Publishing Remote Desktop Web Connection Sites with the ISA Firewall Part 2: Creating the Web and Server Publishing Rules

By Thomas W Shinder MD, MVP



Have Questions about the article? 
Ask at: http://tinyurl.com/9o2dr

If you would like to read the other articles in the series please go to: 

In the first part of this three-part series on publishing remote desktop Web sites, we went over how the Remote Desktop Web Connection works, and also how it doesn't work. I also discussed scenarios where there are multiple RDP servers you want to publish.

In this article we’ll move our attention to the details of the configuration. Enabling remote access to remote desktop Web connections sites is fairly straightforward: you need to create a Web Publishing Rule and one or more RDP Server Publishing Rules, depending on how many RDP servers you want to make available to external users.

Before we go into the configuration details, let's take a short look at the lab network I'm using for the configuration examples. This is a very simple network configuration and not a recommended design by any means. In order to save time building the lab, I've consolidated the Web server and the RDP server. In your production environment you'll most likely have the Web server and RDP server(s) on different machines. In addition, in this lab environment I've made the Web server/terminal server a domain controller and installed Microsoft Certificate Services on the machine, making it an enterprise CA.


Figure 1: The lab network for the walkthrough

Note that this is one of the rare times when we'll be using SSL to HTTP bridging. The reason is that the Remote Desktop Web Connection site itself does not require authentication, so there are no credentials to protect on the leg between the ISA firewall and the Web server. I suppose you could require authentication at the site, but I don't see the point. Bridging to HTTP also avoids the overhead of a second SSL link between the ISA firewall and the Web server on the internal network. Keep in mind what this means: the SSL session terminates at the ISA firewall, and everything the firewall forwards to the Web server crosses the internal network in the clear. The RDP session itself is not affected, because the remote desktop ActiveX client connects to the terminal server through the RDP Server Publishing Rule, not through the Web Publishing Rule. We will still protect the Web server from external attacks by requiring that users authenticate with the ISA firewall before they are allowed access to the Web server.

We’ll carry out the following steps to complete the configuration:

  • Install the Remote Desktop Web Services server service. The Remote Desktop Web Services server is an optional add-on component, so we'll begin by installing the service on the Web server.
  • Request a Web site certificate to use on the ISA firewall's Web listener. Since we're going to require a secure SSL connection from the external client to the ISA firewall (in order to protect the user credentials), we'll need a Web site certificate bound to the Web listener. The first step is to request the Web site certificate.
  • Install the Web site certificate and CA certificate into the ISA firewall's machine certificate store. Once we've obtained the Web site certificate, exported it to a file and copied the file to the ISA firewall, we'll install the certificates (Web site certificate and CA certificate) into the ISA firewall's machine certificate store.
  • Create the Web listener for the Web Publishing Rule. With the certificate installed in the ISA firewall's machine certificate store, we're ready to create the Web listener and bind the certificate to it. This listener will be used in the Web Publishing Rule that allows connections to the Remote Desktop Web Services server.
  • Create the Web Publishing Rule. You will create a Web Publishing Rule that accepts incoming connection requests to the Remote Desktop Web Service site.
  • Create the RDP Server Publishing Rule. You will create an RDP Server Publishing Rule to allow incoming connections from the remote desktop Web client to the terminal server on the corporate network.
  • Configure the RDP listener on the ISA firewall if Remote Desktop connections are enabled. If the ISA firewall is configured to allow remote desktop connections for firewall management, you'll need to configure the RDP listener for the firewall's own Remote Desktop service to listen only on the internal interface, so that it does not conflict with the RDP Server Publishing Rule on the external interface.
  • Test the solution. With the ISA firewall configuration complete, you're ready to test the solution.

Install the Remote Desktop Web Services Server Service

The first step is to install the Remote Desktop Web Service on the Web server. This is an optional component that is installed from the Add/Remove Programs Control Panel applet.

Perform the following steps to install the Remote Desktop Web Service:

  1. Click Start and point to Control Panel. Click Add or Remove Programs.
  2. In the Add or Remove Programs window, click the Add/Remove Windows Components button.
  3. On the Windows Components page, select the Application Server entry and click Details.
  4. In the Application Server dialog box, select the Internet Information Services (IIS) entry and click Details.
  5. In the Internet Information Services (IIS) dialog box, select the World Wide Web Service entry and click Details.
  6. In the World Wide Web Service dialog box, put a checkmark in the Remote Desktop Web Connection checkbox and click OK.


Figure 2

  7. Click OK in the Internet Information Services (IIS) dialog box.
  8. Click OK in the Application Server dialog box.
  9. Click OK on the Windows Components page.
  10. Click Finish on the Completing the Windows Components Wizard page.

Request a Web site Certificate to use on the ISA Firewall’s Web Listener

In order to enable an SSL link between the remote client and the external interface of the ISA firewall, we will need to install a Web site certificate into the ISA firewall’s machine certificate store. Once the Web site certificate is installed in the ISA firewall’s machine certificate store, we’ll be able to bind that certificate to a Web listener that will be used in a Web Publishing Rule that makes the Remote Desktop Web Connection site available to external users.

There are several ways to obtain a Web site certificate:

  • You can get a Web site certificate from a commercial CA
  • You can install a Microsoft Certificate Server in the role of a standalone CA
  • You can install a Microsoft Certificate Server in the role of an enterprise CA
  • You can generate a self-signed certificate using the SelfSSL command line tool from the IIS 6.0 Resource Kit. Keep in mind that a self-signed certificate is not trusted by any browser until you install it on each client machine, so users will see a certificate warning unless you do.

A discussion of how to configure a PKI and generate certificates is way beyond what I want to do in this article. However, if you’re interested in your options, one of the best document collections on how to generate certificates in different scenarios can be found in the ISA Server 2000 VPN Deployment Kit, which you can find at http://isaserver.org/articles/isa2000vpndeploymentkit.html

In this article the Web Server/Terminal Server machine is a domain controller and I’ve installed Microsoft Certificate Services on the machine and made it an enterprise CA. This allows us to use the IIS Certificate Request Wizard to request and install a certificate from an online CA. Note that this is not required, but it does represent the path of least resistance.

Perform the following steps to request a certificate from an enterprise CA (you can skip this step if you already have a Web site certificate):

  1. Click Start and then point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. In the Internet Information Services (IIS) Manager console, expand the Web Sites node and click the Default Web Site node. Right click Default Web Site and click Properties.
  3. In the Default Web Site Properties dialog box, click the Directory Security tab. On the Directory Security tab, click the Server Certificate button in the Secure Communications frame.
  4. On the Welcome to the Web Server Certificate Wizard page, click Next.
  5. On the Server Certificate page, select the Create a new certificate option and click Next.


Figure 3

  6. On the Delayed or Immediate Request page, select the Send the request immediately to an online certification authority option and click Next.


Figure 4

  7. Click Next on the Name and Security Settings page.
  8. On the Organization Information page, enter your Organization and Organizational Unit information and click Next.
  9. On the Your Site's Common Name page, enter the name that users on the external network will use when they connect to the site. For example, if users will connect to the Web site by entering https://tsweb.msfirewall.org in the browser, then enter tsweb.msfirewall.org. This name must be resolvable from the Internet via publicly accessible DNS servers, and it must resolve to the IP address on the external interface of the ISA firewall that the Web listener will use, or to the public address of a device in front of the ISA firewall that forwards the Web connections to the ISA firewall's external interface. This is a critical step. If the name on the Web site certificate does not match the name the user types to reach the site, the browser will report a certificate name mismatch and the connection attempt will fail. In this example, we'll use the name tsweb.msfirewall.org. Click Next.


Figure 5

  10. Enter your State/province and City/locality information on the Geographical Information page. Click Next.
  11. On the SSL Port page, accept the default value, 443, and click Next.
  12. On the Choose a Certification Authority page, accept the default entry in the Certification Authorities list and click Next.
  13. Review the settings on the Certificate Request Submission page and click Next.
  14. Click Finish on the Completing the Web Server Certificate Wizard page.
  15. Leave the Default Web Site Properties dialog box open for the next procedure.
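The name check described in the common name step above is worth being able to test before the certificate ever reaches the firewall. The following Python script is an added example, not part of the article: it models the hostname comparison a browser performs against a Web site certificate. It goes beyond the article's single common-name case by also honouring subjectAltName DNS entries and single-label wildcards, which is how current browsers evaluate a certificate (RFC 6125 rules, taken here as an assumption about browser behaviour). Apart from tsweb.msfirewall.org, every name and address in it is made up for the example.

```python
"""Model of the browser-side name check that the common name step depends on.

Added example, not code from the article: given the name users will type and
the names on the Web site certificate, decide whether a browser would accept
the certificate. Beyond the article's single common-name case it also honours
subjectAltName DNS entries and single-label wildcards (RFC 6125 rules, taken
here as an assumption about current browser behaviour).
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def _norm(name):
    """Case-fold and drop a trailing dot, so 'TSWEB.msfirewall.org.' compares equal."""
    return name.strip().lower().rstrip(".")


def _is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, public_name):
    """Match one certificate DNS name (CN or SAN) against the name the user types."""
    pattern, host = _norm(pattern), _norm(public_name)
    # An IP literal is only ever matched by a SAN iPAddress entry, which this
    # model does not cover, so a DNS name never matches an address.
    if _is_ip_literal(host) or _is_ip_literal(pattern):
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard must be the whole leftmost label, must not stand alone in
    # front of a public suffix ("*.org"), and matches exactly one label.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_covers(public_name, common_name, san_dns_names=()):
    """True if the certificate would be accepted for public_name.

    When the certificate carries DNS SANs they are authoritative and the common
    name is ignored; a certificate issued the way the article shows carries
    only a common name, so that is what gets compared.
    """
    names = list(san_dns_names) if san_dns_names else [common_name]
    return any(dns_name_matches(n, public_name) for n in names)


def public_dns_points_at(public_name, expected_ip):
    """Network check: does the public name resolve to the listener's address?
    (Needs Internet access; not exercised by the examples below.)"""
    answers = {info[4][0] for info in socket.getaddrinfo(public_name, 443)}
    return expected_ip in answers


if __name__ == "__main__":
    cn = "tsweb.msfirewall.org"   # the common name requested in the wizard
    # Constructed URLs a user might type; 203.0.113.10 is a documentation address.
    for url in ("https://tsweb.msfirewall.org/tsweb/",
                "https://TSWEB.msfirewall.org/tsweb/",
                "https://www.msfirewall.org/tsweb/",
                "https://203.0.113.10/tsweb/"):
        verdict = "accepted" if certificate_covers(urlsplit(url).hostname, cn) else "name mismatch"
        print(f"{url:42} -> {verdict}")
```

Run it as a script to see the four verdicts; the third and fourth lines are the failures the article warns about, where the user reaches the right listener but under a name the certificate does not carry.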

Export the Web Site and CA Certificates to a File

Now that you have the Web site certificate, you can export that certificate to a file. Remember, we don’t need the certificate on the Web site, we need the certificate on the ISA firewall. You can leave the certificate on the Web site if you like. Leaving the certificate on the Web site will not require you to use SSL to connect to the Web site, although it does leave the option open for you to force SSL connections to folders on that site if you wish.

Perform the following steps to export the Web site certificate along with the CA certificate:

  1. On the Directory Security tab in the Default Web Site Properties dialog box, click the View Certificate button.
  2. In the Certificate dialog box, click the Details tab.
  3. On the Details tab, click the Copy to File button.
  4. On the Welcome to the Certificate Export Wizard page, click Next.
  5. On the Export Private Key page, select the Yes, export the private key option. This is a critical setting. If you do not export the private key, you will not be able to use the certificate to impersonate the Web site at the ISA firewall. Click Next.


Figure 6

  6. On the Export File Format page, remove the checkmark from the Enable strong protection checkbox and put a checkmark in the Include all certificates in the certification path if possible checkbox, so that the page appears like the figure below. Click Next.


Figure 7

  7. Enter a password and confirm the password on the Password page and click Next. This password is all that protects the private key while the file is in transit, so choose a strong one.
  8. On the File to Export page, enter a path and a filename in the File name text box. In this example, we'll enter c:\websitecert and click Next.


Figure 8

  9. Click Finish on the Completing the Certificate Export Wizard page.
  10. Click OK in the dialog box informing you that the certificate export was successful.
  11. Copy the websitecert.pfx file to the ISA firewall machine. Remember that this file contains the Web site's private key: move it over a trusted channel rather than a public share, and delete both copies once the certificate has been imported on the ISA firewall.

Install the Web Site Certificate and CA Certificate into the ISA Firewall’s Machine Certificate Store

Now that the certificate is copied to the ISA firewall, you can import the Web site certificate into the machine's certificate store. In addition, the ISA firewall needs to trust the CA that issued the certificate, so we'll also need to place the CA certificate into the ISA firewall's Trusted Root Certification Authorities machine certificate store.

Perform the following steps to import the certificates into the appropriate certificate stores:

  1. Click Start and click the Run command. Enter mmc in the Open text box and click OK.
  2. In the mmc console, click the File menu and then click Add/Remove Snap-in.
  3. In the Add/Remove Snap-in dialog box, click Add.
  4. In the Add Standalone Snap-in dialog box, select the Certificates entry and click Add.
  5. On the Certificates snap-in page, select the Computer account option and click Next.


Figure 9

  6. On the Select Computer page, select the Local computer option and click Finish.
  7. Click Close in the Add Standalone Snap-in dialog box.
  8. Click OK in the Add/Remove Snap-in dialog box.
  9. Expand the Certificates (Local Computer) node in the left pane.
  10. Right click the Personal node, point to All Tasks and click Import.
  11. On the Welcome to the Certificate Import Wizard page, click Next.
  12. On the File to Import page, use the Browse button to locate the Web site certificate file and then click Next.
  13. On the Password page, enter the password you assigned to the certificate file and click Next. You do not need to mark the key as exportable, although you can select this option if you like. However, do not mark the key as exportable unless you appreciate the security implications: anyone who can log on to the ISA firewall with sufficient rights could then copy the private key off the machine.
  14. On the Certificate Store page, accept the default settings and click Next.
  15. Click Finish on the Completing the Certificate Import Wizard page.
  16. Click OK in the dialog box indicating that the import was successful.
  17. Expand the Personal node and click the Certificates node. You'll notice that there are two certificates in the right pane of the console. One is the Web site certificate and the other is the CA certificate. The Web site certificate is the one that shows the common name/subject name you assigned when you made the certificate request. The other certificate is the CA certificate. We need to move the CA certificate into the Trusted Root Certification Authorities certificate store.


Figure 10

  18. Right click the CA certificate (in this example, the certificate issued to EXCHANGE2003BE is the CA certificate) and click Cut.
  19. Expand the Trusted Root Certification Authorities node in the left pane of the console and click the Certificates node. Then right click the Certificates node and click Paste.
  20. The CA certificate now appears in the right pane of the Trusted Root Certification Authorities\Certificates node.


Figure 11

  21. Close the mmc console. You do not need to save the console settings unless you want to.


Create the Web listener for the Web Publishing Rule

A Web listener is a software component used in a Web Publishing Rule that accepts incoming connections to a published Web site. We can create the Web listener while creating the Web Publishing Rule, or we can create it before creating the rule. I generally create Web listeners while creating the Web Publishing Rule, but in order to reduce the number of steps in the procedures, and for a change of pace, we'll create the Web listener first.

Perform the following steps to create the Web listener:

  1. Open the ISA firewall console from the Start menu. In the console, expand the server name and then click the Firewall Policy node.
  2. On the Firewall Policy node, click the Toolbox tab in the Task Pane. Click the Network Objects section header and click the New menu. Click Web Listener.
  3. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example we'll call it SSL Listener. Click Next.
  4. On the IP Address page, put a checkmark in the External checkbox. If you have more than one IP address bound to the external interface, click the Address button and select the specific IP address on which you want to accept incoming connections for the Web site. Click Next.


Figure 12

  5. On the Port Specification page, remove the checkmark from the Enable HTTP checkbox. Put a checkmark in the Enable SSL checkbox. Click the Select button. Select the Web site certificate in the Select Certificate dialog box and click OK.


Figure 13

  6. Click Next on the Port Specification page.
  7. Click Finish on the Completing the New Web Listener Wizard page.
  8. Click the SSL Listener entry in the Web Listeners list and click the Edit menu.


Figure 14

  9. In the SSL Listener Properties dialog box, click the Preferences tab.
  10. On the Preferences tab, click the Authentication button. In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the dialog box informing you that you have no authentication methods selected. Put a checkmark in the Basic checkbox. Click Yes in the dialog box informing you that you should use an SSL connection when using Basic authentication. Put a checkmark in the Require all users to authenticate checkbox.

      This will help secure our Web server by requiring users to authenticate with the ISA firewall before the connection is forwarded to the Web server. Even though the Web server itself doesn't require authentication, we increase our security by preventing anonymous connections from the Internet. Basic authentication sends the user name and password in a trivially reversible encoding, which is why we disabled HTTP on this listener: the SSL connection to the ISA firewall is the only thing protecting those credentials on the Internet. Because the listener now accepts credentials from anyone on the Internet, it is also a password-guessing target, so make sure the accounts you allow through this rule have strong passwords. Note that you need to have an authentication database to authenticate users against. If you want to authenticate against the Active Directory, then you should make the ISA firewall a domain member, or you can use the less desirable option of RADIUS authentication. You can also maintain the user database in the local SAM of the ISA firewall itself, but this has the potential of increasing your management overhead. In this example, the ISA firewall is a domain member and authenticates against the Active Directory. Click OK.


Figure 15

  11. Click OK in the SSL Listener Properties dialog box.

Create the Web Publishing Rule

With the Web listener in place, we're ready to create the Web Publishing Rule that allows incoming connections to the Web site. Perform the following steps to create the Web Publishing Rule:

  1. In the ISA firewall console, click the Firewall Policy node in the left pane of the console and then click the Tasks tab in the Task Pane. Click the Publish a Secure Web Server link.
  2. On the Welcome to the SSL Web Publishing Rule Wizard page, enter a name for the rule in the SSL Web publishing rule name text box. In this example we'll name the rule Remote Desktop Web Site. Click Next.
  3. On the Publishing Mode page, select the SSL Bridging option and click Next.


Figure 16

  4. On the Select Rule Action page, select the Allow option and click Next.
  5. On the Bridging Mode page, select the Secure connection to clients option. This forces the external client to use an SSL connection to the ISA firewall, but allows the ISA firewall to use HTTP when communicating with the Web site. This reduces the processor overhead that SSL to SSL bridging would require. In this scenario, where no authentication is required at the Web site, there is no reason to use SSL from the ISA firewall to the Web site, since no credentials are being passed over that leg. One caveat: this holds only if the ISA firewall is not forwarding the user's Basic credentials to the Web server. Check the Users tab of the finished rule and make sure Basic delegation (forwarding of Basic authentication credentials) is not enabled; with it on, the user name and password would cross the internal network in the clear. Click Next.


Figure 17

  6. On the Define Website to Publish page, enter the IP address of the Web server in the Computer name or IP address text box. If you've been following my articles over the years, you might wonder why I don't require you to enter an FQDN here. The reason is that since we're not using SSL from the ISA firewall to the Web site, the name used in this text box does not matter, so we can use an IP address instead of a name. In the Path text box, enter /tsweb/* This is the only directory remote desktop Web users need to access, so we limit their connections to this directory alone. This limits the exposure of your Web server: requests for anything else on the Default Web Site are denied by the ISA firewall and never reach IIS. Click Next.


Figure 18

  7. On the Public Name Details page, in the Accept requests for drop down list, select the This domain name (type below) option. In the Public name text box, enter the name that users will use to connect to the Web site. Since we're using an SSL connection from the external client to the ISA firewall, this name must match the common/subject name on the Web site certificate. In this example, the common/subject name on the Web site certificate is tsweb.msfirewall.org, so we must enter that name in the Public name text box. The Path (optional) text box is filled in automatically for you, and you do not need to make any changes to that entry. Click Next.


Figure 19

  8. On the Select Web Listener page, click the down arrow in the Web listener drop down list and select the SSL Listener entry, which is the name of the Web listener we created earlier. Click Next.


Figure 20

  9. On the User Sets page, click the All Users entry and then click Remove. Click the Add button. In the Add Users dialog box, double click the All Authenticated Users entry and click Close. Note that we're using the All Authenticated Users option as an example only. You will probably want to create your own ISA firewall user sets so that only the accounts that actually need remote desktop access can reach the site. Click Next on the User Sets page.


Figure 21

  10. Click Finish on the Completing the New SSL Web Publishing Rule Wizard page.
  11. On the ISA Server Error page, click Continue. The error page is spurious and does not indicate a true problem.
  12. Click Apply to save the changes and update the firewall policy.
  13. Click OK in the Apply New Configuration dialog box.
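The rule we just built enforces three separate gates on every external request: the public name, authentication at the firewall, and the /tsweb/* path. The following Python model is an added example, not ISA Server code and not a description of its HTTP engine: it puts the three gates together so you can see which requests are denied, which are challenged, and which are bridged to the Web server, and why the path gate has to run on a normalised path. The user database, the sample requests and the bridging target http://10.0.0.2 (the lab's Web server address) are constructed for the example; the normalisation rules are the model's own.

```python
"""Model of the access decision made by the Web Publishing Rule built above.

Added example, not ISA Server code: three gates in the order a request meets
them (public name, authentication at the firewall, published path) and the
action the firewall takes. The normalisation rules are this model's own.
"""
import base64
import hmac
import posixpath
import urllib.parse

PUBLIC_NAME = "tsweb.msfirewall.org"       # Public Name Details page
PUBLISHED_PREFIX = "/tsweb/"               # Path entry "/tsweb/*"
BRIDGE_TARGET = "http://10.0.0.2"          # SSL-to-HTTP bridging to the lab Web server
REALM = PUBLIC_NAME
# Constructed stand-in for the directory the ISA firewall authenticates against.
USERS = {"alice": "correct horse battery staple"}


def normalise_path(raw_path):
    """Percent-decode, fold backslashes, collapse dot segments; keeps case.

    This is what makes the '/tsweb/*' gate meaningful: without it, a request
    for /tsweb/../scripts/ would pass a naive prefix test and reach IIS.
    """
    decoded = urllib.parse.unquote(raw_path.split("?", 1)[0]).replace("\\", "/")
    path = posixpath.normpath("/" + decoded.lstrip("/"))
    if decoded.endswith("/") and not path.endswith("/"):
        path += "/"
    return path


def basic_header(user, password):
    """Build the Authorization header a browser sends after the 401 challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(header_value):
    """Return (user, password) from a Basic header, or None when absent/malformed."""
    if not header_value or not header_value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(creds):
    """Constant-time comparison against the constructed user database."""
    if creds is None:
        return False
    expected = USERS.get(creds[0])
    return expected is not None and hmac.compare_digest(expected.encode(), creds[1].encode())


def evaluate(request):
    """Decide what the firewall does with one request: (action, detail).

    request: {'host': ..., 'path': ..., 'authorization': ... (optional)}
    actions: 'deny' (never forwarded), 'challenge' (401 with a Basic realm),
             'forward' (bridged to the Web server over HTTP).
    """
    host = request.get("host", "").lower().split(":", 1)[0]
    if host != PUBLIC_NAME:
        return ("deny", f"host {host!r} does not match the public name {PUBLIC_NAME}")
    if not credentials_valid(parse_basic(request.get("authorization"))):
        return ("challenge", f'WWW-Authenticate: Basic realm="{REALM}"')
    path = normalise_path(request.get("path", "/"))
    if not path.lower().startswith(PUBLISHED_PREFIX):
        return ("deny", f"{path} is outside the published path {PUBLISHED_PREFIX}*")
    return ("forward", BRIDGE_TARGET + path)


# Constructed sample requests: a first anonymous hit, the retry with
# credentials, and a few attempts to reach outside the published directory.
SAMPLE_REQUESTS = [
    {"host": "tsweb.msfirewall.org", "path": "/tsweb/"},
    {"host": "tsweb.msfirewall.org", "path": "/tsweb/",
     "authorization": basic_header("alice", "correct horse battery staple")},
    {"host": "tsweb.msfirewall.org", "path": "/scripts/cmd.exe",
     "authorization": basic_header("alice", "correct horse battery staple")},
    {"host": "tsweb.msfirewall.org", "path": "/tsweb/%2e%2e/scripts/cmd.exe",
     "authorization": basic_header("alice", "correct horse battery staple")},
    {"host": "10.0.0.2", "path": "/tsweb/",
     "authorization": basic_header("alice", "correct horse battery staple")},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        action, detail = evaluate(req)
        print(f"{action:9} {req['host']}{req['path']}  ({detail})")
```

The order of the gates matters: credentials are checked at the firewall before the path is even looked at, so an anonymous client never learns which paths exist, and the path test runs on the decoded, dot-segment-free form so that encoded traversal attempts are judged by where they would actually land on the Web server.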

Create the RDP Server Publishing Rule

The RDP Server Publishing Rule allows the external remote desktop Web client access to the terminal server on the internal network. You need to create an RDP Server Publishing Rule for each terminal server you want to publish. Keep in mind that a Server Publishing Rule does not authenticate users the way our Web listener does: the authentication we required on the Web Publishing Rule protects only the Web page, while the published RDP port is reachable by anyone on the Internet, and the only thing standing between an attacker and the terminal server is the Windows logon. Make sure the accounts allowed to log on to the terminal server have strong passwords, and consider restricting the rule's From setting to a tighter network object than External if you know where your users connect from.

Perform the following steps to create the RDP Server Publishing Rule:

  1. In the ISA firewall console, expand the server name and click the Firewall Policy node. Click the Tasks tab in the Task Pane and click the Create New Server Publishing Rule link.
  2. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the rule in the Server Publishing Rule name text box. In this example we'll name the rule RDP Server. Click Next.
  3. On the Select Server page, enter the IP address of the RDP server in the Server IP address text box. In this example the IP address is 10.0.0.2. Click Next.


Figure 22

  4. On the Select Protocol page, select the RDP (Terminal Services) Server entry from the Selected protocol list. Click Next.


Figure 23

  5. On the IP Addresses page, put a checkmark in the External checkbox. If you have multiple IP addresses bound to the external interface of the ISA firewall, then after putting the checkmark in the External checkbox, click the Address button and select the specific IP address you want the RDP listener to listen on. Click Next.
  6. Click Finish on the Completing the New Server Publishing Rule Wizard page.
  7. Click Apply to save the changes and update the firewall policy.
  8. Click OK in the Apply New Configuration dialog box.
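Before handing the solution to users, confirm that the published port actually reaches the terminal server and see what security the terminal server offers through it. The following Python script is an added example, not part of the article: it sends the X.224 Connection Request that every RDP client starts with, including the optional negotiation request defined in Microsoft's RDP specification (MS-RDPBCGR), and interprets the Connection Confirm that comes back. A Windows Server 2003 terminal server, like the one in this lab, does not understand the negotiation request and answers with a bare Connection Confirm, which the script reports as Standard RDP security; newer servers answer with the protocol they selected or with a failure code. The three server replies at the bottom are constructed to show each case; probe() does the live exchange against a host name you supply and is the only part that needs network access.

```python
"""Probe a published RDP port with an X.224 Connection Request (MS-RDPBCGR 2.2.1.1/2.2.1.2).

Added example, not from the article. Sends the first PDU of an RDP connection
and interprets the server's Connection Confirm, which tells you whether the
Server Publishing Rule reaches a terminal server and which security the
server will negotiate.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000      # Standard RDP security (encryption at the RDP layer)
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP / Network Level Authentication
PROTOCOL_NAMES = {
    PROTOCOL_RDP: "Standard RDP security",
    PROTOCOL_SSL: "TLS",
    PROTOCOL_HYBRID: "CredSSP (NLA)",
    0x00000008: "RDSTLS",
    0x00000010: "CredSSP with early user authorization",
}
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER", 0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER", 0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER", 0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID, cookie="probe"):
    """TPKT + X.224 CR TPDU + mstshash cookie + RDP_NEG_REQ asking for TLS or NLA."""
    cookie_bytes = f"Cookie: mstshash={cookie}\r\n".encode("ascii")
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)    # type, flags, length, protocols
    tpdu = b"\xe0\x00\x00\x00\x00\x00" + cookie_bytes + neg_req  # CR code, DST-REF, SRC-REF, class
    tpdu = bytes([len(tpdu)]) + tpdu                              # LI = bytes after the LI byte
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(tpdu)) + tpdu


def parse_connection_confirm(data):
    """Interpret a TPKT-framed X.224 Connection Confirm; returns a dict."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT-framed X.224 response")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len > len(data):
        raise ValueError("truncated TPKT")
    body = data[4:tpkt_len]
    li, code = body[0], body[1]
    if code != 0xD0:
        raise ValueError(f"expected Connection Confirm (0xD0), got 0x{code:02x}")
    neg = body[7:1 + li]                      # whatever follows the fixed CC fields
    if not neg:
        return {"negotiation": False, "selected_protocol": PROTOCOL_RDP,
                "description": "no negotiation response: Standard RDP security only "
                               "(typical of Windows Server 2003 terminal servers)"}
    ntype, flags, nlen, value = struct.unpack("<BBHI", neg[:8])
    if nlen != 8:
        raise ValueError("malformed RDP negotiation structure")
    if ntype == 0x02:   # TYPE_RDP_NEG_RSP
        return {"negotiation": True, "selected_protocol": value, "flags": flags,
                "description": PROTOCOL_NAMES.get(value, f"unknown protocol 0x{value:08x}")}
    if ntype == 0x03:   # TYPE_RDP_NEG_FAILURE
        return {"negotiation": True, "failure_code": value,
                "description": FAILURE_CODES.get(value, f"unknown failure 0x{value:08x}")}
    raise ValueError(f"unexpected negotiation type 0x{ntype:02x}")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0):
    """Send one Connection Request through the published port and interpret the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        header = _recv_exact(sock, 4)
        (length,) = struct.unpack(">H", header[2:4])
        return parse_connection_confirm(header + _recv_exact(sock, length - 4))


# Constructed server replies (not captures): a bare CC with no negotiation
# data, a CC selecting TLS, and a failure saying NLA is required.
REPLY_WIN2003 = bytes.fromhex("0300000b 06d0 0000 1234 00")
REPLY_TLS = bytes.fromhex("03000013 0ed0 0000 1234 00 0200 0800 01000000")
REPLY_NLA_REQUIRED = bytes.fromhex("03000013 0ed0 0000 1234 00 0300 0800 05000000")

if __name__ == "__main__":
    for reply in (REPLY_WIN2003, REPLY_TLS, REPLY_NLA_REQUIRED):
        print(parse_connection_confirm(reply)["description"])
    # Live check against the published name, when you have network access:
    # print(probe("tsweb.msfirewall.org"))
```

A bare Connection Confirm from the published address tells you two things at once: the Server Publishing Rule is passing traffic to a terminal server, and that server offers nothing stronger than Standard RDP security, so the strength of the accounts that can log on is what you are relying on.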


Summary

In this article we went over the configuration details involved in publishing the remote desktop Web services Web server and RDP server. In part 3, the last part of this series, we'll go over some important troubleshooting issues common in Web and server publishing scenarios.
