none
RDG & TMG: Better Together? RRS feed

  • Question

  • When you publish Remote Desktop Gateway with UAG, you install RDG on the UAG computer. And everyone here knows that TMG is providing the connection security for UAG. That means that for UAG, TMG & RDG together is a supported configuration.

    Is it possible and supported to install RDG on a TMG (only) computer? I have to confess I've not seen this configuration described anywhere, so I'm guessing the answer's no, despite it being supported when UAG is present. But it would offer a LOT of advantages over RDG in the DMZ or internal network:

    • Auth at the edge
    • No DCs in the DMZ
    • Only have to allow HTTPS in.

    And, while it would lack the features of UAG's client browser add-in, it would offer the HUGE advantage of using RDWEB instead of UAG's clumsy, admin-intensive portal. RDWEB can't be published through UAG. And the "A website wants to run a RemoteApp program" warning can't be suppressed on UAG, whereas it can be with RDWEB. I feel that dialog box is a major UX problem with UAG.

    So while it seems great on paper...anyone know if it's supported?

    And a related question: In the unlikely event RDG & TMG together IS supported, is it supported when we're also running EX2010 Edge Transport on the same TMG box? (Small system at this point; no worries about performance. Will add TMGs as needed as load increases.) All we're publishing thru TMG is SMTP, so HTTP/S is available.

    • Moved by Nick Gu - MSFT Thursday, November 3, 2011 6:13 AM (From:Forefront TMG and ISA Server)
    Wednesday, November 2, 2011 7:45 PM

All replies

  • I am trying to accomplish this exact setup at the moment but without success. And I wasn't able to find anything useful neither... If I manage to make it running I will post my solution.
    Ivailo Tzenkov
    Thursday, November 10, 2011 3:12 PM
  • Thanks. I've not tried it but would be very interested in the results. If you think the problem might be firewall rules, I'll be glad to post the rules my UAG set up for RDG.

    Silence has otherwise been deafening in this thread! Hard to believe we're the only people to think of this config.

    Thursday, November 10, 2011 3:23 PM
  • I've found those two interesting articles that show our scenario in working condition (http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Publishing-RD-Web-Access-RD-Gateway-Part1.html and http://www.isaserver.org/tutorials/Microsoft-Forefront-TMG-Publishing-RD-Web-Access-RD-Gateway-Part2.html) but, to be honest, I didn't manage to reproduce them successfully (that is, I couldn't configure successfully TMG and RDG on the same box). As time pressures me now, I just installed RDG on another VM (one of the terminal servers, actually) and it just worked... Maybe it does not worth the troubles to configure it on the same server?
    Ivailo Tzenkov
    Friday, November 11, 2011 2:55 PM
  • Good catch! I'd still like to know if it's supported, but having it documented on isaserver.org is somewhat encouraging. I should post this question there. Although that board isn't very active any more.

    For me, the HUGE advantage of running RDG on TMG is that unauthenticated traffic is kept off the Internal network. That's UAG's big advantage (along with the NAP client, which I'd have to do without), but doesn't force me into using UAGs clunky portal.

    Friday, November 11, 2011 3:13 PM
  • Well, I haven't tried it yet, but even when using multiple servers you might be able to accomplish what you want to - using NTLM to KDC translation (the way the guy on the isaserver.org article did it). That way TMG will authenticate the user before he is redirected to the RDG.

     

    If you are interested I will try to find the article that explains that configuration about publishing Exchange outlook anywhere access - but it is absolutely the same. And I am thinking of doing it that way in my setup - I will post with more info if/when I do it.


    Ivailo Tzenkov
    Friday, November 11, 2011 3:32 PM
  • Ahhh...interesting thought. That would certainly be a supported config for TMG, and a more economical choice for scaling up, too. I will probably give that a try, when I get back to this project, and I'll post back with results. Hopefully within the next week or so. Thanks!

     


    • Edited by JRV529088 Friday, November 11, 2011 4:41 PM
    Friday, November 11, 2011 4:39 PM
  • Much more than a week later, but I've tried it. I'm not very experienced with delegated authentication, but I THINK I've done what's in the isaserver.org article, but slightly adapted as needed for RDWEB/RDG on a different machine.

    I get prompted for creds, but when I enter them, I'm prompted for them again by RDWEB.

    RDWEB works normally from the Internal network.

    I've read here--

     http://www.sole.dk/post/how-to-publish-rd-web-and-gateway-2008-r2-on-isa-2006-with-fba-and-rsa-plus-delegation-of-authentication/?p=245 

    --that delegated auth cannot be used with RDG. And I think I've read that elsewhere, too. The blog offers a workaround, but the workaround is to authenticate only for RDWEB and leave RDG anonymous--which doesn't accomplish a lot. But I gather that explains the behavior I'm seeing.

    My guess--and 'guess' is a carefully chosen word!--is that the reason UAG can authenticate RDG, and likewise the isaserver.org scenario (presumably) works, is that RDG is installed on the TMG server. Thus, once the user has authenticated to TMG, they're also authenticated to the RDG that shares the machine, and no delegation is needed.

    So I'm going to try that next and see how it goes.

    Which returns us to the original, unanswered, is-it-supported question!


    • Edited by JRV529088 Wednesday, December 14, 2011 12:50 AM
    Tuesday, December 13, 2011 10:25 PM
  • I'm still fussing with trying to make the separate RDG server work with TMG, but to no avail. Only way I can get RDWEB to work AT ALL from the Internet is to create a separate publishing rule for RDG that includes "All Users" on the Users tab, thus allowing anonymous traffic onto the LAN. And then I get prompted for RDG creds as I open RemoteApps, and that's not acceptable.

    It doesn't look like RDWEB is even working with TMG SSO, because I'm being prompted by ISA and then, again, by RDWEB. I had thought that was the RDG forcing the 2nd authentication, but evidently it's not, because RDG isn't even involved without the extra publishing rule that allows anonymous.

    To really understand what's going on with the 2 server scenario, I probably need to look at http://www.sole.dk/post/how-to-publish-rd-web-and-gateway-2008-r2-on-isa-2006-with-fba-and-rsa-plus-delegation-of-authentication/?p=245 more closely and duplicate his config; I've already duplicated part of it. Regardless, his solution still allows anonymous RDG traffic, and I gather, requires 2 logons.

    The more I learn the more I'm inclined to think RDG on the TMG box may be the only way to get there--if that even works. So I guess I will try that tomorrow.

    Here's what really bothers me about RDG:

    RDG is intended for Internet use, but neither of MS's Internet security products work well with it. TMG compromises network security by allowing anonymous HTTPS onto the LAN. UAG compromises UX with the security warning, and ENORMOUSLY complicates RemoteApp administration. Neither is acceptable.

    Even if RDG on TMG is supported, for service providers, scaling is not very cost-effective.

    At least we now have SSO; I can't believe that MS ever thought 2 logons would be acceptable for WS2008 users!

    I feel like Microsoft hasn't completely finished baking RDG.

    Wednesday, December 14, 2011 6:20 AM