Deploying Remote Desktop Gateway Step-by-Step Guide
Microsoft Corporation
Published: April 2009
Updated: May 2011
Abstract
Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway (TS Gateway), in
the Windows Server® 2008 R2 operating system, provides technologies that enable authorized
remote users to connect to resources on an internal corporate or private network, from any
Internet-connected device that can run the Remote Desktop Connection (RDC) client. In this
guide, we will set up an RD Gateway server to use for connecting to a Remote Desktop Session
Host (RD Session Host) server by using a Remote Desktop client computer.
Copyright Information
This document is provided “as-is”. Information and views expressed in this document, including
URL and other Internet Web site references, may change without notice. You bear the risk of
using it.
This document does not provide you with any legal rights to any intellectual property in any
Microsoft product. You may copy and use this document for your internal, reference purposes.
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Server are
trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Contents
Deploying Remote Desktop Gateway Step-by-Step Guide  4
About this guide  4
What this guide does not provide  4
Technology review  5
Scenario: Deploying Remote Desktop Gateway  5
Important
If you have previously configured the computers in the Installing Remote Desktop
Session Host Step-by-Step Guide, you should repeat the steps in that guide with new
installations.
Guidance for setting up a perimeter network or firewall rules. This information can be found in
the RD Gateway deployment in a perimeter network & Firewall rules
(http://go.microsoft.com/fwlink/?LinkId=210571).
Complete technical reference for Remote Desktop Services.
Technology review
RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to help establish a secure,
encrypted connection between remote users on the Internet and the internal network resources
on which their productivity applications run.
To function correctly, RD Gateway requires several role services and features to be installed and
running. When you use Server Manager to install the RD Gateway role service, the following
additional roles, role services, and features are automatically installed and started, if they are not
already installed:
Remote procedure call (RPC) over HTTP Proxy
Web Server (IIS) [Internet Information Services]
IIS must be installed and running for the RPC over HTTP Proxy feature to function.
Network Policy and Access Services
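The dependency list above can be checked from the command line rather than by reading Server Manager. The following is an added example, not part of the guide: it queries the Server Manager feature names for Windows Server 2008 R2 and the Windows services behind them (TSGateway, W3SVC and IAS are the service names for RD Gateway, IIS and Network Policy Server). Run it in an elevated PowerShell session on RDG-SRV after the role service is installed.

```powershell
# Added example (not from the guide): confirm that the components RD Gateway depends on
# are installed and that their services are running on this server.
Import-Module ServerManager

# Server Manager identifiers for the items listed in the technology review.
$required = @(
    'RDS-Gateway',          # Remote Desktop Gateway role service
    'RPC-over-HTTP-Proxy',  # RPC over HTTP Proxy feature
    'Web-Server',           # Web Server (IIS)
    'NPAS'                  # Network Policy and Access Services
)

$missing = Get-WindowsFeature $required | Where-Object { -not $_.Installed }
if ($missing) {
    $names = ($missing | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Not installed: $names"
} else {
    Write-Host "All role services and features required by RD Gateway are installed."
}

# Installed is not the same as running: check the services too.
$services = 'TSGateway', 'W3SVC', 'IAS'
$stopped = Get-Service $services | Where-Object { $_.Status -ne 'Running' }
if ($stopped) {
    $names = ($stopped | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Not running: $names"
} else {
    Write-Host "RD Gateway, IIS and Network Policy Server services are running."
}
```

A stopped W3SVC or IAS is the usual reason a freshly installed gateway accepts TCP connections on 443 but rejects every logon, so the service check is worth keeping alongside the feature check.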
RDG-SRV Windows Server 2008 R2 RD Gateway
The computers form a private network and are connected through a common hub or Layer 2
switch. This step-by-step exercise uses private addresses throughout the test lab configuration.
The private network ID 10.0.0.0/24 is used for the network. The domain controller is named
CONTOSO-DC for the domain named contoso.com. The following figure shows the configuration
of the test environment.
Important
Before you configure your computers with static Internet Protocol (IP) addresses, we
recommend that you first complete Windows product activation while each of your
computers still has Internet connectivity. You should also install any available critical
security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).
Computer name     Operating system          IP settings                    DNS settings
(row truncated)                             Subnet mask: 255.255.255.0
                                            Default gateway: 10.0.0.1
RDSH-SRV          Windows Server 2008 R2    IP address: 10.0.0.2           Preferred: 10.0.0.1
                                            Subnet mask: 255.255.255.0
                                            Default gateway: 10.0.0.1
CONTOSO-CLNT      Windows 7                 IP address: 10.0.0.3           Preferred: 10.0.0.1
                                            Subnet mask: 255.255.255.0
                                            Default gateway: 10.0.0.1
RDG-SRV           Windows Server 2008 R2    IP address: 10.0.0.11          Preferred: 10.0.0.1
                                            Subnet mask: 255.255.255.0
                                            Default gateway: 10.0.0.1
To install Windows Server 2008 R2
1. Start your computer by using the Windows Server 2008 R2 product CD.
2. When prompted for a computer name, type RDG-SRV.
3. Follow the rest of the instructions that appear on your screen to finish the installation.
Next, configure TCP/IP properties so that RDG-SRV has an IPv4 static IP address of 10.0.0.11.
1. Log on to RDG-SRV with the RDG-SRV\Administrator account.
2. Click Start, click Control Panel, click Network and Internet, click Network and
Sharing Center, click Change adapter settings, right-click Local Area Connection,
and then click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
4. Click Use the following IP address. In the IP address box, type 10.0.0.11. In the
Subnet mask box, type 255.255.255.0. In the Default gateway box, type 10.0.0.1.
5. Click Use the following DNS server addresses. In the Preferred DNS server box,
type 10.0.0.1.
6. Click OK, and then close the Local Area Connection Properties dialog box.
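The same static configuration can be applied and verified without the dialog boxes. This is an added example, not part of the guide: it uses netsh (present on Windows Server 2008 R2) to set the addresses from the table, then reads the result back through WMI and checks that the default gateway answers before you go on to join the domain. The adapter name "Local Area Connection" is the guide's; everything else is the table's values.

```powershell
# Added example (not from the guide): static IPv4 and DNS settings for RDG-SRV via netsh,
# followed by a read-back check. Run in an elevated PowerShell session on RDG-SRV.
$adapter = 'Local Area Connection'
$ip      = '10.0.0.11'
$mask    = '255.255.255.0'
$gateway = '10.0.0.1'
$dns     = '10.0.0.1'

# Positional netsh syntax: name, source, address, mask, gateway.
netsh interface ipv4 set address $adapter static $ip $mask $gateway
# Positional: name, source, address, register mode.
netsh interface ipv4 set dnsservers $adapter static $dns primary

# Read the configuration back instead of trusting netsh's exit status.
$cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.IPAddress -contains $ip }

if (-not $cfg) { throw "$ip is not bound to any enabled adapter" }
if ($cfg.DefaultIPGateway -notcontains $gateway) { throw "Default gateway is not $gateway" }
if ($cfg.DNSServerSearchOrder -notcontains $dns) { throw "Preferred DNS server is not $dns" }

# The gateway and the DNS server are the same host here; confirm it is reachable,
# since the domain join in the next step depends on it.
if (Test-Connection -ComputerName $gateway -Count 2 -Quiet) {
    Write-Host "RDG-SRV configured as $ip/$mask, gateway and DNS $gateway reachable."
} else {
    Write-Warning "$gateway does not answer ping; check cabling and the DC before joining the domain."
}
```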
Next, join RDG-SRV to the contoso.com domain.
using the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
RPC over HTTP Proxy
17. Click Install.
18. On the Installation Progress page, installation progress will be noted.
19. On the Installation Results page, confirm that installation for these roles, role
services, and features was successful, and then click Close.
To export the SSL certificate for the RD Gateway server and copy it to the CONTOSO-CLNT
computer
1. On the RD Gateway server, open the Certificates snap-in console. If you have not
already added the Certificates snap-in console, you can do so by doing the following:
a. Click Start, click Run, type mmc and then click OK.
b. On the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click
Certificates, and then click Add.
d. In the Certificates snap-in dialog box, click Computer account, and then click
Next.
e. In the Select Computer dialog box, click Local computer: (the computer this
console is running on), and then click Finish.
f. In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local
Computer), expand Personal, and then click Certificates.
3. Right-click the certificate RDG-SRV.contoso.com, point to All Tasks, and then click
Export.
4. On the Welcome to the Certificate Export Wizard page, click Next.
5. On the Export Private Key page, click No, do not export private key, and then click
Next.
6. On the Export File Format page, ensure that DER encoded binary X.509 (.CER) is
selected, and then click Next.
7. On the File to Export page, in the File name box, click Browse.
8. In the Save As dialog box, in the File name box, enter RDG-SRV, and then click Save.
9. On the File to Export page, click Next.
10. On the Completing the Certificate Export Wizard page, confirm that the correct
certificate is specified, that Export Keys is set to No, and that Include all certificates
in the certification path is set to No, and then click Finish.
11. After the certificate export has successfully completed, a message appears confirming
that the export was successful. Click OK.
12. Close the Certificates snap-in.
13. Copy the RD Gateway server certificate
c:\users\administrator.CONTOSO\Documents\RDG-SRV.cer, to the CONTOSO-CLNT computer.
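The export wizard's choices (no private key, DER-encoded X.509) map directly onto the .NET certificate API. The following is an added example, not part of the guide: it exports the RDG-SRV.contoso.com certificate from the computer's Personal store as a .cer file and prints the thumbprint, which is the value you compare on CONTOSO-CLNT before trusting the file. The subject name is the guide's; the output location under the current user's Documents folder mirrors step 13.

```powershell
# Added example (not from the guide): export the RD Gateway server certificate without its
# private key as DER-encoded X.509 and record its thumbprint. Run on RDG-SRV.
$subject = 'CN=RDG-SRV.contoso.com'
$outFile = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'RDG-SRV.cer'

# The server certificate lives in the computer's Personal store and has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "$subject*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate for $subject with a private key in Cert:\LocalMachine\My" }

# X509ContentType.Cert produces only the public certificate in DER form; the private key
# is never part of this output, which is what "No, do not export private key" selects.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outFile, $der)

# The thumbprint is the SHA-1 hash of exactly these DER bytes, so it identifies the file
# as well as the certificate; carry it to the client by a second channel.
Write-Host "Exported:    $outFile ($($der.Length) bytes)"
Write-Host "Subject:     $($cert.Subject)"
Write-Host "Issuer:      $($cert.Issuer)"
Write-Host "Thumbprint:  $($cert.Thumbprint)"
Write-Host "Valid until: $($cert.NotAfter)"
```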
Note
For single sign-on, no changes are needed on the RD Gateway server. Review
Deploying Remote Desktop Web Access with Remote Desktop Connection Broker
Step-by-Step Guide to implement single sign-on.
You have installed and configured an RD Gateway server. Now you can proceed to Step 3:
Verifying RD Gateway Functionality.
To install the SSL certificate for the RD Gateway server on the CONTOSO-CLNT
computer
1. Log on to CONTOSO-CLNT as CONTOSO\Administrator.
2. Open the Certificates snap-in console by doing the following:
a. Click Start, click Run, type mmc and then click OK.
b. On the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click
Certificates, and then click Add.
d. In the Certificates snap-in dialog box, click Computer account, and then click
Next.
e. In the Select Computer dialog box, click Local computer: (the computer this
console is running on), and then click Finish.
f. In the Add or Remove snap-ins dialog box, click OK.
3. In the Certificates snap-in console, in the console tree, expand Certificates (Local
Computer), and then click Trusted Root Certification Authorities.
4. Right-click the Trusted Root Certification Authorities folder, point to All Tasks, and
then click Import.
5. On the Welcome to the Certificate Import Wizard page, click Next.
6. On the File to Import page, in the File name box, click Browse, and then browse to
the location where you copied the SSL certificate for the RD Gateway server. From the
file type drop-down list, select All Files (*.*). Select the certificate RDG-SRV.cer, click
Open, and then click Next.
7. On the Certificate Store page, accept the default option (Place all certificates in the
following store - Trusted Root Certification Authorities), and then click Next.
8. On the Completing the Certificate Import Wizard page, confirm that the correct
certificate has been selected and that the following certificate settings appear:
Certificate Store Selected by User: Trusted Root Certification Authorities
Content: Certificate
File Name: FilePath\RDG-SRV.cer
9. Click Finish.
10. After the certificate import has successfully completed, a message appears confirming
that the import was successful. Click OK.
11. With Certificates selected in the console tree, in the details pane, verify that the
correct certificate appears in the list of certificates on the CONTOSO-CLNT computer.
12. Log off from the CONTOSO-CLNT computer.
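Placing a certificate in Trusted Root Certification Authorities makes its key a trust anchor for every TLS server name on that computer, so the import is worth gating on the thumbprint read on RDG-SRV. This is an added example, not part of the guide: it refuses to import RDG-SRV.cer unless the thumbprint matches, warns if the certificate is CA-issued (in which case the issuing CA's root, not the server certificate, belongs in this store), and then verifies the result as step 11 does in the MMC. The copy location and the thumbprint value are placeholders you replace.

```powershell
# Added example (not from the guide): import RDG-SRV.cer into the computer's Trusted Root
# store on CONTOSO-CLNT only after its thumbprint matches the value recorded on RDG-SRV.
# Run in an elevated PowerShell session as CONTOSO\Administrator.
$cerPath            = 'C:\Temp\RDG-SRV.cer'          # assumed: where step 13 copied the file
$expectedThumbprint = '<THUMBPRINT-FROM-RDG-SRV>'    # placeholder: paste the server's value

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($cerPath)

# Normalise what was pasted (spaces, case) before comparing.
$expected = ($expectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not importing."
}

# A CA-issued server certificate does not belong in Trusted Root; its issuer's root does.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Certificate is issued by '$($cert.Issuer)'. Trust that CA's root instead of this leaf."
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    if ($store.Certificates.Contains($cert)) {
        Write-Host "Already present in Trusted Root: $($cert.Subject)"
    } else {
        $store.Add($cert)
        Write-Host "Imported into Trusted Root: $($cert.Subject)"
    }
} finally {
    $store.Close()
}

# Same check as step 11: the certificate is now listed on CONTOSO-CLNT.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw "Import reported success but the certificate is not in Cert:\LocalMachine\Root" }
```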
Warning
The publishing and maintenance of the certificate revocation list is an integral
part of the public key infrastructure (PKI), and it is external to RD Gateway. Do
not enable certificate revocation checking on RD Gateway client computers
until you have confirmed that your deployment can support this; otherwise,
even the basic connection to an end resource through the RD Gateway server
will not work. This is the reason why certificate revocation checking is disabled
by default on the RD Gateway client, and the recommendation is to turn it on
as a security best practice only after ensuring that the certificate revocation list
is accessible from the Internet.
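The precondition in the warning can be tested before revocation checking is switched on. The following is an added example, not part of the guide: it reads the CRL Distribution Points extension from the exported server certificate and tries to fetch each HTTP distribution point from the machine it runs on, which is how an Internet-side client would see it. A self-signed certificate such as the one this lab trusts has no such extension, and the function says so instead of reporting success. The file path is an assumption.

```powershell
# Added example (not from the guide): check that every HTTP CRL distribution point in a
# certificate is reachable from this host before enabling revocation checking on clients.
function Test-CrlDistributionPoints {
    param(
        [Parameter(Mandatory = $true)][string]$CerPath,
        [int]$TimeoutMs = 10000
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($CerPath)

    # OID 2.5.29.31 is the CRL Distribution Points extension.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) {
        Write-Warning "No CRL Distribution Points extension in '$($cert.Subject)'; revocation checking cannot succeed for it."
        return @()
    }

    # Format() renders the extension as text; pull the http(s) URLs out of it.
    # LDAP distribution points are ignored because Internet clients cannot reach them.
    $urls = [regex]::Matches($cdp.Format($false), 'https?://[^\s\]\),]+') | ForEach-Object { $_.Value }

    foreach ($url in $urls) {
        $result = New-Object PSObject -Property @{ Url = $url; Reachable = $false; Detail = '' }
        try {
            $req = [System.Net.HttpWebRequest]::Create($url)
            $req.Method  = 'GET'
            $req.Timeout = $TimeoutMs
            $resp = $req.GetResponse()
            $result.Reachable = ($resp.StatusCode -eq 'OK')
            $result.Detail    = "$([int]$resp.StatusCode) $($resp.ContentType), $($resp.ContentLength) bytes"
            $resp.Close()
        } catch {
            $result.Detail = $_.Exception.Message
        }
        $result
    }
}

Test-CrlDistributionPoints -CerPath 'C:\Temp\RDG-SRV.cer' | Format-Table Url, Reachable, Detail -AutoSize
```

The built-in equivalent is `certutil -verify -urlfetch <file>.cer`, which also follows AIA URLs and reports each fetch; the function above is narrower but shows what the client actually needs, namely that the CRL downloads from wherever the clients sit, not just from inside the network where the CRL was published.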
6. Log off the computer.
Logon method: Allow me to select later
Bypass RD Gateway server for local addresses: Clear check box
6. On the General tab, in the Computer box, type rdsh-srv, and then click Connect.
7. In the Windows Security dialog box, type the password for contoso\mskinner, and
then click OK.
8. If the connection is successful, a Windows desktop will appear on the screen for
RDSH-SRV.
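When the connection in step 8 fails, the first thing to establish is whether the client trusts what the gateway presents on port 443. This is an added example, not part of the guide: from CONTOSO-CLNT it opens a TLS session to the gateway, captures the server certificate, and evaluates it against the local store with revocation checking off, which is the RD Gateway client default the warning above describes. The gateway host name is the guide's; the expected thumbprint is a placeholder for the value recorded at export time.

```powershell
# Added example (not from the guide): inspect the certificate the RD Gateway presents on
# its HTTPS listener and decide whether this client would trust it. Run on CONTOSO-CLNT.
function Test-RdGatewayTls {
    param(
        [string]$GatewayHost = 'RDG-SRV.contoso.com',
        [int]$Port = 443,
        [string]$ExpectedThumbprint = ''      # placeholder: value printed on RDG-SRV at export
    )

    $tcp = New-Object System.Net.Sockets.TcpClient($GatewayHost, $Port)
    # Accept any certificate during the handshake so it can be captured; trust is decided below.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($GatewayHost)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }

    # Build the chain the way the RD Gateway client does by default: no revocation check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($remote)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $dnsName = $remote.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

    New-Object PSObject -Property @{
        Gateway           = "$GatewayHost`:$Port"
        Subject           = $remote.Subject
        Thumbprint        = $remote.Thumbprint
        NameMatches       = ($dnsName -eq $GatewayHost)          # name typed must match the certificate
        ChainTrusted      = $chainTrusted                          # false: root missing from Trusted Root, expired, etc.
        ChainStatus       = $status
        ThumbprintMatches = ($expected -ne '' -and $remote.Thumbprint -eq $expected)
        NotAfter          = $remote.NotAfter
    }
}

Test-RdGatewayTls -ExpectedThumbprint '<THUMBPRINT-FROM-RDG-SRV>' | Format-List
```

`NameMatches` is false when the gateway is addressed by its short name or IP while the certificate carries the FQDN, and `ChainTrusted` is false when the import step was skipped or done into the user's store instead of the computer's; both produce the same generic error in Remote Desktop Connection, so separating them here saves time.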
You have deployed RD Gateway on Remote Desktop Services and demonstrated its functionality
with a simple scenario: an authorized remote user connecting to an RD Session Host server
through RD Gateway by using Remote Desktop Connection. You can also use this deployment to
explore additional capabilities of Remote Desktop Services through further configuration and
testing.
Related topics
Step 1: Setting Up the Contoso Domain
Step 2: Installing RD Gateway
Step 3: Verifying RD Gateway Functionality
Deploying Remote Desktop Gateway Step-by-Step Guide (Home)