RDS Web Access

    Question

  • Does just 443 need to be opened via a firewall? How does web access work with the gateway? This is really only for internal use. I need to get access to the demo lab which is where RDS Web Access resides behind a firewall. Do I need to have the gateway installed or just open up the ports on the firewall to connect to the URL for RDS Web Access?

    Thursday, February 11, 2010 6:48 PM

Answers

  • Hi!

    The two roles themselves don't have to do anything with each other in the first place. The only connection is that the web access site offers RDP connections through the gateway. But the connection itself has nothing to do with the web access role. You can imagine the web access site as a "library" for connections.

    If you want to use both roles you can have two scenarios:

    1) The web access role and the gateway role are installed on the SAME machine
    In this case you will need 443 for https://yourdomain.com/rdweb for the access to the web access portal. The clients can then connect to the gateway with the same URL (but without the /rdweb at the end), because the roles reside on the same machine.

    2) The web access role and the gateway role are installed on DIFFERENT machines
    Here you will need 443 to the web access portal machine with https://webaccesurl.com/rdweb and a second URL again with 443 (https://yourgatewayurl.com) for the connection of the clients.

    kr,
    Andreas
    • Proposed as answer by ND82 Monday, February 22, 2010 7:11 AM
    • Marked as answer by Lionel Chen - MSFT Wednesday, February 24, 2010 11:16 AM
    Saturday, February 13, 2010 8:58 AM

All replies

  • I'd guess that 3389 might be required as well, or perhaps even instead of 443.  I haven't configured RDS web access, just standard Remote Desktop though so I can't say for sure. 
    Thursday, February 11, 2010 6:52 PM
  • Hi,

    It depends on your requirement.

    RD Gateway, formerly TS Gateway, is mainly used for the remote user to access the internal resource over the Internet by using an encrypted connection, without needing the VPN.

    If you only need to access the RD Web Access website, you only need to open the port 80 or 443 (for SSL). RD Gateway is not required.

    However, if you need to access the RD Session Host residing behind a firewall, the port 3389 is also required. If you don’t want to open the port 3389 on the firewall, then you need to install RD Gateway.

    For more information, please refer to the following articles:

    Terminal Services Gateway (TS Gateway)
    http://technet.microsoft.com/en-us/library/cc731264(WS.10).aspx

    Terminal Services Web Access and Resulting Internet Communication in Windows Server 2008
    http://technet.microsoft.com/en-us/library/cc754502(WS.10).aspx

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Friday, February 12, 2010 3:45 AM
  • Hi!

    You can imagine the web access portal as nothing more than a way to offer RDP files which the client can download and "run" to open a connection. The connection itself has nothing to do with the web access role. As Joson said: If you don't want to install a gateway you will have to open 3389 in your firewall. If you have installed a gateway you can connect through it, which means that the RDP traffic is encapsulated into HTTPS. Therefore you only need 443 open in your firewall which points to your gateway. The web access portal and the gateway can reside on different machines, which means you can have 443 for the web access site on IP1 and 443 for the RDP connection on IP2.

    hope that helps .-)

    kr,
    Andreas

    Friday, February 12, 2010 6:01 AM
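
The reply above describes the portal as handing out .rdp files, with the gateway deciding whether 3389 or only 443 has to be reachable. As an added example (not part of the original thread), this Python snippet reads an .rdp file and reports which host and port the firewall must allow. The setting names `full address`, `server port`, `gatewayhostname` and `gatewayusagemethod` are standard .rdp settings not named in the thread, and the host names are constructed placeholders.

```python
# Added example (not from the thread): which firewall openings does an .rdp file imply?
# Host names below are constructed placeholders.
SAMPLE_DIRECT = (
    "full address:s:rdsh01.lab.example\n"
    "server port:i:3389\n"
    "gatewayusagemethod:i:0\n"
)
SAMPLE_GATEWAY = (
    "full address:s:rdsh01.lab.example\n"
    "gatewayhostname:s:gw.lab.example\n"
    "gatewayusagemethod:i:1\n"
)


def parse_rdp(text):
    """Parse 'name:type:value' lines of an .rdp file into a dict."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, kind, value = parts
        if kind == "i" and value.strip().isdigit():
            value = int(value)
        settings[name.strip().lower()] = value
    return settings


def split_host_port(addr, default_port):
    """Split 'host:port' (IPv6 literals are not handled here)."""
    host, sep, port = addr.strip().rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return addr.strip(), default_port


def required_openings(settings):
    """Return the (host, port) pairs the firewall must allow for this file."""
    method = settings.get("gatewayusagemethod", 0)  # assumed 0 when absent
    gateway = settings.get("gatewayhostname", "")
    # 1 = always use the gateway, 2 = use it when a direct connection fails:
    # in both cases RDP can ride inside HTTPS, so only the gateway is needed.
    if method in (1, 2) and gateway:
        return [split_host_port(gateway, 443)]
    # Otherwise the client connects straight to the session host.
    # Value 3 (client default) is treated as direct here so it gets flagged.
    port = settings.get("server port", 3389)
    return [split_host_port(settings.get("full address", ""), port)]
```

Running `required_openings(parse_rdp(...))` over the files a portal publishes shows which of them would still need 3389 exposed to the session host.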
  • If I have the gateway configured - do I access the rd web access server by the URL: https://servername/rdweb or do I need to use the URL for the gateway? At that point, I would only need to have 443 open on the firewall. Is that correct?
    Friday, February 12, 2010 3:02 PM
  • Hello JMP,

    Does the response above answer your question? Please let us know if you need any further assistance.

    Thanks.

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Monday, February 22, 2010 7:03 AM