Securing TSWeb Client using SSL/TLS

Hi,

Recently I have had to secure our Terminal Server due to PCI compliance issues.  There is a well-known vulnerability in RDP on Windows 2003 that has forced me to either secure Terminal Services via SSL/TLS or go to a product like Citrix.  Since we have only one server in the organization like this, I would like to avoid having to go to Citrix.  I have been able to configure the Terminal Server to use SSL/TLS encryption with the RDP client (the one that is installed on a user's machine).  The issue I am having, and even Microsoft Support does not seem able to answer for me, is how do I configure the TSWeb client to use SSL and high encryption?

Here's the deal: I installed a server certificate on the Terminal Server.  No problems there.  I then use the Terminal Services Configuration snap-in to change the settings on the RDP-Tcp connection.  I set the Security Layer to SSL and the Encryption Level to High.  OK.  When I launch the RDP client on a machine outside the firewall, across the internet, and connect to the server, it works flawlessly (aside from the self-signed cert error, but I can fix that no problem).

The issue is that we also use TSWeb (Terminal Services Web Client) on this box.  Now the "normal" RDP client works just great with this configuration.  When you attempt to connect to the server via the http://servername.ourdomain.com/tsweb method, an error pops up saying that the client cannot negotiate a connection because authentication has not been configured.

I know WHY this is happening.  I never configured the TSWeb client to use SSL or High Encryption.  What I do not know is how to do this.  Microsoft wants to tell me that it's an IIS issue; however, I have the server configured to access the TSWeb client over 443 as well, and all that does is serve the connection page over SSL - it has nothing to do with the TSWeb client connecting over 3389 using TLS/SSL.  I thought that maybe there is a line of VBScript in the default.htm file within the tsweb directory that might force this, but I have been unable to find ANY documentation on this.  Any help you can give me on how to force the Web Client to use SSL/TLS would be greatly appreciated.  Even if you can just confirm that it is not in fact possible, I can at least move on to a different solution.  Thanks in advance.

jms220 Asked:
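The listener settings the question describes (Security Layer and Encryption Level on the RDP-Tcp connection) can be read back and checked from script rather than by eye in the snap-in. The following is an added example for this thread, not code posted by anyone in it. It assumes it is run with administrative rights on the Terminal Server (or against it with `-ComputerName`), that Windows PowerShell is installed, and that the Terminal Services WMI provider exposes `Win32_TSGeneralSetting` with the `SecurityLayer` and `MinEncryptionLevel` properties and the `SetSecurityLayer` / `SetEncryptionLevel` methods; the numeric meanings in the lookup tables follow that class's documentation.

```powershell
# Added example (not from the thread). Reads the RDP-Tcp listener's security
# layer and minimum encryption level through the Terminal Services WMI
# provider and reports whether they match the "SSL + High" configuration
# the question describes. Assumes Win32_TSGeneralSetting is available.

# Value meanings as documented for Win32_TSGeneralSetting (assumption:
# the same codes apply on the target server).
$SecurityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$EncryptionNames    = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpListenerSecurity {
    param(
        [string]$ComputerName = '.',       # '.' = local machine
        [string]$Listener     = 'RDP-Tcp'  # the connection shown in TS Configuration
    )
    $setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                             -Class 'Win32_TSGeneralSetting' `
                             -ComputerName $ComputerName `
                             -Filter "TerminalName='$Listener'"
    if (-not $setting) {
        throw "Listener '$Listener' was not found on '$ComputerName'."
    }
    New-Object PSObject -Property @{
        Computer           = $ComputerName
        Listener           = $setting.TerminalName
        SecurityLayer      = [int]$setting.SecurityLayer
        SecurityLayerName  = $SecurityLayerNames[[int]$setting.SecurityLayer]
        MinEncryptionLevel = [int]$setting.MinEncryptionLevel
        EncryptionName     = $EncryptionNames[[int]$setting.MinEncryptionLevel]
    }
}

function Test-RdpListenerTls {
    # Returns $true only when the listener requires SSL/TLS (2) and at
    # least High encryption (3); writes a warning for each failing setting.
    param([Parameter(Mandatory = $true)]$Security)
    $ok = $true
    if ($Security.SecurityLayer -ne 2) {
        Write-Warning ("{0}: security layer is '{1}', expected SSL (TLS)." -f `
            $Security.Listener, $Security.SecurityLayerName)
        $ok = $false
    }
    if ($Security.MinEncryptionLevel -lt 3) {
        Write-Warning ("{0}: encryption level is '{1}', expected High or FIPS." -f `
            $Security.Listener, $Security.EncryptionName)
        $ok = $false
    }
    return $ok
}

# Usage: report the current settings and the pass/fail result.
$current = Get-RdpListenerSecurity
$current | Format-List Computer, Listener, SecurityLayerName, EncryptionName
if (Test-RdpListenerTls -Security $current) {
    Write-Host 'RDP-Tcp listener requires SSL/TLS with High encryption.'
} else {
    # To change the listener from script instead of the snap-in, the same
    # WMI object exposes SetSecurityLayer(2) and SetEncryptionLevel(3)
    # (assumption: methods present on the target server). Left commented
    # out so the script is read-only by default.
    # $obj = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    #        -Class 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-Tcp'"
    # [void]$obj.SetSecurityLayer(2); [void]$obj.SetEncryptionLevel(3)
    Write-Host 'RDP-Tcp listener does not meet the SSL/High requirement.'
}
```

This confirms only what the RDP-Tcp listener demands of the full RDP client; it says nothing about what the TSWeb ActiveX control can negotiate, which is the separate question the thread goes on to answer.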

gemarti Commented:
Not sure I can help you, but I notice that you are trying to connect to the tsweb page over port 443 using http://servername.ourdomain.com/tsweb. If you are using port 443, shouldn't you be using https://servername.ourdomain.com/tsweb?


https uses port 443
http uses port 80

PowerIT Commented:
This is indeed not possible on 2003 server. See here why: http://uksbsguy.com/forums/p/1988/5830.aspx

However, Microsoft did realise this was a security risk, so they resolved it in 2008 Server. You can tunnel RDP through SSL (HTTPS) when using TS Gateway in 2008 Server (called RD Gateway in 2008 R2). That would solve your problem for PCI compliance.

kr, J.
jms220 Author Commented:
Thank you.  At least now I know for certain.  I'm building a 2008 R2 replacement as we speak.