This topic assumes an understanding of certificate trust chaining, certificate signing, and general public key infrastructure and certificate configuration principles. For information about PKI configuration in Windows Server 2008, see ITPROADD-204: PKI Enhancement in Windows Vista and Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=93995). For information about PKI configuration in Windows Server 2003, see Public Key Infrastructure (http://go.microsoft.com/fwlink/?LinkID=54917).
By default, Transport Layer Security (TLS) 1.0 is used to encrypt communications between Remote Desktop Services clients and RD Gateway servers over the Internet. TLS is a standard protocol that is used to provide secure Web communications on the Internet or intranets. TLS is the latest and most secure version of the Secure Sockets Layer (SSL) protocol. For more information about TLS, see:
- SSL/TLS in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkID=19646)
- RFC 2246, The TLS Protocol Version 1.0 (http://go.microsoft.com/fwlink/?LinkID=40979)
For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the RD Gateway server.
Certificate installation and configuration process overview
The process of obtaining, installing, and configuring a certificate for the RD Gateway server involves these steps.
Step 1: Obtain a certificate for the Remote Desktop Gateway server
You can obtain a certificate for the RD Gateway server by using one of the following methods:
- If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates that meet RD Gateway requirements, you can generate and submit a certificate request in several ways, depending on the policies and configuration of your organization's CA. Methods for obtaining a certificate include:
  - Initiating auto-enrollment from the Certificates snap-in.
  - Requesting certificates by using the Certificate Request Wizard.
  - Requesting a certificate over the Web.
    Note If you have a Windows Server 2003 CA, be aware that the Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll. This ActiveX control is available in Microsoft Windows Server 2003, Windows 2000, and Windows XP. However, Xenroll has been deprecated in Windows Server 2008 and Windows Vista. The sample certificate enrollment Web pages that are included with the original release version of Windows Server 2003, Windows Server 2003 Service Pack 1 (SP1), and Windows Server 2003 Service Pack 2 (SP2) are not designed to handle the change in how Windows Server 2008 and Windows Vista perform Web-based certificate enrollment operations. For information about the steps that you can take to address this issue, see article 922706 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=94472).
  - Using the Certreq command-line tool.
A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA that participates in the Microsoft Root Certification Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547). Otherwise, users connecting from home computers or kiosks might not be able to connect to TS Gateway or RD Gateway servers. These connections might fail because the CA-issued root might not be trusted by computers that are not members of domains, such as home computers or kiosks.
- If your company does not maintain a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates, you can purchase a certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547). Some of these public CAs might offer certificates at no cost on a trial basis.
- Alternatively, if your company does not maintain a stand-alone or enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your RD Gateway server for technical evaluation and testing purposes. For more information, see Create a Self-Signed Certificate for the Remote Desktop Gateway Server.
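The Certreq method from the first option, as an added example that is not part of the original page: the gateway FQDN, the CA configuration string, the template name and the temporary file paths are assumptions. The request file asks for a non-exportable machine key with the Server Authentication EKU and a SAN entry matching the name users will type in the Remote Desktop client, which is what an RD Gateway certificate needs; the issued certificate lands in the local computer store, where RD Gateway Manager can select it.

```powershell
# Added example: request an RD Gateway SSL certificate from an enterprise CA with certreq.
# Assumed values: the gateway FQDN, the CA config string, the template name and file paths.
$Fqdn     = 'rdgw.contoso.example'                     # name users type in the RD client
$CaConfig = 'ca01.contoso.example\Contoso Issuing CA'  # assumed "<CA host>\<CA name>"
$Template = 'WebServer'                                 # assumed template on that CA
$Inf = Join-Path $env:TEMP 'rdgw.inf'
$Req = Join-Path $env:TEMP 'rdgw.req'
$Cer = Join-Path $env:TEMP 'rdgw.cer'

# certreq INF: the private key is created in the computer store and cannot be exported.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@ | Set-Content -Path $Inf -Encoding ASCII
# KeySpec 1 = AT_KEYEXCHANGE (needed for TLS); KeyUsage 0xA0 = digitalSignature + keyEncipherment;
# OID 1.3.6.1.5.5.7.3.1 = Server Authentication; 2.5.29.17 = Subject Alternative Name.

# 1. Build the PKCS#10 request (this step generates the key pair).
certreq.exe -new $Inf $Req
# 2. Submit it to the enterprise CA; enterprise CAs require a template name.
certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $Req $Cer
# 3. Install the issued certificate and bind it to the private key in the computer store.
certreq.exe -accept $Cer

# Confirm the certificate is present with its private key before selecting it in RD Gateway Manager.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Format-List Subject, Issuer, NotAfter, Thumbprint
```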
Important If you use either of the first two methods to obtain a certificate (that is, if you obtain a certificate from a stand-alone or enterprise CA or a trusted public CA), you must also Import a Certificate into Remote Desktop Gateway Server and Select an Existing Certificate for Remote Desktop Gateway. However, if you create a self-signed certificate by using the Add Roles Wizard during installation of the Remote Desktop Gateway role service or by using Remote Desktop Gateway Manager after installation (as described in Create a Self-Signed Certificate for the Remote Desktop Gateway Server), you do not need to install or map the certificate to the RD Gateway server. In this case, the certificate is automatically created, installed in the correct location on the RD Gateway server, and mapped to the RD Gateway server.
If you used one of the first two methods to obtain a certificate and the Remote Desktop Services client computer trusts the issuing CA, you do not need to install the certificate of the CA that issued the server certificate in the client computer certificate store. For example, you do not need to install the certificate of the issuing CA in the client computer certificate store if a VeriSign or other public, trusted CA certificate is installed on the RD Gateway server. If you use the third method to obtain a certificate (that is, if you create a self-signed certificate), you do need to install the certificate of the CA that issued the server certificate in the Trusted Root Certification Authorities store on the client computer. For more information, see Install the Remote Desktop Gateway Server Root Certificate on the Remote Desktop Services Client.
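A way to confirm, from a client computer, whether the certificate the RD Gateway server presents will be trusted, as an added example that is not part of the original page; the gateway FQDN is an assumption. It opens a TLS session to the gateway, builds the chain against the client's own trust stores, and reports whether the root is trusted (an UntrustedRoot status is the self-signed case, where the issuing certificate still has to be installed on the client), whether the Server Authentication EKU is present, and whether the name matches.

```powershell
# Added example: inspect the certificate an RD Gateway presents, as a client would see it.
# Assumed value: the gateway FQDN. Everything else is standard .NET / PowerShell.
$Gateway = 'rdgw.contoso.example'

# Open a TLS session and retrieve the leaf certificate. The callback returns $true only so
# the handshake completes; the chain is evaluated explicitly below.
$tcp = New-Object System.Net.Sockets.TcpClient($Gateway, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($Gateway)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# Build the chain with the client's local trust stores and online revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk    = $chain.Build($cert)
$statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present on an RD Gateway certificate.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

# The name users connect to must match the subject CN or a Subject Alternative Name entry.
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$nameOk  = ($dnsName -eq $Gateway) -or ($san -and ($san.Format($false) -match [regex]::Escape($Gateway)))

# UntrustedRoot means the issuing root is not in this client's Trusted Root store:
# install it (self-signed case) or replace the certificate with a publicly trusted one.
New-Object PSObject -Property @{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    Expires       = $cert.NotAfter
    ChainValid    = $chainOk
    ChainStatus   = $statusText
    RootTrusted   = ($statusText -notmatch 'UntrustedRoot')
    ServerAuthEKU = $hasServerAuth
    NameMatches   = $nameOk
} | Format-List
```

Run it on a computer that is not a domain member to reproduce what a home or kiosk user will see, since that is where a root issued by an internal CA is most likely to be missing.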
Step 2: Import a certificate
After you obtain a certificate, you can import the certificate to the RD Gateway server by using one of the following methods:
- To install a certificate to the certificate store and import the certificate to the RD Gateway server, see Import a Certificate into Remote Desktop Gateway Server.
- To import an existing certificate from the certificate store to the RD Gateway server, see Select an Existing Certificate for Remote Desktop Gateway.