
V1.

Enhance TS Gateway Security with ISA Server 2006 + RSA SecurID
Following the steps in this document will enable you to configure TS Gateway Web
Access with RSA SecurID and will prevent users from bypassing two-factor
authentication by launching MSTSC.exe.

Installing and configuring TS Gateway


 Add required roles to your server:
o Terminal Server
o Select Terminal Services
o TS Web Access
 On the Choose a Server Authentication Certificate for SSL Encryption page,
select the Choose an existing certificate for SSL encryption option. Import
your third party SSL certificate (TSGateway.company.com) in PFX format.
 On the Create Authorization Policies for TS Gateway page, select the Later
option. I will show you how to configure authorization policies in the console.
Click Next.
 Click Next on the Network Policy and Access Services page.
 On the Select Role Services page, confirm that the Network Policy Server
checkbox is checked. Click Next.
 On the Web Server (IIS) page, click Next.
 On the Select Role Services page, accept the default role services selected by
the wizard. These are the services required to run the TS Gateway service. Click
Next.
 Review the information on the Confirm Installation Selections page and click
Install.

Create a connection authorization policy (CAP):


 Open TS Gateway Manager
 In the left pane of the console, click the Connection Authorization Policies
node that lies under the Policies node. In the right pane of the console, click the
arrow to the right of Create New Policy and then click Custom.
 On the General tab, type a name for the policy, and then verify that the Enable
this policy check box is selected.
 On the Requirements tab, under Supported Windows authentication methods,
select the following check box: Password
 Under User group membership (required), click Add Group, and then specify a
user group whose members can connect to the TS Gateway server.

Create a resource authorization policy (RAP):


 Click on the Resource Authorization Policies node in the left pane of the TS
Gateway Manager console. In the right pane of the console, click the arrow
sitting to the right of the Create New Policy link and then click Custom.
 On the General tab, type a name for the policy, and then verify that the Enable
this policy check box is selected.
 On the User Groups tab, click Add to select the user groups to which you want
this TS RAP to apply.
 In the Select Groups dialog box, specify the user group location and name, and
then click OK.
 On the Computer Group tab, specify the computer group that users can connect
to through TS Gateway.
 To allow clients to connect through any port, click Allow connections through any
port.
 Click OK to close the Properties dialog box for the TS RAP.

SSL Bridging

HTTPS-HTTPS bridging. In this configuration, the TS Gateway client initiates an SSL
(HTTPS) request to the SSL bridging device. The SSL bridging device initiates a new
HTTPS request to the TS Gateway server, for maximum security.

HTTPS-HTTP bridging. In this configuration, the TS Gateway client initiates an SSL
(HTTPS) request to the SSL bridging device. The SSL bridging device initiates a new
HTTP request to the TS Gateway server.

This setup uses HTTPS-HTTPS bridging: the ISA publishing rules below connect to the
published server over SSL, so HTTPS-HTTP bridging stays disabled on the TS Gateway
server.

HTTPS-HTTP bridging on the TS Gateway server
 Open TS Gateway Manager.
 In the TS Gateway Manager console tree, right-click the local TS Gateway server,
and then click Properties.
 On the SSL Bridging tab, make sure the Use HTTPS-HTTP bridging check box is
not ticked, and then click OK.

Configuring RemoteApps for TS Web Access


 To configure applications such that they can be launched from the Windows
Server 2008 TS Web Access page they must first be installed onto the TS
Gateway server.
 Applications are configured as RemoteApps using the TS RemoteApp Manager
(Start -> All Programs -> Terminal Services -> TS RemoteApp Manager).

 Begin by clicking on the Add RemoteApp Programs link in the Actions panel
located in the top right hand corner of the TS RemoteApp Manager screen. This
will display the RemoteApp wizard containing a list of currently installed
applications. One or more applications may be selected from the list before
pressing the Next button:
 Select the appropriate application from the list and click the Properties...
button to open the RemoteApp Properties dialog. Within this dialog, make sure
that the RemoteApp program is available through TS Web Access check box is
checked.
 Click OK to close the RemoteApp Properties dialog and then click Next in the
wizard to proceed to the Review Settings screen and click Finish to complete the
configuration.

Configure the digital certificate

 In the Actions pane of TS RemoteApp Manager, click Digital Signature Settings.
(Or, in the Overview pane, next to Digital Signature Settings, click Change.)
 Select the Sign with a digital certificate check box.
 In the Digital certificate details box, click Change.
 In the Select Certificate dialog box, select the certificate
(TSGateway.company.com), and then click OK.
Configure TS Gateway settings

 In the Actions pane of TS RemoteApp Manager, click TS Gateway Settings. (Or, in
the Overview pane, next to TS Gateway Settings, click Change.)
 On the TS Gateway tab, configure the desired TS Gateway behaviour. You can
configure whether to automatically detect TS Gateway server settings, to use TS
Gateway server settings that you specify, or to not use a TS Gateway server.
 Select Use these TS Gateway server settings, and then do the following:
o Configure the TS Gateway server name (TSGateway.company.com) and the
logon method (NTLM).
o Select Use the same user credentials for TS Gateway and Terminal Server.
o Select the Bypass TS Gateway server for local addresses check box.
 When you are finished, click OK.

Important: The server name must match what is specified in the (SSL) certificate
for the TS Gateway server.

Configure terminal server settings

 In the Actions pane of TS RemoteApp Manager, click Terminal Server Settings.
(Or, in the Overview pane, next to Terminal Server Settings, click Change.)
 On the Terminal Server tab, under Connection settings, change the server name
to the fully qualified internal domain name, leave the Remote Desktop Protocol
(RDP) port number as 3389, and tick "Require server authentication settings".
 Untick the "Show a remote desktop connection to this terminal server in TS Web
Access" check box.
 Select Do not allow users to start unlisted programs on initial connection
(recommended).
 When you are finished, click OK.

Common & Custom RDP Settings

 Enter the following under Custom RDP settings:

pre-authentication server address:s:https://TsGateway.company.com/ts
require pre-authentication:i:1

These two settings are what stop a user from bypassing the ISA form logon by
launching MSTSC.exe directly: the signed RDP file makes the client authenticate
to the pre-authentication server (the published /ts directory) before it connects
through TS Gateway.

 See this link for more details: http://technet.microsoft.com/en-us/library/cc731249.aspx
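As an added example (not part of the original document), the following script audits a RemoteApp .rdp file for the pre-authentication, gateway name and signature settings this guide relies on; the setting names are standard RDP-file keys, the gateway name and URL are those used in this guide, and the sample files and signature value are constructed.

```python
# Added example, not from the original document: audit a RemoteApp .rdp file for
# the settings this guide relies on to stop MSTSC.exe bypassing the ISA form logon.
# The setting names are standard RDP-file keys; the sample files are constructed.
import re

GATEWAY_FQDN = "tsgateway.company.com"            # must match the SSL certificate name
PREAUTH_URL = "https://tsgateway.company.com/ts"  # the published /ts directory

# Every .rdp line is "name:type:value"; type s = string, i = integer, b = binary.
_SETTING = re.compile(r"^([^:]+):([sib]):(.*)$")

def parse_rdp(text):
    """Return the settings of an .rdp file as a dict; integer settings become int."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line.strip())
        if m:
            name, kind, value = m.groups()
            settings[name.strip().lower()] = int(value) if kind == "i" else value.strip()
    return settings

def audit_rdp(text):
    """Return a list of findings; an empty list means the file enforces pre-authentication."""
    s = parse_rdp(text)
    findings = []
    if s.get("require pre-authentication") != 1:
        findings.append("require pre-authentication:i:1 missing: MSTSC may connect without the form logon")
    if s.get("pre-authentication server address", "").lower().rstrip("/") != PREAUTH_URL:
        findings.append("pre-authentication server address is not the published /ts directory")
    if s.get("gatewayhostname", "").lower() != GATEWAY_FQDN:
        findings.append("gatewayhostname does not match the certificate name")
    if "signature" not in s or "signscope" not in s:
        findings.append("file is unsigned: the settings above could be edited out before launch")
    return findings

# Constructed sample of a signed RemoteApp file (the signature value is a placeholder).
SIGNED_RDP = """\
full address:s:ts01.corp.company.local
server port:i:3389
gatewayhostname:s:TSGateway.company.com
gatewaycredentialssource:i:0
pre-authentication server address:s:https://TsGateway.company.com/ts
require pre-authentication:i:1
signscope:s:Full Address,Server Port,GatewayHostname,GatewayCredentialsSource
signature:s:AQABAAEAAADEXAMPLE
"""

# Constructed sample: the same file with the pre-authentication lines and signature removed.
TAMPERED_RDP = "\n".join(l for l in SIGNED_RDP.splitlines()
                         if not l.startswith(("pre-authentication", "require pre", "sign")))
```

Running audit_rdp over every .rdp file exported from TS RemoteApp Manager gives a quick check that none of them was published without the two custom settings or without a signature.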

IIS Settings
 On the TS Web server, start Internet Information Services (IIS) Manager.
 In the left pane, expand the server name, expand Sites, expand Default Web
Site, and then click TS.
 In the middle pane, double-click Application Settings.
 To configure the default TS Gateway server, double-click DefaultTSGateway, enter
the fully qualified domain name of the server in the Value box
(TSGateway.company.com), and then click OK.
 To specify the TS Gateway authentication method, double-click
GatewayCredentialsSource, type the number that corresponds to the desired
authentication method in the Value box, and then click OK. The possible values
include:
o 0 = Ask for password (NTLM), matching the NTLM logon method configured above
o 1 = Smart card
o 4 = Allow user to select later

 To configure whether the Remote Desktop tab appears on the TS Web Access
page, double-click ShowDesktops. In the Value box, type true to show the
Remote Desktop tab, or type false to hide the Remote Desktop tab. When you are
finished, click OK.
 To configure default device and resource redirection settings, double-click the
setting that you want to modify (xClipboard, xDriveRedirection, xPnPRedirection,
xPortRedirection, or xPrinterRedirection). In the Value box, type true to enable
the redirection setting by default, or type false to disable the redirection setting
by default, and then click OK.

IIS Authentication settings

Authentication settings for the Default Web Site and the TS, RPCWithCert and RPC
virtual directories:

              Default    TS         RPCWithCert   RPC
Anonymous     Disabled   Disabled   Enabled       Disabled
ASP.NET       Disabled   Disabled   Disabled      Disabled
Basic         Enabled    Disabled   Disabled      Disabled
Forms         Disabled   Disabled   Disabled      Disabled
Windows       Enabled    Enabled    Disabled      Enabled

Modifying Desktops.aspx
 On the TSGateway Server navigate to: C:\Windows\Web\ts\en-US\
 Make a backup of desktops.aspx
 Right-click desktops.aspx and choose Edit
 Search for authentication

 Change and add the following lines to desktops.aspx

 Save desktops.aspx
 This completes the TS Gateway setup.

ISA Server 2006 Setup

 You need two rules, in the following order, to allow TS Gateway Web Access
through ISA Server using RSA SecurID.

Importing GoDaddy SSL Certificate

 Click the Start menu and select Run. Type MMC and press Enter. In the File menu
choose "Add/Remove Snap-in".
 Click Add, then double-click Certificates, choose Computer Account, then Finish.
Click "Close" and then "OK". Expand the Certificates node, then expand the
Personal node beneath it.
 Right-click the Personal folder and select All Tasks > Import.
 Find the .pfx file you saved previously and import the certificate and private key
into the MMC.

ISA Server hosts file

 You will need to add the following entries to the hosts file on the ISA Server.

Disable the HTTPOnly attribute on the ISA Server

 Copy and paste the following script into a text editor such as Notepad. On the ISA
Server, save the file to the C:\ directory as DisableHttpOnlyAuthCookies.vbs.
You can obtain the script from:

http://technet.microsoft.com/en-us/library/cc731249.aspx

 From a command prompt, run the following command from the C:\ directory
(OTP is the name of the Web Listener):

cscript DisableHttpOnlyAuthCookies.vbs /WebListener:OTP /Value:False

 Keep running the script until you see the following output:

HTTP only cookies: True
HTTP only cookies set to False

Note: The HttpOnly attribute is what keeps the ISA authentication cookie out of
reach of client-side script, so apply this change only to the listener that
publishes TS Gateway.


Create a new network

 Enter an appropriate name.
 Choose External network.
 Add a range and enter the external IP address of the ISA server.
 Click Finish.

System Policy Rules

 Make sure system policy rule 24 is enabled for SecurID.


Create a Web Listener

 In the console tree of ISA Server Management, click Firewall Policy.
 On the Toolbox tab, click Network Objects.
 On the toolbar beneath Network Objects, click New, and then click Web
Listener.
 Give the Web Listener a unique name.
 In the next window of the wizard, select Require SSL secured connections with
clients.
 Select IP Addresses... You must specify the Web Listener IP address. If the
request comes from the Internet you must select the External network.
 On the Listener SSL Certificates page, select the certificates that you want
bound to the Web listener. Click the Select Certificate button. In the Select
Certificate dialog box, you'll see a list of certificates that can be used. This
dialog box also provides information about the validity of the certificate,
whether the certificate will expire soon, and more. When you put a checkmark in
the Show only valid certificates check box, you'll only see certificates that are
valid to bind to your Web listener.
 On the Authentication Settings page you have a number of options. Select the
HTML Form Authentication option from the drop down list.
 After the listener is created, make sure the Require all users to authenticate
option isn't selected under Advanced Authentication Options.

Note: Enable the Collect additional delegation credentials in the form option when
using RADIUS OTP or RSA SecurID authentication.

The first rule: TS Gateway TS virtual directory

 To create the Web Publishing Rule, open the ISA firewall console, expand the
array name and click the Firewall Policy node. Click the Tasks tab in the Task
Pane and click Publish Web Sites.
 Enter a name for the rule to publish the TS virtual directory.
 Set the rule action to Allow.
 Select Publish a single Web site or load balancer.
 Select Use SSL to connect to the published Web server or server farm.
 Enter the DNS name of your certificate as the internal site name, with the path
ts/*.
 Enter the DNS name of your certificate as the public name.
 Select the listener you created earlier.
 Select the authentication method NTLM Authentication.
 Allow All Authenticated Users.

The second rule: TS Gateway RPC virtual directory

 To create the Web Publishing Rule, open the ISA firewall console, expand the
array name and click the Firewall Policy node. Click the Tasks tab in the Task
Pane and click Publish Web Sites.
 Enter a name for the rule to publish the RPC virtual directory.
 Select Publish a single Web site or load balancer.
 Select Use SSL to connect to the published Web server or server farm.
 Enter the DNS name of your certificate as the internal site name, with the path
rpc/*.
 Enter the DNS name of your certificate as the public name.
 Select the listener you created earlier.
 Select the authentication method No Delegation, but client may authenticate
directly.
 Allow All Authenticated Users.
 Make sure the Forward original host header option is ticked.
