Configuring the Windows Server Terminal Services Gateway.docx
Configuring the Windows Server 2008 Terminal Services Gateway (Part 2)
How to install and configure the TS Gateway and the RDP client; making and testing the connection.
If you missed the first part in this article series, please read Configuring the Windows Server 2008 Terminal Services Gateway (Part 1).
In the first part of this article series, we did a basic installation of Terminal Services and Terminal Services licensing and configured the Terminal Server licensing mode. In this, part two of the article series, we will finish up by installing and configuring the TS Gateway and the RDP client. Then we will make the connection and see it work.
Install the Terminal Services Gateway Service on the Terminal Services Gateway
Now we will move our attention to the Terminal Services Gateway computer. This is the machine that external clients will initially connect to when making their Terminal Services client connections.
Perform the following steps to install the Terminal Services Gateway on the Terminal Services Gateway computer:
1. Open Server Manager on the Terminal Services Gateway computer. Click on the Roles node in the left pane of the console and then click the Add Role link in the right pane.
2. Click Next on the Before You Begin page.
3. On the Select Server Roles page, put a checkmark in the Terminal Services checkbox.
4. On the Terminal Services page, click Next.
5. On the Select Role Services page, put a checkmark in the TS Gateway checkbox. You will then see an Add Roles Wizard dialog box asking if you want to Add role services and features required for TS Gateway. Click the Add Required Role Services button.
Figure 1
6. Click Next on the Select Role Services page.
7. On the Choose a Server Authentication Certificate for SSL Encryption page, select the Choose a certificate for SSL encryption later option. We choose this option because we have not yet created a certificate for the TS Gateway to use for the SSL connection between itself and the RDP client. We will ask for this certificate later and then configure TS Gateway to use the certificate. Click Next.
Figure 2
8. On the Create Authorization Policies for TS Gateway page, select the Later option. We select this option because I want to take you into the TS Gateway console and show you how to configure authorization policies in the console. Click Next.
Figure 3
9. Click Next on the Network Policy and Access Services page.
10. On the Select Role Services page, confirm that the Network Policy Server checkbox is checked. Click Next.
Figure 4
11. On the Web Server (IIS) page, click Next.
12. On the Select Role Services page, accept the default role services selected by the wizard. These are the services required to run the TS Gateway service. Click Next.
Figure 5
13. Review the information on the Confirm Installation Selections page and click Install.
Figure 6
14. Click Close on the Installation Results page, which shows that the install succeeded.
Request a Certificate for the Terminal Services Gateway
Now we can request a certificate that the TS Gateway Web site can use to establish the SSL connection with the RDP client.
Perform the following steps to request the certificate for the TS Gateway computer:
1. From the Administrative Tools menu, click Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager console, click on the server name in the left pane of the console. Double-click the Server Certificates icon in the middle pane of the console.
Figure 7
3. In the right pane of the console, click the Create Domain Certificate link.
Figure 8
4. On the Distinguished Name Properties page, enter the information specified on this page. The most important entry is the Common name entry. The name you enter here must be the same name that the Terminal Services client is configured to use to contact the TS Gateway computer. This is also the name that your public DNS servers would be configured to provide the public address that allows access to the TS Gateway. In most cases, this will be a router or NAT device's external interface, or perhaps the external interface of an advanced firewall, such as the Microsoft ISA Firewall. Click Next.
Figure 9
5. On the Online Certification Authority page, click the Select button. In the Select Certification Authority dialog box, select the name of the Enterprise CA that you want to obtain the certificate from. Remember, we are able to obtain this domain certificate and automatically install it because we are using an Enterprise CA. If you were using a standalone CA, you would have to suffer from using the Web enrollment site, and that would only be after you created an offline request, and then you would have to manually install the computer certificate. Click OK after selecting the Enterprise CA.
Figure 10
6. Enter a Friendly name on the Online Certification Authority page. In this example we will give the certificate a friendly name of TSGCert. Click Finish.
Figure 11
7. After receiving the certificate, you will see certificate-related information in the middle pane of the console. If you double-click the certificate, you will see the Certificate dialog box, which shows you the common name in the Issued to field and the fact that You have a private key that corresponds to this certificate. This is crucial, since the certificate will not work if you do not have a private key. Click OK to close the Certificate dialog box.
Figure 12
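The two conditions stressed in steps 4 and 7, a common name that matches what clients connect to and a corresponding private key, can also be checked from PowerShell on the TS Gateway computer. This is an added example, not part of the original article; the function name is hypothetical, the gateway name is the article's example name, and the validity-date check is an extra assumption beyond what the steps describe.

```powershell
# Added example (not from the article): check the gateway certificate in the
# local computer store. Test-TsGatewayCertificate is a hypothetical helper name.
function Test-TsGatewayCertificate {
    param(
        # Assumption: the public name RDP clients use to reach the TS Gateway.
        [string]$GatewayName = 'tsg.msfirewall.org'
    )

    $now   = Get-Date
    $certs = @(Get-ChildItem Cert:\LocalMachine\My)

    # SimpleName returns the subject's common name (CN) when one is present.
    $matching = @($certs | Where-Object {
        $_.GetNameInfo('SimpleName', $false) -eq $GatewayName
    })

    if ($matching.Count -eq 0) {
        Write-Warning "No certificate in LocalMachine\My has common name '$GatewayName'."
        # List what is there so a mistyped common name is easy to spot.
        $certs | Select-Object Subject, FriendlyName, NotAfter
        return
    }

    foreach ($cert in $matching) {
        $problems = @()
        if (-not $cert.HasPrivateKey) {
            $problems += 'no private key (the gateway cannot use this certificate)'
        }
        if ($now -lt $cert.NotBefore) { $problems += 'not yet valid' }
        if ($now -gt $cert.NotAfter)  { $problems += 'expired' }

        New-Object PSObject -Property @{
            FriendlyName  = $cert.FriendlyName
            CommonName    = $cert.GetNameInfo('SimpleName', $false)
            Issuer        = $cert.GetNameInfo('SimpleName', $true)
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
            Usable        = ($problems.Count -eq 0)
            Problems      = ($problems -join '; ')
        }
    }
}

Test-TsGatewayCertificate | Format-List
```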
Configure Terminal Services Gateway to Use the Certificate
With the certificate now installed in the machine's computer certificate store, you can assign the TS Gateway to use this certificate.
Perform the following steps to configure the TS Gateway to use this certificate:
1. In the Administrative Tools console, click the Terminal Services entry and then click TS Gateway.
2. In the TS Gateway Manager, click the name of the TS Gateway computer in the left pane of the console. The middle pane provides useful information about configuration steps that need to be completed in order to finish the setup. Click the View or modify certificate properties link.
Figure 13
3. In the Properties dialog box for the TS Gateway, on the SSL Certificate tab, confirm that the Select an existing certificate for SSL encryption option is enabled and then click the Browse Certificates button. This brings up the Install Certificate dialog box. Click the certificate, which in this case is tsg.msfirewall.org, and then click the Install button.
Figure 14
4. The SSL Certificate tab now shows information about the certificate that the TS Gateway will use to establish SSL connections. Click OK.
Figure 15
5. The contents of the middle pane change, reflecting the fact that the certificate is now installed on the TS Gateway. However, we now see in the Configuration Status section that we need to create both a connection authorization policy and a resource authorization policy.
Figure 16
Create a Terminal Services Gateway CAP
A connection authorization policy (CAP) allows you to control who can connect to the Terminal Server through the Terminal Services Gateway.
Perform the following steps to create a connection authorization policy:
1. In the left pane of the console, click the Connection Authorization Policies node that lies under the Policies node. In the right pane of the console, click the arrow to the right of Create New Policy and then click Wizard.
Figure 17
2. On the Authorization Policies page, select the Create only a TS CAP option. Click Next.
Figure 18
3. On the Connection Authorization Policy page, enter a name for the CAP. In this example we will name the CAP General CAP. Click Next.
Figure 19
4. On the Requirements page, put a checkmark in the Password checkbox. If you plan on using Smart card authentication, then you would select the Smart card option. Now you need to configure what groups can access the Terminal Server through the TS Gateway. To do this, click the Add Group button. In the Select Groups dialog box, enter the name of the group you want to allow access and click Check Names. In this example, enter Domain Users and then click OK.
Figure 20
5. Notice on the Requirements page that you also have an option to create computer groups and allow access only to specified computers. We will not configure that option in this example. Click Next.
Figure 21
6. On the Device Redirection page, select the Enable device redirection for all client devices option. Note that if you want a higher security environment, you might consider selecting the Disable device redirection for the following client device types option and then selecting the Drives and Clipboard options. For even higher security, you might even select the Disable device redirection for all client devices except for smart cards option. Click Next.
Figure 22
7. On the Summary of TS CAP Settings page, read the results of your selections and then click Finish.
Figure 23
8. Click Close on the Confirm Policy Creation page.
Create a Terminal Services Gateway RAP
The next policy we need to create is a Resource Authorization Policy or RAP. RAPs are used to control which Terminal Servers can be accessed through the Terminal Services Gateway.
Perform the following steps to create the RAP:
1. Click on the Resource Authorization Policies node in the left pane of the TS Gateway Manager console. In the right pane of the console, click the arrow sitting to the right of the Create New Policy link and then click Wizard.
Figure 24
2. On the Authorization Policies page,