Friday, January 23, 2009

Setting up TS Gateway

TS Gateway on Windows 2008 is a solution that allows one to connect to resources on a remote terminal server without using a VPN connection. It connects a client to the remote resource over port 443 and can be used in conjunction with TS Web Access or TS RemoteApp. Traffic is encrypted using TLS 1.0. There are three ways to deploy TS Gateway: with Network Access Protection (NAP), with ISA Server, or by itself. I will address the NAP scenario here.

Step 1: Install the TS Gateway role service. From server manager, click "add roles" and add the terminal services role. On the "select role services" screen, select TS Gateway. Allow Server Manager to install the additional required role services as well (RPC over HTTP, IIS 7, NPS).

Step 2: Configuring Certificates in TS Gateway. Once you have added the appropriate role services, you will need to obtain a certificate for use with TS Gateway. The certificate can be self-signed, or you can use certutil to create a certificate request for a third-party certification authority. If you choose a third-party certificate, you'll want to make sure the vendor participates in the Microsoft Root Certificate Program so that the certificate is automatically trusted by clients.

With the self-signed certificate, each client computer connecting to the terminal server will need to add the certificate to the trusted root certification authorities store for their user account, either manually or through group policy.

The common name of the certificate should match the external DNS name of the TS Gateway server.

Once you have your certificate, install it in the personal store for the computer account on the TS Gateway server. Now open the TS Gateway Manager from Administrative Tools, right click the server name in the right-hand pane, and go to properties. On the SSL Certificate tab, select an existing certificate and point it to the location of your new cert.
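To confirm that the certificate installed in Step 2 is one TS Gateway can actually use, here is an added PowerShell check; it is not part of the original post. It assumes the gateway's external DNS name is tsg.example.com (a placeholder) and is run in an elevated prompt on the gateway server. It looks in the computer account's Personal store, checks that the certificate's DNS name matches the external name, that a private key is bound to it, that it has not expired, and builds the chain the way a connecting client would.

```powershell
# Added example, not part of the original post: check the TS Gateway certificate in the
# computer account's Personal store before pointing TS Gateway Manager at it.
# Assumption: the external DNS name of the gateway is tsg.example.com (placeholder value).
param(
    [string]$GatewayFqdn = "tsg.example.com"
)

# Step 2 of the post installs the certificate into LocalMachine\My (the computer's Personal store).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "My", "LocalMachine"
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$all = @($store.Certificates)
$store.Close()

# DnsName reads the subject alternative name when present, otherwise the subject CN,
# which is the name the RDP client compares against the gateway name it was given.
$dnsType    = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$candidates = @($all | Where-Object { $_.GetNameInfo($dnsType, $false) -eq $GatewayFqdn })

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My carries the DNS name $GatewayFqdn; clients will see a name mismatch."
    $all | ForEach-Object { "  present: {0} (thumbprint {1})" -f $_.GetNameInfo($dnsType, $false), $_.Thumbprint }
    return
}

foreach ($cert in $candidates) {
    $problems = @()

    # A request generated with certutil leaves a key pair but no usable certificate
    # until the CA's response is installed; HasPrivateKey catches the half-finished case.
    if (-not $cert.HasPrivateKey) { $problems += "no private key bound to this certificate" }

    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired $($cert.NotAfter)" }
    elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires soon: $($cert.NotAfter)" }

    # Build the chain as a client would. UntrustedRoot on a self-signed certificate is expected
    # and is exactly why the post has you import it into clients' Trusted Root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        $problems += "chain does not validate on this machine: $status"
    }

    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Problems   = $(if ($problems.Count -eq 0) { "none" } else { $problems -join "; " })
    }
}
```

Run it after the certificate is installed and before the SSL Certificate tab is configured. The thumbprint it prints is the one that should show up as the port 443 binding afterwards (compare with the output of `netsh http show sslcert`). A self-signed certificate reporting UntrustedRoot is not a defect on the server side; it is the signal that the client-side import from the next paragraphs still has to happen.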

Step 3: TS-CAP and TS-RAP policies. Before clients can connect through TS Gateway, you must set up two kinds of policy. Terminal Services Connection Authorization Policies (TS-CAPs) define who is allowed to connect to a TS Gateway server: you can specify local or Active Directory user groups that are allowed (or denied) access to terminal services, decide which devices can be redirected when connecting through TS Gateway, and specify the authentication method the client must use (password or smart card).

Terminal Services Resource Authorization Policies (TS-RAPs) identify which network resources users can connect to using the TS Gateway server. You can create TS-Gateway managed computer groups, or use Active Directory defined user groups to create a TS-RAP policy.

You will be prompted to create at least one TS-RAP and TS-CAP policy as part of the initial TS Gateway configuration. Creating TS-RAP and TS-CAP policies:

  1. Enter a name for the TS-CAP policy

  2. Choose the authentication method you want clients to use to connect, then add allowed user groups or even computer groups that are allowed to connect to the server.

  3. Choose which devices are allowed to redirect from the client:

  4. Review the summary and click Finish (here I am creating both a TS-CAP and a TS-RAP, so I don't have a finish option yet.)

Creating a TS-RAP:

  5. Enter a name for the TS-RAP policy:

  6. Choose which user groups the TS-RAP will apply to:

  7. Here you can specify which resources clients are allowed to connect to using either active directory security groups (computer objects), or TS-Gateway managed computer groups.

  8. Choose which port RDP should run on. I will leave the default (remember, TS Gateway operates over port 443 on the Internet; 3389 only needs to be open internally).

  9. Review the configuration and click Finish.

**The policies work just like the old IAS policies in 2003 – order matters!**
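Because order matters and the GUI shows one policy at a time, here is an added audit script, not from the post, that lists both policy types from PowerShell so the evaluation order and the resource scope of each TS-RAP can be reviewed in one place. The WMI namespace and class names are those of the TS Gateway provider installed with the role; the property names it reads (EvaluationOrder, PasswordAllowed, SmartcardAllowed, UserGroupNames, ComputerGroupNames, ResourceGroupType, ResourceGroupName, PortNumbers) are assumptions on my part and should be confirmed with Get-Member on your own server before the flags are trusted.

```powershell
# Added example, not part of the original post: list TS-CAPs in evaluation order and TS-RAPs with
# their resource scope, using the TS Gateway WMI provider that ships with the role service.
# Assumption: the property names below are as documented for the Windows Server 2008 provider;
# confirm them with:  Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy | Get-Member
$ns = "root\CIMV2\TerminalServices"

$caps = @(Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy)
$raps = @(Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy)

"--- TS-CAPs in the order the gateway evaluates them (first match wins) ---"
$caps | Sort-Object EvaluationOrder | ForEach-Object {
    $flags = @()
    if (-not $_.Enabled) { $flags += "DISABLED" }
    # A password-only CAP listed before a smart-card CAP silently wins for users in both groups.
    if ($_.PasswordAllowed -and -not $_.SmartcardAllowed) { $flags += "password-only" }
    # Very broad groups in a CAP turn TS-RAP into the only real access control.
    if ($_.UserGroupNames -match "Domain Users|Everyone|Authenticated Users") { $flags += "broad-user-group" }
    "{0,2}. {1,-30} users=[{2}] computers=[{3}] {4}" -f $_.EvaluationOrder, $_.Name,
        $_.UserGroupNames, $_.ComputerGroupNames, ($flags -join " ")
}

"--- TS-RAPs (which internal resources each user group may reach) ---"
$raps | ForEach-Object {
    $flags = @()
    if (-not $_.Enabled) { $flags += "DISABLED" }
    # ResourceGroupType: "RG" = TS Gateway-managed group, "CG" = AD computer group, "ALL" = any resource.
    if ($_.ResourceGroupType -eq "ALL") { $flags += "ANY-RESOURCE" }
    # The post leaves RDP on 3389; anything else (including "*") deserves a second look.
    if ($_.PortNumbers -ne "3389") { $flags += "ports:$($_.PortNumbers)" }
    "{0,-30} users=[{1}] type={2} group=[{3}] {4}" -f $_.Name, $_.UserGroupNames,
        $_.ResourceGroupType, $_.ResourceGroupName, ($flags -join " ")
}

# Both policy types must exist and be enabled; a CAP with no enabled RAP lets nobody through.
$enabledRaps = @($raps | Where-Object { $_.Enabled })
$enabledCaps = @($caps | Where-Object { $_.Enabled })
if ($enabledCaps.Count -eq 0 -or $enabledRaps.Count -eq 0) {
    Write-Warning ("Enabled TS-CAPs: {0}, enabled TS-RAPs: {1}; clients cannot connect until both are at least 1." -f
        $enabledCaps.Count, $enabledRaps.Count)
}
```

The flags are review prompts rather than verdicts: a RAP whose type is ALL may be intended, but it is the line that decides whether the gateway exposes one terminal server or every RDP listener on the internal network, so it is the one worth re-reading.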

Step 4: Configuring the Client for Connection to TS Gateway

First, you must ensure that you have either purchased a certificate from a trusted third-party CA, or installed the self-signed certificate, manually or through group policy, into the Trusted Root Certification Authorities store for the client's user account.

Also, the client must be running at least Windows XP SP3 or Windows Vista – make sure you have at least RDP 6.1.

The RDP client should be able to detect the TS Gateway settings automatically, but for me it takes longer to connect every time the client has to search for them. So I would rather specify them manually in the "Advanced" tab of the Remote Desktop Client:

  1. Open the client, expand Options, and go to the Advanced tab. Click "Settings" under the Connect From Anywhere section.

  2. For server name, enter the same name used for the common name of the TS Gateway certificate (also the DNS name of the TS Gateway server):

  3. Select the computer you want to connect to, and off you go!
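The two things that go wrong on the client side are the gateway presenting a certificate the client does not trust, and the gateway settings themselves. Here is an added PowerShell example, not from the post, that handles both: it opens a TLS session to the gateway's port 443 and reports the certificate actually presented and whether this client trusts it, then writes an .rdp file with the gateway settings spelled out so the client does not have to auto-detect them. The gateway name tsg.example.com, the target ts01.corp.example.com and the output path are placeholders; the .rdp setting names and values are the standard ones the Remote Desktop Client reads.

```powershell
# Added example, not part of the original post: client-side checks for Step 4.
# Assumptions (all placeholders): gateway external name tsg.example.com, internal target
# ts01.corp.example.com, and the .rdp file is written to the current user's desktop.
param(
    [string]$GatewayFqdn = "tsg.example.com",
    [string]$TargetHost  = "ts01.corp.example.com",
    [string]$RdpPath     = (Join-Path $env:USERPROFILE "Desktop\via-gateway.rdp")
)

# Open a TLS session to port 443 and report the certificate the gateway actually presents,
# which is what the RDP client will compare against the name typed into "Connect from anywhere".
function Test-GatewayCertificate {
    param([string]$Fqdn)
    $script:seenCert   = $null
    $script:seenErrors = $null
    # The callback only records what was presented; nothing is sent over this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:seenCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        $script:seenErrors = $errors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $Fqdn, 443
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        $protocol = $ssl.SslProtocol      # the post says TLS 1.0; this shows what was negotiated
    } finally {
        $ssl.Close(); $tcp.Close()
    }
    $dnsType   = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $presented = $script:seenCert.GetNameInfo($dnsType, $false)
    New-Object PSObject -Property @{
        Gateway       = $Fqdn
        Protocol      = $protocol
        PresentedName = $presented
        NameMatches   = ($presented -eq $Fqdn)
        Expires       = $script:seenCert.NotAfter
        # None = this client already trusts the certificate. RemoteCertificateChainErrors = the
        # self-signed cert was never imported into Trusted Root. RemoteCertificateNameMismatch = wrong CN.
        PolicyErrors  = $script:seenErrors.ToString()
    }
}

# Write an .rdp file with explicit gateway settings instead of relying on auto-detection.
function New-GatewayRdpFile {
    param([string]$Path, [string]$Gateway, [string]$Target)
    $settings = @(
        "full address:s:$Target",
        "gatewayhostname:s:$Gateway",
        "gatewayusagemethod:i:1",          # 1 = always use the gateway (2 = only when the target is not reachable directly)
        "gatewayprofileusagemethod:i:1",   # 1 = use these explicit settings; 0 = auto-detect, the slow path the post mentions
        "gatewaycredentialssource:i:0",    # 0 = password, 1 = smart card; match the TS-CAP authentication method
        "authentication level:i:1",        # 1 = do not connect if the target server's identity cannot be verified
        "prompt for credentials:i:1"
    )
    Set-Content -Path $Path -Value $settings -Encoding ASCII
    Get-Item $Path
}

Test-GatewayCertificate -Fqdn $GatewayFqdn
New-GatewayRdpFile -Path $RdpPath -Gateway $GatewayFqdn -Target $TargetHost
# Then connect with:  mstsc $RdpPath
```

If PolicyErrors reports anything other than None, fix the trust problem before touching the RDP client: a name mismatch is a certificate with the wrong common name, and chain errors on a self-signed certificate mean the import into the client's Trusted Root store has not happened yet.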


Anonymous said...

Hi Guys,

Looks great, I'm setting this up now but have hit a problem.
I am creating a DNS name from a dynamic DNS provider (free); they provide a free dynamic DNS name and IP address, so that is cool. Do I need to do anything else there with the hosting?
I have an internal self-signed CA which provides me with the cert, no problems there, but where do I specify the URL/IP from the dynamic DNS hoster? Or, basically, how do I link the two together?


Chris Lehr said...


You need to pick a DNS name and get the IP/DNS/firewall port opening to all occur. NAT is typically used to not reveal your internal IP information. Using the internal CA will work as long as only domain computers are utilizing this resource. If non-domain machines will hit this site, they will receive a warning that the SSL cert is not from a trusted CA.

Bob said...

I am trying to set up a gateway for our external users to connect via https. Internally the gw works fine by going to but when I try this from the outside I get a "404-file or directory not found." I get the default IIS 7 web page if I go to so I am getting to the server. The way I understand the connection to work is when you first connect to // you are connecting to a tsweb server. Then when you launch an app you are redirected through the gw. How does this work for external connections? Do I need tsweb installed on the gateway?


Robin said...


I'm not sure that I have enough information to answer your question. TS gateway by itself does not offer a website, but rather acts as an intermediary to translate RDP traffic to SSL and allow you to connect much like a VPN connection. If you have TS gateway installed and have configured access to resources, from the outside you would RDP to the resource using your TS Gateway settings and you will be able to use the remote resource over an encrypted connection without VPN.

If you are trying to create an externally accessible website on which to view available resources, then you will need to also deploy TS Web Access, either on the gateway server or on another server.

Bob said...

Thanks Robin. I have two TSWeb servers using NLB, but they are inside my firewall, not directly accessible from the Internet. My thought was external users would be able to access them via the gateway. Is that the way it should work, or do I need to put TSWeb on the gateway?


Robin said...


External users will be able to access machines through the gateway by using RDP with a TS Gateway server specified. If you want your users to be able to select a server to connect to through a web page, you will need to install TSWeb.

farmamick said...

I am having an issue, which I have detailed at:

I think my main issue is what name to use in the RAP, for the VirtualServer02 (the server that is hosting the application, ie the one I want to RDP to).

Can anyone help please?


tsotsi said...

Hi all.

I want to know if I can use TS Gateway to connect from outside into my local network without having a DNS name.

My TS Gateway server is local, without a real IP. It has a DNS name, but only locally.

I use a Linux machine with simple ... is there a solution to bypass the necessary "ts gateway address" on the remote client?