Terminal Services Gateway (TS Gateway)
Updated: September 24, 2007
Applies To: Windows Server 2008
Terminal Services Gateway (TS Gateway) is a role service in the Terminal Services server role of Windows Server® 2008 that allows authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device. The network resources can be terminal servers, terminal servers running RemoteApp programs, or computers with Remote Desktop enabled.
TS Gateway uses Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.
What does TS Gateway do?
TS Gateway provides many benefits, including:
TS Gateway enables remote users to connect to internal network resources over the Internet, by using an encrypted connection, without needing to configure virtual private network (VPN) connections.
TS Gateway provides a comprehensive security configuration model that enables you to control access to specific internal network resources.
TS Gateway provides a point-to-point RDP connection, rather than allowing remote users access to all internal network resources.
TS Gateway enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators (NATs). With TS Gateway, you do not need to perform additional configuration for the TS Gateway server or clients for this scenario.
Prior to this release of Windows Server, security measures prevented remote users from connecting to internal network resources across firewalls and NATs. This is because port 3389, the port used for RDP connections, is typically blocked for network security purposes at the firewalls. TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.
The TS Gateway Manager snap-in console enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources. For example, you can specify:
Who can connect to network resources (in other words, the user groups who can connect).
What network resources (computer groups) users can connect to.
Whether client computers must be members of Active Directory security groups.
Whether device and disk redirection is allowed.
Whether clients need to use smart card authentication or password authentication, or whether they can use either method.
You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement, and remediation technology that is included in Windows® XP Service Pack 3 (SP3), Windows Vista®, and Windows Server 2008. With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings.
Computers running Windows Server 2008 cannot be used as NAP clients when TS Gateway enforces NAP. Only computers running Windows XP with SP3 and Windows Vista can be used as NAP clients when TS Gateway enforces NAP.
For information about how to configure TS Gateway to use NAP for health policy enforcement for Terminal Services clients that connect to TS Gateway servers, see the TS Gateway Step-by-Step Guide (<http://go.microsoft.com/fwlink/?linkid=85872>).
You can use TS Gateway server with Microsoft Internet Security and Acceleration (ISA) Server to enhance security. In this scenario, you can host TS Gateway servers in a private network rather than a perimeter network (also known as a DMZ, demilitarized zone, and screened subnet), and host ISA Server in the perimeter network. The SSL connection between the Terminal Services client and ISA Server can be terminated at the ISA Server, which is Internet-facing.
For information about how to configure ISA Server as an SSL termination device for TS Gateway server scenarios, see the TS Gateway Step-by-Step Guide (http://go.microsoft.com/fwlink/?linkid=85872).
The TS Gateway Manager snap-in console provides tools to help you monitor TS Gateway connection status, health, and events. By using TS Gateway Manager, you can specify events (such as unsuccessful connection attempts to the TS Gateway server) that you want to monitor for auditing purposes.
Who will be interested in this feature?
If your organization is interested in making Terminal Services–based applications and computers that run Remote Desktop available to users from outside your network perimeter, you can use TS Gateway to simplify network administration and reduce exposure to security risks.
TS Gateway can also make it easier for users because they do not have to configure VPN connections and can access TS Gateway servers from sites that can otherwise block outbound RDP or VPN connections.
You should review this section and the additional supporting documentation about TS Gateway if you are in any of the following groups:
IT administrators, planners, and analysts who are evaluating remote access and mobile solution products
Enterprise IT architects and designers for organizations
Security architects who are responsible for implementing trustworthy computing
IT professionals who are responsible for terminal servers or remote access to desktops
Are there any special considerations?
For TS Gateway to function correctly, you must meet these prerequisites:
You must have a server with Windows Server 2008 installed.
You must be a member of the Administrators group on the computer that you want to configure as a TS Gateway server.
You must obtain an externally trusted SSL certificate for the TS Gateway server if you do not have one already. By default, on the TS Gateway server, the RPC/HTTP Load Balancing service and the IIS service use Transport Layer Security (TLS) 1.0 to encrypt communications between clients and TS Gateway servers over the Internet. For TLS to function correctly, you must install an SSL certificate on the TS Gateway server.
You do not need a certification authority (CA) infrastructure within your organization if you can use another method to obtain an externally trusted certificate that meets the requirements for TS Gateway. If your company does not maintain a stand-alone CA or an enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes.
The certificate must meet these requirements: - The name in the Subject line of the server certificate (certificate name, or CN) must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. If your organization issues certificates from an enterprise CA, a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this. - The certificate is a computer certificate. - The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (184.108.40.206.220.127.116.11.1). - The certificate has a corresponding private key. - The certificate has not expired. We recommend that the certificate be valid one year from the date of installation. - A certificate object identifier (also known as OID) of 18.104.22.168 is not required. However, if the certificate that you plan to use contains an object identifier of 22.214.171.124, you can only use the certificate if at least one of the following key usage values is also set: **CERT\_KEY\_ENCIPHERMENT\_KEY\_USAGE**, **CERT\_KEY\_AGREEMENT\_KEY\_USAGE**, and **CERT\_DATA\_ENCIPHERMENT\_KEY\_USAGE**. For more information about these values, see Advanced Certificate Enrollment and Management ([http://go.microsoft.com/fwlink/?LinkID=74577](http://go.microsoft.com/fwlink/?linkid=74577)). - The certificate must be trusted on clients. That is, the public certificate of the CA that signed the TS Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.
For more information about certificate requirements for TS Gateway and how to obtain and install a certificate if you do not have one already, see the TS Gateway Step-by-Step Guide (http://go.microsoft.com/fwlink/?linkid=85872).
Additionally, keep in mind the following considerations:
TS Gateway transmits all RDP traffic (that typically would have been sent over port 3389) to port 443 by using an HTTPS tunnel. This also means that all traffic between the client and TS Gateway is encrypted while in transit over the Internet.
To function correctly, TS Gateway requires several role services and features to be installed and running. When you use Server Manager to install the TS Gateway role service, the following additional role services and features are automatically installed and started, if they are not already installed:
Remote procedure call (RPC) over HTTP Proxy
Web Server (IIS) [Internet Information Services 7.0].
IIS 7.0 must be installed and running for the RPC over HTTP Proxy service to function.
Network Policy and Access Services.
You can also configure TS Gateway to use Terminal Services connection authorization policies (TS CAPs) that are stored on another server that runs the Network Policy Server (NPS) service. You can use this NPS server—formerly known as a Remote Authentication Dial-In User Service (RADIUS) server—to centralize the storage, management, and validation of TS CAPs. If you have already deployed an NPS server for remote access scenarios such as VPN and dial-up networking, using the existing NPS server for TS Gateway scenarios as well can enhance your deployment. However, in this configuration, the NPS server is still required on the TS Gateway server to act as a proxy server for the central NPS server.
How should I prepare for TS Gateway?
You should review this topic and the additional supporting documentation on TS Gateway, including the TS Gateway Step-by-Step Guide (http://go.microsoft.com/fwlink/?linkid=85872).
You should also prepare to acquire an SSL certificate, or to issue one from your own certification authority (CA).
You should become familiar with the TLS and SSL protocols if you are not already.
What new functionality does this feature provide?
TS Gateway provides access to RDP resources from outside the corporate network, and includes the following new features to simplify administration and enhance security.
Terminal Services connection authorization policies (TS CAPs) allow you to specify user groups, and optionally client computer groups, that can access a TS Gateway server. You can create a TS CAP by using TS Gateway Manager.
Why are TS CAPs important?
TS CAPs simplify administration and enhance security by providing a greater level of control over access to computers on your internal network.
TS CAPs allow you to specify who can connect to a TS Gateway server. You can specify a user group that exists on the local TS Gateway server or in Active Directory Domain Services. You can also specify other conditions that users must meet to access a TS Gateway server. You can list specific conditions in each TS CAP. For example, you might require a user to use a smart card to connect through TS Gateway.
Users are granted access to a TS Gateway server if they meet the conditions specified in the TS CAP.
Users are granted access to a TS Gateway server if they meet the conditions specified in the TS CAP. You must also create a Terminal Services resource authorization policy (TS RAP). A TS RAP allows you to specify the internal network resources that users can connect to through TS Gateway. Until you create both a TS CAP and a TS RAP, users cannot connect to internal network resources through this TS Gateway server.
TS RAPs allow you to specify the internal corporate network resources that remote users can connect to through a TS Gateway server. When you create a TS RAP, you can create a computer group (a list of computers on the internal network to which you want the remote users to connect) and associate it with the TS RAP.
Remote users connecting to an internal network through a TS Gateway server are granted access to computers on the network if they meet the conditions specified in at least one TS CAP and one TS RAP.
When you associate a TS Gateway-managed computer group with a TS RAP, you can support both fully qualified domain names (FQDNs) and NetBIOS names by adding both names to the TS Gateway-managed computer group separately. When you associate an Active Directory security group with a TS RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the TS Gateway server. If the internal network computer belongs to a different domain than the TS Gateway server, users must specify the FQDN of the internal network computer.
Together, TS CAPs and TS RAPs provide two different levels of authorization to provide you with the ability to configure a more specific level of access control to computers on an internal network.
Security groups and TS Gateway-managed computer groups associated with TS RAPs
Remote users can connect through TS Gateway to internal network resources in a security group or a TS Gateway-managed computer group. The group can be any one of the following:
Members of an existing security group. The security group can exist in Local Users and Groups on the TS Gateway server, or it can exist in Active Directory Domain Services.
Members of an existing TS Gateway-managed computer group or a new TS Gateway-managed computer group. You can configure a TS Gateway–managed computer group by using TS Gateway Manager after installation.
A TS Gateway-managed computer group will not appear in Local Users and Groups on the TS Gateway server, nor can it be configured by using Local Users and Groups.
When you add an internal network computer to the list of TS Gateway-managed computers, keep in mind that if you want to allow remote users to connect to the computer by specifying either its computer name or its IP address, you must add the computer to the computer group twice (by specifying the computer name of the computer and adding it to the computer group and then specifying the IP address of the computer and adding it to the computer group again). If you specify only an IP address for a computer when you add it to a computer group, users must also specify the IP address of that computer when they connect to that computer through TS Gateway.
To ensure that remote users connect to the internal corporate network computers that you intend, we recommend that you do not specify IP addresses for the computers, if the computers are not configured to use static IP addresses. For example, you should not specify IP addresses if your organization uses DHCP to dynamically reconfigure IP addresses for the computers. To ensure that remote users connect to the internal corporate network computers that you intend, we recommend that you do not specify IP addresses for the computers, if the computers are not configured to use static IP addresses. For example, you should not specify IP addresses if your organization uses DHCP to dynamically reconfigure IP addresses for the computers.
- Any network resource. In this case, users can connect to any computer on the internal network that they could connect to when they use Remote Desktop Connection.
To ensure that the appropriate users have access to the appropriate network resources, plan and create security groups and TS Gateway-managed computer groups carefully. Evaluate the users who should have access to each group, and then associate the groups with TS RAPs to grant users access as needed.
You can use TS Gateway Manager to view information about active connections from Terminal Services clients to internal corporate network resources through TS Gateway. This information includes:
The connection ID. The connection ID is displayed in the format <a:b>, where "a" is the tunnel ID that uniquely identifies a specific connection to the TS Gateway server and "b" is the channel ID. The tunnel ID represents the number of connections that the TS Gateway server has received since the Terminal Services Gateway service has been running. Each time the TS Gateway server receives a new connection, the tunnel ID is incremented by 1.
The domain and user ID of the user logged on to the client.
The full name of the user logged on to the client.
The date and time when the connection was initiated.
The length of time the connection was active.
The length of time that the connection is idle, if applicable.
The name of the internal network computer to which the client is connected
The IP address of the client
If your network configuration includes proxy servers, the IP address that appears in the Client IP Address column (in the Monitoring details pane) might reflect the IP address of the proxy server, rather than the IP address of the Terminal Services client.
- The port on the internal network computer to which the client is connected
You can also specify the types of events that you want to monitor, such as unsuccessful or successful connection attempts to internal network computers through a TS Gateway server.
When these events occur, you can monitor the corresponding events by using Windows Event Viewer. TS Gateway events are stored in Event Viewer under Application and Services Logs\Microsoft\Windows\Terminal Services-Gateway\.
Group Policy settings for TS Gateway
You can use Group Policy and Active Directory Domain Services to centralize and simplify the administration of TS Gateway policy settings. You use the Local Group Policy Editor to configure local policy settings, which are contained within Group Policy objects (GPOs). You use the Group Policy Management Console (GPMC) to link GPOs to sites, domains, or organizational units (OUs) in Active Directory Domain Services.
Group Policy settings for Terminal Services client connections through TS Gateway can be applied in one of two ways. These policy settings can either be suggested (that is, they can be enabled, but not enforced) or they can be enabled and enforced. Suggesting a policy setting allows users on the client to enter alternate TS Gateway connection settings. Enforcing a policy setting prevents a user from changing the TS Gateway connection setting, even if they select the Use these TS Gateway server settings option on the client.
The following three Group Policy settings are available for TS Gateway server:
Set the TS Gateway Server Authentication Method: Enables you to specify the authentication method that Terminal Services clients must use when connecting to internal network resources through a TS Gateway server.
Enable Connections Through TS Gateway: Enables you to specify that, when Terminal Services clients cannot connect directly to an internal network resource, the clients will attempt to connect to the internal network resource through the TS Gateway server that is specified in the Set the TS Gateway server address policy setting.
Set the TS Gateway Server Address: Enables you to specify the TS Gateway server that Terminal Services clients use when they cannot connect directly to an internal network resource.
If you disable or do not configure this policy setting, but enable the Enable connections through TS Gateway policy setting, client connection attempts to any internal network resource will fail if the client cannot connect directly to the network resource.
Do I need to change any existing code?
You do not need to change any existing code to work with TS Gateway. TS Gateway only manages the way in which the connection to the internal corporate network computer is created.
TS Gateway can route connections to any Terminal Services–based session, including those on Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP–based computers.
If the internal corporate network computer is using new Terminal Services features, you will need to use the Remote Desktop Connection 6.1 software, which is included with Windows Server 2008, Windows Vista Service Pack 1, and Windows XP SP3.
The Remote Desktop Connection 6.0 software is also available for use on Windows Server 2003 with Service Pack 1, Windows Server 2003 with Service Pack 2, and Windows XP with Service Pack 2. To use any new Terminal Services features on any of these platforms, download the installer package from article 925876 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79373).
For information about other new features in Terminal Services, see What's New in Terminal Services for Windows Server 2008.