Ease of Remote Desktop enabling through ASA / ISA
Often we recieve support requests where users want to access their workstations from outside the LAN, either via VPN or simply via a web browser. We often have to create tunnels within our ASA/PIX to allow user to come in to their workstations for genuine purposes, sometimes to let some experts install software and at other's they just want to pick up a file they desperately need.
I was wondering if there is an easy solution that would help us accomplish this procedure, without the involvement of of Network administrator but with adequate security and change management control in place? Something, where a helpdesk administrator can have a dashboard where he/she just clicks on the user's workstation IP, and an automatic NAT gets accomplished and RDP gets enabled with port 3389 passed through the firewall.
The solution can be either ASA/PIX based or ISA based.
I read an article here, but I wonder if it's relevant in our scenario:
http://www.isaserver.org/tutorials/Publishing-Remote-Desktop-Web-Connection-Sites-ISA-Firewall-Part1.html
Pls advise!!
I was wondering if there is an easy solution that would help us accomplish this procedure, without the involvement of of Network administrator but with adequate security and change management control in place? Something, where a helpdesk administrator can have a dashboard where he/she just clicks on the user's workstation IP, and an automatic NAT gets accomplished and RDP gets enabled with port 3389 passed through the firewall.
The solution can be either ASA/PIX based or ISA based.
I read an article here, but I wonder if it's relevant in our scenario:
http://www.isaserver.org/tutorials/Publishing-Remote-Desktop-Web-Connection-Sites-ISA-Firewall-Part1.html
Pls advise!!
Keith Alabaster
There are a couple of ways of doing this - but personally my favourite is using TSWEB which I publish as a service through the external device. This can be done through the ASA or the ISA server.
ASKER
Using remote Desktop web connection is fine as a choice. Now, how do you efficiently manage and control it? Do you allow every user to come in to their desktops? Do you do it only on the need basis? Is the control with your Helpdesk guys or network admins?
I open it up for all users but use Hard token/RADIUS/RSA authentication to prove that the person making the connection is authorised to access the service. This way I don't have to mess with the equivalent of a lookup table for user/ip address association. The service is open to all after the user 'proves' they are authorised to use it. The TSweb service then lets them get to the box they want.
ASKER
Keith...did you take your radius to DMZ? Is your radius authenticating with AD at the backend? If it does, are your switches/routers/desktops etc, also using Radius as a 802.1x supplicant?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks :)