Windows Server 2008: Configuring Terminal Services Gateway - Part 1

Microsoft security administrators have always been a bit wary of publishing Terminal Servers to the Internet, and for good reason: there was no way to pre-authenticate connections, and no way to use policy to determine which users could access which Terminal Servers. The lack of pre-authentication was an especially difficult problem. Without it, anonymous users could reach the RDP listener directly and use that anonymous connection to attack the published Terminal Server. A compromised Terminal Server is among the worst outcomes for your network, because the attacker now has a full operating system on your internal network from which to launch further attacks.

Windows Server 2008 provides a solution to this security problem: Terminal Services Gateway. A TS Gateway authenticates users before any RDP traffic reaches a Terminal Server, and it uses connection authorization policies (CAPs) and resource authorization policies (RAPs) to control which users may connect and which Terminal Servers they may reach. This gives you the fine-grained control you need to ensure that you have a secure remote access RDP solution.

In this two part series on how to put together a working Terminal Services Gateway solution, we will use the lab network you see in the figure below. The arrows show the flow of communications from the external RDP client to the Terminal Server.

Each of the servers in this scenario is running Windows Server 2008 Enterprise Edition.

In this example network, I am using the Windows Server 2008 NAT server as my Internet gateway. You could use any other simple NAT device or packet filtering router, like a PIX, or even an advanced firewall like the Microsoft ISA Firewall. The key configuration option here is that you forward TCP port 443 connections to the Terminal Services Gateway computer. The external client talks to the gateway over HTTPS only (RDP is tunneled inside the TLS session), so TCP 3389 is never exposed to the Internet; the gateway itself opens the RDP connection to the Terminal Server on the internal network.

The Domain Controller has DNS, DHCP, Active Directory Certificate Services (configured as an Enterprise CA), and WINS installed.

The Terminal Server has only the base operating system installed. We will install other services during the course of this article series.

The TS Gateway has only the base operating system installed. We will install other services during the course of this article series.

In this article series I will describe the following processes and procedures that you need to perform to get the basic solution running:

  • Install Terminal Services and Terminal Services Licensing on the Terminal Server
  • Configure Terminal Services Licensing
  • Install Desktop Experience on the Terminal Server (optional)
  • Configure the Terminal Services Licensing Mode
  • Install the Terminal Services Gateway Service on the Terminal Services Gateway
  • Request a Certificate for the Terminal Services Gateway
  • Configure Terminal Services Gateway to Use the Certificate
  • Create a Terminal Services Gateway RAP
  • Create a Terminal Services Gateway CAP
  • Configure the RDP Client to use the Terminal Services Gateway
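Before handing out client configurations, it is worth verifying two things that the steps above depend on: that the NAT device's TCP 443 forward actually lands on the TS Gateway and that the certificate it presents has a name matching the public FQDN and chains to a CA the client trusts. The script below, an added example that is not part of the original article, does that probe from a Windows client and then writes an .rdp file with the standard gateway settings from the last step. The host names tsg.example.com and ts1.corp.example.com, the output path, and the PowerShell 2.0-or-later client are assumptions for the lab, not values from the article.

```powershell
# Added example, not from the original article. Assumed lab values:
#   tsg.example.com       public name of the TS Gateway (TCP 443 forwarded by the NAT device)
#   ts1.corp.example.com  internal Terminal Server the gateway will open RDP to
# Runs on a Windows client with PowerShell 2.0 or later.

$GatewayFqdn    = 'tsg.example.com'        # must match the subject or SAN of the gateway certificate
$TerminalServer = 'ts1.corp.example.com'   # must be permitted by the gateway's RAP
$RdpFile        = Join-Path $env:USERPROFILE 'Desktop\ts1-via-gateway.rdp'

function Test-TsGatewayEndpoint {
    param([string]$HostName, [int]$Port = 443)

    # 1. Does TCP 443 reach the gateway through the NAT/firewall at all?
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ar  = $tcp.BeginConnect($HostName, $Port, $null, $null)
    if (-not $ar.AsyncWaitHandle.WaitOne(5000, $false)) {
        $tcp.Close()
        throw "No TCP connection to ${HostName}:${Port} - check the port forward on the NAT device."
    }
    $tcp.EndConnect($ar)

    # 2. Grab the certificate the listener presents. The probe accepts any
    #    certificate so it can be inspected; the real RDP client will not.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close(); $tcp.Close()

    # 3. The checks the RDP client effectively performs: name match (CN or SAN),
    #    validity period, and a chain ending in a CA this client trusts.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $nameOk  = ($cert.GetNameInfo('DnsName', $false) -eq $HostName) -or
               ($sanText -match [regex]::Escape($HostName))
    $now     = Get-Date
    $dateOk  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)

    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        NameMatches  = $nameOk
        DatesValid   = $dateOk
        ChainTrusted = $chainOk
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

function New-TsGatewayRdpFile {
    param([string]$Path, [string]$Gateway, [string]$Server)
    # Standard .rdp keys understood by the Remote Desktop Connection 6.x client.
    $lines = @(
        "full address:s:$Server",            # Terminal Server behind the gateway (subject to the RAP)
        "gatewayhostname:s:$Gateway",        # public FQDN of the TS Gateway (must match its certificate)
        'gatewayusagemethod:i:1',            # 1 = always connect through the gateway
        'gatewaycredentialssource:i:0',      # 0 = password (NTLM); 1 = smart card
        'gatewayprofileusagemethod:i:1',     # 1 = use these explicit settings, not the Group Policy default
        'promptcredentialonce:i:1',          # reuse the gateway credentials for the Terminal Server logon
        'authentication level:i:2'           # 2 = warn if server authentication fails; 1 = refuse to connect
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode   # mstsc writes .rdp files as UTF-16LE
    return $Path
}

$probe = Test-TsGatewayEndpoint -HostName $GatewayFqdn
$probe | Format-List Subject, Issuer, Thumbprint, NotAfter, NameMatches, DatesValid, ChainTrusted, ChainStatus
if (-not ($probe.NameMatches -and $probe.DatesValid -and $probe.ChainTrusted)) {
    Write-Warning 'Fix the gateway certificate before distributing the .rdp file; clients will reject the connection.'
}
New-TsGatewayRdpFile -Path $RdpFile -Gateway $GatewayFqdn -Server $TerminalServer
# Connect with: mstsc.exe "$RdpFile"
```

Run the probe from a machine that is outside the lab network and not joined to the domain, because that is what ChainTrusted actually measures. A certificate issued by the lab's Enterprise CA is trusted automatically by domain members, but an Internet client will only trust it if the CA's root certificate has been imported into its Trusted Root store; for real deployments a certificate from a CA the clients already trust avoids that step. If NameMatches is false, the name external users type (the gatewayhostname value) differs from the name in the certificate, and the RDP client will refuse the gateway connection.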
