From: RCan on 7 Mar 2010 13:47

correct - if you had correctly configured your CA you can request here a webserver certificate which can later also be used for TSG SSL usage -> TSG(RD) Manager -> Servername Properties -> SSL Certificate -> "Select an existing...."

Regards
Ramazan

"Ian" <Ian(a)discussions.microsoft.com> wrote in message news:80C4DE07-BD40-4CC6-8AB3-117EE0650636(a)microsoft.com...
> On TSG -> IIS manager -> Server Certificate. Do you mean to use the option "Create Domain Certificate..."?
>
> "RCan" wrote:
>
>> Hi Ian,
>>
>> candidly, I also haven't read it fully yet :-)
>> But one of the interesting sections there is the SSL area, as it is really important that your certificates are correctly issued and configured. No warnings are accepted here!
>>
>> RD Gateway is a really cool and scalable solution for several business scenarios.
>>
>> Let me know when you have any further issues.
>>
>> PS: No - it is NOT important that the CA must run on a dedicated server - it is always a question of scalability and availability, but for testing environments no problem. In production environments normally this role is running on a single server or e.g. on a DC.
>>
>> Regards
>> Ramazan
>>
>> "Ian" <Ian(a)discussions.microsoft.com> wrote in message news:9EFC8D0A-230D-4E50-9F07-222FA2AF7EA6(a)microsoft.com...
>> > Yes, I did read the step-by-step guide yesterday.
>> > I did not have time to finish it and stopped at Step 4: Creating a Revocation Configuration. And then I found a certificate issued by DC1 in the Trusted Root Certification Authorities folder on other servers. I will follow your Step 3 today. BTW my ISA1 has also joined my domain. What is the reason to use a dedicated server for the CA as in the guide (TEST_PKI1), best practice? For testing TS Services roles, do I need to finish the rest of the guide? Or can I do it later? Thanks.
>> >
>> > "RCan" wrote:
>> >
>> >> Hi Ian,
>> >>
>> >> I think you did it correctly till step 3.
>> >> As it sounds you have now installed a CA on your DC, follow the below steps:
>> >>
>> >> 3. go to your TSG -> IIS manager -> request a "Complete Domain Request"
>> >> 4. Export this certificate with private key from TSG and import it to the ISA server's personal store
>> >>
>> >> IMPORTANT: the ISA server needs to trust the CA which issued the certificate for TSG (your root DC).
>> >>
>> >> Let me know when you have any further issues.
>> >>
>> >> PS: You didn't read the step-by-step guide, correct?
>> >>
>> >> Regards
>> >> Ramazan
>> >>
>> >> "Ian" <Ian(a)discussions.microsoft.com> wrote in message news:B864B074-E33C-4E0A-A07D-27C10D5F2917(a)microsoft.com...
>> >> > I did the following:
>> >> > 1. rebuilt TS1, TS2 and TSG with Windows Server 2008 R2.
>> >> > 2. installed ADCS (Enterprise) on DC1
>> >> > 3. created a Domain Certificate on DC1 IIS and exported it with private key
>> >> > 4. imported it in the Personal folder on TSG and ISA
>> >> >
>> >> > Is the above right for the certificate part?
>> >> > For testing RDC/TSG from the Internet, do you think I should import the certificate above in the Trusted Root Certification Authorities folder on the test PC or use http://dc1/certsrv to get one?
>> >> >
>> >> > "RCan" wrote:
>> >> >
>> >> >> Hi Ian :-)
>> >> >>
>> >> >> "Ian" <Ian(a)discussions.microsoft.com> wrote
>> >> >> > To my understanding, I need a certificate to be imported in the Personal folder on ISA and the Trusted Root folder on the client computer.
>> >> >> > If this is right, do I still need to create a certificate during TS Gateway installation?
>> >> >>
>> >> >> 80 % correct :-) You should install a webserver certificate on the TSG server for RDP traffic (SSL) encryption purposes. This certificate is ideally issued by a trusted authority AND the client+ISA MUST trust this certificate's authority. Then you need to export this certificate with the private key and import it at your ISA server's personal store. If the issuing CA of this cert is not a trusted authority for the ISA server this will not work, or you also need to install the root CA in the "trusted authorities" store. If you had read the links provided by me you will find there a step-by-step guide for setting this up; also check the script for configuring TSG aka RD and ISA publishing, it works like a charm :-)
>> >> >>
>> >> >> > I don't have a public certificate. It is just a test environment. What do you recommend to get a certificate for ISA and client?
>> >> >>
>> >> >> Install on your domain controller an enterprise certificate authority which should then be used to issue the certificates to your RD (TSGI) server. If the clients are domain members you don't need to do anything else, clients trust the enterprise CA automatically. A step-by-step guide for setting this up can be found here -> http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx
>> >> >>
>> >> >> > Another question: Is it OK if I install TS Gateway and TS Session Broker on the same server?
>> >> >>
>> >> >> yes, no issue for your test environments.
>> >> >>
>> >> >> > BTW, do you know if I can use Windows Server 2008 R2 as TS Gateway as well as terminal servers? My plan is to test Terminal Services in Windows Server 2008 including TS Gateway, TS Session broker, TS RemoteApp and TS Web Access with TS Farm. Thanks.
>> >> >>
>> >> >> of course, this is always a question of performance but no limitation from the OS. R2 terminal services has really great improvements included.
>> >> >>
>> >> >> Hope that helps
>> >> >>
>> >> >> Regards
>> >> >> Ramazan
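The certificate steps Ramazan lays out in the quoted exchange above (request a web server certificate on the TSG from the enterprise CA, export it together with its private key, import it into the ISA server's Personal store, and make sure ISA trusts the issuing CA) as one PowerShell sequence. This is an added example, not part of the thread and not Microsoft's published TSG/ISA script; it only uses certreq.exe and certutil.exe, which are present on Windows Server 2008 R2. The gateway name tsg.domain.com, the CA config string DC1\domain-DC1-CA, the WebServer template and the C:\PKI folder are assumptions for the lab described in the thread, and the TSG machine account is assumed to have Enroll permission on that template.

```powershell
# Added example (not from the thread): provision the TSG SSL certificate from the
# enterprise CA on DC1, copy it with its private key to the ISA server and make
# sure the issuing root is trusted on both hosts.
# Assumed names: tsg.domain.com, "DC1\domain-DC1-CA" (<CA host>\<CA name>, list
# yours with: certutil -dump), template "WebServer", working folder C:\PKI.

$GatewayFqdn = 'tsg.domain.com'
$CaConfig    = 'DC1\domain-DC1-CA'
$WorkDir     = 'C:\PKI'

# certutil needs the PFX password as plain text on its command line; at least
# do not hard-code it in the script.
$secure   = Read-Host -AsSecureString 'PFX password'
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$PlainPwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# --- Step 3 (run on TSG): request a web server certificate from the enterprise CA.
# The subject must be the name clients and ISA connect to. The key is marked
# exportable only because the same certificate has to be installed on ISA.
@"
[NewRequest]
Subject = "CN=$GatewayFqdn"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$WorkDir\tsg.inf" -Encoding ASCII

certreq -new    "$WorkDir\tsg.inf" "$WorkDir\tsg.req"
certreq -submit -config $CaConfig "$WorkDir\tsg.req" "$WorkDir\tsg.cer"
certreq -accept "$WorkDir\tsg.cer"      # binds the issued cert to its key in LocalMachine\My

# --- Step 4 (run on TSG): export the certificate with its private key for ISA.
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -eq "CN=$GatewayFqdn" } |
          Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
certutil -p $PlainPwd -exportPFX My $thumb "$WorkDir\tsg.pfx"

# Fetch the CA certificate so a non-domain ISA can be told to trust it
# (domain members receive the enterprise root through AD anyway).
certutil -config $CaConfig -ca.cert "$WorkDir\rootca.cer"

# --- On ISA, after copying tsg.pfx and rootca.cer across (run there, elevated):
#   certutil -addstore Root C:\PKI\rootca.cer          # Computer -> Trusted Root CAs
#   certutil -p <password> -importPFX C:\PKI\tsg.pfx   # Computer -> Personal, with key
#   certutil -verify -urlfetch C:\PKI\tsg.cer          # chain and CRL must verify cleanly
```

After the import, delete tsg.pfx from both hosts; a PFX lying around in C:\PKI is a copy of the gateway's private key. The final certutil -verify line is the check worth keeping: Ramazan's "no warning are accepted here" amounts to that command completing without a chain or revocation error on ISA.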
From: Ian on 8 Mar 2010 11:11

I created a Domain Certificate on TSG, installed it on TSG and imported it on ISA.

In the Certificate snap-in, I found a certificate with a private key in the Remote Desktop\Certificates store. It is issued to/by the server itself on all Windows 2008/R2 servers. For example, on TS1, the certificate is issued to/by TS1.domain.com. This store does not exist on Windows Server 2003. What is it for?

When I open it, it shows:

this ca root certificate is not trusted. to enable trust, install this certificate in trusted root certification authorities store.

Do I need to do it manually on each of the servers? Thanks.

"RCan" wrote:
> correct - if you had correctly configured your CA you can request here a webserver certificate which can later also be used for TSG SSL usage -> TSG(RD) Manager -> Servername Properties -> SSL Certificate -> "Select an existing...."
>
> Regards
> Ramazan
From: RCan on 8 Mar 2010 14:55

Hi Ian,

> I created a Domain Certificate on TSG, installed it on TSG and imported it on ISA.

correct here.

> In the Certificate snap-in, I found a certificate with a private key in the Remote Desktop\Certificates store. It is issued to/by the server itself on all Windows 2008/R2 servers. For example, on TS1, the certificate is issued to/by TS1.domain.com. This store does not exist on Windows Server 2003. What is it for?

wrong path - your web server certificate should be in Computer -> Personal -> Certificates and the issuing CA root certificate must be installed in Computer -> Trusted Root Certification Authorities -> Certificates.

> When I open it, it shows:
>
> this ca root certificate is not trusted. to enable trust, install this certificate in trusted root certification authorities store.
>
> Do I need to do it manually on each of the servers? Thanks.

nope, when you have requested the certificate and configured your TSG like already described (TSG(RD) Manager -> Servername Properties -> SSL Certificate -> "Select an existing....") that is totally enough.
Before too much confusion comes up here, why not use the published script which is doing all that stuff for you?

http://gallery.technet.microsoft.com/ScriptCenter/en-us/d401d7d1-3805-40ef-a4a6-f3d4763380a2

Regards
Ramazan
From: Ian on 9 Mar 2010 12:55

Sorry, I should say the question is new and may not relate to my original question:

In the Certificate snap-in, I found a certificate with a private key in the Remote Desktop\Certificates store. It is issued to/by the server itself on all Windows 2008/R2 servers. For example, on TS1, the certificate is issued to/by TS1.domain.com. When I open it, it shows:

this ca root certificate is not trusted. to enable trust, install this certificate in trusted root certification authorities store.

This store is not found on Windows Server 2003. Is it new in Windows Server 2008? What is it used for?

"RCan" wrote:
> wrong path - your web server certificate should be in Computer -> Personal -> Certificates and the issuing CA root certificate must be installed in Computer -> Trusted Root Certification Authorities -> Certificates.
>
> Regards
> Ramazan
From: RCan on 9 Mar 2010 17:55
No problem at all :-)

> In the Certificate snap-in, I found a certificate with a private key in the Remote Desktop\Certificates store. It is issued to/by the server itself on all Windows 2008/R2 servers. For example, on TS1, the certificate is issued to/by TS1.domain.com. When I open it, it shows:
> this ca root certificate is not trusted. to enable trust, install this certificate in trusted root certification authorities store.
> This store is not found on Windows Server 2003. Is it new in Windows Server 2008? What is it used for?

This is used to store all Root CA certificates which are trusted by the host system. In RD SSL scenarios you should install here the Root CA certificate from the issuer of your webserver certificate, if not trusted already.
Can you please install the Root CA certificate in your Certificates -> Computer -> Trusted Authorities....?

Regards
Ramazan
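A check for the store confusion running through the 8 and 9 March posts above: Ramazan's answer on 8 March puts the gateway's web server certificate in Computer -> Personal and the issuing root in Computer -> Trusted Root Certification Authorities, while Ian's question is about the self-signed certificate he found in the Remote Desktop store. The script below, an added example that is not part of the thread, reports on all of that from the TSG (or ISA) host in one go: whether the certificate in Personal has its private key and the Server Authentication EKU, whether its chain builds with the root present in the trusted store (the same condition behind the snap-in's "this CA root certificate is not trusted" message), and whether the Remote Desktop store holds a self-signed certificate as Ian describes. The gateway name tsg.domain.com is an assumption; only .NET types available in PowerShell 2.0 on 2008 R2 are used.

```powershell
# Added example (not from the thread): verify the certificate state the thread
# argues about. Run elevated on the TSG server after the import (or on ISA).
function Test-GatewayCertificate {
    param([string]$GatewayFqdn = 'tsg.domain.com')   # assumption: lab gateway name

    $result = @{}

    # 1. The web server certificate belongs in Computer -> Personal (LocalMachine\My)
    #    and must have its private key, otherwise it cannot be selected for SSL.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$GatewayFqdn" } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    $result.Found         = [bool]$cert
    $result.HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)

    if ($cert) {
        # 2. An SSL listener needs the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
        $ekuExt = $cert.Extensions |
                  Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $result.ServerAuthEku = [bool]($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } |
                                       Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

        # 3. Build the chain the way schannel will: the root must be in
        #    Computer -> Trusted Root Certification Authorities and the CRL reachable.
        $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
        $result.ChainValid  = $chain.Build($cert)
        $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.RootInTrustedStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                                            Where-Object { $_.Thumbprint -eq $root.Thumbprint })
    }

    # 4. The "Remote Desktop" store Ian found: count certificates whose issuer equals
    #    their subject, i.e. self-signed, which is why the snap-in reports an untrusted
    #    root for them. It is not the store the gateway's web server cert is read from.
    $rdStore = New-Object Security.Cryptography.X509Certificates.X509Store('Remote Desktop', 'LocalMachine')
    $rdStore.Open('ReadOnly')
    $result.RemoteDesktopSelfSigned = @($rdStore.Certificates |
                                        Where-Object { $_.Subject -eq $_.Issuer }).Count
    $rdStore.Close()

    New-Object PSObject -Property $result
}

Test-GatewayCertificate | Format-List
```

On a correctly set up gateway the output shows Found, HasPrivateKey, ServerAuthEku, ChainValid and RootInTrustedStore all True with an empty ChainStatus; a RevocationStatusUnknown or OfflineRevocation entry in ChainStatus means the CA's CRL is not reachable from this host, which is the kind of silent SSL warning the thread says is not acceptable. RemoteDesktopSelfSigned being 1 is the normal state Ian observed and does not by itself indicate a gateway problem.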