
Secure and easy terminal server connection



Guest Andrea Caldarone
Posted

Hi all,

We have developed software that runs on a Windows 2003 Server. Our customers use the software remotely by connecting via RDP to the server.

1) Our customers often have to re-configure their firewall because outgoing communication to TCP port 3389 is not allowed.

2) Currently we authenticate users only with user/password and filtering their IP addresses with our Cisco firewall, so every time we have to reconfigure its access-list: if a customer changes its connection we have to reconfigure, or if we want to make a demo somewhere we have to reconfigure...

We want to improve this situation.

Is it possible to authenticate with a certificate stored on a USB device? We don't want to use smart cards because we don't want to force our customers to buy a smart card reader. What do you think about SSL tunneling (granted with our firewall) to avoid customer's firewall reconfiguration?

All ideas are welcome!

Guest Sergey Kuzin[MSFT]
Posted

Re: Secure and easy terminal server connection

 

Neither one is possible with Windows 2003 Server.

You can change the port number the server listens on and install a certificate, but the protocol on the wire will not be entirely SSL (the first packet is X.224 connect request).

A pure SSL connection is possible with Vista and above, though. You just need to add "negotiate security layer:i:0" to the default.rdp file on the client.

 

Thx,

Sergey.

 

--

This posting is provided "AS IS" with no warranties, and confers no rights.

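To illustrate the point in the reply above that the first packet on the wire is an X.224 connect request rather than SSL, here is an added example (not part of the original thread) that classifies the first client bytes of a connection the way a gateway expecting SSL would have to. The field layout follows TPKT (RFC 1006) and the RDP negotiation request in MS-RDPBCGR; the function names and the sample packets are constructed for this example.

```python
import struct

# requestedProtocols bits in the RDP negotiation request (MS-RDPBCGR).
# A value of 0, or no negotiation request at all, means standard RDP security.
PROTOCOLS = {0x1: "PROTOCOL_SSL", 0x2: "PROTOCOL_HYBRID"}


def build_connect_request(cookie, requested):
    """Build a constructed TPKT + X.224 Connection Request for testing."""
    neg = b"" if requested is None else struct.pack("<BBHI", 0x01, 0, 8, requested)
    body = cookie + neg
    # X.224 CR: length indicator, code 0xE0, DST-REF, SRC-REF, class option
    x224 = bytes([6 + len(body), 0xE0]) + b"\x00" * 5 + body
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224


def classify_first_packet(data):
    """Return what the first client bytes of a connection look like."""
    # TLS record: type 0x16 (handshake), version 3.x, handshake type 1 (ClientHello)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return {"kind": "tls_client_hello"}
    # TPKT header: version 3, reserved 0, big-endian total length
    if len(data) < 11 or data[:2] != b"\x03\x00":
        return {"kind": "unknown"}
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if not 11 <= tpkt_len <= len(data):
        return {"kind": "unknown"}  # truncated or malformed length
    if data[4] != tpkt_len - 5 or (data[5] & 0xF0) != 0xE0:
        return {"kind": "unknown"}  # not an X.224 Connection Request
    body = data[11:tpkt_len]
    requested = 0
    # Optional trailing RDP_NEG_REQ: type 0x01, flags, length 8 (LE), protocols (LE)
    if len(body) >= 8 and body[-8] == 0x01 and body[-6:-4] == b"\x08\x00":
        (requested,) = struct.unpack("<I", body[-4:])
        body = body[:-8]
    names = [n for bit, n in PROTOCOLS.items() if requested & bit]
    return {
        "kind": "x224_connect_request",
        # Optional cookie or routing token, terminated by CR LF
        "cookie": body.rstrip(b"\r\n").decode("ascii", "replace") or None,
        "requested": names or ["PROTOCOL_RDP"],
    }


if __name__ == "__main__":
    sample = build_connect_request(b"Cookie: mstshash=demo\r\n", 0x1)
    print(classify_first_packet(sample))
```

Even when the client requests `PROTOCOL_SSL`, the request itself travels in the clear X.224 packet, so changing the listening port alone does not make the first bytes look like an SSL handshake.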

Guest Helge Klein
Posted

Re: Secure and easy terminal server connection

 

Andrea,

 

there are various third-party solutions that provide the SSL tunneling functionality. Probably the most widely used is Citrix Secure Gateway which comes with Citrix Presentation Server. It would, however, require some version of Presentation Server (an add-on to Terminal Services) on your server.

 

Helge

---------------------------

Please visit my blog at:

 

http://it-from-inside.blogspot.com

---------------------------

 


