In article <Op2aKrlAGHA.3928@tk2msftngp13.phx.gbl>,
Bill_Fields@azb.uscourts.gov says...
> Hello.
>
> I have a customer who is having all kinds of problems w/ their current VPN
> connection. They're wondering if it would be acceptable to drop using the
> VPN altogether and just open the necessary port(s) on their firewall to
> allow Terminal Server connections. They do not need LAN access over the
> internet, just terminal server connections.
>
> My initial reaction was "you always use a VPN, that's the secure way of
> doing things", but since the TS client uses an encrypted connection, doesn't
> that generally give enough protection against sniffing?
>
> Comments? Obviously, I'm not a security expert...

If you TRUST MICROSOFT to not have ANY holes in Remote Desktop, if you
trust Microsoft to not have any unknown exploits, if you don't mind
everyone and their brother being able to attempt a RD connection to your
server, then it's fine to expose it.

As a matter of security, we install a Firewall that also acts as a VPN
endpoint and then only create accounts for Users that require VPN
access, and don't integrate the Firewall with the AD structure - they
get one user/password for the firewall and it's not the same as their
domain users/password. Once they VPN into the network, the firewall rule
for their firewall user permits only TCP 3389 to a single IP
(either the Terminal Server or their desktop in the office). We never
expose the LAN directly.
--
spam999free@rrohio.com
remove 999 in order to email me
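
The rule layout described in the reply above, written as an audit over a firewall rule set. This is an added example, not part of the original post or any firewall product's own syntax; the `Rule` fields, the `wan` / `vpn:<user>` source notation, and the sample addresses and account names are assumptions made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389  # TCP port named in the post

@dataclass(frozen=True)
class Rule:
    source: str   # "wan" or "vpn:<firewall-user>" (hypothetical notation)
    dest: str     # destination IP or CIDR
    proto: str    # "tcp", "udp" or "any"
    port: object  # int or "any"

def audit(rules, domain_accounts=()):
    """Return (rule_index, finding) pairs for rules that break the layout."""
    domain = {a.lower() for a in domain_accounts}
    findings = []
    for i, r in enumerate(rules):
        net = ipaddress.ip_network(r.dest, strict=False)
        rdp = r.proto in ("tcp", "any") and r.port in (RDP_PORT, "any")
        if r.source == "wan":
            # Anything on the internet can attempt a connection here.
            if rdp:
                findings.append((i, "RDP exposed to the internet"))
            continue
        user = r.source.partition(":")[2]
        # Firewall logins are kept separate from the AD/domain accounts.
        if user.lower() in domain:
            findings.append((i, "firewall user reuses a domain account name"))
        # Each VPN user may reach exactly one host, never the LAN.
        if net.num_addresses != 1:
            findings.append((i, "VPN user can reach more than one IP"))
        if r.proto != "tcp" or r.port != RDP_PORT:
            findings.append((i, "VPN user allowed more than TCP 3389"))
    return findings

# Constructed sample rule set (addresses and names are made up).
SAMPLE = [
    Rule("vpn:fw-alice", "10.0.0.20", "tcp", 3389),  # matches the layout
    Rule("vpn:bob", "10.0.0.0/24", "any", "any"),    # whole LAN, any port
    Rule("wan", "10.0.0.20", "tcp", 3389),           # port opened, no VPN
]

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE, domain_accounts=["alice", "bob"]):
        print(f"rule {idx}: {msg}")
```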