TS gateway - block connections

timbrigham
I have a TS 2008 machine which publishes a few RemoteApps via web access.

My problem is that if the gateway is manually entered into a client connection I can gain access to the complete desktop. Is there any way to stop this from occurring?
What do you mean exactly? Do you have TS Gateway installed plus TS Web? For TS Gateway all you need is port TCP 443 going from the outside to the machine where TS Gateway is running. No need to open TCP 3389 (RDP). If they go to the Gateway IP and get a desktop it means TCP 3389 is open and directed to the TS, which you do not need.

Cláudio Rodrigues
Citrix CTP

Author

Commented:
tsmvp / Claudio, thanks.

I should have made this clearer.

What I have is a TS machine which hosts a single application which needs to be accessible via the web. It provides the TS, web access, licensing, gateway and network access protection roles. The only inbound connection from the outside is HTTPS.

By going to the advanced tab on the local remote desktop client and specifying the RD gateway settings it is possible to gain full desktop access.
Did you set the 2008 TS to only allow RemoteApps?

Cláudio Rodrigues
Microsoft MVP - RDS
Citrix CTP

Author

Commented:
Where is this setting you are referring to?
The only one that I am aware of is the checkbox under RemoteApp Deployment Settings which hides the web interface. This is already disabled.
Top Expert 2010
Commented:

Author

Commented:
digitap, that doesn't apply in my situation, unfortunately.

My digging shows that software restriction policies are a good candidate for what I want to accomplish. It can block explorer.exe to kill full remote desktop access and can be configured to only allow the specific whitelisted applications my server provides. http://riosec.com/protecting-windows-remoteapp-servers

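A read-only PowerShell audit of the software restriction policy approach the author settled on (an added example, not code from the thread or from the linked article). It assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and the RemoteApp allow list under the Terminal Server TSAppAllowList key, and is meant to be run on the RemoteApp server itself after the policy has applied.

```powershell
# Added audit example (not from the thread). Read-only: reports what the
# RemoteApp server enforces so the SRP approach can be verified after gpupdate.
# Assumed registry layout (standard SRP): DefaultLevel under CodeIdentifiers and
# one <level>\Paths\<GUID>\ItemData entry per path rule, where level
# 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $srp)) {
    Write-Warning 'No Software Restriction Policy is applied on this server.'
    return
}

$default = (Get-ItemProperty -Path $srp -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
if ($null -ne $default) { "SRP default level: $($levelName[[int]$default])" }
else { 'SRP default level: not set' }

# Collect every path rule together with the security level it enforces.
$rules = foreach ($level in Get-ChildItem -Path $srp) {
    $lvl = 0
    if (-not [int]::TryParse($level.PSChildName, [ref]$lvl)) { continue }
    $pathsKey = Join-Path $level.PSPath 'Paths'
    if (-not (Test-Path $pathsKey)) { continue }
    $name = if ($levelName.ContainsKey($lvl)) { $levelName[$lvl] } else { "Level $lvl" }
    foreach ($rule in Get-ChildItem -Path $pathsKey) {
        $item = (Get-ItemProperty -Path $rule.PSPath).ItemData
        New-Object PSObject -Property @{
            Level = $name
            Path  = [Environment]::ExpandEnvironmentVariables([string]$item)
        }
    }
}
$rules | Sort-Object Level, Path | Format-Table Level, Path -AutoSize

# The check this thread is about: a Disallowed path rule on explorer.exe denies
# the shell to a full-desktop session that entered the Gateway manually, while
# the whitelisted RemoteApps keep working.
$explorerBlocked = $rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -like '*\explorer.exe' }
if ($explorerBlocked) { 'explorer.exe is Disallowed by SRP: a full desktop gets no shell.' }
else { Write-Warning 'No Disallowed rule for explorer.exe: a full desktop session still gets a shell.' }

# RemoteApp allow list: fDisabledAllowList = 0 means only the listed programs
# may be launched as RemoteApps (this alone does not stop a full desktop).
$tsApps = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList'
$allow = (Get-ItemProperty -Path $tsApps -ErrorAction SilentlyContinue).fDisabledAllowList
if ($allow -eq 0) { 'RemoteApp allow list is enforced.' }
else { Write-Warning 'RemoteApp allow list is not enforced or not configured.' }
```

Run it in an elevated session on the server; the warning about explorer.exe is the one that matters for the full-desktop problem described in the question.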
Top Expert 2010
Commented:
That option looks viable. Too bad they don't have a better way of controlling this. I mean, they intend RemoteApp to function differently from a standard RDP session. I've seen this in the way login scripts are launched when using RemoteApp. I should say AREN'T launched. When users would launch a remote app, they wouldn't get drive mappings or printers. I had to write a VB app that would perform those functions THEN launch the intended remote app. I publish the VB script as the remote app. It worked great, but it was missing functionality within a RemoteApp deployment.

Same goes with your scenario.
Top Expert 2010

Commented:
thanks for the points!