Terminal server through a secure connection

[Miha]

Hi



Is it possible to configure terminal services on Win2003 Standard to use
some kind of certificates? The idea is, every user who wants to log into
terminal server must have security certificate installed that is verified by
the terminal server. If there is no certificate, log-on is not possible.



Also is there any way to configure terminal server to be accessed through
SSL (HTTPS) like citrix? Because we don't want to open 3389 port to public,
our users use a VPN connection to connect into our company's network, and
then to terminal server, but if it is possible to configure terminal server
to use some kind of RPC over HTTP, so we could securely connect to TS
without VPN, this would be much easier.



Thank you all in advance



Regards,

Miha

 

[Cláudio Rodrigues]

For SSL you will need a third party product like the 2X LoadBalancer.
http://www.2x.com.

--

Cláudio Rodrigues

Microsoft MVP
Windows Server - Terminal Services

 

[Leythos]

Hi

Is it possible to configure terminal services on Win2003 Standard to use
some kind of certificates? The idea is, every user who wants to log into
terminal server must have security certificate installed that is verified by
the terminal server. If there is no certificate, log-on is not possible.

Also is there any way to configure terminal server to be accessed through
SSL (HTTPS) like citrix? Because we don't want to open 3389 port to public,
our users use a VPN connection to connect into our company's network, and
then to terminal server, but if it is possible to configure terminal server
to use some kind of RPC over HTTP, so we could securely connect to TS
without VPN, this would be much easier.

You are missing out on the VPN, as you have several choices. If you have
a proper firewall appliance, meaning not the Windows server, you can
setup firewall User authentication accounts, where they can web into the
firewall itself, authenticate, and then from their authenticated
connection they can use 3389 inbound mapped from their authenticated
group/account to the terminal server. You could also just let them VPN
into the firewall and make a single rule to permit users of VPN_Group_X
only access via TCP 3389 to the server IP address - this would keep them
limited to TCP3389 and only to the terminal server - not full network
access.

 

[Guest]

I'm going to have to side with my buddy Claudio and recommend that you look
at a SSL VPN or Terminal Server Gateway Product. There are many of these out
there that provide the added security you're looking for and ease of access
for the clients over a standard SSL connection.

http://www.sessioncomputing.com/add-on.htm#security

In addition to the 2X product Claudio recomended, I'd take a look at AEP
Networks NSP, which is a SSL VPN w/ built-in Web Interface, built-in support
for secondary authentication, PDF Universal Printer Driver, and optional RDP
Load Balancer.

This is a really slick box, and there's an online demo here:

https://demo2.netillavo.com/

 

[Miha]

Thank you all.
I'm thinkig of implementing certificates on a TS server and clients, so that
only clients with installed certificates could log into terminal server,
directly through 3389 port. Is this OK, or would be better to use standard
option (without certificates and use of VPN tunnel)
Regards
Miha

 

[Guest]

The option you're implying is an IPSec VPN, yes? If that's what you're
implying, I'd recommend a SSL VPN solution that supports secondary
authentication, i.e. certificates, smart cards, secureID... as these offer
the feature you're looking for plus they connect over TCP Port 443 which is
almost never blocked at remote networks, i.e. hotels, airports, corporate
networks not under your management, and does not have the management overhead
of IPSec solutions.

 

[Miha]

Patrick thank's for suggestions. Yes I agree with you that SSL VPN is the
best choice, but since our FW supports only PPTP or L2TP we use IPSec for
our comapny users to log into LAN and then to to the terminal server.
I'm just wondering if it is a good idea to open terminal server directly to
public (via 3389) and configure it to require certificates. So our users
will only need to have certificate installed on their 'home' PC's (to limit
access only to them) and then could directly connect to TS (with their
username/password) without using VPN?
Regards
Miha

 

[Guest]

Although this isn't my recommendation, I don't see anything wrong with this
solution. Are you not planning to allow users to connect from computers
other than their home/remote office computer? How do you plan to deal with
replacement of remote/home office computers, i.e. upgrade/replacement of
certificates?

Does your firewall have a DMZ port? What is often done is to place an SSL
VPN in DMZ, i.e. so it doesn't not have to be your primary firewall, but
rather only a remote access solution.

I want to stress, that it is not my intention to get you to purchase
anything, but just to let you know what options are available, and which ones
are the ones that we server based computing consultants recommend and
implement, as there is almost never an all-in-one solution to any problem.

 

[Miha]

Thank's again for all the help and informations. We decided to use IPsec VPN
based on certificates, maybe in a near future we'll move to SSL VPN.
Regards
Miha

 

[Guest]

You're welcome. Let me know how it works out for you, positives and
negatives...

 

[Per1000IPDay9]

avoid typing the same text again and again (ID, password, phone,
homepage link, address, ...) in the messages, documents, web forms
stop wasting your time on mouse movements searching for an application
in a cascade of menus and folders
keep your desktop clean (photo of your dog looks better than 100 icons)

control computer sounds instantly from any app (somebody's calling?
mute music!)
open favorite web pages with a single hotkey press
build a sequence of actions and execute it with a shortcut
record keystrokes and play them back with a single hotkey press
keep the same hotkeys on different computers with import/export feature

shut down the computer at the specified time (Windows
95/98/ME/NT/2000/XP are supported)
http://www30.webSamba.com/SmartStudio

 

[Guest]

If this is helpful...
You can access a Terminal Server over SSL/TLS with the win2003 client. This
only gives you server authentication, not the client authentication you are
looking for.
Here is how:
http://technet2.microsoft.com/Windo...f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true

In situations where you only need encryption, not authentication, you could
just run the RDP protocol on the SSL port.
http://support.microsoft.com/?id=187623

Jeff

 

[Axel van Lil]

Hi,


to route RDP via HTTP or HTTPS through firewalls and proxies you may try
Tunnel2, see

http://www.Tunnel2.com

for more information.

Disclaimer: I work for them.


Rgds,

Axel van Lil (LMIS)

 

[Alex Balcanquall [MSFT]]

You could always try using the TS Gateway in Windows Server "Longorn". If
you subscribe to Tech-Net or MSDN you will have copies of the beta CDs!

--
Alex Balcanquall
Microsoft

Longhorn TS Web
Forum:http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=580&SiteID=17

This e-mail is provided "AS IS" with no warranties, and confers no rights.