How to makeTerminal Server 2008 more secure

How to makeTerminal Server 2008 more secure

Right now we have a Terminal Server, Terminal Server web and terminal server Licensing on the same box. In order for this set up to work we have to open port 443 and 3389 on the firewall to allow incoming  connection. I would like to create a terminal server gateway server to allow only https traffic into the gateway server and from this server accessing other terminal servers via RDP. What is the best method for this?? Build a new terminal server. Install terminal server and terminal server web on this machine and then configure it to talk to the existing terminal server?
moonzappaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnmenZCommented:
There are two ways to securely publish terminal service on Windows Server 2008, using TS remoteapp or TS gateway.  TS gateway gives you more flexibility.

Have a read throught these two links:
TS gateway step-by-stepy (http://technet.microsoft.com/en-us/library/cc771530(WS.10).aspx)
TS remoteapp step-by-step (http://technet.microsoft.com/en-us/library/cc730673(WS.10).aspx)
0
moonzappaAuthor Commented:
I am a little confused. I do have remote app installed but on the same box. So in order for the remote app to work i would still have to open port 3389 on the firewall to allow RDC to come into this server

Huy
0
JohnmenZCommented:
Sorry my mistake, the TS remote app should be used in conjunction with the publishing the app to a website in order for external user to access it via HTTPS.

I think TS gateway should be the preferred option for you. It is essentially a RDP wrapper that encapsulates RDP data into HTTPS tunnel.
0
moonzappaAuthor Commented:
Can you be more specific on what it the best approach for our environment.  Make a new TS server gateway server and terminal server web server. Then convert the existing terminal server into the application servers??


Huy
0
JohnmenZCommented:
You are correct, considering your network is small, the setup can be this way:

1st physical server: TS web access and TS gateway (share the same SSL certificate)
2nd physical server: TS server that runs applications

What you needed to do is:

1. Setup a new server with both TS web access and TS gateway roles installed by following the step by step guides above

2. Uninstall the TS web access role from the exising TS server, so that it becomes a TS server

I presume you don't have DMZ network, in which case TS web access / gateway server will talk to TS server directly without any firewall sitting in between.

There is a white paper that talks about how Microsoft implements TS technologies on Windows 2008 is quite useful, you may want to go throug it before commencing any work.
http://technet.microsoft.com/en-us/library/cc304366.aspx
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.