[THIN] Re: Anywhere Access security

  • From: "Lilley, Brian" <brian.lilley@xxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Tue, 13 Jul 2004 12:15:01 +0100

Hi Nick,

I believe that RDP over HTTP is fundamentally different.. the client is
basically wrapping the RDP protocol in HTTPS, and the web server is unpacking
and forwarding to the terminal server as RDP packets?

I can see that this solution would be mildly attractive for SMEs....

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
Behalf Of Nick Smith
Sent: 13 July 2004 11:57
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Anywhere Access security


Brian,
<Also making it up as he goes along>
As far as I understand it currently (Under HTTP), the HTTP bit is only
used to make the initial connection and launch an ActiveX that uses RDP
directly. I think the ActiveX is essentially the core RDP client
without the nice GUI options (Like making drives available,
resolution, etc.) - which can only be set at the Web end.

Don't see why the HTTPS would be any different. 

Nick

-----Original Message-----
From: Lilley, Brian [mailto:brian.lilley@xxxxxxxx] 
Sent: 13 July 2004 11:55
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Anywhere Access security

I'm not sure about this one, making it up as I go along a bit...but.. if
HTTPS is a connectionless oriented protocol like HTTP???, does this mean
that the client would constantly be negotiating and establishing
connections, which it would then send a number of encapsulated RDP
packets in... and then drop this connection... and then continue doing
this every time data is transmitted to and from client/terminal
server... this would be horribly inefficient...
having said that though, who cares about size these days huh? what's a
couple of meg between MS programmers?



-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On
Behalf Of Nick Smith
Sent: 13 July 2004 11:30
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Anywhere Access security


Thanks Jeff,
These make some sense to me.
You may not be aware that TS already can initiate connections through a
browser.
In conclusion, though, are we agreed that this is *not* a way of making
RDP more secure than it currently is?

Nick
-----Original Message-----
From: Jeff Durbin [mailto:techlists@xxxxxxxxxxxxx]
Sent: 13 July 2004 10:58
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Anywhere Access security

The reasons for this would be the same as the reasons you'd have to
deploy CSG:

- Not directly exposing the TS's themselves to the Internet
- Only exposing a single IP address for one or many TS's
- Access through a commonly open port (443)
- Eliminates the need for VPN
- Initiation of connection through a universal mechanism: the browser
(presumably this is how it will work with TS)

JD

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew Rogers
> Sent: Tuesday, 13 July 2004 9:35 p.m.
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Anywhere Access security
> 
> counter question, why have Citrix released secure gateway? :)
> 
> I don't really know why MS have released this, I presume just to 
> compete with Citrix and the fact that vpns aren't the simplest of 
> things for users to get up and going I guess..
> 
> ooh, I guess it could also be useful for those who need access to rdp 
> in locked down locations? currently (I think) you can only hit rdp 
> servers directly, meaning the port has to be open to the internet.. We
> bandied about this earlier in the year and came to the concisive 
> conclusion that opening the ports directly may or may not present a 
> security risk now or in the future :) (although that was for Citrix 
> ports, but I'd imagine it holds true for TS too)
> 
> Andrew
> --o--
> 
> >>> nick@xxxxxxxxxxxxxxx 13/07/04 10:13:57 >>>
> Point taken,(And understood :)) regarding higher than 128-bit.
> 
> Ok, let's try the question another way; why are MS bothering to 
> release this  (And position it against VPNs) if it does not provide 
> more security than currently (The implication being that you currently
> *cannot* "allow users to securely access ... 
> Resources...without using VPN technology"). My bottom-line question
> is: is RDP currently not considered secure? By MS or anyone else?
> 
> Nick
> 
> 
> 
> -----Original Message-----
> From: Andrew Rogers [mailto:Andrew.Rogers@xxxxxxxxxxxxxxxxxx]
> Sent: 13 July 2004 09:16
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Anywhere Access security
> 
> Well, aside from me not being able to see where it says a VPN is more 
> secure, I do believe VPNs can go higher than 128bit encryption :)
> 
> So, uh, less than 3 syllables.. it done come from ms
> 
> Andrew
> --o--
> 
> >>> nick@xxxxxxxxxxxxxxx 13/07/04 08:41:16 >>>
> Quote from Brian's website
> (http://www.brianmadden.com/content/content.asp?id=192): 
> 
> "One of the new Terminal Services features is the ability for a 
> Windows Server to encapsulate and proxy RDP traffic over HTTPS 
> connections. The RDP over HTTPS proxy is part of what Microsoft calls 
> "Anywhere Access."
> Not to be confused with Citrix's "Access Infrastructure," 
> Microsoft's Anywhere Access will allow users to securely access 
> corporate resources over the public Internet without using VPN 
> software."
> 
> I'm now confused - and I would stress I am by no means a security 
> expert, *but* my understanding was that the RDP protocol - assuming 
> decent security levels on the client device - would automatically wrap
> everything in 128-bit encryption after the initial RDP handshake. So 
> I've always struggled to understand how VPN is inherently more secure 
> than that, except that you have to install complicated (For end users)
> client software to make it work.
> 
> How then, is this 'more secure'? Or to put it another way, how 
> insecure is RDP inherently?
> 
> For preference answers in words of less than 3 syllables...
> 
> Nick
> ********************************************************
> This weeks sponsor Emergent Online Thinssentials Utilities Using the 
> latest software, hardware, networking technologies, proven technical 
> expertise, proprietary software and best practices, EOL provides 
> custom-tailored solutions for each client's mission and specific 
> goals.
> http://www.go-eol.com
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode

> use the below link:
> http://thin.net/citrixlist.cfm
> 
> 
> 

========================================================================
======
This message is for the sole use of the intended recipient. If you
received this message in error please delete it and notify us. If this
message was misdirected, CSFB does not waive any confidentiality or
privilege. CSFB retains and monitors electronic communications sent
through its network.
Instructions transmitted over this system are not binding on CSFB until
they are confirmed by us. Message transmission is not guaranteed to be
secure.
========================================================================
======
