Posted

I have some questions about a proposed TS Gateway and TS RAP setup.

My proposed setup is a Windows 2008 server added to a Windows 2003 domain (domain A) in order to run a TS Gateway.

1) Users from domain A will connect to the TS Gateway while logged onto the domain either locally or via a VPN connection, so a question is: is a cert required on the TS Gateway? In my scenario it seems unnecessary. Outside access to the TS Gateway wouldn't be allowed.

2) Users from domain A would be connecting to TS servers in other (independent/unrelated) domains, and I'd like to set up a RAP to restrict certain users to certain TSs. On the Computer Groups section of the RAP configuration, of the two settings available for setting granular TS access, the "An existing AD security group" option doesn't provide the ability to configure access for untrusted domains. Does the second option, "An existing TS Gateway-managed computer group", provide the capability to restrict Domain A user access to TS in untrusted domains? Can it use IP addresses, for instance? If not, is there some other way? The domain A users would have accounts in the untrusted domains to which they had TS access.

Thanks

Guest Vikash
Posted

RE: TS Gateway question

Answers:

1. TS Gateway certificate is used for the sole purpose of clients trusting the TS Gateway. So, it should be there immaterial of whether you want to connect from the inside or outside world.

2. TS Gateway and the TS servers have to be on the same domain or trusted domains. So, why would you want to add some untrusted domain user groups to the TS RAP?

Thanks,
Vikash

"pdx" wrote:

> I have some questions about a proposed TS Gateway and TS RAP setup.
>
> My proposed setup is a Windows 2008 server added to a Windows 2003 domain (domain A) in order to run a TS Gateway.
>
> 1) Users from domain A will connect to the TS Gateway while logged onto the domain either locally or via a VPN connection, so a question is: is a cert required on the TS Gateway? In my scenario it seems unnecessary. Outside access to the TS Gateway wouldn't be allowed.
>
> 2) Users from domain A would be connecting to TS servers in other (independent/unrelated) domains, and I'd like to set up a RAP to restrict certain users to certain TSs. On the Computer Groups section of the RAP configuration, of the two settings available for setting granular TS access, the "An existing AD security group" option doesn't provide the ability to configure access for untrusted domains. Does the second option, "An existing TS Gateway-managed computer group", provide the capability to restrict Domain A user access to TS in untrusted domains? Can it use IP addresses, for instance? If not, is there some other way? The domain A users would have accounts in the untrusted domains to which they had TS access.
>
> Thanks
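The answer above says the gateway certificate exists so that clients can trust the gateway, internal or not. A quick way to see what a client machine will actually decide is to open an HTTPS connection to the gateway and record the certificate validation result. The script below is an added example and is not from the thread or from Microsoft; the gateway name `tsgateway.domaina.example` is a placeholder, and the function name `Get-GatewayCertificateReport` is this example's own.

```powershell
# Added example (not from the thread): connect to a TS Gateway over HTTPS and
# report whether this client trusts the certificate it presents. TS Gateway
# clients validate this certificate in every scenario, internal or external,
# so an untrusted or mis-named certificate fails the connection either way.
# 'tsgateway.domaina.example' is a placeholder; replace it with the real name.

function Get-GatewayCertificateReport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443   # TS Gateway listens on HTTPS/443 by default
    )

    $script:observedErrors = [System.Net.Security.SslPolicyErrors]::None

    # Record the validation result instead of aborting the handshake, so the
    # report can say why the certificate would be rejected (chain, name, ...).
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:observedErrors = $sslPolicyErrors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Passing the host name makes the callback check the name as well as the chain.
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate

        [pscustomobject]@{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            PolicyErrors = $script:observedErrors
            Trusted      = ($script:observedErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        $tcp.Close()
    }
}

$report = Get-GatewayCertificateReport -HostName 'tsgateway.domaina.example'
$report | Format-List
if (-not $report.Trusted) {
    Write-Warning "This machine will not trust the TS Gateway certificate: $($report.PolicyErrors)"
}
```

Run it from a domain A workstation that will use the gateway. `RemoteCertificateChainErrors` points at a missing or untrusted issuer (typical for a self-signed gateway certificate that was never pushed to clients), while `RemoteCertificateNameMismatch` means the name users type does not match the certificate's subject or subject alternative names.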

Posted

RE: TS Gateway question

Thanks for the reply.

Regarding #2, I might have worded that incorrectly. What I'm trying to do is have users from Domain A connect to a TS Gateway in Domain A. That TS Gateway will be used to control connectivity to TS Servers in a number of untrusted domains. The Domain A users will connect to the TS Gateway server in Domain A, and will access Terminal Servers in untrusted domains. The users will have accounts in the untrusted domains which allow them to log on to those Terminal Servers in the untrusted domains. These untrusted domain accounts have no relation to the Domain A accounts. Routers/firewalls will allow the connectivity from the Domain A TS Gateway to the TS servers in the untrusted domains.

I'm under the impression that the ability to access untrusted domain servers was possible with a TS Gateway (and it would be of limited usage if that's not correct). The following from the "Terminal Services Gateway (TS Gateway)" TechNet page at http://technet2.microsoft.com/windowsserver2008/en/library/9da3742f-699d-4476-b050-c50aa14aaf081033.mspx?mfr=true says in the "TS RAP" section:

"When you associate an Active Directory security group with a TS RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the TS Gateway server. If the internal network computer belongs to a different domain than the TS Gateway server, users must specify the FQDN of the internal network computer."

My interpretation of that is the "Active Directory" security group is comprised of whatever Domain A users are allowed access to particular TS servers, and that the "internal network computer" that "belongs to a different domain than the TS Gateway server" is any server that is reachable from the TS Gateway Server and doesn't have to have a trust relationship.

Is that not correct?

Thanks

"Vikash" wrote:

> Answers:
>
> 1. TS Gateway certificate is used for the sole purpose of clients trusting the TS Gateway. So, it should be there immaterial of whether you want to connect from the inside or outside world.
>
> 2. TS Gateway and the TS servers have to be on the same domain or trusted domains. So, why would you want to add some untrusted domain user groups to the TS RAP?
>
> Thanks,
> Vikash
>
> "pdx" wrote:
>
> > I have some questions about a proposed TS Gateway and TS RAP setup.
> >
> > My proposed setup is a Windows 2008 server added to a Windows 2003 domain (domain A) in order to run a TS Gateway.
> >
> > 1) Users from domain A will connect to the TS Gateway while logged onto the domain either locally or via a VPN connection, so a question is: is a cert required on the TS Gateway? In my scenario it seems unnecessary. Outside access to the TS Gateway wouldn't be allowed.
> >
> > 2) Users from domain A would be connecting to TS servers in other (independent/unrelated) domains, and I'd like to set up a RAP to restrict certain users to certain TSs. On the Computer Groups section of the RAP configuration, of the two settings available for setting granular TS access, the "An existing AD security group" option doesn't provide the ability to configure access for untrusted domains. Does the second option, "An existing TS Gateway-managed computer group", provide the capability to restrict Domain A user access to TS in untrusted domains? Can it use IP addresses, for instance? If not, is there some other way? The domain A users would have accounts in the untrusted domains to which they had TS access.
> >
> > Thanks

Guest Vikash
Posted

RE: TS Gateway question

Sorry for the late response.

There are three ways to specify the allowed resource names in a RAP. The first option is to specify an existing Active Directory security group, in which case what I said below is correct. You will have to use the other two options in case you want to give access to untrusted domains. You can either create a TS Gateway-managed resource group with all TS server names from untrusted domains or allow users to connect to any resource.

Thanks,
Vikash

"pdx" wrote:

> Thanks for the reply.
>
> Regarding #2, I might have worded that incorrectly. What I'm trying to do is have users from Domain A connect to a TS Gateway in Domain A. That TS Gateway will be used to control connectivity to TS Servers in a number of untrusted domains. The Domain A users will connect to the TS Gateway server in Domain A, and will access Terminal Servers in untrusted domains. The users will have accounts in the untrusted domains which allow them to log on to those Terminal Servers in the untrusted domains. These untrusted domain accounts have no relation to the Domain A accounts. Routers/firewalls will allow the connectivity from the Domain A TS Gateway to the TS servers in the untrusted domains.
>
> I'm under the impression that the ability to access untrusted domain servers was possible with a TS Gateway (and it would be of limited usage if that's not correct). The following from the "Terminal Services Gateway (TS Gateway)" TechNet page at http://technet2.microsoft.com/windowsserver2008/en/library/9da3742f-699d-4476-b050-c50aa14aaf081033.mspx?mfr=true says in the "TS RAP" section:
>
> "When you associate an Active Directory security group with a TS RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the TS Gateway server. If the internal network computer belongs to a different domain than the TS Gateway server, users must specify the FQDN of the internal network computer."
>
> My interpretation of that is the "Active Directory" security group is comprised of whatever Domain A users are allowed access to particular TS servers, and that the "internal network computer" that "belongs to a different domain than the TS Gateway server" is any server that is reachable from the TS Gateway Server and doesn't have to have a trust relationship.
>
> Is that not correct?
>
> Thanks
>
> "Vikash" wrote:
>
> > Answers:
> >
> > 1. TS Gateway certificate is used for the sole purpose of clients trusting the TS Gateway. So, it should be there immaterial of whether you want to connect from the inside or outside world.
> >
> > 2. TS Gateway and the TS servers have to be on the same domain or trusted domains. So, why would you want to add some untrusted domain user groups to the TS RAP?
> >
> > Thanks,
> > Vikash
> >
> > "pdx" wrote:
> >
> > > I have some questions about a proposed TS Gateway and TS RAP setup.
> > >
> > > My proposed setup is a Windows 2008 server added to a Windows 2003 domain (domain A) in order to run a TS Gateway.
> > >
> > > 1) Users from domain A will connect to the TS Gateway while logged onto the domain either locally or via a VPN connection, so a question is: is a cert required on the TS Gateway? In my scenario it seems unnecessary. Outside access to the TS Gateway wouldn't be allowed.
> > >
> > > 2) Users from domain A would be connecting to TS servers in other (independent/unrelated) domains, and I'd like to set up a RAP to restrict certain users to certain TSs. On the Computer Groups section of the RAP configuration, of the two settings available for setting granular TS access, the "An existing AD security group" option doesn't provide the ability to configure access for untrusted domains. Does the second option, "An existing TS Gateway-managed computer group", provide the capability to restrict Domain A user access to TS in untrusted domains? Can it use IP addresses, for instance? If not, is there some other way? The domain A users would have accounts in the untrusted domains to which they had TS access.
> > >
> > > Thanks
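The reply above settles the design: for Terminal Servers in untrusted domains, the RAP has to use either a TS Gateway-managed computer group or the "any resource" option, and the TechNet text quoted earlier in the thread says cross-domain hosts must be named by FQDN. The script below is an added example showing the restrictive choice, a gateway-managed group plus a RAP bound to one Domain A user group. It is not from the thread or from Microsoft. It assumes the TS Gateway WMI provider in the `root\CIMV2\TerminalServices` namespace with the classes `Win32_TSGatewayResourceGroup` and `Win32_TSGatewayResourceAuthorizationPolicy`, the `Create()` parameter order shown, and `ResourceGroupType` values `'RG'` (gateway-managed group) and `'ALL'` (any resource); verify those against the provider on your own gateway before relying on them. All host, group and domain names are placeholders, and `Test-RapResourceName` is this example's own helper.

```powershell
# Added example (not from the thread, not Microsoft documentation): create a
# TS Gateway-managed computer group holding the FQDNs of Terminal Servers in
# untrusted domains, then a TS RAP that lets one Domain A user group reach
# only those hosts over RDP. Run on the TS Gateway server (Windows Server
# 2008) in an elevated PowerShell session.
# ASSUMED: namespace root\CIMV2\TerminalServices, the two WMI classes used
# below, their Create() parameter order, and ResourceGroupType 'RG' / 'ALL'.
# All names below are placeholders.

$Namespace = 'root\CIMV2\TerminalServices'
$GroupName = 'TSG-UntrustedDomainTSHosts'
$RapName   = 'RAP-DomainA-Finance-to-PartnerTS'
$UserGroup = 'DOMAINA\TS-Finance-Users'
$Resources = @('ts01.partner-one.example', 'ts02.partner-two.example')  # constructed sample

function Test-RapResourceName {
    # The TechNet text quoted in the thread says a computer in a different
    # domain than the gateway must be named by FQDN. A bare NetBIOS name in
    # the group would never match what the user has to type, and a wildcard
    # would widen the policy, so both are refused here.
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match '[\*\?]') { return $false }                 # no wildcards
    return $Name -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'      # host.domain.tld
}

$invalid = $Resources | Where-Object { -not (Test-RapResourceName -Name $_) }
if ($invalid) {
    throw "Refusing to create the group; these entries are not FQDNs: $($invalid -join ', ')"
}

# 1. The TS Gateway-managed computer group. The provider is assumed to take
#    the resource list as one ';'-separated string.
$groupClass = Get-WmiObject -Namespace $Namespace -Class Win32_TSGatewayResourceGroup -List
$result = $groupClass.Create($GroupName, 'TS hosts in untrusted partner domains', ($Resources -join ';'))
if ($result.ReturnValue -ne 0) { throw "Resource group creation failed: $($result.ReturnValue)" }

# 2. The RAP: only $UserGroup, only RDP on 3389, only members of that group.
#    Assumed parameter order: Name, Description, Enabled, ResourceGroupType,
#    ResourceGroupName, ProtocolNames, PortNumbers, UserGroupNames.
$rapClass = Get-WmiObject -Namespace $Namespace -Class Win32_TSGatewayResourceAuthorizationPolicy -List
$result = $rapClass.Create($RapName, 'Domain A finance users to partner TS hosts',
                           $true, 'RG', $GroupName, 'RDP', '3389', $UserGroup)
if ($result.ReturnValue -ne 0) { throw "RAP creation failed: $($result.ReturnValue)" }

# 3. Defender's check: flag enabled RAPs that use the "any resource" option,
#    the third way the reply mentions and the one with no per-server limit.
Get-WmiObject -Namespace $Namespace -Class Win32_TSGatewayResourceAuthorizationPolicy |
    Where-Object { $_.Enabled -and $_.ResourceGroupType -eq 'ALL' } |
    ForEach-Object { Write-Warning "RAP '$($_.Name)' allows connections to any resource" }
```

The gateway-managed group only decides which names a Domain A user may ask the gateway for; it does not authenticate them to the untrusted Terminal Server, so the separate accounts the original poster describes are still what the target server checks. Keep the group entries as FQDNs and tell users to connect with the same FQDN, since the quoted TechNet text says NetBIOS names are only resolved automatically for hosts in the gateway's own domain.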

