From: Ian on 27 Feb 2010 13:45

I did the following:

- Created a self-signed certificate on TS Gateway (TSG1) and exported/copied it
- Imported it in the "Trusted Root Certification Authorities" folder and the "Personal" folder on ISA 2006 (ISA1)
- Imported it in the "Trusted Root Certification Authorities" folder on an XP PC which is on the Internet
- Created a web publishing rule and a web listener with the certificate on ISA1
- Ran RDC 6.1 on the XP PC, via ISA1 and TSG1, connecting to TS1, and got the warning:

"Name in the certificate from the remote computer: TS1.MYDOMAIN.COM.
The certificate is not from a trusted certifying authority.
Do you want to connect despite these certificate errors?"

When I clicked Yes, I logged on to TS1. I tried connecting to TS2 and got the same result.

My questions are:
1. Did I do something wrong in the export/import procedure?
2. Is it because it needs a public CA-signed certificate, not a self-signed certificate?

Thanks
From: RCan on 28 Feb 2010 13:27

Hi Ian,

this depends on the kind of TS (RD) Gateway + ISA implementation you have. If you are using HTTPS-to-HTTPS publishing, then you need to export the certificate with the corresponding private key and import it on your ISA server (Computer -> Personal + Computer -> Trusted Root CAs). This certificate should then be used for the SSL listener.

I'm unsure and haven't tried it with self-signed, but why not use an internal CA for this purpose? If the clients are domain members, then you will automatically have a trusted CA; otherwise all other clients need to trust your CA (Trusted Root Authority).

You could also use the following script to configure your environment for RD Gateway <-> ISA, or to scan for configuration issues:
http://blogs.msdn.com/rds/archive/2010/01/08/publish-rd-gateway-on-an-isa-server-using-a-script.aspx

General documentation around this scenario can also be found on TechNet:
Configuring the RD Gateway & ISA Server Scenario
http://technet.microsoft.com/en-us/library/cc731353(WS.10).aspx

Hope that helps
Ramazan

"Ian" <Ian(a)discussions.microsoft.com> wrote in message news:436BC988-69A4-44C9-8E77-F9C3030CA934(a)microsoft.com...
> <snip>
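One check worth running before moving certificates around, as an added example that is not part of the thread and not Microsoft's or either poster's code: the PowerShell script below opens a certificate in a LocalMachine store and reports the four things an ISA SSL listener, an RD Gateway listener and the RDC client actually test, namely private key present, Server Authentication EKU, name match, and a chain that builds against the trust stores of the machine it runs on. Run it on ISA1 for the listener certificate, and on the XP client with -StoreName Root -PublicOnly to see whether the copied certificate chains there. One caveat for reading the warning quoted in the first post: it names TS1, the terminal server behind the gateway. RDC refuses, without a prompt, to connect to a gateway whose certificate fails validation, so a prompt that can be answered with Yes is about the certificate TS1 presents on its own RDP listener, and fixing the certificate on ISA1 or TSG1 will not make it go away. The store name, subject and client-facing name in the script are assumed placeholders.

```powershell
# Added example (not from the thread or from Microsoft): report why a
# certificate would, or would not, satisfy an ISA SSL listener, an RD Gateway
# listener and the RDC client's server-name check.
# $SubjectMatch, $ClientFacingName and $StoreName are assumed placeholders.
param(
    [string]$SubjectMatch     = "tsg1.mydomain.com", # assumed: substring of the cert's Subject
    [string]$ClientFacingName = "tsg1.mydomain.com", # assumed: name users type into RDC
    [string]$StoreName        = "My",                # LocalMachine\Personal; use Root on a client
    [switch]$PublicOnly                              # set on a client: no private key expected
)
$ns = "System.Security.Cryptography.X509Certificates"

$store = New-Object -TypeName "$ns.X509Store" -ArgumentList $StoreName, "LocalMachine"
$store.Open("ReadOnly")
$cert = @($store.Certificates | Where-Object { $_.Subject -match [regex]::Escape($SubjectMatch) })[0]
$store.Close()
if (-not $cert) { throw "no certificate with subject matching '$SubjectMatch' in LocalMachine\$StoreName" }

$problems = @()

# 1. A listener terminates SSL, so it needs the private key. A cert imported
#    from a .cer file (public part only) never has one; that needs the .pfx.
if (-not $PublicOnly -and -not $cert.HasPrivateKey) {
    $problems += "no private key in this store (imported from .cer instead of .pfx?)"
}

# 2. If an Enhanced Key Usage extension is present it must list
#    Server Authentication (1.3.6.1.5.5.7.3.1). A cert with no EKU at all is
#    accepted for any purpose, so only an EKU that omits it is a problem.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) {
    $problems += "EKU present but without Server Authentication"
}

# 3. The name the client connects to must appear as a SAN dNSName or, failing
#    that, as the CN. GetNameInfo(DnsName) returns the first SAN DNS name or the CN.
$names = @($cert.GetNameInfo("DnsName", $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if ($san) {
    # Format() output is locale dependent; it reads "DNS Name=host" on English Windows.
    $names += ($san.Format($false) -split ", " | Where-Object { $_ -like "DNS Name=*" } |
               ForEach-Object { $_.Substring("DNS Name=".Length) })
}
$names = $names | ForEach-Object { $_.ToLower() } | Select-Object -Unique
if ($names -notcontains $ClientFacingName.ToLower()) {
    $problems += "client-facing name '$ClientFacingName' not in certificate names ($($names -join ', '))"
}

# 4. Build the chain using this machine's own trust stores, which is what ISA
#    and the RDC client each do on their own box.
$chain = New-Object -TypeName "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = "NoCheck"   # lab without a CRL; use Online in production
if (-not $chain.Build($cert)) {
    foreach ($st in $chain.ChainStatus) { $problems += "chain: $($st.Status) ($($st.StatusInformation.Trim()))" }
}

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Self-signed: $($cert.Subject -eq $cert.Issuer)"
"Valid      : $($cert.NotBefore.ToShortDateString()) to $($cert.NotAfter.ToShortDateString())"
if ($problems.Count -eq 0) { "OK: no problems found on this machine" }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it from an elevated prompt so the LocalMachine stores and key information are readable. A "chain: UntrustedRoot" line on ISA1 means the issuer is missing from LocalMachine\Root there, which is the case RCan describes; a missing private key on ISA1 means the .cer rather than the .pfx was imported.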
From: Ian on 2 Mar 2010 11:46

I think I did something wrong with the certificate. What I want to do is:
1. Use HTTPS between the RDC client and NIC1 of ISA, which is joined to the domain
2. Use HTTP between NIC2 of ISA and TS Gateway in the domain

To my understanding, I need a certificate imported in the Personal folder on ISA and the Trusted Root folder on the client computer. If this is right, do I still need to create a certificate during TS Gateway installation? I don't have a public certificate. It is just a test environment. What do you recommend to get a certificate for ISA and the client?

Another question: Is it OK if I install TS Gateway and TS Session Broker on the same server?

BTW, do you know if I can use Windows Server 2008 R2 as TS Gateway as well as for terminal servers? My plan is to test Terminal Services in Windows Server 2008 including TS Gateway, TS Session Broker, TS RemoteApp and TS Web Access with a TS Farm. Thanks.

"RCan" wrote:
> <snip>
From: RCan on 2 Mar 2010 16:54

Hi Ian :-)

"Ian" <Ian(a)discussions.microsoft.com> wrote
> To my understanding, I need a certificate imported in the Personal folder
> on ISA and the Trusted Root folder on the client computer.
> If this is right, do I still need to create a certificate during TS Gateway
> installation?

80 % correct :-) You should install a web server certificate on the TSG server for RDP traffic (SSL) encryption purposes. This certificate is ideally issued by a trusted authority AND the client + ISA MUST trust this certificate's authority. Then you need to export this certificate with the private key and import it into your ISA server's Personal store. If the issuing CA of this cert is not a trusted authority for the ISA server, this will not work, or you also need to install the root CA in the "Trusted Root Authorities" store. If you read the links I provided, you will find there a step-by-step guide for setting this up; also check the script for configuring TSG (aka RD Gateway) and ISA publishing, it works like a charm :-)

> I don't have a public certificate. It is just a test environment. What do you
> recommend to get a certificate for ISA and the client?

Install an enterprise certificate authority on your domain controller, which should then be used to issue the certificates to your RD Gateway (TSG) server. If the clients are domain members, you don't need to do anything else; clients trust the enterprise CA automatically. A step-by-step guide for setting this up can be found here ->
http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx

> Another question: Is it OK if I install TS Gateway and TS Session Broker on
> the same server?

Yes, no issue for your test environment.

> BTW, do you know if I can use Windows Server 2008 R2 as TS Gateway as well
> as for terminal servers? My plan is to test Terminal Services in Windows Server
> 2008 including TS Gateway, TS Session Broker, TS RemoteApp and TS Web Access
> with a TS Farm. Thanks.

Of course; this is always a question of performance, but there is no limitation from the OS. R2 Terminal Services has really great improvements included.

Hope that helps

Regards
Ramazan
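The export/import steps in the answer above, written out as an added PowerShell example (not code from the thread, from Microsoft, or from the linked script): the same script is run once per machine with a different -Role. On TSG1 it exports the listener certificate with its private key to a password-protected PFX and, separately, the issuing root as a public-only .cer; on ISA1 it puts the PFX into LocalMachine\Personal (with the key persisted in the machine key set, so the ISA listener can use it) and the root into LocalMachine\Trusted Root Certification Authorities; on the XP client it imports only the root .cer and refuses anything carrying a private key, because nothing but the two servers should ever hold that key. For a self-signed certificate the "root" written out is the certificate itself, which is why Ian's single-certificate copy can work in a lab but an enterprise CA is the cleaner choice. The thumbprint, paths and machine roles are assumed placeholders.

```powershell
# Added example (not from the thread, Microsoft or the linked script): moves a
# gateway/listener certificate between stores the way the answer above describes.
# Run with -Role Gateway on TSG1, -Role Isa on ISA1 and -Role Client on the XP PC.
# The thumbprint and file paths are assumed placeholders for the lab.
param(
    [ValidateSet("Gateway", "Isa", "Client")] [string]$Role = "Gateway",
    [string]$Thumbprint  = "0123456789ABCDEF0123456789ABCDEF01234567",  # assumed: cert issued to TSG1
    [string]$PfxPath     = "C:\certs\tsg1-with-key.pfx",                # assumed: key material, servers only
    [string]$RootCerPath = "C:\certs\lab-root-ca.cer"                   # assumed: public root, every machine
)
$ns = "System.Security.Cryptography.X509Certificates"

function Open-MachineStore([string]$Name, [string]$Mode) {
    $s = New-Object -TypeName "$ns.X509Store" -ArgumentList $Name, "LocalMachine"
    $s.Open($Mode)
    return $s
}

switch ($Role) {
  "Gateway" {
    # TSG1: export the listener cert WITH its private key (PFX) for ISA, and the
    # issuing root WITHOUT any key (DER .cer) for every machine that must trust it.
    $store = Open-MachineStore "My" "ReadOnly"
    $cert = @($store.Certificates.Find("FindByThumbprint", $Thumbprint, $false))[0]
    $store.Close()
    if (-not $cert) { throw "thumbprint $Thumbprint not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "no private key here; export from the machine that holds the key" }
    $pw = Read-Host -AsSecureString "Password to protect the PFX"
    # Export() throws if the key was generated as non-exportable; re-request the cert with an exportable key then.
    [IO.File]::WriteAllBytes($PfxPath, $cert.Export("Pfx", $pw))
    $chain = New-Object -TypeName "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = "NoCheck"   # lab only
    $null = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate  # self-signed: the cert itself
    [IO.File]::WriteAllBytes($RootCerPath, $root.Export("Cert"))               # "Cert" = DER, public part only
    "Exported PFX (with key) to $PfxPath and root '$($root.Subject)' (public only) to $RootCerPath"
  }
  "Isa" {
    # ISA1: the web listener needs the key -> LocalMachine\My; chain validation
    # of that cert needs the issuer -> LocalMachine\Root.
    $pw = Read-Host -AsSecureString "PFX password"
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet, PersistKeySet"
    $pfx = New-Object -TypeName "$ns.X509Certificate2" -ArgumentList $PfxPath, $pw, $flags
    $my = Open-MachineStore "My" "ReadWrite"; $my.Add($pfx); $my.Close()
    $rootCert = New-Object -TypeName "$ns.X509Certificate2" -ArgumentList $RootCerPath
    $rootStore = Open-MachineStore "Root" "ReadWrite"; $rootStore.Add($rootCert); $rootStore.Close()
    "Imported listener cert $($pfx.Thumbprint) (key present: $($pfx.HasPrivateKey)) and root '$($rootCert.Subject)'"
  }
  "Client" {
    # XP PC: ONLY the public root certificate. The PFX never leaves the servers.
    $rootCert = New-Object -TypeName "$ns.X509Certificate2" -ArgumentList $RootCerPath
    if ($rootCert.HasPrivateKey) { throw "refusing to import a private key on a client" }
    $rootStore = Open-MachineStore "Root" "ReadWrite"; $rootStore.Add($rootCert); $rootStore.Close()
    "Client now trusts '$($rootCert.Subject)'"
  }
}
```

The ISA and Client roles need an elevated prompt, since they write to LocalMachine stores. If the XP client has no PowerShell, the same Client step is `certutil -addstore Root C:\certs\lab-root-ca.cer`. Delete the PFX from any transfer location once ISA1 has imported it; the private key is what lets a holder impersonate the gateway to every client that trusts the root.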
From: RCan on 2 Mar 2010 17:58
A step-by-step guide which could be useful for you:
RDS: RD Gateway must be configured to use an SSL certificate signed by a trusted certification authority
http://technet.microsoft.com/en-us/library/dd320345(WS.10).aspx

Regards
Ramazan

"RCan" <noospam(a)arcor.de> wrote in message news:#pJg6LluKHA.4940(a)TK2MSFTNGP05.phx.gbl...
> <snip>