Secure RDP publishing



patos -> Secure RDP publishing (3.Dec.2006 6:32:48 PM)

Is there a way to securely publish a TS machine in ISA 2006? The MS documents say: "With ISA Server 2006, you can more securely publish Windows Server 2003 Terminal Server using SSL technology."

In what way can ISA 2006 do this? How does that differ from other firewalls?

I'm aware that 2003 SP1 supports SSL for RDP, and I've tried it, and it works well, except that anyone can still try to connect using username/password.

I've read Shinder's suggestion on publishing TSWeb and publishing a rule allowing port 3389 to your TS, but I don't see the point of the webpage. A user with a client could just connect directly to the published TS, right? Or did I miss something?

What I would like is to make a publishing rule that authenticates the user BEFORE gaining access to the RDP itself, sort of like a web publishing rule can do (pre-authentication in the ISA server). Is that even possible, or is the feature info on ISA 2006 a bit "spiced up"? =)



tshinder -> RE: Secure RDP publishing (7.Dec.2006 7:34:26 PM)

Hi Patric,



Sunny.C -> RE: Secure RDP publishing (1.Jan.2007 10:17:41 PM)

Hey Tom,

How can you get SSL OWA and Terminal SSL working at the same time on ISA 2006??
I created certificates and imported to ISA but how do you configure the listener?


tshinder -> RE: Secure RDP publishing (2.Jan.2007 10:59:58 AM)

What's "terminal SSL"?


spouseele -> RE: Secure RDP publishing (2.Jan.2007 11:00:25 AM)

Hi Sunny,

what do you mean by Terminal SSL? Assuming you mean that, keep in mind that SSL/TLS is *not* the same as HTTPS. In this case the protocol is still RDP but protected by TLS. In other words, you're still stuck with a server publishing rule and therefore no pre-authentication at the ISA is possible.

However, keep an eye open for TS Gateway in Longhorn. This uses the same technology as Outlook Anywhere, that is, RPC/HTTPS. For more info, check out


Sunny.C -> RE: Secure RDP publishing (2.Jan.2007 4:52:06 PM)

Yes, I meant Terminal Server access using TLS.
My question is, if both the OWA and TS are both listening for port 443 requests,
how do you separate the two?
I can not get it working as both listeners need to publish different public names,
such as and
How do you get around this?

spouseele -> RE: Secure RDP publishing (2.Jan.2007 5:04:15 PM)

Hi Sunny,

even if you use TLS to authenticate the server, the protocol used is still RDP, therefore TCP port 3389 by default. [;)]


Sunny.C -> RE: Secure RDP publishing (2.Jan.2007 5:27:30 PM)

So what access do you recommend?
I don't think it is possible to get both SSL OWA and TS working at the same time because of the certificates that need to go with the listener. Is this right?
What do you suggest I can do to secure TS?

spouseele -> RE: Secure RDP publishing (2.Jan.2007 5:41:57 PM)

Hi Sunny,

as said before, you have to use a server publishing rule! So no web listener or certificate on the ISA is needed at all.


Sunny.C -> RE: Secure RDP publishing (2.Jan.2007 6:44:40 PM)

If I do it that way, then that would mean that it's insecure.
What can I do to harden it up besides changing ports and having a restricted access list??? Is there a way of securing it using accounts??

patos -> RE: Secure RDP publishing (3.Jan.2007 2:20:45 AM)

I believe you're asking if there is a way to make a more secure publishing of a TS than standard "port forwarding", and I'm afraid the answer is no. ISA 2006 does not offer anything special when it comes to publishing a TS, I'm afraid (which was my original question in this thread). MS has been a bit overenthusiastic when mentioning this in their "what's new" sections about ISA 2006.

It is possible for the client, however, to require pre-authentication (the TLS thing you've probably been reading about), but this is just to make sure that the server you are connecting to really is the correct server. So it's not a server-side security feature, so to speak.

I really hope that the secure gateway feature will be released for 2003 as well, but I doubt it.


Sunny.C -> RE: Secure RDP publishing (3.Jan.2007 2:27:53 AM)

Hmmm, so I guess the only thing we can do to tighten the security a little is change ports and keep a tight access list.

spouseele -> RE: Secure RDP publishing (3.Jan.2007 3:41:33 PM)

Hi Sunny,

changing the default RDP port won't help you much because that is security through obscurity! [8D]

The best way to protect the access is to use a VPN technology. If that isn't possible, then the second best option is to enforce TLS and require SmartCard logon on the TS.
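
To verify that a published TS actually enforces TLS rather than quietly accepting Standard RDP Security, here is an added check (not code from this thread, from ISA, or from Microsoft): it sends an X.224 Connection Request as laid out in MS-RDPBCGR that offers only legacy RDP security and classifies the Connection Confirm, since a server enforcing TLS or NLA must refuse that offer with SSL_REQUIRED_BY_SERVER or HYBRID_REQUIRED_BY_SERVER. Windows Server 2003 predates this negotiation exchange and may answer without any negotiation data, which the code reports as legacy; the host and port command-line arguments are an assumed usage.

```python
import socket
import struct

PROTOCOL_RDP = 0x0                     # RDP_NEG_REQ flag: Standard RDP Security only
FAILURE = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
           3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
           5: "HYBRID_REQUIRED_BY_SERVER",
           6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}
ENFORCING = {1, 5, 6}                  # failure codes meaning "TLS/NLA is required"
SELECTED = {0: "RDP", 1: "SSL", 2: "HYBRID"}


def build_connection_request(requested: int) -> bytes:
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ (type 0x01)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)      # little-endian
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Classify the X.224 Connection Confirm (TPDU code 0xD0) a server sent back."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:5 + data[4]]        # LI counts every byte after the LI byte
    if not body:                       # no RDP_NEG_RSP: pre-negotiation server
        return {"tls_enforced": False, "detail": "legacy server, no negotiation data"}
    if len(body) < 8:
        raise ValueError("truncated negotiation structure")
    kind, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if kind == 0x02:                   # RDP_NEG_RSP: our legacy-only offer was accepted
        return {"tls_enforced": False,
                "detail": f"accepted {SELECTED.get(value, hex(value))}"}
    if kind == 0x03:                   # RDP_NEG_FAILURE: server refused the offer
        return {"tls_enforced": value in ENFORCING,
                "detail": FAILURE.get(value, hex(value))}
    raise ValueError(f"unexpected negotiation type {kind:#x}")


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Offer only Standard RDP Security; a TLS-enforcing TS must refuse it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return parse_connection_confirm(sock.recv(64))


if __name__ == "__main__":
    import sys
    host = sys.argv[1]                 # assumed usage: script.py <host> [port]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3389
    print(probe(host, port))
```

Run it against the published address from outside: `tls_enforced: True` means the TS refuses unencrypted Standard RDP Security; a legacy or accepted result means the TLS setting is not being enforced on that listener.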


Sunny.C -> RE: Secure RDP publishing (5.Jan.2007 1:29:48 AM)

Hmmm, I was thinking more along the VPN line, but I think it will be too hard for my users as they are all retail stores with young females. [8D]

tshinder -> RE: Secure RDP publishing (7.Jan.2007 9:18:24 AM)

If there's a way to accomplish what you need to do without RDP, I'd recommend that. RDP is the worst solution, from a security standpoint, possible.

Think about it -- you're giving complete machine access to anyone who can log on -- not just a service or an exec, but the entire machine. Ug.


Sunny.C -> RE: Secure RDP publishing (7.Jan.2007 4:43:18 PM)

Yes, I am aware of the security risk, but that is what is wanted by the managers;
they have been using it that way for years and they don't want it changed.
I have enforced high-level passwords, changed ports and locked down the terminal server as much as I can.
I might see if I can talk them into using IPsec VPN before using RDP; that would be the best solution in this scenario, right?
