The Terminal Services Gateway is, at its simplest, an HTTPS-based connection for Remote Desktop. It tunnels RDP over port 443 with native encryption, and in doing so allows enhanced logging, policy configuration, and central control of Remote Desktop connections. The Terminal Services Gateway is a new role that becomes available with Windows Server 2008, and it provides some features that network administrators may be excited to use. The fundamental point is that the connections use port 443 instead of the port 3389 that traditional connections use. With 443 in use there is a certificate exchange, which is a good thing. Further, the Terminal Services Gateway’s Web front end can manage connections to resources on different networks that may contain NAT addresses, which can be a mess when managed point-to-point from clients and over VPN-based connections. With the Terminal Services Gateway, this is consolidated onto a single host with specific rules that all clients come into and through, with the certificate exchange.
Terminal Services Gateway sparked some interest in me while I was reading this MSDN blog, and in particular its very handy chart of certificate types and RDP client levels. Luckily, having a private certificate authority infrastructure in place makes most things easy. But what got me on a tear about this entire configuration is that most organizations do point-to-point RDP. That configuration makes connections very difficult to trace across large environments, and it frequently leads to over-assigning permissions, through group memberships, to systems that are not needed. Lastly, the nice certificate exchange does not occur here either. The Terminal Services Gateway offers a next level of management for the RDP connections that infrastructure administrators and developers alike require. This isn’t simply a right-click and we are there, however. The Terminal Services Gateway takes some planning and additional components: IIS for starters, and some of the various Network Policy Services that are part of Windows Server 2008 as well.
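One way to see the consolidation and traceability argument in practice is to audit connection records for RDP that still goes point-to-point instead of through the gateway. This is an added example, not code from the original post; the gateway address, the record format and the sample records are all constructed for illustration.

```python
# Added example: flag RDP sessions that bypass the Terminal Services Gateway.
# GATEWAY_IP, the record format and SAMPLE_FLOWS are constructed, not real data.
from collections import defaultdict

GATEWAY_IP = "10.0.0.5"   # assumed address of the TS Gateway host
RDP_PORT = 3389
HTTPS_PORT = 443

# Constructed connection records: "src_ip,dst_ip,dst_port,user"
# The last record has no user identity, the traceability gap point-to-point RDP leaves.
SAMPLE_FLOWS = """\
10.1.1.20,10.0.0.5,443,alice
10.0.0.5,10.2.2.50,3389,alice
10.1.1.21,10.2.2.51,3389,bob
10.1.1.22,10.2.2.52,3389,carol
10.1.1.20,10.0.0.5,443,alice
10.3.3.9,10.2.2.50,3389,
"""


def parse_flows(text):
    """Parse the constructed CSV-like records into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, user = line.split(",")
        flows.append({"src": src, "dst": dst, "port": int(port), "user": user or None})
    return flows


def classify(flow, gateway_ip=GATEWAY_IP):
    """'gateway_client': HTTPS into the gateway (expected client leg).
    'gateway_hop': RDP from the gateway to an internal host (expected second leg).
    'direct_rdp': RDP on 3389 from anything else, i.e. a point-to-point session."""
    if flow["port"] == HTTPS_PORT and flow["dst"] == gateway_ip:
        return "gateway_client"
    if flow["port"] == RDP_PORT:
        return "gateway_hop" if flow["src"] == gateway_ip else "direct_rdp"
    return "other"


def audit(text, gateway_ip=GATEWAY_IP):
    """Return (counts per label, list of direct RDP flows that bypass the gateway)."""
    counts, bypasses = defaultdict(int), []
    for flow in parse_flows(text):
        label = classify(flow, gateway_ip)
        counts[label] += 1
        if label == "direct_rdp":
            bypasses.append(flow)
    return dict(counts), bypasses


if __name__ == "__main__":
    summary, direct = audit(SAMPLE_FLOWS)
    print(summary)
    for f in direct:
        print(f"direct RDP bypassing gateway: {f['src']} -> {f['dst']} user={f['user']}")
```

Once all clients are forced through the gateway, every 3389 flow should originate from the gateway host, so a non-empty bypass list is a sign that point-to-point RDP is still in use.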
It is worth going ahead and taking the time to configure the gateway for the enhanced security configuration. There may be some overlap and co-administration needed between the infrastructure administration and network administration teams, but the enhanced management and security of the Terminal Services Gateway could be a welcome addition to securing this frequently used traffic on the internal network. More information on the Terminal Services Gateway can be found on the TechNet Web site.
Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.