How to publish RD Web & Gateway (2008 r2) on ISA 2006, and still have time to watch The Big Bang Theory!
So I was asked the question: how do you publish the new Windows Server 2008 and 2008 R2 editions of Terminal Server, including the RD Web and RD Gateway (GW) services, and on top of that still use ISA 2006 for authentication with Forms Based Authentication (needed in this case for RSA keys)? Sounds easy enough, right? Wrong!
Well, once you get your head wrapped around the limitations, which of course are always hard to find documentation on, it is easy enough. Basically the RD Web service is easy to get working; a simple next, next, next will get you there with little trouble. (The RD Gateway, on the other hand…)
Configure an ISA 2006 rule with the relevant web listener (or an existing one if appropriate), allow the /rdweb/* paths, use FBA authentication, use NTLM delegation of authentication to the internal web server, configure the web server (RD Web) to use NTLM, install the relevant SSL certificates on ISA and the web server, and presto, it works! It even works with SSO if needed, and the user is only prompted by the ISA forms and not a second time by the RD Web site.
So far so good! A small hint before we go on: if you want to add connections to other Terminal Servers in the RD Web site, just create your RDP files, sign them using the server's SSL certificate and place them in the relevant folder on your RD Web site. Then the tricky part: you need to add the name of the RDP file in a registry key on the RD Web server. Then it all works. If you would like more info on this, leave a comment and I might just write some more details on it.
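The signing step from the hint above, as an added PowerShell example that is not part of the original post. It assumes the RD Web server's SSL certificate sits in the machine's personal store, that rdpsign.exe (shipped with Windows Server 2008) is on the PATH, and that the folder and certificate subject are placeholders you replace with your own. The registry key the post mentions is not named there, so it is deliberately left out of the script rather than guessed at.

```powershell
# Added example (not from the original post): sign custom .rdp files for the
# RD Web site with the server's SSL certificate, as the hint above describes.
# Assumptions: certificate in Cert:\LocalMachine\My, rdpsign.exe on the PATH.
# $CertSubject and $RdpFolder are placeholders for your own environment.

$CertSubject = 'CN=login.domain.dk'   # subject of the RD Web SSL certificate (placeholder)
$RdpFolder   = 'C:\RdpFiles'          # folder holding the .rdp files to sign (placeholder)

# Select the certificate by subject; rdpsign.exe identifies it by SHA-1 thumbprint.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) {
    throw "No certificate with subject '$CertSubject' and a private key in LocalMachine\My"
}

# Sign every .rdp file in place; rdpsign.exe returns a non-zero exit code on failure.
foreach ($rdp in Get-ChildItem -Path $RdpFolder -Filter *.rdp) {
    & rdpsign.exe /sha1 $cert.Thumbprint $rdp.FullName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Signing failed for $($rdp.Name) (exit code $LASTEXITCODE)"
    } else {
        Write-Output "Signed $($rdp.Name) with thumbprint $($cert.Thumbprint)"
    }
}

# The post also says the file name must be added to a registry key on the RD Web
# server; that key is not named in the post, so it is not scripted here.
```

Run it on the RD Web server itself, after the .rdp files are in place, so the signature is made with the same certificate the clients already trust for the site; a file signed with a different certificate shows the client a warning instead of a seamless connection.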
Now the RD Gateway server. I was expecting I could just add it to the same listener, use the same authentication, use SSO to avoid getting a second login prompt, and then presto? Wrong!
The RD GW server is basically just an RPC proxy that translates the client's RDP-over-RPC-over-HTTPS connection into an RDP connection to the internal RDP server, so theoretically it should be easy to add some type of authentication to the web part of the connection. Unfortunately that is not possible: any type of ISA authentication on the RPC/HTTPS stream will kill the connection. Personally I tried every combination I could imagine, including FBA/HTTP authentication, Basic, Integrated, Digest, delegation, no delegation, etc. The client will either complain that the terminal gateway server is unfortunately unavailable at the moment or, even worse, just repeat the login prompt continuously forever.
So after extensive research (Google is my friend!), I came to the conclusion that all of the TechNet pages, MS blogs, various articles and MS scripts regarding ISA 2006 and Terminal Server Gateway services for Windows Server 2008 (R2), which always mentioned recommended and supported configurations, used no authentication on the ISA 2006 server and instead let the client authenticate directly on the RD Gateway server. At first I found this weird. I even found an article by an ISA MVP describing how to set up the rule with Basic authentication. Cool! Finally I had found a way. But no: after some testing and further examination of the blog article, I noticed that after all of that authentication configuration he set users to "All Users". Even if it looks safe with Basic authentication over SSL, that little setting at the end meant ISA was never authenticating anything.
So I have come to the final conclusion that Microsoft designed it like this. The user connects to the RD Web site through ISA and can authenticate either on the ISA or on the actual RD Web site; the RD Web site is located in the DMZ, so no hard feelings there. Secondly, the user is directed to an RD Gateway server through an RDP-initiated RPC/HTTPS connection. The RD GW server is also located in the DMZ, so they use that for the authentication and never needed the ISA server to authenticate. Only when the RD GW server has allowed the connection does it open an RDP connection to the internal server and network.
In this setup, the client is never allowed further than the DMZ. The only ones making any connections to the internal network are the servers in the DMZ.
Enough with the ramblings. Basically it means that anyone using SSO on the ISA server (it should be possible to do full SSO on 2008 R2 by using only the authentication on the RD Web and RD Gateway servers) will need to allow external unauthenticated connections through the ISA server to the RD Gateway server. In itself this should not be a problem; however, if, as in this case, you use RSA keys to authenticate on the ISA server, you no longer have the option of closing the RD GW to outside connections without RSA keys (a client can open RDP themselves and manually connect to the GW directly without using the RD Web site).
So my setup requires one listener for the login.domain.dk website, using FBA authentication with NTLM delegation to the RD Web site, and a second listener for the gw.domain.dk website on the RD GW server, using no authentication, with delegation set to None but "client may authenticate directly". Don't forget to set up SSL certificates! Personally I would recommend a GlobalSign Domain Validated SAN certificate with the two FQDNs in it (that way you have a licence for 3 servers included in the price).
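A way to check from the outside that the two listeners behave as described, as an added PowerShell example that is not from the original post. The two hostnames come from the post; the paths (/rdweb/ for RD Web, /rpc/rpcproxy.dll for the RPC-over-HTTPS endpoint the RD Gateway uses) and the ISA forms redirect to CookieAuth.dll are assumptions about the standard products, not something the post states. The expected picture is that the login name answers with the ISA logon form, while the gateway name passes the 401 challenge straight through from the RD GW; a CookieAuth redirect on the gateway name is exactly the misconfiguration that breaks the RPC/HTTPS stream.

```powershell
# Added example (not from the original post): probe both published names and
# report whether ISA or the back-end server is doing the authentication.
# Assumptions: login.domain.dk / gw.domain.dk from the post; /rdweb/ and
# /rpc/rpcproxy.dll as the standard RD Web and RPC proxy paths; ISA 2006 FBA
# redirecting to CookieAuth.dll. Uses HttpWebRequest so it runs on PowerShell 2.0.

function Get-PublishedResponse {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false          # keep the redirect visible instead of following it
    $req.UserAgent = 'listener-check/1.0'
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }  # no HTTP answer at all (DNS, TCP, TLS)
        $resp = $_.Exception.Response             # 401/403 etc. arrive as exceptions
    }
    $result = New-Object PSObject -Property @{
        Url      = $Url
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers['Location']
        WwwAuth  = $resp.Headers['WWW-Authenticate']
    }
    $resp.Close()
    return $result
}

$rdweb = Get-PublishedResponse 'https://login.domain.dk/rdweb/'
$gw    = Get-PublishedResponse 'https://gw.domain.dk/rpc/rpcproxy.dll'

# RD Web listener: ISA forms-based authentication should answer with its logon form.
if ($rdweb.Status -eq 302 -and $rdweb.Location -like '*CookieAuth.dll*') {
    'RD Web: ISA forms-based authentication is in front (expected)'
} else {
    "RD Web: unexpected answer $($rdweb.Status); check the listener's FBA setting"
}

# RD Gateway listener: no ISA authentication, so the 401 challenge must come from the RD GW.
if ($gw.Status -eq 401 -and $gw.WwwAuth) {
    "RD Gateway: challenge '$($gw.WwwAuth)' passed through from the RD GW (expected)"
} elseif ($gw.Location -like '*CookieAuth.dll*') {
    'RD Gateway: ISA is redirecting to its logon form; the RPC/HTTPS stream will break'
} else {
    "RD Gateway: unexpected answer $($gw.Status)"
}
```

Run it from a machine on the outside of ISA, since from the inside you would hit the servers directly and learn nothing about the listeners. The check is deliberately unauthenticated: it only looks at who issues the first challenge, which is the property the post's two-listener design depends on.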
I have attached a visio design draft of my setup.
Feel free to comment, snipe, steal, link or add information if You have it!
Hi mate
This has been driving me up the wall. I am trying to RSA authenticate using the public-facing ISA server with forms, then pass through to the RDWeb server (which is on my domain, not in the DMZ). I get through to the RDWeb server but then cannot connect through to the terminal servers on our network due to the 'gateway is unavailable' message. Could you explain adding the RDP file to a reg edit?
Hi Ryan,
I do not think the registry and editing of the RDP is what you're looking for. And I can't remember the location; I might take a look on a server if that is really what you need?
How are you authenticating and delegating authentication on your ISA to your remote desktop gateway servers? That would be the obvious place to get such an error.