Unable to add domain resources in Windows Server 2008 TSG role.

[albertwt]

i've successfully deployed the TSG in my DMZ and now I'm confused in configuring Windows Server 2008 Std x64 to serve as my Terminal Server Gateway,

from the URL: Q. How can I install and configure Terminal Services Gateway?

you can actually select the AD domain, but in my case the Location can only select the local machine ?

Any kind of help would be greatly appreciated.

thanks.

[Ric_]

Have you also checked out the article at An Overview of Longhorn Server’s Terminal Service Gateway (Part 1) ?

[albertwt]

This is the picture of what I'm doing now,

at the moment I'm inside the local network and would like to publish the Web Server 2008 which is located same in the DMZ is it correct that i should

1. publish the TSG.domain.com through the world using port 443
2. create self signed certificate from TSG.domain.com and then give that to the client.
3. setup the TS CAP and TS RAP
4. the client install the SSL cert on the trusted Root CA,
5. the client access remote desktop to TSG.domain.com.
6. once the client logged in, he/she must remote desktop again into the webserver

cmiiw ?

can anyone shed some light here please ?

Thanks for all who reply to my thread.

[Ric_]

@albertwt: Aren't you missing a terminal server from your picture?

I've not had chance to play with Terminal Services Gateway, but if it works like Citrix Secure Gateway you would have your gateway in the DMZ and this then brokers a secure connection to a terminal server that is on your network.

The idea of the gateway server is to publish your terminal server on the web via SSL using only port 443. Meanwhile, your server still has access to your LAN.

You may find Remote Desktop Services (Terminal Services) Team Blog : RD Gateway deployment in a perimeter network & Firewall rules useful.

I have also attached a simple view of my setup.

[albertwt]

Hi Ric,

Do i need a terminal service server in this case ?
I thought that by just deploying TSG in the DMZ i can securely publish the Web Server to the world ?

This web server will be managed by a consultant overseas for the web content and some programming stuff and it is not published to the internet.

up to this point, in the TS Web Access, the consultant can login to the website https://tsg.domain.com/ts/en-US/default.aspx but when he click on the Remote Desktop icon that i publish he connect to the TSG not to the Web server ?

thanks for the assistance and looking forward to solve this problem soon.

[Ric_]

Have a look at point 5 in the link in my previous post. That describes what else you need to do if the gateway and terminal server are the same box.

[albertwt]

if i tried to access the TSG server from the internet using IP address as i haven't register it yet, is that possible to causing the problem ?

should i use FQDN in this case for all of my settings ?

[Ric_]

The certificate check will probably fail if you do not use the FQDN so this may be your problem.

The following pic off that blog shows what traffic has to pass through the firewall.



That MS blog also mentions that you need WMI access between your DMZ and LAN.

[albertwt]

thanks for replying back to my topic, I'm now in a stuck and ready to redeploy the server again from scratch.

OK, Yesterday the consultant can login to the website https://tsg.domain.com/ts/en-US/default.aspx and click on the RDP icon but somehow he got timed out during the RDP connection process ?

and myself as well from mu home internet connection, but It is working just fine from my company internal network.

this problem drives me crazy already for the past 2 days. :-(

[albertwt]

To All,

Finally I was able to access the Webserver that I want from the internet using Terminal Server Gateway,

here's what I did:

on Terminal Server Gateway (open ports 53, 88, 389, 135, 139, 3389, after that only open port 443 to the external and to the webserver):
1. Join the TSG server into the domain
2. go through the steps in [ame="http://www.youtube.com/watch?v=x_0oeiCTTfU"]YouTube - Windows Server 2008 - Installing Terminal Services[/ame]
3. TS_CAP_01 settings:
Requirement tab:
select password for the authentication
add BUILTIN\Administrators group
Device Redirection tab:
Enable device redirection for all devices
4. TS_RAP_01 settings:
User groups tab:
*make the same members as the previous CAP_01 setting*
Computer group tab:
select Allow users to connect to any network resources --> because of this now i can secure RDP to the webserver.
Allowed ports tab:
select Allow connection through any port --> and this one as well.
5. Export the certificate as (whatever).cer and then this must be imported into the Trusted Root CA on the client workstation.

on the DMZ Webserver (open only on port 443 after going through this steps)
1. join the webserver to the domain
2. go to system properties | Remote tab and click on Allow connection from computers running....
3. click on Remote users button and add the same user as the previous one in the TSG group (step 3 and 4)


on the client:

1. import the certificate from the TSG.domain.com into the trusted root CA location (click on browse and select the folder).
2. run mstsc (remote desktop application)
3. General Tab:
computer: (webserver IP address) --> due to the no DNS available.
username: Webserver\Administrator
Advanced Tab:
select Connect and don't warn me.
click on settings:
select use these TS Gateway server settings:
Server name: TSG.domain.com
Login method: NTLM
click on OK
then connect by supplying the local admin password.