First, what exactly is Terminal Services Gateway? It is a role service that enables authorized remote users to connect to resources on an internal corporate or private network from Internet-connected devices. The network resources can be either Terminal Servers running RemoteApp programs or systems with Remote Desktop enabled. If you think about Terminal Services Gateway as Terminal Services Proxy (which was the original name for this feature) or a VPN for Terminal Services, it may help with understanding exactly what it does. TS Gateway uses RDP over HTTPS to help form a secure, encrypted connection between remote users on the Internet and the internal network resources to which they need to connect. Sounds like a VPN without the actual VPN doesn’t it?
So what benefits are there in running TS Gateway? Since the TS Gateway connection is encrypted, you do not have to configure a VPN connection. TS Gateway also provides a comprehensive security model that enables the administrator to control access to specific internal network resources. TS Gateway provides a point-to-point RDP connection rather than blanket access to the internal network. Using TS Gateway you can connect to internal resources that are hosted behind firewalls on private networks and across Network Address Translators (NATs). Prior to Windows Server 2008, remote users were often prevented from connecting to internal network resources across firewalls and NAT’s because port 3389 was typically blocked on the firewalls. Since TS Gateway uses port 443 for an HTTP SSL / TLS tunnel (which most organizations have open for Internet connectivity), remote access connectivity across multiple firewalls is possible.
Within TS Gateway you can also define and configure Connection Authorization Policies that define conditions that must be met for a remote user to connect to an internal resource. We’ll go Connection Authorization Policies in a bit more detail later on in this post. TS Gateway servers and Terminal Services clients can be configured to use Network Access Protection (NAP). NAP is a health policy creation, enforcement, and remediation technology. Using NAP, administrators can enforce system health requirements such as software requirements (for example the client must have an approved and updated Anti-Virus program running), as well as security update requirements, required computer configurations and other settings. Using TS Gateway in conjunction with Microsoft ISA Server, a TS Gateway server could be hosted in a DMZ network with the ISA server sitting in the perimeter network.
So as you can see, TS Gateway provides several benefits. Now let’s take a look at the architecture of TS Gateway. The diagram below shows a high level view of the architecture and connection processes:
Microsoft, WS2008, Win2K8, Windows Server 2008, Terminal Service, Terminal Server, Gateway, Architecture, Knowledgebase