If you would like to read the previous articles in this series:
- An Overview of Longhorn Server’s Terminal Service Gateway (Part 1)
- An Overview of Longhorn Server’s Terminal Service Gateway (Part 2)
- An Overview of Longhorn Server’s Terminal Service Gateway (Part 3)
- An Overview of Longhorn Server’s Terminal Service Gateway (Part 4)
In Part Four of this series I walked you through the procedure for creating a Connection Authorization Policy. The only piece of the puzzle that still has yet to be completed is that we need to put some controls in place that limit the resources that remote users have access to. In this article, I will conclude this series by demonstrating how to create resource groups and how to create resource access policies that control user access to resource groups.
Creating a Resource Group
The first thing that we need to do is to create one or more resource groups. The idea behind a resource group is that not all remote users will need access to all of the servers on your private network. A resource group is a collection of server names or server IP addresses. After you define a resource group, you’ll be able to define a Resource Access Policy that controls which server resources various users can access.
To create a resource group, begin by opening the Terminal Services Gateway Management console, if it is not already open. When the console opens, navigate through the console tree to the container that represents your Terminal Services Gateway server. When you select this container, the console’s middle pane will display status information for the server.
Go to the Configuration Status section of the console’s middle pane, and click the View Resource Authorization Policies link. When you do, the middle pane of the console will display any existing Resource Authorization Policies. Since we’re still working on the server’s initial setup, there shouldn’t be any.
If you look back at the console tree on the left, you’ll see that the Resource Authorization container has been expanded and that the Resource Authorization Policies container is selected. Select the Resource Groups container found just beneath the Resource Authorization Policies container. The console’s middle pane should now show any existing resource groups (there aren’t any).
Now go to the Actions pane and click the Create button. When you do, you’ll see the New Local Resource Group properties sheet. The first thing that you must do is to enter a name for the new resource group into the space provided on the properties sheet’s General tab. The resource group name should be descriptive, but you need to keep it short and you must avoid using spaces or special characters.
After entering a resource group name, select the properties sheet’s Resources tab. This tab allows you to control which resources remote users, to whom the resource group applies, are allowed to access. You have the option of granting access to all resources, or to specific servers. If you decide to limit the resource group to accessing specific servers, you must enter either the name or the IP address of each server that you want to grant the group access to. When you’re finished, click OK to create the resource group.
When you are creating resource groups, there is one thing to keep in mind. When a user is accessing a remote server, there are a couple of different ways that the user can access that remote server. The server can be addressed by its IP address, it’s NetBIOS name, or by its fully qualified domain name. Longhorn server is still in beta testing, so this might change by the time the product is eventually released. For now though, a resource group is unable to differentiate between a server’s NetBIOS name and its fully qualified domain name.
What this means is that if you’ve entered a server’s NetBIOS name into a resource group, but did not enter the server’s fully qualified domain name, then a user may be denied access to the server if they try to address it by fully qualified domain name. Again, I’m not sure if this is something that Microsoft plans to address before Longhorn Server is eventually released.
Creating a Resource Access Policy
Now that you have defined one or more resource groups, it’s time to create a Resource Access Policy. As I explained earlier, Resource Access Policies allow you to control user access to the resource groups that you just created.
To create a Resource Access Policy, begin by opening of the Terminal Services Gateway Management console, if it is not already open. When the console opens, navigate through the console tree to the container that represents your Terminal Services Gateway server. When you select this container, the console’s middle pane will display status information for the server.
Go to the Configuration Status section of the console’s middle pane, and click the View Resource Authorization Policies link. When you do, the middle pane of the console will display any existing Resource Authorization Policies. Since we’re still working on the server’s initial setup, there shouldn’t be any Resource Authorization Policies listed.
The next step in the process is to go to the Actions pane, and click the Create New Policy link. When you do, Windows will display the New Resource Authorization Policy properties sheet. When the properties sheet opens, go to the General tab and enter a policy name and the space provided. You’ll need to limit the policy name to no more than 64 characters. If you need more space, then the General tab also allows you to enter an optional description.
Now that you have entered a name for the new Resource Authorization Policy, it’s time to link user groups and resource groups to the policy. Select the properties sheet’s User Groups tab, and you will see a list of user groups that are bound to the Resource Authorization Policy. Since this is a brand new policy, there should not be any user groups currently bound to it. However, if you click the Add button you’ll have the opportunity to specify the names of the user groups that you want the Resource Authorization Policy to apply to.
After you finish entering the user groups that you want the policy to apply to, select the properties sheet’s Resource Group tab. This is where you select the resource groups that you want to bind to the policy. All you have to do is to make sure that the Local Resource Group radio button is selected, and click the Browse button. When you do, you’ll see a list of the resource groups that you defined earlier. Select the resource group that you want to bind to the policy, and click OK.
Putting it all Together
We have finally finished the procedure of configuring the Terminal Service Gateway server, and defining the necessary policies. Before I end this article, I just want to take a minute to clarify what is actually happening when a user attaches to the Terminal Service Gateway.
One array user connects to the Terminal Service Gateway, the first thing that the Terminal Service Gateway looks at is the Connection Authorization Policy. The server has to verify that the remote user account belongs to a security group that is included and one of the Connection Authorization Policies. The Terminal Service Gateway also checks to make sure that the user’s authentication method (password or smart card) is allowed.
After the Terminal Service Gateway server determines that the remote user is allowed to connect, it looks at the Resource Authorization Policies. As you saw earlier, the Resource Authorization Policies are based on security group membership. The Terminal Service Gateway server looks at the user’s security group membership to determine which Remote Authorization Policies apply to the user.
Once the Terminal Service Gateway server knows which Resource Authorization Policies apply to the remote user, it looks inside of those policies to determine which resource groups the user should be granted access to. Keep in mind that resource groups only grant the remote user access to connect to the server in question. Resources on the server are still protected by access control lists, just as they would be if the user were connecting from the computer on the local area network.
In this article series, I have explained that the Terminal Service Gateway is a new feature in Longhorn Server that allows remote users to engage in terminal server sessions over the Internet. I then walked you through the process of configuring a Terminal Service Gateway server.
As you attempt these procedures on your own, there are two things to keep in mind. First, at the time that I wrote this article, Longhorn Server was still in beta testing. Anything that I have talked about could potentially change by the time that Longhorn Server is ultimately released. The other thing to keep in mind is that the configuration techniques that have been demonstrated may or may not be sufficiently secure for real world use. This is especially true for the portion of the configuration that I talked about then Part three that involved acquiring a digital certificate and by making it to the server.
If you would like to read the previous articles in this series: