Secure Terminal Server Access Over Internet


MS Poster

Guest
Hello:

I am new to TS and am trying to get some clarity on connecting external users.

I understand that I can have users connect to the corporate network using
a VPN and then connect to the TS. We currently have a corporate policy that
prevents users from connecting to the VPN from personal or home computers.
While this could be changed, we would prefer to not have to manage users
loading the VPN client (Cisco) on their personal machines.

It seems then that I can have users connect directly using the RD client
or use the TS Web Connection. Either way, it seems I will need to open 3389
directly to the Internet. This seems dubious. Is there a way to encrypt that
connection? Can I tunnel it through an SSH connection (and if so, can you point
me to some documentation for setting this up)? I have seen that the web connection
can be set to use HTTPS but that only deals with initiating the session --
TS traffic still runs over open 3389.

Any insight much appreciated. Finding clear answers to this (especially on
the MS site) is very difficult.

Thanks.
 
Re: Secure Terminal Server Access Over Internet

"MS Poster" <spamaway@nospam.com> wrote in message
news:b3173d7cc348c9eb428795faec@msnews.microsoft.com...
> Hello:
>
> I am new to TS and am trying to get some clarity on connecting external
> users.
>
> I understand that I can have users connect to the corporate network using
> a VPN and then connect to the TS. We currently have a corporate policy
> that prevents users from connecting to the VPN from personal or home
> computers. While this could be changed, we would prefer to not have to
> manage users loading the VPN client (Cisco) on their personal machines.
> It seems then that I can have users connect directly using the RD client
> or use the TS Web Connection. Either way, it seems I will need to open
> 3389 directly to the Internet. This seems dubious. Is there a way to
> encrypt that connection? Can I tunnel it through a SSH connection (and if
> so can you point me to some documentation for setting this up)? I have
> seen that the web connection can be set to use HTTPS but that only deals
> with initiating the session --
> TS traffic still runs over open 3389.
>
> Any insight much appreciated. Finding clear answers to this (especially on
> the MS site) is very difficult.
>
> Thanks.
>
>


The Remote Desktop connection is natively encrypted.

I use Remote Desktop through an SSH tunnel to access my home PCs. In my case
I use the Tunnelier SSH client (free for personal use). The nice thing about
Tunnelier is you can configure it to automatically launch a Remote Desktop
session to one computer once the SSH tunnel is connected and disconnect the
SSH tunnel once the Remote Desktop session is completed.

http://www.bitvise.com/tunnelier.html

http://www.bitvise.com/tunnelier-license

This is how I set up Tunnelier to access my home network. It would/should be
similar in a server environment.

http://theillustratednetwork.mvps.org/Ssh/Configure-Tunnelier.html

An old page (no longer maintained) for doing something similar with PuTTY.

http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html

Others can speak to using SSH in a server (i.e. W2K3/W2K for example)
environment. FWIW, I use the copSSH as my SSH server package of choice on a
Vista Ultimate desktop.

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375
 
Re: Secure Terminal Server Access Over Internet

Hello Sooner Al [MVP],
Thanks, Al. This is very informative. I was actually recently considering
Bitvise's FTP server as well.

A few questions:

- I have read before that the RD session is already encrypted. If that is
the case, why bother with further tunnelling as well? Is it high encryption?

- Would the copSSH server need to run on the TS server?

thanks.



> The Remote Desktop connection is natively encrypted.
>
> I use Remote Desktop through a SSH tunnel to access my home PCs. In my
> case I use the Tunnelier SSH client (free for personal use). The nice
> thing about Tunnelier is you can configure it to automatically launch
> a Remote Desktop session to one computer once the SSH tunnel is
> connected and disconnect the SSH tunnel once the Remote Desktop
> session is completed.
>
> http://www.bitvise.com/tunnelier.html
>
> http://www.bitvise.com/tunnelier-license
>
> This is how I setup Tunnelier to access my home network. It
> would/should be similar in a server environment.
>
> http://theillustratednetwork.mvps.org/Ssh/Configure-Tunnelier.html
>
> An old page (no longer maintained) for doing something similar with
> PuTTY.
>
> http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html
>
> Others can speak to using SSH in a server (ie. W2K3/W2K for example)
> environment. FWIW, I use the copSSH as my SSH server package of choice
> on a Vista Ultimate desktop.
>
> Please post *ALL* questions and replies to the news group for the
> mutual benefit of all of us...
> The MS-MVP Program - http://mvp.support.microsoft.com
> This posting is provided "AS IS" with no warranties, and confers no
> rights...
> How to ask a question
> http://support.microsoft.com/KB/555375
 
Re: Secure Terminal Server Access Over Internet

"MS Poster" <spamaway@nospam.com> wrote in message
news:b3173d7ccbf8c9eb52b916c26c@msnews.microsoft.com...
> Hello Sooner Al [MVP],
> Thanks, Al. this is very informative. I was actually recently considering
> Bitvise's FTP server as well.
>
> A few questions:
>
> - I have read before that the RD session is already encrypted. If that is
> the case, why bother with further tunnelling as well? Is it high
> encryption?
>
> - Would the copSSH server need to run on the TS server?
> thanks.
>
>
>


Speaking from a home-user-only standpoint, I use an SSH tunnel for a couple of
reasons...

* I can use a private/public key pair protected by a strong password for
authentication on my SSH server versus using a password only (strong or
otherwise) if I just accessed my desktops using Remote Desktop.

* I can access any of the PCs on my home LAN using Remote Desktop by only
opening one hole in my firewall/router versus multiple holes if I used a
different listening port for each PC Remote Desktop session.

You should be able to put the SSH server on any computer/server and access
the TS Server through the tunnel.

I have not looked at using the Bitvise WinSSHD server since copSSH provides
the same functionality (i.e. SSH server, SFTP, SOCKS proxy, etc...etc) plus
it's free. The latter reason (i.e. free) is the main one...:-)

http://www.itefix.no/phpws/index.ph...er_op=view_page&PAGE_id=12&MMN_position=22:22

--

Al Jarvi (MS-MVP Windows Networking)

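
The arrangement described in the two answers above (key-pair login, a single port opened at the router, an SSH server on any LAN machine relaying Remote Desktop to the TS), written out as an added example that is not part of the original posts. copSSH packages OpenSSH, so the server half uses sshd_config keywords; the client half uses OpenSSH's ssh_config in place of Tunnelier or PuTTY. The account `tsuser`, the host names, the addresses, the key path and the local ports are assumptions.

```sshconfig
# ---- Server: sshd_config on the one SSH host reachable from the Internet ----
# Constructed example. tsuser, ts01.corp.example and 192.168.1.20 are placeholders.

# Key pairs only: no password logins on the exposed service.
PubkeyAuthentication yes
PasswordAuthentication no
# Named ChallengeResponseAuthentication in older OpenSSH releases.
KbdInteractiveAuthentication no
AllowUsers tsuser

# The tunnel account may only relay to the RDP port of the listed machines.
Match User tsuser
    AllowTcpForwarding local
    PermitOpen ts01.corp.example:3389 192.168.1.20:3389
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no

# ---- Client: ~/.ssh/config on the remote user's machine ----
# Only the SSH port is forwarded at the router; 3389 stays closed to the
# Internet. Each internal machine gets its own loopback port on the client.
Host ts-gateway
    HostName gateway.example.net
    Port 22
    User tsuser
    IdentityFile ~/.ssh/id_ed25519_ts
    IdentitiesOnly yes
    # Abort instead of running a session with a forward missing.
    ExitOnForwardFailure yes
    LocalForward 127.0.0.1:13389 ts01.corp.example:3389
    LocalForward 127.0.0.1:13390 192.168.1.20:3389

# Usage: ssh -N ts-gateway
# then:  mstsc /v:127.0.0.1:13389   (terminal server)
#        mstsc /v:127.0.0.1:13390   (second PC on the LAN)
```

Binding the forwards to 127.0.0.1 keeps the relayed RDP ports unreachable from other machines on the client's network.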
 
Re: Secure Terminal Server Access Over Internet

Thanks. Looks like I've got some weekend fun :-) (scary, eh?)

Hello Sooner Al [MVP],

> "MS Poster" <spamaway@nospam.com> wrote in message
> news:b3173d7ccbf8c9eb52b916c26c@msnews.microsoft.com...
>
>> Hello Sooner Al [MVP],
>> Thanks, Al. this is very informative. I was actually recently
>> considering
>> Bitvise's FTP server as well.
>> A few questions:
>>
>> - I have read before that the RD session is already encrypted. If
>> that is the case, why bother with further tunnelling as well? Is it
>> high encryption?
>>
>> - Would the copSSH server need to run on the TS server? thanks.
>>

> Speaking from a home user only standpoint I use a SSH tunnel for a
> couple of reasons...
>
> * I can use a private/public key pair protected by a strong password
> for authentication on my SSH server versus using a password only
> (strong or otherwise) if I just accessed my desktops using Remote
> Desktop.
>
> * I can access any of the PCs on my home LAN using Remote Desktop by
> only opening one hole in my firewall/router versus multiple holes if I
> used a different listening port for each PC Remote Desktop session.
>
> You should be able to put the SSH server on any computer/server and
> access the TS Server through the tunnel.
>
> I have not looked at using the Bitvise WinSSHD server since copSSH
> provides the same functionality (ie. SSH server, SFTP, SOCKS proxy,
> etc...etc) plus it free. The latter reason (ie. free) is the main
> one...:-)
>
> http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=vi
> ew_page&PAGE_id=12&MMN_position=22:22
>
> Please post *ALL* questions and replies to the news group for the
> mutual benefit of all of us...
> The MS-MVP Program - http://mvp.support.microsoft.com
> This posting is provided "AS IS" with no warranties, and confers no
> rights...
> How to ask a question
> http://support.microsoft.com/KB/555375
 
Re: Secure Terminal Server Access Over Internet

"MS Poster" <spamaway@nospam.com> wrote in message
news:b3173d7cd0d8c9eb5bf14b0b26@msnews.microsoft.com...
> Thanks. Looks like I've got some weekend fun :-) (scary, eh?)
>
> Hello Sooner Al [MVP],
>
>> "MS Poster" <spamaway@nospam.com> wrote in message
>> news:b3173d7ccbf8c9eb52b916c26c@msnews.microsoft.com...
>>
>>> Hello Sooner Al [MVP],
>>> Thanks, Al. this is very informative. I was actually recently
>>> considering
>>> Bitvise's FTP server as well.
>>> A few questions:
>>>
>>> - I have read before that the RD session is already encrypted. If
>>> that is the case, why bother with further tunnelling as well? Is it
>>> high encryption?
>>>
>>> - Would the copSSH server need to run on the TS server? thanks.
>>>

>> Speaking from a home user only standpoint I use a SSH tunnel for a
>> couple of reasons...
>>
>> * I can use a private/public key pair protected by a strong password
>> for authentication on my SSH server versus using a password only
>> (strong or otherwise) if I just accessed my desktops using Remote
>> Desktop.
>>
>> * I can access any of the PCs on my home LAN using Remote Desktop by
>> only opening one hole in my firewall/router versus multiple holes if I
>> used a different listening port for each PC Remote Desktop session.
>>
>> You should be able to put the SSH server on any computer/server and
>> access the TS Server through the tunnel.
>>
>> I have not looked at using the Bitvise WinSSHD server since copSSH
>> provides the same functionality (ie. SSH server, SFTP, SOCKS proxy,
>> etc...etc) plus it free. The latter reason (ie. free) is the main
>> one...:-)
>>
>> http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=vi
>> ew_page&PAGE_id=12&MMN_position=22:22
>>
>> Please post *ALL* questions and replies to the news group for the
>> mutual benefit of all of us...
>> The MS-MVP Program - http://mvp.support.microsoft.com
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights...
>> How to ask a question
>> http://support.microsoft.com/KB/555375

>
>


Nah... Sounds like fun...

FWIW, here are some thoughts on securing my copSSH server including creating
user key pairs with Tunnelier or PuTTY.

http://theillustratednetwork.mvps.org/Ssh/SecureYourcopSSHServer-Vista.html

Also, please note that I *do not* work in a server (i.e. W2K3/W2K)
environment so I will be of limited help beyond some of the basics I pointed
you to. I'm an old retired guy that strictly works in a small office/home
office (SoHo) workgroup environment. I only hang out here because I can
learn a lot from the TS experts (MVPs, MS folks and others)...

Good luck...and have fun...

--

Al Jarvi (MS-MVP Windows Networking)

 