
8/5/2010 How to configure Remote Desktop in W…

Remote Access for Windows Server 2008

Here's how to configure Remote Desktop and the Terminal Services Gateway.

By Tony Northrup
10/16/2007

Remote Desktop lets users control their desktop computer remotely. It’s a simple concept that, properly implemented, can have a dramatic impact on your organization’s productivity so that staff can work from home — even if they don’t have a mobile computer.

Until Microsoft Windows Server 2008 (set for February release), the network connection itself has been the biggest challenge. Your private network probably uses private Internet Protocol addresses, which prevent users from connecting directly to their desktop computers from the Internet. Even if you offered users a virtual private network connection, many firewalls block VPNs.

To work around these limits, Windows Server 2008 introduces the Terminal Services (TS) Gateway role, which acts as a proxy server between the Internet and your internal network. As illustrated, the Remote Desktop client uses encrypted Hypertext Transfer Protocol over Secure Sockets Layer to communicate with the TS Gateway. Because HTTPS is primarily used to browse the Web, almost all firewalls allow it. The TS Gateway authenticates the user (via either a password or a smart card), verifies that the user is authorized to connect to the destination computer and then uses Remote Desktop Protocol (RDP) to complete the connection on your private network.

Note: Throughout this article, the computer being controlled will be referred to as a Remote Desktop server. The Remote Desktop server could be any Windows XP, Windows Server 2003, Windows Vista or Windows Server 2008 computer with Remote Desktop enabled. It could also be any version of Terminal Server.

Planning Your Terminal Services Gateway SSL Certificate

Because clients use HTTPS to connect to the TS Gateway, the TS Gateway will need an SSL certificate — just like an
electronic-commerce Web server. To simplify the configuration of the Remote Desktop clients, purchase an SSL certificate
from one of the many public certificate authorities (CAs) that Windows trusts by default (a search for “ssl certificate” will turn up
several available for less than $20 per year). When configuring the SSL certificate, specify the full host name that clients will
use to connect to the TS Gateway from the Internet. If the host name doesn’t match what the users enter in the Remote
Desktop Client, the server authentication will fail.

biztechmagazine.com/article.asp?item_… 1/3

Although you can use a temporary or internal SSL certificate for testing purposes, client computers must trust the certificate’s
CA. Because many remote access scenarios involve computers that aren’t members of your Active Directory domain (such as
home computers), only SSL certificates issued by trusted public CAs will work by default.

Note: For testing purposes, the Add Roles Wizard can generate a temporary SSL certificate for you. You will need to import
the root CA certificate it generates into each client computer by clicking the Certificates button on the Content tab of the
Internet Options dialog box and then importing the certificate into the list of Trusted Root Certification Authorities.

Configuring the Terminal Services Gateway

To add the Terminal Services Role to Windows Server 2008, follow these steps:

1. Log on to your Windows Server 2008 computer as an administrator. Click Start, and then click Server Manager.
2. Right-click Roles, and then click Add Roles.
The Add Roles Wizard appears.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select Terminal Services. Then,
click Next.
5. On the Terminal Services page, click Next.
6. On the Role Services page, select TS Gateway. When prompted,
click Add Required Role Services. Then, click Next.
7. On the Server Authentication Certificate page, select an SSL
certificate, and then click Next.
8. On the Authorization Policies page, click Now, and then click Next.
9. On the TS Gateway User Groups page, click Add to select the user
groups that can connect through the terminal server gateway.
Typically, you should create an Active Directory security group for
Remote Desktop users connecting from the Internet, and add all
authorized users to that group. Then, click Next.
10. On the TS CAP page, enter a name for the Terminal Services
Connection Authorization Policy, and choose whether to allow authentication using passwords, smart cards or both.
Click Next.
11. On the TS RAP page, enter a name for the Terminal Services Resource Authorization Policy. Then, choose whether to
allow remote clients to connect to all computers on your internal network or just computers in a specific domain group.
For best results, create an Active Directory security group, and add the computer accounts for all authorized Remote
Desktop servers to that group. Click Next.
Note: The CAP defines who can connect to the TS Gateway, while the RAP defines which computers they can use the
gateway to access. Both must be defined for a user to establish a connection.
12. Complete any other wizard pages that appear for dependent roles by accepting the default settings, and then click
Install on the Confirmation page.
13. After the installation is complete, click Close, and then click Yes to restart the computer if required.
14. After the computer restarts, log back on and click Close in the Resume Installation Wizard.

Later, you can use the Server Manager console to modify the CAPs or RAPs by clicking the
ROLES\TERMINAL SERVICES\TS GATEWAY MANAGER\COMPUTER_NAME\POLICIES node.
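
The CAP and RAP checks described in the note to step 11 can be sketched as a decision function. This is an added example, not code from the article or from Microsoft: it is a simplified model, and every group, user and computer name in it is constructed. It also shows why step 11 recommends a dedicated computer group over "all computers".

```python
# Added example: simplified model of the TS Gateway authorization decision.
# All group, user and computer names below are constructed for illustration.

GROUPS = {  # group name -> members (stands in for Active Directory)
    "TSG-Remote-Users": {"alice", "bob"},
    "TSG-Allowed-Desktops": {"DESK-ALICE", "DESK-BOB"},
}
INTERNAL_COMPUTERS = {"DESK-ALICE", "DESK-BOB", "FILESRV01", "DC01"}

CAP = {"user_groups": ["TSG-Remote-Users"],
       "auth_methods": {"password", "smartcard"}}
RAP_SCOPED = {"user_groups": ["TSG-Remote-Users"],
              "computer_group": "TSG-Allowed-Desktops"}
RAP_ALL = {"user_groups": ["TSG-Remote-Users"],
           "computer_group": None}  # None models "all computers"


def in_any_group(member, groups):
    """True if member belongs to at least one of the named groups."""
    return any(member in GROUPS.get(g, set()) for g in groups)


def authorize(user, auth_method, target, cap, rap):
    """Return (allowed, reason); the CAP and the RAP must both match."""
    if cap is None or rap is None:
        return False, "CAP and RAP must both be defined"
    if not in_any_group(user, cap["user_groups"]):
        return False, "CAP: user not in an authorized group"
    if auth_method not in cap["auth_methods"]:
        return False, "CAP: authentication method not allowed"
    if not in_any_group(user, rap["user_groups"]):
        return False, "RAP: user not in an authorized group"
    group = rap["computer_group"]
    if group is not None and target not in GROUPS.get(group, set()):
        return False, "RAP: target not in the allowed computer group"
    return True, "allowed"


def reachable(user, auth_method, cap, rap):
    """Internal computers this user could reach through the gateway."""
    return {c for c in INTERNAL_COMPUTERS
            if authorize(user, auth_method, c, cap, rap)[0]}
```

With `RAP_ALL`, an authorized user can reach every internal computer, including servers such as the constructed `DC01`; with `RAP_SCOPED`, only the desktops in the group.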

If necessary, configure your firewall to allow incoming HTTPS connections to your TS Gateway on TCP port 443. Additionally,
the TS Gateway must be able to communicate with Remote Desktop servers using TCP port 3389.

Configuring the Remote Desktop Client

You must configure the Remote Desktop Client with the IP address of the TS gateway before connecting to a Remote Desktop
server on your internal network. To configure the Remote Desktop Client, follow these steps:

1. If the client computer is running Windows XP with Service Pack 1 or Windows Server 2003 with Service Pack 1 or 2,
install the Terminal Services Client 6.0. You can download the software at support.microsoft.com/kb/925876. Windows
Vista and Server 2008 have the client built in. Older versions of Windows cannot use the updated Terminal Services
Client and thus cannot connect through a TS Gateway.
2. Open Remote Desktop Connection from the Start menu.
3. If necessary, click the Options button to display the Remote Desktop Connection settings.
4. On the General tab, type the Remote Desktop server’s name or IP address (not the TS Gateway), even if the IP address
is private and not directly reachable.
5. Click the Advanced tab, and then click the Settings button.
6. On the Gateway Server Settings dialog box, click Use these TS Gateway server settings. Then, type the server
name (it must exactly match the name in the server’s SSL certificate) and select a logon method. Click OK to save the
settings.
7. After customizing any other settings, click the General tab, and click Save As to save the settings to an RDP file.
Because the RDP file includes the TS Gateway settings, you can distribute it to any computer with the Remote Desktop
Client version 6.0 or later.

To connect to the server, open the RDP file, and click Connect. If prompted, provide credentials for both the TS Gateway and
the Remote Desktop server. In a few seconds, you should have complete control over the Remote Desktop server.

Note: The Remote Desktop Client 6.1, included with Windows Server 2008 and currently in beta testing for other operating
systems, can be configured to send the same credentials to both the TS Gateway and the Remote Desktop server. This
requires prompting the user only once.
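
Because the saved RDP file is what users actually run, it is worth checking before distribution. The following is an added example, not part of the original article: it parses the `name:type:value` lines of an .rdp file and checks the gateway settings from steps 4 to 7, including the requirement that the gateway name match the SSL certificate. The sample file and host names are constructed, and the saved-password check is an extra assumption about what should not be shipped to home computers.

```python
# Added example: audit an .rdp file before distributing it to remote users.
# SAMPLE_RDP and every host name in it are constructed for illustration.
SAMPLE_RDP = """\
full address:s:10.0.5.23
gatewayhostname:s:tsg.example.com
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
"""


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict; type 'i' marks an integer."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, kind, value = parts
        if kind == "i" and value.lstrip("-").isdigit():
            value = int(value)
        settings[name.strip().lower()] = value
    return settings


def audit_rdp(text, cert_name):
    """Return a list of findings; an empty list means no problem was found."""
    s = parse_rdp(text)
    findings = []
    gateway = str(s.get("gatewayhostname", "")).lower()
    target = str(s.get("full address", "")).lower()
    if not gateway:
        findings.append("no gatewayhostname set")
    elif gateway != cert_name.lower():
        # The article requires the name to match the certificate exactly.
        findings.append("gatewayhostname does not match certificate name")
    if s.get("gatewayusagemethod") not in (1, 2):
        findings.append("gatewayusagemethod does not enable the gateway")
    if s.get("gatewayprofileusagemethod") != 1:
        findings.append("gateway settings in the file are not marked explicit")
    if target and target == gateway:
        findings.append("full address points at the gateway, not the server")
    if any(name.startswith("password") for name in s):
        findings.append("saved password present; strip it before distribution")
    return findings
```

In the sample, `promptcredentialonce:i:1` is the setting behind the single credential prompt described in the note above.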

If your employees have computers at home and broadband Internet connections, you can allow them to use Remote Desktop
to control their desktop computers at work. Instantly, the users gain access to their files, applications, printers and other
network resources on your internal network as if they were sitting at their desks. There’s no fussing with firewalls or VPNs
either — all users need to do is double-click an RDP file you provide.

Need More Help?

For more information about Terminal Services in Windows Server 2008, visit
technet2.microsoft.com/windowsserver2008/en/servermanager/terminalservices.mspx. Microsoft also offers a free virtual lab
that lets you work with the TS Gateway without configuring your own lab environment; it’s available at
msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032310513. For peer support with Terminal Services,
visit www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.windows.terminal_services.

Tony Northrup is a developer, security consultant and author with more than 10 years of professional experience developing
applications for Microsoft Windows.


COMMENTS

From: Steve, Manchester NH

Fantastic article! Clearly explained and the best part is, works as promised! :)


Copyright ©2010 CDW LLC | 300 N. Milwaukee Avenue, Vernon Hills, IL 60061
