Solved

RD Web Windows 2008 R2

Posted on 2013-12-19
Last Modified: 2014-01-14
I am looking to configure RDWeb. I have two questions. Can I configure RDWeb SSL if we have one public IP address that points to our internal Exchange? Can I change the SSL listening port and use port forwarding? The second question is: on our SonicWall, do I have to open up RDP from the WAN interface so users can RDP to their computer?

Thanks in advance..
Question by:mbaez2009
LVL 25

Accepted Solution

by:
Diverse IT earned 500 total points
ID: 39731536
Hi mbaez2009,

...can I configure RDWeb SSL if we have one public IP address that points to our internal Exchange.  Can I change the SSL listening port and use port forwarding.
Apart from the certificate, are you going to be publishing a Full Desktop or a RemoteApp? Keep in mind that when publishing a Full Desktop using RD Web Access you cannot get rid of the security warning and you will not be able to make it SSO.

This is explained here: http://microsoftplatform.blogspot.com/2011/05/rd-webaccess-and-unknown-publisher.html

Furthermore, this explains even more about RDS and certificates in general: http://blog.kristinlgriffin.com/2010/08/minimum-certificate-requirements-for.html

You could do a wildcard for the SSL too.

...on our Sonicwall Do I have to open up RDP from Wan interface so users can RDP to their computer?
If you use RDWeb and RD Gateway then all you need is TCP port 443.  If you only use RDWeb then you would need TCP port 443 for RDWeb and TCP port 3389 (by default) for RDP, but I'd recommend installing RD Gateway if you have not already done so, because with that installed, traffic flows through 443 rather than 3389, which is a widely known networking attack vulnerability (not recommended to open 3389 ever!). Here are some guides for installing RD Gateway:

Here is a list of ports used in an RDS deployment: http://social.technet.microsoft.com/wiki/contents/articles/16164.what-ports-are-used-by-a-rds-deployment.aspx This means again that if you use RD Gateway, RDWeb will operate over TS Gateway on port 443, which will be the only port needing to be forwarded.

Provided that you have different servers for Exchange and RDWeb, you can forward a different port, say 444, on your external IP to 443 on the internal IP of your RDWeb box. This allows you to leave 443 on the external IP forwarding to 443 on the internal IP of your Exchange box.

This only requires a single external IP. The only difference is when connecting to your RDWeb gateway (from outside) the URL will have to specify the external port number that you chose when creating the second NAT rule:
1.1.1.1:443 = <internal_IP1>:443  (NAT Policy for Exchange)
1.1.1.1:444 = <internal_IP2>:443  (NAT Policy for RDWeb)
Let me know how it goes!
0
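As an added example (not part of the answer above, and not SonicWall's own configuration format), the two-rule NAT layout can be checked mechanically before it goes on the firewall. The internal addresses, the two extra bad rules and the function names `parse_rules`, `audit` and `external_url` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Rule notation from the answer above: <public_ip>:<port> = <internal_ip>:<port>  (label)
RULE_RE = re.compile(r"^\s*([\w.<>]+):(\d+)\s*=\s*([\w.<>]+):(\d+)\s*(?:\((.*)\))?\s*$")
RDP_PORT = 3389

# Constructed sample: the first two rules follow the answer (internal IPs are
# placeholders); the last two are deliberately bad additions for the audit.
SAMPLE = """\
1.1.1.1:443 = 10.0.0.10:443   (NAT Policy for Exchange)
1.1.1.1:444 = 10.0.0.20:443   (NAT Policy for RDWeb)
1.1.1.1:3390 = 10.0.0.30:3389 (NAT Policy for desktop RDP)
1.1.1.1:443 = 10.0.0.20:443   (NAT Policy for RDWeb, conflicting)
"""

def parse_rules(text):
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a NAT rule: {line!r}")
        ext_ip, ext_port, int_ip, int_port, label = m.groups()
        rules.append({"ext": (ext_ip, int(ext_port)),
                      "int": (int_ip, int(int_port)), "label": label or ""})
    return rules

def audit(rules):
    findings, by_ext = [], defaultdict(set)
    for r in rules:
        by_ext[r["ext"]].add(r["int"])
        # RDP is exposed whenever the *internal* port is 3389, even if the
        # external port was moved to something less obvious.
        if r["int"][1] == RDP_PORT:
            findings.append(("rdp-exposed", r["ext"], r["int"]))
    for ext, targets in by_ext.items():
        if len(targets) > 1:  # one public ip:port can reach only one host
            findings.append(("ext-port-conflict", ext, tuple(sorted(targets))))
    return findings

def external_url(rule):
    ip, port = rule["ext"]
    return f"https://{ip}/" if port == 443 else f"https://{ip}:{port}/"

if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE)):
        print(finding)
```

The two rules exactly as written in the answer produce no findings; `external_url` gives the address outside users must type for the RDWeb rule, including the non-default port.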
 

Author Comment

by:mbaez2009
ID: 39731758
I will be using it for both RDWeb and apps.  Where should I put the Gateway Server?  I set up the session host on a terminal server.
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 39732406
Ideally you would go for 2012 R2 instead of 2008 R2 as RDP in general is WAY WAY better and the setup WAY easier.
My home setup for example uses RD Web Access and RD Gateway on the same machine, with only port TCP 443 opened from the external interface to the internal IP of that particular server.
In total I have three machines (VMs).
- Domain Controller and RD Connection Broker on VM1.
- RD Web Access and RD Gateway on VM2.
- RD Session Host on VM3.
Wildcard certificate used (single certificate so I can use on all VMs).
Clients can connect to anywhere over port 443 (iOS, Android, Mac, Windows 7/8/8.1).

CR

Author Comment

by:mbaez2009
ID: 39732456
OK, thanks. I have two different clients to implement, so I will play with both.
LVL 25

Expert Comment

by:Diverse IT
ID: 39738999
Any updates?