
Question regarding TS Gateway 2008


  • Question regarding TS Gateway 2008

    Hi,

    I have a small lab environment to test TS Gateway as per our network environment. While testing I came across a few questions, and I was wondering if someone can help me answer them.

    1. During setup of a RAP, under Computer Group, when you select Create a new group, is there a way to edit a group which you have already made?
    Because if I have a group for DB servers and later on we add a new server in our DB zone, it seems that we have to make a new computer group on the TS Gateway, as I don't see an option to edit an already made group and add one more server. If it's possible, then do let me know.


    2. Also, for the New TS Gateway-Managed Computer Group under Network resources, does it have subnet mask support for network resources? Rather than adding hundreds of servers one by one, can I add a whole subnet?




    3. Does it support remote access clients like iPhone, BlackBerry, etc.?


    4. About NAP (Network Access Protection): under Windows Security Health Validator it has tabs only for Windows XP and Windows Vista. Does it support Windows 7 also? And what about Mac users? If these two OSes are supported, then how do we set up their Health Validator using Network Policy Server?
    5. Also under NAP, when you enable the Virus Protection check box, which antivirus products are supported? As in, for an SSL VPN it supports most of the 3rd-party commercial and freeware antivirus. Are all of those included under Windows Security Health Validator by default?






    I am sorry it ended up being a big post, and I am sorry if this was not the right place or the right way to ask questions, but any kind of help or information would be really appreciated.

    Thank you,
    Ruban.
    Last edited by Ruban; 4th February 2010, 02:26.

  • #2
    Re: Question regarding TS Gateway 2008

    1. + 2 RAP:

    "Important
    Users are granted access to a TS Gateway server if they meet the conditions specified in the TS CAP. You must also create a Terminal Services resource authorization policy (TS RAP). A TS RAP allows you to specify the internal network resources that users can connect to through TS Gateway. Until you create both a TS CAP and a TS RAP, users cannot connect to internal network resources through this TS Gateway server.

    TS RAPs
    TS RAPs allow you to specify the internal corporate network resources that remote users can connect to through a TS Gateway server. When you create a TS RAP, you can create a computer group (a list of computers on the internal network to which you want the remote users to connect) and associate it with the TS RAP.

    Remote users connecting to an internal network through a TS Gateway server are granted access to computers on the network if they meet the conditions specified in at least one TS CAP and one TS RAP.

    Note
    When you associate a TS Gateway-managed computer group with a TS RAP, you can support both fully qualified domain names (FQDNs) and NetBIOS names by adding both names to the TS Gateway-managed computer group separately. When you associate an Active Directory security group with a TS RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the TS Gateway server. If the internal network computer belongs to a different domain than the TS Gateway server, users must specify the FQDN of the internal network computer.

    Together, TS CAPs and TS RAPs provide two different levels of authorization to provide you with the ability to configure a more specific level of access control to computers on an internal network.

    Security groups and TS Gateway-managed computer groups associated with TS RAPs
    Remote users can connect through TS Gateway to internal network resources in a security group or a TS Gateway-managed computer group. The group can be any one of the following:

    Members of an existing security group. The security group can exist in Local Users and Groups on the TS Gateway server, or it can exist in Active Directory Domain Services.

    Members of an existing TS Gateway-managed computer group or a new TS Gateway-managed computer group. You can configure a TS Gateway–managed computer group by using TS Gateway Manager after installation.
    A TS Gateway-managed computer group will not appear in Local Users and Groups on the TS Gateway server, nor can it be configured by using Local Users and Groups.
    When you add an internal network computer to the list of TS Gateway-managed computers, keep in mind that if you want to allow remote users to connect to the computer by specifying either its computer name or its IP address, you must add the computer to the computer group twice (by specifying the computer name of the computer and adding it to the computer group and then specifying the IP address of the computer and adding it to the computer group again). If you specify only an IP address for a computer when you add it to a computer group, users must also specify the IP address of that computer when they connect to that computer through TS Gateway.
    Important
    To ensure that remote users connect to the internal corporate network computers that you intend, we recommend that you do not specify IP addresses for the computers, if the computers are not configured to use static IP addresses. For example, you should not specify IP addresses if your organization uses DHCP to dynamically reconfigure IP addresses for the computers.

    Any network resource. In this case, users can connect to any computer on the internal network that they could connect to when they use Remote Desktop Connection.

    To ensure that the appropriate users have access to the appropriate network resources, plan and create security groups and TS Gateway-managed computer groups carefully. Evaluate the users who should have access to each group, and then associate the groups with TS RAPs to grant users access as needed."

    http://technet.microsoft.com/en-us/l...64(WS.10).aspx

    3. Well, I don't think that MS planned the TS to be used by third-party OSes. However, you can block access to the farm from non-MS OSes.

    4. NAP:

    "Computers running Windows Server 2008 cannot be used as NAP clients when TS Gateway enforces NAP. Only computers running Windows XP with SP3 and Windows Vista can be used as NAP clients when TS Gateway enforces NAP"

    http://technet.microsoft.com/en-us/l...64(WS.10).aspx

    http://blogs.technet.com/nap/

    So, I guess that the answer should be: Move to Windows 2008 R2.

    5. A list of supported vendors:

    http://www.microsoft.com/windowsserv...-partners.aspx

    http://www.windowsnetworking.com/art...ion-Part5.html
    Last edited by yuval14; 4th February 2010, 08:21.
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14
