RD Gateway
The Remote Desktop Gateway
(RD Gateway) role service allows users to access network resources
(like RD Session Host servers, RD Session Host servers running RemoteApp
programs, RD Virtualization Host–based virtual machines, or computers
with Remote Desktop enabled) that are located behind firewalls in a
private network from any Internet-based client (or internally based
clients if TCP 3389 is an internally restricted port). To do this, the
RD Gateway employs something that is called an SSL relay (also known as
an SSL VPN). In short, an SSL relay allows clients to connect to
internal resources over a secure, encrypted HTTPS connection. In this
case, the traffic that is being passed through the SSL relay is just RDP
(TCP 3389).
Note
RD Gateway must be installed on
Windows Server 2008 R2 servers, but it can perform SSL relay for both
Windows Server 2008 R2 RD Session Host servers and Windows Server
2008/2003 Terminal Servers.
RD Gateway was first
introduced in Windows Server 2008 as the TS Gateway. The reason
Microsoft has included this feature in Windows Server 2008 was because
security measures were typically put into
place to block traffic such as RDP (TCP 3389). In other words, IT
security departments typically blocked RDP or were reluctant to open
ports on their firewalls for it. Microsoft took a card from networking
companies and built an SSL VPN solution into their Remote Desktop
Services offerings. The result of this effort is the RD Gateway, which
allows users to gain access to the services that are provided by Remote
Desktop Services, regardless of their location.
As hinted previously, the
RD Gateway uses an HTTP Secure Sockets Layer/Transport Layer Security
(SSL/TLS) tunnel to transmit RDP traffic. Because the RD Gateway server
is using HTTPS, a server authentication certificate needs to be
installed. Furthermore, the certificate that is installed needs to be
issued by a certificate authority (CA) that is trusted on clients
accessing the RD Gateway. In other words, the certificate of the CA that
signed the RD Gateway server certificate must be located in the
client’s Trusted Root Certification Authority store. A trusted
certificate can either be obtained from a publicly trusted CA or an
internal CA to your organization that is already trusted by clients.
The following are some
additional requirements that should be taken into account when using the
RD Gateway:
The Remote Procedure
Call (RPC) over HTTP Proxy service must be installed (this is installed
when you install the RD Gateway role service).
Internet Information Services 7.5
must be installed and running for the RPC over HTTP Proxy service to
function.
The
Network Policy Server (NPS) service must be installed or an existing NPS
server must be present that can be used by the RD Gateway.
RD Gateway servers and
Remote Desktop Services clients can be configured to use Network Access
Protection (NAP).
Active
Directory Domain Services is required if the RD Gateway authorization
policy is defined such that clients must be a member of a domain-based
group.
Note
The RD Gateway feature
is only supported on clients running Windows Server 2008 (R2), Windows
7, Windows Vista, Windows XP with Service Pack 2 or higher, or Windows
Server 2003 with Service Pack 1 or higher that have the Remote Desktop
Connection (RDC) client installed.
The new features that
have been introduced in Windows Server 2008 R2 for the RD Gateway role
service are discussed in the following sections.
Configurable Idle and
Session Timeouts
In Windows Server 2008
R2, an administrator can now configure idle and session timeouts for an
RD Gateway server. An idle timeout is used to reclaim unused resources.
If a user’s session is idle longer than the specified time, that user’s
RD Gateway session is disconnected. When this occurs, a user will still be able to
reestablish the session, if they choose to. A session timeout allows for
the ability to periodically enforce new policies on active user
connections. Policy refreshes mean that Remote Desktop connection
authorization policy (RD CAP) changes or Remote Desktop resource
authorization policy (RD RAP) changes can be enforced on existing
sessions.
Background Session
Authentication and Authorization
If a timeout is reached, a
session can either be disconnected or silently reauthenticated and
reauthorized. When enabled for background authentication and
authorization, the authentication and authorization requests for the
session are automatically done in the background with no interaction.
System and Logon
Messages
Now when a user starts a new
RD Gateway session, an administrator can define system and logon
messages. System messages can be used to inform users about system
status changes, upcoming server maintenance, and so on, whereas a logon
message can be used to display a legal-logon notice to users before they
gain access to any protected resources.
Device Redirection
Enforcement
RD Gateway now has the option
to only allow Remote Desktop clients to connect to RD Session Host and
RD Virtualization Host servers that enforce secure device redirection.
This change was put in place to prevent non-Microsoft Remote Desktop
clients from overriding the gateway device redirection controls.
However, this new feature is only supported on RDC 7.0 or later clients.
Network Access
Protection (NAP) Remediation
When using a Windows
Server 2008 R2 RD Gateway server, clients that are found
out-of-compliance with a health policy can now be brought into
compliance via software updates. By using this feature, an administrator
can use a CAP policy to ensure that remote clients that connect to
internal resources through an RD Gateway are always kept current with
the latest software updates.
Pluggable
Authentication and Authorization
The pluggable
authentication and authorization feature exposes a set of APIs that
allow organizations custom or third-party authentication and
authorization plug-ins that integrate with RD Gateway. By using this
feature, RD Gateway authentication and authorization can be tailored to
fit a wide range of security requirements.
Windows Server 2008 R2
Feature Requirements
For an administrator to
utilize the new RD Gateway features introduced in Windows Server 2008
R2, the following requirements must be met:
RD Session Host servers must be Windows
Server 2008 R2.
RD Gateway servers must
be Windows Server 2008 R2.
Users must use
the Remote Desktop Connection (RDC) 7.0.
RD Web Access
The
Remote Desktop Web Access role service is designed to allow users
(internally and remotely) to access RemoteApp programs, session-based
remote desktops, or virtual desktops from within a website. Using RD Web
Access, a user accessing a website (hosting the RD Web Access web part)
would be presented with a single consolidated list of published
RemoteApps. This list consists of the application icons for each
RemoteApp that has been published either from a single RD Session Host
server or RD Session Host server farms. By clicking on one of these
icons, a session would then be launched on the remote RD Session Host or
RD Virtualization Host that is hosting the published resource. RD Web
Access is especially useful to administrators who want to deploy Remote
Desktop Services–based programs from a central location, from a
customized web page, or from a Windows SharePoint Services site.
To use RD Web Access, clients
must meet the following requirements:
The version of the RDC
client on Windows 7 and Windows Server 2008 R2 supports RDP 7.0. The RDC
client that is being used determines which RD Web Access features will
be available to users. Additionally, the Remote Desktop Services ActiveX
Client control must be enabled.
The new features that have
been introduced in Windows Server 2008 R2 for the RD Session Host role
service are discussed in the following sections.
Forms-Based
Authentication
Forms-based
authentication (FBA) is an ASP.NET authentication service that enables
applications to provide their own logon page and do their own credential
verification. Additionally, this service authenticates users, redirects
unauthenticated users to the logon page, and performs all the necessary
cookie management. Like Outlook Web Access (OWA), by supporting FBA, RD
Web Access users will now have an improved logon experience. For
example, administrators can customize the RD Web Access logon page to
include such things as branding stylization and other important
look-and-feel items.
Single Sign-On Between
RD Session Host and RD Web Access
An important feature that was
missing from the Windows Server 2008 Terminal Services version of Web
Access was support for Single Sign-On. In that version, when a user
connected to a RemoteApp program using Web Access, they were prompted
for their credentials twice. Needless to say, the double credential
prompting led to a poor user experience. However, with the Windows
Server 2008 R2 version of Web Access (RD Web Access), support for Single
Sign-On has been added. When used correctly, users will only have to
provide their credential information once when connecting to a RemoteApp
program using RD Web Access.
Note
To
use RD Web Access Single Sign-On, several dependencies must be met.
First, the certificate used to sign the RemoteApp programs must be
trusted. Second, Single Sign-On is only supported from clients running
Remote Desktop Connection (RDC) 7.0.
Public and Private
Computer Option
Like OWA, the RD Web Access
Web page can now be accessed via either a public or private mode. If the
public computer option is used, cookies storing the username are
available for about 20 minutes. If the cookie is left to expire, the
user’s information is technically purged from the system being used.
When the private computer option is used, cookies storing the username
are available for about 4 hours.
Note
A user’s password is never
cached on a system when either the public or private RD Web Access
options are used.
