Configuring Terminal Services Gateway of Windows Server 2008 (Part 1)


Thomas Shinder

Microsoft security administrators have always been a little wary of publishing Terminal Servers to the Internet. The reason is that there has been no way to pre-authenticate connections or to use policy to determine which users can access the Terminal Server. The lack of pre-authentication is a serious problem. Without pre-authentication, anonymous users can use their anonymous connections to compromise the published Terminal Server. A compromised Terminal Server is a serious risk to your network, because the attacker then has access to the entire operating system and can launch further attacks from it.

In response to these difficulties, Windows Server 2008 provides a solution to this security problem: Terminal Services Gateway. With the Terminal Services Gateway you can pre-authenticate users and control which Terminal Servers they can access based on user and policy information. This gives you the fine-grained control you need to build a secure remote access RDP solution.

In this two-part series, we will learn how to build a working Terminal Services solution, using the lab network shown below. The arrows represent the direction of communication from the external RDP client to the Terminal Server.

Figure 1

Each server in this scenario is running Windows Server 2008 Enterprise Edition. In this example network, we are using a Windows Server 2008 NAT server as the Internet gateway. You can use any other simple NAT device, a packet-filtering router such as a PIX, or even an advanced firewall such as the Microsoft ISA Firewall. The key configuration requirement is to forward TCP port 443 connections to the Terminal Services Gateway computer.

The domain controller has DNS, DHCP, Certificate Services in Enterprise CA mode and WINS already installed.

The Terminal Server has only the base operating system installed. We will install other services throughout this series.

The TS Gateway has only the base operating system installed. We will also install other services on it.

This series will describe the processes and procedures that need to be taken to run a basic solution:

  1. Install Terminal Services and Terminal Services Licensing on the Terminal Server
  2. Terminal Services Licensing configuration
  3. Desktop Experience installation on Terminal Server (optional)
  4. Configure Terminal Services Licensing mode
  5. Install Terminal Services Gateway Service on Terminal Services Gateway
  6. Certificate request for Terminal Services Gateway
  7. Configure the Terminal Services Gateway to use the certificate
  8. Create Terminal Services Gateway RAP
  9. Create Terminal Services Gateway CAP
  10. Configure the RDP Client to be able to use the Terminal Services Gateway

Install Terminal Services and Terminal Services Licensing on the Terminal Server

The first step is to install Terminal Services on the Terminal Server computer.

Follow the steps below to install Terminal Services and Terminal Services Licensing:

1. On the Terminal Server computer, open Server Manager. In Server Manager, click the Roles button in the left pane of the console.

2. Click the Add Roles link in the right pane of the console

Figure 2

3. Click Next on the Before You Begin page

4. On the Before You Begin page, put a checkmark in the Terminal Services checkbox, and then click Next.

Figure 3

5. Click Next in the Terminal Services page

6. In the Select Role Services window, check the Terminal Server and TS Licensing checkboxes. Click Next.

Figure 4

7. Click Next in the Uninstall and Reinstall Application for Compatibility window

8. In the Specify Authentication Method for Terminal Server window, select Require Network Level Authentication. We can choose this option in our scenario because we are only using Vista SP1 clients to connect to the Terminal Server through the TS Gateway. We would not be able to use this option if we needed to support Windows XP SP2 clients. However, you can support Network Level Authentication with Windows XP SP3, but we have not confirmed this yet, so please check the release notes for Windows XP SP3. Click Next.

Figure 5

9. On the Specify Licensing Mode page, select the Configure later option. You can choose another option, but in this example we choose Configure later to show you where to configure the licensing mode in the Terminal Services console. Click Next.

Figure 6

10. On the Select User Groups Allowed Access To This Terminal Server page, use the default options. You can add or remove groups if you want finer access control on the Terminal Server itself. However, if all users have to go through the Terminal Services Gateway, you can control who connects to the Terminal Server using the TS Gateway policy settings. Leave the default settings and click Next.

Figure 7

11. On the Configure Discovery Scope for TS Licensing page, select the This domain option. We select this option in this scenario because we only have one domain. If you have a multi-domain forest, you can consider choosing the Forest option. Click Next.

Figure 8

12. On the Confirm Installation Selections page, note the warning indicating that you may need to reinstall applications already installed on this computer if you want them to work properly in the Terminal Services session environment. You should also note that IE Enhanced Security Configuration will be disabled. Click Install.

Figure 9

13. In the Installation Results window you will see a warning asking you to restart the server to complete the installation. Click Close.

Figure 10

14. Click Yes in the Add Roles Wizard dialog box that asks whether you want to restart the server.

15. Log in as an administrator. The installation will continue for a few minutes; the Installation Progress page appears after Server Manager starts.

16. Click Close on the Installation Results page after you see the Installation succeeded message.

Figure 11

17. You may see a message stating that Terminal Services licensing mode is not configured. You can dismiss this notification because we will now configure Terminal Services Licensing, and then configure the licensing mode on the Terminal Server.

Figure 12

Configure Terminal Services Licensing

Now we are ready to configure Terminal Services Licensing. The example uses dummy data that does not reflect the actual requirements for licensing Terminal Services client connections, but it shows how the process works. Do not follow the exact procedure shown here to license your Terminal Services clients, because you have to meet the real licensing requirements.

Follow the steps below to enable your Terminal Services Licensing Server:

1. From the Administrative Tools menu, click Terminal Services, and then click TS Licensing Manager.

2. In the TS Licensing Manager console, right-click the server name in the left pane of the interface. Click Activate Server.

Figure 13

3. Click Next on the Welcome to the Activate Server Wizard page.

4. On the Connection Method page, select the Connection (recommended) option, then click Next.

Figure 14

5. On the Company Information page, enter the company information and click Next.

Figure 15

6. Enter optional information if you prefer on the Company Information page, and then click Next.

Figure 16

7. On the Completing the Activate Server Wizard page, make sure the Start Install Licenses Wizard option is selected, then click Next.

Figure 17

8. Click Next on the Welcome to the Install Licenses Wizard page.

9. On the License Program page, click the down arrow on the License program list and select the license program you participate in. In this example we select Other agreement because this lab is not part of any license program. Click Next.

Figure 18

10. On the License Program page, enter the Agreement number. In this example we enter a simple number, 1234567. Click Next.

Figure 19

11. On the Product Version and License Type page, select the Product version, License type and Quantity that match the needs of your environment. In this lab setup we are using Windows Server 2008 Terminal Servers, so choose Windows Server 2008. Because we use user CALs in this example network, we select Windows Server 2008 TS Per User CAL. Enter 50 in the Quantity text box and click Next.

Figure 20

12. Click Finish on the Completing the Install Licenses Wizard page

Install Desktop Experience on Terminal Server (optional)

When Windows Vista clients connect to the Windows Server 2008 Terminal Server, they can have the same desktop experience as Vista in the Terminal Services session if you install the Desktop Experience option on the Terminal Server.

Follow the steps below to install the Desktop Experience Feature for Terminal Server:

1. On the Select Features page, check the Desktop Experience checkbox, and then click Next.

Figure 21

2. Click Install on the Confirm Installation Selections page

3. On the Installation Results page, read the warning that the server needs to be restarted to finish the installation.

4. Click Yes in the dialog box asking if you want to restart the computer now.

5. Log in as an administrator. The installation will continue and takes a few minutes, so be patient.

6. Click Close on the Installation Results page, which shows that the installation was successful.

Configure Terminal Services Licensing mode

We will finish configuring Terminal Services by setting up Terminal Services Licensing Mode. Follow the steps below to configure this mode:

1. From the Administrative Tools menu, click the Terminal Services item, and then click Terminal Services Configuration.

2. In the middle pane of the Terminal Services Configuration console, double-click Terminal Services Licensing mode.

Figure 22

3. In the Properties dialog box, select the Per User option for Specify the Terminal Services licensing mode. Select Automatically discover license server for Specify the license server discovery mode. Click OK.

Figure 23

4. Click the Licensing Diagnosis button in the left pane of the console. In the middle pane you will see detailed information about the licensing configuration for this Terminal Server.

Figure 24

5. Close the Terminal Services Configuration console.
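
The wizard choices made above (Network Level Authentication, the default access groups, and Per User licensing mode) can be read back from the Terminal Server to confirm they took effect. The following script is an added example, not part of the original article; it assumes Windows PowerShell is installed on the Terminal Server and an English-language group name, and the registry paths and WMI class it reads are standard Windows locations that the article itself does not mention.

```powershell
# Added example: reads back the settings chosen in the steps above.
# Run from an elevated Windows PowerShell prompt on the Terminal Server.
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue($path, $name) {
    # Returns the value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name } else { $null }
}

# Network Level Authentication (step 8 of the role installation): 1 = required.
# A value written by Group Policy takes precedence over the listener's own value.
$nlaLocal  = Get-RegValue $listenerKey 'UserAuthentication'
$nlaPolicy = Get-RegValue $policyKey 'UserAuthentication'
$nla = $(if ($nlaPolicy -ne $null) { $nlaPolicy } else { $nlaLocal })

# Licensing mode (final section): 2 = Per Device, 4 = Per User, 5 = Not configured.
$ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TerminalServiceSetting
$mode = $(switch ($ts.LicensingType) {
    2 { 'Per Device' }
    4 { 'Per User' }
    5 { 'Not configured' }
    default { "Other ($($ts.LicensingType))" }
})

# Accounts allowed to log on over RDP (step 10): local Remote Desktop Users group.
# The group name is the English one; localized installations use a different name.
$group = [ADSI]'WinNT://./Remote Desktop Users,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

"NLA required      : $($nla -eq 1) (local=$nlaLocal, policy=$nlaPolicy)"
"Licensing mode    : $mode"
"RDP logon members : $([string]::Join(', ', $members))"

if ($nla -ne 1) {
    Write-Warning 'NLA is not enforced: a session is created before the user authenticates.'
}
if ($ts.LicensingType -ne 4) {
    Write-Warning "Licensing mode is '$mode', not the Per User mode selected in this walkthrough."
}
```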

Conclusion

In Part 1 of this two-part series, I showed you how to install Terminal Services and Terminal Services Licensing on the Terminal Server, and then we configured Terminal Services Licensing, installed Desktop Experience on the Terminal Server and configured the licensing mode for the Terminal Server. Next, I will show you how to install and configure the Terminal Services Gateway and the RDP client. The series will then end by creating a connection from an external location.
