TS over the internet - directly attach, or require a VPN?


Leythos

A good topic for discussion!

We used to use VPN (before we implemented Terminal Server) and now we don't.
Instead we open a (non-standard) port on the firewall and use
port-forwarding to point incoming traffic from specific, permitted client
computers and users (both must be correctly identified) to port 3389 on the
TS.

The reason that we ended up dropping VPN was that we had no control over the
remote computers. When they became compromised and connected by VPN to the
network, we had endless problems with the compromised machines being part of the LAN.

If you didn't have control then you didn't have your firewall set up
properly.

We use VPN to the Firewall Appliance, not the server, and then a
firewall rule that permits ONLY 3389 to the Terminal Server or 3389 to
their work computer, nothing else.

This means that users with compromised machines don't expose their home
computers to any more than your solution, BUT they have a double
authentication method, first the firewall, then the RD connection to the
server/workstation, and neither has the same user/password.

I would never expose RD/TS directly to the Internet.
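The appliance rule described above, modelled as an added example (this is not code from the thread): VPN clients terminate on the firewall and may only reach TCP 3389 on the Terminal Server or on their own workstation; the addresses, user names and VPN pool are constructed for illustration. The flat policy is included only to contrast it with the restricted one.

```python
from ipaddress import ip_address, ip_network
from typing import Callable, NamedTuple

TS_ADDR = ip_address("10.0.0.10")        # constructed: the Terminal Server
VPN_POOL = ip_network("10.99.0.0/24")    # constructed: pool handed to VPN clients
# constructed: VPN address issued to each user, and that user's own work PC
VPN_USER_ADDR = {"alice": ip_address("10.99.0.11"), "bob": ip_address("10.99.0.12")}
WORKSTATION = {"alice": ip_address("10.0.0.51"), "bob": ip_address("10.0.0.52")}
RDP_PORT = 3389


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def flat_vpn_policy(pkt: Packet) -> bool:
    """'VPN client becomes a LAN member': anything from the pool is let through."""
    return ip_address(pkt.src) in VPN_POOL


def restricted_policy(pkt: Packet) -> bool:
    """Appliance rule: pool -> TS:3389/tcp, or a user -> their own PC:3389/tcp."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src not in VPN_POOL:
        return False                      # not a VPN client: not this rule's business
    if pkt.proto != "tcp" or pkt.dport != RDP_PORT:
        return False                      # SMB, ping, anything else: dropped, even to the TS
    if dst == TS_ADDR:
        return True
    owner = next((u for u, a in VPN_USER_ADDR.items() if a == src), None)
    return owner is not None and dst == WORKSTATION[owner]


def evaluate(pkt: Packet, policy: Callable[[Packet], bool]) -> str:
    return "ALLOW" if policy(pkt) else "DROP"


def reachable(src: str, policy: Callable[[Packet], bool], probes: list[Packet]) -> set:
    """What a (possibly compromised) VPN client at `src` can reach under `policy`."""
    return {(p.dst, p.dport) for p in probes if p.src == src and policy(p)}


if __name__ == "__main__":
    probes = [Packet("10.99.0.11", "10.0.0.10", "tcp", 3389),
              Packet("10.99.0.11", "10.0.0.10", "tcp", 445),
              Packet("10.99.0.11", "10.0.0.52", "tcp", 3389)]
    print("flat:      ", reachable("10.99.0.11", flat_vpn_policy, probes))
    print("restricted:", reachable("10.99.0.11", restricted_policy, probes))
```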