terminal services WAN security

I have a few questions about terminal services. I have been using pcAnywhere when I need to remote into our servers through the internet. I would like to use terminal services but I was wondering about security. Everywhere I have read it's being claimed that terminal services is very secure to use through the internet. What kind of encryption does terminal services use?

I have a sonicwall with VPN capabilities. I was going to use VPN to gain LAN through the internet and then use terminal services for remote desktop (just for ease of use for multiple terminal server computers). Would this be more secure than just using port forwarding and opening up the firewall for terminal services on port 3389?

Also what about licensing? From what I can understand on Microsoft's website it says that if I have 50 server 2000 cals then this allows me to run 50 client terminal services?


Pete Long (Technical Consultant) commented:
Hi illtbagu,
As far as licencing, you are allowed two concurrent connections to EACH server for remote administration.


illtbagu (Author) commented:
I got the port part if you noticed in my opening post :)
I was just wondering about any security issues there are with terminal services, including using terminal services over the WAN (internet). Only myself and 1 other will be using this service, and we will only be using it for remote desktop. Also, on the Windows NT machine I have, I'm not seeing this as an option to add or remove from the Windows NT setup under add remove program files like in server 2000. How can I get my hands on terminal services for NT? Is this something that gets installed during the initial install of NT?

Also 1 other thing. I tried to install terminal server under add remove windows 2000 components on 1 of the server 2000 machines running service pack 3 and it's asking for the service pack 3 disk. I do not have the disk. When I browsed for the files it's asking for, they are not all on the machine. How can I get this installed?

Pete Long (Technical Consultant) commented:
>>machine. how can i get this installed.
You need to find the i386 directory and point it at that, either on the CD of another server. I always copy the i386 directory to my servers' C:\ drive to negate this problem.

>>I was just wondering about any security issues

Well, opening any port on the firewall is a security risk, but bear in mind that by default only admins can log on. As long as you keep it like this you should be OK. You can let individual users log in for remote administration, but I usually do this on a user to user basis.

> Everywhere I have read it's being claimed that terminal services is very secure to use through the internet

Nothing is secure on the internet; that is as exposed as you can get.

Try this for list of ports for supporting users other than yourself:

> Microsoft's website it says that if I have 50 server 2000 cals then this allows me to run 50 client terminal services?

OK, and remember that is above and beyond any desktop licensing, not to mention the applications themselves, which would be what? eMail?

> I have a sonicwall with VPN capabilities...

If you have access to a VPN, then use it. There is no comparison - don't open the ports.

> what about licensing...

There are two types of licenses for Windows 2000: regular CALs and those for Terminal Services. If you plan to only use TS for remote administration, it's a moot point. The TS licenses only apply to non-administrator accounts or if you need more than two people to log in at a time. Just make sure to pick the remote administration mode when setting it up.

> on the windows NT machine...

For NT you would have to have a special version of NT. If TS isn't already there, you won't be able to add it. Stick with pcANYWHERE.

> its asking for the service pack 3 disk...

Either follow Pete Long's advice above or re-download the service pack from Microsoft. Also, SP4 has been out for a long time. Now might be a good time to install it.

Hi Iltbagu.
To answer your questions, no, term server is not a secure method of sending information over the internet.
What MS recommends is wrapping your term server session in IPSec to encrypt the connection:
All the best,

illtbagu (Author) commented:
John or anyone for that matter help,

I created and assigned the new policy using Microsoft's suggestion like John had suggested, but it seems that only 1 policy can be assigned at a time. When I assigned the new policy I created, it turned off any existing policy that might have been assigned. As of right now there are 4 policies:
client (respond only)
secure server (requires security)
server (request security)
and the 1 I created secure terminal service connection

How can I tell what policies were previously assigned, if any? Why can I only assign 1 policy?
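
The IPsec wrap recommended earlier in the thread and the one-assigned-policy behaviour described in the post above, shown as an added example that is not part of the original thread or of Microsoft's procedure. It assumes Windows Server 2003 or later, where `netsh ipsec static` exists (on Windows 2000 the same objects are built in the IP Security Policies snap-in), domain-joined peers for Kerberos authentication, and constructed policy, filter list and filter action names.

```bat
@echo off
rem Added example: one IPsec policy that requires ESP for Terminal Services.
rem Assumes Windows Server 2003+ (netsh ipsec static) and domain-joined peers.
rem "TS-Policy", "TS-Inbound" and "TS-RequireESP" are constructed names.

rem 1. Save the current policy listing before changing anything.
netsh ipsec static show policy all > "%TEMP%\ipsec-before.txt"

rem 2. Create the policy container. Only one policy can be assigned at a time,
rem    so every rule this server needs must live inside this one policy.
netsh ipsec static add policy name="TS-Policy" description="Require IPsec for TCP 3389"

rem 3. Filter list: any address to this server on TCP 3389, mirrored for replies.
netsh ipsec static add filterlist name="TS-Inbound"
netsh ipsec static add filter filterlist="TS-Inbound" srcaddr=any dstaddr=me ^
    protocol=TCP srcport=0 dstport=3389 mirrored=yes description="RDP to this host"

rem 4. Filter action: negotiate ESP with 3DES and SHA1. inpass=no and soft=no
rem    mean no unsecured inbound packets and no fallback to clear text.
netsh ipsec static add filteraction name="TS-RequireESP" action=negotiate ^
    qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 5. Bind filter list and action into a rule inside the single policy.
netsh ipsec static add rule name="TS-Rule" policy="TS-Policy" ^
    filterlist="TS-Inbound" filteraction="TS-RequireESP" kerberos=yes

rem 6. Assign it. Whatever was assigned before becomes unassigned.
netsh ipsec static set policy name="TS-Policy" assign=yes

rem 7. List the policies again and compare with the saved listing.
netsh ipsec static show policy all
```

Traffic that a previously assigned policy protected is no longer covered unless equivalent rules are added to this same policy. Run it from a console session, because a client without a matching policy cannot connect on 3389 once the policy is assigned.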

I use Sonicwall VPN and TS also.  If you are tunneled, then you are secure.  I use remote desktop when I'm off-site.  If I don't have access to the VPN key, I use the live addy that NAT's to my TS box.  You can also use TSWeb, which is really cool, too.  
If you run your 2000 or newer box in Administration mode, you can TS in with one session for remote administration which I am almost certain only requires a 2000 Server CAL, not a TS CAL.  
What ports are needed through a firewall to get licenses from a license server?



Can you give me some clear details on setting up the VPN on sonicwall? What client do you use? What is "live addy"? Sorry if these questions are obvious but I'm very new to VPNs. I'm trying to set up a sonicwall VPN to 2003 server for Terminal services running a single app for three remote users. I am purchasing terminal licences.

Thanks for your time