Terminal Server Gateway deployment best practice

  • Albertwt
    started a topic Terminal Server Gateway deployment best practice


    Hi All,

    I'm about to publish certain servers available through port 443 (SSL) only, therefore I need to use the Windows Server 2008 Std. x64 TSG service, but in this case what is the best practice for deploying this infrastructure?

    Do I need to join the TSG into the domain?
    Do I need to open LDAP port 389 from the DMZ into my local network --> security hole?

    See the attached diagram.

    Any help and suggestion would be greatly appreciated.

    Thanks.
    Last edited by Albertwt; 26th August 2009, 12:10.

  • Albertwt
    replied
    Re: Terminal Server Gateway deployment best practice

    Hi Virtual,

    Finally, I was able to access the webserver that I want from the internet using Terminal Server Gateway.

    Here's what I did:

    On the Terminal Server Gateway (open ports 53, 88, 389, 135, 139, 3389; after that, open only port 443 to the outside and to the webserver):
    1. Join the TSG server to the domain.
    2. Go through the steps in http://www.youtube.com/watch?v=x_0oeiCTTfU
    3. TS_CAP_01 settings:
       Requirement tab:
          select password for the authentication
          add the BUILTIN\Administrators group
       Device Redirection tab:
          enable device redirection for all devices
    4. TS_RAP_01 settings:
       User groups tab:
          use the same members as in the previous CAP_01 setting
       Computer group tab:
          select "Allow users to connect to any network resource" --> because of this I can now securely RDP to the webserver.
       Allowed ports tab:
          select "Allow connection through any port" --> and this one as well.
    5. Export the certificate as (whatever).cer; this must then be imported into the Trusted Root CA store on the client workstation.

    On the DMZ webserver (open only port 443 after going through these steps):
    1. Join the webserver to the domain.
    2. Go to System Properties | Remote tab and click on "Allow connections from computers running...".
    3. Click on the Remote Users button and add the same user as in the previous TSG group (steps 3 and 4).


    On the client:

    1. Import the certificate from TSG.domain.com into the Trusted Root CA location (click on Browse and select the folder).
    2. Run mstsc (the Remote Desktop application).
    3. General tab:
          Computer: (webserver IP address) --> because no DNS is available.
          Username: Webserver\Administrator
       Advanced tab:
          select "Connect and don't warn me".
          click on Settings:
             select "Use these TS Gateway server settings":
                Server name: TSG.domain.com
                Login method: NTLM
             click on OK
       Then connect by supplying the local admin password.

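The mstsc choices in the "on the client" step above can be written as a .rdp profile and audited. This is an added example, not code from the post or from Microsoft: it builds the profile with the standard Remote Desktop Connection keys, parses it back, and flags the weak choice ("Connect and don't warn me") that a self-signed gateway certificate pushes the client into. The web server address 10.0.0.10 and the finding texts are constructed for the example.

```python
"""Build, parse and audit a client .rdp profile for a TS Gateway connection."""

# Constructed placeholders standing in for the post's webserver IP and TSG name.
WEBSERVER_ADDR = "10.0.0.10"       # assumption: DMZ web server address
GATEWAY_FQDN = "TSG.domain.com"    # gateway name used in the thread

# "authentication level" values as Remote Desktop Connection defines them.
AUTH_CONNECT_NO_WARN = 0   # "Connect and don't warn me" (what the post selects)
AUTH_DO_NOT_CONNECT = 1    # "Do not connect if authentication fails"
AUTH_WARN = 2              # "Warn me"


def build_rdp_profile(auth_level=AUTH_CONNECT_NO_WARN):
    """Return the .rdp text equivalent of the General/Advanced tab choices."""
    lines = [
        f"full address:s:{WEBSERVER_ADDR}",     # General: computer (IP, no DNS)
        "username:s:Webserver\\Administrator",   # General: local admin account
        f"authentication level:i:{auth_level}",  # Advanced: server auth handling
        "gatewayprofileusagemethod:i:1",         # "Use these TS Gateway settings"
        f"gatewayhostname:s:{GATEWAY_FQDN}",     # Server name
        "gatewayusagemethod:i:1",                # always route via the gateway
        "gatewaycredentialssource:i:0",          # Login method: NTLM (password)
    ]
    return "\r\n".join(lines) + "\r\n"


def parse_rdp(text):
    """Parse 'key:type:value' lines into a dict; 'i' values become ints."""
    settings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, kind, value = line.split(":", 2)
        settings[key] = int(value) if kind == "i" else value
    return settings


def audit_rdp(settings):
    """Return the findings a defender would raise about this profile."""
    findings = []
    if settings.get("authentication level") == AUTH_CONNECT_NO_WARN:
        findings.append("server certificate errors are ignored (authentication level 0)")
    if settings.get("gatewayusagemethod") != 1:
        findings.append("connection may bypass the TS Gateway")
    return findings


if __name__ == "__main__":
    print(audit_rdp(parse_rdp(build_rdp_profile())))
```

Once the gateway certificate is trusted on the client (a 3rd-party certificate, or the exported .cer imported as in step 5), the profile can be regenerated with `AUTH_DO_NOT_CONNECT` and the audit comes back clean.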


  • Virtual
    replied
    Re: Terminal Server Gateway deployment best practice

    So you want the consultant to use TS Web Access to remote into the server. Have you tested remoting into the web server using MSTSC from your own machine when outside?

    With regard to the RDP connection process, have a look at the Event Viewer and check that the SSL certificates match and so on.



  • Albertwt
    replied
    Re: Terminal Server Gateway deployment best practice

    Hi Virtual, thanks for replying to my topic. I'm now stuck and ready to redeploy the server again from scratch.

    This is the picture of what I'm doing now:

    http://img91.imageshack.us/img91/8642/tsg.jpg

    At the moment I'm inside the local network and would like to publish the Web Server 2008, which is also located in the DMZ. Is it correct that I should:

    1. publish TSG.domain.com to the world using port 443
    2. create a self-signed certificate from TSG.domain.com and then give that to the client
    3. set up the TS CAP and TS RAP
    4. the client installs the SSL cert into the Trusted Root CA store
    5. the client accesses remote desktop to TSG.domain.com
    6. once the client has logged in, he/she must remote desktop again into the webserver

    This web server will be managed by a consultant overseas for the web content and some programming stuff and it is not published to the internet.

    Up to this point, in TS Web Access, the consultant can login to the website https://tsg.domain.com/ts/en-US/default.aspx and click on the RDP icon but somehow he got timed out during the RDP connection process.



  • Virtual
    replied
    Re: Terminal Server Gateway deployment best practice

    Do you still have the same issue? I take it you can now connect ok after first connecting to the Terminal Server Gateway?



  • Albertwt
    replied
    Re: Terminal Server Gateway deployment best practice

    Yes, I have created a self-signed certificate named TSG.domain.com and this is the one that I shall distribute to the client as the Trusted Root CA.

    But the strange thing is that I couldn't connect directly to the web server box.

    Thanks for your patience.



  • Virtual
    replied
    Re: Terminal Server Gateway deployment best practice

    This is worth reviewing. Have you set up a CAP and RAP policy?

    http://www.windowsecurity.com/articl...way-Part2.html

    I believe you should be able to RDP straight into the web server, providing you configure the client's RDP settings and the CAP and RAP policy has been set up.



  • Albertwt
    replied
    Re: Terminal Server Gateway deployment best practice

    OK, so now I'm able to remote desktop into the TSG from my laptop.

    My ultimate goal is to be able to access a web server in the same DMZ, so does this mean I need to double connect to the TSG server and then remote desktop again into the Web Server?

    Thanks for the help.



  • Virtual
    replied
    Re: Terminal Server Gateway deployment best practice

    Originally posted by Albertwt:
       Hi Virtual,

       Does this mean that I can just publish the Windows Server 2008 Web Edition to the internet and then, through the TSG on Windows Server 2008 that I am building now, NAP can be used like in the second link that you gave me?

       cmiiw.

       Thanks for the help.

    You can set up using the second link I gave you. However, publishing websites to the internet will not use NAP. You can perhaps use NAP to monitor the health of the web server, but it won't examine the health of clients connecting to those websites from outside.

    The second linked scenario will allow you to use NAP for clients remoting in via the TS Gateway Server, so if you allowed them to connect to the web server as a resource through that, they would be checked for health compliance. That will be for Vista and Windows 2008 server clients in this particular scenario and not XP SP3 ones.
    Last edited by Virtual; 31st August 2009, 16:20.



  • Albertwt
    replied
    Re: Terminal Server Gateway deployment best practice

    Originally posted by Virtual:
       Sorry for just coming back. You would be best to get a certificate from a 3rd party and use that on the Terminal Server Gateway. You are best to place that server in the screened subnet.

       Please review this.

       http://technet.microsoft.com/en-us/l...52(WS.10).aspx

       I would recommend setting yours up using this method.

       http://technet.microsoft.com/en-us/l...72(WS.10).aspx

       Just a note regarding NAP with a TS Gateway Server: I believe it applies to Vista and Windows 2008 servers only.

    Hi Virtual,

    Does this mean that I can just publish the Windows Server 2008 Web Edition to the internet and then, through the TSG on Windows Server 2008 that I am building now, NAP can be used like in the second link that you gave me?

    cmiiw.

    Thanks for the help.



  • Albertwt
    replied
    Re: Terminal Server Gateway deployment best practice

    Yes, this is what I'd like to see and use.

    Thanks for the help, man!



  • Virtual
    replied
    Re: Terminal Server Gateway deployment best practice

    Originally posted by Albertwt:
       Ah yes,

       I also see there is an ADDS service in the TS Gateway; is that the same as ADAM?

    ADDS is full-blown AD. I wouldn't recommend the first scenario I have posted. AD LDS is ADAM.



  • Albertwt
    replied
    Re: Terminal Server Gateway deployment best practice

    Ah yes,

    I also see there is an ADDS service in the TS Gateway; is that the same as ADAM?



  • Virtual
    replied
    Re: Terminal Server Gateway deployment best practice

    Sorry for just coming back. You would be best to get a certificate from a 3rd party and use that on the Terminal Server Gateway. You are best to place that server in the screened subnet.

    Please review this.

    http://technet.microsoft.com/en-us/l...52(WS.10).aspx

    I would recommend setting yours up using this method.

    http://technet.microsoft.com/en-us/l...72(WS.10).aspx

    Just a note regarding NAP with a TS Gateway Server: I believe it applies to Vista and Windows 2008 servers only.
    Last edited by Virtual; 28th August 2009, 13:08.



  • Virtual
    replied
    Re: Terminal Server Gateway deployment best practice

    Originally posted by Albertwt:
       Hi Virtual,

       Thanks for replying to my thread. Please have a look at the diagram of what I'd like to achieve: the red dotted box is the DMZ and I just want the remote user to be able to access the Webserver and the Application server only. Is that possible using TSG with a self-made CA?

    I believe you can use your own CA. It's just that you will have to import the certificate locally into users' machines to prevent a security error. If I were you, I would purchase a 3rd-party certificate. This is worth reviewing.

    http://technet.microsoft.com/en-us/l...64(WS.10).aspx

    Go Daddy has some good prices. They are not as expensive as you may think.

    With regard to your setup, I need to do some further research unless someone responds whilst I do. I haven't put the TS Gateway in a screened subnet before.
