TS Gateway

With a TS Gateway server configured for your network you can route all of your RDP traffic through one (or more) TS Gateway servers. This allows you to centrally control and monitor all of the remote desktop connections flowing into your network. This is especially useful in environments where central IT doesn’t necessarily have control over the RDP permissions on each user’s desktop machine. With TS Gateway you can specify who is allowed to initiate remote desktop connections to your network, and which machines each user is allowed to connect to.

Instead of listening on the normal RDP port, 3389, TS Gateway uses SSL and listens on port 443. The RDP traffic is tunneled through SSL on port 443 and then converted back to normal RDP traffic on the internal network. The desktop that is being controlled by a remote user passing through the TS Gateway doesn’t need any special configuration. This has several advantages beyond manageability. First, port 443 is normally used by secure websites, so most firewalls on remote networks will not filter the traffic. Second, because the tunnel uses industry-standard SSL with a certificate the client must trust, the RDP connection is protected from man-in-the-middle type attacks.

Server side
1. Open Server Manager and click on Roles >> Add Roles
2. Click on Next >> Select Terminal Services from the list >> Next >> Next
3. Select TS Gateway and then if prompted, click on “Add Required Role Services” >> Next
4. Choose the desired style of SSL certificate and click on Next (self-signed is fine for testing)
5. Read the on-screen instructions and configure the Authorization Policies for your environment
6. Accept all of the defaults for the rest of the installation >> Install

If you used a self-signed certificate then you will need to install the certificate on the machine that will be initiating connections through the TS Gateway.

Export self-signed certificate from the TS Gateway server
1. Start >> Administrative Tools >> Terminal Services >> TS Gateway Manager
2. Right click on your TS Gateway server and choose Properties >> SSL Certificate tab >> Browse Certificates
3. Select the self-signed certificate you created when you installed TS Gateway >> View Certificate >> Details tab >> Copy to File…
4. In the Certificate Export Wizard click Next >> choose No >> Next >> Next >> browse to a location to save the certificate >> Next >> Finish

Import self-signed certificate to the client initiating RDP connections through the TS Gateway
1. Copy the certificate file you exported from the TS Gateway server to the client that will be used to initiate RDP connections through the TS Gateway server
2. Double click on the certificate file from the client computer >> Install Certificate…
3. In the Certificate Import Wizard click on Next >> “Place all certificates in the following store” >> Browse… >> choose “Trusted Root Certificate Authorities” >> Next >> Finish

Configure the Remote Desktop Connection settings on the client that will be used to initiate RDP connections through the TS Gateway
1. Open up the Remote Desktop Connection client (mstsc.exe)
2. Click on the Advanced tab, then Settings…
3. Click on “Use these TS Gateway server settings” and put in the server name of your TS Gateway. IMPORTANT: Be sure the server name matches the “subject” attribute of the certificate you are using on the TS Gateway server.
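As an added check (an example script written for this page, not part of the original post), the following PowerShell, run on the client after the import, confirms the two things mstsc needs from the gateway certificate: the name you typed in matches the certificate, and the client already trusts it. The gateway name is a placeholder; use the exact name entered in the Remote Desktop Connection settings.

```powershell
# Added example, not part of the original post: run on the client, after
# importing the gateway certificate, to confirm the two things mstsc needs.
# $GatewayHost is a placeholder; use the exact name you typed into mstsc.
param(
    [string]$GatewayHost = 'tsgateway.example.internal',
    [int]$Port = 443
)

# Open a TLS session to the gateway and keep the certificate it presents.
# The validation callback returns $true on purpose: we want the raw
# certificate so that the trust decision below is made explicitly.
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $GatewayHost, $Port
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
try {
    $ssl.AuthenticateAsClient($GatewayHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Valid until: $($cert.NotAfter)"

# Check 1: the name used in mstsc must match the certificate's DNS name (SAN or subject CN).
$certName = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($certName -ieq $GatewayHost) {
    "OK   name '$GatewayHost' matches the certificate"
} else {
    "FAIL certificate is issued to '$certName', not '$GatewayHost'"
}

# Check 2: the client must already trust the certificate. For the self-signed
# certificate from the steps above this only passes once it sits in Trusted Root
# Certification Authorities (Cert:\CurrentUser\Root or Cert:\LocalMachine\Root).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed: there is no CRL to fetch
if ($chain.Build($cert)) {
    "OK   certificate chain builds to a trusted root"
} else {
    $chain.ChainStatus | ForEach-Object { "FAIL $($_.Status): $($_.StatusInformation.Trim())" }
}
```

If the name check fails, re-issue or re-select the gateway certificate rather than changing the name in mstsc to something that does not resolve to the gateway.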

That’s it, next time you initiate a remote desktop connection it will be passed through the TS Gateway. The TS Gateway will determine if you are authorized to connect to the desired workstation and then allow or disallow the RDP traffic.


Posted on January 1, 2015, in Windows.
