Solved

TS Gateway - a few questions

Posted on 2009-05-05
6
994 Views
Last Modified: 2013-11-21
I've just learnt about TS Gateway feature in 2008, and this is sweet.

However, this also puzzled me - aren't RDP sessions already encrypted? - Isn't than using SSL over HTTP a double encryption?

And what about Smart Cards? That is easily implemented in Terminal Servers, and serves as authentication - so this TS G. is not actually a first preauthentification RDP solution.

Thank you.
0
Comment
Question by:mrmut
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24317522

RDP sessions are encrypted, just like TSG sessions. The emphasis behind deploying a TSG is less on the authentication aspect and more on the server configuration and administration aspects:

- A dedicated TSG can (and in a large network, should) be located in the DMZ. This means the TSG acts as a pre-authentication, and you only need to open the more high-risk port 3389 between the TSG and the internal network.

- Centralised connection point. You no longer need a static IP for every machine on the LAN you need to open Remote Desktop to. Instead, you instruct all users to connect to the internal name of their PC and direct the connection via the TSG; this only requires one port and one static IP to be open for all remote sessions for the entire organization.

- Firewall concerns. Because TSG sessions use 443 between the initiating client and the TSG, for users who may connect into TS from a larger corporate network, it will be more likely they can initiate a connection; unlike port 3389, 443 is unlikely to be blocked as it is used for standard Internet HTTPS traffic.

Smart Card pre-authentication is another form of pre-authentication, but doesn't give any of the other benefits listed above. Without a TSG you'd still need to open ports direct to all the TS Servers, which uses IP addresses and so on.

-Matt
0
 

Author Closing Comment

by:mrmut
ID: 31578251
Thanks!
0
 
LVL 1

Expert Comment

by:jjoz
ID: 25167585
ok, does this means that TSG server must be joined to the domain or at least need to access LDAP to Domain Controller ?

Would that be a security problem later on down the track ?
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 58

Expert Comment

by:tigermatt
ID: 25226552

"...does this means that TSG server must be joined to the domain or at least need to access LDAP to Domain Controller..."

If the TS Gateway will be authenticating users via Active Directory, it should ideally be located on the private network with port 443 open directly to it. You should *never* expose an Active Directory Domain Controller to your DMZ - my blog post at http://tigermatt.wordpress.com/2009/08/03/exchange-server-dmz/ explains why.

If the TS Gateway is located in the DMZ, you should perform authentication using local accounts. Port 3389 is then open to the Terminal Servers on the private network.

Either way, TS Gateway servers are predominantly available to act as a central connection point for connection to multiple Terminal Servers or workstations running RDP. The fact they work over port 443, so are considered by some to be more secure, does not necessarily make them secure - and you shouldn't throw standard security out of the window by placing a domain-joined machine into the DMZ.

-Matt
0
 
LVL 1

Expert Comment

by:jjoz
ID: 25227691
Hi Matt,

thanks for replying, so to be more precise here it is what I'm doing with multi home router/gateway deployment with no AD DS in the DMZ
 
 1. from the external world to DMZ: port 80 and 443 only
 2. from DMZ into the local network (both ways): 3389, 389, 88, 53, 135 only.
 
 so the above ports is the minimum to be open in the firewall/cisco router from my point of view,
 
 I'm actually thinking to disabling port 53 as it can expose my internal DNS to outside world.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 25254067

Opening 389 and the various other ports from the DMZ into the private network is precisely what you DON'T want to do. My blog post at http://tigermatt.wordpress.com/2009/08/03/exchange-server-dmz/, albeit written for Exchange in the DMZ, applies to this situation. If you want Active Directory integration on the TS Gateway, the best (and in my opinion, only) place for it is the private network. Put it in the DMZ and you open the ports, which reduces security.

Basically, don't ever put a domain joined machine into the DMZ. AD LDS should be used in the DMZ for security purposes, rather than locating a Domain Controller there or opening ports to the private network. Off hand, I don't think TS Gateway supports the use of AD LDS.

-Matt
0

Featured Post

Office 365 Training for Admins

Learn how to provision tenants, synchronize on-premise Active Directory, and implement Single Sign-On with these master level course.  Only from Platform Scholar

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you migrate a Terminal Server licenses server inside the 2008 server family, you can takte advantage of the build-in migration tool. If you like to migrate an older 2003 Server (and the installed client CALs) to a 2008 R2 server for example, you …
Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question