Solved

Remote Desktop Services -  testing

Posted on 2010-09-15
Last Modified: 2013-11-21
I am testing an implementation of Remote Desktop Services into our network. I have installed the following components using two Hyper-V virtual servers. One server has the Remote Desktop Session Host installed and the RD Web Access installed and configured. I have configured the other virtual server to act as the Remote Desktop Gateway.

I have a few questions regarding the setup and security of the implementation.

1.) I have read that you should separate the RD Web Access, RD Session Host and RD Gateway roles onto different servers? Is this correct? Or does only the gateway need to be hosted on a different server?

2.) Is it necessary for the RD Gateway to be in front of the firewall? Or can I have it running behind the firewall with no security issues?

I do apologize if these are silly questions, but I am very new to 2008. Most of my experience comes from 2003, and Terminal Services is totally different (in my opinion) on 2k3. Thank you

Lacy
Question by:Llacy80
4 Comments
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33687871
1a) The RDS Gateway is designed to be an edge network device. You can put it in a perimeter network (DMZ) or on the internal network if need be, but the purpose of it is to secure your RDS infrastructure when accessing externally. With that in mind, yes, it should be on a separate server.

1b) Whether or not you decide to separate the Web Access and Session Host roles is largely determined by your projected resource demand. If you have a small office with limited users and resources, then there is no reason to separate them. Doing so would only increase your administrative cost and provide no real benefit.

2) The RDS Gateway needs to be behind the firewall. The only port open for it should be HTTPS 443.
 
LVL 7

Expert Comment

by:oztrodamus
ID: 33687926
I just want to add if you decide one day to implement load balancing via a connection broker it is my understanding the WebAccess role should be installed on the connection broker server. However, I am not 100% on this.
 
LVL 4

Author Comment

by:Llacy80
ID: 33688022
oztrodamus,

Thanks for the response. I have a couple more questions regarding your reply and then I will accept the comment and give points.

1.) If I do put the gateway on the internal network (we don't have an ISA/Forefront setup, only a SonicWall 2040), will this be a huge security risk? This is the simplest solution for me, but I am worried about the potential security issues.

2.) If I were to put the RDS Gateway in a DMZ, how would I eliminate multiple authentication screens, since the server will not be joined to the domain? And will it even be possible, since we have a lower-end firewall?

Thanks.

 
LVL 7

Accepted Solution

by:oztrodamus earned 2000 total points
ID: 33688109
In general, I don't think it matters which firewall you use. Please keep in mind I am not a security guru, so don't take what I say in that regard as absolute. But in my opinion, port 443 is port 443, and whatever security risks come with that are the fault of the protocol implementation, not the firewall.

Why you would choose not to use a particular firewall, outside of features, is not to protect your organization from an attack on a port that is already open, but to protect the organization from an attack on a port that is not. If you're concerned about attacks regarding protocol implementation, you need an IDS.

Placing a server in a DMZ does not prevent it from being a member of a domain. You need only open the ports required for authentication. The Microsoft article below should point you in the right direction.

http://technet.microsoft.com/en-us/library/bb727063.aspx

The MSDN article below explains SSO for Web Access:

http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
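The accepted answer makes two checkable claims: a DMZ-hosted RD Gateway can stay domain-joined as long as the authentication ports to the domain controllers are open, and the only port the outside world should reach on the gateway is HTTPS 443. The script below is an added example for verifying both from the gateway itself; it is not code from the thread or from Microsoft. It assumes the Windows Server 2012+ NetTCPIP cmdlets (Test-NetConnection, Get-NetTCPConnection, New-NetFirewallRule), so on the 2008 R2 hosts discussed here you would use netsh and portqry instead. The domain controller names are placeholders, and the port list is general Active Directory knowledge rather than something the linked TechNet article on this page is quoted as saying.

```powershell
# Added example, not from the thread. Run on the RD Gateway (Windows Server 2012+ cmdlets assumed).
# Domain controller names below are assumed placeholders.
$DomainControllers = @('dc01.corp.example', 'dc02.corp.example')

# TCP ports a domain-joined server needs to reach its DCs (general AD knowledge, not from the page).
# Note: RPC also needs the dynamic range (49152-65535 by default) for things like netlogon/Group Policy.
$DcPorts = @(
    @{ Port = 53;   Name = 'DNS' },
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB (SYSVOL / Group Policy)' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global Catalog' }
)

# Claim 1: the DMZ firewall lets the gateway talk to the DCs on the authentication ports.
function Test-DcReachability {
    foreach ($dc in $DomainControllers) {
        foreach ($p in $DcPorts) {
            $result = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC        = $dc
                Port      = $p.Port
                Service   = $p.Name
                Reachable = $result.TcpTestSucceeded
            }
        }
    }
}

# Claim 2: nothing other than HTTPS should be exposed. Lists every socket listening on all
# interfaces whose port is not in the allow list, so it can be compared against the perimeter
# firewall's inbound rule set (anything here that the perimeter also passes is a finding).
function Get-UnexpectedListeners {
    param([int[]]$Allowed = @(443))
    Get-NetTCPConnection -State Listen |
        Where-Object { ($_.LocalAddress -in '0.0.0.0', '::') -and ($_.LocalPort -notin $Allowed) } |
        ForEach-Object {
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }
}

# Host firewall rule matching the answer's advice: inbound HTTPS only for the gateway role.
# Requires an elevated shell; other inbound traffic is still governed by the default block policy.
function Set-GatewayInboundRule {
    New-NetFirewallRule -DisplayName 'RD Gateway HTTPS (443)' -Direction Inbound `
        -Protocol TCP -LocalPort 443 -Action Allow -Profile Any | Out-Null
}

Test-DcReachability   | Format-Table -AutoSize
Get-UnexpectedListeners | Format-Table -AutoSize
```

A reachability table with every row Reachable = True confirms the DMZ-to-LAN rules the answer describes are in place; a False on 88 or 389 is the usual reason a DMZ gateway drops out of the domain and starts prompting for credentials twice. The listener report is meant to be read alongside the perimeter firewall policy, not in isolation: the gateway legitimately listens on more than 443 for management, but only 443 should be permitted from the Internet.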
