From: Ian on 5 Mar 2010 17:07

I did the following:
1. rebuilt TS1, TS2 and TSG with Windows Server 2008 R2.
2. installed ADCS (Enterprise) on DC1
3. Create a Domain Certificate on DC1 IIS and export it with private key
4. import it in Personal folder on TSG and ISA

Is it right above for the certificate part?
For testing RDC/TSG from Internet, do you think I should import the certificate above in Trusted Root Certification Authorities folder on test PC or use http://dc1/certsrv to get one?

"RCan" wrote:
> Hi Ian :-)
>
> "Ian" <Ian(a)discussions.microsoft.com> wrote
> > To my understanding, I need a certificate to be imported in the Personal
> > folder on ISA and Trusted Root folder on client computer.
> > If this is right, do I still need to create a certificate during TS
> > Gateway installation?
>
> 80 % correct :-) You should install a webserver certificate on the TSG
> server for RDP traffic (SSL) encryption purposes. This certificate is ideally
> issued by a trusted authority AND the client+ISA MUST trust this
> certificate's authority. Then you need to export this certificate with the
> private key and import it at your ISA server's personal store. If the issuing
> CA of this cert is not a trusted authority for the ISA server this will
> not work or you also need to install the root CA in "trusted authorities"
> store. If you had read the links provided by me you will find there a
> step-by-step guide for setting this up; also check the script for
> configuring TSG aka RD and ISA publishing, it works like a charm :-)
>
> > I don't have a public certificate. It is just a test environment. What do
> > you recommend to get a certificate for ISA and client?
>
> Install on your domain controller an enterprise certificate authority which
> should then be used to issue the certificates to your RD (TSGI) server. If the
> clients are domain members you don't need to do anything else, clients trust
> the enterprise CA automatically. A step-by-step guide for setting this up
> can be found here ->
> http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx
>
> > Another question: Is it OK if I install TS Gateway and TS Session Broker
> > on the same server?
>
> yes, no issue for your test environments.
>
> > BTW, do you know if I can use Windows Server 2008 R2 as TS Gateway as well
> > as terminal servers? My plan is to test Terminal Services in Windows
> > Server 2008 including TS Gateway, TS Session broker, TS RemoteApp and TS Web
> > Access with TS Farm. Thanks.
>
> of course, this is always a question of performance but no limitation from
> OS. R2 terminal services has really great improvements included.
>
> Hope that helps
>
> Regards
> Ramazan

From: RCan on 6 Mar 2010 06:16

Hi Ian,

I think you did it correct till step 3.
As it sounds you have now installed a CA on your DC, follow the below steps:

3. go to your TSG -> IIS manager -> request an "Complete Domain Request"
4. Export this certificate with private key from TSG and import to ISA server's personal store

IMPORTANT: the ISA server needs to trust the CA which had issued the certificate for TSG (your root DC).

Let me know when you have any further issues.

PS: You didn't read the step-by-step guide, correct?

Regards
Ramazan

From: Ian on 6 Mar 2010 09:30

Yes, I did read the step-by-step guide yesterday.
I did not have time to finish it and stopped at Step 4: Creating a Revocation Configuration. And then I found a certificate issued by DC1 in Trusted Root Certification Authorities folder on other servers. I will follow your Step 3 today. BTW my ISA1 is also joined to my domain. What is the reason to use a dedicated server for CA as in the guide (TEST_PKI1), best practice? For testing TS Services roles, do I need to finish the rest of the guide? Or can I do it later? Thanks.

From: RCan on 7 Mar 2010 10:37

Hi Ian,

candidly, I myself haven't read it fully yet either :-)
But one of the interesting sections there is the SSL area, as it is really important that your certificates are correctly issued and configured. No warnings are accepted here!

RD Gateway is a really cool and scalable solution for several business scenarios.

Let me know when you have any further issues.

PS: No - it is NOT important that CA must run on a dedicated server - it is always a question of scalability and availability, but for testing environments no problem. In production environments normally this role is running on a single server or a.e. on a DC.

Regards
Ramazan
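
Added example, not part of the original thread: a PowerShell check for the points raised in the replies above, to run on the TSG and again on the ISA server after the import. It confirms that the private key arrived, that the name and Server Authentication usage fit, and that the chain builds to a trusted root with revocation checked. The gateway name `tsg.example.test` is a placeholder and the function name `Test-GatewayCertificate` is made up for this example.

```powershell
# Added example, not from the thread. Run on TSG, then on ISA.
param([string]$GatewayName = 'tsg.example.test')   # placeholder: the name clients connect to

function Test-GatewayCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedName
    )
    $problems = @()

    # The export/import must have carried the private key, or SSL cannot terminate here.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in this store' }

    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += 'outside validity period'
    }

    # Compares the primary DNS name only (first SAN entry, else the subject CN);
    # wildcard and multi-name certificates need a fuller comparison.
    $dnsName = $Cert.GetNameInfo('DnsName', $false)
    if ($dnsName -ne $ExpectedName) {
        $problems += "name '$dnsName' does not match '$ExpectedName'"
    }

    # An absent EKU extension means "all purposes"; if present it must allow
    # Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains '1.3.6.1.5.5.7.3.1') {
            $problems += 'Server Authentication EKU missing'
        }
    }

    # Build the chain in machine context with online revocation checking. An untrusted
    # issuing CA shows as UntrustedRoot; an unreachable CRL as RevocationStatusUnknown.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    if (-not $chain.Build($Cert)) {
        foreach ($s in $chain.ChainStatus) { $problems += "chain: $($s.Status)" }
    }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        Problems   = $problems
    }
}

# Check every certificate in the local machine Personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $r = Test-GatewayCertificate -Cert $_ -ExpectedName $GatewayName
    if ($r.Problems.Count -eq 0) {
        Write-Output "OK    $($r.Subject) [$($r.Thumbprint)]"
    } else {
        Write-Output "FAIL  $($r.Subject) [$($r.Thumbprint)]"
        $r.Problems | ForEach-Object { Write-Output "      - $_" }
    }
}
```

Certificates in the store that were issued for other names will report a name mismatch; read the entry for the gateway certificate.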

From: Ian on 7 Mar 2010 12:41

On TSG -> IIS manager -> Server Certificate. Do you mean to use option "Create Domain Certificate..."?