Terminal Services (TS) has been around since the NT days. Windows 2000 Server gave us the ability to connect via the remote desktop protocol (RDP) to manage our servers, but Windows 2000 Professional did not provide the same convenience for desktop machines. It wasn’t until Windows XP that end users were given a built-in option for connecting remotely to their workstations. Adding RDP to Windows XP was great for end users, but created some challenges for IT administrators. Should IT allow anyone to connect remotely? If not, how do you control who can connect and who can’t?
There are some clunky ways to manage RDP access. A firewall can be used to control access to the RDP port (3389), but this can be cumbersome to manage, especially because most desktops have dynamic IP addresses. You could open up RDP completely or allow access via the VPN, but then you have to control access using permissions on each machine. Windows Server 2008 finally gives us a more elegant solution for managing RDP access: TS Gateway.
With a TS Gateway server configured for your network you can route all of your RDP traffic through one (or more) TS Gateway servers. This allows you to centrally control and monitor all of the remote desktop connections flowing into your network. This is especially useful in environments where central IT doesn’t necessarily have control over the RDP permissions on each user’s desktop machine. With TS Gateway you can specify who is allowed to initiate remote desktop connections to your network, and which machines each user is allowed to connect to.
Instead of listening on the normal RDP port, 3389, TS Gateway uses SSL and listens on port 443. The RDP traffic is tunneled through SSL on port 443 and then converted back to normal RDP traffic on the internal network. The desktop that is being controlled by a remote user passing through the TS Gateway doesn’t need any special configuration. This has several advantages beyond the manageability perspective. First, port 443 is normally used by secure websites, so most firewalls on remote networks will not filter the traffic. Second, by using industry standard SSL technology you can be sure that your RDP connection is safe from man-in-the-middle type attacks, as long as the client validates the gateway’s certificate (which is why the certificate steps below matter).
Set Up Your Own TS Gateway
Setting up a Server 2008 TS Gateway server is fairly simple. Follow these steps to get yours up and running in less than 60 minutes:
- Open Server Manager and click on Roles >> Add Roles
- Click on Next >> Select Terminal Services from the list >> Next >> Next
- Select TS Gateway and then, if prompted, click on “Add Required Role Services” >> Next
- Choose the desired style of SSL certificate and click on Next (self-signed is fine for testing)
- Read the on-screen instructions and configure the Authorization Policies for your environment
- Accept all of the defaults for the rest of the installation >> Install
If you used a self-signed certificate then you will need to install the certificate on the machine that will be initiating connections through the TS Gateway.
Export self-signed certificate from the TS Gateway server
- Start >> Administrative Tools >> Terminal Services >> TS Gateway Manager
- Right click on your TS Gateway server and choose Properties >> SSL Certificate tab >> Browse Certificates
- Select the self-signed certificate you created when you installed TS Gateway >> View Certificate >> Details tab >> Copy to File…
- In the Certificate Export Wizard click Next >> choose No (do not export the private key) >> Next >> Next >> browse to a location to save the certificate >> Next >> Finish
Import self-signed certificate to the client initiating RDP connections through the TS Gateway
- Copy the certificate file you exported from the TS Gateway server to the client that will be used to initiate RDP connections through the TS Gateway server
- Double click on the certificate file from the client computer >> Install Certificate…
- In the Certificate Import Wizard click on Next >> “Place all certificates in the following store” >> Browse… >> choose “Trusted Root Certification Authorities” >> Next >> Finish
Configure the Remote Desktop Connection settings on the client that will be used to initiate RDP connections through the TS Gateway
- Open up the Remote Desktop Connection client (mstsc.exe)
- Click on the Advanced tab, then Settings…
- Click on the “Use these TS Gateway server settings” and put in the server name of your TS Gateway. IMPORTANT: Be sure the server name matches the “subject” attribute of the certificate you are using on the TS Gateway server.
That’s it. The next time you initiate a remote desktop connection it will be passed through the TS Gateway. The TS Gateway will determine whether you are authorized to connect to the desired workstation and then allow or disallow the RDP traffic.
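The name-match check the IMPORTANT note above calls for, as an added PowerShell example that is not part of the original article: it reads the certificate the TS Gateway presents on port 443, confirms the name in it matches the server name you will configure in the client, and then writes an .rdp file carrying the same gateway settings the Remote Desktop Connection Advanced >> Settings dialog sets. The host names and output path are placeholders to replace with your own.

```powershell
# Added example (not from the original article). Probes the TS Gateway's SSL
# certificate, checks its name against the server name mstsc will use, and
# writes an .rdp file that routes the session through the gateway.
param(
    [string]$GatewayHost = 'tsgw.corp.example.com',      # placeholder gateway name
    [string]$Workstation = 'desktop01.corp.example.com', # placeholder target desktop
    [string]$RdpPath     = "$env:USERPROFILE\Desktop\via-tsgateway.rdp"
)

$tcp = New-Object System.Net.Sockets.TcpClient($GatewayHost, 443)
# Accept any certificate during this probe only; we inspect it ourselves below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($GatewayHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Close()
}

# First DNS name in the certificate (subject CN or first SAN entry). This simple
# comparison does not handle wildcard names or multiple SAN entries.
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Thumbprint : $($cert.Thumbprint)"   # compare with TS Gateway Manager before trusting
Write-Host "Expires    : $($cert.NotAfter)"

if ($dnsName -ine $GatewayHost) {
    Write-Warning "Certificate name '$dnsName' does not match '$GatewayHost'; mstsc will refuse the gateway."
    exit 1
}

# Equivalent of Advanced >> Settings >> "Use these TS Gateway server settings":
# gatewayusagemethod 1 = always use the gateway, gatewayprofileusagemethod 1 =
# use these explicit settings, gatewaycredentialssource 4 = let the user choose.
@"
full address:s:$Workstation
gatewayhostname:s:$GatewayHost
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:4
authentication level:i:2
"@ | Set-Content -Path $RdpPath -Encoding ASCII
Write-Host "Wrote $RdpPath; open it with mstsc.exe to connect through the gateway."
```

A certificate fetched over the network is exactly what a man-in-the-middle could substitute, so compare the printed thumbprint with the one shown in TS Gateway Manager on the server before trusting it on a client.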
Other Useful Bits
TS Gateway has a management console that can be used to view the current RDP connections that are being passed through it. You can view details such as how much information has been passed to/from the client. You can also configure advanced settings such as which SSL certificate should be used by the TS Gateway. If you have a load balancer or want to configure Microsoft’s Network Load Balancing then you can use the management console to add multiple TS Gateways to a “server farm”. This adds scalability and redundancy to a service that will likely need to have high availability.
Group policy can be used to define the TS Gateway server or “server farm” address on client machines that will be initiating connections through the TS Gateway. This makes life much easier for end users because they won’t have to delve into the Remote Desktop Connection advanced settings to configure the TS Gateway settings. It also allows IT administrators to force clients to use a specific TS Gateway address. The TS Gateway group policy settings are located under User Configuration >> Administrative Templates >> Windows Components >> Terminal Services >> TS Gateway.
TS Gateway is a great extension to the terminal services tool set. IT administrators finally have a good tool for managing remote desktop connections to their internal networks, and end users can feel safe using industry standard SSL technology when they connect from remote locations.