Is there a way to securely publish a TS machine in ISA 2006? The MS documents say: "With ISA Server 2006, you can more securely publish Windows Server 2003 Terminal Server using SSL technology." (http://www.microsoft.com/isaserver/prodinfo/features.mspx)
In what way can an ISA 2006 do this? How does that differ from other firewalls?
I'm aware that 2003 SP1 supports SSL for RDP, and I've tried it, and it works well, except that anyone can still try to connect using username/password.
I've read Shinder's suggestion on publishing a TSweb and publishing a rule allowing port 3389 to your TS, but I don't see the point of the webpage. A user with a client could just connect directly to the published TS, right? Or did I miss something?
What I would like is to make a publishing rule that authenticates the user BEFORE gaining access to the RDP itself, sort of like a web publishing rule can do (pre-authentication in the ISA server). Is that even possible, or is the feature info on ISA 2006 a bit "spiced up"? =)
Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
Hey Tom,
How can you get SSL OWA and Terminal SSL working at the same time on ISA 2006? I created certificates and imported them to ISA, but how do you configure the listener?
What do you mean by Terminal SSL? Assuming you mean http://support.microsoft.com/kb/895433, then keep in mind that SSL/TLS is *not* the same as HTTPS. In this case the protocol is still RDP but protected by TLS. In other words, you're still stuck with a server publishing rule and therefore no pre-authentication at the ISA is possible.
Yes, I meant Terminal Server access using TLS. My question is, if both the OWA and the TS are listening for port 443 requests, how do you separate the two? I cannot get it working as both listeners need to publish different public names, such as ts.domain.com and mail.domain.com. How do you get around this?
So what access do you recommend? I don't think it is possible to get both SSL OWA and TS working at the same time because of the certificates that need to go with the listener. Is this right? What do you suggest I can do to secure TS?
If I do it that way then that would mean that it's insecure. What can I do to harden it up besides changing ports and having a restricted access list? Is there a way of securing it using accounts?
I believe you're asking if there is a way to make a more secure publish of a TS than standard "port forwarding", and I'm afraid the answer is no. ISA 2006 does not offer anything special when it comes to publishing a TS, I'm afraid (which was my original question in this thread). MS has been a bit overenthusiastic when mentioning this in their "what's new" sections about ISA 2006.
It is possible for the client, however, to require pre-authentication (the TLS things you've probably been reading), but this is just to make sure that the server you are connecting to really is the correct server. So it's not a server-side security feature, so to speak.
I really hope that the secure gateway feature will be released for 2003 as well, but I doubt it.
changing the default RDP port won't help you much because that is security through obscurity!
The best way to protect the access is to use a VPN technology. If that isn't possible then the second best option is to enforce TLS and require SmartCard logon on the TS.
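To illustrate the point made in this thread that the KB895433 setting wraps RDP in TLS rather than turning it into HTTPS, and that "enforce TLS" only means something if the server refuses the legacy RDP security layer, here is an added example (not code from the thread, from Microsoft, or from ISA Server). It builds the X.224 Connection Request an RDP client sends first, carrying the RDP_NEG_REQ negotiation structure from MS-RDPBCGR, and interprets the server's Connection Confirm: an RDP_NEG_FAILURE with SSL_REQUIRED_BY_SERVER means TLS is enforced, while an RDP_NEG_RSP selecting PROTOCOL_RDP (or no negotiation data at all) means the legacy security layer is still accepted. The server replies are constructed inside the script so it runs offline; whether a given Server 2003 build emits negotiation data at all depends on its RDP version, which is an assumption the `NONE` branch covers.

```python
"""Check which RDP security layer a Terminal Server will accept.

Builds the X.224 Connection Request (TPKT + X.224 CR + RDP_NEG_REQ) and
decodes the X.224 Connection Confirm (RDP_NEG_RSP / RDP_NEG_FAILURE),
following the wire formats in MS-RDPBCGR 2.2.1.1 and 2.2.1.2.
Server replies below are constructed locally, not captured traffic.
"""
import struct

# requestedProtocols / selectedProtocol values
PROTOCOL_RDP = 0x00000000     # legacy "RDP security layer" (no TLS)
PROTOCOL_SSL = 0x00000001     # TLS, as enabled by KB895433 on 2003 SP1
PROTOCOL_HYBRID = 0x00000002  # CredSSP/NLA, later Windows versions only

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

PROTOCOL_NAMES = {PROTOCOL_RDP: "PROTOCOL_RDP",
                  PROTOCOL_SSL: "PROTOCOL_SSL",
                  PROTOCOL_HYBRID: "PROTOCOL_HYBRID"}
FAILURE_NAMES = {0x01: "SSL_REQUIRED_BY_SERVER",
                 0x02: "SSL_NOT_ALLOWED_BY_SERVER",
                 0x03: "SSL_CERT_NOT_ON_SERVER",
                 0x04: "INCONSISTENT_FLAGS",
                 0x05: "HYBRID_REQUIRED_BY_SERVER"}


def _tpkt(payload: bytes) -> bytes:
    """Wrap an X.224 PDU in a TPKT header (version 3, big-endian length)."""
    return struct.pack(">BBH", 3, 0, 4 + len(payload)) + payload


def build_connection_request(requested_protocols: int) -> bytes:
    """X.224 Connection Request carrying an RDP_NEG_REQ.

    RDP_NEG_REQ is little-endian: type, flags, length (8), protocols.
    LI counts every byte after itself: 6 fixed bytes + 8 bytes of RDP_NEG_REQ.
    """
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    x224_cr = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return _tpkt(x224_cr)


def build_connection_confirm(neg_type, value: int) -> bytes:
    """Constructed server reply for offline testing.

    neg_type None models an older server that sends no negotiation data.
    """
    neg = b"" if neg_type is None else struct.pack("<BBHI", neg_type, 0, 8, value)
    x224_cc = struct.pack(">BBHHB", 6 + len(neg), 0xD0, 0, 0, 0) + neg
    return _tpkt(x224_cc)


def parse_connection_confirm(data: bytes) -> dict:
    """Decode a Connection Confirm; raises ValueError on malformed input."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length field does not match packet size")
    x224 = data[4:]
    li, code = x224[0], x224[1]
    if code & 0xF0 != 0xD0:
        raise ValueError("X.224 PDU is not a Connection Confirm")
    if li != len(x224) - 1:
        raise ValueError("X.224 length indicator is inconsistent")
    if li == 6:  # fixed part only: server negotiated no security layer
        return {"type": "NONE"}
    if li != 6 + 8:
        raise ValueError("unexpected negotiation payload size")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", x224[7:15])
    if neg_len != 8:
        raise ValueError("RDP negotiation structure has wrong length")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"type": "RDP_NEG_RSP", "selected": PROTOCOL_NAMES.get(value, hex(value))}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"type": "RDP_NEG_FAILURE", "failure": FAILURE_NAMES.get(value, hex(value))}
    raise ValueError("unknown negotiation type %#x" % neg_type)


def tls_is_enforced(confirm_to_legacy_request: bytes) -> bool:
    """True only if the server refused a request that offered PROTOCOL_RDP alone.

    A server answering with RDP_NEG_RSP, or with no negotiation data, will
    still run the legacy RDP security layer, so TLS is optional, not enforced.
    """
    reply = parse_connection_confirm(confirm_to_legacy_request)
    return (reply["type"] == "RDP_NEG_FAILURE" and
            reply["failure"] in ("SSL_REQUIRED_BY_SERVER", "HYBRID_REQUIRED_BY_SERVER"))


if __name__ == "__main__":
    probe = build_connection_request(PROTOCOL_RDP)  # offer only legacy security
    print("client request:", probe.hex())
    for label, reply in (
        ("TLS enforced  ", build_connection_confirm(TYPE_RDP_NEG_FAILURE, 0x01)),
        ("TLS optional  ", build_connection_confirm(TYPE_RDP_NEG_RSP, PROTOCOL_RDP)),
        ("no negotiation", build_connection_confirm(None, 0)),
    ):
        print(label, parse_connection_confirm(reply), "enforced:", tls_is_enforced(reply))
```

To check a server you administer, send the bytes from `build_connection_request(PROTOCOL_RDP)` over a TCP connection to its RDP port and feed the first reply to `tls_is_enforced`; only a refusal shows that the "enforce TLS" setting is actually in effect rather than merely offered. Either way this only protects the transport and authenticates the server to the client, which is why the thread still recommends a VPN or smart-card logon for controlling who may reach the logon prompt.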
Yes, I am aware of the security risk, but that is what is wanted by the managers; they have been using it that way for years and they don't want it changed. I have enforced high-level passwords, changed ports and locked down the terminal server as much as I can. I might see if I can talk them into using IPsec VPN before using RDP; that would be the best solution in this scenario, right?