Re: Allowing terminal server access to all internally, but only to a select few externally.
- From: seedofconspiracy <seedofconspiracy@xxxxxxxxx>
- Date: 8 May 2007 14:54:26 -0700
Thanks very much for both responses. Soo, that's a great idea!
I have however figured out a way to get this to work using a pre-
authentication scheme with my Sonicwall Pro 2040. Essentially, the
access control line that allows access to the terminal server via the
WAN interface was modified to allow only a specific user group. That
user group is mirrored from Active Directory via the LDAP setup in the
firewall. Authorized users now go to a webpage where they
authenticate with their AD credentials. The firewall then opens the
access control line which allows them to now connect to the terminal
server. Only those in the user group assigned to the access control
line can authenticate to this webpage.
It's an extra step, but it works, and seems much more secure than
having open access to the terminal server!
On May 8, 5:14 pm, "Soo Kuan Teo [MSFT]"
<sooku...@xxxxxxxxxxxxxxxxxxxx> wrote:
Alex,
I personally haven't done this before, but the following may work for you,
essentially to have 2 nic in your server, and use different connections for
internal and external access:
1. Have 2 NICs installed on your Terminal Server machine, nic1, nic2.
2. Use tscc.msc to have the default RDP-Tcp connection use nic1; create
a new connection, say Rdp-Tcp-Ext, and set it to use nic2.
3. Create a new local user group, say 'TS Internet Users', and add those users
you want to allow to use Terminal Services externally to this group.
4. Go to Local Security Policy (secpol.msc) -> Security Settings -> Local
Policies -> User Rights Assignment, and add 'TS Internet Users' to the policies 'Allow
log on locally' and 'Allow log on through Terminal Services'.
5. Use the tscc.msc Permissions tab to delete 'Remote Desktop Users' from the
Rdp-Tcp-Ext connection.
6. Use the tscc.msc Permissions tab to add 'TS Internet Users' to the Rdp-Tcp-Ext
connection.
Thanks
Soo Kuan
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"seedofconspiracy" <seedofconspir...@xxxxxxxxx> wrote in message
news:1178642467.944672.138680@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
Our current setup includes one terminal server which all users need
access to internally. However, I need to be able to restrict access
to only a select few accounts when accessing the server externally.
Currently, anyone that knows the public IP of the terminal server, and
has a domain account can RDP directly to the server and login. The
terminal server is behind a Sonicwall Pro 2040 firewall which is set
to allow the external connection from all IPs. I cannot use VPN. I
cannot restrict access based on IP (as the select few that need access
from an external location could be coming from any ip, i.e. hotel,
airport, starbucks, etc.).
Any ideas? Thanks!
-Alex
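Steps 3 to 6 of the procedure Soo Kuan describes above can be scripted rather than clicked through. The following is an added example, not code from the thread or from Microsoft: it assumes steps 1 and 2 (the second NIC and a connection named Rdp-Tcp-Ext bound to it) were already done in tscc.msc, that the script runs in an elevated PowerShell session on the terminal server, and that the account names in $ExternalUsers are placeholders to be replaced. It uses net localgroup for the group, secedit for the two user rights, and the Win32_TSPermissionsSetting / Win32_TSAccount WMI classes for the connection permissions; the final listing lets you check that the internal RDP-Tcp connection still carries 'Remote Desktop Users' while the external one carries only the new group.

```powershell
# Added example (not from the thread). Automates steps 3-6 of the procedure:
# local group, user rights, and per-connection permissions for Rdp-Tcp-Ext.
# Assumes Rdp-Tcp-Ext already exists (step 2) and an elevated session.

$GroupName     = 'TS Internet Users'                 # group name from the thread
$ExternalUsers = @('CONTOSO\alice', 'CONTOSO\bob')   # placeholder accounts, replace
$ExtConnection = 'Rdp-Tcp-Ext'                       # connection name from the thread

# Step 3: create the local group (if missing) and add the externally allowed users.
net localgroup $GroupName > $null 2>&1
if ($LASTEXITCODE -ne 0) { net localgroup $GroupName /add | Out-Null }
foreach ($u in $ExternalUsers) { net localgroup $GroupName $u /add | Out-Null }

# Step 4: grant 'Allow log on locally' (SeInteractiveLogonRight) and
# 'Allow log on through Terminal Services' (SeRemoteInteractiveLogonRight)
# to the group by editing an exported security template and re-applying it.
$cfg = Join-Path $env:TEMP 'ts-rights.inf'
$db  = Join-Path $env:TEMP 'ts-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$lines = @(Get-Content $cfg)
foreach ($right in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
    $idx = [array]::FindIndex($lines, [Predicate[string]] { param($l) $l -like "$right*" })
    if ($idx -ge 0) {
        # Right is already listed: append our SID unless it is already there.
        if ($lines[$idx] -notlike "*`*$sid*") { $lines[$idx] += ",*$sid" }
    } else {
        # Right not listed: add it directly under the [Privilege Rights] header
        # so it stays inside the correct section of the template.
        $hdr = [array]::IndexOf($lines, '[Privilege Rights]')
        $lines = $lines[0..$hdr] + "$right = *$sid" + $lines[($hdr + 1)..($lines.Count - 1)]
    }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode   # secedit exports as Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# Step 5: remove 'Remote Desktop Users' from the external connection only.
$perm = Get-WmiObject -Namespace root\cimv2 -Class Win32_TSPermissionsSetting `
            -Filter "TerminalName='$ExtConnection'"
if (-not $perm) { throw "Connection '$ExtConnection' not found; create it in tscc.msc first (step 2)." }
Get-WmiObject -Namespace root\cimv2 -Class Win32_TSAccount -Filter "TerminalName='$ExtConnection'" |
    Where-Object { $_.AccountName -like '*\Remote Desktop Users' } |
    ForEach-Object { $_.Delete() | Out-Null }

# Step 6: add the new group with the 'User Access' preset (PermissionPreSet 1;
# 0 = Guest Access, 2 = Full Control) on the external connection.
$perm.AddAccount("$env:COMPUTERNAME\$GroupName", 1) | Out-Null

# Verification: RDP-Tcp (internal) should still list Remote Desktop Users;
# Rdp-Tcp-Ext should list the new group and no longer list Remote Desktop Users.
Get-WmiObject -Namespace root\cimv2 -Class Win32_TSAccount |
    Where-Object { @('RDP-Tcp', $ExtConnection) -contains $_.TerminalName } |
    Select-Object TerminalName, AccountName, PermissionsAllowed |
    Format-Table -AutoSize
```

Because the two user rights apply server-wide rather than per connection, members of 'TS Internet Users' also gain interactive logon on the box; that is the trade-off Soo Kuan's step 4 already makes, and the per-connection permissions in steps 5 and 6 are what actually keep everyone else off the external NIC.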