Microsoft Forefront TMG – Publishing RD Web Access with RD Gateway (Part 2)

If you would like to read the first part in this article series please go to Microsoft Forefront TMG – Publishing RD Web Access with RD Gateway (Part 1).

Introduction

In this short article series I will show you how to publish Remote Desktop Web Access with Remote Desktop Gateway over Microsoft Forefront TMG. In Part I of this article series I showed you the configuration of the RD Web Access and RD Desktop Gateway service. In this article I will show you how to publish RD Web Access with Forefront TMG and how to access RD Web Access with a Windows 7 client.

Let Us Begin

This article assumes that the Remote desktop Session Host feature is correctly installed and configured, so only the Remote Desktop Web Access and Remote Desktop Gateway components has to be installed and configured.

As a first step we have to issue a certificate with the Common Name (CN) webmail.trainer.de. This name is used by clients in the Internet to access the RD Web Access or RD Gateway service.

Figure 1: Import the Webserver certificate for TMG publishing

Figure 1: Import the Webserver certificate for TMG publishing

As a next step we have to create a Webserver or Exchange Web client publishing rule. You can use both publishing rules.

Figure 2: Create new Web publishing rule

Figure 2: Create new Web publishing rule

Select Allow as the rule action.

Select Publish a single Website or Load Balancer

Use SSL to connect to the Published Web server and enter the internal Hostname of the Server you want to publish.

Figure 3: Enter internal site name

Figure 3: Enter internal site name

It is possible to restrict the access from clients to specific paths, for RD Gateway access you need to allow the /RPC/* path, which is used by the RPC over HTTPS proxy service. After the wizard has finished we must modify the publishing rule to allow access to /RDWEB/* path too, which is used by the RD Web Access feature.

Figure 4: Select the /RPC path to publish

Figure 4: Select the /RPC path to publish

Now we have to enter the public Hostname which we be used to access the published server from the Internet.

Figure 5: Enter the public Hostname

Figure 5: Enter the public Hostname

Next we have to create a new Web listener for RD access. Because we want to use SSL Bridging, select Require SSL Secured Connections With Clients. If you only have one IP address bound to the external interface on Forefront TMG you do not need to change the Listener IP address. If you have more than one IP address bound to the external NIC interface of Forefront TMG, it is possible to select the IP address which we want to use to publish the RD server.

Figure 6: Select the Web listener

Figure 6: Select the Web listener

Now it is time to select the Certificate which will be bound to the Web listener. Select the webmail.trainer.de certificate.

Figure 7: Use the Webmail.trainer.de certificate

Figure 7: Use the Webmail.trainer.de certificate

The Authentication method is HTTP Integrated Authentication with Active Directory.

Figure 8: Select HTTP as the authentication method

Figure 8: Select HTTP as the authentication method

The Authentication delegation method is Kerberos constrained delegation (KCD). We also have to enter the correct Service Principal Name (SPN). The SPN for this lab environment is HOST/trainer-dc.trainer.intern.

Figure 9: Select KCD and enter the SPN

Figure 9: Select KCD and enter the SPN

The rule applies toAll authenticated users.

Click Finish. You will see an additional information message that you have to configure the TMG Server to allow for delegation against the RD server.

Figure 10: Information message for additional KCD configuration

Figure 10: Information message for additional KCD configuration

Click Apply.

After the configuration changes has been applied, we have to modify the publishing rule to allow access to the additional /RDWEB/* path which is used by the RD Web Access feature.

Figure 11: Add the /RDWEB path as an additional allowed path

Figure 11: Add the /RDWEB path as an additional allowed path

As a final step we must configure the Trust for Delegation settings. Open the Active Directory Computer and Users Snap In on a Domain Controller and navigate to the Computer account of the Forefront TMG Server, and select the delegation tab, select Advanced and choose the Server with the RD services and select Host as the service type.

Figure 12: Trust the RD Gateway for Kerberos Delegation

Figure 12: Trust the RD Gateway for Kerberos Delegation

The configuration of Forefront TMG has been finished so we can now configure the Windows 7 client in the Internet to get RD Gateway and RD Web Access.

Start the Remote Desktop connection utility (MSTSC.EXE) and enter the published public host name as the name of the computer where you want to connect to.

Figure 13: Connect to the public hostname

Figure 13: Connect to the public hostname

Next click Advanced and settings in the connect from anywhere section.

Figure 14: Connect from anywhere

Figure 14: Connect from anywhere

Manually specify the RD Gateway settings and as the RD Gateway Server enter the name of the internal Server with the RD Gateway role installed. Be sure that the checkbox Bypass RD Gateway Server for local access is checked.

Figure 15: Enter the RD Gateway INTERNAL Server name

Figure 15: Enter the RD Gateway INTERNAL Server name

Now try to make a connection to the RD Gateway Server. If your connection is successful you should see an additional icon in the Remote Desktop console which indicates that you are connect through the RD Gateway service.

Figure 16: Connected via HTTPS with the RD Gateway service

Figure 16: Connected via HTTPS with the RD Gateway service

If you are the Administrator of the RD Gateway server you can also monitor the connections from clients to the RD Gateway with the RD Gateway Manager console under the Monitoring node as you can see in the following picture.

Figure 17: Monitoring the connection with the RD Gateway manager

Figure 17: Monitoring the connection with the RD Gateway manager

Now try to open this Website from the Windows 7 client and you should also get access to the RD Web Access feature after a successful authentication. Depending on the RD Web Access and RD RemoteApp settings you can now access application over the web interface which will be tunneled through the RD Gateway service.

Figure 18: RD Web Access over the Internet

Figure 18: RD Web Access over the Internet

Conclusion

In this article I showed you how to publish the RD Gateway service and the RD Web Access feature with the help of Microsoft Forefront TMG and I also showed you how to access the RD Gateway service with the Remote Desktop client connection and how to access the RD Web Access feature with the client web browser.

If you would like to read the first part in this article series please go to Microsoft Forefront TMG – Publishing RD Web Access with RD Gateway (Part 1).

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top