Windows Server 2008 Thread: Unable to add domain resources in Windows Server 2008 TSG role (in Technical)
  1. #1


    Unable to add domain resources in Windows Server 2008 TSG role.

    I've successfully deployed the TSG in my DMZ and now I'm confused about configuring Windows Server 2008 Std x64 to serve as my Terminal Server Gateway.

    From the URL "Q. How can I install and configure Terminal Services Gateway?":

    you can actually select the AD domain, but in my case the Location can only select the local machine?

    Any kind of help would be greatly appreciated.

    thanks.

  2. #2

    Ric_'s Avatar

  3. Thanks to Ric_ from:

    albertwt (1st September 2009)

  4. #3

    This is the picture of what I'm doing now.

    At the moment I'm inside the local network and would like to publish the Web Server 2008, which is also located in the DMZ. Is it correct that I should:

    1. publish the TSG.domain.com to the world using port 443
    2. create a self-signed certificate from TSG.domain.com and then give that to the client
    3. set up the TS CAP and TS RAP
    4. the client installs the SSL cert in the trusted Root CA
    5. the client accesses remote desktop to TSG.domain.com
    6. once the client has logged in, he/she must remote desktop again into the webserver

    CMIIW?

    Can anyone shed some light here please?

    Thanks to all who reply to my thread.
    Attached Images

  5. #4

    Ric_'s Avatar
    @albertwt: Aren't you missing a terminal server from your picture?

    I've not had a chance to play with Terminal Services Gateway, but if it works like Citrix Secure Gateway you would have your gateway in the DMZ and this then brokers a secure connection to a terminal server that is on your network.

    The idea of the gateway server is to publish your terminal server on the web via SSL using only port 443. Meanwhile, your server still has access to your LAN.

    You may find "Remote Desktop Services (Terminal Services) Team Blog: RD Gateway deployment in a perimeter network & Firewall rules" useful.

    I have also attached a simple view of my setup.
    Attached Images

  6. Thanks to Ric_ from:

    albertwt (1st September 2009)

  7. #5

    Hi Ric,

    Do I need a terminal services server in this case?
    I thought that by just deploying TSG in the DMZ I can securely publish the Web Server to the world?

    This web server will be managed by a consultant overseas for the web content and some programming stuff and it is not published to the internet.

    Up to this point, in the TS Web Access, the consultant can log in to the website https://tsg.domain.com/ts/en-US/default.aspx but when he clicks on the Remote Desktop icon that I published he connects to the TSG, not to the Web server?

    Thanks for the assistance; looking forward to solving this problem soon.

  8. #6

    Ric_'s Avatar
    Have a look at point 5 in the link in my previous post. That describes what else you need to do if the gateway and terminal server are the same box.

  9. Thanks to Ric_ from:

    albertwt (1st September 2009)

  10. #7

    If I try to access the TSG server from the internet using the IP address, as I haven't registered it yet, could that be causing the problem?

    Should I use the FQDN in this case for all of my settings?

  11. #8

    Ric_'s Avatar
    The certificate check will probably fail if you do not use the FQDN so this may be your problem.

    The following pic off that blog shows what traffic has to pass through the firewall.



    That MS blog also mentions that you need WMI access between your DMZ and LAN.

  12. Thanks to Ric_ from:

    albertwt (1st September 2009)
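
The name check behind the reply above, as an added example that is not part of the thread: a simplified model of TLS server-name matching showing why a certificate issued to TSG.domain.com validates for the FQDN but not for the gateway's IP address. The certificate dictionary layout, the function names and the address 203.0.113.10 are constructed for illustration, and the model is generic, not Microsoft's implementation.

```python
import ipaddress

def _is_ip(name):
    """True if the name the client typed is an IP literal."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_matches_cert(connect_name, cert):
    """cert: dict with optional 'san_dns' / 'san_ip' lists and 'subject_cn'."""
    if _is_ip(connect_name):
        # An IP literal is compared only with iPAddress SAN entries,
        # never with DNS names or the subject CN.
        target = ipaddress.ip_address(connect_name)
        return any(ipaddress.ip_address(i) == target
                   for i in cert.get("san_ip", []))
    dns_names = cert.get("san_dns", [])
    if not dns_names and cert.get("subject_cn"):
        dns_names = [cert["subject_cn"]]  # legacy CN fallback when no SAN dNSName
    return any(_dns_match(p, connect_name) for p in dns_names)

# Constructed sample: a self-signed gateway certificate carrying only a CN.
GATEWAY_CERT = {"subject_cn": "TSG.domain.com"}
PUBLIC_IP = "203.0.113.10"  # documentation-range address, constructed

def check_names(names, cert=GATEWAY_CERT):
    """Map each name a client might type to the result of the name check."""
    return {n: name_matches_cert(n, cert) for n in names}

if __name__ == "__main__":
    for name, ok in check_names(["tsg.domain.com", "TSG", PUBLIC_IP]).items():
        print(f"{name:16} -> {'match' if ok else 'name mismatch'}")
```

Only the gateway name has to match the certificate; the inner RDP target can still be given by IP, as the final post in this thread does.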

  13. #9

    Thanks for replying back to my topic. I'm now stuck and ready to redeploy the server again from scratch.

    OK, yesterday the consultant could log in to the website https://tsg.domain.com/ts/en-US/default.aspx and click on the RDP icon, but somehow he got timed out during the RDP connection process?

    And so did I from my home internet connection, but it is working just fine from my company internal network.

    This problem has been driving me crazy for the past 2 days. :-(

  14. #10

    Problem solved

    To All,

    Finally I was able to access the Webserver that I want from the internet using Terminal Server Gateway.

    Here's what I did:

    On the Terminal Server Gateway (open ports 53, 88, 389, 135, 139, 3389; after that, only open port 443 to the external and to the webserver):
    1. Join the TSG server to the domain.
    2. Go through the steps in "YouTube - Windows Server 2008 - Installing Terminal Services" (http://www.youtube.com/watch?v=x_0oeiCTTfU).
    3. TS_CAP_01 settings:
       Requirement tab:
          select password for the authentication
          add BUILTIN\Administrators group
       Device Redirection tab:
          Enable device redirection for all devices
    4. TS_RAP_01 settings:
       User groups tab:
          *make the same members as the previous CAP_01 setting*
       Computer group tab:
          select Allow users to connect to any network resources --> because of this, now I can secure RDP to the webserver.
       Allowed ports tab:
          select Allow connection through any port --> and this one as well.
    5. Export the certificate as (whatever).cer; this must then be imported into the Trusted Root CA on the client workstation.

    On the DMZ Webserver (open only port 443 after going through these steps):
    1. Join the webserver to the domain.
    2. Go to System Properties | Remote tab and click on Allow connection from computers running....
    3. Click on the Remote users button and add the same user as the previous one in the TSG group (steps 3 and 4).

    On the client:
    1. Import the certificate from the TSG.domain.com into the Trusted Root CA location (click on browse and select the folder).
    2. Run mstsc (remote desktop application).
    3. General tab:
          computer: (webserver IP address) --> due to no DNS being available.
          username: Webserver\Administrator
       Advanced tab:
          select Connect and don't warn me.
          click on Settings:
             select Use these TS Gateway server settings:
             Server name: TSG.domain.com
             Login method: NTLM
             click on OK
       then connect by supplying the local admin password.
