DMZ and Terminal Services

[Jmoomaw]

WE are looking at setting up Terminal Services in this
fashion:
1: Servier outside the firewall handling the connections
2: Nortel Systemworks Box with Firewall (Instant Internet
software)
3: Application Server.

I have been told I can then configure the internal server
to only talk to the Terminal Services server and this will
protect our network.

We have a VPN set up from a Site in the southwest to the
main office in NY. WE have sales people needing to access
terminal services from the field through dial up and
internet access.

Will this model protect our network any better than
setting up RAS?
How would I configure the internal server to only talk to
the TS SErver.
Any information would be helpful

Thanks...Jim

 

[dlw]

Why not put the Terminal Server inside the firewall, too,
and use port forwarding (3389) to get to it? I assume the
only reason it's outside is so internet connections can
get to it. I'm about to set this up myself- am I right
that this is the most secure?

 

[Apocs]

you can install terminal services on the application
server (application mode). Then put the application server
outside the firewall (in the DMZ) and allow ONLY Port 3389
from the internet to youre application server (if the
internet conn. is firewalled, or routed through NAT). From
the internal network, clients need an extra route to the
application server. Do not make the TS server a member
server on the windows domain on youre internal network if
you have one. This is more secure. If you need access
groups for the application server, you might consider
making the server a DC for a seperate domain. This means
you can make a trust connection, in where youre domain is
the trusted domain. Then create a global group on youre
internal DC and put it in a local group at the TS server.
This way you can create access to the application server
on both machines. Giving you full control over the TS
users and the application.

I almost forgot. VPN or RAS. Well both methodes can be
very secure, or not. It depends on the design and methodes
used. So when you need security, check out how to secure
RAS en how to secure VPN connecions. Consider VPN when the
clients are at long range distance. You must know that RAS
is much more secure when dialing directly to a phone
number then to first connect to the internet by IP. When
VPN is used a secure tunnel is made through the internet,
this means no other connection is allow when connected
through VPN. Internet connections are much cheaper then
long distance phone calls ofcourse.

I guess I had nothing to do, but I'm out for sigarets

Cheers