If you would like to read the first part in this article series please go to Microsoft Forefront TMG – Publishing RD Web Access with RD Gateway (Part 1).
Introduction
In this short article series I will show you how to publish Remote Desktop Web Access with Remote Desktop Gateway over Microsoft Forefront TMG. In Part I of this article series I showed you the configuration of the RD Web Access and RD Desktop Gateway service. In this article I will show you how to publish RD Web Access with Forefront TMG and how to access RD Web Access with a Windows 7 client.“
Let Us Begin
This article assumes that the Remote desktop Session Host feature is correctly installed and configured, so only the Remote Desktop Web Access and Remote Desktop Gateway components has to be installed and configured.
As a first step we have to issue a certificate with the Common Name (CN) webmail.trainer.de. This name is used by clients in the Internet to access the RD Web Access or RD Gateway service.
Figure 1: Import the Webserver certificate for TMG publishing
As a next step we have to create a Webserver or Exchange Web client publishing rule. You can use both publishing rules.
Figure 2: Create new Web publishing rule
Select Allow as the rule action.
Select Publish a single Website or Load Balancer
Use SSL to connect to the Published Web server and enter the internal Hostname of the Server you want to publish.
Figure 3: Enter internal site name
It is possible to restrict the access from clients to specific paths, for RD Gateway access you need to allow the /RPC/* path, which is used by the RPC over HTTPS proxy service. After the wizard has finished we must modify the publishing rule to allow access to /RDWEB/* path too, which is used by the RD Web Access feature.
Figure 4: Select the /RPC path to publish
Now we have to enter the public Hostname which we be used to access the published server from the Internet.
Figure 5: Enter the public Hostname
Next we have to create a new Web listener for RD access. Because we want to use SSL Bridging, select Require SSL Secured Connections With Clients. If you only have one IP address bound to the external interface on Forefront TMG you do not need to change the Listener IP address. If you have more than one IP address bound to the external NIC interface of Forefront TMG, it is possible to select the IP address which we want to use to publish the RD server.
Figure 6: Select the Web listener
Now it is time to select the Certificate which will be bound to the Web listener. Select the webmail.trainer.de certificate.
Figure 7: Use the Webmail.trainer.de certificate
The Authentication method is HTTP Integrated Authentication with Active Directory.
Figure 8: Select HTTP as the authentication method
The Authentication delegation method is Kerberos constrained delegation (KCD). We also have to enter the correct Service Principal Name (SPN). The SPN for this lab environment is HOST/trainer-dc.trainer.intern.
Figure 9: Select KCD and enter the SPN
The rule applies toAll authenticated users.
Click Finish. You will see an additional information message that you have to configure the TMG Server to allow for delegation against the RD server.
Figure 10: Information message for additional KCD configuration
Click Apply.
After the configuration changes has been applied, we have to modify the publishing rule to allow access to the additional /RDWEB/* path which is used by the RD Web Access feature.
Figure 11: Add the /RDWEB path as an additional allowed path
As a final step we must configure the Trust for Delegation settings. Open the Active Directory Computer and Users Snap In on a Domain Controller and navigate to the Computer account of the Forefront TMG Server, and select the delegation tab, select Advanced and choose the Server with the RD services and select Host as the service type.
Figure 12: Trust the RD Gateway for Kerberos Delegation
The configuration of Forefront TMG has been finished so we can now configure the Windows 7 client in the Internet to get RD Gateway and RD Web Access.
Start the Remote Desktop connection utility (MSTSC.EXE) and enter the published public host name as the name of the computer where you want to connect to.
Figure 13: Connect to the public hostname
Next click Advanced and settings in the connect from anywhere section.
Figure 14: Connect from anywhere
Manually specify the RD Gateway settings and as the RD Gateway Server enter the name of the internal Server with the RD Gateway role installed. Be sure that the checkbox Bypass RD Gateway Server for local access is checked.
Figure 15: Enter the RD Gateway INTERNAL Server name
Now try to make a connection to the RD Gateway Server. If your connection is successful you should see an additional icon in the Remote Desktop console which indicates that you are connect through the RD Gateway service.
Figure 16: Connected via HTTPS with the RD Gateway service
If you are the Administrator of the RD Gateway server you can also monitor the connections from clients to the RD Gateway with the RD Gateway Manager console under the Monitoring node as you can see in the following picture.
Figure 17: Monitoring the connection with the RD Gateway manager
Now try to open this Website from the Windows 7 client and you should also get access to the RD Web Access feature after a successful authentication. Depending on the RD Web Access and RD RemoteApp settings you can now access application over the web interface which will be tunneled through the RD Gateway service.
Figure 18: RD Web Access over the Internet
Conclusion
In this article I showed you how to publish the RD Gateway service and the RD Web Access feature with the help of Microsoft Forefront TMG and I also showed you how to access the RD Gateway service with the Remote Desktop client connection and how to access the RD Web Access feature with the client web browser.
If you would like to read the first part in this article series please go to Microsoft Forefront TMG – Publishing RD Web Access with RD Gateway (Part 1).
