And just to be pedantic, Terminal Services Gateway uses RDP over SLL from the gateway to the back end TS clients. You are confusing the *publishing of TSG to the internet* with TSG itself. When published via ISA, RDP is indeed tunneled over RPC/HTTPS. At the TSGateway, The RPC headers are stripped, and the TS Gateway contacts the back end TS server via RDP/SSL. You can contact Alex Balcanquall internally at MSFT (Product Manager) and he'll confirm this for you ;) t > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison > Sent: Friday, July 13, 2007 12:36 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: OT: Requiring client-side certs for RDP > > It's true that the client *can* connect, but not until the user has > acknowledged the popups that are produced whtn the cert isn't trusted, > fails to match the connection, etc. This is my point. > In fact, anyone programming against the TS COM will have to make sure > they handle this event properly. > > Correct - TSG is not "TS Server using SSL" - that's RDP over SSL (no > HTTP involved). > TSG OTOH, is RPC/HTTP - you'll have to web-publish it to see the URLs > used, but when you do, the /rpc/rpcproxy.dll?<servername>:3388 request > will clarify this for ya. > > -----Original Message----- > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > bounce@xxxxxxxxxxxxx] > On Behalf Of Thor (Hammer of God) > Sent: Friday, July 13, 2007 12:04 PM > To: isapros@xxxxxxxxxxxxx > Subject: [isapros] Re: OT: Requiring client-side certs for RDP > > Actually, yes, it is *completely* wrong. But let's make sure we're not > letting you launch one of your famous misdirection threads ;) > > I'm not talking about TSG (Terminal Services Gateway). I'm talking > about Win2k3 Terminal Services configured to require TLS/SSL: The > client > does *not* have to trust the CA at all - it does not have to trust the > cert, the ca, or the entire chain for that matter, even though the > articles say it must. It doesn't. The client can connect anyway... > That's what is wrong with the articles. > > I'm asking if Longhorn terminal services will fix this natively. Tom's > point about using ISA's SSL Client Certificate Authorization for this > is > a great suggestion for TSG, but that is a different animal. > > t > > > > -----Original Message----- > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison > > Sent: Friday, July 13, 2007 11:31 AM > > To: isapros@xxxxxxxxxxxxx > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP > > > > It's not completely wrong; "..the client must trust the root > > certificate > > authority.." actually means "the client must trust the CA that issues > > the TSG server certificate", but I agree that it's less than clear. > > > > Whether TSG will do this natively, I don't know (and kinda doubt), > but > > I > > can certainly ask. > > As with OL, the question is more client- than server-based; IIS and > any > > application that operates within it can use user cert auth, but so > far, > > no RPC/HTTP client is capable of responding to a server that requires > > user cert auth. > > > > -----Original Message----- > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > bounce@xxxxxxxxxxxxx] > > On Behalf Of Thor (Hammer of God) > > Sent: Friday, July 13, 2007 10:41 AM > > To: isapros@xxxxxxxxxxxxx > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP > > > > While dude's article is clearly wrong, the MSFT KB's should be > amended > > as well. Saying "the client must trust the root certificate > authority" > > is simply incorrect and misleading. > > > > But, more to the core question, since the ts gateway is not the place > > to > > enforce this, are there plans in place for longhorn terminal services > > to > > support client certificate requirements like IIS does? > > > > t > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison > > > Sent: Friday, July 13, 2007 10:26 AM > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] Re: OT: Requiring client-side certs for RDP > > > > > > I just love it when "tribal knowledge" becomes "documented fact". > > > It's clear from the "article" that the author never tested any of > the > > > configuration or application statements he makes. > > > Even the dialog for his "attempt authentication" screenshot clearly > > > states "Authentication will confirm the identity of the remote > > computer > > > to which you connect" - NOT "Authentication will confirm the > identity > > > of > > > the user/machine **from which you connect**". > > > > > > In theory you *could* require user cert auth, but I don't know if > > the > > > TSG client will respond appropriately. Since TSG is "just" > RPC/HTTP, > > > it's rpcrt4.dll that handles the translation between RPC and HTTP > and > > > AFAIK, it only handles Basic and NTLM. > > > > > > Because TSG is RPC/HTTP, you can configure the /RPC vroot to > require > > > user certs and thus impose this requirement on your connecting > > clients > > > to test this theory. Of course, if you also share this vroot with > > > Exchange RPC/HTTP you'll break OL connections, since they can't > > handle > > > cert auth. > > > > > > -----Original Message----- > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- > > > bounce@xxxxxxxxxxxxx] > > > On Behalf Of Thor (Hammer of God) > > > Sent: Friday, July 13, 2007 9:29 AM > > > To: isapros@xxxxxxxxxxxxx > > > Subject: [isapros] OT: Requiring client-side certs for RDP > > > > > > Greets: > > > > > > > > > > > > Windows Server 2003 SP1 allows one to configure > server-authentication > > > via certificate for RDP over TLS/SSL. The MSFT articles say > things > > > like "the client must trust the certificate" etc in their > > > client-configuration notes, and other articles specify that you can > > > control access to RDP by issuing self signed certs and controlling > > > distribution. > > > > > > > > > > > > This presents the illusion that one can limit connections to RDP on > a > > > Win2k3 server via this method. See: > > > > > > http://support.microsoft.com/kb/895433 > > > > > > > http://technet2.microsoft.com/windowsserver/en/Library/a92d8eb9-f53d- > > > 4e8 > > > 6-ac9b-29fd6146977b1033.mspx > > > > > > http://www.windowsecurity.com/articles/Secure-remote-desktop- > > > connections > > > -TLS-SSL-based-authentication.html > > > > > > > > > > > > Win2k3 Terminal Services allows one to require security levels, but > > > only > > > provides "server" authentication - it does not allow you to require > a > > > particular certification to be requested of the client (as IIS > does). > > > > > > > > > > > > Snips from the windowsecurity article compound this perception: > > > > > > <snip> > > > The threat becomes even bigger, when the server running Microsoft > > > Windows Terminal Services is accessible from the Internet through > an > > > RDP > > > connection on port 3389, even though you have an advanced firewall > > such > > > as ISA Server in front of it. A scenario that is common especially > > for > > > Microsoft Small Business Server users. > > > > > > The good news however, is that you can prevent these attacks. The > > > solution is certificate based computer authentication. If the > > computer > > > cannot authenticate itself by presenting a valid certificate to the > > > terminal server it is trying to connect to, then the RDP connection > > > will > > > be dropped before the user has a chance to attempt to log on. > > > > > > </snip> > > > > > > > > > > > > This is simply untrue. The client does not "present a valid > > > certificate" at all. It either trusts the server or not, and it is > > up > > > to the client to make that decision. While RDP clients 6 and below > > > only > > > allow "No auth, attempt, or require" which do provide the expected > > > behavior, updated or alternate clients (like Vista) allow you to > > > connect > > > anyway. > > > > > > > > > > > > This being said, does anyone know if the current longhorn/ts > gateway > > > features will actually allow enforcement of client certificates > such > > a > > > requiring client certs that are signed by particular authorities? > > > > > > > > > > > > Sorry for all the detail, but I wanted to avoid people saying > "Sure, > > > just require TLS for RDP". > > > > > > > > > > > > t > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > All mail to and from this domain is GFI-scanned. >