Microsoft Forefront TMG – Publishing RD Web Access with RD Gateway (Part 1)

by Marc Grote [Published on 11 Aug. 2010 / Last Updated on 20 May 2013]

How to publish Remote Desktop Web Access with Remote Desktop Gateway over Microsoft Forefront TMG.

If you would like to be notified of when Marc Grote releases the next part in this article series please sign up to our ISAserver.org Real Time Article Update newsletter.

Introduction

In this short article series I will show you how to publish Remote Desktop Web Access with Remote Desktop Gateway over Microsoft Forefront TMG. Part one of this article series shows the configuration of the RD Web Access and RD Gateway services. Part two will show you how to publish RD Web Access with Forefront TMG.



Let us Begin

Windows Server 2008 R2 provides some new and exciting features for Terminal Services access. Starting with Windows Server 2008 R2, Microsoft changed the names of the Terminal Server components. For example, the Terminal Server feature in previous Windows Server versions is now called Remote Desktop Session Host. One of the features introduced with Windows Server 2008 is the Remote Desktop Gateway, which allows Remote Desktop clients to establish an RDP connection through HTTPS with the Remote Desktop Gateway, which acts as an RPC over HTTPS proxy. The Remote Desktop Gateway then connects the RDP client, using the RDP protocol, to the internal Remote Desktop Session Hosts. This is a great feature because HTTPS (The Universal Firewall Bypass Protocol) is widely allowed and will not be blocked by firewalls or other devices. In conjunction with the Remote Desktop Web Access feature, a user can connect to a website that provides access to published applications (called RemoteApps in Microsoft terms), which are tunneled through HTTPS to the Remote Desktop Gateway service. To enhance the security of Remote Desktop access, it is possible to use Forefront TMG to publish Remote Desktop Web Access with Remote Desktop Gateway.

This article assumes that the Remote Desktop Session Host feature is correctly installed and configured, so only the Remote Desktop Web Access and Remote Desktop Gateway components have to be installed and configured.

For the examples in this article we will use the following lab environment:

  1. One Windows 7 Ultimate client for Remote Desktop client access
  2. One Forefront TMG Server for Remote Desktop publishing, which also acts as the Remote Desktop Gateway and Remote Desktop Web Access server
  3. One Windows Server 2008 R2 with installed Remote Desktop Session Host services


Figure 1: Install Remote Desktop role service

After installing the Remote Desktop Web Access feature, you have to log on to the Remote Desktop Web Access configuration website to change some settings.


Figure 2: Log on to the Remote Desktop Web Access configuration website

You must configure RD Web Access to provide users with access to RemoteApp and Remote Desktop connections. Select an RD Connection Broker server or a RemoteApp server as the source, as you can see in the following picture. We choose RemoteApp to get the published RD apps from the Remote Desktop Session Host.


Figure 3: Specify a source for RD Web Access

After the settings are saved, you will see the RemoteApp programs in RD Web Access.


Figure 4: RemoteApp programs in RD Web Access

Because Forefront TMG acts as an SSL bridging gateway in the upcoming secure web server publishing, it is important to implement the correct certificate infrastructure. You have to make sure that the correct certificates are enrolled and that all machines involved in the publishing process (Forefront TMG, RD Session Host server and Windows 7 client) trust the same issuing Certificate Authority (CA). For the examples in this article series, we use the DNS name webmail.trainer.de to access the RD Web Access and RD Gateway services, so we have to issue a certificate whose Common Name (CN) matches the public URL that is used to access RD Web Access or that must be entered in the Remote Desktop client connection on the Windows 7 machine on the Internet. The following picture shows the correct certificate, which is used by the RD Web Access and RD Gateway services. This certificate must also be imported, together with its private key, on the Forefront TMG Server, which acts as the SSL bridging device. I will show you how to do this in the second part of this article.


Figure 5: Correct SSL certificate for RD WebAccess
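
The certificate requirements described above can be checked from PowerShell on each server. This is an added example, not part of the original article; it assumes the certificate sits in the local computer's Personal store, compares only the Common Name (as the article does), and checks the trust path without revocation.

```powershell
# Added example. Run in an elevated PowerShell session on each server that must
# hold the certificate (Forefront TMG and the RD Gateway / RD Web Access host).
$PublicName = 'webmail.trainer.de'   # public DNS name used in this article

function Test-PublishingCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedName
    )
    # Common Name = first CN= component of the subject
    $cn = $null
    if ($Certificate.Subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim() }

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1); no EKU extension = any purpose
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = (-not $eku) -or
        (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }).Count -gt 0)

    # Build the trust path against this machine's certificate stores.
    # Revocation is not checked (assumption: lab CA whose CRL may be unreachable).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $now = Get-Date
    New-Object PSObject -Property @{
        Thumbprint    = $Certificate.Thumbprint
        CommonName    = $cn
        NameMatches   = ($cn -eq $ExpectedName)      # CN must equal the public name
        HasPrivateKey = $Certificate.HasPrivateKey   # required for SSL bridging
        InValidity    = ($Certificate.NotBefore -le $now -and $now -le $Certificate.NotAfter)
        ServerAuthEku = $serverAuth
        ChainTrusted  = $trusted                     # issuing CA trusted on this machine
        ChainStatus   = $status                      # empty when the chain is clean
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-PublishingCertificate -Certificate $_ -ExpectedName $PublicName } |
    Select-Object CommonName, NameMatches, HasPrivateKey, InValidity,
                  ServerAuthEku, ChainTrusted, ChainStatus, Thumbprint |
    Format-List
```

A certificate is usable for the publishing scenario only if NameMatches, HasPrivateKey, InValidity, ServerAuthEku and ChainTrusted are all True on both the TMG server and the RD Gateway host, and the thumbprint is the same on both.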

After installation of the RD Gateway service component, you must also select the correct SSL certificate webmail.trainer.de for the RD Gateway service as shown in the following picture.


Figure 6: Correct SSL certificate for the RD Gateway service

Another important part of the configuration is to specify the SSL Bridging settings for the RD Gateway service. For our lab environment we will use SSL Bridging in the form of HTTPS to HTTPS Bridging.


Figure 7: Select SSL Bridging options.

The configuration of the RD Web Access and RD Gateway service components is now finished. In part two of this article series I will show you how to configure secure web server publishing with Forefront TMG to publish RD Web Access to the Internet, and I will also show you how to connect directly to the RD Gateway service with the Remote Desktop client of the Windows 7 machine in our test lab.

Conclusion

In this first article, I gave you an overview of the configuration of Remote Desktop Web Access and the Remote Desktop Gateway Manager. I also showed you the steps required to prepare these features for publishing with Forefront TMG. If you would like a better integration of the Remote Desktop services with portal functionality, I recommend having a look at Microsoft Forefront UAG, which has some nice additional features. In the second part of our short article series, I will show you how to publish the RD Web Access feature over Forefront TMG and how to establish an RD Gateway connection with the Remote Desktop client over the Internet.


The Author — Marc Grote


Marc Grote is an MCSA/MCSE Messaging & Security, MCSE Private Cloud and Server Virtualization, an MCTS/MCITP and a Microsoft Certified Trainer and MCLC. He is a freelance Consultant and IT Trainer in the north of Germany near Hanover. He specializes in System Center, TMG/UAG Server, Exchange, Security for Windows Server 2012 R2 and Windows Server 2012 R2 designs, migrations and implementations. His efforts have earned him recognition as a Microsoft MVP for ISA Server from 2004 until 2014. Starting in 2014 he has been awarded as an MVP for Hyper-V.
