After posting an entry about Windows 2008 Terminal Services Gateway, I stumbled across something with the configuration that gave me pause. During the installation process, the TSG services configure the IIS services to listen on port 443 of the Default Web Site. So, in addition to listening for RDP over HTTP(s) connection attempts, the TSG server is also listening for regular HTTPS traffic. To see this behavior, you simply need to open up your browser and point it to your TSG server. You will see the default web page that is configured for the Default Web Site.
Is this a bad thing? I wasn’t really sure, so I started looking through all of the public articles and webcasts that outlined the configuration of TSG. Not finding anything that described how the web services portion of the TSG should be configured, I leveraged one of the greatest benefits of working for Microsoft: I contacted the TSG Product Group. After explaining my question to a Program Manager, the initial response was surprise. I was on the phone with him when he opened up his browser and connected to his own TSG server. Sure enough, he was greeted with the same default web page that I noticed.
I think it’s safe to say that Windows 2008 IIS services come pre-hardened by default, so an unmodified default website shouldn’t have any security-related issues with browser-based connections. And I wouldn’t think that anyone would be hosting their web applications on a TSG server, so perhaps this really isn’t anything to be concerned with.
In any case, I don’t feel that having the TSG server reachable with a web browser is all that critical. I just hope the TSG Product Group adds some additional information about the IIS configuration that comes along with installing Terminal Services Gateway. Is it worth it to try and modify the default behavior of IIS and change or disable the landing page? I don’t think so, and I won’t be doing it on my TSG server. What do you think? Is it worth trying to change this default behavior?




Kim Cameron's Identity Weblog
Wed, Nov 19, 2008
Security, Technology