How to make Terminal Server 2008 more secure

Posted on 2009-06-29
Last Modified: 2012-05-07

Right now we have a Terminal Server, Terminal Server web and terminal server Licensing on the same box. In order for this setup to work we have to open ports 443 and 3389 on the firewall to allow incoming connections. I would like to create a terminal server gateway server to allow only HTTPS traffic into the gateway server, and from this server access other terminal servers via RDP. What is the best method for this? Build a new terminal server, install terminal server and terminal server web on this machine, and then configure it to talk to the existing terminal server?
Question by:moonzappa

Expert Comment

ID: 24739845
There are two ways to securely publish terminal service on Windows Server 2008, using TS remoteapp or TS gateway. TS gateway gives you more flexibility.

Have a read through these two links:
TS gateway step-by-step (
TS remoteapp step-by-step (

Author Comment

ID: 24739885
I am a little confused. I do have remote app installed but on the same box. So in order for the remote app to work I would still have to open port 3389 on the firewall to allow RDC to come into this server.


Expert Comment

ID: 24739974
Sorry, my mistake, the TS remote app should be used in conjunction with publishing the app to a website in order for external users to access it via HTTPS.

I think TS gateway should be the preferred option for you. It is essentially an RDP wrapper that encapsulates RDP data into an HTTPS tunnel.

Author Comment

ID: 24798113
Can you be more specific on what is the best approach for our environment? Make a new TS server gateway server and terminal server web server, then convert the existing terminal server into the application server?


Accepted Solution

JohnmenZ earned 500 total points
ID: 24798969
You are correct, considering your network is small, the setup can be this way:

1st physical server: TS web access and TS gateway (share the same SSL certificate)
2nd physical server: TS server that runs applications

What you need to do is:

1. Set up a new server with both TS web access and TS gateway roles installed by following the step-by-step guides above

2. Uninstall the TS web access role from the existing TS server, so that it becomes a TS server

I presume you don't have a DMZ network, in which case the TS web access / gateway server will talk to the TS server directly without any firewall sitting in between.

There is a white paper that talks about how Microsoft implements TS technologies on Windows 2008 which is quite useful; you may want to go through it before commencing any work.
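A check for the layout described in the accepted solution, added here as an example and not posted by anyone in the thread: run from a machine outside the firewall, it confirms that only 443 on the gateway answers and that 3389 is no longer reachable on either server. The host names and the `EXPECTED` policy are placeholders to replace with your own public names.

```python
import socket

# Assumed policy for the two-server layout: host names are placeholders.
# True = port must answer from the Internet, False = port must not answer.
EXPECTED = {
    "tsgateway.example.com": {443: True, 3389: False},   # TS web access + TS gateway
    "tsapps.example.com":    {443: False, 3389: False},  # TS server running the apps
}


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) and unresolvable names all count as closed.
        return False


def audit(policy, probe=tcp_open):
    """Compare observed reachability with the policy and return the mismatches."""
    findings = []
    for host, ports in policy.items():
        for port, should_be_open in sorted(ports.items()):
            is_open = probe(host, port)
            if is_open and not should_be_open:
                findings.append((host, port, "exposed: block this at the firewall"))
            elif not is_open and should_be_open:
                findings.append((host, port, "unreachable: gateway cannot be used"))
    return findings


if __name__ == "__main__":
    results = audit(EXPECTED)
    for host, port, message in results:
        print(f"{host}:{port} {message}")
    if not results:
        print("Perimeter matches the policy: only HTTPS to the gateway is reachable.")
```

An empty result means the firewall matches the intended design; any `exposed` line for port 3389 means RDP is still published directly and the old rule has not been removed.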
