TS Gateway

  • Question

  • Hi!

    Please, help with a silly thing.

    Is it possible to add a special cookie control, as TS Gateway is using the HTTPS protocol, to check if it is an authenticated RDP connection? I need it to perform two-factor authentication. Maybe ISA 2006 can help? (I read about the OTP scenario, but it didn't work) :(

    Thanks a lot
    Thursday, April 9, 2009 9:47 AM

All replies

  • Yes, you can use OTP with ISA 2006 and TS Gateway as two-factor authentication. I assume you have read the step-by-step documentation on TS Gateway for this topic. Please let me know what issues you encountered with that when you say that it did not work, so that I can get that working for you :)

    Thanks
    Vikash
    Thursday, April 9, 2009 1:08 PM
  • Hi Vikash

    Thank you for reply.

    The problem is that when I add these strings to RDP settings box like in step-by-step guide:

    pre-authentication server address: s: https://smstest/ts

    require pre-authentication:i:1

    where "smstest" is my ISA 2006 server, I get the following error in the message box when I try to launch RemoteApp from the TS WebAccess site:

    "This computer can't connect to the remote computer because authentication to the firewall failed due to missing firewall credentials. To resolve the issue, go to the firewall website that your network administrator recommends, and then try the connection again; or contact your network administrator for assistance."

    But I did everything from the step-by-step guide. Maybe NPS should be configured in some specific way regarding OTP?

    Also, is it possible to enable ClientRDPActiveX component logs which may help me to determine the problem?

    Thanks

    Friday, April 10, 2009 7:42 AM
  • Hi Romario,

    If you have followed the Step by Step guide to the dot, things should work like a charm. No extra configuration is required on the part of NPS with respect to OTP except what is mentioned in the guide. However, there seems to be a problem with your setup, so let us troubleshoot it :)

    To begin with, let us clarify a few points:

    1. https://smstest/ts --> smstest is the name of the TSG server, which is mapped to the ISA server address in the client's hosts file. It is not the hostname of the ISA server.
    2. The Remote App with TS Web Access has been set up correctly: http://technet.microsoft.com/en-us/library/cc730673.aspx
     Please look under "Configure TS Gateway settings" for TSG-specific entries. Make sure that the "Use these RD Gateway server settings" check box is enabled with valid entries.

    To ascertain whether the Radius OTP has been configured correctly, do the following things on the client:

    1. Open IE and browse to the IIS website on TSG i.e. type the following in the browser : https://<TSGServerName> 
        e.g. https://www.contoso.com/  (According to step by step guide).
    2. The Radius OTP page should come up asking for credentials. Supply the correct OTP credentials and see if the IIS page opens. This implies that OTP is working fine.
    3. Further try opening  https://www.contoso.com/rpc . Supply valid credentials (non-OTP) when prompted. If authentication is successful, it means that password auth is working.


    Please do the above steps and tell me the observations. If they are successful, it means that the problem lies in the TS Web Access, TS Remote App setup. We'll then pick up from there and troubleshoot.

    Thanks,
    Kaustubh.



    Monday, April 13, 2009 6:07 AM
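The two RDP settings quoted in the thread and point 1 of the reply above can be checked offline before launching the RemoteApp. This is an added example, not code from the thread or from the step-by-step guide: it assumes the usual `name:type:value` layout of .rdp settings and the standard `gatewayhostname` setting, and the sample values are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample settings; "smstest" mirrors the TSG name used in the thread.
SAMPLE_RDP = """\
gatewayhostname:s:smstest
pre-authentication server address:s:https://smstest/ts
require pre-authentication:i:1
"""

def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: (type, value)}."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = (p.strip() for p in parts)
        settings[name.lower()] = (kind, value)
    return settings

def check_preauth(text):
    """Return findings about the pre-authentication settings (empty list = consistent)."""
    s = parse_rdp(text)
    required = s.get("require pre-authentication", ("i", "0"))[1] == "1"
    if not required:
        return ["pre-authentication is not required by this RDP file"]
    addr = s.get("pre-authentication server address", ("s", ""))[1]
    gateway = s.get("gatewayhostname", ("s", ""))[1].lower()
    url = urlsplit(addr)
    findings = []
    if url.scheme != "https" or not url.hostname:
        # Assumption: the pre-authentication page is served over HTTPS, as in the thread.
        findings.append("pre-authentication server address is not an https:// URL")
    elif url.hostname.lower() != gateway:
        # Point 1 of the reply: the URL host is the TSG server name, not the ISA hostname.
        findings.append("pre-authentication host %r differs from gateway name %r"
                        % (url.hostname.lower(), gateway))
    return findings

if __name__ == "__main__":
    for finding in check_preauth(SAMPLE_RDP) or ["settings are consistent"]:
        print(finding)
```
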
  • Hi Kaustubh.

    Thanks for a reply, please help me again to determine the problem.

    >1. https://smstest/ts --> smstest is the name of the TSG server, which is mapped to the ISA server address in the client's hosts file. It is not the hostname of the ISA server.

    Yes, smstest is the name of the TSG, which is mapped to the ISA 2006 server (in the hosts file, test environment). On the ISA 2006 server, smstest is the name of the TSG server itself (also in the hosts file).

    >2. The Remote App with TS Web Access has been set up correctly: http://technet.microsoft.com/en-us/library/cc730673.aspx
    >Please look under "Configure TS Gateway settings" for TSG-specific entries. Make sure that the "Use these RD Gateway server settings" check box is enabled with valid entries.
    Yes, all of this has been done.

    >1. Open IE and browse to the IIS website on TSG i.e. type the following in the browser : https://<TSGServerName> 
    >    e.g. https://www.contoso.com/  (According to step by step guide).
    >2. The Radius OTP page should come up asking for credentials. Supply the correct OTP credentials and see if the IIS page opens. This implies that OTP is working fine.
    Yes this works, but with any Passcode. Maybe because I haven't any OTP on my RADIUS server?

    >3. Further try opening  https://www.contoso.com/rpc . Supply valid credentials (non-OTP) when prompted. If authentication is successful, it means that password auth is working.
    This works, i.e. first the user\passcode page appears, then I am prompted to submit credentials (username, password); if I enter valid ones, then it passes me through.


    Additionally, if "All users" is enabled on ISA, and I remove

    pre-authentication server address: s: https://smstest/ts

    require pre-authentication:i:1
    then it allows me to connect to RemoteApp.

    Please point me to what to do next.
    Best regards,
    Romario

    Wednesday, April 15, 2009 9:25 AM
  • Hi all.
    Sorry, it all works, great thing by the way.
    Thanks for help.

    Wednesday, April 15, 2009 7:35 PM
  • Hi Romario,
    Just curious..what was the issue??

    Thanks,
    Kaustubh
    Friday, April 17, 2009 9:22 AM
  • Hi Kaustubh

    I don't know why, maybe because of a lack of memory for Windows 2008 :) I upgraded the RAM and it works

    Thanks

    Saturday, April 18, 2009 10:07 AM
  • Hi Romario,

      The following error

    "This computer can't connect to the remote computer because authentication to the firewall failed due to missing firewall credentials. To resolve the issue, go to the firewall website that your network administrator recommends, and then try the connection again; or contact your network administrator for assistance."


    is seen when we try to configure RADIUS OTP with the gateway on an unsupported ISA version. Currently, the supported ISA versions are ISA Server 2006 with supportability update or above. This information is also mentioned in the step-by-step documentation for this topic.

    Thanks,
    Kaustubh

    Monday, May 18, 2009 8:35 AM