RE: Securing Remote access for RDP (Terminal Services)

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 23 Nov 2005 11:50:12 -0600

Hey Tim,

RE: #1 -- you sure about that? ISA Server 2004 has a "port stealing"
feature that makes this not required. It might have been the case for
ISA Server 2000, but not now. I have it working now without having to
make changes to the Terminal Services configuration and can publish
internal RDP servers and the RDP server on the ISA firewall.

Next week,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Tuesday, November 22, 2005 7:31 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Securing Remote access for RDP (Terminal Services)
> 
> http://www.ISAserver.org
> 
> I know Doc already replied, but to specifically answer the last
> question, Yes, the TSAC client will use the server publishing RDP rule
> to communicate with the terminal server. The client is (apparently)
> using the Web Publishing rule to access the TSAC itself, then, once the
> TSAC is loaded into the client's memory, the client will connect to the
> server using RDP.
> 
> A couple of Q's-
> 
> 1) You don't have RDP bound to the external interface on the ISA server
> itself, right? By default, in Terminal Server Configuration, any server
> with Remote Desktop enabled will bind RDP to all available interfaces.
> If you are publishing RDP on the ISA Box, the external interface of the
> ISA itself can't be bound to RDP. If you do indeed have Remote Desktop
> enabled on the ISA box, go into Terminal Server Configuration, right
> click on the RDP protocol, go to properties, select the Network Adapters
> tab, and select the internal adapter you wish to use to bind RDP to.
> Then you can publish RDP from the external interface to the internal box
> while still allowing RDP connections on the ISA's internal interface.
> 
> 2) The TSAC client can directly hit the external interface of the ISA
> box with RDP (3389) right? Some people tend to think that the TSAC does
> some sort of RDP proxying - it provides the client with the ActiveX
> control - the client must still be able to hit the ISA box directly...
> Can you connect with the default RDP client on the client box?
> (mstsc.exe)
> 
> t
> 
> 
> 
> ----- Original Message ----- 
> From: "Raji Arulambalam" <rajia@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, November 22, 2005 3:52 PM
> Subject: [isalist] RE: Securing Remote access for RDP (Terminal Services)
> 
> 
> Hi
> 
> I followed as described in article KB895433 for using certificate based
> authentication for RDP clients.
> This worked fine, but I came to grief when I tried to access the
> Terminal Server via the TSAC web client. I got the error message that
> the server was unavailable giving 3 different reasons.
> I have both Web and Server publishing rules for the IIS and terminal
> servers.
> Does the TSAC client use the server published (RDP) rule to communicate
> with the Terminal server?
> 
> The ISA server 2000 was setup as using To's article
> http://www.isaserver.org/tutorials/Publishing_Terminal_Services_and_the_TSAC_Client__Updated.html
> 
> How do I get both working?
> 
> RajiA
> 
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Tuesday, 22 November 2005 11:41 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Securing Remote access for RDP (Terminal Services)
> >
> > To be specific, one can indeed use SSL for RDP connections.
> > Win2k3 allows specifying certificate-based TLS authentication
> > at the server by installing a valid cert, specifying SSL as
> > the security layer, and then choosing what encryption level
> > you want, all the way to 140 bit FIPS as described in
> > KB895433.  But this, as you pointed out, has nothing to do
> > with ISA other than publishing RDP.
> >
> > t
> >
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: 
> thor@xxxxxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> 
> 
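
A way to check the two things the quoted messages ask about: whether a client can reach the published RDP listener on 3389 directly, and whether the server accepts SSL (TLS) as the security layer. This is an added example, not part of the original thread; the function names are hypothetical, the packet layout follows the standard RDP connection negotiation, and it goes slightly beyond the thread by decoding the server's refusal codes.

```python
import socket
import struct

# Added example; function names are hypothetical, not from the thread.
# TPKT + X.224 Connection Request + RDP negotiation request offering TLS only.
CONNECTION_REQUEST = bytes.fromhex("030000130ee00000000000" "0100080001000000")
SELECTED = {0: "standard RDP security", 1: "TLS"}
FAILURES = {1: "server requires TLS", 2: "TLS not allowed by server",
            3: "no certificate on server", 5: "server requires CredSSP/NLA"}

def parse_connection_confirm(data):
    """Decode the server's reply to CONNECTION_REQUEST into a short verdict."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data) or (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:
        # A server without negotiation support sends a bare confirm.
        return "standard RDP security (server ignored the negotiation request)"
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == 2:   # RDP_NEG_RSP: value is the selected protocol
        return SELECTED.get(value, f"protocol {value}")
    if neg_type == 3:   # RDP_NEG_FAILURE: value is the failure code
        return "refused: " + FAILURES.get(value, f"code {value}")
    raise ValueError(f"unexpected negotiation type {neg_type}")

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def probe(host, port=3389, timeout=5.0):
    """Connect to the published listener and report the security layer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(CONNECTION_REQUEST)
            header = _recv_exact(s, 4)
            body = _recv_exact(s, struct.unpack(">H", header[2:4])[0] - 4)
            return parse_connection_confirm(header + body)
    except (OSError, ValueError) as exc:
        return f"check failed: {exc}"

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))  # host name of your own published server
```

Run it from outside the firewall against the external address to test the publishing rule, and from inside against the terminal server to test the listener itself.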

