Secure RDP publishing
Secure RDP publishing - 3.Dec.2006 6:32:48 PM
patos
Posts: 31
Joined: 13.Oct.2006
Status: offline
Is there a way to securely publish a TS machine in ISA 2006? The MS documents say: "With ISA Server 2006, you can more securely publish Windows Server 2003 Terminal Server using SSL technology." (http://www.microsoft.com/isaserver/prodinfo/features.mspx) In what way can an ISA 2006 do this? How does that differ from other firewalls? I'm aware that 2003 SP1 supports SSL for RDP, and I've tried it, and it works well, except that anyone can still try to connect using username/password. I've read Shinder's suggestion on publishing a TSweb and publishing a rule allowing port 3389 to your TS, but I don't see the point of the webpage. A user with a client could just connect directly to the published TS, right? Or did I miss something? What I would like is to make a publishing rule that authenticates the user BEFORE gaining access to the RDP itself, sort of like a web publishing rule can do (pre-authentication in the ISA server). Is that even possible, or is the feature info on ISA 2006 a bit "spiced up"? =) Regards /Patric
RE: Secure RDP publishing - 1.Jan.2007 10:17:41 PM
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
Hey Tom, how can you get SSL OWA and Terminal SSL working at the same time on ISA 2006? I created certificates and imported them to ISA, but how do you configure the listener? Regards, Sunny.C
RE: Secure RDP publishing - 2.Jan.2007 11:00:25 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Sunny, what do you mean by Terminal SSL? Assuming you mean http://support.microsoft.com/kb/895433, then keep in mind that SSL/TLS is *not* the same as HTTPS. In this case the protocol is still RDP but protected by TLS. In other words, you're still stuck with a server publishing rule and therefore no pre-authentication at the ISA is possible. However, keep an eye open for TS Gateway in Longhorn. This uses the same technology as Outlook Anywhere, that means RPC/HTTPS. For more info, check out http://www.microsoft.com/windowsserver/longhorn/default.mspx. HTH, Stefaan
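The distinction Stefaan draws here (RDP protected by TLS is not HTTPS) is visible in the very first bytes a listener receives: an HTTPS client opens with a TLS record carrying a ClientHello, while an RDP client opens with a cleartext TPKT/X.224 Connection Request and only asks for TLS inside that request. The script below is an added example written for this thread, not code from the forum or from ISA Server; it assumes the MS-RDPBCGR layout of the X.224 Connection Request (optional mstshash cookie followed by an RDP_NEG_REQ) and the standard TLS record header, and every sample input is constructed rather than captured.

```python
"""Added example: tell an RDP connection (X.224 Connection Request, optionally
asking for TLS) apart from an HTTPS connection (TLS ClientHello) by their first
bytes. Layouts follow MS-RDPBCGR (TPKT + X.224 CR + RDP_NEG_REQ) and the TLS
record header; all sample inputs below are constructed, not captured."""
import struct

# requestedProtocols flags in RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000  # standard RDP security only
PROTOCOL_SSL = 0x00000001  # client asks for TLS (what KB895433 enables)
TYPE_RDP_NEG_REQ = 0x01


def build_x224_connection_request(user=None, requested_protocols=None):
    """Constructed RDP opener as a client would send it: TPKT header, X.224 CR
    TPDU, optional mstshash cookie, optional RDP_NEG_REQ."""
    body = b""
    if user is not None:
        # the cookie (user name) travels in clear, before any TLS
        body += b"Cookie: mstshash=" + user.encode("ascii") + b"\r\n"
    if requested_protocols is not None:
        # type(1) flags(1) length(2, LE) requestedProtocols(4, LE)
        body += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR fixed part: code 0xE0, dst-ref(2), src-ref(2), class options(1)
    tpdu = bytes([0xE0, 0, 0, 0, 0, 0]) + body
    li = len(tpdu)  # length indicator excludes itself
    tpkt = struct.pack(">BBH", 3, 0, 4 + 1 + li)  # version 3, reserved, total length
    return tpkt + bytes([li]) + tpdu


# Constructed, truncated TLS 1.0 record carrying a ClientHello (type 0x01).
# A real hello is hundreds of bytes; only the header matters here.
TLS_CLIENT_HELLO_HEAD = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"


def classify_first_bytes(data):
    """Return what the first bytes of a TCP stream look like to a listener."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record: content type handshake, version 3.x, then handshake type
        kind = "tls-clienthello" if data[5] == 0x01 else "tls-record"
        return {"kind": kind}
    if len(data) >= 11 and data[0] == 0x03 and data[1] == 0x00:
        li = data[4]
        if data[5] != 0xE0:
            return {"kind": "tpkt-other"}
        # variable part starts after LI(1) + fixed X.224 CR header(6)
        payload = data[11:4 + 1 + li]
        cookie = None
        requested = None
        if payload.startswith(b"Cookie: mstshash="):
            end = payload.find(b"\r\n")
            if end != -1:
                cookie = payload[17:end].decode("ascii", "replace")
                payload = payload[end + 2:]
        if len(payload) >= 8 and payload[0] == TYPE_RDP_NEG_REQ:
            _, _, neg_len, requested = struct.unpack("<BBHI", payload[:8])
            if neg_len != 8:
                requested = None
        return {
            "kind": "rdp-x224-cr",
            "cookie": cookie,
            "requested_protocols": requested,
            "requests_tls": requested is not None and bool(requested & PROTOCOL_SSL),
        }
    return {"kind": "unknown"}


if __name__ == "__main__":
    for label, sample in [
        ("RDP, standard security", build_x224_connection_request()),
        ("RDP asking for TLS", build_x224_connection_request("patric", PROTOCOL_SSL)),
        ("HTTPS (TLS ClientHello)", TLS_CLIENT_HELLO_HEAD),
    ]:
        print(f"{label:28s} -> {classify_first_bytes(sample)}")
```

Two things follow from the output. A web listener can terminate the TLS it sees in the HTTPS case and route on the decrypted HTTP request, which is why one listener can carry several public names and pre-authenticate; the RDP stream is X.224 first and TLS only afterwards, so it needs its own server publishing rule and the ISA never sees an authenticable request. And TLS on RDP protects the session, not the logon: the client's user name in the cookie is sent before TLS starts, and any client that reaches the port can still attempt credentials, exactly the gap Patric describes in the first post.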
RE: Secure RDP publishing - 2.Jan.2007 4:52:06 PM
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
Yes, I meant Terminal Server access using TLS. My question is, if both the OWA and TS are listening for port 443 requests, how do you separate the two? I cannot get it working, as both listeners need to publish different public names, such as ts.domain.com and mail.domain.com. How do you get around this?
RE: Secure RDP publishing - 2.Jan.2007 5:27:30 PM
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
So what access do you recommend? I don't think it is possible to get both SSL OWA and TS working at the same time because of the certificates that need to go with the listener. Is this right? What do you suggest I can do to secure TS?
RE: Secure RDP publishing - 2.Jan.2007 5:41:57 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Sunny, as said before you have to use a server publishing rule! So, no web listener and certificate on ISA is needed at all. HTH, Stefaan
RE: Secure RDP publishing - 2.Jan.2007 6:44:40 PM
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
If I do it that way, then that would mean that it's insecure. What can I do to harden it up besides changing ports and having a restricted access list? Is there a way of securing it using accounts?
RE: Secure RDP publishing - 3.Jan.2007 2:20:45 AM
patos
Posts: 31
Joined: 13.Oct.2006
Status: offline
I believe you're asking if there is a way to make a more secure publishing of a TS than standard "port forwarding", and I'm afraid the answer is no. ISA 2006 does not offer anything special when it comes to publishing a TS, I'm afraid (which was my original question in this thread). MS has been a bit overenthusiastic when mentioning this in their "what's new" sections about ISA 2006. It is possible for the client, however, to require pre-authentication (the TLS things you've probably been reading), but this is just to make sure that the server you are connecting to really is the correct server. So it's not a server-side security feature, so to speak. I really hope that the secure gateway feature will be released for 2003 as well, but I doubt it. R /Patric
RE: Secure RDP publishing - 3.Jan.2007 2:27:53 AM
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
Hmmm, so I guess the only thing we can do to tighten the security a little is change ports and keep a tight access list. Tom?
RE: Secure RDP publishing - 7.Jan.2007 9:18:24 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
If there's a way to accomplish what you need to do without RDP, I'd recommend that. RDP is the worst solution, from a security standpoint, possible. Think about it -- you're giving complete machine access to anyone who can log on -- not just a service or an exec, but the entire machine. Ug. Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Secure RDP publishing - 7.Jan.2007 4:43:18 PM
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
Yes, I am aware of the security risk, but that is what is wanted by the managers; they have been using it that way for years and they don't want it changed. I have enforced high-level passwords, changed ports and locked down the terminal server as much as I can. I might see if I can talk them into using IPsec VPN before using RDP; that would be the best solution in this scenario, right?