
Secure Terminal Server Access Over Internet



Guest MS Poster
Posted

Hello:

 

I am new to TS and am trying to get some clarity on connecting external users.

 

I understand that I can have users connect to the corporate network using

a VPN and then connect to the TS. We currently have a corporate policy that

prevents users from connecting to the VPN from personal or home computers.

While this could be changed, we would prefer to not have to manage users

loading the VPN client (Cisco) on their personal machines.

 

It seems then that I can have users connect directly using the RD client

or use the TS Web Connection. Either way, it seems I will need to open 3389

directly to the Internet. This seems dubious. Is there a way to encrypt that

connection? Can I tunnel it through a SSH connection (and if so can you point

me to some documentation for setting this up)? I have seen that the web connection

can be set to use HTTPS but that only deals with initiating the session --

TS traffic still runs over open 3389.

 

Any insight much appreciated. Finding clear answers to this (especially on

the MS site) is very difficult.

 

Thanks.


Guest Sooner Al [MVP]
Posted

Re: Secure Terminal Server Access Over Internet

 

"MS Poster" <spamaway@nospam.com> wrote in message

news:b3173d7cc348c9eb428795faec@msnews.microsoft.com...

> Hello:

>

> I am new to TS and am trying to get some clarity on connecting external

> users.

>

> I understand that I can have users connect to the corporate network using

> a VPN and then connect to the TS. We currently have a corporate policy

> that prevents users from connecting to the VPN from personal or home

> computers. While this could be changed, we would prefer to not have to

> manage users loading the VPN client (Cisco) on their personal machines.

> It seems then that I can have users connect directly using the RD client

> or use the TS Web Connection. Either way, it seems I will need to open

> 3389 directly to the Internet. This seems dubious. Is there a way to

> encrypt that connection? Can I tunnel it through a SSH connection (and if

> so can you point me to some documentation for setting this up)? I have

> seen that the web connection can be set to use HTTPS but that only deals

> with initiating the session --

> TS traffic still runs over open 3389.

>

> Any insight much appreciated. Finding clear answers to this (especially on

> the MS site) is very difficult.

>

> Thanks.

>

>

 

The Remote Desktop connection is natively encrypted.

 

I use Remote Desktop through a SSH tunnel to access my home PCs. In my case

I use the Tunnelier SSH client (free for personal use). The nice thing about

Tunnelier is you can configure it to automatically launch a Remote Desktop

session to one computer once the SSH tunnel is connected and disconnect the

SSH tunnel once the Remote Desktop session is completed.

 

http://www.bitvise.com/tunnelier.html

 

http://www.bitvise.com/tunnelier-license

 

This is how I set up Tunnelier to access my home network. It would/should be

similar in a server environment.

 

http://theillustratednetwork.mvps.org/Ssh/Configure-Tunnelier.html

 

An old page (no longer maintained) for doing something similar with PuTTY.

 

http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html

 

Others can speak to using SSH in a server (ie. W2K3/W2K for example)

environment. FWIW, I use the copSSH as my SSH server package of choice on a

Vista Ultimate desktop.

 

--

 

Al Jarvi (MS-MVP Windows Networking)

 

Please post *ALL* questions and replies to the news group for the

mutual benefit of all of us...

The MS-MVP Program - http://mvp.support.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no

rights...

How to ask a question

http://support.microsoft.com/KB/555375

Guest MS Poster
Posted

Re: Secure Terminal Server Access Over Internet

 

Hello Sooner Al [MVP],

Thanks, Al. This is very informative. I was actually recently considering

Bitvise's FTP server as well.

 

A few questions:

 

- I have read before that the RD session is already encrypted. If that is

the case, why bother with further tunnelling as well? Is it high encryption?

 

- Would the copSSH server need to run on the TS server?

 

thanks.

 

>>

> The Remote Desktop connection is natively encrypted.

>

> I use Remote Desktop through a SSH tunnel to access my home PCs. In my

> case I use the Tunnelier SSH client (free for personal use). The nice

> thing about Tunnelier is you can configure it to automatically launch

> a Remote Desktop session to one computer once the SSH tunnel is

> connected and disconnect the SSH tunnel once the Remote Desktop

> session is completed.

>

> http://www.bitvise.com/tunnelier.html

>

> http://www.bitvise.com/tunnelier-license

>

> This is how I set up Tunnelier to access my home network. It

> would/should be similar in a server environment.

>

> http://theillustratednetwork.mvps.org/Ssh/Configure-Tunnelier.html

>

> An old page (no longer maintained) for doing something similar with

> PuTTY.

>

> http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html

>

> Others can speak to using SSH in a server (ie. W2K3/W2K for example)

> environment. FWIW, I use the copSSH as my SSH server package of choice

> on a Vista Ultimate desktop.

>

> Please post *ALL* questions and replies to the news group for the

> mutual benefit of all of us...

> The MS-MVP Program - http://mvp.support.microsoft.com

> This posting is provided "AS IS" with no warranties, and confers no

> rights...

> How to ask a question

> http://support.microsoft.com/KB/555375

Guest Sooner Al [MVP]
Posted

Re: Secure Terminal Server Access Over Internet

 

"MS Poster" <spamaway@nospam.com> wrote in message

news:b3173d7ccbf8c9eb52b916c26c@msnews.microsoft.com...

> Hello Sooner Al [MVP],

> Thanks, Al. This is very informative. I was actually recently considering

> Bitvise's FTP server as well.

>

> A few questions:

>

> - I have read before that the RD session is already encrypted. If that is

> the case, why bother with further tunnelling as well? Is it high

> encryption?

>

> - Would the copSSH server need to run on the TS server?

> thanks.

>

>

>

 

Speaking from a home user only standpoint I use a SSH tunnel for a couple of

reasons...

 

* I can use a private/public key pair protected by a strong password for

authentication on my SSH server versus using a password only (strong or

otherwise) if I just accessed my desktops using Remote Desktop.

 

* I can access any of the PCs on my home LAN using Remote Desktop by only

opening one hole in my firewall/router versus multiple holes if I used a

different listening port for each PC Remote Desktop session.

 

You should be able to put the SSH server on any computer/server and access

the TS Server through the tunnel.

 

I have not looked at using the Bitvise WinSSHD server since copSSH provides

the same functionality (ie. SSH server, SFTP, SOCKS proxy, etc...etc) plus

it's free. The latter reason (ie. free) is the main one...:-)

 

http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=12&MMN_position=22:22

 

--

 

Al Jarvi (MS-MVP Windows Networking)

 

Please post *ALL* questions and replies to the news group for the

mutual benefit of all of us...

The MS-MVP Program - http://mvp.support.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no

rights...

How to ask a question

http://support.microsoft.com/KB/555375
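
A check for the setup described in the reply above (key-pair authentication on the SSH server, one opened port reaching several Remote Desktop hosts), as an added example that is not part of the original posts. It assumes the SSH server reads an OpenSSH-style `sshd_config`; the LAN addresses and both sample files are constructed.

```python
"""Audit the global section of an sshd_config used as an SSH-to-RDP jump host."""
RDP_PORT = "3389"

def effective_settings(config_text):
    """Map keyword -> argument list. sshd uses the first value it reads for a
    keyword, so later duplicates are ignored. Stops at the first Match block."""
    settings = {}
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment line
        if parts[0].lower() == "match":
            break
        settings.setdefault(parts[0].lower(), parts[1:])
    return settings

def _first(settings, key, default):
    args = settings.get(key)
    return args[0].lower() if args else default

def audit(config_text, rdp_hosts):
    """Return findings; an empty list means key-only auth and RDP-only forwards."""
    s = effective_settings(config_text)
    findings = []
    if _first(s, "passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': passwords are accepted")
    if _first(s, "pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication is 'no': key pairs cannot be used")
    if _first(s, "allowtcpforwarding", "yes") not in ("yes", "all", "local"):
        findings.append("AllowTcpForwarding blocks the local forward RDP needs")
    wanted = {f"{host}:{RDP_PORT}" for host in rdp_hosts}
    extra = sorted(set(s.get("permitopen") or ["any"]) - wanted)
    if extra:
        findings.append("PermitOpen allows non-RDP targets: " + ", ".join(extra))
    return findings

# Constructed samples: addresses stand in for PCs behind the single opened port.
HOSTS = ["192.168.1.10", "192.168.1.11"]
SAMPLE_DEFAULTS = "Port 22\nPubkeyAuthentication yes\n"
SAMPLE_HARDENED = (
    "Port 22\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
    "AllowTcpForwarding local\n"
    "PermitOpen 192.168.1.10:3389 192.168.1.11:3389\n"
)

if __name__ == "__main__":
    for name, text in (("defaults", SAMPLE_DEFAULTS), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text, HOSTS) or "ok")
```

With the defaults left in place the server still accepts passwords and will forward to any host and port, so the single firewall hole reaches more than the Remote Desktop listeners.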

Guest MS Poster
Posted

Re: Secure Terminal Server Access Over Internet

 

Thanks. Looks like I've got some weekend fun :-) (scary, eh?)

 

Hello Sooner Al [MVP],

> "MS Poster" <spamaway@nospam.com> wrote in message

> news:b3173d7ccbf8c9eb52b916c26c@msnews.microsoft.com...

>

>> Hello Sooner Al [MVP],

>> Thanks, Al. This is very informative. I was actually recently

>> considering

>> Bitvise's FTP server as well.

>> A few questions:

>>

>> - I have read before that the RD session is already encrypted. If

>> that is the case, why bother with further tunnelling as well? Is it

>> high encryption?

>>

>> - Would the copSSH server need to run on the TS server? thanks.

>>

> Speaking from a home user only standpoint I use a SSH tunnel for a

> couple of reasons...

>

> * I can use a private/public key pair protected by a strong password

> for authentication on my SSH server versus using a password only

> (strong or otherwise) if I just accessed my desktops using Remote

> Desktop.

>

> * I can access any of the PCs on my home LAN using Remote Desktop by

> only opening one hole in my firewall/router versus multiple holes if I

> used a different listening port for each PC Remote Desktop session.

>

> You should be able to put the SSH server on any computer/server and

> access the TS Server through the tunnel.

>

> I have not looked at using the Bitvise WinSSHD server since copSSH

> provides the same functionality (ie. SSH server, SFTP, SOCKS proxy,

> etc...etc) plus it's free. The latter reason (ie. free) is the main

> one...:-)

>

> http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=12&MMN_position=22:22

>

> Please post *ALL* questions and replies to the news group for the

> mutual benefit of all of us...

> The MS-MVP Program - http://mvp.support.microsoft.com

> This posting is provided "AS IS" with no warranties, and confers no

> rights...

> How to ask a question

> http://support.microsoft.com/KB/555375

Guest Sooner Al [MVP]
Posted

Re: Secure Terminal Server Access Over Internet

 

"MS Poster" <spamaway@nospam.com> wrote in message

news:b3173d7cd0d8c9eb5bf14b0b26@msnews.microsoft.com...

> Thanks. Looks like I've got some weekend fun :-) (scary, eh?)

>

> Hello Sooner Al [MVP],

>

>> "MS Poster" <spamaway@nospam.com> wrote in message

>> news:b3173d7ccbf8c9eb52b916c26c@msnews.microsoft.com...

>>

>>> Hello Sooner Al [MVP],

>>> Thanks, Al. This is very informative. I was actually recently

>>> considering

>>> Bitvise's FTP server as well.

>>> A few questions:

>>>

>>> - I have read before that the RD session is already encrypted. If

>>> that is the case, why bother with further tunnelling as well? Is it

>>> high encryption?

>>>

>>> - Would the copSSH server need to run on the TS server? thanks.

>>>

>> Speaking from a home user only standpoint I use a SSH tunnel for a

>> couple of reasons...

>>

>> * I can use a private/public key pair protected by a strong password

>> for authentication on my SSH server versus using a password only

>> (strong or otherwise) if I just accessed my desktops using Remote

>> Desktop.

>>

>> * I can access any of the PCs on my home LAN using Remote Desktop by

>> only opening one hole in my firewall/router versus multiple holes if I

>> used a different listening port for each PC Remote Desktop session.

>>

>> You should be able to put the SSH server on any computer/server and

>> access the TS Server through the tunnel.

>>

>> I have not looked at using the Bitvise WinSSHD server since copSSH

>> provides the same functionality (ie. SSH server, SFTP, SOCKS proxy,

>> etc...etc) plus it's free. The latter reason (ie. free) is the main

>> one...:-)

>>

>> http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=12&MMN_position=22:22

>>

>> Please post *ALL* questions and replies to the news group for the

>> mutual benefit of all of us...

>> The MS-MVP Program - http://mvp.support.microsoft.com

>> This posting is provided "AS IS" with no warranties, and confers no

>> rights...

>> How to ask a question

>> http://support.microsoft.com/KB/555375

>

>

 

Nah... Sounds like fun...

 

FWIW, here are some thoughts on securing my copSSH server including creating

user key pairs with Tunnelier or PuTTY.

 

http://theillustratednetwork.mvps.org/Ssh/SecureYourcopSSHServer-Vista.html

 

Also, please note that I *do not* work in a server (ie. W2K3/W2K)

environment so I will be of limited help beyond some of the basics I pointed

you to. I'm an old retired guy that strictly works in a small office/home

office (SoHo) workgroup environment. I only hang out here because I can

learn a lot from the TS experts (MVPs, MS folks and others)...

 

Good luck...and have fun...

 

--

 

Al Jarvi (MS-MVP Windows Networking)

 

Please post *ALL* questions and replies to the news group for the

mutual benefit of all of us...

The MS-MVP Program - http://mvp.support.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no

rights...

How to ask a question

http://support.microsoft.com/KB/555375

