Publish Remote Desktop Web Access and Gateway with Forefront TMG 2010

Posted by on Apr 22, 2010 in Forefront, TMG

Today I will continue my series of articles on Microsoft's Forefront Threat Management Gateway (TMG) 2010 and focus on publishing Windows Server 2008 R2 Remote Desktop Web Access (RD Web) and Remote Desktop Gateway (RD Gateway) to the Internet through TMG.  If you missed my first article on installing Forefront TMG, you can access it here.

This article assumes that your Remote Desktop Services infrastructure is already in place and that RD Gateway and RD Web Access run on the same server, so that a single certificate, Web Listener and publishing rule cover both.   Refer to my 3 part series on Remote Desktop Services in Windows 2008 R2, which covers the configuration of the RD Session Host, RD Gateway and RD Web Access.

So let’s begin!

Export Certificate

We are assuming that a certificate from a trusted third-party CA has already been issued for the Remote Desktop Services infrastructure, and that its subject (or one of its subject alternative names) matches the public FQDN clients will use, since TMG will present this same certificate to them.  From your RD Web Access/Gateway server where the certificate and its private key are installed, launch IIS Manager and navigate to Server Certificates.  Select the certificate in question and, from the Actions pane, select Export…  This produces a .pfx (PKCS #12) file containing the certificate together with its private key; the key must have been marked exportable when the request was generated, otherwise the export will fail.

Specify the location and enter a password.  This password encrypts the private key inside the .pfx, so choose a strong one, copy the file to the TMG server over a trusted channel (not e-mail), and delete it from both servers once the import below is complete.

Import Certificate

We now need to import the exported .pfx directly into the Personal store of the Local Computer on the TMG server.  It must be the computer store, not the current user's store: the TMG Web Listener only offers certificates that sit in the computer's Personal store.

On the TMG server, launch the Microsoft Management Console (MMC) / Select File / Add or Remove Snap-ins / select Certificates from available snap-ins and select Add >

Select Computer account / Next.

Select Local computer / Finish.  Then click OK.

Right click on the Personal folder under Certificates and select All Tasks / Import…

This will invoke the Certificate Import Wizard. Click Next.

Browse for the certificate that we exported earlier on.

Click Next

Enter the certificate password.

Click Next.

Ensure that the “Personal” Certificate store is selected to import into.

Click Next and Finish.

To confirm that the certificate was successfully imported, browse to Certificates / Personal / Certificates and double click on the imported certificate.

It is important that the General tab states "You have a private key that corresponds to this certificate".  If it does not, the export did not include the key (or it was imported into the wrong store) and the certificate will not appear in TMG's certificate picker when we build the Web Listener.

Also check the Certification Path tab: the certificate status should read "This certificate is OK", with no "break" in the path and every intermediate CA certificate present.  If the chain is broken on the TMG server, import the missing intermediate certificate into the Intermediate Certification Authorities store; otherwise TMG will present an incomplete chain and clients that do not already hold the intermediate will see certificate errors, and the RD Gateway client will refuse to connect.
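The export, import and verification steps above can also be done from PowerShell, which is useful when you have several TMG array members to load. The script below is an added example and is not from the original post; the thumbprint, file path and password are placeholders, and it uses only the .NET X509 classes available on Windows Server 2008 R2 (PowerShell 2.0). It ends by checking the two things TMG actually needs: a private key in the Local Computer Personal store and a chain that builds.

```powershell
# Added example (not from the original post). Export the RDS certificate with its
# private key as a password-protected PFX, import it into LocalMachine\My on the
# TMG server, then verify private key presence and chain completeness.
# All thumbprints, paths and passwords below are placeholders.

function Get-MachineCertificate {
    param([string]$Thumbprint)
    # The TMG Web Listener only lists certificates from the Local Computer Personal
    # store, so that is the store we read from and verify against.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $match = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    } finally { $store.Close() }
    if (-not $match) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    return $match
}

function Export-RdsCertificatePfx {
    param([string]$Thumbprint, [string]$PfxPath, [string]$PfxPassword)
    $cert = Get-MachineCertificate -Thumbprint $Thumbprint
    if (-not $cert.HasPrivateKey) {
        throw 'No private key for this certificate here; export from the server where the CSR was generated.'
    }
    # Pkcs12 is the .pfx format with the private key included. Export() throws if the
    # key was not marked exportable; the password encrypts the key, not just the file.
    $ct = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12
    $bytes = $cert.Export($ct, $PfxPassword)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    return $PfxPath
}

function Import-RdsCertificatePfx {
    param([string]$PfxPath, [string]$PfxPassword)
    # MachineKeySet stores the key in the computer's key container and PersistKeySet
    # keeps it after import. Without both, the certificate shows up but has no key,
    # which is exactly the failure the GUI check on the General tab catches.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

function Test-RdsCertificateForTmg {
    param([string]$Thumbprint)
    $cert = Get-MachineCertificate -Thumbprint $Thumbprint
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # TMG checks revocation at run time; skip it here so the chain test works offline.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk  = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status })
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey       # must be True or TMG will not list it
        ChainBuilds   = $chainOk                  # False: import the missing intermediate CA
        ChainDepth    = $chain.ChainElements.Count
        ChainProblems = ($problems -join ', ')
    }
}

# On the RD Web Access/Gateway server:
#   Export-RdsCertificatePfx -Thumbprint 'AB12...' -PfxPath 'C:\temp\rds.pfx' -PfxPassword (Read-Host 'PFX password')
# Copy rds.pfx to the TMG server over a trusted channel, then on TMG:
#   $tp = Import-RdsCertificatePfx -PfxPath 'C:\temp\rds.pfx' -PfxPassword (Read-Host 'PFX password')
#   Test-RdsCertificateForTmg -Thumbprint $tp | Format-List
#   Remove-Item 'C:\temp\rds.pfx'    # the PFX carries the private key; do not leave it behind
```

If ChainBuilds comes back False with a PartialChain status, the intermediate CA certificate is missing on the TMG server; import it into the Intermediate Certification Authorities store and rerun the check before building the listener.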

Create Web Listener

Launch the TMG Management Console and click on Firewall Policy.

Navigate to Toolbox / Network Objects and select New, Web Listener.  This will invoke the New Web Listener Wizard.

Enter a friendly name.

Click Next.

Ensure that "Require SSL secured connections with clients" is selected.  The RD Gateway client only connects over HTTPS, and a plain-HTTP listener would carry RD Web logon credentials in clear text, so there is no reason for this listener to accept unencrypted connections.

Click Next

For the Web Listener IP address, select the network on which this listener must accept client connections and then click on Select IP Addresses.  For an Internet-facing deployment this is normally External; choose Internal only if your TMG is positioned so that the client-facing traffic arrives on that network.

You will need a dedicated IP address for each Web Listener/certificate pair on your TMG server: TMG 2010 does not support Server Name Indication (SNI), so it can bind only one certificate per IP address and port.  If you want several published names to share one listener, use a single certificate that carries all of them as subject alternative names (or a wildcard) instead.

Click Next

In the next window you will assign the certificate imported earlier to the IP address added in the previous step.

Click on Select Certificate, choose the certificate for your RD Web Access/Gateway Web Listener and click "Select".  Only certificates in the Local Computer Personal store that have a private key appear in this list, which is why the earlier check mattered.

Click Next.

Select "No Authentication" from the drop down menu.  This is deliberate: we will not use TMG's Forms Based Authentication, because the RD Gateway client (mstsc) talks RPC over HTTP and authenticates with NTLM/Kerberos against the gateway itself; it cannot fill in an HTML logon form, so a forms-authenticated listener would break every RD Gateway connection.  The trade-off is that TMG performs no pre-authentication: every request on the published paths is forwarded to the RDS server, and the RD Web logon page, RD Gateway's own authentication and its connection and resource authorization policies (CAP/RAP) become the only access control.  Keep the published paths tight (see the Paths step at the end) and make sure those gateway policies are in place before you expose the rule.

Click next.

The next screen will state that SSO is only available with HTML Form Authentication; it does not apply here.

Click Next.

Click Finish to complete the New Web Listener Wizard.

Finally, click Apply to save the changes.

TMG Web Publishing Rule

We can now create the RD Web Access/Gateway rule by right clicking on Firewall Policy / New / Exchange Web Client Access Publishing Rule… and specifying a name for the rule.

You might be wondering why I have specifically chosen the Exchange publishing rule as opposed to a generic Web Site Publishing Rule.  TMG 2010 has no publishing template for Remote Desktop Services, and the Outlook Anywhere template is the closest fit: RD Gateway on Windows 2008 R2 tunnels RDP as RPC over HTTP through the same IIS RPC proxy (/rpc/rpcproxy.dll) that Outlook Anywhere uses, so that template already contains the /rpc/* path mapping and the RPC-over-HTTP handling the gateway needs.  If you select the generic Web Site Publishing Rule instead, you will receive the warning below when you come to test your rule later.

Category: General warning

Error details: The internal path of the URL was identified as part of a SharePoint or Exchange server publishing rule.

Action: Use the SharePoint Publishing Rule Wizard or the Exchange Publishing Rule Wizard.

Click Next

Select "Exchange Server 2007" and tick only the Outlook Anywhere option.  Leave "Publish additional folders on the Exchange Server for Outlook 2007 clients" unchecked: those folders (such as /Autodiscover/* and /EWS/*) do not exist on the RDS server and would only widen the published surface.

Click Next

Select Publish a single Web site or load balancer.

Click Next.  Select Use SSL to connect to the published Web server or server farm, so that the leg between TMG and the RDS server stays encrypted rather than being bridged down to plain HTTP.

Click Next.  Specify the Internal site name.  Because we chose SSL for the internal leg, TMG validates the RDS server's certificate against this name, so it must match that certificate's subject (or a SAN) and TMG must trust the CA that issued it; otherwise the bridge fails with a certificate error even though the rule looks correct.

Click Next.

Specify the Public FQDN, which must be resolvable from the Internet and must match the name on the certificate bound to the Web Listener.  The rule will only accept requests whose Host header matches this name.

Click Next.  Select the Web listener that we created earlier.  Click Next

Select "No delegation, but client may authenticate directly" from the Authentication Delegation drop down.  This matches the listener's No Authentication setting: TMG passes the client's own authentication (the RD Web logon form and the NTLM/Kerberos exchange of the RD Gateway client) through to the RDS server untouched.

Click Next.

Remove All Authenticated Users and add All Users.  This is required rather than optional: the listener performs no authentication, so TMG never has an authenticated user to match and a rule restricted to All Authenticated Users would never match a request.

Click Finish to complete…

There is only one more step and we are done.  Because there is no dedicated publishing rule template for RD Web Access/Gateway, we need to adjust the Paths tab of the rule so that only the RD Web Access and RD Gateway paths are published.

Right click on your designated rule and select properties, and navigate to the Paths tab.

Click Add..

Enter /rdweb/* as the path.  This is where RD Web Access lives in IIS on the RDS server; the wildcard covers its pages, images and the RemoteApp .rdp files it serves.

Because we selected the Exchange Server 2007 publishing wizard with the Outlook Anywhere service, the /rpc/* path mapping is already included under Paths.  Do NOT remove this path: RD Gateway's RPC-over-HTTP traffic goes through /rpc/rpcproxy.dll, and without this mapping RD Web would still work but every RD Gateway connection would fail.

Finally, remove /* if it exists.  With it gone, only /rdweb/* and /rpc/* are published, and every other URL on the RDS server's IIS (the default site, any admin tools, anything added later) is refused by TMG before it reaches the server.

Make sure you click on Test Rule, which should show a green tick beside each path entry!
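Test Rule confirms that TMG can reach the RDS server on each path; it does not show what the outside world can see.  The script below is an added example, not part of the original post, to be run from a client outside the firewall: it probes the published hostname (a placeholder here) for the paths that should pass through and a few that should not, and reads back the certificate TMG presents so you can compare its thumbprint with the one you imported.  It uses only System.Net classes available on PowerShell 2.0.

```powershell
# Added example (not from the original post). Run from outside the TMG: check that
# only /rdweb/* and /rpc/* are reachable and that TMG presents the expected
# certificate. 'rds.example.com' and the probe paths are placeholders.

function Get-PublishedPathStatus {
    param([string]$PublicFqdn, [string]$Path)
    $req = [System.Net.HttpWebRequest]::Create("https://$PublicFqdn$Path")
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false     # a redirect still proves the backend answered
    $req.UserAgent = 'tmg-publish-probe'
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        else { $status = 0 }            # TLS failure, reset or timeout: nothing answered
    }
    return $status
}

function Test-PublishedSurface {
    param([string]$PublicFqdn)
    # 2xx/3xx, or the 401 challenge from IIS Windows authentication, means the request
    # made it through TMG to the RDS server. Anything else means TMG stopped it.
    $reached = 200, 301, 302, 401
    $probes = @(
        @{ Path = '/rdweb/';           ShouldPublish = $true  },  # RD Web Access
        @{ Path = '/rpc/rpcproxy.dll'; ShouldPublish = $true  },  # RD Gateway RPC-over-HTTP endpoint; expect 401
        @{ Path = '/';                 ShouldPublish = $false },  # only the removed /* mapping would allow this
        @{ Path = '/owa/';             ShouldPublish = $false },  # Exchange folders the template did not add
        @{ Path = '/autodiscover/';    ShouldPublish = $false },
        @{ Path = '/rdwebx/';          ShouldPublish = $false }   # sibling prefix; confirms /rdweb/* is anchored
    )
    foreach ($p in $probes) {
        $status     = Get-PublishedPathStatus -PublicFqdn $PublicFqdn -Path $p.Path
        $wasReached = $reached -contains $status
        New-Object PSObject -Property @{
            Path   = $p.Path
            Status = $status
            Result = $(if ($wasReached -eq $p.ShouldPublish) { 'OK' } else { 'UNEXPECTED' })
        }
    }
}

function Get-PresentedCertificate {
    param([string]$PublicFqdn)
    # Whatever certificate TMG served in the TLS handshake, read from the ServicePoint.
    $req = [System.Net.HttpWebRequest]::Create("https://$PublicFqdn/rdweb/")
    $req.AllowAutoRedirect = $false
    try { $req.GetResponse().Close() } catch [System.Net.WebException] { }
    if (-not $req.ServicePoint.Certificate) { return $null }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($req.ServicePoint.Certificate)
    # Name check against the CN and the Subject Alternative Name extension (OID 2.5.29.17);
    # wildcard certificates are not matched by this simple test.
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $nameOk  = ($cert.Subject -match ('CN=' + [regex]::Escape($PublicFqdn) + '(,|$)')) -or
               ($sanText -match [regex]::Escape($PublicFqdn))
    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint   # compare with the thumbprint imported on TMG
        NotAfter    = $cert.NotAfter
        NameMatches = $nameOk
    }
}

# From a client outside the firewall:
#   Test-PublishedSurface  -PublicFqdn 'rds.example.com' | Format-Table Path, Status, Result -AutoSize
#   Get-PresentedCertificate -PublicFqdn 'rds.example.com' | Format-List
```

Any UNEXPECTED row on a path that should be blocked means a path mapping is wider than intended (typically /* was left in place); an UNEXPECTED row on /rpc/rpcproxy.dll means the Outlook Anywhere mapping was removed and RD Gateway will not work.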

That's all there is to it.  In upcoming posts in this series, I will go through publishing other items such as Outlook Web App and SharePoint sites.