Monday, October 20, 2008

Guide to getting TS Web Access Gateway Windows 2008 Working

I had quite a bit of trouble getting the TS Gateway to work for my home test lab.

Situation:
-TS Gateway box was also the Terminal server
-no fixed IP address
-no SSL certificate
-firewall forwarding only port 443 to internal TS server (not 80 or 3389)

I could gain access to the TS Gateway webpage (easy to set up) but no further - I couldn't run any of the published apps or remote desktops. This is what fixed it for me.

1) I use no-ip.info for my domain/IP. I created an additional zone on my internal DC/DNS server for no-ip.info and added the EXTERNAL host name I use to access my home lab, e.g. MYPC.NO-IP.INFO, pointing at the INTERNAL IP address (e.g. 192.168.1.20).
Apparently you need this split DNS if you want to use the Gateway internally as well, as the certificate name is critical to this.

2) I generated a new self-signed certificate on my TS Gateway box using the PUBLIC name, e.g. MYPC.NO-IP.INFO -> when accessed from the outside, the certificate name now matches the site -> CRITICAL!!

3) On your TS Gateway, open Server Manager and dive into IIS > SERVER NAME > Default Web Site > TS - choose 'Application Settings' and change Group by to Entry Type. You should now see an option for DefaultTSGateway. Edit this to be your EXTERNAL address (e.g. MYPC.NO-IP.INFO) and restart IIS.

4) Now, on your client PC make sure you have version 6.1 of the RDP client - none of this will work without it.

5) Go to HTTPS://MYPC.NO-IP.INFO/TS (or whatever you use)

6) Make sure you accept the certificate and add it to your Trusted Root Certification Authorities store - restart IE and reconnect, and the ticks should be green.

7) This may not be necessary, but I went to the configuration tab and changed the TS Web Access Properties Terminal Server name to the internal DNS name of my Terminal server e.g. ts.internaldomain.lan

8) Give it a whirl, I can now connect to internal servers via their internal names or IP addresses and run up my remote apps.

9) To lock down access a bit (i.e. I don't want every man and his dog on the internet to see my TS Gateway) I added some simple authentication. Go into IIS > Default Web Site, DISABLE Anonymous Authentication and enable Forms Authentication (tick the box to require SSL). Doing this, any request to the front page requires logging in first.

10) A couple of other points that may be relevant:
Under Terminal Services > TS RemoteApp Manager > Terminal Server Settings I used the full FQDN of my TS (VMTS.MYLAN.LAN).
Under TS Gateway Settings I chose 'Use these TS Gateway server settings' and used the EXTERNAL site name (MYPC.NO-IP.INFO) and logon method NTLM. Ticked the 2 boxes underneath as well.
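Steps 1, 2, 4 and 6 above each have a check you can run from the client before touching the gateway config again: does the external name resolve to the internal IP from inside the LAN, does the name on the certificate served on port 443 match that external name (and is it trusted yet), and is the RDP client at least 6.1. The following PowerShell script is an added example, not part of the original post; the host name MYPC.NO-IP.INFO and the address 192.168.1.20 are the post's placeholders and should be replaced with your own values. It only connects and inspects; it changes nothing.

```powershell
# Added check script (not from the original post). Run on the client PC.
# $ExternalName / $ExpectedInternalIp are placeholders taken from the post's examples.
param(
    [string]$ExternalName       = 'MYPC.NO-IP.INFO',
    [string]$ExpectedInternalIp = '192.168.1.20'
)

function Test-SplitDns {
    param([string]$Name, [string]$ExpectedIp)
    # Step 1: from inside the LAN the external name must resolve to the internal address.
    $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    [pscustomobject]@{
        Check    = 'Split DNS'
        Resolved = ($addrs -join ', ')
        Pass     = ($addrs -contains $ExpectedIp)
    }
}

function Test-GatewayCertificate {
    param([string]$Name, [int]$Port = 443)
    # Steps 2 and 6: the certificate on 443 must carry the public name, and the client must trust it.
    # The callback accepts any certificate so a still-untrusted self-signed cert can be inspected;
    # trust is reported separately via Verify() instead of by failing the handshake.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $client = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Name)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [pscustomobject]@{
            Check       = 'Certificate'
            NameOnCert  = $dnsName
            Expires     = $cert.NotAfter
            TrustedHere = $cert.Verify()          # false until the cert is in Trusted Root (step 6)
            Pass        = ($dnsName -ieq $Name)   # name mismatch is the failure the post describes
        }
    } finally {
        $client.Close()
    }
}

function Test-RdpClientVersion {
    param([version]$Minimum = '6.1')
    # Step 4: mstsc.exe must be version 6.1 or later.
    $vi = (Get-Item (Join-Path $env:SystemRoot 'System32\mstsc.exe')).VersionInfo
    $ver = New-Object Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Check   = 'RDP client'
        Version = $ver.ToString()
        Pass    = ($ver -ge $Minimum)
    }
}

$results = @(
    Test-SplitDns -Name $ExternalName -ExpectedIp $ExpectedInternalIp
    Test-GatewayCertificate -Name $ExternalName
    Test-RdpClientVersion
)
$results | Format-List
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more checks failed; see above.' }
```

If the DNS check passes from outside but fails from inside, the split zone from step 1 is missing or the client is using a different resolver; if the certificate check shows a NameOnCert other than the external name, the gateway is still serving the old certificate from step 2.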
