Test environment:
ISA 2006 on Windows 2003 Server in the DMZ (Proxy1)
Sonicwall firewall with the DMZ and LAN directly connected to an interface. (GW_FW)
Terminal server (RDServer): Remote app server, RD Gateway, 2008 R2
Overview of the connection process:
• Client connects to an HTTPS site over the internet.
• NAT at the firewall directs traffic destined for that address on port 443 to ISA on PROXY1 in the DMZ.
o The ISA listener secures the traffic using SSL.
• ISA creates an HTTPS connection to the Remote Desktop Gateway server (RD Gateway).
o This uses the internal DNS name for the site.
o In our case this is in the LAN.
o Here a certificate from the internal domain CA is appropriate because the ISA server is a member of the same domain and already trusts that Certificate Authority (CA). If ISA were not on a machine in the same domain as the RD Gateway server, you would need to import the CA certificate into the ISA server's trusted root store.
• IIS on the RD Gateway server returns a ‘forms-based’ authentication page.
• The user logs in using the domain\user format.
• A workspace page is returned that lists the RemoteApps the user is allowed to run.
o This is only displayed if the user is using IE and has allowed the ActiveX control to run.
• The user clicks a remote-app icon and the RD client is started.
o The user is prompted for credentials by their local RD client in the format domain\user.
• The remote desktop client connects to the RD Gateway using HTTPS through ISA.
o This is an important distinction:
• The RD Client is launched on the CLIENT machine and makes a new connection to ISA
• ISA brokers the connection to the RD Gateway.
• The settings in the remote-app instruct the RD client to connect to the gateway using public address and then tell the gateway to connect to the INTERNAL address of the Remote-App Server (terminal server).
• The RD Gateway connects to the RD Server using SSL and TCP port 3389.
o In our case this is on the same machine so this traffic is not on the network.
o The same credentials are being passed to the RD Server that were used by the RD Gateway.
Steps taken to complete:
• Assign a public IP address to the RD Gateway process
o Create the address object in GW_FW
• Public IP – remote.publicDNS.com
o Create a DNS entry for remote.publicDNS.com
• Assign a DMZ address to the Proxy server for the RD Gateway process
o Create an address object in GW_FW
• DMZ address
• Create a firewall rule for WAN to DMZ traffic
o Allow WAN to DMZ – TCP 443 from anybody to Public IP
• Create a NAT policy at the firewall to direct traffic.
o From anywhere to Public IP on TCP 443; translate to DMZ IP on TCP 443
• Add the DMZ IP address to PROXY1
o Add to TCP/IP settings on the Network interface Windows 2003
• Get an SSL certificate from public CA for Remote.PublicDNS.com
o Use IIS on another web server to create the request and export the pfx file after completion
o Use the certificates MMC on PROXY1 to import the pfx file into personal certs for the local machine.
• Create the ISA listener that secures the traffic using SSL.
o Only allow HTTPS 443
o All users are allowed
• Necessary because the RD client cannot respond to an authentication prompt from ISA; authentication happens at the RD Gateway instead
o Select the new DMZ IP
o Select the newly imported Cert for remote.PublicDNS.com
• Create an ISA firewall ACL to allow connections from the newly created listener to be directed over HTTPS to RDServer.domain.local
o The connection appears to come from the Proxy Server
o Clear the option ‘send the original address information to the internal site’
o The client can authenticate directly.
• Create a security group in AD for Web R-Proxy RD Gateway_G
• Install the RD Gateway role on RDServer
o Server Manager – Roles – Add new role services
• Install the RD Gateway role
• Configure RD Gateway in RD Gateway Manager
o Under the Properties of the Gateway
• SSL Certificates tab
• Import the certificate for RDServer that is signed by the domain CA
• RD CAP Store tab
• Use Local
• Server Farm
• Add RDServer
• Verify that the status changes to OK
• SSL Bridging
• SSL Bridging checked
• Select HTTPS to HTTPS
o Configure RDCAP and RDRAP policies
• RDCAP specifies Users allowed to use the RD Gateway
• RDRAP specifies network resources that a user is allowed to connect to
• Admin Security group = ALL LAN
• ‘Web R-Proxy RD Gateway_G’= RDServer
• Configure remote app in the RD Remote App Manager
o Remote app Deployment settings
• RD Gateway Tab
• Use these RD Gateway settings:
o Allow users to select logon method
o Use the Same credentials for RD Gateway and RD Session Host
o Bypass the RD Gateway for local addresses
• RD Host settings tab
o Port 3389
o Uncheck ‘Show remote desktop connection to this session host in RD Web Access.’
o Do not allow users to start unlisted programs on initial connection
• Digital Signature tab
o Sign with certificate
o Change – Select RDServer issued by the local CA
• Custom RDP Settings Tab
o Add a line “authentication level:i:0”
• Add a remote app program.
• Browse for the executable to start.
• In the properties of the remote app
o Select the users allowed to launch the remote app.
o If users are not allowed they will not see a shortcut for the app in the web portal.
• Configure IIS
o From the IIS manager
• Expand Sites – Default Web Site – RDWEB virtual directory
• Set Authentication to Anonymous only
• Expand the pages virtual directory under RDWEB
• Set Authentication to Forms Based.
• Edit the application settings
o Create an entry for DefaultTSGateway
• Set the value = remote.PublicDNS.com
• Test using IE and at least XP SP3 from an inside connection and an outside connection.
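As part of the test step it is worth checking the .rdp file that RD RemoteApp Manager hands to the client, since that file is what tells the RD client to go to the public name (the ISA listener) and then asks the gateway for the internal name. The script below is an added example and is not part of the original notes or of any Microsoft tool; it parses the standard `name:type:value` lines of an .rdp file and compares them with the deployment settings described above. The sample file content is constructed, the program name `CalcApp` and the signature value are placeholders, and the hostnames are the page's own. One caveat the check surfaces: the custom setting `authentication level:i:0` added above tells the client to connect without any warning when server authentication fails, so the checker flags it and accepts 1 or 2 as the safer values.

```python
"""Audit a RemoteApp .rdp file against the reverse-proxied RD Gateway design.

Settings used (standard .rdp file keys):
  gatewayhostname          public name the client connects to (the ISA listener)
  full address             internal RD Session Host the gateway connects to
  gatewayusagemethod       1 = always use gateway, 2 = use gateway, bypass for local addresses
  gatewaycredentialssource 4 = allow user to select logon method
  promptcredentialonce     1 = same credentials for RD Gateway and RD Session Host
  authentication level     0 = connect without warning on server auth failure (weak),
                           1 = do not connect, 2 = warn and let the user decide
  signscope / signature    present when the file was signed in the Digital Signature tab
"""
from typing import Dict, List

# Constructed sample of what the deployment settings on this page would produce.
# CalcApp and the signature value are placeholders, not real values.
SAMPLE_RDP = """\
full address:s:RDServer.domain.local
gatewayhostname:s:remote.PublicDNS.com
gatewayusagemethod:i:2
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||CalcApp
authentication level:i:0
signscope:s:Full Address,Gateway Hostname
signature:s:PLACEHOLDER_BASE64_SIGNATURE
"""


def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines into a dict; the value may itself contain ':'."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, _kind, value = line.split(":", 2)
        settings[name.lower()] = value
    return settings


def check_settings(settings: Dict[str, str], public_name: str, internal_host: str) -> List[str]:
    """Return a list of findings; an empty list means the file matches the design."""
    findings: List[str] = []
    if settings.get("gatewayhostname", "").lower() != public_name.lower():
        findings.append("gatewayhostname must be the public name the NAT rule and ISA listener answer for")
    if settings.get("full address", "").lower() != internal_host.lower():
        findings.append("full address must be the internal RD Session Host name reached by the gateway")
    if settings.get("gatewayusagemethod") not in {"1", "2"}:
        findings.append("gatewayusagemethod should be 1 (always) or 2 (bypass for local addresses)")
    if settings.get("promptcredentialonce") != "1":
        findings.append("promptcredentialonce should be 1 so one credential prompt covers gateway and host")
    if settings.get("authentication level") == "0":
        findings.append("authentication level 0 suppresses server-certificate failures; use 1 or 2")
    if "signature" not in settings or "signscope" not in settings:
        findings.append("file is unsigned; sign it with the RDServer certificate so gateway settings are trusted")
    return findings


def audit_rdp(text: str, public_name: str, internal_host: str) -> List[str]:
    """Convenience wrapper: parse then check."""
    return check_settings(parse_rdp(text), public_name, internal_host)


if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_RDP, "remote.PublicDNS.com", "RDServer.domain.local"):
        print("FINDING:", finding)
```

Run it against an exported .rdp file by reading the file into `audit_rdp` with the public DNS name and the internal RD Session Host name for your environment; the sample above produces exactly one finding, the `authentication level:i:0` line, and is clean once that value is changed to 1.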