Part three of my weekend project involves a little more reconfiguration of my ISA 2006 Server to allow TS Web access the Terminal Services virtual machine running under Hyper-V beta. There are two rules I need to create on the ISA server to achieve this, using a very similar process to the rules I blogged about a couple of years when publishing Exchange through ISA. Essentially I’m going to configure one rule to bounce users to a Forms Based Authentication (FBA) subnet listener where user authentication is made, and another rule to forwards authenticated user traffic from the FBA subnet to the Terminal Server machine itself.
(Yes, I realize I’m probably using all the wrong terminology here, and some ISA guru is bound to correct me!)
This is what the rules like in the ISA 2006 management console.
I won’t go into all the details of how this is configured in detail – please refer back to previous blog posts and blogcasts where there is a lot of detailed information. Just replace “Exchange” with “TS” and you’re largely there. A few points to note though:
The above allows me to go to an external path of https://externaldomainname.com/ts to access Terminal Server Web. However, before that, you also need to allow Windows Authentication in IIS on the Terminal Services virtual machine. To do this, start Internet Information Services (IIS) Manager, click on the local machine and choose the authentication option. Right click on Windows Authentication, and enable it.
So with that all done, let’s give it a go. Start up your browser and point it to https://externaldomainname/ts. With a bit of customization I’ve made to the front end Forms Based Authentication screens you see below, you get a logon dialog. Here, I’m going to authenticate as myself.
Currently, there are no remote applications, so the list is empty. In the next and last part, I’ll fix that and add the Hyper-V management programs to the list.
Note also that there is a remote desktop tab which allows another way of accessing remote desktops without having to configure the mstsc client directly.
Just for kicks, let’s logon to the TS Gateway machine using TS Web Access this time where you can see I still have IIS admin open after setting the authentication methods.
So we’re nearly there. The last thing to do is to add the Hyper-V management tools to TS Web Access to allow me to control my Virtual Machines remotely over the Internet. Part 4 soon!
PingBack from http://www.leadfollowmove.com/archives/virtualisation/jhoward-hyper-v-and-terminal-services-stuff
Sorry for the dearth of posts - I have been rather busy lately.  As such I thought I would quickly
Thank you for the nice tutorials on setting up Hyper-V. I was wondering if you knew of any RDP client for linux that will make use of the HTTPS web based TS Gateway feature?
I read somewhere that there's an API available and some licensing stuff for "other OS" developers but I havn't seen anything yet. I know the Mac client has support for TS Gateway but I have yet to find a linux client with it.
Thomas - can you drop me an email (email link at the top left)
John, I’m trying to get ISA2006 (SP2) to use FBA in accessing TS web access to launch RDP as a RemoteApp. Your article doing just that was great, but my missing piece was the articles you mention about creating the 2 ISA rules. I searched the blogs and found them (Part-25 right?). But I can’t access them. When I click on “Read more” I get “page not found”. I tried accessing thru the archives but same problem. Can you tell me where I can them?
John, can you shed some light on how to create the forms based authentication you've shown on this page? Hopefully without using ISA?
Cenders - unfortunately not.... I am using ISA for FBA and have customised them for my domain.
Has there been any further news on an RDP client for linux that will make use of the HTTPS web based TS Gateway feature?
pgoodfellow - not to my knowledge. Sorry. But a quick Internet search for "RDP Client for Linux" showed there are some products out there. I have no experience attempting to use any of them though.