Terminal Server / WAN question

 
 
JohnB
Guest
Posts: n/a

 
      06-30-2008, 12:10 AM
Every company that I have worked for in the past required a VPN connection
to RDP into their servers from remote connections. Either remote offices,
or from home. I just recently changed jobs and they "don't" require any
kind of VPN connection to Remote Desktop into one of their terminal servers.
They RDP in from remote offices and I can even RDP in from home, no VPN
connection required.

I'm not a router/security expert so I don't know the answer to this: is
this a common practice? It seems like a security risk to me. Is it?

TIA


Syed Khairuddin
Guest
Posts: n/a

 
      06-30-2008, 07:01 AM

Hello,

Seems that there is a Public IP hosted on the server which is not a
best practice of course because you are always exposed to the Internet and
anyone.

TS listens on 3389 and this number can be changed on TS Server. However, you
have a different problem with your solution. Users are authenticated on TS
Gateway and for that you need the TS Gateway to be joined to the domain. If
you make TS Gateway a workgroup machine to put it between two firewalls (DMZ),
then the domain users can't be authenticated on the Gateway. Therefore, if
you see the step-by-step guide, the recommendation is to put TS Gateway just
behind the edge device (e.g. ISA). Read the step-by-step guide:
http://go.microsoft.com/fwlink/?LinkID=85872



TS Web access is the one which gets hit first and TS Gateway is not in
the picture until then. When the application is invoked on the TS Web access
page, the traffic starts going through the TS Gateway. Therefore TS Web access
has to be internet facing.

You can put both on the same server if the load is less. If you are
expecting more than a few hundred simultaneous connections then put them on
different servers.

Thanks
 
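The listener settings mentioned in the reply above (port 3389, and whether it has been changed) can be read from the registry on the terminal server itself. This is an added example, not part of the original posts; it assumes a local, elevated PowerShell session, and the Network Level Authentication and security-layer checks go beyond what the thread discusses.

```powershell
# Added example: read-only audit of the RDP listener on a terminal server.
# Run locally in an elevated PowerShell prompt; nothing is modified.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

$ts  = Get-ItemProperty -Path $tsKey
$rdp = Get-ItemProperty -Path $rdpKey

# SecurityLayer values of the RDP-Tcp listener.
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

$port       = [int]$rdp.PortNumber
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# UserAuthentication is absent on systems that predate
# Network Level Authentication (NLA).
if ($null -eq $rdp.UserAuthentication) {
    $nla = 'value not present'
} elseif ($rdp.UserAuthentication -eq 1) {
    $nla = 'required'
} else {
    $nla = 'not required'
}

if ($null -eq $rdp.SecurityLayer) {
    $layer = 'value not present'
} else {
    $layer = $layerNames[[int]$rdp.SecurityLayer]
}

# Local addresses the listener is bound to, taken from netstat
# (0.0.0.0 or [::] means every interface; the state column is
# localized on non-English systems).
$bound = netstat -ano |
    Select-String -Pattern "^\s*TCP\s+\S+:${port}\s+\S+\s+LISTENING" |
    ForEach-Object { ($_.Line.Trim() -split '\s+')[1] }

[pscustomobject]@{
    RdpEnabled    = $rdpEnabled
    Port          = $port
    IsDefaultPort = ($port -eq 3389)
    SecurityLayer = $layer
    NLA           = $nla
    BoundTo       = ($bound -join ', ')
}
```

The output describes only the host's own listener; whether that port is reachable from the Internet depends on the edge firewall or NAT rules in front of it.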
JohnB
Guest
Posts: n/a

 
      06-30-2008, 02:29 PM
That guide is very good.

This paragraph here really explains well how TS is considered secure, when
VPN isn't used to secure the connection:
"In earlier versions of Windows Server, security measures prevented remote
users from connecting to internal network resources across firewalls and
NATs. This is because port 3389, the port used for RDP connections, is
typically blocked for network security purposes. TS Gateway transmits RDP
traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport
Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to
enable Internet connectivity, TS Gateway takes advantage of this network
design to provide remote access connectivity across multiple firewalls."

But I'm wondering if that information also applies to Terminal Server on
Windows Server 2003.
I looked for a 2003 comparable page and found this:
http://technet2.microsoft.com/window....mspx?mfr=true
But unfortunately that doesn't mention anything about TS.

Anyone know if TS 2003 transmits RDP traffic to port 443?






