Solved

Configure TS/RD Web Access + TS/RD Gateway + OWA + TMG 2010

Posted on 2011-02-22
Last Modified: 2012-05-11
Hi,

I have this scenario:

- Router 1 public IP address
- W2008 R2 + Exchange 2010 w/ OWA
- Windows Server 2008 + TS + TS Web Access + TS RemoteApp + TS Gateway (not W2008R2 RD Web)
- W2008 R2 + Forefront TMG 2010 + RD Web + RD gateway

All Internet connections are received by the router.

Router is forwarding TCP ports 80 and 443 to TMG.

I have third-party certificates for mymail.mydomain.com and ts.mydomain.com

Through an HTTP listener, TMG redirects traffic from mymail.mydomain.com to https://mymail.mydomain.com/owa through a rule in TMG, and it connects to OWA using an HTTPS listener with FBA with AD and Basic Authentication in the rule. This is working fine.

I'm trying to configure TS Web Access or RD Web Access.

Through the same OWA HTTP listener, TMG redirects traffic from ts.mydomain.com to https://ts.mydomain.com/TS using the same HTTPS listener from OWA and with Basic Authentication in the rule. I published the paths /RPC/* and /TS/*

I could not configure TMG to forward these requests to RD Web Access in the same TMG server.

When I go to ts.mydomain.com I can see the TMG authentication form, I enter my user and password and then it forwards me to the TS Web Access site. I can see the remote desktop and remote apps but when I try to use them... I just can't :(... It asks me for a password, I enter my user and password but... nothing... it just keeps asking again...

In TS Gateway Manager, under SSL Bridging, the option "Use HTTPS_HTTP bridging (terminate SSL requests and initiate new HTTP requests)" is checked.

In TS RemoteApp Manager, under TS Gateway, I have these options configured:
Use these TS Gateway server settings:
Server name: ts.mydomain.com
Logon method: Allow user to select during connection

Checked "Use the same user credential for TS Gateway and terminal server"


What am I missing? What am I doing wrong?

Thanks in advance!
Question by:rafaeldemartin
Expert Comment

by:Llacy80
ID: 34954498
What client operating system are you trying to connect from? XP, Vista?

Author Comment

by:rafaeldemartin
ID: 34954528
I tried with XP and Win7.

Expert Comment

by:Llacy80
ID: 34954798
Go to IIS --> Click on TS under Default Web Site --> Click Application Settings --> What is the value for DefaultTsGateway? (servername.domainname.local)?
Also, what is the value for GatewayCredentialsSource?

When I set this up for my company a while back I had a heck of a time getting the gateway and remoteapps working properly.

Author Comment

by:rafaeldemartin
ID: 34961089
Under DefaultTSGateway, it was empty... Do I use ts.mydomain.com or servername.domainname.local?

Under GatewayCredentialsSource, the value is 4.

Expert Comment

by:Llacy80
ID: 34961366
Hi. You can try adding the fully qualified domain name (ts.mydomain.com).

Also, for testing purposes: on your LAN (internally), go to https://servername/rdweb and then try accessing the icons from there. Does it still keep prompting for credentials?


Author Comment

by:rafaeldemartin
ID: 34961541
Hi and thanks in advance for your help!

Internally, I access TS Web Access, and it asks me for credentials (basic auth). I can access it internally (basic auth) and externally (forms-based through TMG 2010).
Internally, when I try to access any app, it asks me for credentials, I enter my creds and then I get this error (image attached). I tried internally using W2008R2, W2003 and WXP and the error is the same.

I can access internally this server through RDP without problems.


error.jpg
Accepted Solution

by:
Llacy80 earned 500 total points
ID: 34962510
Hi. I am kind of thinking this error is certificate related. I had all sorts of issues even though we used third-party certs. Are you using a wildcard cert? See link below. I have seen this work for a few people. The only downside is you have to remove and re-add the published apps from the RemoteApp list.

http://www.nicklloyd.it/blog/?p=36


Author Comment

by:rafaeldemartin
ID: 34963361
Thanks! It worked... internally.

Any idea about externally? It keeps asking me for credentials to connect to the app.

Expert Comment

by:Llacy80
ID: 34964415
What client operating system are you using to connect externally? Hopefully not Vista... I could never get Vista to work correctly with it (it would just keep prompting for credentials), but thankfully none of the employees run that at home.

I know you mentioned you are also using TMG. I am not familiar with that product, but if it is anything similar to ISA (which I have used in the distant past) you will need to make sure that the certificate is imported and the web listener is configured (which I am sure you have probably already done?).


Author Comment

by:rafaeldemartin
ID: 34988665
I think that the problem is the "listener" in Forefront TMG.
I can use just one listener for port 443 and I have to use OWA and TS Web + Gateway... the problem is that the listener for OWA requires FBA authentication and the listener for TS Gateway requires "No Authentication"...

How can I resolve that?

Expert Comment

by:Llacy80
ID: 34988694
Hi there. Perhaps the link below will help out with that? How many public IPs do you have?
http://social.technet.microsoft.com/Forums/en/ForefrontedgePub/thread/3ac5e8c0-0aeb-4544-be9f-06ed19a0333a


Author Comment

by:rafaeldemartin
ID: 34988880
Hi Llacy80,

I have just one public IP address but... I did it! It's working now!!!

I keep using the same listener for OWA with FBA with AD.

But in the TS rule I changed:

Authentication Delegation: No delegation, but client may authenticate directly

Path: /TS/*
Path: /Rpc/*

Now... both OWA and TS are working.

Thanks for your help!!!