Re: Connecting to a computer when there is more than one behind a
- From: JAMiE132 <JAMiE132@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 26 Apr 2009 14:27:01 -0700
Perhaps I wasn't entirely clear yesterday. To enable access through a
firewall you would need to allow access inbound to the specific port on the
firewall device. In this case it would be port 3389. You would then create a
static address translation route to a specific client on 3389, aka port
forwarding.
i.e. on a Cisco PIX 501 firewall (I have one at home; a very inexpensive device
that allows for 10 VPN connections using the Cisco Secure VPN client or
Microsoft's VPN client):
static (inside,outside) tcp interface 3389 192.168.0.3 3389 netmask 255.255.255.255 0 0
A VPN would open up the entire network to traffic. This may not be a
desirable security risk. Connecting to just an RDP session opens only that
machine (and whatever internal resource the logged-in account can access
from it).
I am not sure of your knowledge of VPNs and security as a whole; however I, and
any security officer I know, would never recommend opening 3389 to an internal
network via the internet. The difference between using RDP and VPN is security.
A VPN can be tied down more than an RDP session. One example would be split
tunneling, as this would isolate the client except for the traffic that is
going down the VPN tunnel; another feature would be routing rules.
Using a VPN would also require a two-step process to connect.
One to 'dial' the VPN and then another to connect to the internal host.
Using port forwarding would require only one step, a connection to the
machine:portnumber.
A two-step process to log on is far better and more secure than just typing an
IP address or DNS name into any RDP client, on any machine, from anywhere
around the world and having access to the Microsoft GINA, aka the Windows
logon screen.
My environment requires two-factor authentication before even logging onto a
domain-based workstation/server. Therefore there are three steps, much better
security.
I am aware that this case is not on that scale; however I will still advise
anyone that needs network connectivity between two locations over the
internet to use some sort of VPN access rather than making RDP accessible
over the internet, regardless of whether this is just to connect to a home network.
"Bill Kearney" wrote:
As already stated by the others you could your static routes to a specific
client
No, you would not use a static route. That's something else, entirely
different.
What's involved are port forwarding settings.
and if you have more than one client that you want to RDP on the LAN you can
change the port used to establish an RDP connection; however I think VPN would
be a better solution and will also enable you to monitor the access to the LAN.
A VPN would open up the entire network to traffic. This may not be a
desirable security risk. Connecting to just an RDP session opens only that
machine (and whatever internal resource the logged-in account can access
from it). Using a VPN would also require a two-step process to connect.
One to 'dial' the VPN and then another to connect to the internal host.
Using port forwarding would require only one step, a connection to the
machine:portnumber.
That and setting up a VPN in RRAS is a non-trivial process.
-Bill Kearney
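As an added illustration of the PIX port-forwarding entry discussed in this thread (example code written for this page, not from either poster or from Cisco): a small Python audit that parses `static` lines out of a constructed config sample and reports every entry that publishes RDP on the outside interface. The interface names, sample addresses and config lines are assumptions, and the check keys on the inside (real) port so that forwarding from a different outside port is still reported.

```python
import re
from typing import Dict, List

# Constructed sample of PIX 6.x config lines; not taken from any real device.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
static (inside,outside) tcp interface 3389 192.168.0.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 192.168.0.4 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 443 192.168.0.10 443 netmask 255.255.255.255 0 0
static (inside,dmz) tcp 10.1.1.5 3389 192.168.0.5 3389 netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) tcp|udp mapped_ip|interface mapped_port real_ip real_port ...
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>interface|\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mapped_port>\d+)\s+"
    r"(?P<real_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<real_port>\d+)"
)

RDP_PORT = 3389


def parse_statics(config: str) -> List[Dict[str, str]]:
    """Extract the static PAT (port-forwarding) entries from a PIX config dump."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_rdp_exposures(config: str, untrusted_if: str = "outside") -> List[str]:
    """Return 'mapped_port->real_ip' for every static that publishes RDP on the
    untrusted interface. Matching on the real (inside) port means a forward from
    outside port 3390 to inside 3389 is reported too: a non-default outside port
    is not a security control, only the exposure itself matters."""
    hits = []
    for e in parse_statics(config):
        if (e["mapped_if"] == untrusted_if and e["proto"] == "tcp"
                and int(e["real_port"]) == RDP_PORT):
            hits.append(f"{e['mapped_port']}->{e['real_ip']}")
    return hits


if __name__ == "__main__":
    for hit in find_rdp_exposures(SAMPLE_CONFIG):
        print("RDP published on the outside interface:", hit)
```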