High Quality
Open the downloaded document, and select print from the file menu (PDF reader required).
V1.2
Enhance TS Gateway Security with ISAServer 2006 + RSA Security
Following the steps in this document will enable you to configure TS Gateway WebAccess with RSA SecurID and will prevent users from bypassing two-factorauthentication by launching MSTSC.exe.
Installing and configuring TS Gateway
Add required roles to your server:
o
Terminal Server
o
Select Terminal Services
o
TS Web Access
On the
Choose a Server Authentication Certificate for SSL Encryption
page,select the
Choose an existing certificate for SSL encryption
option. Importyour third party SSL certificate (TSGateway.company.com) in PFX format.
On the
Create Authorization Policies for TS Gateway
page, select the
Later
option. I will show you how to configure authorization policies in the console.Click
Next
.
Click
Next
on the
Network Policy and Access Services
page.
On the
Select Role Services
page, confirm that the
Network Policy Server
checkbox is checked. Click
Next
.
On the
Web Server (IIS)
page, click
Next
.
On the
Select Role Services
page, accept the default role services selected bythe wizard. These are the services required to run the TS Gateway service. Click
Next
.
Review the information on the
Confirm Installation Selections
page and click
Install
.
Create a connection authorization policy (CAP):
Open TS Gateway Manager
In the left pane of the console, click the
Connection Authorization Policies
node that lies under the
Policies
node. In the right pane of the console, click thearrow to the right of
Create New Policy
and then click
Custom
.
On the General tab, type a name for the policy, and then verify that the Enablethis policy check box is selected.
On the Requirements tab, under Supported Windows authentication methods,select the following check box: Password
Under User group membership (required), click Add Group, and then specify auser group whose members can connect to the TS Gateway server.
Create a resource authorization policy (RAP):
Click on the
Resource Authorization Policies
node in the left pane of the
TSGateway Manager
console. In the right pane of the console, click the arrowsitting to the right of the
Create New Policy
link and then click
Custom
.
On the General tab, type a name for the policy, and then verify that the Enablethis policy check box is selected
On the User Groups tab, click Add to select the user groups to which you wantthis TS RAP to apply.
In the Select Groups dialog box, specify the user group location and name, andthen click OK.
On the
Computer Group
tab, specify the computer group that users can connectto through TS Gateway
Allow clients to connect through any port, click Allow connections through anyport.
Click OK to close the Properties dialog box for the TS RAP.
SSL Bridging
HTTPS-HTTPS bridging
. In this configuration, the TS Gateway client initiates an SSL(HTTPS) request to the SSL bridging device. The SSL bridging device initiates a newHTTPS request to the TS Gateway server, for maximum security.
HTTPS-HTTP bridging
. In this configuration, the TS Gateway client initiates an SSL(HTTPS) request to the SSL bridging device. The SSL bridging device initiates a newHTTP request to the TS Gateway server.
HTTPS-HTTP bridging on the TS Gateway server
Open TS Gateway Manager.
In the TS Gateway Manager console tree, right-click the local TS Gateway server,and then click Properties.
On the SSL Bridging tab, Make sure the Use HTTPS-HTTP bridging check box isUn-ticked, and then click OK.
Configuring RemoteApps for TS Web Access
To configure applications such that they can be launched from the WindowsServer 2008 TS Web Access page they must first be installed onto the TSGateway server.
Applications are configured as RemoteApps using the TS RemoteApp ManagerStart -> All Programs -> Terminal Services -> TS Remote App Manager
Begin by clicking on the Add RemoteApp Programs link in the Actions panellocated in the top right hand corner of the TS RemoteApp Manager screen. Thiswill display the RemoteApp wizard containing a list of currently installedapplications. One or more applications may be selected from the list beforepressing the
Next
button:
Add a Comment