Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


How to makeTerminal Server 2008 more secure

Posted on 2009-06-29
Medium Priority
Last Modified: 2012-05-07
How to makeTerminal Server 2008 more secure

Right now we have a Terminal Server, Terminal Server web and terminal server Licensing on the same box. In order for this set up to work we have to open port 443 and 3389 on the firewall to allow incoming  connection. I would like to create a terminal server gateway server to allow only https traffic into the gateway server and from this server accessing other terminal servers via RDP. What is the best method for this?? Build a new terminal server. Install terminal server and terminal server web on this machine and then configure it to talk to the existing terminal server?
Question by:moonzappa
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2

Expert Comment

ID: 24739845
There are two ways to securely publish terminal service on Windows Server 2008, using TS remoteapp or TS gateway.  TS gateway gives you more flexibility.

Have a read throught these two links:
TS gateway step-by-stepy (http://technet.microsoft.com/en-us/library/cc771530(WS.10).aspx)
TS remoteapp step-by-step (http://technet.microsoft.com/en-us/library/cc730673(WS.10).aspx)

Author Comment

ID: 24739885
I am a little confused. I do have remote app installed but on the same box. So in order for the remote app to work i would still have to open port 3389 on the firewall to allow RDC to come into this server


Expert Comment

ID: 24739974
Sorry my mistake, the TS remote app should be used in conjunction with the publishing the app to a website in order for external user to access it via HTTPS.

I think TS gateway should be the preferred option for you. It is essentially a RDP wrapper that encapsulates RDP data into HTTPS tunnel.

Author Comment

ID: 24798113
Can you be more specific on what it the best approach for our environment.  Make a new TS server gateway server and terminal server web server. Then convert the existing terminal server into the application servers??


Accepted Solution

JohnmenZ earned 2000 total points
ID: 24798969
You are correct, considering your network is small, the setup can be this way:

1st physical server: TS web access and TS gateway (share the same SSL certificate)
2nd physical server: TS server that runs applications

What you needed to do is:

1. Setup a new server with both TS web access and TS gateway roles installed by following the step by step guides above

2. Uninstall the TS web access role from the exising TS server, so that it becomes a TS server

I presume you don't have DMZ network, in which case TS web access / gateway server will talk to TS server directly without any firewall sitting in between.

There is a white paper that talks about how Microsoft implements TS technologies on Windows 2008 is quite useful, you may want to go throug it before commencing any work.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question