Client Side Configuration to access remote TS Server via TS Gateway
The Windows Vista Remote Desktop Connection client has a new option under the Advanced tab: "Connect from anywhere".
If you click the Settings button, it lets you specify the TS Gateway server:
The server name that you type here must resolve to the public IP address on your firewall, and it must match the name on the certificate installed on the TS Gateway.
And finally, what name are you going to specify for the target server that you are actually trying to access? It might be confusing at first, but the IP must be the actual IP of the target server, and it must be accessible from the TS Gateway server. You are not connecting to this IP directly; the TS Gateway server connects to it. So we put in the actual private IP of my Domain Controller; it will look like this:
OK, but what if I have Windows XP and not Vista? If you open Remote Desktop Connection and look under the Advanced tab, you won't see the "Connect from anywhere" configuration button. No problem: just go to the Windows Update site, and under optional updates you'll find a new version of the Remote Desktop Connection client. Just install it and you are in business.
Configuration of the Terminal Services Gateway is fairly straightforward. The following diagram shows the simplified configuration of how I configured it to get access to my home lab.
Windows 2008 provides wizards for all of its different components, and the configuration of Terminal Services Gateway is probably the easiest in the entire solution. The greatest difficulty most people will encounter is acquiring an SSL certificate for TS Gateway. You have a few choices here:
1. Get this certificate from one of the commercial CAs.
2. Implement your own PKI (like in my lab)
3. TS Gateway can issue a self-signed certificate. This is usually used only for testing.
Another challenge is to provide name resolution to the public IP address assigned to your router by your Internet service provider. Usually this IP is assigned via DHCP, and unless you pay extra money to have a static IP it can change. In my experience, if you keep your router powered on 24/7 the IP address doesn't change very frequently. So use one of the many free Dynamic DNS services to keep the DNS name up to date with the current IP address, or just update it manually if you find that the IP has changed.
The key point here is that the name on the certificate you install on the TS Gateway must match the FQDN assigned to the public IP address on your router.
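Both conditions (the FQDN still resolves to the router's current public IP, and the certificate carries that same FQDN) can be checked before you leave the house. The Python below is an added example, not part of the original post; the host names and addresses are constructed samples, and public_ip is assumed to be the WAN address you read from the router's status page.

```python
import ipaddress
import socket
import ssl


def name_matches(cert_name, fqdn):
    """True if one certificate name covers the name typed into the client.
    Case-insensitive; '*' is accepted only as the entire left-most label."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = fqdn.lower().rstrip(".").split(".")
    if len(pattern) != len(host):
        return False
    if pattern[0] == "*" and len(pattern) > 2:
        pattern, host = pattern[1:], host[1:]
    return pattern == host


def preflight(fqdn, cert_names, resolved_ips, public_ip):
    """Return a list of problems; an empty list means the name is usable."""
    problems = []
    if not any(name_matches(n, fqdn) for n in cert_names):
        problems.append(f"certificate names {sorted(cert_names)} do not cover {fqdn}")
    want = ipaddress.ip_address(public_ip)
    if want not in {ipaddress.ip_address(a) for a in resolved_ips}:
        problems.append(f"{fqdn} resolves to {sorted(resolved_ips)}, not {public_ip}")
    return problems


def live_inputs(fqdn, cafile=None, port=443):
    """Collect (cert_names, resolved_ips) from the network. The chain is still
    validated (pass cafile for a private CA); only the name check is deferred
    to preflight() so the names can be reported instead of a bare failure."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((fqdn, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    # Older certificates may carry the host name only in the subject CN.
    names |= {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    ips = {info[4][0] for info in socket.getaddrinfo(fqdn, port, proto=socket.IPPROTO_TCP)}
    return names, ips


if __name__ == "__main__":
    # Constructed sample: the router's lease changed and the DNS record is stale.
    for line in preflight("tsg.example.net", {"tsg.example.net"},
                          {"203.0.113.10"}, "203.0.113.57"):
        print("PROBLEM:", line)
```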
Next time we’ll talk about how to configure TS Gateway server.
One of the new exciting technologies that will be shipped with Windows 2008 Server is the Terminal Services Gateway. It is exciting not just because it will be used by many companies but because it can be used by many other technologists and make our life a little easier and more exciting.
I like to test new technologies, and for my work I sometimes have to test or show different new and old products. I have 2 laptops: one is for my general day-to-day work, with a bunch of productivity applications and all the required corporate tools, and it runs Windows Vista. The second laptop is running Windows XP Pro with Windows Virtual Server 2005 R2 SP1. It acts as the host platform to run different virtual guest systems - DC, CA, ILM, SQL, etc. I used to carry both laptops on my trips because I needed access to my virtual environment to test certain things or learn a new product. As you can imagine, carrying 2 laptops is not fun: it is heavy, it is a pain to go through the security checks at the airports, and it requires extra space at any table...
So I've been looking forward to a solution that will allow me to keep my virtual network back at my house and have full secure access to it from any network that I have to be on - it is usually 90% of the time at my client, or on my BlackJack 3G Cingular network.
Of course I could always leave my virtual network back at my house and configure my Linksys router to pass port 3389 to one of the systems. What is the problem with such a solution? None of the corporate firewalls allow outbound port 3389. So I could not connect to my home-based virtual network via a normal TS session.
So thankfully now we have a solution for this type of problem - use the Windows 2008 Terminal Services Gateway. It works over SSL port 443. Is that port open on corporate firewalls? You betcha it is. Now you can connect to your home network from any location via the normal SSL port.
Next time I’ll write how I configured Windows 2008 Server Terminal Services gateway to get into my home network virtually from any location.