TS Gateway #4
Server side configuration
In previous 3 postings I talked about why I liked TS gateway, the overall architecture for configuring TS Gateway in home lab environment and the client side configuration.
This time I'll show a few screen shots of the TS Gateway configuration. The configuration is very simple and one can figure it out by basically going through the wizard and consulting available help. But pictures sometime are nice to see too, especially of already configured server.
Anyway, in my lab I have TS Gateway server running the publically available beta of Windows Server 2008, it is running as virtual guest on Virtual PC hosted on Windows Vista. TS Gateway server has one network card assigned to it. It is important to know the IP address on this card and make sure your perimeter firewall (Linksys in my case) is configured to allow port 443 to this IP.
When you install TS Gateway the wizard will ask you to specify certificate, create new one or to choose one later. I didn't have one at the time of installation and decided to install certificate later. When TS Gateway is installed you can right-click on the server name and choose properties. For simple installations the "SSL Certificate" tab is of most importance as it will allow you to choose or replace certificates. Without certificate TS gateway cannot function. The following screenshot shows my certificate issued from my own CA. As I wrote before it is very important to make sure that certificate name (shown in Issued to: field) is the name you specify in the Remote Desktop connection client, if they don't match you won't be able to connect.
During installation wizard you'll be asked to configure 2 polices required for TS Gateway:
- Connection Authorization Policies
- Resource Authorization Policies
Connection Authorization Policy (TS CAP) allows you to specify the users who can connect to this TS Gateway server. The configuration is fairly simple and straightforward. You'd specify the groups or users who can connect to this TS Gateway server. Interesting granularity here is that you can specify the type of authentication will be supported by this TS CAP - Password and/or Smart Card. So if you have issued Smart Cards to your employees you can create policy that only allows Smart Card authentication into the TS Gateway server - very secure mechanism for remote authentication. Here is the shot of the TS CAP requirements.
Device Redirection tab can be useful in controlling who can redirect what from the TS server to their client PC.
The second policy that must be configured is the TS RAP which allows to specify the network resources that users can connect to remotely through this TS Gateway server. During configuration or later you can choose which computers you be able to access or just provide a blank policy that will allow connection to any target computer.
All in all , it is easy to configure a single server TS Gateway to allow access to your internal network.