
TS Gateway security question 1


systemsadmin3000 (Technical User), Sep 8, 2005
I have configured a Server 2008 machine as a TS Gateway. For testing purposes I used a self-signed certificate. I created my CAPs and RAPs. I connected my TS Gateway to a DSL router with a static IP address so it is accessible on the Internet. Using a client machine on the Internet I initiated a remote desktop connection and was able to log into my TS Gateway with a username and password, which I found strange because I did not install the self-signed certificate on the client machine. Wasn't the TS Gateway server supposed to block the connection because the certificate was not installed on the client? Please help...
 
Not an expert on TSG; I have a few, but all with public certs.

It is supposed to deny access. By any chance do you have port 3389 open for incoming traffic to the TSG? Only 443 is supposed to be open to the TSG. If open, for security I would close it to the entire network.

Is "Use these TSG server settings" enabled in the RDP client settings?

Client side cert install...


........................................
Chernobyl disaster..a must see pictorial
 
Thanks. The issue was that port 3389 was open, so it was allowing all RDP traffic. I blocked 3389 and opened 443, and I was not allowed to connect without the cert. I installed the cert and only then was I able to connect. Thanks for your help.
 
Great, you got it. TSG access is pretty stable; I have had very few issues with it. One issue: sometimes if you make parameter changes, it does not behave properly until the server is rebooted.

 
I'm having a similar issue. Maybe you could offer me some insight...

I configured my port options and I'm able to connect with the client, but it doesn't like my self-signed certificate and gives me this certificate status:

"This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

I want to try to delete them and make a new one, to see if that works, but I can't get rid of them?

Other than that I'm all out of ideas.

All suggestions are appreciated.

Thank you
 
Did you add the self-signed certificate on the client machine to the Trusted Root Certification Authorities store? It must be added there also. Also, if you signed the cert using the CN name of the computer, you must also use the CN name when you are configuring the Remote Desktop > Advanced > Settings options on the client machine.
 
Yes, I'm using the self-signed cert with the CN name of the computer with domain. The connection seems to work, but when I try to connect from the client it gives me this error:

"This computer can't connect to the remote computer because the certificate authority that is generated from the Terminal Services Gateway's server certificate is not valid. Contact network administrator."

This leads me to believe that the problem is on the server and not on the client, although I'm not sure how to add the certificate to the client's Trusted Root Certificate store.

I would have thought that the client needs to connect first and then add the cert to the client?
 
Did you try these steps for installing the cert on the client?

To install the TS Gateway server root certificate on the Terminal Services client

1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
· Click Start, click Run, type mmc, and then click OK.
· On the File menu, click Add/Remove Snap-in.
· In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
· In the Certificates snap-in dialog box, click Computer account, and then click Next.
· In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
· In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.
3. On the Welcome to the Certificate Import Wizard page, click Next.
4. On the File to Import page, in the File name box, specify the name of the TS Gateway server root certificate, and then click Next.
If you created a self-signed certificate as described in Appendix A of Windows Server “Longhorn” Community Technology Preview (August 2006) Release TS Gateway Server Step-By-Step Setup Guide and installed this certificate on the client, the name of the root certificate that appears in this list would be <COMPUTERNAME> Test Root.
5. On the Password page, if you specified a password for the private key associated with the certificate earlier, type the password.
6. On the Certificate Store page, accept the default option (Place all certificates in the following store -Trusted Root Certification Authorities), and then click Next.
7. On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear:
· Certificate Store Selected by User: Trusted Root Certification Authorities
· Content: Certificate
· File Name: FilePath\<Root_Certificate_Name.cer>, where <Root_Certificate_Name> is the name of the TS Gateway server root certificate.
8. Click Finish.
9. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
10. With Certificates selected in the console tree, in the details pane, verify that the root certificate of the TS Gateway server appears in the list of certificates on the client.
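The same client-side import, followed by the two checks this thread turns on (the cert's CN matching the gateway name, and TCP 3389 not being reachable from outside so RDP cannot bypass the gateway), as an added PowerShell example that is not from the thread. The certificate path and gateway FQDN are assumed placeholders, and it needs an elevated PowerShell on Windows 8 / Server 2012 or later for Import-Certificate and Test-NetConnection.

```powershell
# Added example (not from the thread). Import the TS Gateway's self-signed root
# certificate into the client's Trusted Root store, verify it landed there,
# confirm the CN matches the gateway name the RDP client will use, and check
# the gateway's external port exposure. Paths and names below are assumed.
$CertPath    = 'C:\temp\TSGW_Test_Root.cer'   # exported root cert (assumed path)
$GatewayFqdn = 'tsgw.example.com'             # name used in RDP > Advanced > Settings (assumed)

# 1. Import into LocalMachine\Root, the store the MMC procedure above targets.
$imported = Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' |
            Select-Object -First 1
"Imported: $($imported.Subject) (thumbprint $($imported.Thumbprint))"

# 2. Verify the certificate is now present in the Trusted Root store.
$inStore = Get-ChildItem 'Cert:\LocalMachine\Root' |
           Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $inStore) { throw 'Root certificate not found in Trusted Root store after import' }

# 3. The RDP client must be pointed at the exact CN in the cert; a mismatch yields
#    the "server certificate is not valid" error quoted earlier in the thread.
$cn = $imported.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $GatewayFqdn) {
    Write-Warning "Certificate CN '$cn' does not match gateway name '$GatewayFqdn'; use '$cn' in the RDP client"
}

# 4. From the Internet-facing side only 443 should answer. If 3389 is reachable,
#    RDP reaches the host directly and the gateway's CAP/RAP checks never run.
foreach ($port in 443, 3389) {
    $r = Test-NetConnection -ComputerName $GatewayFqdn -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'closed' }
    "${GatewayFqdn}:$port is $state"
    if ($port -eq 3389 -and $r.TcpTestSucceeded) {
        Write-Warning 'TCP 3389 is reachable from here: RDP bypasses the TS Gateway entirely'
    }
}
```

Run step 4 from a machine outside the network (as the first poster did), since from the LAN 3389 may legitimately be open.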
 
"I would have thought that the client needs to connect first and then add the cert to the client?"

If this were allowed, then the SSL encryption security function would be negated for the initial connection to get the cert. I see your point; there should be a way the cert is securely pushed out by the server to designated client machines.

 
Thank you, systemsadmin3000. I got the certificate added to the client machine, but something is still not working for me. I double-checked the server for some of the naming of the cert and did some minor troubleshooting. Thank goodness this is for learning purposes and not the real environment. Thanks again.
 