Configure the TS Web Access Server to Allow Access from the Internet
Applies To: Windows Server 2008
To allow users to access the TS Web Access server from the Internet through TS Gateway, the recommended configuration is to place both the TS Gateway server and the TS Web Access server in the perimeter network, and to place the terminal servers that host RemoteApp programs behind the internal firewall.
Alternatively, you can deploy TS Web Access on the internal network, and then make the Web site available through Microsoft Internet Security and Acceleration (ISA) Server. For more information about Web publishing through ISA Server 2006, see Publishing Concepts in ISA Server 2006 (http://go.microsoft.com/fwlink/?LinkId=86359).
If you deploy TS Web Access in the perimeter network, you must configure your firewall to allow Windows Management Instrumentation (WMI) traffic from the TS Web Access server to the terminal server. You must ensure that TCP port 135 is open for WMI-related DCOM traffic. To control the other ports that are used for WMI traffic, you can configure a fixed port. For information about how to do this, see Setting Up a Fixed Port for WMI on MSDN® (http://go.microsoft.com/fwlink/?LinkId=109867). To use this procedure on a Windows Server 2008-based server, note the following additional information:
If you are not logged on by using the local Administrator account, you must run the commands from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
The procedure shows how to configure TCP port 24158 for WMI traffic. By default, the winmgmt -standalonehost command moves the Windows Management Instrumentation service (Winmgmt) to a standalone Svchost process that has a fixed DCOM endpoint of "ncacn_ip_tcp.0.24158".
To specify a different port number, do not use the winmgmt -standalonehost command. Instead, you must use the following procedure.
To specify a port number that is different from the default
Use Component Services to configure the fixed DCOM endpoint for WMI to the port that you want. To do this, follow these steps:
Open Component Services. To do this, click Start, point to Administrative Tools, and then click Component Services.
In the console tree, expand Component Services, expand Computers, expand My Computer, and then click DCOM Config.
In the middle pane, right-click Windows Management and Instrumentation, and then click Properties.
On the Endpoints tab, click either Properties or Add, depending on whether an existing custom entry already exists.
Click Use static endpoint, enter the port number to use, and then click OK two times.
Restart the Winmgmt service for the change to take effect. To restart the service, run the commands net stop winmgmt and net start winmgmt from the command line.
Run the netsh command with the port parameter set to the same port that you specified in Component Services.
When you run the netsh command to create a firewall rule, you must include the protocol parameter and specify TCP as the protocol type. The following is an example of the command syntax: netsh firewall add portopening protocol=TCP port=24158 profile=domain name=WMIFixedPort
The profile parameter indicates whether the firewall rule applies to the Domain, Private, or Public profile. For more information, see "Understanding Windows Firewall with Advanced Security Profiles" in the Windows Firewall with Advanced Security Help.
Additionally, the TS Web Access Web site must be configured to use Windows authentication. By default, Windows authentication is enabled for the TS Web Access Web site.
To verify that Windows authentication is enabled
On the TS Web Access server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
In the left pane of Internet Information Services (IIS) Manager, expand the server name, expand Sites, expand Default Web Site, and then click TS.
In the middle pane, under IIS, double-click Authentication.
Ensure that Windows Authentication is set to Enabled. If it is not, right-click Windows Authentication, and then click Enable.
If you placed TS Web Access in a custom Web site, you must ensure that the authentication method that is used for the Web site can map to the user's Windows account. You can do this by using integrated Windows authentication on the custom Web site.