Recently I have had to secure our Terminal server due to PCI compliance issues. There is a well-known vulnerability in RDP on Windows 2003 that has forced me to either secure Term Services via SSL/TLS or go to a product like Citrix. Since we have only one Server in the organization like this I would like to avoid having to go to Citrix. I have been able to configure the Terminal Server to use SSL/TLS encryption with the RDP Client (the one that is installed on a user's machine). The issue I am having, and even Microsoft Support does not seem able to answer for me, is how do I configure the TSWeb client to use SSL and high encryption?
Here's the deal: I installed a server certificate on the term server. No problems there. I then use the Terminal Services Configuration snap-in to change the settings on the RDP-tcp connection. I set the Security Layer to SSL and the Encryption Level to High. OK. When I launch the RDP client on a machine outside the firewall, across the internet, and connect to the server it works flawlessly (aside from the self-signed cert error - but I can fix that no problem).
The issue is that we also use TSWeb (Term Services Web Client) on this box. Now the "normal" RDP client works just great with this configuration. When you attempt to connect to the server via the http://servername.ourdomain.com/tsweb method, an error pops up saying that the client cannot negotiate a connection because authentication has not been configured.
I know WHY this is happening. I never configured the TSWeb client to use SSL or High Encryption. What I do not know is how to do this. Microsoft wants to tell me that it's an IIS issue; however, I have the server configured to access the TSWeb client over 443 as well, and all that does is serve the connection page over SSL - it has nothing to do with the TSWeb client connecting over 3389 using TLS/SSL. I thought that maybe there is a line of VBScript in the default.htm file within the tsweb directory that might force this, but I have been unable to find ANY documentation on this. Any help you can give me on how to force the Web Client to use SSL/TLS would be greatly appreciated. Even if you can just confirm that it is not in fact possible, I can at least move on to a different solution. Thanks in advance.