Remote desktop publishing-Opinions please - 12.Jan.2007 12:42:10 PM
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
I have a user who wants to remotely control his desktop from home. My question is: If I publish RDP to his desktop's IP address and only allow the outside connection from his home address (yes, they are DHCP, which means if the IPs change it would have to be adjusted), how bad would that be considered? I would make certain his wireless router is locked down and encrypted. The AV on his desktop (and our servers) is updated daily. The only realistic issue I can see would be if he shared "local drives". Opinions? Thanks, Bob
RE: Remote desktop publishing-Opinions please - 12.Jan.2007 2:47:24 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bob, I would require a remote access VPN solution on the basis of L2TP/IPSec with strong machine and user authentication. By doing this you can make the remote user accountable for what he/she is doing. HTH, Stefaan
RE: Remote desktop publishing-Opinions please - 12.Jan.2007 4:46:09 PM
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
Ah, but the issue with a VPN is I do not have control over the computer as it is at their home. Thus no GPOs can be applied (for example), I can't verify patch levels, antivirus levels etc. I know, I know, NAC..... Thanks again, Bob
< Message edited by BobW -- 12.Jan.2007 4:55:13 PM >
RE: Remote desktop publishing-Opinions please - 12.Jan.2007 7:17:53 PM
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
OK, granted the VPN solution would be better. I guess my real question is "what is so bad about pushing rdp through to a workstation inside of my network?" I mean if I limit 3389 from one outside IP to one inside IP what could happen that would be bad? If someone did find my IP and found that 3389 was open all of the packets would be directed to a fully patched XP box without network admin rights. The obvious limitation is the number of external IPs available..... Any thoughts? Bob
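As an added example (not from the thread), a small audit over constructed, simplified firewall log lines that checks whether RDP traffic actually stays within the one-outside-IP-to-one-inside-IP rule Bob describes, and separates the DHCP-address-change case he mentions from denied connections arriving from elsewhere. The addresses, the home ISP range and the log layout are assumed sample values, not ISA Server's real log format.

```python
import ipaddress

# Constructed, simplified firewall log lines for illustration only; this is
# not ISA Server's real W3C log layout. Fields: date time src dst dstport action
SAMPLE_LOG = """\
2007-01-12 18:02:11 203.0.113.45 192.168.1.50 3389 ALLOW
2007-01-12 18:40:03 203.0.113.45 192.168.1.50 3389 ALLOW
2007-01-12 21:15:59 198.51.100.7 192.168.1.50 3389 DENY
2007-01-13 07:30:00 203.0.113.77 192.168.1.50 3389 DENY
2007-01-13 09:00:00 203.0.113.45 192.168.1.51 3389 ALLOW
2007-01-13 09:05:00 203.0.113.45 192.168.1.50 80 ALLOW
"""

# The rule as described in the thread: one outside address to one inside desktop.
# All three values below are assumed sample addresses, including the ISP range.
ALLOWED_SOURCE = ipaddress.ip_address("203.0.113.45")
ALLOWED_DEST = ipaddress.ip_address("192.168.1.50")
HOME_ISP_NET = ipaddress.ip_network("203.0.113.0/24")
RDP_PORT = 3389


def parse_line(line):
    date, time, src, dst, port, action = line.split()
    return {"time": f"{date} {time}", "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port), "action": action}


def classify(entry):
    """Return a finding kind for one RDP log entry, or None if it is expected."""
    if entry["port"] != RDP_PORT:
        return None
    in_rule = entry["src"] == ALLOWED_SOURCE and entry["dst"] == ALLOWED_DEST
    if entry["action"] == "ALLOW":
        # Anything allowed that is not the single permitted pair means the
        # publishing rule is wider than intended.
        return None if in_rule else "rule_violation"
    if entry["src"] in HOME_ISP_NET:
        # A deny from the home ISP's range is the DHCP-change case: the user
        # moved to a new address and the rule needs updating.
        return "possible_dhcp_change"
    return "external_probe"


def audit_rdp(log_text):
    """Run classify() over every line and return (time, kind, src, dst) findings."""
    findings = []
    for raw in log_text.strip().splitlines():
        e = parse_line(raw)
        kind = classify(e)
        if kind:
            findings.append((e["time"], kind, str(e["src"]), str(e["dst"])))
    return findings
```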
RE: Remote desktop publishing-Opinions please - 13.Jan.2007 2:17:34 AM
rginfi
Posts: 14
Joined: 7.Jun.2006
Status: offline
You can disable drive mapping via GPO on the workstation.
RE: Remote desktop publishing-Opinions please - 13.Jan.2007 6:00:02 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bob, what I'm missing in directly publishing the Remote Desktop service is a strong authenticated link. In my opinion that should be an absolute requirement for such a high level of inbound access. Currently the only way to accomplish that with ISA Server for the RDP protocol is a Remote Access VPN solution. However, stay tuned for new possibilities in the near future: HTH, Stefaan
RE: Remote desktop publishing-Opinions please - 13.Jan.2007 4:22:19 PM
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
Thanks for batting this back and forth, it has been driving me crazy for a while now. If you take an additional step and virtualize all of your workstations on ESX server, this could be a "desktop everywhere" solution. When in the office they could use lightweight PCs to RDP to the virtual workstation and then use home PCs to RDP to the virtual workstations..... The last issue to sort out would be how to allow 10 users (example) to access their 10 workstations with only 5 external IPs! (Note I do some of this by launching remote desktop sessions via Citrix from an external source). Bob
< Message edited by BobW -- 13.Jan.2007 4:28:02 PM >
RE: Remote desktop publishing-Opinions please - 13.Jan.2007 6:17:30 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bob,
quote: "The last issue to sort out would be how to allow 10 users (example) to access their 10 workstations with only 5 external IPs!"
That's exactly the problem the TS Gateway in Longhorn will solve. With one public IP address you will be able to access an unlimited number of hosts as long as they speak RDP, thus Terminal/Citrix servers as well as workstations with the Remote Desktop active. Moreover, the beauty of the TS Gateway is that only the TS Gateway itself *must* run on Longhorn. Now, will that solve my requirement for a strong authenticated link? According to my findings with the TS Gateway beta 2 release it won't. If you want two-factor authentication we will have to wait for the integration of the Whale IAG stuff in ISA Server or use something like the Citrix Secure Access Gateway. HTH, Stefaan
RE: Remote desktop publishing-Opinions please - 13.Jan.2007 6:34:43 PM
BobW
Posts: 200
Joined: 27.Mar.2002
Status: offline
Never take a break from these forums, do you! My next concern re: the Longhorn solution....licensing....Terminal Server licensing is an expensive (and complicated) proposition. Thanks again, Bob
RE: Remote desktop publishing-Opinions please - 14.Jan.2007 8:11:29 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bob, I don't know much about licensing but I do know that Terminal Server is much cheaper than Citrix. On the other hand, because the TS Gateway seems to be a part of the OS/IIS (it uses the same RPC over HTTPS proxy as used by Outlook Anywhere), I wouldn't be surprised that the TS Gateway itself will be for free. HTH, Stefaan