Today I will continue my series of articles on Microsoft’s latest Forefront Threat Management Gateway (TMG) and focus on publishing Windows 2008 R2 Remote Desktop Web Access (RD Web) and Remote Desktop Gateway (RD Gateway) to the Internet via TMG. If you missed my first article on installing Forefront TMG, you can access it here.
This article assumes that your Remote Desktop Services infrastructure is already in place and that your RD Gateway and RD Web Access roles are on the same server. Refer to my 3-part series on Remote Desktop Services in Windows 2008 R2, which outlines the configuration of RD Session Host, RD Gateway and RD Web Access.
So let’s begin!
We also assume that a trusted third-party certificate has already been issued for the Remote Desktop Services infrastructure. On the RD Web Access/Gateway server where the certificate is installed, launch IIS Manager and navigate to Server Certificates. Select the certificate in question and, from the Actions pane, select Export…
Specify the location and enter a password to protect the exported certificate and its private key.
We now need to take the exported certificate and import it into the Local Computer Personal certificate store on the TMG server.
On the TMG server, launch the Microsoft Management Console (MMC), select File / Add or Remove Snap-ins, select Certificates from the available snap-ins and click Add >
Select Computer account / Next.
Select Local computer / Finish. Then click OK.
Right-click the Personal folder under Certificates and select All Tasks / Import…
This will invoke the Certificate Import Wizard. Click Next.
Browse for the certificate that we exported earlier.
Enter the certificate password.
Ensure that the “Personal” Certificate store is selected to import into.
Click Next and Finish.
To confirm that the certificate was successfully imported, browse to Certificates / Personal / Certificates and double-click the imported certificate.
It is important that the certificate states that you have a private key that corresponds to it; otherwise it will not be visible in TMG when we apply it to our Web Listener.
I would also check the Certification Path tab to ensure that the certificate status is OK, i.e. there is no “break” in the certificate path and every certificate in the chain is present.
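The same import and both checks can be done without clicking through the MMC. The following PowerShell script is an added example, not code from the original post: it imports the exported PFX into the Local Computer Personal store on the TMG server, then verifies that the private key was persisted, that the name on the certificate matches the public name, and that the certification path builds without a break. The file path and the public FQDN are assumptions; change them to match your environment.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# prompt on the TMG server. Imports the PFX exported from the RD Web Access /
# RD Gateway server into Local Computer\Personal and verifies what TMG needs
# before the certificate shows up in the Web Listener wizard: a private key
# and an unbroken certification path.

$PfxPath     = 'C:\Temp\rdweb.pfx'      # placeholder: where the IIS export was saved
$PublicFqdn  = 'remote.example.com'     # placeholder: the externally resolvable name
$PfxPassword = Read-Host -AsSecureString 'Password used when exporting the PFX'

# MachineKeySet: store the key under the machine, not the current user, so the
# TMG service can use it. PersistKeySet: keep the key after the import completes.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $PfxPassword, $flags

# Same target as the MMC wizard: Certificates (Local Computer) \ Personal.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
             -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Re-read the certificate from the store so we check what was actually persisted.
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

$dnsName = $installed.GetNameInfo('DnsName', $false)   # first DNS name (SAN, else CN)
"Subject     : $($installed.Subject)"
"DNS name    : $dnsName"
"Valid until : $($installed.NotAfter)"
"Private key : $($installed.HasPrivateKey)"

if (-not $installed.HasPrivateKey) {
    Write-Warning 'No private key: TMG will not list this certificate for the Web Listener. Re-export from IIS with the private key.'
}
if ($dnsName -ne $PublicFqdn) {
    Write-Warning "Certificate name '$dnsName' does not match the public name '$PublicFqdn'."
}

# Build the chain the way the Certification Path tab does. Any element with a
# non-empty status list has a problem (missing intermediate, untrusted root,
# expired or revoked certificate).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chainOk = $chain.Build($installed)
foreach ($element in $chain.ChainElements) {
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }
    '  {0,-55} {1}' -f $element.Certificate.Subject, $status
}
if (-not $chainOk) {
    Write-Warning 'Certification path is broken; install the missing intermediate/root certificates before creating the Web Listener.'
}
```

If the private key warning appears, the fix is on the RD server side: repeat the IIS export and make sure the private key is included. A broken path is fixed on the TMG server by importing the issuing CA's intermediate certificates into the Intermediate Certification Authorities store.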
Create Web Listener
Launch the TMG Management Console and click on Firewall Policy.
Navigate to Toolbox / Network Objects and select New / Web Listener. This will invoke the New Web Listener Wizard.
Enter a friendly name.
Ensure that “Require SSL secured connections with clients” is selected.
For your Web Listener IP address, select Internal and then click on Select IP Addresses.
You will need to specify a unique IP address for each Web Listener/certificate that you set up on your TMG server.
In the next window you will assign the recently imported certificate from your RD Web Access/Gateway server to the IP address that we added in the previous window.
Click on Select Certificate and choose the certificate that will be applied to your RD Web Access/Gateway Web Listener. Click “Select” once done.
Select “No Authentication” from the drop-down menu. This is important, as we will not be utilising TMG’s forms-based authentication; clients will authenticate directly against the RD Web Access/Gateway server.
The next screen will state that SSO is only available with HTML form Authentication.
Click Finish to complete the New Web Listener Wizard.
Finally, click Apply to save the changes.
TMG Web Publishing Rule
We can now proceed and create our RD Web Access/Gateway rule by right-clicking Firewall Policy and selecting New / Exchange Web Client Access Publishing Rule… Specify a name for your rule.
Now you might be wondering why I have specifically selected the Exchange Publishing Rule as opposed to a generic Web Publishing Rule. Firstly, I am still not sure why Microsoft have not created a specific template for Remote Desktop Services, and secondly, if you select the generic Web Site Publishing Rule, you will receive the warning below when you come to test your rule later.
Category: General warning
Error details: The internal path of the URL was identified as part of a SharePoint or Exchange server publishing rule.
Action: Use the SharePoint Publishing Rule Wizard or the Exchange Publishing Rule Wizard.
Select “Exchange Server 2007” and select only the Outlook Anywhere option. Leave “Publish additional folders on the Exchange Server for Outlook 2007 clients” unchecked.
Select Publish a single Web site or load balancer.
Click Next. Select Use SSL to connect to the published Web server or server farm.
Click Next. Specify the Internal site name.
Specify the Public FQDN which should be externally resolvable.
Click Next. Select the Web Listener that we created earlier. Click Next.
Select “No delegation, but client may authenticate directly” from the Authentication Delegation drop-down.
Remove “All Authenticated Users” and add “All Users”. Since the listener performs no authentication, TMG cannot match an authenticated-users set, so the rule must apply to all users.
Click Finish to complete…
There is only one more step and we are done. Because there is no dedicated publishing rule template for RD Web Access/Gateway, we need to adjust the entries on the Paths tab of the RD Web Access/Gateway rule.
Right-click your designated rule, select Properties, and navigate to the Paths tab.
Add /rdweb/* as a path.
Because we selected the Exchange Server 2007 publishing wizard and in particular the Outlook Anywhere service, the RPC path mapping (/rpc/*), which RD Gateway needs for its RPC-over-HTTP transport, should already be listed under Paths. Do NOT remove this path.
Finally, remove /* if it exists, so that only the RD Web Access and RD Gateway paths are published.
Make sure you click Test Rule, which should show a green tick beside each path entry!
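Test Rule checks the rule from TMG's point of view. As a complementary check from the outside, the following PowerShell script is an added example, not code from the original post: run from a client on the Internet, it requests a handful of paths on the public name without sending any credentials and reports the HTTP status and the certificate TMG presented. The expectation is that /rdweb/ is served, that the RD Gateway RPC proxy path gets through to the RD server, and that paths outside the published set (the catch-all /* we removed) are not served. The public FQDN and the unpublished probe path are assumptions.

```powershell
# Added example, not part of the original post. Run from a client OUTSIDE the
# network (it must resolve the public name to TMG's external address) after
# the rule has been applied. Probes a few paths and reports the HTTP status and
# the certificate name TMG presented, without sending any credentials.

$PublicFqdn = 'remote.example.com'   # placeholder: the Public FQDN from the rule

# Paths to probe and whether we expect TMG to pass them to the RD server.
# "Served" here means 200, a redirect, or 401 (the RD server asked for
# credentials, so the request got past TMG).
$probes = @(
    @{ Path = '/rdweb/';           ExpectServed = $true  },  # RD Web Access (normally redirects to /RDWeb/Pages/)
    @{ Path = '/rpc/rpcproxy.dll'; ExpectServed = $true  },  # RD Gateway RPC-over-HTTP proxy
    @{ Path = '/';                 ExpectServed = $false },  # root: not published once /* is removed
    @{ Path = '/iisstart.htm';     ExpectServed = $false }   # assumed unpublished path outside /rdweb and /rpc
)

function Test-PublishedPath {
    param([string]$Url)
    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method            = 'GET'
    $request.AllowAutoRedirect = $false    # report the redirect itself rather than following it
    $request.Timeout           = 15000
    $status = 0                            # 0 = no HTTP answer at all (TCP or TLS failure)
    try {
        $response = $request.GetResponse()
        $status   = [int]$response.StatusCode
        $response.Close()
    } catch [System.Net.WebException] {
        # Non-2xx answers arrive as an exception that still carries the response.
        # A TLS trust failure (wrong or untrusted certificate) has no response;
        # it stays at 0 and should be fixed on the listener, not bypassed here.
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    }
    $certName = $null
    if ($request.ServicePoint.Certificate) {
        $cert2    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        -ArgumentList $request.ServicePoint.Certificate
        $certName = $cert2.GetNameInfo('DnsName', $false)
    }
    New-Object PSObject -Property @{ Url = $Url; Status = $status; CertName = $certName }
}

foreach ($probe in $probes) {
    $result  = Test-PublishedPath ("https://$PublicFqdn" + $probe.Path)
    $served  = ($result.Status -eq 200) -or
               ($result.Status -ge 300 -and $result.Status -lt 400) -or
               ($result.Status -eq 401)
    $verdict = if ($served -eq $probe.ExpectServed) { 'PASS' } else { 'CHECK' }
    '{0,-5} {1,-50} HTTP {2,-3} cert={3}' -f $verdict, $result.Url, $result.Status, $result.CertName
    if ($result.CertName -and $result.CertName -ne $PublicFqdn) {
        Write-Warning "Certificate presented for $($result.Url) is for '$($result.CertName)', not '$PublicFqdn'."
    }
}
```

A CHECK on one of the unpublished paths means TMG is still handing requests to the RD server for paths the rule was not meant to expose; revisit the Paths tab and confirm /* is gone. A status of 0 on every probe usually means the public name does not resolve to the listener address or the certificate is not trusted by the client.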
That’s all there is to it. In upcoming posts in this series, I will go through publishing other items such as Outlook Web App and SharePoint sites.