Han,

You said:
> > In W2K3 SP1 it actually can be SSL. But can't we have RDP over SSL
> > bridging?
> > So to add to my ISA wish list: RDP over SSL bridging and RDP layer 7
> > filter.

"Bridging" with respect to ISA implies HTTP; the ONLY protocol that ISA can "bridge".
"RDP over SSL bridging" is meaningless, since SSL is session-layer, while HTTP and RDP are application-layer protocols.

In either case, none of the SSL additions in WS03 SP1 change the fundamental aspects of the RDP protocol.

-----Original Message-----
From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx]
Sent: Tuesday, July 19, 2005 6:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Now would be a good time to disable inbound RDP (or change your port)

http://www.ISAserver.org

Hi Jim,

Yes I know that SSL has nothing to do with HTTP. The way I understand the kb article is that you are able to use SSL for authentication _and_ encryption of a RDP session instead of the 'normal' encryption.

Is it just me or is the kb article confusing?

Han.

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Monday, July 18, 2005 7:12 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Now would be a good time to disable
> inbound RDP (or change your port)
>
> http://www.ISAserver.org
>
> Hi Han,
>
> Actually, I won't be getting that fixed.
> The article discusses how to change RDP services to use
> certificate-based SSL encryption and server authentication. It says
> nothing about changing how the RDP protocol itself operates.
>
> You're making the common, but mistaken assumption that SSL == HTTP.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx]
> Sent: Sunday, July 17, 2005 23:32
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> (or change your port)
>
> http://www.ISAserver.org
>
> Ok ..... But why does kb895433 say 'to use Transport Layer Security
> (TLS) to authenticate the terminal server and to encrypt the data that
> is sent between the terminal server and the client computer' and 'You
> can use Microsoft Windows Server 2003 Service Pack 1 (SP1) together
> with Transport Layer Security (TLS) version 1.0 to help increase
> terminal server security by using TLS for server authentication and to
> encrypt terminal server communications.' and 'This article describes
> how to configure Windows Server 2003 SP1 to use TLS 1.0 for server
> authentication to encrypt terminal server communications.', etc.???
>
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Monday, July 18, 2005 00:15
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Now would be a good time to disable
> > inbound RDP (or change your port)
> >
> > http://www.ISAserver.org
> >
> > Sorry; this is not true.
> > The SP1 addition only provides for SSL authentication.
> > The remote desktop protocol is still happening over RDP.
> >
> > Even if you could tunnel RDP over HTTP, you'd still have to deal with
> > the RDP encryption within the HTTP traffic (just like RPC/HTTP).
> >
> > ISA still can't see it.
> >
> > -----Original Message-----
> > From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx]
> > Sent: Sunday, July 17, 2005 8:51 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> > (or change your port)
> >
> > http://www.ISAserver.org
> >
> > In W2K3 SP1 it actually can be SSL.
> > But can't we have RDP over SSL bridging?
> > So to add to my ISA wish list: RDP over SSL bridging and RDP layer 7
> > filter.
> >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Sunday, July 17, 2005 17:09
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Now would be a good time to disable
> > > inbound RDP (or change your port)
> > >
> > > http://www.ISAserver.org
> > >
> > > Problem:
> > > - RDP is encrypted, just like SSL.
> > > Without getting into the actual underpinnings of EDP (I'd have to kill
> > > you), you'd have to remember that an application filter would have to
> > > act in much the same way as an actual server/client pair (think MMS,
> > > RTSP).
> > >
> > > This is also why FTPS isn't very functional across an ISA.
> > >
> > > -----Original Message-----
> > > From: Han Valk [mailto:Han.Valk@xxxxxxxxxxxxxxx]
> > > Sent: Sunday, July 17, 2005 7:43 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Now would be a good time to disable inbound RDP
> > > (or change your port)
> > >
> > > http://www.ISAserver.org
> > >
> > > And wouldn't it be great if we had a layer 7 RDP filter for ISA?!
> > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Sunday, July 17, 2005 07:38
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Now would be a good time to disable
> > > > inbound RDP (or change your port)
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Timmy can gloat now...
> > > > :-)
> > > >
> > > > Now is a good time to make use of ISA 2004's ability to perform PAT.
> > > > http://go.microsoft.com/fwlink/?LinkId=50422
> > > >
> > > > Jim
> > > >
> > > > All mail to and from this domain is GFI-scanned.
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Other Internet Software Marketing Sites:
> > > > World of Windows Networking: http://www.windowsnetworking.com
> > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > Network Security Library: http://www.secinf.net/
> > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion
> > > > List as: han.valk@xxxxxxxxxxxxxxx
> > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
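
Added example, not part of the thread: a sketch of how a filter can tell HTTP, TLS and RDP apart from the first bytes a client sends, which shows why an HTTP-only bridge has nothing to parse on an RDP connection even when that connection asks for TLS. The framing follows RFC 1006 (TPKT) and the published RDP negotiation request layout, not anything stated in the thread; the function names and sample packets are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")
# requestedProtocols bit flags of the RDP negotiation request (assumed from MS-RDPBCGR)
RDP_FLAGS = {0x1: "TLS", 0x2: "CredSSP"}

def classify_first_bytes(data: bytes) -> str:
    """Name the protocol a client opened with, from its first bytes."""
    if data.startswith(HTTP_METHODS):
        return "http"   # the only opening an HTTP bridge can parse
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"    # TLS record: handshake (22), major version 3
    # TPKT: version 3, reserved 0; byte 5 is the X.224 Connection Request code
    if len(data) >= 11 and data[:2] == b"\x03\x00" and (data[5] & 0xF0) == 0xE0:
        return "rdp"
    return "unknown"

def rdp_requested_security(data: bytes):
    """Security protocols an RDP Connection Request asks for, or None."""
    if classify_first_bytes(data) != "rdp":
        return None
    (total,) = struct.unpack(">H", data[2:4])
    if total > len(data):
        return None                       # truncated capture
    rest = data[11:total]                 # skip TPKT (4) + X.224 header (7)
    if rest.startswith(b"Cookie:"):       # optional cookie line ends in CRLF
        end = rest.find(b"\r\n")
        if end < 0:
            return None
        rest = rest[end + 2:]
    if len(rest) < 8 or rest[0] != 0x01:  # no negotiation request: older client
        return ["standard RDP security"]
    _type, _flags, length, requested = struct.unpack("<BBHI", rest[:8])
    if length != 8:
        return None
    names = [name for bit, name in RDP_FLAGS.items() if requested & bit]
    return names or ["standard RDP security"]

def sample_request(requested=None, cookie=b""):
    """Constructed Connection Request for the demo (not a capture)."""
    neg = b"" if requested is None else struct.pack("<BBHI", 1, 0, 8, requested)
    x224 = bytes([6 + len(cookie) + len(neg), 0xE0, 0, 0, 0, 0, 0]) + cookie + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

if __name__ == "__main__":
    for label, first in [("HTTP", b"GET / HTTP/1.1\r\n"), ("TLS", b"\x16\x03\x01\x00\x2f"),
                         ("RDP legacy", sample_request()),
                         ("RDP+TLS", sample_request(1, b"Cookie: mstshash=demo\r\n"))]:
        print(label, classify_first_bytes(first), rdp_requested_security(first))
```

The RDP client that requests TLS still opens with TPKT/X.224 framing, so it classifies as "rdp", not "tls" or "http".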