TS Gateway Overview
Updated: November 18, 2007
Applies To: Windows Server 2008
Windows Server® 2008 Terminal Services Gateway (TS Gateway) is a role service that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be terminal servers, terminal servers running RemoteApp™ programs, or computers with Remote Desktop enabled.
TS Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection. In this way, TS Gateway helps improve security by establishing an encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.
The procedures in this guide will help you set up a TS Gateway server, enabling remote users to access terminal servers, terminal servers running RemoteApp programs, or computers with Remote Desktop enabled on your internal corporate or private network.
Who should use TS Gateway?
This guide is targeted at these audiences:
IT administrators, planners, and analysts who are evaluating remote access and mobile solution products
Enterprise IT architects and designers
Security architects who are responsible for implementing trustworthy computing
IT professionals who are responsible for terminal servers or remote access to desktops
Benefits of TS Gateway
TS Gateway provides many benefits, including the following:
TS Gateway enables remote users to connect to internal network resources over the Internet, by using an encrypted connection, without needing to configure virtual private network (VPN) connections.
TS Gateway provides a comprehensive security configuration model that enables you to control access to specific internal network resources. TS Gateway provides a point-to-point RDP connection, rather than allowing remote users access to all internal network resources.
TS Gateway enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators (NATs). With TS Gateway, you do not need to perform additional configuration for the TS Gateway server or clients for this scenario.
In earlier versions of Windows Server, security measures prevented remote users from connecting to internal network resources across firewalls and NATs. This is because port 3389, the port used for RDP connections, is typically blocked for network security purposes. TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.
The TS Gateway Manager snap-in console enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources. For example, you can specify:
Who can connect to network resources (in other words, the user groups who can connect).
What network resources (computer groups) users can connect to.
Whether client computers must be members of Active Directory® security groups.
Whether device and disk redirection is allowed.
Whether clients need to use smart card authentication or password authentication, or whether they can use either method.
You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement, and remediation technology that is included in Windows Vista® RTM, Windows Server 2008, and Windows Vista Service Pack 1 (SP1) and Windows XP Service Pack 3 (SP3).
With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings.
You can use a TS Gateway server in conjunction with Microsoft Internet Security and Acceleration (ISA) Server to enhance security. In this scenario, you can host TS Gateway servers in a private network rather than a perimeter network, and host ISA Server in the perimeter network. Or, ISA Server can serve as an isolation point for either or both ends of the perimeter network. The SSL connection between the Terminal Services client and ISA Server can be terminated at the ISA Server, which is Internet-facing.
TS Gateway Manager provides tools to help you monitor TS Gateway connection status, health, and events. By using TS Gateway Manager, you can specify events (such as unsuccessful connection attempts to the TS Gateway server) that you want to monitor for auditing purposes.
For product support, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=48555).
To access newsgroups for Terminal Services, see the Terminal Services Community page on the Microsoft TechNet Web site (http://go.microsoft.com/fwlink/?LinkId=85730).