Welcome to ISAserver.org


SSL-RDP

SSL-RDP - 9.May2006 7:56:56 PM   
excnn

 

Posts: 7
Joined: 9.May2006
Status: offline
We would like to publish a terminal services PC using SSL over RDP.  Is there a way to publish this and bridge the connection so that RDP can be inspected at the ISA server and then SSL from the ISA server to the Terminal Services PC?  Or is this type of configuration, based on the inherent properties of SSL over RDP, only supported by tunneling the connection?

Thanks in advance!

Shawn
Post #: 1
RE: SSL-RDP - 9.May2006 9:38:28 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Shawn,

are you talking about http://support.microsoft.com/?id=895433 when you say 'SSL over RDP'?  

HTH,
Stefaan

(in reply to excnn)
Post #: 2
RE: SSL-RDP - 9.May2006 10:02:59 PM   
excnn

 

Posts: 7
Joined: 9.May2006
Status: offline
Stefaan,

Yes, that would be the one.  It is supported on 2003 SP1 and requires a 2000 or XP client and Remote Desktop client 5.2 (very version specific).  It also requires a valid certificate.  We have set it up in the lab here, and wonder what the config would be like to publish this and make it very secure using ISA 2004.  I am fond of the idea of inspecting what is going on inside the tunnel, rather than explicit trust.  Maybe I am overly concerned based on what the RDP packets really contain...

But, you never know.

Shawn

(in reply to spouseele)
Post #: 3
RE: SSL-RDP - 9.May2006 10:10:11 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Shawn,

OK, just what I thought!

In that case ISA can't add an extra layer of security because everything is encrypted *and* it is not HTTPS. In other words, you need to create a server publishing rule and use the RDP Server protocol (TCP port 3389 inbound) in that rule.

HTH,
Stefaan

(in reply to excnn)
Post #: 4
RE: SSL-RDP - 10.May2006 2:58:59 AM   
excnn

 

Posts: 7
Joined: 9.May2006
Status: offline
Stefaan,

It would still be possible to create a listener on port 9000 and specify that port in the Remote Desktop client.  Then point that to the standard port of 3389 of the TS server, correct?

Shawn

(in reply to spouseele)
Post #: 5
RE: SSL-RDP - 10.May2006 4:07:57 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Yes - that would work fine.

Or you could have ISA listen on 9000, and then redirect to 9000 if the Server Pub Rule and RDP Listener on the published server were configured correctly.

(in reply to excnn)
Post #: 6
RE: SSL-RDP - 10.May2006 3:41:38 PM   
excnn

 

Posts: 7
Joined: 9.May2006
Status: offline
Please explain what would be the best practice for where to place the TS server?  Would it be in a perimeter network, or would it be advisable to forward the TLS packets to a TS server inside the LAN network?  For all the applications and all the servers required for operation of the TS server as a remote desktop, there would have to be many rules set for access from the perimeter network into the LAN network.  How is this any less or more secure than forwarding directly into the network?

Thanks,
Shawn

(in reply to ClintD)
Post #: 7
RE: SSL-RDP - 10.May2006 8:05:09 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Shawn,

I would server publish the internal TS server but make sure I have a strong authentication solution on the TS itself.

BTW --- It's a shame that Microsoft doesn't want to develop a secure RDP access gateway module for the ISA server with a strong pre-authentication on the ISA server.

HTH,
Stefaan

(in reply to excnn)
Post #: 8
RE: SSL-RDP - 10.May2006 8:08:30 PM   
excnn

 

Posts: 7
Joined: 9.May2006
Status: offline
Stefaan,

I agree and thank you for your help.  I wonder if ISA 2006 will support such a configuration?

I wonder.

Again,
Thanks,
Shawn

(in reply to spouseele)
Post #: 9
RE: SSL-RDP - 10.May2006 8:32:21 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Shawn,

as far as I know it's *not* in ISA 2006 either. I think it has something to do with the deal between Microsoft and Citrix...

HTH,
Stefaan

(in reply to excnn)
Post #: 10
RE: SSL-RDP - 11.May2006 1:54:21 PM   
excnn

 

Posts: 7
Joined: 9.May2006
Status: offline
Stefaan,

Is there a way to force authentication with the ISA server using RSA SecurID before allowing the TLS packets to reach the TS server?  Force two levels of authentication?

Thanks,
Shawn

(in reply to spouseele)
Post #: 11
RE: SSL-RDP - 11.May2006 2:28:17 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Shawn,

nope, not possible! Keep in mind that SSL/TLS is *not* the same as HTTPS...  

The functionality you and I are asking for could be called 'RDP over HTTPS', similar to 'RPC over HTTPS'. In that case it would be possible to perform pre-authentication at the ISA server.

HTH,
Stefaan

(in reply to excnn)
Post #: 12
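
Added example (not posted by anyone in this thread): the distinction drawn above between SSL/TLS and HTTPS is visible in the first bytes a publishing firewall receives. This Python classifies those bytes and, for RDP, reads which security protocol the client requests. It assumes the X.224 Connection Request and negotiation-request layout from Microsoft's RDP specification (MS-RDPBCGR); `build_sample` and its `mstshash=lab` cookie are constructed test input.

```python
import struct

# requestedProtocols bits in the RDP negotiation request (MS-RDPBCGR)
PROTOCOLS = {0x1: "SSL/TLS", 0x2: "CredSSP (NLA)"}
HTTP_VERBS = (b"GET", b"POST", b"CONNECT", b"RPC_IN_DATA", b"RPC_OUT_DATA")

def classify_first_bytes(data: bytes) -> str:
    """Guess the protocol from the first client bytes a firewall would see."""
    if data[:2] == b"\x16\x03":
        return "tls-handshake"              # TLS record first, as with HTTPS
    if data.split(b" ", 1)[0] in HTTP_VERBS:
        return "http"                       # something an HTTP filter can parse
    if len(data) >= 6 and data[0] == 3 and data[5] & 0xF0 == 0xE0:
        return "rdp-x224-connection-request"
    return "unknown"

def requested_security(data: bytes) -> list:
    """Return the security protocols an RDP client asks for in its first packet."""
    if classify_first_bytes(data) != "rdp-x224-connection-request":
        raise ValueError("not an X.224 Connection Request")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data) or data[4] != tpkt_len - 5:
        raise ValueError("truncated or inconsistent TPKT/X.224 lengths")
    body = data[11:]                        # TPKT (4) + LI, code, refs, class (7)
    if body.startswith(b"Cookie:"):         # optional cookie/token ends with CRLF
        end = body.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie")
        body = body[end + 2:]
    if len(body) < 8 or body[0] != 0x01:    # no negotiation request present
        return ["Standard RDP Security"]
    _type, _flags, length, protocols = struct.unpack("<BBHI", body[:8])
    if length != 8:
        raise ValueError("bad negotiation request length")
    names = [name for bit, name in PROTOCOLS.items() if protocols & bit]
    return names or ["Standard RDP Security"]

def build_sample(protocols: int) -> bytes:
    """Constructed sample: X.224 Connection Request with cookie and RDP_NEG_REQ."""
    cookie = b"Cookie: mstshash=lab\r\n"
    neg = struct.pack("<BBHI", 0x01, 0, 8, protocols)
    x224 = bytes([6 + len(cookie) + len(neg), 0xE0]) + b"\x00" * 5 + cookie + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

if __name__ == "__main__":
    print(classify_first_bytes(build_sample(0x1)), requested_security(build_sample(0x1)))
```

Everything after this first exchange is encrypted once TLS is negotiated, which is why a server publishing rule on the RDP port can only pass the session through.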
RE: SSL-RDP - 11.May2006 2:40:59 PM   
excnn

 

Posts: 7
Joined: 9.May2006
Status: offline
Stefaan,

Darn!

Thanks,
Shawn

I keep trying to reinvent the wheel.

(in reply to spouseele)
Post #: 13
