What is Terminal Services Gateway?

Terminal Services Gateway, or TS Gateway, is a new role in Windows Server 2008. Using the Remote Desktop Protocol (RDP) over HTTPS, users can establish a secure, encrypted connection to the internal network resources where their applications run. The primary benefit is that users do not need to establish a VPN connection with the corporate network before connecting to a Terminal Server. Instead, they connect to the Terminal Server through the TS Gateway.

From TechNet –

TS Gateway provides many benefits, including:

•  TS Gateway enables remote users to connect to internal network resources over the Internet, by using an encrypted connection, without needing to configure virtual private network (VPN) connections.

•  TS Gateway provides a comprehensive security configuration model that enables you to control access to specific internal network resources.

•  TS Gateway provides a point-to-point RDP connection, rather than allowing remote users access to all internal network resources.

•  TS Gateway enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators (NATs). With TS Gateway, you do not need to perform additional configuration for the TS Gateway server or clients for this scenario.

Prior to this release of Windows Server, security measures prevented remote users from connecting to internal network resources across firewalls and NATs. This is because port 3389, the port used for RDP connections, is typically blocked for network security purposes at the firewalls. TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.

•  The TS Gateway Manager snap-in console enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources. For example, you can specify:

    • Who can connect to network resources (in other words, the user groups who can connect).
    • What network resources (computer groups) users can connect to.
    • Whether client computers must be members of Active Directory security groups.
    • Whether device and disk redirection is allowed.
    • Whether clients need to use smart card authentication or password authentication, or whether they can use either method.

•  You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement, and remediation technology that is included in Windows® XP Service Pack 2, Windows Vista®, and Windows Server 2008. With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings.

•  You can use TS Gateway server with Microsoft Internet Security and Acceleration (ISA) Server to enhance security. In this scenario, you can host TS Gateway servers in a private network rather than a perimeter network (also known as a DMZ, demilitarized zone, and screened subnet), and host ISA Server in the perimeter network. The SSL connection between the Terminal Services client and ISA Server can be terminated at the ISA Server, which is Internet-facing.

For information about how to configure ISA Server as an SSL termination device for TS Gateway server scenarios, see the TS Gateway Server Step-by-Step Setup Guide on the TS Gateway page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=79605).

•  The TS Gateway Manager snap-in console provides tools to help you monitor TS Gateway connection status, health, and events. By using TS Gateway Manager, you can specify events (such as unsuccessful connection attempts to the TS Gateway server) that you want to monitor for auditing purposes.

Check out all the information at the following TechNet page:


Also, be sure to check out the Windows Server 2008 Terminal Services page for more information, including the Windows Server 2008 TS Gateway Server Step-By-Step Setup Guide: