Remote Access for Windows Server 2008

Remote Desktop lets users control their desktop computer remotely. It’s a simple concept that, properly implemented, can have a dramatic impact on your organization’s productivity so that staff can work from home — even if they don’t have a mobile computer.

Until Microsoft Windows Server 2008 [2], the network connection itself has been the biggest challenge. Your private network probably uses private Internet Protocol addresses, which prevent users from connecting directly to their desktop computers from the Internet. Even if you offered users a virtual private network connection, many firewalls block VPNs [3].

To work around these limits, Windows Server 2008 introduces the Terminal Services (TS) Gateway role, which acts as a proxy server between the Internet and your internal network. As illustrated, the Remote Desktop client uses encrypted Hypertext Transfer Protocol over Secure Sockets Layer to communicate with the TS Gateway. Because HTTPS is primarily used to browse the Web, almost all firewalls allow it. The TS Gateway authenticates the user (via either a password or a smart card), verifies that the user is authorized to connect to the destination computer and then uses Remote Desktop Protocol (RDP) to complete the connection on your private network.

Planning Your Terminal Services Gateway SSL Certificate

Because clients use HTTPS to connect to the TS Gateway, the TS Gateway will need an SSL certificate — just like an electronic-commerce Web server. To simplify the configuration of the Remote Desktop clients, purchase an SSL certificate from one of the many public certificate authorities (CAs) that Windows trusts by default (a search for “ssl certificate” will turn up several available for less than $20 per year). When configuring the SSL certificate, specify the full host name that clients will use to connect to the TS Gateway from the Internet. If the host name doesn’t match what the users enter in the Remote Desktop Client, the server authentication will fail.

Although you can use a temporary or internal SSL certificate for testing purposes, client computers must trust the certificate’s CA. Because many remote access scenarios involve computers that aren’t members of your Active Directory domain (such as home computers), only SSL certificates issued by trusted public CAs will work by default.

Configuring the Terminal Services Gateway

To add the Terminal Services Role to Windows Server 2008, follow these steps:

1. Log on to your Windows Server 2008 computer as an administrator. Click Start, and then click Server Manager.
2. Right-click Roles, and then click Add Roles.
   The Add Roles Wizard appears.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select Terminal Services. Then, click Next.
5. On the Terminal Services page, click Next.
6. On the Role Services page, select TS Gateway. When prompted, click Add Required Role Services. Then, click Next.
7. On the Server Authentication Certificate page, select an SSL certificate, and then click Next.
8. On the Authorization Policies page, click Now, and then click Next.
9. On the TS Gateway User Groups page, click Add to select the user groups that can connect through the terminal server gateway. Typically, you should create an Active Directory security group for Remote Desktop users connecting from the Internet, and add all authorized users to that group. Then, click Next.
10. On the TS CAP page, enter a name for the Terminal Services Connection Authorization Policy, and choose whether to allow authentication using passwords, smart cards or both. Click Next.
11. On the TS RAP page, enter a name for the Terminal Services Resource Authorization Policy. Then, choose whether to allow remote clients to connect to all computers on your internal network or just computers in a specific domain group. For best results, create an Active Directory security group, and add the computer accounts for all authorized Remote Desktop servers to that group. Click Next.
Note: The CAP defines who can connect to the TS Gateway, while the RAP defines which computers they can use the gateway to access. Both must be defined for a user to establish a connection.
12. Complete any other wizard pages that appear for dependant roles by accepting the default settings, and then click Install on the Confirmation page.
13. After the installation is complete, click Close, and then click Yes to restart the computer if required.
14. After the computer restarts, log back on and click Close in the Resume Installation Wizard.

Later, you can use the Server Manager console to modify the CAPs or RAPs by clicking the roles\terminal services\ts gateway manager\computer_name\policies node.

If necessary, configure your firewall to allow incoming HTTPS connections to your TS Gateway on TCP port 443. Additionally, the TS Gateway must be able to communicate to Remote Desktop servers using TCP port 3389.

Configuring the Remote Desktop Client

You must configure the Remote Desktop Client with the IP address of the TS gateway before connecting to a Remote Desktop server on your internal network. To configure the Remote Desktop Client, follow these steps:

1. If the client computer is running Windows XP with Service Pack 1 or Windows Server 2003 with Service Pack 1 or 2, install the Terminal Services Client 6.0. You can download the software at support.microsoft.com/kb/925876 [4]. Windows Vista and Server 2008 have the client built in. Older versions of Windows cannot use the updated Terminal Services Client and thus cannot connect through a TS Gateway.
2. Open Remote Desktop Connection from the Start menu.
3. If necessary, click the Options button to display the Remote Desktop Connection settings.
4. On the General tab, type the Remote Desktop server’s name or IP address (not the TS Gateway), even if the IP address is private and not directly reachable.
5. Click the Advanced tab, and then click the Settings button.
6. On the Gateway Server Settings dialog box, click Use these TS Gateway server settings. Then, type the server name (it must exactly match the name in the server’s SSL certificate) and select a logon method. Click OK to save the settings.
7. After customizing any other settings, click the General tab, and click Save As to save the settings to an RDP file. Because the RDP file includes the TS Gateway settings, you can distribute it to any computer with the Remote Desktop Client version 6.0 or later.

To connect to the server, open the RDP file, and click Connect. If prompted, provide credentials for both the TS Gateway and the Remote Desktop server. In a few seconds, you should have complete control over the Remote Desktop server.

If your employees have computers at home and broadband Internet connections, you can allow them to use Remote Desktop to control their desktop computers at work. Instantly, the users gain access to their files, applications, printers and other network resources on your internal network as if they were sitting at their desks. There’s no fussing with firewalls or VPNs either — all users need to do is double-click an RDP file you provide.