Monthly Archives: November 2010

How to Reverse Proxy RD Gateway server over ISA 2006 to access a remote app over HTTPS

The test environment:

ISA 2006 on Windows Server 2003 in the DMZ (PROXY1)

Sonicwall firewall with the DMZ and the LAN each directly connected to an interface (GW_FW)

Terminal server (RDServer): RemoteApp server and RD Gateway on Windows Server 2008 R2

Overview of the connection process:

•    The client connects to an HTTPS site over the internet.
•    NAT at the firewall directs traffic destined for that public address on TCP 443 to ISA on PROXY1 in the DMZ.
    o    The ISA listener terminates the client's SSL session using the public certificate.
•    ISA creates a new HTTPS connection to the Remote Desktop Gateway server (RD Gateway).
    o    This uses the internal DNS name of the RD Gateway server.
    o    In our case the RD Gateway is on the LAN.
    o    Here a certificate issued by the internal (domain) CA is appropriate, because the ISA server is a member of the same domain and already trusts that CA. If ISA were not a member of the same domain as the RD Gateway server, you would need to import the CA certificate into the ISA server's trusted root CA store.
•    IIS on the RD Gateway server (RD Web Access) returns a forms-based authentication page.
•    The user logs in using the domain\user format.
•    A workspace page is returned that shows the RemoteApps this user is allowed to run.
    o    It is only displayed if the user is using IE and has allowed the ActiveX control (the RD client control) to run.
•    The user clicks a RemoteApp icon and the RD client is started.
    o    The local RD client prompts the user for credentials, again in the format domain\user.
•    The RD client connects to the RD Gateway using HTTPS through ISA. This is an important distinction:
    o    The RD client is launched on the CLIENT machine and makes a new connection to ISA, separate from the browser session.
    o    ISA brokers that connection to the RD Gateway.
    o    The settings in the RemoteApp (RDP) file instruct the RD client to connect to the gateway using the PUBLIC address, and then tell the gateway to connect to the INTERNAL address of the RemoteApp server (terminal server).
•    The RD Gateway connects to the RD Session Host using RDP on TCP port 3389 (the RDP stream itself can use TLS as its security layer).
    o    In our case this is the same machine, so this traffic never leaves the host.
    o    The RD Gateway passes the same credentials to the RD Session Host that the user supplied to the gateway.
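The RDP file that RemoteApp Manager generates is what carries the public-versus-internal split described above: the client tunnels to the public gateway name, and the gateway resolves the internal session host name. The following is an added example, not code from the original post: a constructed .rdp file in that shape, with the public gateway name rdgw.example.com assumed (RDServer.domain.local is the internal name the post uses), and a PowerShell check of the settings a user receiving such a file should care about. The keys are the documented .rdp settings; the sample is unsigned, which the check reports.

```powershell
# Added example (not from the original post). Constructed RemoteApp .rdp file in the
# shape RemoteApp Manager / RD Web Access produce for this setup, plus a check of its
# security-relevant settings. Host names are assumptions:
#   rdgw.example.com      = public name on the ISA listener certificate (assumed)
#   RDServer.domain.local = internal session host name from the post

$SampleRdp = @"
full address:s:RDServer.domain.local
server port:i:3389
gatewayhostname:s:rdgw.example.com
gatewayusagemethod:i:2
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||notepad
remoteapplicationname:s:Notepad
alternate shell:s:rdpinit.exe
authentication level:i:0
"@

# Parse "key:type:value" lines (type is s for string, i for integer) into a hashtable.
function ConvertFrom-RdpFile {
    param([string]$Content)
    $settings = @{}
    foreach ($line in $Content -split "`r?`n") {
        if ($line -match '^([^:]+):([si]):(.*)$') {
            $settings[$matches[1].ToLower()] = $matches[3].Trim()
        }
    }
    return $settings
}

# Return a list of findings; an empty list means the file matches the expected deployment.
function Test-RemoteAppRdp {
    param(
        [string]$Content,
        [string]$PublicGateway,    # name the client must tunnel through (on the public cert)
        [string]$InternalSuffix    # DNS suffix the session host name must end with
    )
    $s = ConvertFrom-RdpFile $Content
    $findings = @()

    # The client must reach the gateway through the proxied public name, never a LAN name.
    if ($s['gatewayhostname'] -ne $PublicGateway) {
        $findings += "gatewayhostname is '$($s['gatewayhostname'])', expected '$PublicGateway'"
    }
    # 2 = use the gateway except for local addresses ('Bypass RD Gateway for local addresses').
    if ($s['gatewayusagemethod'] -ne '2') {
        $findings += "gatewayusagemethod is $($s['gatewayusagemethod']), expected 2"
    }
    # 4 = let the user choose the logon method; promptcredentialonce 1 = same credentials
    # for the gateway and the session host.
    if ($s['gatewaycredentialssource'] -ne '4') {
        $findings += "gatewaycredentialssource is $($s['gatewaycredentialssource']), expected 4"
    }
    if ($s['promptcredentialonce'] -ne '1') {
        $findings += "promptcredentialonce is $($s['promptcredentialonce']), expected 1"
    }
    # The gateway, not the client, resolves the session host, so this stays the INTERNAL name.
    if (-not $s['full address'].ToLower().EndsWith($InternalSuffix.ToLower())) {
        $findings += "full address '$($s['full address'])' is not under $InternalSuffix"
    }
    # authentication level 0 suppresses the server-identity warning; flag it so it is a conscious choice.
    if ($s['authentication level'] -eq '0') {
        $findings += "authentication level 0: client will not warn if the session host identity cannot be verified"
    }
    # An unsigned file can be edited to point users (and their credentials) at another gateway.
    if (-not $s.ContainsKey('signature')) {
        $findings += "file is not signed (no signscope/signature lines)"
    }
    return $findings
}

Test-RemoteAppRdp -Content $SampleRdp -PublicGateway 'rdgw.example.com' -InternalSuffix '.domain.local'
```

Run against the constructed sample, the check reports two findings: the authentication level of 0 and the missing signature. Run it against a file actually downloaded from the portal and the signature finding should disappear, while any change to gatewayhostname or full address shows up immediately.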

Steps taken to complete:

•    Assign a public IP address to the published RD Gateway
    o    Create the address object in GW_FW
        •    Public IP –
    o    Create a DNS entry for
•    Assign a DMZ address on the proxy server to the published RD Gateway
    o    Create an address object in GW_FW
        •    DMZ address
•    Create a firewall rule for WAN to DMZ traffic
    o    Allow WAN to DMZ – TCP 443 from anybody to Public IP (nothing else is exposed)
•    Create a NAT policy at the firewall to direct traffic
    o    From anywhere to Public IP on TCP 443; translate to DMZ IP on TCP 443
•    Add the DMZ IP address to PROXY1
    o    Add it to the TCP/IP settings of the network interface in Windows 2003
•    Get an SSL certificate from a public CA for
    o    Use IIS on another web server to create the request, and export the .pfx file (certificate plus private key) once the certificate has been issued
    o    Use the Certificates MMC on PROXY1 to import the .pfx file into the Personal store of the local machine (the listener needs the private key there)
•    Create the ISA listener that secures the traffic using SSL
    o    Only allow HTTPS on 443
    o    All users are allowed (no ISA pre-authentication)
        •    Necessary because the RD client cannot answer an authentication prompt from ISA; authentication is done by the RD Gateway and the session host instead
    o    Select the new DMZ IP
    o    Select the newly imported certificate for
•    Create an ISA web publishing rule that allows connections arriving on the new listener to be forwarded over HTTPS to RDServer.domain.local
    o    The connection appears to come from the proxy server
    o    Unselect the option for ‘send the original address information to the internal site’
    o    The client authenticates directly with the RD Gateway, not with ISA
•    Create a security group in AD: Web R-Proxy RD Gateway_G
•    Install the RD Gateway role service on RDServer
    o    Server Manager – Roles – Add role services
        •    Install the RD Gateway role service
•    Configure RD Gateway in RD Gateway Manager
    o    Under the Properties of the gateway server
        •    SSL Certificate tab
            o    Import the certificate for RDServer that is signed by the domain CA (this is the certificate ISA sees on the back-end connection)
        •    RD CAP Store tab
            o    Use the local NPS server
        •    Server Farm tab
            o    Add RDServer
            o    Verify that the status changes to OK
        •    SSL Bridging tab
            o    Check SSL bridging (required when an SSL-terminating proxy such as ISA sits in front of the gateway)
            o    Select HTTPS to HTTPS, because ISA opens its own HTTPS connection to the gateway
    o    Configure the RD CAP and RD RAP policies
        •    The RD CAP specifies which users are allowed to use the RD Gateway
        •    The RD RAP specifies which network resources a user is allowed to connect to through the gateway
            o    Admin security group = ALL LAN
            o    ‘Web R-Proxy RD Gateway_G’ = RDServer only
•    Configure the RemoteApp in RemoteApp Manager
    o    RemoteApp Deployment Settings
        •    RD Gateway tab
            o    Use these RD Gateway server settings:
                •    Allow users to select logon method
                •    Use the same credentials for RD Gateway and RD Session Host
                •    Bypass the RD Gateway for local addresses
        •    RD Session Host settings tab
            o    RDServer.domain.local
            o    Port 3389
            o    Uncheck ‘Show a remote desktop connection to this RD Session Host server in RD Web Access’
            o    Do not allow users to start unlisted programs on initial connection
        •    Digital Signature tab
            o    Sign with a digital certificate
            o    Change – select the RDServer certificate issued by the local CA
        •    Custom RDP Settings tab
            o    Add the line “authentication level:i:0”
            o    Caveat: level 0 tells the RD client to connect without warning when it cannot verify the server's identity. It is needed here because the external client does not trust the domain CA that issued the session host's certificate, but it also removes that check entirely. The stricter alternative is to distribute the domain CA certificate to the clients and use level 2 (warn) or 1 (refuse). Either way, the signature above is what stops a modified RDP file from redirecting users and their credentials elsewhere.
    o    Add a RemoteApp program
        •    Browse for the executable to start
    o    In the properties of the RemoteApp
        •    Select the users allowed to launch it
        •    Users who are not allowed will not see a shortcut for the app in the web portal (user assignment only controls what RD Web Access shows; the RD CAP and RD RAP are what enforce access through the gateway)
•    Configure IIS
    o    From IIS Manager
        •    Expand Sites – Default Web Site – RDWeb virtual directory
            o    Set Authentication to Anonymous only
        •    Expand the Pages virtual directory under RDWeb
            o    Set Authentication to Forms Authentication
            o    Edit the Application Settings
                •    Create an entry for DefaultTSGateway (the RD Gateway server name that RD Web Access gives to clients; it must be the public name the client can reach through ISA, not the internal name)
                •    Set the value =
•    Test using IE on a client running at least XP SP3 (which includes Remote Desktop Connection 6.1, the minimum client for RD Gateway and RemoteApp), from an inside connection and from an outside connection.
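The inside/outside test above can be done without a browser. The following is an added example, not code from the original post: a PowerShell script that connects to the public name, reports which certificate the ISA listener presents (the public one, not the domain CA certificate meant for the back-end hop), and probes the two HTTPS paths the clients use through ISA. The public name rdgw.example.com is an assumption; the paths are the RD Web Access logon page and the RPC-over-HTTPS endpoint that the 2008 R2 RD client uses to reach RD Gateway.

```powershell
# Added example (not from the original post): end-to-end check of the published path from a
# client outside (or inside) the firewall. It connects to the public name, shows which
# certificate the ISA listener presents, and probes the two HTTPS paths the clients use:
#   /RDWeb/Pages/     -> the forms logon page served by RD Web Access
#   /rpc/rpcproxy.dll -> the RPC-over-HTTPS endpoint the RD client uses for RD Gateway (2008 R2)
# The public name is an assumption; replace it with the name on the listener certificate.

param([string]$PublicName = 'rdgw.example.com')   # assumed public name

# Fetch the certificate without failing the handshake on trust errors, so a wrong
# (e.g. internal-CA) certificate on the listener is reported instead of hidden.
function Get-ListenerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

# Return the HTTP status code for a URL, treating 401/403/404 as answers rather than errors.
function Get-HttpStatus {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response -eq $null) { throw }
        $code = [int]$_.Exception.Response.StatusCode
    }
    return $code
}

$cert = Get-ListenerCertificate -HostName $PublicName
"Listener certificate: $($cert.Subject)"
"  issued by:          $($cert.Issuer)"
"  valid until:        $($cert.NotAfter)"
if ($cert.Subject -notmatch [regex]::Escape($PublicName)) {
    Write-Warning "Subject does not contain $PublicName; RD clients will refuse this gateway name"
}
if (-not $cert.Verify()) {
    Write-Warning "Certificate chain does not verify on this client (wrong certificate on the listener, or an internal CA the client does not trust)"
}

# The certificate has already been inspected above; do not let a trust failure mask a
# publishing-rule problem while probing the paths.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = `
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

# Both paths must be reachable through ISA. Expect 200 (or a redirect) for the logon page and
# 401 for the RPC proxy, which demands Windows authentication; 404 or a connection failure
# means the publishing rule does not cover that path.
foreach ($path in '/RDWeb/Pages/', '/rpc/rpcproxy.dll') {
    $code = Get-HttpStatus "https://$PublicName$path"
    "{0,-20} HTTP {1}" -f $path, $code
}
```

Run it once from the LAN and once from outside. From outside, a certificate warning points at the listener (the public certificate was not imported or not selected), a 404 on /rpc/rpcproxy.dll points at the ISA publishing rule path set, and a 401 there is the expected result since the RD client authenticates to that endpoint itself.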



Filed under RD Gateway