*IMPORTANT* Firewall Considerations for Terminal Services Gateway

Hey all,

I just spent 3 days ripping my hair out over this and using packet analyzers so I hope I can save someone the trouble.

Symptom:
Your external users are trying to access RemoteApp or Desktops via Terminal Services Gateway from across the internet, and the initial connection takes 30-60 seconds.

Solution:
If you publish Terminal Services Gateway through a firewall and only allow SSL to come through, YOU MUST CONFIGURE YOUR FIREWALL TO ACTIVELY BLOCK PORT 3389 TO THE TS GATEWAY.

There's a bug (feature?) in RDC 6.1 where it will attempt to make an RDP connection first before it tries the SSL connection. I've found absolutely no way to configure the RDP shortcut to avoid this. If your firewall silently drops this request, RDP will sit there for about 30 seconds before it times out, making your RemoteApp connections painfully slow. If your firewall actively rejects the 3389 RDP connection, then RDC will make the SSL connection immediately.

If anyone can shed some more light on this or a better fix, that'd be great. Hope that helps, and maybe RDC 6.2 will fix that.

----
Justin Grote
Senior Systems Engineer
En Pointe Technologies