Re: Terminal server and http



The easiest and most secure way to do this is to drop in an SSL VPN device
like AEP Networks NSP (aka Netilla) or Array Networks SPX SSL VPN Access
Gateway. Both of these have a built-in web interface for publishing
applications, optional load balancing (for multiple terminal servers) and of
course tunnel RDP or ICA over SSL, so you don't have to worry about the
client being able to communicate over port 3389.

AEP's also has a built-in PDF Universal Printer Driver and support for
secondary authentication. These things take a few minutes to set up, and you
just give clients a URL to make the connection.

http://www.sessioncomputing.com/add-on.htm#security

--
Patrick Rouse
Microsoft MVP - Terminal Server
http://www.sessioncomputing.com


"m.piceni@xxxxxxxxxxxxxxxx" wrote:

Hi Eric,

1) by default yes, but you can change it
If you use TsWeb control, you can simply modify the default.htm page in this
way:
- locate the sub "BtnConnect"
- Add the following line just before the MsRdpClient.Connect:
MsRdpClient.AdvancedSettings2.RdpPort = "80"
That's all.

Of course you cannot use an IP address where you also have a Web Server
because port 80 must be free. Otherwise you can use any other standard port
(i.e. 21 or 25).

You then have to change the default port also on the firewall behind the
Terminal Server that must map the incoming requests on port 80 to port 3389.
This action depends on the firewall you're using. If the firewall can't do
this, you can change the port directly on the TS. Take a look at this:
http://support.microsoft.com/kb/187623/en-us

2) You don't need any third party software, just a text editor to modify the
default.htm

3) Very right. If you need to give TS access over the Internet, secure as
much as possible your TS Server. Absolutely block administrator access
through TS (local policy on the Server) and leave the access only to the
users that need it. Use strong passwords for TS enabled users and force them
to change password often. If possible don't put the Server inside corporate
network, but on the DMZ.
If you use Windows Server 2003 SP1 or later, you can also set up a secure RDP
connection, to reduce the risk of intrusions on open connections. In this
case, you need to modify again the default.htm and add also this line:
MsRdpClient.AdvancedSettings.AuthenticationLevel = "1"
You'll need the latest version of the TsWeb ActiveX (5.2).

You also need to enable the encryption on the Server using Terminal Services
Configuration snap-in. Take a look at this:
http://support.microsoft.com/kb/895433/en-us

hope this helps.

Massimo.

"ontsnapt" <ontsnapt@xxxxxxxxxxx> wrote in message
news:eYcmOb3cGHA.636@xxxxxxxxxxxxxxxxxxxxxxx
Today we discussed the fact that terminal server uses port 3389. Some of
our clients block that port in their firewall. So they are not able to
connect to our terminal server.

They advised us to have a look at enabling tsweb and use http port 80 http
or better https.

1) Reading a lot of articles I can only conclude that port 3389 is always
used. When logging in with tsweb after activation of the activeX and as
soon as the username / password appears port 3389 is used.

Is this correct?

2) Using only port 80 and disable port 3389 is possible when installing a
product like tunnel2 or wait till microsoft adds rdp over https.

Is this correct?

3) Another thing we discussed is how secure is port 3389? When someone
knows that port 3389 is open on a firewall how easy is it to hack the
machine? Is that just a matter of seconds?

Thanks in advance,
Eric
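
A server-side check for the settings this thread discusses (the listener port and the encryption configuration), as an added example that is not part of any poster's message. The function name and the sample values are hypothetical; PortNumber, MinEncryptionLevel and SecurityLayer are the registry values of the RDP-Tcp listener.

```powershell
# Added example: audit the RDP-Tcp listener settings on a terminal server.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerFindings {
    param([Parameter(Mandatory = $true)] $Settings)

    $encNames   = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
    $findings   = @()

    # The port only decides where the listener is reachable; record it so the
    # firewall mapping and the RdpPort value in default.htm can be compared.
    $port = [int]$Settings.PortNumber
    if ($port -eq 3389) {
        $findings += 'INFO  listener on default port 3389'
    } else {
        $findings += "INFO  listener moved to port $port; firewall rule and client RdpPort must match"
    }

    # Encryption level of the session data.
    $enc = [int]$Settings.MinEncryptionLevel
    if ($enc -lt 3) {
        $findings += "WARN  encryption level is '$($encNames[$enc])'; raise to High or FIPS Compliant"
    } else {
        $findings += "OK    encryption level is '$($encNames[$enc])'"
    }

    # Security layer: only Negotiate or SSL (TLS) lets the client authenticate the server.
    $layer = [int]$Settings.SecurityLayer
    if ($layer -eq 0) {
        $findings += "WARN  security layer is '$($layerNames[$layer])'; no TLS server authentication"
    } else {
        $findings += "OK    security layer is '$($layerNames[$layer])'"
    }
    return $findings
}

if (Test-Path $key) {
    # Real values from the local terminal server.
    Get-RdpListenerFindings -Settings (Get-ItemProperty -Path $key)
} else {
    # Constructed sample: listener remapped to port 80 with default-style settings.
    Get-RdpListenerFindings -Settings @{ PortNumber = 80; MinEncryptionLevel = 2; SecurityLayer = 0 }
}
```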
