TS Gateway service
Hi, I've created a certificate on TS Gateway and installed (imported) it locally on my computer. Now, regarding TS CAP and RAP, I can connect to the servers on the internal network through RDP. My questions:

- How to skip installation of the certificate and publish it to all computers on the domain?
- I don't have a separate IP address for the SSL listener. Is it possible to use an existing SSL certificate (for example, for Exchange/OWA) and use it for the TS service? In that way I can create an additional rule on the ISA server. How to publish the TS Gateway service?
- What is the real advantage for internal/external users to use TS Gateway? For external, they don't need to use a VPN connection anymore. What else?

Thnx!
April 16th, 2008 8:22pm

Hello Jack,

- How to skip installation of the certificate and publish it to all computers on the domain?

You can use a public certificate which participates in the Microsoft Root Certificate Program Members program and is trusted by default, such as VeriSign; meanwhile, you can generate and install a certificate issued by your Enterprise CA.

- I don't have a separate IP address for the SSL listener. Is it possible to use an existing SSL certificate (for example, for Exchange/OWA) and use it for the TS service? In that way I can create an additional rule on the ISA server. How to publish the TS Gateway service?

Yes, if you already have a certificate, you can reuse it for the TSGateway server if the certificate meets some conditions. Only certificates that have the intended purpose (server authentication) and Enhanced Key Usage (EKU) [Server Authentication (1.3.6.1.5.5.7.3.1)] that are appropriate for the TSGateway role service will appear in the list of certificates. For detailed requirements, please refer to the "Certificate requirements for TS Gateway" section of the following link:

http://technet2.microsoft.com/windowsserver2008/en/library/5fdeb161-31c7-41b2-aaa3-7a4d5f5e3cda1033.mspx?mfr=true

- What is the real advantage for internal/external users to use TS Gateway? For external, they don't need to use a VPN connection anymore. What else?

For internal clients, we generally do not use TS Gateway. For external clients, TS Gateway can also make it easier for users because they do not have to configure VPN connections and can access TS Gateway servers from sites that can otherwise block outbound RDP or VPN connections. It uses Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users on the Internet and the internal network resources.

Hope it helps.
April 23rd, 2008 1:41pm
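
The EKU condition named in the reply above can be checked on the server before looking for the certificate in the TS Gateway list. This is an added example, not part of the original thread; the function name `Get-EkuStatus` is hypothetical, and the private-key and expiry columns are general certificate hygiene rather than requirements quoted from the reply.

```powershell
# Added example: classify each certificate in the local computer's Personal
# store by whether it carries the Server Authentication EKU from the reply.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Get-EkuStatus {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Locate the Enhanced Key Usage extension, if the certificate has one.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1

    # Reported as its own state; the reply does not say how such a
    # certificate is treated, so no conclusion is drawn here.
    if (-not $eku) { return 'NoEkuExtension' }

    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($oids -contains $ServerAuthOid) { return 'ServerAuth' }

    # EKU present but restricted to other purposes (e.g. client auth only).
    return 'OtherEkuOnly'
}

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        EkuStatus     = Get-EkuStatus -Certificate $_
        HasPrivateKey = $_.HasPrivateKey            # hygiene check, not from the reply
        NotAfter      = $_.NotAfter
        Expired       = $_.NotAfter -lt (Get-Date)  # hygiene check, not from the reply
    }
} | Sort-Object EkuStatus, NotAfter | Format-Table -AutoSize
```

Rows reported as `OtherEkuOnly` lack the Server Authentication purpose the reply describes, so an existing Exchange/OWA certificate should show `ServerAuth` before it is considered for reuse.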

Hi, we are using our CA server (on the AD server), and that server issued certificates for Exchange and the web server (2 IPs and 2 HTTPS certs). Unfortunately I don't have any free external IP address, so my question is: is it possible to use the current certificate and create a separate rule to forward traffic to the TS 2008 server?
April 24th, 2008 4:03pm

Hello Jack,

Yes, implementing TS Gateway while retaining the current certificates and without additional public IP addresses can be achieved. However, you may have to implement an ISA (Internet Security and Acceleration) server that will function as an SSL bridging device. When SSL bridging is used, ISA Server can terminate SSL sessions, inspect packets, and re-establish SSL sessions. ISA Server helps enhance security by decrypting incoming SSL traffic, statefully inspecting the traffic for malicious code, and then blocking connections that contain suspicious packets or packets that reflect known exploits.

When the ISA Server is configured as an SSL bridging device (Web proxy), ISA Server is hosted in a perimeter network and provides SSL bridging between the Terminal Services client and the TSGateway server. The TSGateway server is hosted in the corporate/private network.

For more detailed information about TS Gateway configuration, you may refer to:

Configuring the TS Gateway ISA Server Scenario
http://technet2.microsoft.com/WindowsServer2008/en/library/9f293f18-b0fd-48f8-b103-957fad92d70b1033.mspx

Hope it helps.
April 25th, 2008 2:00pm

Hi, yes, the link helps. Can you please confirm for the last time: is it possible to use the current Exchange certificate, or do I really need to obtain a new public IP address and assign a new SSL listener? My idea is: use the current SSL certificate and create a new rule for the TS service. Thnx.
April 25th, 2008 2:18pm

Hello Jack,

Yes, you can use one public IP address to publish both OWA and TSG while using the current OWA SSL certificate in the ISA. However, the TS Gateway server and Exchange Server may have to coexist on the same machine. Moreover, additional configurations are needed to prevent Exchange Server from rewriting the RPC proxy configuration.

Please note: don't use the generic web publishing steps described in the document. Use the Exchange 2007 Outlook Anywhere publishing wizard provided by ISA 2004 / 2006.

If there is any update of the document on this issue, I will let you know ASAP. Thanks.
May 7th, 2008 6:16am

Any further technical information on running TS Gateway services and Exchange OLanywhere from a single IP? (Co-hosted on a single server or not.)

I have read on other forums that it is not possible to change the TCP port listener for the TS Gateway, but have not found an MS KB or tech article. Further proof of this may be that the RDC client does not seem to offer an obvious option to redirect TS Gateway settings to a specific port. I am researching this as I would like to run Exchange OLAnywhere and TS Gateway services from a single IP (yes, my lame residential internet circuit).

Thanks!
March 20th, 2009 12:15pm

This topic is archived. No further replies will be accepted.
