Solved

Terminal Services & Remote Desktop Web Connection - How Do I use These Together?

Posted on 2004-09-02
Last Modified: 2008-01-09
As the "network guy" for a small office I was recently asked by some of the older, more fussy users to expand remote services such as Outlook Web Access and VPN to something even easier.... along the lines of GoToMyPC. What they like about GoToMyPC is that all you have to do is put in a URL, user name, and password and you're right on your PC and everything is nice and familiar.

I've looked at GoToMyPC Corporate and it looks pretty okay to me from a security standpoint... so I haven't ruled it out. It seems a tad expensive... so I wanted to explore built-in alternatives that may or may not do the same thing... which brought me to Remote Desktop Web Connection in Windows XP.

So it seems as if Remote Desktop Web Connection might do just as good a job as GoToMyPC... I'm just uncertain as to what I need to get the job done.

I've looked at Microsoft's article http://www.microsoft.com/windowsxp/using/networking/expert/northrup_03may16.mspx and it did explain a good deal about the technology. What I don't like about this solution is the fact that users would have to remember an IP address instead of something as simple as GoToMyPC or our Outlook Web Access address.

Anyway... here are my questions:

1. Is this the best way to emulate something like GoToMyPC? - Is there some Terminal Server/Microsoft add-on that already exists (besides Remote Desktop Web Connection)?

2. If I currently only have Remote Desktop enabled on our corporate file server/DC (Server 2003 Standard OS) so that I can occasionally fix things when away from the office, and do not have a true Terminal Server running - am I correct in assuming that I will have to buy Terminal Server licenses to allow more than one PC to connect to Remote Desktop Web Connection? Otherwise, how would traffic on port 3389 route correctly... currently our firewall only allows traffic to be routed to one IP and then from there a server would have to take over routing for multiple PCs - right?

3. Is there a guide I should be looking at for deploying Terminal Services that also includes instruction on Remote Desktop Web Connection on multiple PCs?

Hopefully this makes sense... I might be jumping to conclusions as far as how these technologies may or may not work together. Our environment here is as follows: All clients use Windows XP Pro SP2; DC/File Server is running Server 2003 Standard; Mail server is running Exchange 2003 Standard on Server 2003 Standard; Blackberry Small Bus. Server running on a desktop configured as a server with Server 2003 Standard. No ISA or RADIUS... just a plain ole firewall appliance protecting the whole shebang (Symantec VPN 100). This is a 10 user office.

Thanks in advance for the advice....

- Phil
Question by philodendrin

18 Comments
Expert Comment by rhandels (ID: 11969072)
Hi,

Here goes..

1. Don't know how GoToMyPC works, but according to your explanation above, I would say yes..

2. Yes indeed, you will need to install Terminal Services and buy CALs (Client Access Licenses) at about $200 apiece. This is the old TS in Application Mode. Remote Desktop Connection can handle up to two concurrent connections; TS can handle as many as you have licenses for. So you don't need a router or anything like that. If a computer connects using port 3389, the TS server sets up a new connection on another port, so the 3389 port is free for another user.. So your firewall is still good to go..

3. Yes, the link you added is a good guide..

Just a small note. You don't need to remember the IP address of the server. Just make sure to give your external IP address that NATs to your internal Terminal Server a good, descriptive name. You will need to remember what port to use for the web client.
Expert Comment by Eric (ID: 11974349)
Why do you want Terminal Services licenses?  I think he wants each user to connect to their own machine, correct?  If so, this does not have to do with server licenses.  WinXP has 1 built-in license for RD.  (SP2 :( yikes, enable Remote Desktop in the built-in firewall)

The tricky part is this:
having it correctly send the connection to the correct destination.  There are two ways I have used.
They depend on your security setup and VPN accessibility.
1) Associate an IP address with each user.  Use NAT to send the specific IP to an internal client.  (For security I recommend filtering IPs.)
2) Use VPN, then just RDP to the client's private IP.

Another option is tsweb.  They connect to the IIS server www.domain.com/tsweb
where they can log on to any heap on the network via terminal.  However, Windows Update nuked this... I have been too lazy to read the knowledge base articles to see how to fix it, but I know there is a way to get Microsoft tsweb working again.
Expert Comment by jonnietexas (ID: 11978291)
1. NO
2. Yes.  It is possible to change the default port that a Terminal Services connection connects to and listens on via the registry, but that is a pain in the A$$ depending on the # of users.
3. You need to consider printing.  Terminal Services might be a real pain in the butt when it comes to configuring printing.

If you don't mind configuring the firewall, then PCAnywhere works great for remote desktop control.  It is fast, as is Terminal Services.  RealVNC is an option, but there is no remote printing and it is slower.  The good news is the cost.

VPN would be great if it suits your users' needs.  If they want to run applications on their desktops or if they keep their files there (GASP!), then it's not going to help much.

Expert Comment by Eric (ID: 11985124)
VPN: they can access files on their desktop with Remote Desktop.. it was not an alternative; I was recommending VPN + Remote Desktop for simplification and security.  It involves no punching holes in the firewall.  Citrix solves all printing woes, and I'm told 2003 Server also does now, but I have not used it.  With Citrix, printers can automatically be mapped to the local client or remote printer.  It's a walk in the park.
Citrix comes at a cost, however... I find it worth it, but will re-evaluate with 2003 Terminal Services.

PCAnywhere costs money.  Remote Desktop is free.  VNC has some serious security concerns, but is free.  A pretty good temporary remote assistance tool, but I would not use it as a normal tool.

Just my 2 cents
Expert Comment by jonnietexas (ID: 11985184)
Haven't used Citrix, but TS should map printers automagically too.  The reality is it just doesn't without a lot of administrative effort, depending on your printers.  These are definitely not apples to apples.  Basically, remote control or terminal emulation.  Then, as an old boss of mine used to say... Cheap, Fast, Good.  Pick two! (And in the case of remote control, sometimes only one.)

A user will not be happy with VNC.  It takes a lot of patience.
PCAnywhere is the best tool in my opinion for remote control.  Fast and good, but it costs.
Terminal Services has some nice things about it, but like I say, printing sucks and file transfer is non-existent.

There are things that can be done for the holes that are punched in the firewall.  Actually, all of these require hole punching.
Here are some Terminal Services links...
http://www.brianmadden.com/content/content.asp?ID=62
http://hem.fyristorg.com/vera/IT/
Good luck!
Expert Comment by Eric (ID: 11986203)
VPN does not require punching any holes.

TSweb and NFuse also do not.  You can use a web host on a DMZ and even add SSL to the mix on top of it.

NFuse is the Citrix interface similar to tsweb.  Just FYI, Citrix automatically maps any printer local to the client (asks you the first time you connect if you want to).

I have used direct TS mapping, but I restricted per IP address for added security.  The problem with holes is, if any vulnerability comes out for the host of that service, you're hosed :(
Expert Comment by jonnietexas (ID: 11986231)
Hmmm, I didn't bring up VPN.  But it does require significant configuration.  Probably more than a firewall setting would.  Unless the Citrix server or TS was on the box that housed the firewall, it would require a configuration change to the firewall.  For instance, port forwarding for TSweb.  The firewall has to be instructed what to do with the request.  You are correct.  Any service that you use must be maintained.  If you don't patch it, then you get what you deserve.  Anyway, we're pissing in the wind and I believe saying much the same thing.  He's got choices and each choice has a cost, whether financial, security, or difficulty.  Strangely, he has been quiet on the subject.  hehe.
Expert Comment by Eric (ID: 11987235)
heh,
that happens a lot (being quiet on the subject)

That seems to always be the foundation of all IT debates... money :(    It's easy to look back to when we were a smaller company and say why did we not have that type of security... but then it seemed so overkill...  of course the Internet has gone to hell since then :/

We went with a WatchGuard Firebox X700.. and love it.   50U hardware VPN... can't beat it.  But I guess it's all relative to your budget.

You could do a software VPN using RRAS, but then you're again counting on your NT heaps to be all patched... and as seen in the past, Microsoft is not always the first one to know about a vulnerability.

And to use a tsweb server, again you would need a firewall with a 3rd interface or two firewalls...   hopefully you have that, but if not, more $$$.



Expert Comment by jonnietexas (ID: 11987366)
A 50U hardware VPN. Jesus!  I use iptables!  ;)  Does the job and is free.  Of course, I consult for small companies.  I'll try to use a combination of really bizarre passwords, encryption and non-standard ports to throw off the script kiddies.  (Security by obscurity.)  Most people just aren't going to try that hard if your door isn't wide open OR if they are coming for you specifically.  That monster must have cost some $$$
Expert Comment by Eric (ID: 11991049)
Nah, 1500 to 1800 I think.  Best purchase I ever made; I used to run FreeBSD with natd and ipfirewall.  (Similar to iptables.)

You have a yearly maintenance cost if you want upgrades, free support etc.. but I use it, so it's worth it.

I'm not a Unix guru, so it was not ideal for me.  I had a buddy that had to help me load it initially.  Not ideal for business application :)  (needing help, that is)

Author Comment by philodendrin (ID: 11998518)
I've been doing my best to research some of the suggestions brought up here before I make you guys regurgitate the specifics... hence the perception that I'm being quiet.

So far, this seems like a possible solution... "associate an IP address w/ each user.  Use NAT to send the specific IP to an internal client.  (for security i recomend filtering IP's)"  If you wouldn't mind... can you explain a little further? Right now they get their IP via DHCP... are you suggesting some type of virtual IP that would associate the computer name with the IP (is this what you mean by "Use NAT")?  You've lost me. I'm missing something here. Where would I start configuring this?

I think you're trying to help get me around the firewall only allowing one IP address routing to port 3389.... but, I don't get it.

Also... as far as the registry edit to change the default port from 3389 to X...  wouldn't it fail to work when the user downloads and runs the ActiveX control that's looking to route through port 3389?

TSweb sounds like it might work. I can talk them into buying TS licenses on an as-needed basis... but I still don't know what problems will arise, if any, if I install Terminal Server and TSWeb on the firm's main file server/DC. Why would I need such a sophisticated firewall?

I'm clueless as far as what you guys are talking about with iptables... a bit out of my realm.

I've looked at VNC... my users have a hard time using dial-up networking; I doubt very seriously they'd be able to use VNC.

I do use PCAnywhere to transfer files and control the three servers we have in place.... I have version 11, but I haven't noticed any option to set up or control anything via a Web interface... and this is what's being asked for. I suppose I could set up something on an FTP server that would start an installation package... but if the user is at a machine at a cafe or hotel that he doesn't have administrative rights to... it's not going to install. The ActiveX control used for Remote Desktop Web Connection might not work either... but, I can't control every factor.

So, what do you think?... I'm willing to go the TSweb route if it's not too cumbersome for the server, but if it is possible to use Remote Desktop Web Connection with multiple PCs and no add'l TS licenses... I'll try that... if you guys can help me with some instructions or examples.

As for printing... yeah... I know I'll probably have to work at getting the right drivers associated on the server, and even then, I'm sure down the line someone will try to print from a Win98 machine and the driver file won't be on the server. Citrix/NFuse does do a killer job with this... but, it's just too expensive for an office where no more than 2 people will ever attempt TS-like emulation.

Thanks for everything so far...

- Phil
Expert Comment by Eric (ID: 11998742)
ok,
What type of Internet access do you have?  How many IP addresses (public) are at your disposal?
What type of firewall are we dealing with here?  Do you configure it, or does an Internet service provider?

The problem is, say you want 2 machines to run Remote Desktop.  To the Internet, your entire organization is one public IP address, assuming your firewall runs NAT (meaning your network uses private IP addresses such as 192.168.x.x or 10.x.x.x).  So both your remote clients are configured to connect to your firewall's external public IP address.  However, the firewall can only do 1 thing with 1 port.   You can configure a firewall to forward everything on port 3389 to a specific internal IP address.  But that's it; it will not know if it's user x or user y trying to connect to PC x or PC y.. it only knows to forward all port 3389 to a specific IP.

That being said, now all Internet traffic, friendly or pure evil, will be passed to this Win XP heap.  So if a vulnerability exists and the machine is not patched, it could be compromised.  That's why I said.. add an extra rule that only allows a handful of IP addresses to attach to port 3389.

The result being:
IF port 3389 is triggered _AND_ source host is an accepted IP address, forward to specified host.

Filtering IP addresses is just an added level of security, nothing to do with accomplishing your task directly.

Understanding the 1 IP - 1 port - 1 internal host thing I just described... if you have multiple public IP addresses, assign them to the same external interface.  Then when making your forwarding rules, make public IP 1 forward to internal host 1, and public IP 2 forward to internal host 2.
ex:  (pretend 65.0.0.1 is your firewall's gateway, and 65.0.0.2 is your first usable IP.)
65.0.0.2:3389 --NAT-->192.168.0.10:3389      (.0.10 = internal XP RDP client 1)
65.0.0.3:3389 --NAT-->192.168.0.11:3389      (.0.11 = internal XP RDP client 2)

Client side:  client 1 is configured to connect to public IP 1, client 2 is configured to connect to public IP 2.

This is all assuming you're using NAT as described above... hopefully you are, after I typed all this :)
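The "1 public IP - 1 port - 1 internal host" constraint and the source-IP filter in Eric's comment above, as an added example that is not code from this thread or from any of the posters. It models the firewall's port-forwarding (DNAT) table so the decisions can be checked against sample packets: the collision you hit when two XP desktops both need 3389 behind one public IP, Eric's fix of one public IP per desktop, and a variant that keeps a single public IP but gives each desktop its own external port (this assumes the firewall can rewrite the destination port, which not every small appliance can). The 65.0.0.x and 192.168.0.x addresses are the placeholders from the comment; the remote users' source addresses (203.0.113.0/24, 198.51.100.7, 192.0.2.5) are constructed documentation addresses, and the class and function names are this example's own.

```python
# Added example: model of a NAT firewall's inbound port-forwarding decision.
# Not the Symantec VPN 100's configuration syntax; the rule names and helpers are
# this example's own. Addresses follow the placeholders used in the thread.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ForwardRule:
    public_ip: str
    public_port: int
    internal_ip: str
    internal_port: int
    # Source networks allowed to hit this rule; empty means "anyone on the Internet".
    allowed_sources: Tuple[str, ...] = ()


class PortForwardTable:
    """The firewall's DNAT table: one (public IP, port) pair maps to exactly one host."""

    def __init__(self) -> None:
        self._rules: Dict[Tuple[str, int], ForwardRule] = {}

    def add(self, rule: ForwardRule) -> None:
        key = (rule.public_ip, rule.public_port)
        if key in self._rules:
            # The collision Eric describes: a second RDP host behind the same
            # public IP:port cannot be expressed, because nothing in the packet
            # tells the firewall which internal PC the remote user wanted.
            existing = self._rules[key]
            raise ValueError(
                f"{rule.public_ip}:{rule.public_port} already forwards to "
                f"{existing.internal_ip}:{existing.internal_port}")
        self._rules[key] = rule

    def forward(self, src_ip: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return (internal_ip, internal_port) for an inbound packet, or None if it is dropped."""
        rule = self._rules.get((dst_ip, dst_port))
        if rule is None:
            return None  # no rule for this public IP:port -> default deny
        if rule.allowed_sources:
            src = ipaddress.ip_address(src_ip)
            if not any(src in ipaddress.ip_network(net) for net in rule.allowed_sources):
                return None  # port matched, but the source is not on the allow-list
        return rule.internal_ip, rule.internal_port


def single_ip_collision() -> bool:
    """Two XP desktops on 3389 behind one public IP: the second rule cannot be added."""
    table = PortForwardTable()
    table.add(ForwardRule("65.0.0.2", 3389, "192.168.0.10", 3389))
    try:
        table.add(ForwardRule("65.0.0.2", 3389, "192.168.0.11", 3389))
    except ValueError:
        return True
    return False


def multi_public_ip_table() -> PortForwardTable:
    """Eric's layout: a second public IP on the same external interface, one per desktop,
    each restricted to the (constructed) source network its user is expected to come from."""
    table = PortForwardTable()
    table.add(ForwardRule("65.0.0.2", 3389, "192.168.0.10", 3389, ("203.0.113.0/24",)))
    table.add(ForwardRule("65.0.0.3", 3389, "192.168.0.11", 3389, ("198.51.100.7/32",)))
    return table


def port_translation_table() -> PortForwardTable:
    """Variant with a single public IP, assuming the firewall can rewrite the port:
    each desktop gets its own external port but still listens on 3389 internally,
    so nothing changes in the XP registry. Users connect to 65.0.0.2:3390 for PC 2."""
    table = PortForwardTable()
    table.add(ForwardRule("65.0.0.2", 3389, "192.168.0.10", 3389))
    table.add(ForwardRule("65.0.0.2", 3390, "192.168.0.11", 3389))
    return table


if __name__ == "__main__":
    print("collision detected:", single_ip_collision())          # True
    t = multi_public_ip_table()
    print(t.forward("203.0.113.9", "65.0.0.2", 3389))            # ('192.168.0.10', 3389)
    print(t.forward("203.0.113.9", "65.0.0.3", 3389))            # None: wrong source for PC 2
    p = port_translation_table()
    print(p.forward("192.0.2.5", "65.0.0.2", 3390))              # ('192.168.0.11', 3389)
```

The source filter only narrows who can reach the exposed port; it does not change the mapping itself, which is Eric's point. A user coming from a hotel or cafe will not have a predictable source address, so the allow-list approach fits fixed home connections, and the port-translation variant is only worth trying if the appliance's port-forwarding screen lets the external and internal ports differ.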

Author Comment by philodendrin (ID: 12001852)
Ok... well, thanks for explaining what you were talking about, "ecszone". It makes perfect sense now.

Considering the fact that I only have 1 public IP address that I can use and my firewall can only be configured for use with 1 public IP address... there's not a lot I can do (from what you're telling me) without installing Terminal Server. I suppose I should have mentioned earlier that the office has T1 service with only one public IP address, and yes, our firewall - a Symantec VPN 100 appliance - is using NAT.

I don't think it will be cheaper to buy another firewall and add a second public IP rather than just configure Terminal Server. But, I'll look into the cost of both.

Also, I'm still confused as to whether or not it would be best to run TSWeb or try and make Remote Desktop Web Connection work with multiple clients. Anyone have an opinion?
Expert Comment by Eric (ID: 12003160)
Try and get tsweb running.  It's free.  You can connect up to two users for free ("administrative mode").  Do not enable application mode.

Once tsweb is running, connect to
localdomain.com/tsweb

If you get script errors at the bottom in the status bar, search the MSKB... there is a fix.  I have not bothered to take it that far because I am fortunate enough to have Citrix.

Now, if you get that working with the servers, I'm willing to bet it will work with any RDP server, i.e. a WinXP Remote Desktop.
You will log on to the web site, then it will give you a chance to plug in a server name or IP.
If you put in a client machine that is set up for Remote Desktop, it just may work!  Now you're using the tsweb interface to connect to any client.. and the client can specify which one they want.  Make sure DNS is working for client machines.. users tend to have a better chance with a name vs. an IP address :)
Accepted Solution by emilbus20 (earned 50 total points; ID: 12020249)
Hey, check out www.enkoo.com
They may have the answers you need that are simple and fairly priced.
I'm still waiting to order the trial version for my small 30-user office, so I can't give you hands-on experience, but from the demos and reviews it seems to be a simple yet effective product. Hope this helps.
Author Comment by philodendrin (ID: 12021785)
Thanks, emilbus20... that is indeed an interesting product and very cheap, considering what you're getting.

I'll bring it up as an alternative for sure...

- Phil