True enough... I thought that the communication would be channeled in some way. Does that mean that the only advantage of tsac is that you have to struggle with IIS? :-) > -----Original Message----- > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] > Sent: Thursday, September 12, 2002 12:24 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: terminal service client > > > http://www.ISAserver.org > > > The statement "would run through an SSL session" is > absolutely untrue. Terminal Services operates on TCP-3389 (or > the port that you define), outside of any SSL session you > create to reach the TSAC page. It's one of the bugaboos that > catches the unwary every time. > > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/pages/author_index.asp?aut=3 > http://isatools.org > Read the books! > > ----- Original Message ----- > From: "Mark Hippenstiel" <mark@xxxxxxxxxxxx> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> > Sent: Wednesday, September 11, 2002 2:09 PM > Subject: [isalist] RE: terminal service client > > > http://www.ISAserver.org > > > There is a point in having to deal with IIS and some coding > to get it run, but it would run through a SSL connection and > be ways safer than just letting Terminal Services listen on > another port. Correct me if I'm wrong, but whoever would want > to mess around would test which services run on which port > anyway, no? In my understanding this wouldn't be a major > security enhancement. > > Therefore I personally would prefer using a VPN connection to > TS and go further from there as has already been said. The > following article gives > (little) insight on what is being encrypted in and around a terminal > session: > > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q275727 > > > Depending on what applications you run, you might want to > install some of the following scripts: > > http://www.microsoft.com/windows2000/techinfo/administration/t > erminal/ts > apcompat.asp > > > Mark > > -----Original Message----- > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] > Sent: Wednesday, September 11, 2002 3:23 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: terminal service client > > > http://www.ISAserver.org > > > The AX client requires either a web page to run within or you > get to write custom local code to use it. Plus, it doesn't > obey the same logoff restrictions that eh real clients does. > Personally, I don't recommend the TS AX client. > > Jim Harrison > MCP(NT4, W2K), A+, Network+, PCG > http://isaserver.org/pages/author_index.asp?aut=3 > http://isatools.org > Read the books! > > ----- Original Message ----- > From: Mark <mailto:mark@xxxxxxxxxxxx> Hippenstiel > To: [ISAserver.org Discussion List] <mailto:isalist@xxxxxxxxxxxxx> > Sent: Wednesday, September 11, 2002 12:07 AM > Subject: [isalist] RE: terminal service client > > http://www.ISAserver.org > > > Then how about using the TS active-x client on a non standard > port, over a secure channel? I can remember that this was > discussed here once. -----Original Message----- > From: John Haislet [mailto:jhaislet@xxxxxxxx] > Sent: Wednesday, September 11, 2002 6:22 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: terminal service client > > > http://www.ISAserver.org > > > My only concern is that its a HUGE risk if you don't know > every little in and out of TS and get everything setup just > right for maximum security. Call me paranoid, but TS is one > more think I would not want to have to worry about on a > server w/ a direct internet connection. > > John in Texas > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] > Sent: Tuesday, September 10, 2002 11:09 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: terminal service client > > > http://www.ISAserver.org > > > Hi John, > > But practically speaking, I think it would be difficult to > exploit the published Terminal Server. You can use high > encryption, create complex passwords for the Admin accounts, > rename the admin accounts, and make sure that the server > doesn't remember the last logged on user's name. So, I would > bet publishing a TS would be pretty safe. > > Do you think I might have missed something in this analysis? > > Thanks! > > Thomas W Shinder > <http://www.isaserver.org/shinder> www.isaserver.org/shinder > > > -----Original Message----- > From: John Haislet [mailto:jhaislet@xxxxxxxx] > Sent: Tuesday, September 10, 2002 10:48 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: terminal service client > > http://www.ISAserver.org > I personally would not do this. It really opens up a very > large security gap in the firewall and network for that > matter having these services accessible from the outside. > Terminal services were really designed to be used inside the > LAN, say from your office to the data center. I am not sure > on the details of making it work, but it should be pretty > easy to find what port(s) it uses. I also at a minimum would > recommend using VPN to access the server from the outside if > thats what you choose. > > John in Texas > -----Original Message----- > From: Achmad Mursalin [mailto:ach_m@xxxxxxxxx] > Sent: Tuesday, September 10, 2002 10:35 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] terminal service client > http://www.ISAserver.org Halo. my exchange server 2000 behind > ISA server 2000. I want to use terminal service client from > my home to remote server exchange and isa server. In exchange > server add ( terminal service, terminal service license) In > ISA server add ( terminal service, terminal service license ) > HOw to configure ISA server and exchange 2000 server so that > i can remote server. thanks. > > > _____ > > Yahoo! - We Remember > 9-11: A tribute to the more <http://dir.remember.yahoo.com/tribute> > than 3,000 lives lost > ------------------------------------------------------ You > are currently subscribed to this ISAserver.org Discussion > List as: jhaislet@xxxxxxxx To unsubscribe send a blank email > to $subst('Email.Unsub') > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a > blank email to $subst('Email.Unsub') > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: jhaislet@xxxxxxxx To unsubscribe send a blank email > to $subst('Email.Unsub') > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: mark@xxxxxxxxxxxx To unsubscribe send a blank email > to $subst('Email.Unsub') > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email > to $subst('Email.Unsub') > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: mark@xxxxxxxxxxxx To unsubscribe send a blank email > to $subst('Email.Unsub') > > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email > to $subst('Email.Unsub') > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: mark@xxxxxxxxxxxx To unsubscribe send a blank email > to $subst('Email.Unsub') >