Microsoft Forefront TMG – Publishing RD Web Access with RD Gateway (Part 1)
In this short article series I will show you how to publish Remote Desktop Web Access with Remote Desktop Gateway over Microsoft Forefront TMG. Part one of this article series shows the configuration of the RD Web Access and RD Gateway services. Part two will show you how to publish RD Web Access with Forefront TMG.
Let us Begin
Windows Server 2008 R2 provides some new and exciting features for Terminal Services access. Starting with Windows Server 2008 R2, Microsoft changed the names of the Terminal Server components. For example, the Terminal Server feature in previous Windows Server versions is now called Remote Desktop Session Host. One of the new features introduced with Windows Server 2008 is the Remote Desktop Gateway, which allows Remote Desktop clients to establish an RDP connection through HTTPS with the Remote Desktop Gateway, which acts as an RPC over HTTPS proxy. The Remote Desktop Gateway then connects the RDP client, using the RDP protocol, to the internal Remote Desktop Session Hosts. This is a great feature because HTTPS (The Universal Firewall Bypass Protocol) is widely allowed and will not be blocked by firewalls or other devices. In conjunction with the Remote Desktop Web Access feature, a user can connect to a website which provides access to published applications, called RemoteApps in Microsoft terms, which are tunneled through HTTPS to the Remote Desktop Gateway service. To enhance the security of Remote Desktop access, it is possible to use Forefront TMG to publish Remote Desktop Web Access with Remote Desktop Gateway.
This article assumes that the Remote Desktop Session Host feature is correctly installed and configured, so only the Remote Desktop Web Access and Remote Desktop Gateway components have to be installed and configured.
For the examples in this article we will use the following lab environment:
One Windows 7 Ultimate client for Remote Desktop client access
One Forefront TMG Server for Remote Desktop publishing and acting as the Remote Desktop Gateway and Remote Desktop Web Access feature
One Windows Server 2008 R2 with installed Remote Desktop Session Host services
After installing the Remote Desktop Web Access feature, you have to log on to the Remote Desktop Web Access configuration to change some settings.
You must configure RD Web Access to provide users access to RemoteApp and Remote Desktop connections. Select an RD Connection Broker server or a RemoteApp server as the source, as you can see in the following picture. We choose RemoteApp to get the published RD apps from the Remote Desktop Session Host.
After the settings are saved, you will see the RemoteApp programs in RD Web Access.
Because Forefront TMG acts as an SSL bridging gateway in the upcoming secure web server publishing, it is important to implement the correct certificate infrastructure. You have to make sure that the correct certificates are enrolled and that all machines involved in the publishing process (Forefront TMG, RD Session Host server and Windows 7 client) trust the same issuing Certificate Authority (CA). For the examples in this article series, we use the DNS name webmail.trainer.de to access the RD Web Access and RD Gateway services, so we have to issue a certificate whose Common Name (CN) matches the host name of the public URL which will be used to access RD Web Access or which must be entered in the Remote Desktop client connection on the Windows 7 machine on the Internet. The following picture shows the correct certificate which is used by the RD Web Access and RD Gateway services. This certificate must also be imported with the private key on the Forefront TMG Server which acts as the SSL bridging device. I will show you how to do this in the second part of this article.
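The certificate requirements above can be checked before publishing. The following PowerShell is an added example, not part of the original article; it assumes the certificate is installed in the computer's Personal store, and Test-PublishingCertificate is a hypothetical helper name.

```powershell
# Added example: pre-publishing check for the certificate described above.
# Run it on each server that holds the certificate (RD Gateway / RD Web Access, TMG).
# Test-PublishingCertificate is a hypothetical helper name, not a built-in cmdlet.
function Test-PublishingCertificate {
    param(
        [string]$PublicName = 'webmail.trainer.de',    # public DNS name used in the article
        [string]$StorePath  = 'Cert:\LocalMachine\My'  # assumption: computer Personal store
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # SimpleName returns the subject CN when one is present
        $cn = $cert.GetNameInfo($nameType, $false)
        if ($cn -ne $PublicName) { continue }

        # Build the chain against this machine's trust stores. A failure means the
        # issuing CA is not trusted here or revocation could not be checked.
        $chain    = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted  = $chain.Build($cert)
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status })

        # Collect EKU OIDs; a certificate without an EKU extension is valid for all purposes
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            CommonName    = $cn
            HasPrivateKey = $cert.HasPrivateKey    # must be True on TMG and on the RD server
            InValidity    = ((Get-Date) -ge $cert.NotBefore -and (Get-Date) -le $cert.NotAfter)
            ServerAuth    = ($ekus.Count -eq 0 -or $ekus -contains $serverAuthOid)
            ChainTrusted  = $trusted
            ChainProblems = ($problems -join ', ')
        }
    }
}

Test-PublishingCertificate | Format-List
```

No output means no certificate with that CN exists in the store; matching thumbprints on the RD server and on TMG confirm that the same certificate was imported on both.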
After installation of the RD Gateway service component, you must also select the correct SSL certificate webmail.trainer.de for the RD Gateway service as shown in the following picture.
Another important part of the configuration is to specify the SSL bridging settings for the RD Gateway service. For our lab environment we will use SSL bridging in the form of HTTPS to HTTPS bridging.
The configuration of the RD Web Access and RD Gateway service components is now finished. In part two of this article series I will show you how to configure secure web server publishing with Forefront TMG to publish RD Web Access to the Internet, and I will also show you how to connect directly to the RD Gateway service with the Remote Desktop client of the Windows 7 machine in our test lab.
In this first article, I gave you an overview of the configuration of Remote Desktop Web Access and the Remote Desktop Gateway Manager. I also showed you the steps required to prepare these features for publishing with Forefront TMG. If you would like a better integration of the Remote Desktop services with portal functionality, I recommend having a look at Microsoft Forefront UAG, which has some nice additional features. In the second part of our short article series, I will show you how to publish the RD Web Access feature over Forefront TMG and how to establish an RD Gateway connection with the Remote Desktop client over the Internet.