Share via

Terminal Services Gateway and Terminal Services Web Access using Hyper-V (Part 3)

  • Article

Part three of my weekend project involves a little more reconfiguration of my ISA 2006 Server to allow TS Web access the Terminal Services virtual machine running under Hyper-V beta. There are two rules I need to create on the ISA server to achieve this, using a very similar process to the rules I blogged about a couple of years when publishing Exchange through ISA. Essentially I’m going to configure one rule to bounce users to a Forms Based Authentication (FBA) subnet listener where user authentication is made, and another rule to forwards authenticated user traffic from the FBA subnet to the Terminal Server machine itself.  

(Yes, I realize I’m probably using all the wrong terminology here, and some ISA guru is bound to correct me!)

This is what the rules like in the ISA 2006 management console.

ISAConfig2

I won’t go into all the details of how this is configured in detail – please refer back to previous blog posts and blogcasts where there is a lot of detailed information. Just replace “Exchange” with “TS” and you’re largely there. A few points to note though:

  • On the “Paths” tab of the rule forwarding from the Internet to the FBA ensure there is a mapping of External Path “<same as internal>” to Internal Path “/ts/*”
  • On the “Paths” tab of the rule forwarding from the FBA to the TS Gateway to ensure there is a mapping of External Path “<same as internal>” to Internal Path “/ts/*”
  • On the Authentication Delegation tab of the rule forwarding from the FBA to the TS Gateway, select “Negotiate (Kerberos/NTLM)” with an SPN of “http/<internal dns name of the TS gateway>”

The above allows me to go to an external path of https://externaldomainname.com/ts to access Terminal Server Web. However, before that, you also need to allow Windows Authentication in IIS on the Terminal Services virtual machine. To do this, start Internet Information Services (IIS) Manager, click on the local machine and choose the authentication option. Right click on Windows Authentication, and enable it.

web1

So with that all done, let’s give it a go. Start up your browser and point it to https://externaldomainname/ts. With a bit of customization I’ve made to the front end Forms Based Authentication screens you see below, you get a logon dialog. Here, I’m going to authenticate as myself.

web2

Currently, there are no remote applications, so the list is empty. In the next and last part, I’ll fix that and add the Hyper-V management programs to the list.

web3

Note also that there is a remote desktop tab which allows another way of accessing remote desktops without having to configure the mstsc client directly.

web4

Just for kicks, let’s logon to the TS Gateway machine using TS Web Access this time where you can see I still have IIS admin open after setting the authentication methods.

web5

So we’re nearly there. The last thing to do is to add the Hyper-V management tools to TS Web Access to allow me to control my Virtual Machines remotely over the Internet. Part 4 soon!

Cheers,
John.

Comments

  • Anonymous
    January 01, 2003
    Sorry for the dearth of posts - I have been rather busy lately.&#160; As such I thought I would quickly

  • Anonymous
    January 01, 2003
    PingBack from http://www.leadfollowmove.com/archives/virtualisation/jhoward-hyper-v-and-terminal-services-stuff

  • Anonymous
    January 01, 2003
    Sorry for the dearth of posts - I have been rather busy lately.&#160; As such I thought I would quickly

  • Anonymous
    January 01, 2003
    Thomas - can you drop me an email (email link at the top left) Thanks, John.

  • Anonymous
    January 01, 2003
    pgoodfellow - not to my knowledge. Sorry. But a quick Internet search for "RDP Client for Linux" showed there are some products out there. I have no experience attempting to use any of them though. Thanks, John.

  • Anonymous
    January 01, 2003
    John, can you shed some light on how to create the forms based authentication you've shown on this page?  Hopefully without using ISA?

  • Anonymous
    January 01, 2003
    Cenders - unfortunately not.... I am using ISA for FBA and have customised them for my domain. Thanks, John.

  • Anonymous
    February 17, 2008
    Hi, Thank you for the nice tutorials on setting up Hyper-V.  I was wondering if you knew of any RDP client for linux that will make use of the HTTPS web based TS Gateway feature? I read somewhere that there's an API available and some licensing stuff for "other OS" developers but I havn't seen anything yet.  I know the Mac client has support for TS Gateway but I have yet to find a linux client with it. Thanks!

  • Anonymous
    October 05, 2008
    John, I’m trying to get ISA2006 (SP2) to use FBA in accessing TS web access to launch RDP as a RemoteApp. Your article doing just that was great, but my missing piece was the articles you mention about creating the 2 ISA rules. I searched the blogs and found them (Part-25 right?). But I can’t access them. When I click on “Read more” I get “page not found”. I tried accessing thru the archives but same problem. Can you tell me where I can them? Thanks

  • Anonymous
    August 13, 2010
    Has there been any further news on an RDP client for linux that will make use of the HTTPS web based TS Gateway feature?