Enable HTTPS-HTTP Bridging on the TS Gateway Server
Applies To: Windows Server 2008
To enhance security for a TS Gateway server, you can configure Microsoft Internet Security and Acceleration (ISA) Server or a non-Microsoft product to function as a Secure Sockets Layer (SSL) bridging device. The SSL bridging device can enhance security by terminating SSL sessions, inspecting packets, and re-establishing SSL sessions.
You can configure ISA Server communication with the TS Gateway server in either of the two following ways:
HTTPS-HTTPS bridging. In this configuration, the TS Gateway client initiates an SSL (HTTPS) request to the SSL bridging device. The SSL bridging device initiates a new HTTPS request to the TS Gateway server, for maximum security.
HTTPS-HTTP bridging. In this configuration, the TS Gateway client initiates an SSL (HTTPS) request to the SSL bridging device. The SSL bridging device initiates a new HTTP request to the TS Gateway server.
Important
The TS Gateway protocol stack includes the following protocols, in order: Secure Sockets Layer (SSL), HTTP, remote procedure call (RPC), and the Remote Desktop Protocol (RDP). Even when SSL bridging devices are used, the RPC and RDP packets are encrypted to the TS Gateway server and the terminal server, respectively. However, HTTP packets that are sent between the SSL bridging device and the TS Gateway server might not be encrypted, depending on the configuration of the SSL bridging device. Be aware that HTTP communication between the SSL bridging device and the TS Gateway server functions in a manner similar to HTTP communication between an SSL bridging device and a Web site that is published through the SSL bridging device. For information about how to secure HTTP communication between the SSL bridging device and a Web site, see the SSL bridging device manufacturer's documentation.
If you plan to use an SSL bridging device to terminate SSL with smart card authentication, you must take additional steps to secure HTTP communication. For example, you might consider using Internet Protocol security (IPsec), which supports mutual authentication, to help secure HTTP communication in this scenario. For information about IPsec, see the Internet Protocol security page on the TechNet site (https://go.microsoft.com/fwlink/?LinkId=84638).
To use HTTPS-HTTP bridging, you must enable the Use HTTPS-HTTP bridging setting on the TS Gateway server, as described in this procedure.
Important
To use an SSL bridging device with TS Gateway, you must also enable external SSL termination on the SSL bridging device that you plan to use and you must configure it to connect to the TS Gateway server. For detailed instructions for configuring ISA Server for use as an external SSL bridging device for TS Gateway, see "Steps for Configuring the TS Gateway ISA Server Scenario" in the TS Gateway Server Step-by-Step Setup Guide (https://go.microsoft.com/fwlink/?LinkId=79605).
Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To enable HTTPS-HTTP bridging on the TS Gateway server
Open TS Gateway Manager.
In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties.
On the SSL Bridging tab, select the Use HTTPS-HTTP bridging check box, and then click OK.
A warning message will appear, stating that for the SSL bridging settings to take effect, you must recycle the default application pool of IIS. Read the warning message and decide whether you want to recycle the default application pool now or later. To recycle the default application pool now, click Yes. To recycle the default application pool manually later, click No.
If you are using ISA Server as the external SSL bridging device for TS Gateway, ensure that you have configured ISA Server as described in "Steps for Configuring the TS Gateway ISA Server Scenario" in the TS Gateway Server Step-by-Step Setup Guide (https://go.microsoft.com/fwlink/?LinkId=79605).