Monday, September 19, 2011

Terminal Services Gateway

We were looking for some solution where we can centralize every RDP session coming from outside (especially for vendor access), and we ended up with 2 choices: Citrix or Terminal Services Gateway (now known as Remote Desktop Services Gateway). Considering we already have licenses for Terminal Services, we are taking the latter. If you don't know what it is, here's a brief explanation.

Windows Server Terminal Services uses Remote Desktop Protocol (RDP) to enable the connections from clients to the terminal server, which uses port 3389. If you need to access a terminal server from outside the internal network (intranet), you have two options for doing so. You can either enable port 3389 through your firewall to specific servers (which isn’t a good idea), or, more commonly, clients connect to the corporate network via VPN, which can then enable the RDP session in a secure manner.

In general, technologies are moving away from requiring VPN connections. For example, remote procedure call (RPC) over HTTP Secure (HTTPS) is used for for Microsoft Exchange Server connections and Microsoft Office SharePoint Server and Microsoft Office Groove access. Windows Server 2008 includes Terminal Services (TS) Gateway, a new technology that allows secure RDP connections from outside a corporate intranet without requiring a VPN connection.

TS Gateway allows RDP traffic to be encapsulated in HTTPS. Essentially the client outside the network makes a configuration change on their Remote Desktop client to instruct the client to communicate via a TS Gateway. The RDP traffic on the client is encapsulated in HTTPS, encrypted using the TS Gateway’s Secure Sockets Layer (SSL) certificate, and sent to the TS Gateway. The TS Gateway extracts the RDP traffic from the HTTPS and forwards it on to the destination target. The Remote Desktop client sends responses via the TS Gateway in normal RDP, and once again the TS Gateway encapsulates the RDP in HTTPS and sends it back to the RDP client. The diagram below illustrates the TS Gateway communications process.


Configuring a system to use TS Gateway is simple. Note that the RDP target can be any Remote Desktop target—it doesn’t have to be a Server 2008 terminal server, and a system can connect to any target via the TS Gateway.

You would normally place the TS Gateway in your network’s demilitarized zone (DMZ). However, an alternative option is to place a Microsoft ISA Server system or other SSL terminator in the DMZ and place the TS Gateway in the internal network to perform the RDP encapsulation and extraction duties.

No comments:

Post a Comment