If you would like to read the other articles in this series please see:
- An Overview of Longhorn Server’s Terminal Service Gateway (Part 1)
- An Overview of Longhorn Server’s Terminal Service Gateway (Part 2)
- An Overview of Longhorn Server’s Terminal Service Gateway (Part 3)
So far in this article series, I have shown you how to install the Terminal Service Gateway components, and how to attach a certificate from an Enterprise Certificate Authority to the Terminal Server gateway. The Terminal Service gateway is nearly ready to use, but we need to make a final adjustment to IIS and set up a few policies.
So far in this series, we have configured the Terminal Services Gateway to an almost usable state. Keep in mind that the main purpose of the Terminal Services Gateway is to allow remote users to access the Terminal Services over the Internet. As such, your Terminal Services Gateway server must also act as an IIS server. There is a little bit of configuration that has to take place on the IIS side, but the procedure is very simple.
Normally when you configure IIS, you do so through the IIS console. In this particular case though you’re going to have to perform the IIS configuration through the Terminal Services Gateway Management console. When the console opens, navigate to the container and the console tree that represents your Terminal Service Gateway server. When you do, the middle pane of the console will display the Terminal Service Gateway status. Within the status section is a section labeled Configuration Tasks. Click on the configuration task labeled Configure IIS Settings for TS Gateway. You will now see a warning message indicating that IIS settings must be modified. Click Yes to allow the modification. You should now see a message indicating that IIS is successfully configured for Terminal Services Gateway operations.
Creating a Connection Authorization Policy
At this point, the Terminal Services Gateway should be functional and ready to use. The only thing left is to authorize some people to use it. The first step in doing so is to create a Connection Authorization Policy. Any Connection Authorization Policy, or CAP for short, is a policy that allows you to specify which user groups can access resources on your network through the Terminal Services Gateway.
Before I show you how to create a CAP, there is one thing that I want to mention. The way that Longhorn Server is designed, it is possible to create multiple Connection Authorization Policies. Although you can create multiple policies, each user group can belong to only one policy. This is to avoid the problems that would arise from contradictory policies.
With that said, let’s create a policy. Begin by opening the Terminal Services Gateway Management console if it is not already open. When the console opens, navigate through the console tree to the container that represents your Terminal Service Gateway server. When you select this container, the middle pane of the console will display the status information that you saw earlier. Go to the configuration status section and click the View Connection Authorization Policies link.
At this point, the middle section of the console should change to display any existing Connection Authorization Policies. Of course since were to setting up the server there shouldn’t be any. To create a policy, click the Create New Policy link found in the Actions pane. When you do, Windows will display the New Connection Authorization Policy properties sheet.
Begin by entering a name for the policy into the space provided on the General tab. The name that you enter will be used to differentiate this policy from other policies that you may create in the future. Therefore, I recommend using a descriptive name. You can use up to 64 characters.
Now go to the cap conditions tab. You must now specify the conditions that user accounts must meet in order to access the network through the Terminal Services Gateway. The first thing that you must do, it’s to select the user groups that you want to allow. This is an absolute requirement. To do so, just click the Add button found in the User Group Membership section, and then follow the prompts.
After entering a user group, you have the option of entering a client computer group. This is optional, but if you decide that you want to enter a client computer group, then just click the Add button found in the Client Computer Groups section and follow the prompts. Keep in mind that if you add a client computer group, then anyone accessing of the Terminal Services Gateway and using this policy must be a member of both one of the user groups listed and a member of a list of the client computer group.
The last thing that you must enter on the Conditions tab is an authentication method. You can allow smart cards and/or passwords. Select the authentication methods that you want to allow by selecting the corresponding checkboxes.
You have now entered all of the necessary information to create a Connection Authorization Policy. Even so, I recommend taking a look at the properties sheet’s Device Redirection tab before you click OK. You are required to use any of the security features found on the Device Redirection tab, but the options available to you are pretty cool, so wanted to at least mention them.
The Device Redirection gives you the option of disabling redirection for trusted a remote client devices. The tab contains a series of checkboxes that you can use to disable things like disk drives, the Windows clipboard, printers, serial ports, and even plug and play devices.
When you have finished configuring your Connection Authorization Policy, click OK to continue. The policy that you have created is now displayed on the Connection Authorization Policies portion of the Terminal Services Gateway Management console.
Earlier I mentioned that the user group can only be included in a single policy in order to avoid contradictions. Of course it is always possible that an individual user account will be included in multiple user groups. If this were the case, then it is possible that there may be multiple Connection Authorization Policies that apply to a user.
Fortunately, the Terminal Services Gateway Management console has a way of dealing with such contradictions. If you look at the list of Connection Authorization Policies, you will notice that each one is assigned an order number. Connection Authorization Policies are applied according to their order number. That being the case, the first policy on the list that a user matches is a policy that will be applied. For example, if policy numbers one and three were both matches for a specific user account, then policy number one would be applied because it has a lower order number than policy three.
We have now fully configured the Terminal Services Gateway, and created some Connection Authorization Policies defining which users are allowed to access network resources through the Gateway. In Part five, I will conclude the series by showing you how to create resource groups and resource access policies.
If you would like to read the other articles in this series please see: