Re: Terminal Server / WAN question



That guide is very good.

This paragraph here really explains well how TS is considered secure, when VPN isn't used to secure the connection:
"In earlier versions of Windows Server, security measures prevented remote users from connecting to internal network resources across firewalls and NATs. This is because port 3389, the port used for RDP connections, is typically blocked for network security purposes. TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls."

But I'm wondering if that information also applies to Terminal Server on Windows Server 2003.
I looked for a 2003 comparable page and found this:
http://technet2.microsoft.com/windowsserver/en/library/e3d396dd-c141-432b-9e69-50f597061e471033.mspx?mfr=true
But unfortunately that doesn't mention anything about TS.

Anyone know if TS 2003 transmits RDP traffic to port 443?





"Syed Khairuddin" <syed@xxxxxxxxxxxxxx> wrote in message news:598AAA80-92D4-4CB4-AA74-FB7D8106C34B@xxxxxxxxxxxxxxxx

Hello,

Seems that there is a Public IP hosted on the server, which is not a
best practice of course, because you are always exposed to the Internet and
anyone.

TS listens on 3389 and this number can be changed on the TS Server. However, you
have a different problem with your solution. Users are authenticated on TS
Gateway and for that you need the TS Gateway to be joined to the domain. If
you make TS Gateway a workgroup machine to put it between two firewalls (DMZ),
then the domain users can't be authenticated on the Gateway. Therefore, if
you see the step-by-step guide, the recommendation is to put TS Gateway just
behind the edge device (e.g. ISA). Read the step-by-step guide:
http://go.microsoft.com/fwlink/?LinkID=85872



TS Web Access is the one which gets hit first, and TS Gateway is not in the
picture until then. When the application is invoked on the TS Web Access page,
the traffic starts going through the TS Gateway. Therefore TS Web Access has
to be Internet-facing.

You can put both on the same server if the load is low. If you are
expecting more than a few hundred simultaneous connections then put them on
different servers.

Thanks
