Solved

How to make Terminal Server 2008 more secure

Posted on 2009-06-29
Last Modified: 2012-05-07

Right now we have a Terminal Server, Terminal Server web and terminal server Licensing on the same box. In order for this setup to work we have to open ports 443 and 3389 on the firewall to allow incoming connections. I would like to create a terminal server gateway server to allow only HTTPS traffic into the gateway server, and from this server access other terminal servers via RDP. What is the best method for this? Build a new terminal server. Install terminal server and terminal server web on this machine and then configure it to talk to the existing terminal server?
Question by:moonzappa
5 Comments
 
LVL 5

Expert Comment

by:JohnmenZ
ID: 24739845
There are two ways to securely publish terminal service on Windows Server 2008, using TS RemoteApp or TS Gateway. TS Gateway gives you more flexibility.

Have a read through these two links:
TS Gateway step-by-step (http://technet.microsoft.com/en-us/library/cc771530(WS.10).aspx)
TS RemoteApp step-by-step (http://technet.microsoft.com/en-us/library/cc730673(WS.10).aspx)
0
 

Author Comment

by:moonzappa
ID: 24739885
I am a little confused. I do have remote app installed but on the same box. So in order for the remote app to work I would still have to open port 3389 on the firewall to allow RDC to come into this server.

Huy
0
 
LVL 5

Expert Comment

by:JohnmenZ
ID: 24739974
Sorry, my mistake. TS RemoteApp should be used in conjunction with publishing the app to a website in order for external users to access it via HTTPS.

I think TS Gateway should be the preferred option for you. It is essentially an RDP wrapper that encapsulates RDP data into an HTTPS tunnel.
0
 

Author Comment

by:moonzappa
ID: 24798113
Can you be more specific on what is the best approach for our environment? Make a new TS server gateway server and terminal server web server. Then convert the existing terminal server into the application server?


Huy
0
 
LVL 5

Accepted Solution

by:
JohnmenZ earned 500 total points
ID: 24798969
You are correct, considering your network is small, the setup can be this way:

1st physical server: TS web access and TS gateway (share the same SSL certificate)
2nd physical server: TS server that runs applications

What you need to do is:

1. Set up a new server with both the TS web access and TS gateway roles installed by following the step-by-step guides above

2. Uninstall the TS web access role from the existing TS server, so that it becomes a TS server

I presume you don't have a DMZ network, in which case the TS web access / gateway server will talk to the TS server directly without any firewall sitting in between.

There is a white paper about how Microsoft implements TS technologies on Windows 2008 that is quite useful; you may want to go through it before commencing any work.
http://technet.microsoft.com/en-us/library/cc304366.aspx
0
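
Added example, not part of the thread: a small audit that compares a list of permitted flows with the two-server layout from the accepted answer, where only HTTPS reaches the gateway from outside and RDP is reachable only from the gateway. The host names `ts-gw` and `ts-app`, the `Rule` format and both sample lists are constructed for illustration; a flow counts as permitted whether a firewall rule allows it or the hosts simply share a LAN.

```python
# Added example: audit permitted flows against the two-server TS Gateway layout.
# Host names and the rule format are assumptions, not taken from the thread.
from typing import NamedTuple

class Rule(NamedTuple):
    src: str    # "internet" or an internal host name
    dst: str    # destination host name
    port: int   # TCP destination port

GATEWAY = "ts-gw"      # hypothetical: new server with TS Gateway + TS Web Access
TS_SERVER = "ts-app"   # hypothetical: existing terminal server running the applications

def audit(rules):
    """Return a list of findings; an empty list means the flows match the design."""
    findings = []
    for r in rules:
        if r.src == "internet" and r.port == 3389:
            findings.append(f"RDP exposed to internet on {r.dst}:3389")
        elif r.src == "internet" and (r.dst != GATEWAY or r.port != 443):
            findings.append(f"unexpected internet rule to {r.dst}:{r.port}")
    # The design also needs these two flows to exist, or users are locked out.
    if Rule("internet", GATEWAY, 443) not in rules:
        findings.append("gateway not reachable on 443 from internet")
    if Rule(GATEWAY, TS_SERVER, 3389) not in rules:
        findings.append("gateway cannot reach terminal server on 3389")
    return findings

# Constructed "before" state from the question: one box, 443 and 3389 both open.
BEFORE = [Rule("internet", TS_SERVER, 443), Rule("internet", TS_SERVER, 3389)]
# Constructed "after" state from the accepted answer.
AFTER = [Rule("internet", GATEWAY, 443), Rule(GATEWAY, TS_SERVER, 3389)]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(rules) or "OK")
```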
