Publishing TS Webaccess / TS 2006Gateway with ISA
- Hello
I have a TS Gateway with the TS Webaccess role on a Windows Server 2008 SP1. We have another TS server which has Windows 2008 SP1 installed. We have published multiple applications on the TS Webaccess pages. From the LAN everything works fine.
Now we would like to publish the TS Webaccess to the Internet via ISA 2006. We would like to authenticate on the web listener with a smart card and then start the application on the TS Gateway with a second login. Unfortunately I cannot achieve this.
I configured the listener for SSL Client Authentication and defined the Web Publishing Rule under the Users tab to grant access to all authenticated users. The setting for the delegation is set to "No delegation, but client may authenticate directly". This scenario works when the TS Webaccess page authentication is set to anonymous enabled.
After authenticating with the smart card to access the TS Webaccess page, I start a TS Webaccess application and immediately get the following error message:
"The computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance"
When I check the ISA Monitor I can see that ISA blocks this traffic because it is not authenticated.
I have already checked different articles and blogs on the Internet and on TechNet: http://technet.microsoft.com/en-us/library/cc731353(WS.10).aspx
but they could not help.
Maybe I'm running in the wrong direction and my scenario is not supported.
Can somebody help me - Thanks in advance.
Best Regards - Bueschu
Bueschu
Answers
- Please remember that you need 2 publishing rules.
1 for the TS web. That is typically /ts/*
1 for the TS gateway. This is /rpc/*
I am not sure exactly how your rules are set up, but...
For /ts you can have pre-authentication using certificate and KCD for delegation if you like.
But for TS gateway you will need a rule for anonymous on ISA since you cannot preauth the RDP client using your smartcard on ISA.
For the TS gateway you will then have no delegation but user may auth directly.
Hope this helps.
- Proposed As Answer by Nick Gu - MSFT, Moderator, Monday, October 12, 2009 8:32 AM
- Marked As Answer by Nick Gu - MSFT, Moderator, Monday, October 19, 2009 7:40 AM
Just a reminder... You cannot have "Require all users to authenticate" on the listener, you have to leave it to the rule to decide if auth is required.
- Marked As Answer by Nick Gu - MSFT, Moderator, Monday, October 19, 2009 7:40 AM
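
A simplified model of the listener and rule behaviour described in the two answers above, added here as an example; it is not part of the original thread and not ISA Server's own logic. The `Rule` class, the `evaluate` function, the rule names and the sample request paths are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Rule:
    name: str      # hypothetical rule name
    paths: tuple   # path patterns from the thread, e.g. "/rpc/*"
    users: str     # "all_users" (anonymous passes) or "authenticated"

def evaluate(require_all_auth, rules, path, has_client_cert):
    """Simplified model (assumption): listener check first, then first matching rule."""
    if require_all_auth and not has_client_cert:
        return "deny: listener requires authentication"
    for rule in rules:
        if any(fnmatchcase(path.lower(), p) for p in rule.paths):
            if rule.users == "authenticated" and not has_client_cert:
                return f"deny: {rule.name} requires authentication"
            return f"allow: {rule.name}"
    return "deny: no matching rule"

# Constructed requests: the browser presents the smart card certificate,
# the RDP client's connection to the TS Gateway cannot be pre-authenticated on ISA.
BROWSER = ("/ts/default.aspx", True)
RDP_CLIENT = ("/rpc/rpcproxy.dll", False)

# One rule demanding authenticated users for everything, versus the two
# rules recommended in the answer (anonymous on ISA for /rpc/* only).
ONE_AUTH_RULE = [Rule("ts-all", ("/ts/*", "/rpc/*"), "authenticated")]
TWO_RULES = [Rule("ts-web", ("/ts/*",), "authenticated"),
             Rule("ts-gateway", ("/rpc/*",), "all_users")]

def scenarios():
    return {
        "single authenticated rule": evaluate(False, ONE_AUTH_RULE, *RDP_CLIENT),
        "two rules, listener forces auth": evaluate(True, TWO_RULES, *RDP_CLIENT),
        "two rules, rdp client": evaluate(False, TWO_RULES, *RDP_CLIENT),
        "two rules, browser": evaluate(False, TWO_RULES, *BROWSER),
        "two rules, browser without card": evaluate(False, TWO_RULES, "/ts/default.aspx", False),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:35} {result}")
```

In the last configuration only /rpc/* passes ISA without pre-authentication, so the TS Gateway itself is where those users authenticate.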
All Replies
- Hello
Thanks for your answer.
I have two rules on the ISA server and it only works if the authentication on the listener is set to HTML forms authentication, but not with SSL client authentication. I will check the anonymous settings on the TS Gateway rule and the IIS config.
Best regards - Bueschu
Bueschu

