Terminal Server Gateway deployment best practice
  • Terminal Server Gateway deployment best practice

    Hi All,

    I'm about to publish certain servers through port 443 (SSL) only, therefore I need to use the Windows Server 2008 Std. x64 TSG service, but in this case what is the best practice for deploying this infrastructure?

    Do I need to join the TSG into the domain?
    Should I open LDAP port 389 from the DMZ into my local network --> security hole?

    See the attached diagram.

    Any help and suggestion would be greatly appreciated.

    Thanks.
    Last edited by Albertwt; 26th August 2009, 12:10.

  • #2
    Re: Terminal Server Gateway deployment best practice

    Personally, I would look into implementing a NAP/TS Gateway deployment. This will allow the computers of people remoting in to receive a health check. You can then make use of connection and resource authorisation policies on the server with the TS Gateway role. AFAIK, you join it to the domain and then just ensure the registered external domain name is redirected by your firewall to the TS Gateway.



    • #3
      Re: Terminal Server Gateway deployment best practice

      Hi Virtual,

      Thanks for replying to my thread. Please have a look at the diagram of what I'd like to achieve: the red dotted box is the DMZ, and I just want the remote user to be able to access the Webserver and the Application server only. Is that possible using TSG with a self-made CA?



      • #4
        Re: Terminal Server Gateway deployment best practice

        Originally posted by Albertwt:
        Hi Virtual,

        Thanks for replying to my thread. Please have a look at the diagram of what I'd like to achieve: the red dotted box is the DMZ, and I just want the remote user to be able to access the Webserver and the Application server only. Is that possible using TSG with a self-made CA?
        I believe you can use your own CA. It's just that you will have to import the certificate locally into users' machines to prevent a security error. If I were you, I would purchase a 3rd party certificate. This is worth reviewing.

        http://technet.microsoft.com/en-us/l...64(WS.10).aspx

        Go Daddy has some good prices. They are not as expensive as you may think.

        With regards to your setup, I need to do some further research unless someone responds whilst I do. I haven't put the TS Gateway in a screened subnet before.



        • #5
          Re: Terminal Server Gateway deployment best practice

          Sorry for only just coming back. You will be best to get a certificate from a 3rd party and use that on the Terminal Server Gateway. You are best to place that server in the screened subnet.

          Please review this.

          http://technet.microsoft.com/en-us/l...52(WS.10).aspx

          I would recommend setting yours up using this method.

          http://technet.microsoft.com/en-us/l...72(WS.10).aspx

          Just a note regarding NAP with a TS Gateway Server, I believe it applies to Vista and Windows 2008 servers only.
          Last edited by Virtual; 28th August 2009, 13:08.



          • #6
            Re: Terminal Server Gateway deployment best practice

            Ah yes,

            I also see there is an ADDS service in the TS Gateway; is that the same as ADAM?



            • #7
              Re: Terminal Server Gateway deployment best practice

              Originally posted by Albertwt:
              Ah yes,

              I also see there is an ADDS service in the TS Gateway; is that the same as ADAM?
              ADDS is full-blown AD. I wouldn't recommend the first scenario I posted. AD LDS is ADAM.



              • #8
                Re: Terminal Server Gateway deployment best practice

                Yes, this is what I'd like to see and use.

                Thanks for the help, man!



                • #9
                  Re: Terminal Server Gateway deployment best practice

                  Originally posted by Virtual:
                  Sorry for only just coming back. You will be best to get a certificate from a 3rd party and use that on the Terminal Server Gateway. You are best to place that server in the screened subnet.

                  Please review this.

                  http://technet.microsoft.com/en-us/l...52(WS.10).aspx

                  I would recommend setting yours up using this method.

                  http://technet.microsoft.com/en-us/l...72(WS.10).aspx

                  Just a note regarding NAP with a TS Gateway Server, I believe it applies to Vista and Windows 2008 servers only.

                  Hi Virtual,

                  Does this mean that I can just publish the Windows Server 2008 Web Edition to the internet and then, through the TSG on Windows Server 2008 that I am building now, NAP can be used like in the second link that you gave me?

                  CMIIW.

                  Thanks for the help.



                  • #10
                    Re: Terminal Server Gateway deployment best practice

                    Originally posted by Albertwt:
                    Hi Virtual,

                    Does this mean that I can just publish the Windows Server 2008 Web Edition to the internet and then, through the TSG on Windows Server 2008 that I am building now, NAP can be used like in the second link that you gave me?

                    CMIIW.

                    Thanks for the help.
                    You can set up using the second link I gave you. However, publishing websites to the internet will not use NAP. You can perhaps use NAP to monitor the health of the web server, but it won't examine the health of clients connecting to those websites from outside.

                    The second linked scenario will allow you to use NAP for clients remoting in via the TS Gateway Server, so if you allowed them to connect to the web server as a resource through that, they would be checked for Health compliance. That will be for Vista and Windows 2008 server clients in this particular scenario and not XP SP3 ones.
                    Last edited by Virtual; 31st August 2009, 16:20.



                    • #11
                      Re: Terminal Server Gateway deployment best practice

                      OK, so now I'm able to remote desktop into the TSG from my laptop.

                      My ultimate goal is to be able to access a web server in the same DMZ, so does this mean I need to connect twice: to the TSG server, and then remote desktop again into the Web Server?

                      Thanks for the help.



                      • #12
                        Re: Terminal Server Gateway deployment best practice

                        This is worth reviewing. Have you set up CAP and RAP policies?

                        http://www.windowsecurity.com/articl...way-Part2.html

                        I believe you should be able to RDP straight into the web server, providing you configure the client's RDP settings and the CAP and RAP policies have been set up.



                        • #13
                          Re: Terminal Server Gateway deployment best practice

                          Yes, I have created a self-signed certificate named TSG.domain.com, and this is the one that I shall distribute to the clients as the Trusted Root CA.

                          But the strange thing is that I couldn't connect directly to the web server box.

                          Thanks for your patience.



                          • #14
                            Re: Terminal Server Gateway deployment best practice

                            Do you still have the same issue? I take it you can now connect ok after first connecting to the Terminal Server Gateway?



                            • #15
                              Re: Terminal Server Gateway deployment best practice

                              Hi Virtual, thanks for replying to my topic. I'm now stuck and ready to redeploy the server again from scratch.

                              This is the picture of what I'm doing now,

                              http://img91.imageshack.us/img91/8642/tsg.jpg

                              At the moment I'm inside the local network and would like to publish the Web Server 2008, which is located in the same DMZ. Is it correct that I should:

                              1. publish TSG.domain.com to the world using port 443
                              2. create a self-signed certificate for TSG.domain.com and then give that to the client
                              3. set up the TS CAP and TS RAP
                              4. have the client install the SSL cert under Trusted Root CAs
                              5. have the client remote desktop to TSG.domain.com
                              6. once the client has logged in, he/she must remote desktop again into the webserver

                              This web server will be managed by a consultant overseas for the web content and some programming stuff and it is not published to the internet.

                              Up to this point, in TS Web Access, the consultant can login to the website https://tsg.domain.com/ts/en-US/default.aspx and click on the RDP icon but somehow he got timed out during the RDP connection process.

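Steps 2 and 4 of the list above, and the self-made CA question earlier in the thread, come down to one thing: a self-signed gateway certificate is only accepted by clients that have that exact certificate in their trusted roots, and its name must match the FQDN the client types. The following POSIX shell script with OpenSSL is an added example, not from the thread or from Microsoft; it assumes the gateway name tsg.domain.com used in the posts and an OpenSSL build that supports `-addext`.

```shell
#!/bin/sh
# Added example: a self-signed gateway certificate is trusted only by clients
# that have imported it as a trusted root, and only for the name it carries.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GW_FQDN="tsg.domain.com"          # assumed: the published gateway name from the thread

# Issue a self-signed certificate (stands in for the "self made CA" of the thread).
make_cert() {                     # $1 = output basename, $2 = CN / DNS name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# Returns 0 if the gateway certificate chains to the trust store in $1.
client_trusts() {
  openssl verify -CAfile "$1" "$WORK/tsg.crt" >/dev/null 2>&1
}

# Returns 0 if the name the client connects to ($1) matches the gateway certificate.
name_matches() {
  openssl x509 -in "$WORK/tsg.crt" -noout -checkhost "$1" | grep -q " does match "
}

make_cert tsg "$GW_FQDN"          # the gateway's own certificate
make_cert other "other-ca.example" # unrelated root: a client that never imported tsg.crt

# A client whose trusted roots lack tsg.crt rejects it: this is the "security error".
if client_trusts "$WORK/other.crt"; then echo "unexpected: trusted"; exit 1; fi
echo "client without tsg.crt imported: NOT trusted (expected)"
# After step 4 (tsg.crt imported as a trusted root) the same certificate verifies.
client_trusts "$WORK/tsg.crt" && echo "client with tsg.crt imported: trusted"
# The client must also connect using the exact name on the certificate.
name_matches "$GW_FQDN" && echo "name $GW_FQDN matches the certificate"
if name_matches "www.domain.com"; then exit 1; fi
echo "name www.domain.com does not match (client would still warn)"
```

Connecting to the gateway by IP address or a different alias fails the last check even with the certificate imported, which is one common cause of the errors described in the thread.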