An Overview of Longhorn Server’s Terminal Service Gateway (Part 1)

by [Published on 6 July 2006 / Last Updated on 6 July 2006]

In this article I will explain how the Terminal Services Gateway makes it easier for remote users to access a terminal server session.

If you would like to read the next articles in this series please go to

One aspect of networking that has always been a hot issue is making shared resources available to remote users. Those administrators who have deployed traditional Windows Server networks have long been able to accommodate remote users via either dial up or VPN connections. Those organizations that rely exclusively on the Windows Terminal Services though have faced much tougher challenges in making resources accessible to remote users though. One of Microsoft’s goals in Windows Longhorn Server was to make it easier for remote users to access a terminal server session. One of the ways that Microsoft has accomplished this goal is through a new server role known as the Terminal Services Gateway. In this article I will explain what this new role is and how it works.

What is the Terminal Services Gateway?

The best way that I can think of to describe the Terminal Services Gateway is that it is like having a Terminal Services VPN. Remote users are able to use their existing Internet connection to establish a secure, encrypted connection to your organization’s Terminal Server deployment. Once the connection is established, the users are able to perform a remote Terminal Services session by using the RDP protocol through the HTTPS protocol.

Although the Terminal Services Gateway is a service that is designed to make your Terminal Servers accessible via HTTPS (port 443), it is a lot more than just a proxy. The Terminal Services Gateway contains a comprehensive configuration mechanism that allows you to control access to network resources. The Terminal Services Gateway Management console allows you to control things such as which users are allowed to connect to your network, and the specific resources that can be accessed remotely. The management console also allows you to monitor events such as unsuccessful logons and generate corresponding alerts.

Some Considerations

The only real down side to the Terminal Services Gateway is that it tends to be a bit tedious to configure. Prior to configuring the service, you must have an enterprise certificate authority on your network. The reason why this is a requirement is because the RDP protocol will be encapsulated in HTTPS packets. The HTTPS protocol is an encrypted version of HTTP that uses port 443. The encryption is based on a certificate that has been issued to IIS. You must therefore have a certificate authority that can issue IIS the necessary certificate.

One other thing that I want to mention before I show you how to configure the Terminal Service Gateway Service is that at the time that I wrote this article, Longhorn Server was still in beta testing. It is therefore possible that the actual configuration process could change prior to Longhorn Server’s release.

Installing the Necessary Services

The Terminal Services Gateway Service has a number of dependency services. In order for the Terminal Services Gateway Service to work, IIS, IAS, and the RPC / HTTP services must be running. The Microsoft documentation that I was given along with my copy of Longhorn Server recommends using the command prompt to install the necessary services. I have personally found it to be easier to use the Server Manager.

You can access the Server Manager from the server’s Administrative Tools menu. When the Server Manager opens, click on the Manage Roles container on the tree on the left side of the console, and then click the Add Roles link on the far right side of the screen, as shown in Figure A.


Figure A: The Server Manager is the tool of choice for most server management tasks in Longhorn

When you click the Add Roles link, the Server Manager will launch the Add Roles Wizard. Click Next to bypass the wizard’s Welcome screen and you will see a screen containing a list of all of the available roles that the server can participate in, as shown in Figure B.


Figure B: The Add Roles Wizard allows you to select from several predefined roles

Select the Terminal Services role and click the Next button. You will now see a screen that gives you a paragraph introducing you to the Terminal Services. This screen also contains a couple of links that you can use to gain more detailed information about specific aspects of the Terminal Services, including information on the Terminal Services Gateway Service. There is really nothing that you have to do on this screen other than clicking Next.

At this point, you will see a screen asking you which roles you would like to install for the Terminal Services, as shown in Figure C. The Terminal Server role is selected by default.


Figure C: The Add Roles Wizard asks you which Terminal Server roles you would like to install

In a production environment, you would most likely want to run the Terminal Server role on a separate server from the Terminal Services Gateway. Keep in mind though that Longhorn Server is still in beta testing. My purpose in writing this article is to familiarize you with the new technology found in Longhorn Server, not to demonstrate the ideal method of deploying the Terminal Services in a production environment. Therefore, for demonstration purposes, I am going to install the Terminal Server role and the Terminal Server Gateway Services role on the same server.

Make sure that the Terminal Server check box is selected and then select the TS Gateway checkbox and click Next. When you do, you will see the pop-up dialog box that’s shown in Figure D appear.


Figure D: You can drill down and see which sub components will be installed

The last thing worth noting about Figure D is that the list of dependency services is slightly different from what I told you earlier. At the beginning of this article, I mentioned that IAS was a required service, and yet IAS is not on the list. Instead, there are a couple of services that I didn’t mention; Network Access Service and Windows Activation Service (WAS).

The Network Access Service seems to be a new name for IAS from what I can tell. This is one of those areas in which the product differs from the documentation. The requirements that I stated earlier were taken directly from Microsoft documentation. I am assuming that these contradictions will be ironed out by the time Longhorn Server ships. For now though, just click the Add Required Role Services button, followed by the Next button.

At this point, you will see a screen informing you that some applications may need to be reinstalled after you install the Terminal Services. Click Next and you will be prompted to specify the licensing model that you want to use. Make your selection and click Next. You can just keep clicking Next to go through the wizard’s remaining screens. Some screens will ask you which components you want to install, but just go with the pre-selected components.

Conclusion

You have now installed all of the necessary services. In Part 2, I will continue the discussion by showing you how to configure your server.

If you would like to read the next articles in this series please go to

Featured Links