Can TS Gateway run on the same Server as TS itself ?

zaz
We have a small network with under 30 users and only 10 external staff want
to implement a TS with TS Gateway for external SSL connections and to save us
having to open up port 3389 to the internet in general. It seems overkill to
use 2 servers to do this so ... is it possible to run TS Gateway on the same
server as the actual Terminal Server itself?
We are thinking of this to save the need for a 2nd TS gateway server when
just one well specified server will do the job.
I understand that we would have to open the TS up to the internet on port
443, but for a small user this seems acceptable assuming we
configure/patch/harden the server properly.
Thanks in advance :>
 
Re: Can TS Gateway run on the same Server as TS itself ?

It can but it would be a security risk. The whole idea of TSGateway is to act
as a man in the middle for TS in the DMZ while the terminal server is in the
protected networks. By doing what you plan on, you're exposing the internal
network which seems risky considering the small requirements of TSGateway
which would easily run on a workstation class machine.

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"zaz" <bramblewood@noemail.noemail> wrote in message
news:28EAFF81-C279-43D1-80BA-FB7D0E2AB9E7@microsoft.com...
> We have a small network with under 30 users and only 10 external staff
> want
> to implement a TS with TS Gateway for external SSL connections and to save
> us
> having to open up port 3389 to the internet in general. It seems overkill
> to
> use 2 servers to do this so ... is it possible to run TS Gateway on the
> same
> server as the actual Terminal Server itself?
> We are thinking of this to save the need for a 2nd TS gateway server when
> just one well specified server will do the job.
> I understand that we would have to open the TS up to the internet on port
> 443, but for a small user this seems acceptable assuming we
> configure/patch/harden the server properly.
> Thanks in advance :>
>
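
Jeff's point about placement, as an added example that is not part of the original thread: a small Python model comparing what a compromised internet-facing host can reach directly in each layout. Host names, zones, firewall rules, and the assumption that hosts in the same zone are unfiltered are all constructed for illustration.

```python
"""Compare the reach of a compromised internet-facing host in two layouts."""

# Constructed topologies. "hosts" maps host -> zone; "rules" lists the
# (source, destination host, TCP port) flows the firewall permits.
COLOCATED = {
    "hosts": {"ts-and-gw": "internal", "fileserver": "internal", "dc": "internal"},
    "rules": [("internet", "ts-and-gw", 443)],
}
SPLIT = {
    "hosts": {"tsgw": "dmz", "ts": "internal",
              "fileserver": "internal", "dc": "internal"},
    # Assumption: only RDP is allowed from the gateway inward; any other
    # traffic a real gateway needs toward internal systems is omitted here.
    "rules": [("internet", "tsgw", 443), ("tsgw", "ts", 3389)],
}


def internet_facing(topology):
    """Hosts that accept connections from the internet."""
    return sorted({dst for src, dst, _ in topology["rules"] if src == "internet"})


def reachable_after_compromise(topology, host):
    """Map of host -> "any" or list of ports reachable from a compromised host.

    Assumption: hosts in the same zone sit on a flat, unfiltered LAN, so every
    port is reachable; crossing zones requires an explicit firewall rule.
    """
    hosts, zone = topology["hosts"], topology["hosts"][host]
    reach = {h: "any" for h, z in hosts.items() if h != host and z == zone}
    for src, dst, port in topology["rules"]:
        if src == host and reach.get(dst) != "any":
            reach.setdefault(dst, []).append(port)
    return reach


def report(name, topology):
    """One summary line per internet-facing host in the topology."""
    return [
        f"{name}: {host} exposed -> {reachable_after_compromise(topology, host)}"
        for host in internet_facing(topology)
    ]


if __name__ == "__main__":
    for name, topo in (("co-located", COLOCATED), ("gateway in DMZ", SPLIT)):
        print("\n".join(report(name, topo)))
```
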
 
Re: Can TS Gateway run on the same Server as TS itself ?

zaz wrote:
> We have a small network with under 30 users and only 10 external staff want
> to implement a TS with TS Gateway for external SSL connections and to save us
> having to open up port 3389 to the internet in general. It seems overkill to
> use 2 servers to do this so ... is it possible to run TS Gateway on the same
> server as the actual Terminal Server itself?
> We are thinking of this to save the need for a 2nd TS gateway server when
> just one well specified server will do the job.
> I understand that we would have to open the TS up to the internet on port
> 443, but for a small user this seems acceptable assuming we
> configure/patch/harden the server properly.
> Thanks in advance :>
>


I second Jeff's reply.

As an alternative, you can install an SSL-VPN to proxy the RDP
session.

moncho
 
Re: Can TS Gateway run on the same Server as TS itself ?

Jeff,

Thank you for your response, I do see your point but surely doing this would
be no more of a security risk than publishing webmail on port 443 on a single
SBS server (something that MS seems to support by configuring this "out of
the box") ?

Zaz.

"Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message
news:eA8Pes4FJHA.1000@TK2MSFTNGP05.phx.gbl...
> It can but it would be a security risk. The whole idea of TSGateway is to
> act as a man in the middle for TS in the DMZ while the terminal server is
> in the protected networks. By doing what you plan on, you're exposing the
> internal network which seems risky considering the small requirements of
> TSGateway which would easily run on a workstation class machine.
>
> --
> Jeff Pitsch
> Microsoft MVP - Terminal Services
>
> "zaz" <bramblewood@noemail.noemail> wrote in message
> news:28EAFF81-C279-43D1-80BA-FB7D0E2AB9E7@microsoft.com...
>> We have a small network with under 30 users and only 10 external staff
>> want
>> to implement a TS with TS Gateway for external SSL connections and to
>> save us
>> having to open up port 3389 to the internet in general. It seems overkill
>> to
>> use 2 servers to do this so ... is it possible to run TS Gateway on the
>> same
>> server as the actual Terminal Server itself?
>> We are thinking of this to save the need for a 2nd TS gateway server when
>> just one well specified server will do the job.
>> I understand that we would have to open the TS up to the internet on port
>> 443, but for a small user this seems acceptable assuming we
>> configure/patch/harden the server properly.
>> Thanks in advance :>
>>

>
>
 
Re: Can TS Gateway run on the same Server as TS itself ?

Just because you can doesn't mean you should. I don't agree with what MSFT
does with SBS either. It is a security risk and an even worse risk on an SBS
box because of all the info it holds.

--
Jeff Pitsch
Microsoft MVP - Terminal Services

"zaz" <bramblewood@noemail.noemail> wrote in message
news:OFgMeNCGJHA.2456@TK2MSFTNGP06.phx.gbl...
> Jeff,
>
> Thank you for your response, I do see your point but surely doing this
> would be no more of a security risk than publishing webmail on port 443 on a
> single SBS server (something that MS seems to support by configuring this
> "out of the box") ?
>
> Zaz.
>
> "Jeff Pitsch" <jeff@jeffpitschconsulting.com> wrote in message
> news:eA8Pes4FJHA.1000@TK2MSFTNGP05.phx.gbl...
>> It can but it would be a security risk. The whole idea of TSGateway is to
>> act as a man in the middle for TS in the DMZ while the terminal server is
>> in the protected networks. By doing what you plan on, you're exposing the
>> internal network which seems risky considering the small requirements of
>> TSGateway which would easily run on a workstation class machine.
>>
>> --
>> Jeff Pitsch
>> Microsoft MVP - Terminal Services
>>
>> "zaz" <bramblewood@noemail.noemail> wrote in message
>> news:28EAFF81-C279-43D1-80BA-FB7D0E2AB9E7@microsoft.com...
>>> We have a small network with under 30 users and only 10 external staff
>>> want
>>> to implement a TS with TS Gateway for external SSL connections and to
>>> save us
>>> having to open up port 3389 to the internet in general. It seems
>>> overkill to
>>> use 2 servers to do this so ... is it possible to run TS Gateway on the
>>> same
>>> server as the actual Terminal Server itself?
>>> We are thinking of this to save the need for a 2nd TS gateway server
>>> when
>>> just one well specified server will do the job.
>>> I understand that we would have to open the TS up to the internet on
>>> port
>>> 443, but for a small user this seems acceptable assuming we
>>> configure/patch/harden the server properly.
>>> Thanks in advance :>
>>>

>>
>>

>
>
 