
Connecting to TS Web Access via TS Gateway

Hi all,

I'm trying to find an article on how to configure TS Web Access so a domain user can authenticate to a TS Web server via TS Gateway from outside. I have configured two Windows Server 2008 R2 Standard servers, 1 as a TS Gateway with external access (terminal.blabla.ca) and 1 as TS Server which has a few apps installed such as MS Office, Adobe Acrobat, etc. This all works fine when using an RDP file: the user connects to the remote server easily through the Gateway, but when trying with the web access I can't get it to work from outside. It works fine inside, obviously: when typing the URL, I get redirected to the TS Web Access on the TS Server with access to the apps. I have installed the Remote Desktop Web Access role on both machines and the Remote Desktop Gateway role on only one, with a 3rd-party SSL cert. The fact that everything works fine with an RDP file makes me think that I'm not far but still not there!

thanks
Asked by: Comptrib
 
Ayman Bakr (Senior Consultant) commented:
First see if your configuration is aligned to the checklist here:

http://technet.microsoft.com/en-us/library/cc772415.aspx

Moreover, if you deployed your RD Web Access and RD Gateway in DMZ, while your RD Session host was deployed internally, ensure you open WMI traffic on the firewall from the RD Web Access to the RD Session host.

Also ensure that your RD Web Access is configured to use Forms Authentication (it should by default).
 
Comptrib (Author) commented:
Thanks for the reply,

Both of my servers are inside the domain. When typing "https://terminal.blabla.ca" in the browser, the address gets translated at the firewall level to the TS Gateway. After going through the checklist you sent me, I created an RDP file within RemoteApp Manager, took a copy and tried it outside my domain with a wifi connection. It worked perfectly. However, what I am looking for is the possibility for a user to type "https://terminal.blabla.ca" in his browser and be redirected and authenticated to the TS Web server so he can select the application he wants to work on. Is this feasible?

thanks
 
Ayman Bakr (Senior Consultant) commented:
To have SSL, and thus HTTPS, on your RD Web Access you need to set up SSL in IIS for your site and create an HTTPS binding for that site. Have you done it? Check this link on how to do it:

http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

Moreover, have you configured the RemoteApp programs to be available through RD WebAccess? Please verify your configurations with this checklist:

http://technet.microsoft.com/en-us/library/cc730739.aspx

 
Comptrib (Author) commented:
SSL is configured on RD Web Access and programs are available through RD Web access. I can access them in the browser from inside.

The problem seems to be at the Gateway. How can I set it up to have the user redirected to my RD Web Server? Actually, when I type my address in the browser, I end up at the default web page of the TS Gateway server (iisstart.htm). Like I said, the address "terminal.blabla.ca" is translated to 192.168.x.x, which is my TS Gateway. It stops there.

Thanks
 
Ayman Bakr (Senior Consultant) commented:
Correct configuration should be as follows:

1. On RD Web Access the following should be configured:
    a. Source should be configured with the FQDN of your RD Session Hosts (have you configured this correctly?)

2. On Remote Desktop Session Host the following should be configured:
    a. Within the RemoteApp Manager settings you need to specify the RD Gateway settings including to 'Bypass RD Gateway Server for local addresses'
    b. Add your RDS User group to the TS Web Access Computers local group
    c. Publish the applications you want your users to run

How are your external users accessing your RD network - i.e. is terminal.blabla.ca the FQDN of your RD Gateway?
 
Comptrib (Author) commented:
Yes, external users are accessing the Gateway via the FQDN terminal.blabla.ca.

Here's what I tried: I enabled Directory Browsing in RDWeb on my Gateway and added RDWeb in my URL (https://terminal.blabla.ca/RDWeb) and I got a page showing the directory. I clicked on "Pages" and the login page (RD Services default connection page) opened. I was able to log in and run the applications on my Web Server. I changed the physical path of the RDWeb directory so it points to the default.aspx page, but that generates an error. I'm not far from what I want. Why do I see the directory and not the login page?

G
 
Comptrib (Author) commented:
Okay, I got it to work after reading this article on MS Forum http://social.technet.microsoft.com/Forums/en/winserverTS/thread/8d2af593-9f6f-4b5b-bf33-cfd29ad31db5. I simply redirected the default web site to "/RDWeb/Pages/default.aspx"

One more issue though: once authenticated, I get the RD Web Access page with the apps available, but to open one I have to authenticate again with Domain\username and also accept an "Unknown Publisher" warning. I need to do this for every app. Any idea how I can bypass this, since I'm already authenticated as a domain user through the Gateway?

Thanks
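
The redirect described in this post, scripted as an added example (not part of the original thread or of Microsoft's documentation). It also turns directory browsing on RDWeb back off, since it was enabled during troubleshooting earlier in the thread. Assumptions: the site is named "Default Web Site", RDWeb is an application directly under it, and the script runs in an elevated PowerShell session on the server that answers for the external name.

```powershell
# Added example: redirect the site root to the RD Web Access login page
# and make sure directory browsing is off on RDWeb.
Import-Module ServerManager
Import-Module WebAdministration

$site     = 'IIS:\Sites\Default Web Site'   # assumption: default site name
$rdweb    = "$site\RDWeb"                   # assumption: RDWeb sits under that site
$redirect = 'system.webServer/httpRedirect'
$browse   = 'system.webServer/directoryBrowse'

# The httpRedirect section only works if the HTTP Redirection role service
# is installed; add it when missing.
if (-not (Get-WindowsFeature Web-Http-Redirect).Installed) {
    Add-WindowsFeature Web-Http-Redirect | Out-Null
}

# Redirect requests for the site root to the login page.
#  exactDestination = always send the browser to this exact URL
#  childOnly        = IIS Manager option "Only redirect requests to content
#                     in this directory (not subdirectories)", which keeps
#                     /RDWeb itself and the RD Gateway /Rpc virtual
#                     directory out of the redirect
$settings = @{
    enabled            = $true
    destination        = '/RDWeb/Pages/default.aspx'
    exactDestination   = $true
    childOnly          = $true
    httpResponseStatus = 'Found'            # 302, easy to change later
}
foreach ($name in $settings.Keys) {
    Set-WebConfigurationProperty -PSPath $site -Filter $redirect `
        -Name $name -Value $settings[$name]
}

# Directory browsing exposes the file layout of the application to anyone
# who can reach the URL; the login page does not need it.
Set-WebConfigurationProperty -PSPath $rdweb -Filter $browse `
    -Name enabled -Value $false

# Read the effective values back so the result can be checked.
'destination', 'exactDestination', 'childOnly' | ForEach-Object {
    $v = (Get-WebConfigurationProperty -PSPath $site -Filter $redirect -Name $_).Value
    "httpRedirect.$_ = $v"
}
$b = (Get-WebConfigurationProperty -PSPath $rdweb -Filter $browse -Name enabled).Value
"RDWeb directoryBrowse.enabled = $b"
```

After running it, requesting the site root from outside should land on the login page, and requesting /RDWeb/ without a page name should no longer return a directory listing.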
 
Ayman Bakr (Senior Consultant) commented:
For single sign-on (SSO) you need to ensure that:
1. The certificate used to sign your RemoteApps is trusted.
2. RD Session Host servers are 2008 R2.
3. The connecting client should have RDC 7.0 and be either Windows 7, Vista or XP SP3.

RD Session Hosts 2008 do not support SSO with RD Web Access and you will have to make do with it. However, if your RD Session Hosts are 2008 R2, then it should be fine provided you have the above prerequisites and your environment is set up correctly for SSO. For more info see this link:

http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
 
Comptrib (Author) commented:
Thank you for the help. Greatly appreciated.