Solved

TS Gateway - a few questions

Posted on 2009-05-05
Last Modified: 2013-11-21
I've just learnt about the TS Gateway feature in 2008, and this is sweet.

However, this also puzzled me: aren't RDP sessions already encrypted? Isn't using SSL over HTTP then a double encryption?

And what about Smart Cards? They are easily implemented on Terminal Servers and serve as authentication, so this TS Gateway is not actually the first pre-authentication RDP solution.

Thank you.
Question by:mrmut
6 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 2000 total points
ID: 24317522

RDP sessions are encrypted, just like TSG sessions. The emphasis behind deploying a TSG is less on the authentication aspect and more on the server configuration and administration aspects:

- A dedicated TSG can (and in a large network, should) be located in the DMZ. This means the TSG acts as a pre-authentication point, and you only need to open the higher-risk port 3389 between the TSG and the internal network.

- Centralised connection point. You no longer need a static IP for every machine on the LAN you need to open Remote Desktop to. Instead, you instruct all users to connect to the internal name of their PC and direct the connection via the TSG; this only requires one port and one static IP to be open for all remote sessions for the entire organization.

- Firewall concerns. Because TSG sessions use 443 between the initiating client and the TSG, for users who may connect into TS from a larger corporate network, it will be more likely they can initiate a connection; unlike port 3389, 443 is unlikely to be blocked as it is used for standard Internet HTTPS traffic.

Smart Card pre-authentication is another form of pre-authentication, but doesn't give any of the other benefits listed above. Without a TSG you'd still need to open ports direct to all the TS Servers, which uses IP addresses and so on.

-Matt

Author Closing Comment

by:mrmut
ID: 31578251
Thanks!
 
LVL 1

Expert Comment

by:jjoz
ID: 25167585
OK, does this mean that the TSG server must be joined to the domain, or at least needs LDAP access to a Domain Controller?

Would that be a security problem later on down the track?
 
LVL 58

Expert Comment

by:tigermatt
ID: 25226552

"...does this means that TSG server must be joined to the domain or at least need to access LDAP to Domain Controller..."

If the TS Gateway will be authenticating users via Active Directory, it should ideally be located on the private network with port 443 open directly to it. You should *never* expose an Active Directory Domain Controller to your DMZ - my blog post at http://tigermatt.wordpress.com/2009/08/03/exchange-server-dmz/ explains why.

If the TS Gateway is located in the DMZ, you should perform authentication using local accounts. Port 3389 is then open to the Terminal Servers on the private network.

Either way, TS Gateway servers are predominantly available to act as a central connection point for connection to multiple Terminal Servers or workstations running RDP. The fact they work over port 443, so are considered by some to be more secure, does not necessarily make them secure - and you shouldn't throw standard security out of the window by placing a domain-joined machine into the DMZ.

-Matt
 
LVL 1

Expert Comment

by:jjoz
ID: 25227691
Hi Matt,

Thanks for replying. To be more precise, here is what I'm doing with a multi-homed router/gateway deployment with no AD DS in the DMZ:

 1. From the external world to the DMZ: ports 80 and 443 only.
 2. From the DMZ into the local network (both ways): 3389, 389, 88, 53, 135 only.

So the above ports are the minimum to be opened in the firewall/Cisco router, from my point of view.

I'm actually thinking of disabling port 53, as it can expose my internal DNS to the outside world.
 
LVL 58

Expert Comment

by:tigermatt
ID: 25254067

Opening 389 and the various other ports from the DMZ into the private network is precisely what you DON'T want to do. My blog post at http://tigermatt.wordpress.com/2009/08/03/exchange-server-dmz/, albeit written for Exchange in the DMZ, applies to this situation. If you want Active Directory integration on the TS Gateway, the best (and in my opinion, only) place for it is the private network. Put it in the DMZ and you open the ports, which reduces security.

Basically, don't ever put a domain-joined machine into the DMZ. AD LDS should be used in the DMZ for security purposes, rather than locating a Domain Controller there or opening ports to the private network. Off hand, I don't think TS Gateway supports the use of AD LDS.

-Matt
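As an added illustration of the placement rules tigermatt lays out in the accepted answer and in the reply above (this is example code, not from the thread or from Microsoft), the script below reviews a proposed firewall ruleset against them: 443 from the Internet to the gateway, 3389 onward to the Terminal Servers only when the gateway sits in the DMZ, and no directory ports from the DMZ inward. The zone names, the `Rule` type and the severity labels are my assumptions; the port numbers are the ones jjoz listed.

```python
from dataclasses import dataclass

# Ports jjoz proposed from the DMZ into the LAN that only a domain-joined
# host would need (port numbers from the thread; labels are mine).
AD_PORTS = {389: "LDAP", 88: "Kerberos", 135: "RPC endpoint mapper"}

@dataclass(frozen=True)
class Rule:
    src: str   # zone names "internet", "dmz", "lan" are assumptions
    dst: str
    port: int

def expected_rules(gateway_zone):
    """Minimum rules a TSG needs: 443 from the Internet to the gateway, plus
    3389 onward to the Terminal Servers only when the gateway is in the DMZ."""
    if gateway_zone == "dmz":
        return {Rule("internet", "dmz", 443), Rule("dmz", "lan", 3389)}
    if gateway_zone == "lan":
        return {Rule("internet", "lan", 443)}
    raise ValueError(f"unknown gateway zone: {gateway_zone}")

def review_rules(rules, gateway_zone):
    """Return (severity, message) findings for a ruleset, given the TSG zone."""
    findings = []
    for r in expected_rules(gateway_zone) - set(rules):
        findings.append(("info", f"missing rule the TSG needs: {r.src}->{r.dst}:{r.port}"))
    for r in rules:
        if r.src == "internet" and r.port == 3389:
            findings.append(("high", "RDP (3389) exposed to the Internet; "
                             "the TSG on 443 should be the only entry point"))
        elif r.src == "dmz" and r.dst == "lan" and r.port in AD_PORTS:
            findings.append(("high", f"{AD_PORTS[r.port]} ({r.port}) from DMZ to LAN "
                             "implies a domain-joined host in the DMZ: move the TSG "
                             "to the LAN or use local accounts on it"))
        elif r.src == "dmz" and r.dst == "lan" and r.port == 53:
            findings.append(("medium", "DNS (53) from DMZ to LAN exposes internal DNS"))
    return findings

# jjoz's proposed ruleset from the thread, as constructed Rule objects.
PROPOSED = ([Rule("internet", "dmz", p) for p in (80, 443)]
            + [Rule("dmz", "lan", p) for p in (3389, 389, 88, 53, 135)])

if __name__ == "__main__":
    for severity, msg in review_rules(PROPOSED, "dmz"):
        print(f"[{severity}] {msg}")
```

Run against jjoz's list with the gateway in the DMZ, it flags 389, 88 and 135 as the domain-join giveaway and 53 as the internal-DNS exposure he already suspected.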

Question has a verified solution.