How to Reverse Proxy RD Gateway server over ISA 2006 to access a remote app over HTTPS

This test environment:

ISA 2006 on Windows 2003 Server in the DMZ (Proxy1)

Sonicwall firewall with the DMZ and LAN directly connected to an interface. (GW_FW)

Terminal server (RDServer): Remote app server, RD Gateway, 2008 R2

Overview of the connection process:

•    Client connects to an HTTPS site over the internet.
o    https://remote.publicDNS.com/rdweb
•    NAT at the firewall directs traffic destined for that address on port 443 to ISA on PROXY1 in the DMZ.
o    The ISA listener secures the traffic using SSL.
•    ISA creates an HTTPS connection to the Remote Desktop Gateway server (RD Gateway).
o    This uses the internal DNS name for the site.
o    In our case this is in the LAN.
o    Here a private SSL certificate is appropriate because the ISA server is a member of the same domain and trusts the Certificate Authority (CA). If ISA were not on a machine in the same domain as the RD Gateway server then you would need to import a certificate for the CA as a trusted CA.
•    IIS on the RD Gateway server returns a ‘forms-based’ authentication page.
•    The user logs in using the domain\user format.
•    There is a workspace page returned that shows the remote-apps allowed to that user.
o    This is only displayed if the user is using IE and has allowed the active X control to run.
•    The user clicks a remote-app icon and the RD client is started.
o    The user is prompted for credentials by their local RD client in the format domain\user.
•    The remote desktop client connects to the RD Gateway using HTTPS through ISA.
o    This is an important distinction:
•    The RD Client is launched on the CLIENT machine and makes a new connection to ISA
•    ISA brokers the connection to the RD Gateway.
•    The settings in the remote-app instruct the RD client to connect to the gateway using public address and then tell the gateway to connect to the INTERNAL address of the Remote-App Server (terminal server).
•    The RD Gateway connects to the RD Server using SSL and TCP port 3389.
o    In our case this is on the same machine so this traffic is not on the network.
o    The same credentials are being passed to the RD Server that were used by the RD Gateway.

Steps taken to complete:

•    Assign a public IP address to the RD Gateway process
o    Create the address object in GW_FW
•    Public IP – remote.publicDNS.com
o    Create a DNS entry for remote.publicDNS.com
•    Assign a DMZ address to the Proxy server for the RD Gateway process
o    Create an address object in GW_FW
•    DMZ address
•    Create a firewall rule for WAN to DMZ traffic
o    Allow WAN to DMZ  –  TCP 443 from anybody to Public IP
•    Create a NAT policy at the firewall to direct traffic.
o    From anywhere to Public IP on TCP 443; translate to DMZ IP on TCP 443
•    Add the DMZ IP address to PROXY1
o    Add to TCP/IP settings on the Network interface Windows 2003
•    Get an SSL certificate from public CA for Remote.PublicDNS.com
o    Use IIS on another web server to create the request and export the pfx file after complete
o    Use the certificates MMC on PROXY1 to import the pfx file into personal certs for the local machine.
•    Create the ISA listener that secures the traffic using SSL.
o    Only allow HTTPS 443
o    All users are allowed
•    Necessary because the RD Client can’t have an authentication prompt
o    Select the new DMZ IP
o    Select the newly imported Cert for remote.PublicDNS.com
•    Create an ISA firewall ACL to allow connections from the newly created listener to be directed over HTTPS to RDServer.domain.local
o    The connection appears to come from the Proxy Server
o    Unselect the bullet for ‘send the original address information to the internal site’
o    The client can authenticate directly.
•    Create a security group in AD for Web R-Proxy RD Gateway_G
•    Install the RD Gateway role on RDServer
o    Server Manager – Roles – Add new role services
•    Install the RD Gateway role
•    Configure RD Gateway in RD Gateway Manager
o    Under the Properties of the Gateway
•    SSL Certificates tab
•    Import the certificate for RDServer that is signed by the domain CA
•    RD CAP Store tab
•    Use Local
•    Server Farm
•    Add RDServer
•    Verify that the status changes to OK
• SSL Bridging
•    SSL Bridging checked
•    Select HTTPS to HTTPS
o    Configure RDCAP and RDRAP policies
•    RDCAP specifies Users allowed to use the RD Gateway

•    RDRAP specifies network resources that a user is allowed to connect to
•    Admin Security group = ALL LAN
•    ‘Web R-Proxy RD Gateway_G’= RDServer
•    Configure remote app in the RD Remote App Manager
o    Remote app Deployment settings
•    RD Gateway Tab
•    Use these RD Gateway settings:
o    Remote.PublicDNS.com
o    Allow users to select logon method
o    Use the Same credentials for RD Gateway and RD Session Host
o    Bypass the RD Gateway for local addresses
•    RD Host settings tab
o    RDServer.domain.local
o    Port 3389
o    Uncheck ‘Show remote desktop connection to this session host in rdweb access.’
o    Do not allow users to start unlisted programs on initial connection
•    Digital Signature tab
o    Sign with certificate
o    Change – Select RDServer issued by the local CA
•    Custom RDP Settings Tab
o    Add a line “authentication level:i:0”
•    Add a remote app program.
•    Browse for the executable to start.
•    In the properties of the remote app
o    Select the users allowed to launch the remote app.
o    If users are not allowed they will not see a shortcut for the app in the web portal.
•    Configure IIS
o    From the IIS manager
•    Expand Sites – Default Web Site – RDWEB  virtual directory
•    Set Authentication to Anonymous only
•    Expand the pages virtual directory under RDWEB
•    Set Authentication to Forms Based.
•    Edit the application settings
o    Create an entry for DefaultTSGateway
•    Set the value = remote.PublicDNS.com
•    Test using IE and at least XP SP3 from an inside connection and an outside connection.

Advertisements

2 Comments

Filed under RD Gateway

2 responses to “How to Reverse Proxy RD Gateway server over ISA 2006 to access a remote app over HTTPS

  1. I’m not sure it’s really clear why I’m excited about this.
    There are 2 parts that are relatively new features in Windows server.
    1.) Remote Apps over rdp.
    2.) RDP over HTTPS

    Remote apps are windows applications running on a user session on a terminal serve. Instead of launching Explorer as the shell the app is launched as the shell. The clever bit is that the rdp client is not showing a traditional rdp window, it is only showing the resulting windows from the terminal server’s session. So launching notepad on a remote app looks just like notepad locally.

    RDP over HTTPS doesn’t seem all that neat but in previous iterations of terminal server or remote desktop from the RD Gateway page (connected over HTTPS) launching the rd client would make a new connection over a new port to the target terminal server. even if you had changed the default rdp port the terminal server had to be listening on a port on a public address. Now you can have an HTTPS site authenticate users and then broker that connection over https to the target terminal server .

  2. Woah this weblog is great i really like reading your posts. Keep up the great paintings! You understand, lots of individuals are searching around for this information, you could help them greatly.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s