Terminal Server Gateway deployment best practice
Hi All,

I'm about to publish certain servers through port 443 (SSL), therefore I need to use the Windows Server 2008 Std. x64 TSG service. In this case, what is the best practice for deploying this infrastructure? Do I need to join the TSG into the domain?

* Meaning that I also need to open LDAP port 389 from the DMZ into my local network, which would lead to a security hole?

See the following diagram: http://img440.imageshack.us/img440/8642/tsg.jpg

It shows what I want to achieve. Is that possible by just opening port 443 to the Internet and port 3389 from the internal network for managing the DMZ servers? The certificate will be made by the internal Root CA.

Any help and suggestion would be greatly appreciated. Thanks.

/* Windows Infrastructure Support Engineer */
August 26th, 2009 2:22pm

Hi Albert,

Thanks for your post. TS Gateway servers must be joined to an Active Directory domain in the following cases:

- If you configure a TS Gateway authorization policy that requires that users be domain members to connect to the TS Gateway server.
- If you configure a TS Gateway authorization policy that requires that client computers be domain members to connect to the TS Gateway server.
- If you are deploying a load-balanced TS Gateway server farm.

Prerequisites for TS Gateway
http://technet.microsoft.com/en-us/library/cc732039(WS.10).aspx

Generally, we need to open the ports 88, 389, 135, <Port on which NTDS RPC service listens on AD>, 53, 3389 on the internal firewall. For more information, please refer to the following blog:

RD Gateway deployment in a perimeter network & Firewall rules
http://blogs.msdn.com/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

If there is anything unclear, please feel free to let me know.

Joson Zhou
TechNet Subscriber Support in forum

If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
August 27th, 2009 6:37am
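The reply above lists the fixed ports the internal firewall must pass from the TS Gateway to a domain controller. The following PowerShell script is an added example (not from the thread or from Microsoft) that verifies those ports from the gateway host before the DMZ rules are finalized; the domain controller name is an assumption, and the script tests TCP only, so UDP 53 and UDP 88 still need their own rules.

```powershell
# Added example: confirm from the TS Gateway host in the DMZ that the fixed ports
# named in the reply are reachable on a domain controller.
# The DC name below is an assumption; replace it with your own.
param([string]$DomainController = 'dc01.example.local')

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout usually means the firewall is dropping the packets.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Fixed ports from the reply, with the service each one carries.
$required = @(
    @{ Port = 53;  Service = 'DNS' },
    @{ Port = 88;  Service = 'Kerberos' },
    @{ Port = 135; Service = 'RPC endpoint mapper' },
    @{ Port = 389; Service = 'LDAP' }
)

foreach ($entry in $required) {
    $open  = Test-TcpPort -ComputerName $DomainController -Port $entry.Port
    $state = if ($open) { 'open' } else { 'BLOCKED' }
    "{0,-22} TCP {1,-5} {2}" -f $entry.Service, $entry.Port, $state
}

# The NTDS RPC port is dynamic unless pinned in the registry on the DC, so check
# whichever port your DC actually uses. TCP 3389 in the reply is for RDP from the
# gateway to internal hosts, not to the DC, so it is not tested here.
```

Run it on the gateway itself, since reachability from an internal workstation says nothing about the DMZ-to-LAN rule set.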

Hi Jason,

Thank you for replying to my topic. I've joined both the Web Server and the TSG in the DMZ. This is the picture of what I'm doing now: http://img91.imageshack.us/img91/8642/tsg.jpg

At the moment I'm inside the local network and would like to publish the Web Server 2008, which is located in the DMZ as well. Is it correct that I should:

1. publish TSG.domain.com to the world using port 443
2. create a self-signed certificate from TSG.domain.com and then give that to the client
3. set up the TS CAP and TS RAP
4. the client installs the SSL cert in the Trusted Root CA
5. the client accesses remote desktop to TSG.domain.com
6. once the client has logged in, he/she must remote desktop again into the webserver

Am I missing something in here?

/* Windows Infrastructure Support Engineer */
September 1st, 2009 9:44am

Hi,

As you have a root CA in the internal network, I suggest that you request the certificate from the CA rather than create a self-signed certificate. For the detailed steps, you can refer to the "2. Obtain a certificate for the TS Gateway server" section in the following article:

Configuring the TS Gateway Core Scenario
http://technet.microsoft.com/en-us/library/cc754252(WS.10).aspx#BKMK_ConfigCertIISTSGateway

After you install the certificate on the TS Gateway server, please also ensure that the root CA certificate has been imported to the Trusted Root Certification Authority store on the client computers.

The users do not need to access remote desktop to the TS Gateway server. They can access the TS Web (webserver) directly. In other words, we do not need to first establish an RDP session to the TS Gateway Server and then to the web server.

The following articles could be helpful for you to better understand Terminal Service-related features:

TS RemoteApp Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc730673(WS.10).aspx

TS Gateway Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc771530(WS.10).aspx

If there is anything unclear, please feel free to let me know. I look forward to your response.

Joson Zhou
TechNet Subscriber Support in forum

If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
September 2nd, 2009 7:04am

Hi,

How's everything going? Just wondering if my explanation is clear or if you need further assistance. If you have any questions or concerns, please feel free to let me know.

Joson Zhou
TechNet Subscriber Support in forum

If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
September 4th, 2009 9:23am

Hi Joson,

Finally I was able to access the Webserver that I want from the internet using Terminal Server Gateway. Here's what I did:

On the Terminal Server Gateway (open ports 53, 88, 389, 135, 139, 3389; after that only open port 443 to the external side and to the webserver):

1. Join the TSG server into the domain.
2. Go through the steps in http://www.youtube.com/watch?v=x_0oeiCTTfU
3. TS_CAP_01 settings:
   - Requirement tab: select password for the authentication; add the BUILTIN\Administrators group.
   - Device Redirection tab: Enable device redirection for all devices.
4. TS_RAP_01 settings:
   - User groups tab: make the same members as the previous CAP_01 setting.
   - Computer group tab: select "Allow users to connect to any network resources" --> because of this now I can secure RDP to the webserver.
   - Allowed ports tab: select "Allow connection through any port" --> and this one as well.
5. Export the certificate as (whatever).cer; this must then be imported into the Trusted Root CA on the client workstation.

On the DMZ Webserver (open only port 443 after going through these steps):

1. Join the webserver to the domain.
2. Go to System Properties | Remote tab and click on "Allow connection from computers running...".
3. Click on the "Remote users" button and add the same user as the previous one in the TSG group (steps 3 and 4).

On the client:

1. Import the certificate from TSG.domain.com into the Trusted Root CA location (click on browse and select the folder).
2. Run mstsc (remote desktop application).
3. General tab: computer: (webserver IP address) --> due to no DNS being available; username: Webserver\Administrator.
   Advanced tab: select "Connect and don't warn me"; click on Settings; select "Use these TS Gateway server settings": Server name: TSG.domain.com, Login method: NTLM. Click on OK, then connect by supplying the local admin password.

/* Windows Infrastructure Support Engineer */
September 8th, 2009 4:58am
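The CAP and RAP choices in the post above (local Administrators as the user group, any network resource, any port) make the gateway work but leave it wider open than a single published webserver needs. The following PowerShell script is an added example, not from the thread or from Microsoft, that reads the gateway's policies through the TS Gateway WMI provider and flags those broad settings so they can be narrowed to the webserver and port 3389 once the deployment is proven. The class and property names are those of Win32_TSGatewayConnectionAuthorizationPolicy and Win32_TSGatewayResourceAuthorizationPolicy; the literal values 'ALL', '*' and the DeviceRedirectionType mapping are assumptions to confirm against your own server.

```powershell
# Added example: audit TS Gateway CAP/RAP settings on the gateway itself and flag
# broad choices. Run as a local administrator on the TS Gateway server.
# Property names follow the TS Gateway WMI provider; the values 'ALL' (any resource),
# '*' (any port) and DeviceRedirectionType 0 (all devices) are assumed - verify with
#   Get-WmiObject -Namespace root\CIMV2\TerminalServices -Class <class> | Get-Member
$ns = 'root\CIMV2\TerminalServices'
$findings = @()

Write-Host '== Connection Authorization Policies (who may connect to the gateway) =='
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy | ForEach-Object {
    "{0} (enabled={1})" -f $_.Name, $_.Enabled
    "  user groups    : {0}" -f ($_.UserGroupNames -join ', ')
    "  computer groups: {0}" -f ($_.ComputerGroupNames -join ', ')
    if ($_.UserGroupNames -contains 'BUILTIN\Administrators') {
        $findings += "CAP '$($_.Name)' grants gateway access to the local Administrators group"
    }
    if ($_.DeviceRedirectionType -eq 0) {   # assumed: 0 = redirect all client devices
        $findings += "CAP '$($_.Name)' allows redirection of all client devices"
    }
}

Write-Host '== Resource Authorization Policies (which internal hosts and ports) =='
Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy | ForEach-Object {
    "{0} (enabled={1})" -f $_.Name, $_.Enabled
    "  user groups   : {0}" -f ($_.UserGroupNames -join ', ')
    "  resource group: {0} [{1}]" -f $_.ResourceGroupName, $_.ResourceGroupType
    "  ports         : {0}" -f $_.PortNumbers
    if ($_.ResourceGroupType -eq 'ALL') {   # assumed: 'ALL' = any network resource
        $findings += "RAP '$($_.Name)' allows connections to any network resource"
    }
    if ($_.PortNumbers -eq '*') {           # assumed: '*' = any port
        $findings += "RAP '$($_.Name)' allows connections through any port"
    }
}

Write-Host ''
if ($findings.Count -eq 0) {
    'No broad settings found.'
} else {
    'Settings worth narrowing:'
    $findings | ForEach-Object { " - $_" }
}
```

A tightened RAP for this thread's scenario would name a TS Gateway-managed computer group containing only the DMZ webserver and restrict allowed ports to 3389, while the CAP would use a dedicated domain group rather than BUILTIN\Administrators.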

Glad to hear that. This posting is provided "AS IS" with no warranties, and confers no rights.
September 8th, 2009 10:18am
