
Microsoft Virtual Labs

Managing TS Gateway and RemoteApps in Windows Server 2008

Table of Contents
Managing TS Gateway and RemoteApps in Windows Server 2008
Exercise 1 Configuring TS Gateway Server
Exercise 2 Terminal Services Remote Programs

Objectives

After completing this lab, you will be better able to:

- Create Connection Authorization Policy, Create a Resource Group, and Create a Resource Authorization Policy for the TS Gateway Server
- Configure and Connect a TS Gateway Client
- Configure and Distribute TS Remote Programs
- Configure TS Web Access

Scenario

The procedures in this lab manual describe how you can configure TS Gateway to allow an authorized user on an Internet-connected computer running Microsoft Windows Vista to easily and securely connect to remote computers on the corporate network through TS Gateway.

Estimated Time to Complete This Lab: 60 Minutes

Computers used in this Lab: NYC-DC-1, NYC-SRV-1

The password for the Administrator account on all computers in this lab is: pass@word1.


Exercise 1 Configuring TS Gateway Server


Scenario
In this exercise, you will explore how to configure a TS Gateway Server.

Complete the following 3 tasks on: NYC-DC-1

1. Verify a Certificate for the TS Gateway Server is installed.

Note: For this lab the Certificate has already been set up on the Server and installed on the Client.
Note: Perform the following steps on the NYC-DC-1 virtual machine.
a. Ensure you are logged in as WOODGROVEBANK\Administrator with a password of pass@word1.
b. Click Start, point to Administrative Tools, select Terminal Services, and then select TS Gateway Manager.
c. In the TS Gateway Management console tree, right-click NYC-DC-1 and then click Properties.
d. On the SSL Certificate tab, verify whether server certificate information is available.
e. Click OK in the NYC-DC-1 Properties dialog box.

2. Create a CAP for the TS Gateway Server.

a. If not already open, open the TS Gateway Manager snap-in console.
b. In the left pane view of the console tree, expand NYC-DC-1.
c. Right-click Policies and click Create New Authorization Policies.
d. Complete the Policy Wizard with the settings below:

Field                  Value
Create Policy Type:    Create TS CAP and a TS RAP
TS CAP Name:           SampleCAP
Password:              Checked
User Group:            WOODGROVEBANK\TS Gateway
Device Redirection:    Enable All (Default)
TS RAP Name:           SampleRAP
User Group:            WOODGROVEBANK\TS Gateway
Computer Group:        Allow users to connect to any network resource (Computer)
Allowed Ports:         Allow connection through any port

e. Click Finish and then close when the wizard has successfully completed.

3. Apply the TS Gateway Server Certificate.

Note: Your computer must verify and trust the identity of the TS Gateway server before you can send your password and logon credentials securely over SSL/TLS, and complete the authentication process. To establish this trust, these requirements must be met:
- The client must have installed the certificate issued to the TS Gateway server.
- The clients must trust the root of the server's certificate. That is, clients must have the certificate of the CA that issued the server certificate in their Trusted Root Certification Authorities store. You can view this store by using the Certificates snap-in.
Note: This procedure is not required if a VeriSign or other non-Microsoft, trusted PKI certificate is installed on the TS Gateway server and the TS Gateway client computer trusts the certificate.
Note: For this lab the certificate issued by NYC-DC-1 has already been installed on NYC-SRV-1.

Complete the following 2 tasks on: NYC-SRV-1

4. Configure Remote Desktop Connection Settings.

Note: Perform the following steps on the NYC-SRV-1 virtual machine.
a. Ensure you are logged in as woodgrovebank\administrator with a password of pass@word1.
b. Click Start, and then click Run. In the Open text box, type mstsc. Click OK.
c. Click Options to expand the dialog box and view settings.
d. On the General tab, type the name of the remote computer to which you want to connect, NYC-DC-1.WOODGROVEBANK.com.
e. On the Advanced tab, in the Connect from anywhere area, click Settings.
f. In the Gateway Server Settings dialog box, click Use these TS Gateway server settings.
g. Type the name of the TS Gateway server to which you want to connect, NYC-DC-1.WOODGROVEBANK.com.
h. In Server name, uncheck the checkbox for Bypass TS Gateway server for local addresses.


i. Click OK.
j. Click the General tab, and then click Save As to save the TS Gateway server connection settings as an RDP file.
k. Browse to the desktop and save it as TS Gateway.rdp. Click Cancel to close the Remote Desktop Connection dialog box once saved to your desktop.

5. Log On to the TS Gateway Server.

Note: Perform the following steps on the NYC-SRV-1 virtual machine.
a. Double-click the file TS Gateway.rdp on your desktop to start the connection.
b. In the Enter your credentials dialog box, type the credentials required to connect to the remote computer, WOODGROVEBANK\dbarber with a password of pass@word1. Click OK.
c. If a Security Warning dialog box appears, click Yes.
d. In the Gateway Server Credentials dialog box, type the credentials required to connect to the TS Gateway server, WOODGROVEBANK\dbarber with a password of pass@word1. Click OK.
e. If prompted with a Security Warning dialog box, click Yes.
f. In the Gateway Server Credentials dialog box, type WOODGROVEBANK\dbarber with a password of pass@word1 and then click OK.
g. Once connected, you will now have a secure, full, rich TS session, all via the Gateway, not VPN.
Note: Once your TS session starts, notice the padlock icon in the top left. (The bar containing the padlock may auto-hide. Move your mouse to the top of the screen to make the bar and the special secure padlock icon re-appear. Click the pushpin icon if desired.)
h. Click the padlock icon to view the certificate details, and then click OK.
i. After viewing the TS session, log off of the NYC-DC-1 TS session.


Exercise 2 Terminal Services Remote Programs


Scenario
In this exercise, you will explore how to configure RemoteApps on your terminal server.

Complete the following 3 tasks on: NYC-DC-1

1. Add a Program to the Allow List.

Note: To make a program available remotely to users, you must add the program to the Allow List. To perform this procedure, you must be a member of the Administrators group on the terminal server.
Note: Perform the following steps on the NYC-DC-1 virtual machine.
a. Ensure you are logged in as WOODGROVEBANK\Administrator with a password of pass@word1.
b. Click Start, point to Administrative Tools, Terminal Services folder, and then select TS RemoteApp Manager.
c. From the right pane, in Remote Programs, under Actions, click Add RemoteApps.
d. In the RemoteApps Wizard, on the Welcome to the RemoteApps Wizard page, click Next.
e. On the Choose RemoteApps to add to the allow list page, select the check box for the program that you want to add to the Allow List. You can select multiple programs.
f. For this lab, select ALL of the Microsoft Office applications.
Caution: The Allow List does not prevent users from starting other applications or accessing items on the desktop remotely once they have connected to the terminal server using the Remote Program.
g. For this lab, select ALL of the Microsoft Office applications.
h. If you want to change how the name of the program will appear to the users, select the program, and then click Properties.
i. After you have selected the programs to add to the Allow List and you have configured the program's properties, click Next.
j. On the Review Settings page, click Finish. The programs you selected should now appear in the Allow List.
k. By default, a program added to the Allow List will be available to users through TS Web Access. This is indicated by a Yes in the TS Web Access column.

2. Create an RDP Package.

Note: Perform the following steps on the NYC-DC-1 virtual machine.
a. Ensure you are logged in as WOODGROVEBANK\Administrator with a password of pass@word1.
b. First, create a share for the RDP files to live. Click Start, and select Computer. Browse to C:\RDPShare.
c. Now, change the share properties of the folder. Right-click RDPShare, select Share, select Change sharing permissions and type Domain Users in the Choose people on your network to share with field. Click Add and then click Share.
d. In the File Sharing dialog box, click Done.
e. If not already open, click Start, point to Administrative Tools, Terminal Services folder, and then select TS RemoteApp Manager.
f. Scroll down to the Remote Apps section. Select ALL of the Remote Microsoft Office programs in the List.
g. In the right pane, under the Actions menu for ALL of the selected programs, click Create .rdp file.
h. In the RemoteApps Wizard, on the Welcome to the RemoteApps Wizard page, click Next.
i. Change the location where the wizard will save the .rdp file it creates; click Browse, and specify a folder, C:\RDPShare and then click OK.
j. To configure TS Gateway settings for the .rdp file, under TS Gateway Settings, click Change.
k. Check the Use these TS Gateway Server Settings check box, and in the server name field, type the name of the TS Gateway server to connect to, NYC-DC-1.WOODGROVEBANK.com.
l. In the Logon Method field, select Ask for Password (NTLM).
m. Click OK.
n. After you have configured the properties for the .rdp file, click Next.
o. On the Review Settings page, click Finish.
p. When the wizard completes, open the folder where the .rdp files are saved to confirm that the .rdp files have been created. The folder should open automatically or become highlighted on the taskbar at bottom of screen.
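The Gateway choices made in the Remote Desktop Connection dialog (Exercise 1, task 4) and in the RemoteApps Wizard above are stored as plain name:type:value lines in the .rdp file, so files can be checked before they are handed to users. The following Python is an added example, not part of the original lab; the setting names are the standard .rdp gateway settings, and both sample files are constructed.

```python
import codecs

# Standard .rdp gateway settings (name:type:value), as written by mstsc.
ALWAYS_USE_GATEWAY = 1        # gatewayusagemethod: 2 would bypass for local addresses
EXPLICIT_GATEWAY_PROFILE = 1  # gatewayprofileusagemethod: "Use these TS Gateway server settings"
ASK_FOR_PASSWORD_NTLM = 0     # gatewaycredentialssource: "Ask for Password (NTLM)"


def decode_rdp(raw: bytes) -> str:
    """mstsc saves UTF-16 with a BOM; hand-edited files are often UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def parse_rdp(raw: bytes) -> dict:
    """Return {setting name: value}; integer ('i') settings become int."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        parts = line.strip().split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            continue
        name, kind, value = parts[0].lower(), parts[1].lower(), parts[2]
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # malformed integer: treat the setting as absent
        settings[name] = value
    return settings


def audit_gateway(raw: bytes, expected_gateway: str) -> list:
    """List every way the file deviates from the gateway settings in the lab."""
    s = parse_rdp(raw)
    findings = []
    host = str(s.get("gatewayhostname", "")).strip()
    if host.lower() != expected_gateway.lower():
        findings.append(f"gateway host is {host!r}, expected {expected_gateway!r}")
    if s.get("gatewayusagemethod") != ALWAYS_USE_GATEWAY:
        findings.append("gateway is not always used (bypass or direct connection allowed)")
    if s.get("gatewayprofileusagemethod") != EXPLICIT_GATEWAY_PROFILE:
        findings.append("explicit gateway settings are not selected")
    if s.get("gatewaycredentialssource") != ASK_FOR_PASSWORD_NTLM:
        findings.append("gateway logon method is not Ask for Password (NTLM)")
    if "password 51" in s:  # saved-credential blob, readable by everyone on the share
        findings.append("file embeds a saved password blob")
    return findings


# Constructed sample files; the host name is the lab's TS Gateway server.
EXPECTED = "NYC-DC-1.WOODGROVEBANK.com"
GOOD_RDP = codecs.BOM_UTF16_LE + (
    "full address:s:NYC-DC-1.WOODGROVEBANK.com\r\n"
    "gatewayhostname:s:NYC-DC-1.WOODGROVEBANK.com\r\n"
    "gatewayusagemethod:i:1\r\n"
    "gatewayprofileusagemethod:i:1\r\n"
    "gatewaycredentialssource:i:0\r\n"
).encode("utf-16-le")
BAD_RDP = (
    "gatewayhostname:s:NYC-DC-1.WOODGROVEBANK.com\r\n"
    "gatewayusagemethod:i:2\r\n"  # "Bypass ... for local addresses" left checked
    "gatewayprofileusagemethod:i:1\r\n"
    "gatewaycredentialssource:i:0\r\n"
).encode("utf-8")

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RDP), ("bad", BAD_RDP)):
        print(label, audit_gateway(raw, EXPECTED) or "OK")
```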
3. Create a MSI Package.

Note: Perform the following steps on the NYC-DC-1 virtual machine.
a. Ensure you are logged in as WOODGROVEBANK\Administrator with a password of pass@word1.
b. First, create a share for the MSI files to live. Click Start, and select Computer. Browse to C:\. Create a new folder C:\MSIShare.
c. Now, change the share properties of the MSIShare folder. Right-click MSIShare, select Share, click Change sharing permissions, type Domain Users in the Choose people on your network to share with field, click Add and then click Share.
d. In the File Sharing dialog box, click Done.
e. If not already open, click Start, point to Administrative Tools, and then select Terminal Services Remote Programs.
f. In Remote Programs, select ALL (highlight) of the Remote Microsoft Office programs in the Allow list.
g. In the right pane, under Actions for the program, click Create Windows Installer Package.
h. In the RemoteApps Wizard, on the Welcome to the RemoteApps Wizard page, click Next.
i. Change the location where the wizard will save the .msi file it creates; click Browse, and specify a folder, C:\MSIShare and then click OK.
j. Under TS Gateway settings, click Change.
k. Check the Use TS Gateway server settings check box, and in the Server name field, type NYC-DC-1.WOODGROVEBANK.com.
l. Under Logon Method, select Ask for Password (NTLM).
m. Click OK.
n. After you have configured the properties for the .msi file, click Next.
o. On the Configure Distribution Package page, check the checkboxes for Desktop, Start menu folder, and Associate client file extensions for this program with the remote program.
p. After you have configured the properties of the distribution package, click Next.
q. On the Review Settings page, click Finish.
r. When the wizard completes, open the folder where the .msi files are saved to confirm that the .msi files have been created. The folder should open automatically or become highlighted on the taskbar at bottom of screen.
4. Distribute RemoteApps to Users.

Note: For Windows Server 2008, users can access RemoteApps in several ways:
- Double-clicking an .rdp file that has been created and distributed by their administrator.
- Double-clicking a program icon on their desktop or Start menu that has been created and distributed by their administrator with an .msi file.
- Double-clicking a file whose extension is associated with a Remote Program. This can be configured by their administrator with an .msi file.
- Accessing a link to the program on a Web site using Terminal Services Web Access.

5. Connect to TS Web Access.

Note: By default, you can access the TS Web Access Web page at the following location (where servername is the name of the Web server where you installed TS Web Access): https://servername.domain.com/ts/

Client Requirements and Configuration

To connect to TS Web Access, the client computer must be running any one of the following operating systems:
- Windows Vista
- Microsoft Windows XP with Service Pack 2 or later
- Windows Server 2008 Beta 3
- Microsoft Windows Server 2003 with Service Pack 1 or later

In addition, the client computer must be configured in the following manner:
- The Terminal Services ActiveX Client control must be enabled. If you are prompted to run the Terminal Services ActiveX Client control when you access TS Web Access, click the message line, click Run ActiveX Control, and then click Run. If you are running Windows Vista or Windows Server 2008 Beta 3, click the bubble at the lower right corner of the screen to enable the ActiveX control.
- The TS Web Access server must be added to the trusted sites zone or the Local intranet zone in Internet Explorer.

Complete the following 4 tasks on: NYC-SRV-1

6. Add the Site to the Trusted Sites Zone using Internet Options.

Note: Perform the following steps on the NYC-SRV-1 virtual machine.
a. Ensure you are logged in as Woodgrovebank\dbarber with a password of pass@word1.
b. Open Internet Explorer and then on the Tools menu, click Internet Options.
c. Click the Security tab.
d. Click Trusted Sites.
e. Click Sites.
f. In the Add this Web site to the zone box, type the URL of the Web server (for example, type https://servername.domain.com), https://NYC-DC-1.WOODGROVEBANK.com, click Add, and then click Close.
g. Click OK to close the Internet Options dialog box.

7. Open Remote Office Programs via TS Web.

a. In Internet Explorer, visit the site https://servername.domain.com/ts/, where servername is the name of the Web server where you installed TS Web Access, https://NYC-DC-1.WOODGROVEBANK.com/ts/
b. Type the credentials WOODGROVEBANK\dbarber with a password of pass@word1 and then click OK.
Note: If prompted from here on out, select Yes and/or Run to install and run the ActiveX control(s). Select to Display Blocked Content (allow). (Basically get rid of the yellow bar at the top of IE).
c. If prompted, select to display blocked content, etc.
d. Click the icon for Remote Microsoft Office Word.
e. If prompted with a Trust Warning and then a RemoteApps dialog box, click Yes on both.
f. If prompted with an Internet Explorer Security dialog box, click Allow.
g. If prompted, enter your credentials for the resource, WOODGROVEBANK\dbarber with a password of pass@word1 and click Submit.
h. If prompted with a Security Warning dialog box, click Connect.
Note: You may need to click Continue to get past the User Account Control dialog box(es).
i. Double-click Microsoft Office Word, click Yes, Connect, and type Woodgrovebank\dbarber with password of pass@word1. You can click Details, but Remote Microsoft Office Word should open. Notice, once connected, that it behaves and acts just like a normal local program running on your machine except it is running via a secure gateway on a remote server.
j. Go back to the Terminal Services RemoteApps Webpage and start another Office program. This new program opens much faster now that Dbarber has a session loaded. Also note that when you choose, for example, Open in an application, it behaves just like a locally running copy of the program.
k. Once you are done playing, close the two Office programs.

8. Open Remote Office Programs via RDP Share.

Note: Perform the following steps on the NYC-SRV-1 virtual machine.
a. Ensure you are logged in as Woodgrovebank\dbarber with a password of pass@word1.
b. Click Start, select Run, type the server share \\NYC-DC-1.WOODGROVEBANK.com\RDPShare and then click OK.
c. Double-click the file Remote Microsoft Office Excel 2007.
d. If prompted, enter your credentials for the resource, WOODGROVEBANK\dbarber with a password of pass@word1 and click Submit.
e. If prompted with a Security Warning dialog box, click Connect.
f. If prompted, enter your credentials in the Gateway Server Credentials dialog box, WOODGROVEBANK\dbarber with a password of pass@word1 and click Submit.
Note: You may need to click Continue to get past the User Account Control dialog box(es).
Note: If a RemoteApps Disconnected error dialog box appears, click OK. Remember, this is beta software!
g. Remote Microsoft Office Excel should open. Notice, once connected, that it behaves and acts just like a normal local program running on your machine except it is running via a secure gateway on a remote server.
h. If prompted to click Next, make sure every box is unchecked and click Next. On the Update screen, click the second choice: I don't want to update. Click Close.
i. Once you are done playing with Excel, close the Excel program.
9. Install Remote Office Programs via MSI Share.

Note: Perform the following steps on the NYC-SRV-1 virtual machine.
a. Ensure you are logged in as Woodgrovebank\dbarber with a password of pass@word1.
Note: If you see a RemoteApps Disconnected dialog box, click OK as this is a known issue.
b. Click Start, select Run, type the server share \\NYC-DC-1.WOODGROVEBANK.com\MSIShare and click OK.
c. Double-click the file MSAccess.rap.
d. If prompted, select Run to run a quick Windows Installer package. If prompted, click Allow to allow the installer to run. If prompted, enter your credentials for the resource and the gateway, WOODGROVEBANK\dbarber with a password of pass@word1.
e. There is now a shortcut on your desktop to open Access, as well as a shortcut in your Start Menu > All Programs > Remote Programs. Select one of these options to open the program Access.
f. If prompted with a Security Warning dialog box, click Connect.
g. If prompted, enter your credentials in the Gateway Server Credentials dialog box, WOODGROVEBANK\dbarber with a password of pass@word1 and click Submit.
h. Remote Microsoft Office Access should open. Notice, once connected, that it behaves and acts just like a normal local program running on your machine except it is running via a secure gateway on a remote server.
i. Once you are done playing with Access, close the Access program.

Complete the following task on: NYC-DC-1, NYC-SRV-1

10. Configure Add or Remove Programs via Group Policy.

Note: Perform the following steps on the NYC-DC-1 and NYC-SRV-1 virtual machines.
a. Ensure you are logged in as WOODGROVEBANK\Administrator with a password of pass@word1.
b. From NYC-DC-1, click Start, point to Run, and type GPMC.MSC.
c. Expand Forest:woodgrovebank.com.
d. Expand Domains.
e. Expand woodgrovebank.com.
f. Right-click Default Domain Policy and then click Edit.
g. Expand User Configuration, expand Software Settings.
h. Right-click Software installation, point to New, select Package.
i. In the File name field, type \\NYC-DC-1.WOODGROVEBANK.com\MSIShare and press Enter.
j. Select the package that you want to publish, Outlook.rap. Click Open.
k. Select the radio button Published and then click OK. If desired, publish additional Office packages, one at a time.
Note: Perform the following steps on the NYC-DC-1 virtual machine.
l. Ensure you are logged in as WOODGROVEBANK\administrator with a password of pass@word1.
m. Switch back to the NYC-SRV-1 client virtual machine.
n. In order to ensure updates from Group Policy have been applied in a timely manner, log off the NYC-SRV-1 virtual machine. Then log on to the NYC-SRV-1 virtual machine as WOODGROVEBANK\administrator with a password of pass@word1.
o. Click Start, and select Control Panel. Double-click Programs and Features, and then click Install a program from the network.
p. You should now see the program(s) you published via Group Policy. Double-click Remote Microsoft Office Outlook 2007. This will launch a quick Windows Installer package. Once installed, click OK.
q. Notice the new Outlook shortcut on your desktop and in your Start Menu > All Programs > Remote Programs.
r. Launch Remote Microsoft Office Outlook 2007 (Beta) either from your desktop shortcut or from RemoteApps in your Start menu.
s. If prompted, click Connect.
t. If prompted, type your credentials WOODGROVEBANK\dbarber with a password of pass@word1 and then click Submit.
u. If prompted with a Security Warning dialog box, click Yes.
v. If prompted to enter your Gateway Server Credentials, type WOODGROVEBANK\dbarber with a password of pass@word1 and then click Submit.
w. If prompted with a User Account Control dialog box, you may need to click Details and then click Continue.
x. The Microsoft Office Outlook setup wizard will run. For the purposes of this lab, select to open Outlook without configuring an email account.
y. Remote Microsoft Office Outlook should now be open. Notice, once connected, that it behaves and acts just like a normal local program running on your machine except it is running via a secure gateway on a remote server. Notice that the remote icons appear in your system tray (next to your clock) and that even things like Remote Reminders will appear.
z. Once you are done playing with Outlook, close the Outlook program.
