An Overview of Longhorn Server’s Terminal Service Gateway (Part 3)

by [Published on 31 Aug. 2006 / Last Updated on 31 Aug. 2006]

In Part 2 of this article series, I showed you how to create an enterprise certificate authority that could be used to issue SSL certificates to your Terminal Service gateway. In this article, I will continue the discussion by showing you how to configure the Terminal Service gateway to interact with the certificate authority that you created.

If you missed the previous articles in this series, please read:

Configuring IIS

In Windows Longhorn Server, the process of requesting a certificate is not quite as easy as it was in Windows Server 2003. There are a lot of steps that you have to go through to prepare the server for the request, in an effort to make sure that everything is done securely.

The first thing that you have to do is to configure IIS on your Enterprise Certificate Authority server so that it can handle HTTPS requests. Before I show you how, I just want to remind you that this article assumes that the Enterprise CA is running Windows Longhorn Server. If your Enterprise CA is running Windows Server 2003, then the steps would be different.

With that said, enter the MMC command at the Run prompt. When you do, Windows will load an empty Microsoft Management Console. When the console opens, choose the Add / Remove Snap-in command from the console’s File menu. Windows will now display a long list of available snap-ins.  Select the Internet Information Services snap-in from the list, and click the Add button, followed by the OK button. The snap-in should now be loaded into the console.

At this point, you must navigate through the console tree to Web Sites | Default Web Site. Select the Default Web Site container, and then click the Bindings link in the column to the far right. When you do, you will see the Modify Site Bindings dialog box, which will show that the only existing binding is the HTTP protocol. Your job is to add the HTTPS protocol to the list of bindings.

Click the New button to reveal the Create Site Bindings dialog box. Choose HTTPS from the Type drop-down list and make sure that the port is set to 443. Now, select a certificate from the SSL Certificate drop-down list that matches the fully qualified domain name of your server and click OK, followed by Close. The default Web site is now HTTPS enabled. You can close the IIS console.

Preparing Internet Explorer

Now that the Enterprise CA is fully configured, go to your Terminal Service gateway server. You will have to make the certificate request through a Web browser, so you will have to do a bit of prep work on Internet Explorer.

Open Internet Explorer and navigate to the Certificate Authority’s URL.

The URL is HTTPS:// followed by the server’s fully qualified domain name, and /CertSrv/Default.asp. For example, while researching this article, I installed the certificate services onto a server named LONGHORN-DC. That server is a domain controller in a domain named EXCH12.COM. As such, my Certificate Authority’s URL is: https://longhorn-dc.exch12.com/certsrv/default.asp. Whatever URL you are using, just make sure to enter it as HTTPS, and not as HTTP.

When Internet Explorer opens, select the Internet Options command from Internet Explorer’s Tools menu. This will cause Windows to display the Internet Options properties sheet. Select the properties sheet’s Security tab and you will see a list of different security zones. Select the Trusted Sites zone and click the Sites button. When the Trusted Sites dialog box opens, enter the URL of the CA’s Web interface into the place provided and click Add, followed by Close. You must enter this URL in HTTPS format.

Requesting a Certificate

Now that Internet Explorer and IIS have been prepared, you are finally ready to request a certificate.  To do so, close Internet Explorer, and open it again. Navigate to the CA’s Web interface site. When you do, you might be prompted to install an ActiveX control. If so, then be sure to install the control.

The Certificate Authority’s Web interface contains three options. The first option on the list is Request a Certificate.  Click this option and the Web interface will ask you if you want to request a user certificate or if you would like to submit an advanced certificate request. Click the link to submit an advanced certificate request, followed by the link to create and submit a request to this CA.

You will now see the Advanced Certificate Request screen. The first option that you will have to set on this screen is the certificate template type. Choose the Web Server option.

Just below the Certificate Template section, you'll see the Identifying Information section. Although this section is very basic, it must be filled in. The only thing that might be a little bit tricky in this section is the Country/Region code. If you live in the United States, the country code is US.

In the real world, you want to carefully consider the options that you choose on the remaining sections.  For demonstration purposes though, you can just go with the defaults. The one extra field I do recommend filling in is the Friendly Name field. Assigning a friendly name to your certificate will make it easier to identify the certificate later on.

Click the Submit button and you will see a Web Access Confirmation dialog box appear. This dialog box is basically telling you that the web site is requesting a certificate on your behalf. In this particular case, you should just click Yes to allow the request.

You'll now see a message stating that the certificate you requested was issued to you. Click the Install This Certificate link to begin the installation process. You will now see another warning message stating that the web site is attempting to install a certificate onto the computer. Click Yes to allow the installation, and you should see a message stating that your certificate has been successfully installed.

Configuring the Terminal Services Gateway to Use the Certificate

Now that we have requested and installed the certificate, we have to configure the Terminal Services Gateway to use it. Begin by opening the Terminal Services Gateway console. You can do this by selecting the Terminal Services Gateway command from the Administrative Tools menu.

When the console opens, navigate through the console tree on the left to Console Root | TS Gateway Management | your server. When you do, you will see the server’s properties sheet appear. If you look at the properties sheet’s General tab, you’ll notice a Browse Certificate button toward the middle of the window. If you click this button, you should see a list of the certificates that are installed on the server. Choose the certificate that you just created (the friendly name will not be displayed here) and click the Installed button, followed by the OK button. The certificate is now mapped to the Terminal Service gateway.
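Because the Browse Certificate list does not show friendly names, it helps to note the certificate's thumbprint and check its suitability before opening that dialog. The PowerShell below is an added example, not part of the original article; it assumes Windows PowerShell is available on the gateway server, the FQDN `tsgateway.example.com` is a placeholder, and it looks in both Personal stores because the store used depends on the options chosen on the request form.

```powershell
# Added example (not from the original article). Assumed values are marked.
$fqdn   = 'tsgateway.example.com'   # assumption: FQDN clients use for the gateway
$stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'

function Get-GatewayCertificateReport {
    param(
        [string]   $ExpectedName,
        [string[]] $StorePath
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $now = Get-Date
    foreach ($path in $StorePath) {
        foreach ($cert in @(Get-ChildItem -Path $path)) {
            # Gather the EKU OIDs, if the certificate carries that extension.
            $ekuOids = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
                }
            }
            # DNS name from the subject alternative name, else the subject CN.
            $dnsName = $cert.GetNameInfo('DnsName', $false)

            # One row per certificate; FriendlyName and Thumbprint let you
            # recognise the entry in a dialog that hides the friendly name.
            # NameMatches is an exact comparison, so a wildcard name shows False.
            # ServerAuth is also False when there is no EKU extension at all.
            $cert | Select-Object `
                @{ Name = 'Store';       Expression = { $path } },
                FriendlyName, Thumbprint, NotAfter,
                @{ Name = 'DnsName';     Expression = { $dnsName } },
                @{ Name = 'NameMatches'; Expression = { $dnsName -eq $ExpectedName } },
                @{ Name = 'InValidity';  Expression = { $now -ge $_.NotBefore -and $now -le $_.NotAfter } },
                @{ Name = 'ServerAuth';  Expression = { $ekuOids -contains $serverAuthOid } },
                HasPrivateKey
        }
    }
}

Get-GatewayCertificateReport -ExpectedName $fqdn -StorePath $stores | Format-List
```

A certificate issued from the Web Server template should show `ServerAuth`, `InValidity` and `HasPrivateKey` as True, with `NameMatches` True for the name clients will connect to.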

Conclusion

In this article, I have shown you how to request a certificate and then map that certificate to the Terminal Service gateway. In Part 4 of this article series, I will continue the discussion by walking you through some of the remaining configuration steps.
