Today I will continue my series of articles on Microsoft’s latest Forefront Threat Management Gateway (TMG) and will focus on publishing Windows 2008 R2 Remote Desktop Web Access (RD Web) and Remote Desktop Gateway (RD Gateway) to the world wide web via TMG. If you missed my first article on installing Forefront TMG, you can access it here.
This article assumes that your Remote Desktop Services infrastructure is already in place and that your RD Gateway and RD Web Access roles are on the same server. Refer to my 3 part series on Remote Desktop Services in Windows 2008 R2, which outlines the configuration of RD Host, RD Gateway and RD Web Access.
So let’s begin!
Export Certificate
We are assuming a trusted third-party certificate has already been issued for the Remote Desktop Services infrastructure. From your RD Web Access/Gateway server where the certificate is installed, launch IIS Manager and navigate to Server Certificates. Select the certificate in question and, from the Actions pane, select Export…
Specify the location and enter a password to protect the exported certificate. The exported .pfx file contains the private key, so keep the file and its password safe and delete the file once it has been imported on the TMG server.
Import Certificate
We now need to take the exported certificate and import it directly into our personal certificate store located on the TMG server.
On the TMG server, launch the Microsoft Management Console (MMC) / Select File / Add or Remove Snap-ins / select Certificates from available snap-ins and select Add >
Select Computer account / Next.
Select Local computer / Finish. Then click OK.
Right click on Personal Folder under Certificates and select All Tasks / Import…
This will invoke the Certificate Import Wizard. Click Next.
Browse for the certificate that we exported earlier on.
Click Next
Enter the certificate password.
Click Next.
Ensure that the “Personal” Certificate store is selected to import into.
Click Next and Finish.
To confirm that the certificate was successfully imported, browse to Certificates / Personal / Certificate and double click on the imported certificate.
It is important that the certificate dialog states that a private key corresponding to this certificate is present; otherwise the certificate will not be visible in TMG when we apply it to our Web Listener.
I would also check the Certification Path tab for the certificate to ensure that the Certificate status is OK, i.e. there is no “break” in the certificate path and every certificate in the chain (intermediate and root) is present on the TMG server.
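As an added example (not part of the original post), here is the same export and import scripted with the tools that ship with Windows 2008 R2, followed by a PowerShell function that performs the two checks above: that the private key is in the TMG server’s Personal store and that the chain builds without a break. The subject name, PFX password and file path are placeholders; the function name is my own.

```powershell
# Added example, not from the original post. Placeholder values are in <angle brackets>.

# --- On the RD Web Access / RD Gateway server: export certificate + private key ---
# certutil ships with Windows 2008 R2. "My" is the Personal store; the certificate is
# selected by its serial number or subject as listed by: certutil -store My
# certutil -exportPFX -p "<pfx-password>" My "<serial-or-subject>" C:\temp\rds.pfx

# --- On the TMG server (elevated prompt): import into Local Computer \ Personal ---
# certutil -importPFX -p "<pfx-password>" C:\temp\rds.pfx

# --- On the TMG server: confirm the private key is present and the chain is intact ---
function Test-PublishingCertificate {
    param([string]$SubjectCn)   # CN of the imported certificate, e.g. "remote.example.com"

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $cert = $store.Certificates | Where-Object { $_.Subject -like "*CN=$SubjectCn*" } | Select-Object -First 1
    $store.Close()

    if ($cert -eq $null) { throw "No certificate with CN=$SubjectCn in LocalMachine\My" }

    # TMG only lists certificates whose private key is in the store; this is the
    # "private key that corresponds to this certificate" line in the MMC dialog.
    if (-not $cert.HasPrivateKey) { throw "Private key missing: re-export the certificate with its private key" }

    # Equivalent of the Certification Path tab: build the chain and report any break.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $chain.ChainStatus | ForEach-Object {
            Write-Warning ("Chain problem: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim())
        }
        throw "Certificate chain is broken: install the missing intermediate/root certificates on the TMG server"
    }

    Write-Host ("OK: {0} expires {1}; chain of {2} certificates builds cleanly" -f `
        $cert.Subject, $cert.NotAfter, $chain.ChainElements.Count)
    return $cert
}

Test-PublishingCertificate -SubjectCn "remote.example.com"
```

If the chain check fails with an “untrusted root” or “partial chain” status, import the issuing CA’s intermediate certificate into the Intermediate Certification Authorities store on the TMG server and run the check again before creating the Web Listener.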
Create Web Listener
Launch the TMG Management Console and click on Firewall Policy.
Navigate to Toolbox / Network Objects and select New, Web Listener. This will invoke the New Web Listener Wizard.
Enter a friendly name.
Click Next.
Ensure that “Require SSL secured connections with clients” is selected.
Click Next.
For your Web Listener IP address, select Internal and then click on Select IP Addresses.
You will need to specify a unique IP address for each Web Listener/Certificate that you setup on your TMG server.
Click Next.
In the next window you will assign the recently imported certificate from your RD Web Access/Gateway server against the IP address that we added in the previous window.
Click on Select Certificate and click on the respective certificate that will be applied against your RD Web Access/Gateway Web Listener. Click on “Select” once done.
Click Next.
Select “No Authentication” from the drop down menu. This is important as we will not be utilising TMG’s Forms Based Authentication.
Click Next.
The next screen will state that SSO is only available with HTML form Authentication.
Click Next.
Click Finish to complete the New Web Listener Wizard.
Finally, click Apply to save the changes.
TMG Web Publishing Rule
We can now proceed and create our RD Web Access/Gateway rule by right clicking on Firewall Policy / New / Exchange Web Client Access Publishing Rule… and specifying a name for the rule.
Now you might be wondering why I have specifically selected the Exchange Publishing Rule rather than a generic Web Publishing rule. Firstly, I am still not sure why Microsoft have not created a specific template for Remote Desktop Services, and secondly, if you select the generic Web Site Publishing Rule you will receive the warning below when you come to test your rule later:
Category: General warning
Error details: The internal path of the URL was identified as part of a SharePoint or Exchange server publishing rule.
Action: Use the SharePoint Publishing Rule Wizard or the Exchange Publishing Rule Wizard.
Click Next.
Select “Exchange Server 2007” and select only the Outlook Anywhere option. Leave “Publish additional folders on the Exchange Server for Outlook 2007 clients” unchecked.
Click Next.
Select Publish a single Web site or load balancer.
Click Next. Select Use SSL to connect to the published Web server or server farm.
Click Next. Specify the Internal site name.
Click Next.
Specify the Public FQDN which should be externally resolvable.
Click Next. Select the Web listener that we created earlier. Click Next.
Select “No delegation, but client may authenticate directly” from the Authentication Delegation drop down.
Click Next.
Remove All Authenticated Users and add All Users. Because the Web Listener was created with “No Authentication”, TMG does not authenticate the client itself, so a rule limited to All Authenticated Users cannot be satisfied; users are still authenticated, but by RD Web Access and the RD Gateway on the published server.
Click Finish to complete…
There is only one more step and we are done. Because there is no dedicated publishing rule template for RD Web Access/Gateway we need to add a couple of entries to the Paths area under RD Web Access/Gateway rule.
Right click on your designated rule and select properties, and navigate to the Paths tab.
Click Add…
Enter /rdweb/* as the path.
Now because we selected the Exchange Server 2007 publishing wizard and in particular the Outlook Anywhere service, the RPC path mapping should already be included under paths. Do NOT remove this path.
Finally, remove /* if it exists, so that the rule publishes only the RD Web Access and RPC paths rather than every path on the internal server.
Make sure you click on Test Rule which should provide you with a green tick beside each path entry!
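Test Rule confirms the rule from TMG’s side; as an added example (not part of the original post), the function below checks the published site from a client on the Internet: it requests the two published paths and verifies that the certificate TMG presents is the one we bound to the Web Listener. The public FQDN and expected CN are placeholders, and the function name is my own; it needs only PowerShell 2.0 and .NET 3.5, which are available on a Windows 2008 R2 or Windows 7 client.

```powershell
# Added example, not part of the original post. Run from a client outside the network
# after the rule has been applied. "remote.example.com" is a placeholder for the Public
# FQDN entered in the publishing rule.
function Test-PublishedRdWeb {
    param(
        [string]$PublicFqdn,   # Public FQDN from the publishing rule
        [string]$ExpectedCn    # CN of the certificate bound to the Web Listener
    )
    $status = @{}
    $listenerCert = $null

    # /RDWeb/ is the path we added by hand; /rpc/ is the RPC mapping the Outlook Anywhere
    # template created, which the RD Gateway transport uses. A 401 on /rpc/ is normal
    # (the gateway challenges for credentials). A 403 error page from TMG itself typically
    # means the path is not listed on the Paths tab of the rule.
    foreach ($path in @("/RDWeb/", "/rpc/")) {
        $req = [System.Net.HttpWebRequest]::Create("https://$PublicFqdn$path")
        $req.AllowAutoRedirect = $false
        $req.Timeout = 10000
        try {
            $resp = $req.GetResponse()
            $status[$path] = [int]$resp.StatusCode
            $resp.Close()
        } catch [System.Net.WebException] {
            if ($_.Exception.Response -ne $null) {
                $status[$path] = [int]$_.Exception.Response.StatusCode
            } else {
                # No HTTP response at all: DNS, connectivity or TLS trust failure
                $status[$path] = -1
                Write-Warning ("{0}: {1}" -f $path, $_.Exception.Message)
            }
        }
        # The ServicePoint keeps the server certificate from the TLS handshake
        if ($listenerCert -eq $null -and $req.ServicePoint.Certificate -ne $null) {
            $listenerCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($req.ServicePoint.Certificate)
        }
        Write-Host ("{0,-8} HTTP {1}" -f $path, $status[$path])
    }

    # Confirm TMG presented the certificate we imported, not another listener's
    # certificate bound to the same IP address.
    if ($listenerCert -eq $null) { throw "No certificate received from $PublicFqdn" }
    if ($listenerCert.Subject -notlike "*CN=$ExpectedCn*") {
        throw ("Listener presented '{0}', expected CN={1}" -f $listenerCert.Subject, $ExpectedCn)
    }
    if ($listenerCert.NotAfter -lt (Get-Date)) { throw "Listener certificate has expired" }
    Write-Host ("Listener certificate OK: {0} (expires {1})" -f $listenerCert.Subject, $listenerCert.NotAfter)
    return $status
}

Test-PublishedRdWeb -PublicFqdn "remote.example.com" -ExpectedCn "remote.example.com"
```

A 200 on /RDWeb/ together with a 401 on /rpc/ is the healthy result; a warning about the trust relationship on the first request means the client does not trust the chain TMG is sending, which usually points back to a missing intermediate certificate on the TMG server.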
That’s all that is to it. In upcoming posts in this series, I will go through publishing other items such as Outlook Web App and SharePoint sites.