sure the Forward original host header option is ticked, so that the gateway sees the public name (TSGateway.company.com) that matches its certificate.