Configuring the Windows Server 2008 Terminal Services Gateway (Part 1)

ICT Trendy Co., Ltd

Prepared By: Kheuangkham Phothisan

Windows Server 2008 provides a solution to this security problem: Terminal Services Gateway. Using a Terminal Services Gateway, you can pre-authenticate users and control which Terminal Servers users can access based on credentials and policy. This gives you the fine grained control you need to ensure that you have a secure remote access RDP solution.

In this two part series on how to put together a working Terminal Services Gateway solution, we will use the lab network you see in the figure below. The arrows show the flow of communications from the external RDP client to the Terminal Server.

Figure 1

Each of the servers in this scenario is running Windows Server 2008 Enterprise Edition. In this example network, I am using the Windows Server 2008 NAT server as my Internet gateway. You could use any other simple NAT device or packet filtering router, like a PIX, or even an advanced firewall like the Microsoft ISA Firewall. The key configuration option here is that you forward TCP port 443 connections to the Terminal Services Gateway computer.

The Domain Controller has DNS, DHCP, Certificate Services in Enterprise CA mode, and WINS installed. The Terminal Server has only the base operating system installed. We will install other services during the course of this article series. The TS Gateway has only the base operating system installed. We will install other services during the course of this article series.

In this article series I will describe the following processes and procedures that you need to perform to get the basic solution running:

- Install Terminal Services and Terminal Services Licensing on the Terminal Server
- Configure Terminal Services Licensing
- Install Desktop Experience on the Terminal Server (optional)
- Configure the Terminal Services Licensing Mode
- Install the Terminal Services Gateway Service on the Terminal Services Gateway
- Request a Certificate for the Terminal Services Gateway
- Configure Terminal Services Gateway to Use the Certificate
- Create a Terminal Services Gateway RAP
- Create a Terminal Services Gateway CAP
- Configure the RDP Client to use the Terminal Services Gateway

Install Terminal Services and Terminal Services Licensing on the Terminal Server

The first step is to install Terminal Services on the Terminal Server computer. Perform the following steps to install Terminal Services and Terminal Services Licensing:

1. On the Terminal Server computer, open the Server Manager. In the Server Manager, click on the Roles node in the left pane of the console.
2. Click the Add Roles link in the right pane of the console.

Figure 2

3. Click Next on the Before You Begin page.
4. On the Select Server Roles page, put a checkmark in the Terminal Services checkbox. Click Next.

Figure 3

5. Click Next on the Terminal Services page.
6. On the Select Role Services page, put a checkmark in the Terminal Server and TS Licensing checkboxes. Click Next.

Figure 4

7. Click Next on the Uninstall and Reinstall Application for Compatibility page.
8. On the Specify Authentication Method for Terminal Server page, select the Require Network Level Authentication option. We can select this option in our current scenario because we are using only Vista SP1 clients to connect to the Terminal Server through the TS Gateway. We would not be able to use this option if we needed to support Windows XP SP2 clients. However, you should be able to support Network Level Authentication with Windows XP SP3. However, I have not yet confirmed this, so make sure to check the release notes on Windows XP SP3 when it is released later this year. Click Next.

Figure 5

9. On the Specify Licensing Mode page, select the Configure later option. We could select an option now, but I decided that we should select Configure later so that I can show you where in the Terminal Services console you configure the licensing mode. Click Next.

Figure 6

10. On the Select User Groups Allowed Access To This Terminal Server page, use the default options. You can add or remove groups if you want finer tuned access control over the Terminal Server. However, if all of your users will be going through the Terminal Services Gateway, then you can control who can connect to the Terminal Server using the TS Gateway policy settings. Leave the default settings as they are and click Next.

Figure 7

11. On the Configure Discovery Scope for TS Licensing page, select the This domain option. We select this option in this scenario because we only have a single domain. If you have a multidomain forest, you might consider selecting the The forest option. Click Next.

Figure 8

12. On the Confirm Installation Selections page, check the warning information indicating that you might have to reinstall applications that were already installed on this machine if you want them to work properly in a Terminal Services session environment. Also note that IE Enhanced Security Configuration will be turned off. Click Install.

Figure 9

13. On the Installation Results page, you will see a warning that you must restart the server to complete the installation. Click Close.

Figure 10

14. Click Yes in the Add Roles Wizard dialog box that asks if you want to restart the server.
15. Log on as Administrator. The installation will continue for a few minutes as the Installation Progress page appears after the Server Manager comes up.
16. Click Close on the Installation Results page after you see the Installation succeeded message.

Figure 11

17. You may see a balloon telling you that Terminal Services licensing mode is not configured. You can dismiss that warning, as we will next configure Terminal Services Licensing and then configure the licensing mode on the Terminal Server.

Figure 12

Configure Terminal Services Licensing

At this point we are ready to configure Terminal Services Licensing. In this example I will use some dummy data, which does not meet the actual requirements for licensing Terminal Services client connections, but it will provide an example of how the process works. Please do not use the same procedure that I show here to license your Terminal Services clients, because you will not be compliant with actual licensing requirements.

Perform the following steps to activate your Terminal Services Licensing Server:

1. From the Administrative Tools menu, click the Terminal Services menu and then click on TS Licensing Manager.
2. In the TS Licensing Manager console, right click the server name in the left pane of the console. Click on Activate Server.

Figure 13

3. Click Next on the Welcome to the Activate Server Wizard page.
4. On the Connection Method page, select the Automatic Connection (recommended) option. Click Next.

Figure 14

5. On the Company Information page, enter your company information and click Next.

Figure 15

6. Enter optional information if you like on the Company Information page. Click Next.

Figure 16

7. On the Completing the Activate Server Wizard page, make sure that the Start Install Licenses Wizard now option is checked. Click Next.

Figure 17

8. Click Next on the Welcome to the Install Licenses Wizard page.
9. On the License Program page, click the down arrow on the License program list and pick the license program that you participate in. In this example I will select Other agreement since this lab is not participating in any license program. Click Next.

Figure 18

10. On the License Program page, enter your Agreement number. In this example we’ll just enter 1234567. Click Next.

Figure 19

11. On the Product Version and License Type page, select the Product version, License type and Quantity that fits the needs of your environment. In this lab setup, we are using Windows Server 2008 Terminal Servers, so we will select Windows Server 2008. We will use per user CALs in this example network, so we will select Windows Server 2008 TS Per User CAL. And we will enter 50 in the Quantity text box. Click Next.

Figure 20

12. Click Finish on the Completing the Install Licenses Wizard page.

Install Desktop Experience on the Terminal Server (optional)

When Windows Vista clients connect to a Windows Server 2008 Terminal Server, they can have a Vista-like desktop experience in the Terminal Services session if you install the Desktop Experience option on the Terminal Server. Perform the following steps to install the Desktop Experience Feature to the Terminal Server:

1. On the Select Features page, put a checkmark in the Desktop Experience checkbox. Click Next.

Figure 21

2. Click Install on the Confirm Installation Selections page.
3. On the Installation Results page, read the warning information that you must restart the computer to finish the installation process. Click Close.
4. Click Yes in the dialog box asking if you want to restart now.
5. Log on as administrator. Installation will resume and take a few minutes, so be patient.
6. Click Close on the Installation Results page, which shows that the installation was successful.

Configure the Terminal Services Licensing Mode

We will now finish up with configuring the Terminal Server by setting the Terminal Services Licensing Mode. Perform the following steps to configure the Terminal Services Licensing Mode:

1. From the Administrative Tools menu, click the Terminal Services entry and then click Terminal Services Configuration.
2. In the middle pane of the Terminal Services Configuration console, double click Terminal Services Licensing mode.

Figure 22

3. In the Properties dialog box, select the Per User option for the Specify the Terminal Services licensing mode option. Select Automatically discover license server for the Specify the license server discovery mode option. Click OK.

Figure 23

4. Click the Licensing Diagnosis node in the left pane of the console. In the middle pane you will see details for the licensing configuration for this Terminal Server.

Figure 24

5. Close the Terminal Services Configuration console.
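The security-relevant choices made in the Add Roles wizard above (Require Network Level Authentication on the Specify Authentication Method page, and the groups left on the allowed-access page) can be confirmed from the command line once the server has restarted. The following PowerShell check is an added example, not part of the original article; it assumes PowerShell is installed on the Terminal Server (an optional feature on Windows Server 2008) and is run from an elevated session.

```powershell
# Added example: audit the RDP listener settings chosen in the Add Roles wizard.
# Run in an elevated PowerShell session on the Terminal Server.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-EffectiveValue([string]$Name) {
    # A Group Policy value, when present, takes precedence over the listener's own value.
    foreach ($key in @($policy, $listener)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($item -ne $null) { return $item.$Name }
    }
    return $null
}

function Format-Setting([hashtable]$Names, $Value) {
    # Show the raw registry value next to its meaning.
    if ($Value -eq $null) { return 'not set' }
    if ($Names.ContainsKey([int]$Value)) { return "$Value ($($Names[[int]$Value]))" }
    return "$Value (unrecognized)"
}

$layers = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$levels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

$nla   = Get-EffectiveValue 'UserAuthentication'
$layer = Get-EffectiveValue 'SecurityLayer'
$level = Get-EffectiveValue 'MinEncryptionLevel'

"Security layer:   " + (Format-Setting $layers $layer)
"Encryption level: " + (Format-Setting $levels $level)

if ($nla -eq 1) {
    'PASS: Network Level Authentication is required (UserAuthentication = 1).'
} else {
    "FAIL: Network Level Authentication is not required (UserAuthentication = $nla)."
}
if ($layer -eq 0) {
    'WARN: RDP Security Layer does not authenticate the server to the client.'
}

# Accounts allowed to log on through Terminal Services; the wizard's user groups
# page adds its selections to this local group.
& net.exe localgroup 'Remote Desktop Users'
```

A FAIL here after selecting Require Network Level Authentication in the wizard usually means a Group Policy setting is overriding the local choice, which is why the policy key is read first.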