Re: remote desktop over https w/out ts gateway?
- From: "geekyguy" <geeky@xxxxxxx>
- Date: Thu, 18 Jun 2009 11:34:14 -0400
"Vera Noest [MVP]" <Vera.Noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:Xns9C2E7439EA995veranoesthemutforsse@xxxxxxxxxxxxxxxx
I'm not sure that I follow your setup.
Let me explain...the only access I have to the remote location currently is via RD/3389, which I have open on the firewall.
I'm trying to set up TSGateway so I can close that port, but I can't close it until I have verified TSGateway is working.
I can just close the port and then see if I can connect on 443, but I thought there might be a way to test it without manually shutting down the ports.
Have a look at the drawing here, it explains very clearly which
ports are supposed to be open in which firewall:
Terminal Services Gateway Overview
http://blogs.technet.com/askperf/archive/2008/02/26/ws2008-terminal-services-gateway-overview.aspx
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*
"geekyguy" <geeky@xxxxxxx> wrote on 18 jun 2009:
OK, thanks...I went through this step-through and have one
question.
I set up TSGateway on the remote server while connected through
Remote Desktop <g>. The remote server is part of a non-public
namespace that I created (e.g. myserver.mydomain.local).
Currently I connect just by specifying the public IP of the
server, and I have 3389 open on the firewall at the remote
location.
After configuring TSGateway on that server using a self-signed
cert, and following the instructions to add the cert to my
Trusted Root Certs on my client, I tried to connect using RD and
the IP address and got in.
I then added a DNS entry to my local DNS with the non-public
namespace name, like "myTSGateway.mydomain.local" pointing to
the public IP address of the remote server, and when I tried to
connect by that name I was prompted to reauthenticate with a
valid domain admin login/pwd (I left TSGateway set up with the
default "Administrators" group as the only allowed group).
...but in TSGateway monitor on the server, I don't see an active
gateway connection, so I presume I'm just connecting on
3389?...OK, I just netstat'd the local box and it shows the
connection on 3389...
Is there any way to "force" the RD connection over HTTPS, short
of blocking 3389 on the firewall?
"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:Xns9C2DDB731442Everanoesthemutforsse@xxxxxxxxxxxxxxxx
TS Gateway is available in Windows Server 2008, no need to wait
for R2.
Windows Server 2008 TS Gateway Server Step-by-Step Guide
http://technet2.microsoft.com/WindowsServer2008/en/library/722f3aa8-2f22-462f-bcc6-72ad31713ddd1033.mspx
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
"geekyguy" <geeky@xxxxxxx> wrote on 17 jun 2009 in
microsoft.public.windows.terminal_services:
Hi All: I have a webserver (2003 web edition) in a 2008 domain
in a remote colo facility, and I have remote desktop enabled
on the webserver.
During a PCI Compliance scan, this port being open is
considered a serious enough vulnerability to fail
certification, and the recommended solution is to route RD
over https. After googling around a bit, I found a lot of
information about using TS Gateway to do this, but it seems
like TS Gateway is only available in 2008 R2, which still
isn't RTM yet? I don't have a test server at the remote
location to try to install R2 RC on, and my understanding is
if I did install it, I'd have to do a reinstall of the OS when
RTM is available.
Is there any other way to secure RD other than TS Gateway?
If not, I suppose I could block 3389 at the network firewall
for the webserver, and then RD onto a different server on that
LAN and then onto the webserver, but aside from the additional
steps involved, that's kinda cheating <g>
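The test geekyguy describes can be made unambiguous from the client side: instead of relying on which path mstsc happens to pick for a name that resolves to the public IP, write an .rdp file that is only allowed to go through the gateway, then check the sockets and the gateway's own log. This is an added example, not code from the thread; the hostnames are the ones used in the post, while the file path, the function names and the event-log query are my assumptions.

```powershell
# Added example. Hostnames come from the thread; $Path and the
# function names are assumptions for illustration.

# 1. An .rdp file that can only connect through the gateway.
#    gatewayusagemethod 1 = always use the gateway. With the client's
#    default ("automatically detect") or 2 ("bypass for local addresses")
#    mstsc may still connect straight to 3389 while the port is open,
#    which is exactly what geekyguy saw in netstat.
function New-GatewayRdpFile {
    param(
        [string]$Target,
        [string]$Gateway,
        [string]$Path = "$env:USERPROFILE\Desktop\via-gateway.rdp"
    )
    @"
full address:s:$Target
gatewayhostname:s:$Gateway
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
"@ | Set-Content -Path $Path -Encoding Unicode
    return $Path
}

# 2. Client-side check: list every ESTABLISHED TCP connection whose remote
#    port is 3389 or 443. A brokered session shows only 443 to the gateway;
#    a direct session shows 3389 to the server's public IP.
function Get-RdpPaths {
    netstat -n | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+\s+(\S+):(3389|443)\s+ESTABLISHED') {
            New-Object PSObject -Property @{
                Remote = $Matches[1]
                Port   = [int]$Matches[2]
                Path   = if ($Matches[2] -eq '443') { 'via gateway (HTTPS)' } else { 'direct RDP' }
            }
        }
    }
}

# 3. Server-side check, run on the gateway: every brokered session is
#    written to the TS Gateway operational log, so a connection that never
#    shows up here went around the gateway.
function Get-GatewayConnections {
    param([string]$Target)
    Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-Gateway/Operational' -MaxEvents 50 |
        Where-Object { $_.Message -match [regex]::Escape($Target) } |
        Select-Object TimeCreated, Id, Message
}

$rdp = New-GatewayRdpFile -Target 'myserver.mydomain.local' -Gateway 'myTSGateway.mydomain.local'
Start-Process mstsc.exe $rdp   # log in, then run Get-RdpPaths in this window
```

If `Get-RdpPaths` shows 443 to the gateway and nothing on 3389 while the session is up, the gateway path works and 3389 can be closed on the firewall with no further guessing.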