Publishing Remote Desktop Service with Forefront TMG 2010

When you have RDS deployed in your network and up and running, here is how to publish it via Forefront TMG 2010 to your external and mobile users.

Note: We assume you used SAN certificates during your RDS deployment, containing at least the internal and external FQDNs of your RDS environment, and that you have a separate single-name certificate on your RD Session Host, since RDP connection security does not support SAN certificates.

Now we are going to start with the publishing rule for your RD Web Access and RD Gateway server.

Import your SAN certificate (with its private key) into the local computer certificate store of your TMG.

Create a simple web listener for HTTPS using the imported certificate and select no client authentication; RD Web Access and RD Gateway will authenticate the users themselves.

Now use the Exchange Web Client Access Publishing Wizard and create a publishing rule just as you would (or already have) for OWA publishing, but pick the HTTPS web listener you created before when the wizard asks for it. On the Authentication Delegation step select ‘No delegation, but client may authenticate directly’, leave ‘All Users’ on the next wizard page and finish.

Note: If you have split your RDS environment so that RD Gateway and RD Web Access run on different servers, you need two of these publishing rules, one for RDG and one for RD Web Access. If you use split DNS, you can get by with one rule if you enable forwarding the original host header in it.

After you‘ve created what you need, open each of these publishing rules, check the ‘Public Name’ and ‘Paths’ tabs and make sure you have only /rdweb/* in your RD Web Access publishing rule and /rpc/* in your RD Gateway publishing rule (or both paths in one rule if everything runs on one server). Nothing else on that IIS should be reachable through the listener.

So from the TMG side we are done. Easy, isn’t it? 🙂
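Before moving on to the RDS side, it is worth checking the rules from the outside. The following PowerShell script is an added example and not part of the original post; it assumes a public name of rds.example.com and the status codes noted in the comments, so adjust both to your environment. It checks that the two published paths answer, that a path outside /rdweb/* and /rpc/* is refused by TMG, and that the certificate the listener presents actually carries the public name in its SAN.

```powershell
# Added example (not from the original post): external smoke test for the
# publishing rules created above. Run it from a client outside the TMG, e.g. on
# a mobile connection. The public name and the expected status codes are
# assumptions for this example; adjust them to your environment.
$publicName = 'rds.example.com'   # assumed external FQDN that is on the SAN certificate

function Get-HttpStatus {
    param([string]$Url)
    # Returns the HTTP status the published site answers with (401/403 included).
    # Status -1 means there was no HTTP answer at all: TLS trust failure, listener
    # not reachable, or a timeout; Detail then carries the reason.
    $code = -1; $detail = ''
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.AllowAutoRedirect = $false   # a 302 to the logon page is a valid answer, keep it visible
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
    } catch {
        # PowerShell may wrap the WebException; walk down to it to read the response
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { $code = [int]$ex.Response.StatusCode }
        else { $detail = $_.Exception.Message }
    }
    New-Object PSObject -Property @{ Url = $Url; Status = $code; Detail = $detail }
}

function Get-PresentedDnsNames {
    param([string]$HostName)
    # Reads the DNS names from the SAN extension of the certificate the listener
    # presents. The validation callback is relaxed ONLY to read the certificate
    # here; the real trust check is whether Get-HttpStatus gets an answer at all.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $ssl = New-Object System.Net.Security.SslStream(
        $tcp.GetStream(), $false,
        ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close(); $tcp.Close()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if (-not $san) { return @() }
    # Format() yields e.g. "DNS Name=rds.example.com, DNS Name=rds.contoso.local"
    ($san.Format($false) -split ',\s*') |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { $_.Substring('DNS Name='.Length) }
}

# Expected answers (assumed for this example):
#  /rdweb/            200, or 302 to the forms logon page -> RD Web Access rule works
#  /rpc/rpcproxy.dll  401 -> the request reached RD Gateway, which asks for authentication itself
#  /owa/              403 -> anything outside /rdweb/* and /rpc/* is denied by TMG (error 12202)
$checks = @(
    @{ Url = "https://$publicName/rdweb/";           Expect = @(200, 302) },
    @{ Url = "https://$publicName/rpc/rpcproxy.dll"; Expect = @(401) },
    @{ Url = "https://$publicName/owa/";             Expect = @(403) }
)
foreach ($c in $checks) {
    $r  = Get-HttpStatus $c.Url
    $ok = $c.Expect -contains $r.Status
    '{0,-4} {1,4}  {2}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $r.Status, $r.Url
    if ($r.Detail) { "       $($r.Detail)" }
}
$names = Get-PresentedDnsNames $publicName
if ($names -contains $publicName) { "OK   certificate SAN contains $publicName" }
else { "FAIL certificate SAN is: $($names -join ', ')" }
```

A -1 on the first check usually means the client does not trust the certificate chain (see the CA notes further down), while a 403 on /rdweb/ points at a wrong entry on the Paths tab of the rule. The /owa/ check must fail with 403; if it answers 200 or 401, the rule is letting more through than the two paths you need.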

Now make sure your RD environment is configured for internet publishing. Check the documentation on TechNet, which lists everything that needs to be prepared. Look very carefully at the certificate settings of RD Web Access and of the RDP connection on the RD Session Host, and don’t forget to add your RD Gateway settings in RemoteApp Manager on your RD Session Host.

Now you are done, and your published apps are available to external users. Keep in mind that if you used your own CA, the clients must have the root CA certificate installed to trust the certificates issued for your RDS environment. And of course your clients need a current RDP client, version 6.1 or higher.

When you use Windows 7 and/or Windows Server 2008 as a client and you used your own CA, you also have to publish your CA’s CRL. These newer operating systems are stricter: the RDP client checks the CRL to see whether the certificate is still valid, and if the CRL cannot be fetched the connection fails. Older OS versions don’t do this.

Before you can publish your CA’s CRL via TMG, the certificates must carry an HTTP URL under which the CertEnroll virtual directory of your CA can be reached from the internet. Open the CA MMC and open the CA properties. On the Extensions tab, confirm that ‘Select extension’ is set to CRL Distribution Point (CDP), add the HTTP URL for your CA and tick the option to include it in the CDP extension of issued certificates. Certificates issued before this change do not contain the new URL, so re-request the RDS certificates afterwards. Make sure the /CertEnroll virtual directory of your root CA accepts anonymous read access, because the revocation check is done without any credentials; publish only that path, over plain HTTP, with no authentication on the TMG rule.
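The same CDP change done with certutil, followed by the check an internet client effectively performs. This is an added example, not part of the original post; the CA name (Contoso Root CA), the public name pki.example.com and the exported gateway certificate are assumptions for the example.

```powershell
# Added example (not from the original post): set the HTTP CDP URL on the CA
# with certutil and then check the CRL exactly as an internet client would,
# i.e. anonymously and via the published name. Run on the CA as an administrator.
# CA name, public name and the exported gateway certificate are assumptions.
$caName    = 'Contoso Root CA'                                # assumed CA common name (%3 in the URL template)
$publicUrl = 'http://pki.example.com/CertEnroll/%3%8%9.crl'   # assumed external name, published through TMG
$filePath  = "$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl"
$crlUrl    = "http://pki.example.com/CertEnroll/$caName.crl"  # what %3%8%9 expands to for the base CRL

# What the CA currently puts into the CDP extension of the certificates it issues
certutil -getreg CA\CRLPublicationURLs

# Rewrite the list. Flags: 1 = write the CRL file to this location,
# 2 = put the URL into the CDP extension of issued certificates
# (add 4 as well if you publish delta CRLs). certutil takes the literal "\n"
# as the separator of this REG_MULTI_SZ value.
certutil -setreg CA\CRLPublicationURLs "1:$filePath\n2:$publicUrl"
Restart-Service certsvc     # the CA reads CRLPublicationURLs on start
certutil -crl               # publish a fresh CRL so the file exists under \CertEnroll

# Anonymous download through the public name: no credentials, like the RDP client
$wc = New-Object System.Net.WebClient
$wc.Credentials = $null
$crl = $wc.DownloadData($crlUrl)
"Fetched $($crl.Length) bytes from $crlUrl"
[IO.File]::WriteAllBytes("$env:TEMP\published.crl", $crl)
certutil -dump "$env:TEMP\published.crl" | Select-String 'Update'   # ThisUpdate / NextUpdate

# Full chain build with revocation checking for the RD Gateway certificate;
# -urlfetch follows every AIA and CDP URL in the chain, so it fails the same
# way the client does when a CDP is not reachable. gateway.cer is an exported copy
# of the RD Gateway certificate (assumed to exist in %TEMP% for this example).
certutil -verify -urlfetch "$env:TEMP\gateway.cer" | Select-String 'revocation|error'
```

Run the last command from an external client as well, once the CertEnroll publishing rule is in place: if it reports that the revocation server was offline, the clients will fail in the same way, regardless of what the RDS side looks like.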

If you still have certificate problems even though you published your CA’s CRL, try the following registry value on your Windows Vista or Windows 7 client:

Key: HKLM\System\CurrentControlSet\Control\LSA\CredSSP

Value name (DWORD): UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

Value: 1

Be aware of what this does: the client then relies on a cached CRL and ignores the error when the revocation status cannot be determined. That weakens revocation checking on that client, so treat it as a workaround for troubleshooting, not as a replacement for a reachable CDP.

The following articles were written for ISA Server but should apply to TMG as well:

Publishing Remote Desktop Web Connection Sites with the ISA Firewall Part 1 – Remote Desktop Web Services Concepts

Publishing Remote Desktop Web Connection Sites with the ISA Firewall Part 2: Creating the Web and Server Publishing Rules

Publishing Remote Desktop Web Connection Sites with the ISA Firewall Part 3: Testing and Troubleshooting