Llacy80
asked on
Remote Desktop Services - testing
I am testing an implementation of Remote Desktop Services into our network. I have installed the following components using two Hyper-V virtual servers. One server has the Remote Desktop Session Host installed and the RD Web Access installed and configured. I have configured the other virtual server to act as the Remote Desktop Gateway.
I have a few questions regarding the setup and security of the implementation.
1.) I have read that you should separate the RD Web Access, RD Host and gateway roles all onto different servers. Is this correct? Or does only the gateway need to be hosted on a different server?
2.) Is it necessary for the RD Gateway to be in front of the firewall? Or can I have it running behind the firewall with no security issues?
I do apologize if these are silly questions but I am very new to 2008. Most of my experience comes from 2003 and Terminal services is totally different (in my opinion) on 2k3. Thank you
Lacy
I just want to add if you decide one day to implement load balancing via a connection broker it is my understanding the WebAccess role should be installed on the connection broker server. However, I am not 100% on this.
ASKER
oztrodamus,
Thanks for the response. I have a couple more questions regarding your reply and then I will accept the comment and give points.
1.) If I do put the gateway on the internal network (we don't have an ISA/Forefront setup, only a SonicWall2040), will this be a huge security risk? This is the simplest solution for me but I am worried about the potential security issues.
2.) If I were to put the RDS gateway in a DMZ, how would I eliminate multiple authentication screens since the server will not be joined to the domain, and will it even be possible since we have a lower-end firewall?
Thanks.
ASKER CERTIFIED SOLUTION
1b) Whether or not you decide to separate the WebAccess and Session Host roles is largely determined by your projected resource demand. If you have a small office with limited users and resources then there is no reason to separate them. Doing so would only increase your administrative cost and provide no real benefit.
2) The RDS Gateway needs to be behind the firewall. The only port open for it should be HTTPS 443.
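
One way to check a firewall rule set against the "only HTTPS 443 to the gateway" advice above. This is an added example, not part of the original thread: the rule format, rule names and addresses are constructed for illustration and are not a SonicWall export format.

```python
# Added example: audit inbound (WAN -> LAN) allow rules for RD Gateway exposure.
# The rule format and all addresses below are constructed for illustration.
SAMPLE_RULES = [
    {"name": "rdgw-https", "dst": "10.0.0.20", "proto": "tcp", "ports": "443"},
    {"name": "legacy-ts",  "dst": "10.0.0.30", "proto": "tcp", "ports": "3389"},
    {"name": "rdgw-mgmt",  "dst": "10.0.0.20", "proto": "tcp", "ports": "3389-3390"},
    {"name": "rdgw-misc",  "dst": "10.0.0.20", "proto": "tcp", "ports": "80,135"},
    {"name": "mail",       "dst": "10.0.0.40", "proto": "tcp", "ports": "25"},
]


def expand_ports(spec):
    """Turn '80,135' or '3389-3390' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit(rules, gateway_ip, session_hosts):
    """Return (rule name, finding, ports) for rules that break the 443-only design."""
    findings = []
    for rule in rules:
        ports = expand_ports(rule["ports"])
        if rule["dst"] == gateway_ip:
            # Only TCP 443 should reach the gateway from outside.
            allowed = {443} if rule["proto"] == "tcp" else set()
            extra = sorted(ports - allowed)
            if extra:
                findings.append((rule["name"], "gateway-extra-port", extra))
        elif rule["dst"] in session_hosts or 3389 in ports:
            # Inbound access that reaches RDP without passing through the gateway.
            findings.append((rule["name"], "bypasses-gateway", sorted(ports)))
    return findings


if __name__ == "__main__":
    for name, finding, ports in audit(SAMPLE_RULES, "10.0.0.20", {"10.0.0.30"}):
        print(f"{name}: {finding} {ports}")
```
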