
Saturday, 10 April 2010

Terminal Services Gateway with Network Policy Server

You can use the TS Gateway Microsoft Management Console (MMC) snap-in to configure the NPS policies for TS Gateway. TS Gateway uses a local NPS server to store an associated Terminal Services Connection Authorization Policy (TS CAP) as a network policy. (NPS is installed on the same computer as TS Gateway.) When a network policy is created from the TS Gateway user interface (UI), the policy is stored in the NPS back-end store (Ias.xml).

The NPS server also maintains a cache of the stored policies. Although TS Gateway updates changes that are made in the NPS back-end store, the NPS policy cache is not updated. If changes are made to the policy by using the NPS UI, the NPS UI overwrites the back-end store by using the contents of the cache. This behavior may cause you to lose the policy changes that you made by using the TS Gateway MMC snap-in.
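One way to notice the overwrite described above, as an added example that is not part of the original post: snapshot Ias.xml after a change made in the TS Gateway snap-in, then compare it once the NPS console has been used. The store path, the `C:\NpsSnapshots` folder and the function names are assumptions, and PowerShell must be installed on the server.

```powershell
# Added example, not from the original post.
# Assumption: Ias.xml sits at the default location below; adjust $Store if not.
$Store   = Join-Path $env:SystemRoot 'System32\ias\ias.xml'
$SnapDir = 'C:\NpsSnapshots'   # hypothetical backup folder

# SHA-256 of a file as a hex string (uses .NET so it works on old PowerShell).
function Get-Sha256Hex([string]$Path) {
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '')
}

# Copy the back-end store to a timestamped file and return the copy's path.
function Save-NpsSnapshot {
    if (-not (Test-Path $SnapDir)) {
        New-Item -ItemType Directory -Path $SnapDir | Out-Null
    }
    $dest = Join-Path $SnapDir ('ias-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
    Copy-Item -Path $Store -Destination $dest
    return $dest
}

# Compare the live store with a snapshot. The diff is line-based:
#   '<=' lines exist only in the snapshot (content that has been lost),
#   '=>' lines exist only in the current store.
function Compare-NpsSnapshot([string]$Snapshot) {
    if ((Get-Sha256Hex $Snapshot) -eq (Get-Sha256Hex $Store)) {
        Write-Output 'Ias.xml is unchanged since the snapshot.'
        return
    }
    Write-Output 'Ias.xml differs from the snapshot:'
    Compare-Object (Get-Content $Snapshot) (Get-Content $Store) |
        Select-Object SideIndicator, InputObject
}

# Usage:
# 1) After editing a TS CAP in the TS Gateway snap-in:
#      $snap = Save-NpsSnapshot
# 2) After anyone has saved changes in the NPS console:
#      Compare-NpsSnapshot $snap
```

Lines marked `<=` that belong to the TS CAP you edited indicate that the NPS console wrote its cached copy over the change.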

TS Gateway is a role service in the Terminal Services server role of Windows Server 2008. The role allows for authorized remote users to connect to resources on an internal corporate network or on a private network from any Internet-connected device. The network resources can be terminal servers, terminal servers that are running RemoteApp programs, or computers that have Remote Desktop enabled.


 


Deploying TS Gateway in Windows Server 2008


A number of requirements must be met before the TS Gateway role service can be installed. The requirements are as shown below:

1) An SSL certificate must be obtained for and installed on the TS Gateway server(s).

2) For a TS Gateway authorization policy to use domain-based groups, Active Directory must be present.

3) The Remote Procedure Call (RPC) over HTTP Proxy feature must be installed.

4) The Web Server (Internet Information Services 7.0) role must be installed.

5) Lastly, the Network Policy Server (NPS) role must be installed or present on the network.

After the previous requirements have been met, the TS Gateway role service can be installed and configured using the following steps:

1. Log on to the desired server with local administrator privileges.

2. Click on Start and then click Run.

3. In the Run dialog box, type in ServerManager.msc and click OK.

4. In the Roles Summary section, click the Add Roles task.

5. After the Add Roles Wizard loads, click Next.

6. On the Select Server Roles page, select the Terminal Services role, and click Next.

7. On the Terminal Services page, click Next.

8. Now, on the Select Role Services page, only select the Terminal Server role service. This is the only role service that is being installed at this time. Click Next.

NOTE: If you are prompted to install any additional roles, role services, or features that are required, click Add Required Role Services.

9. Click Next on the Select Role Services page.

10. On the Choose a Server Authentication Certificate for SSL Encryption page, choose one of the following certificate options:

a) Choose an Existing Certificate for SSL Encryption (Recommended)
b) Create a Self-Signed Certificate for SSL Encryption
c) Choose a Certificate for SSL Encryption Later

11. On the Create Authorization Policies for TS Gateway page, select the Now option, and click Next.

NOTE: These steps assume that the NPS role will be installed on the TS Gateway server. If this is not the case, select the Later option and configure the TS CAP and a TS RAP at a later time.

12. On the Select User Groups That Can Connect Through TS Gateway page, click the Add button and define the local or domain groups that are allowed to connect through TS Gateway, click OK, and then click Next.

13. On the Create a TS CAP for TS Gateway page, either accept the default TS CAP name or define a new one. Then select the supported Windows authentication methods, and then click Next.

14. On the Create a TS RAP for TS Gateway page, either accept the default TS RAP name or define a new one. Then select the Allow Users to Connect to Any Computer on the Network option. Or, if security needs are greater, use the Allow Users to Connect Only to Computers in the Following Groups option.

15. Click Next.

16. On the Network Policy and Access Services page, click Next. This page will be displayed if the NPS role is not installed beforehand.

17. On the Select Role Services page, click Next.

18. On the Web Server (IIS) page, click Next. This page will be displayed if the Web Server role is not installed beforehand.

19. On the Select Role Services page, click Next.

20. On the Confirm Installation Options page, verify the information presented and click Install.

21. When the installation is finished, review the Installation Results page, and then click Close.
