#8
01-05-2006, 07:15 AM
kiln

Re: TS over the internet - directly attach, or require a VPN?

Thanks for that response. What if the TS box is a dedicated unit at a
web host? I.e., it's not really on a LAN, but is behind the web host's
firewall. I suppose that the unit could be considered to be on the web
host's LAN, but it's not a regular corporate office LAN.

I think essentially you're saying that unless I am willing to have some
idiot rooting around on the TS box at will, and any LAN it's connected
to, the formula should include TS properly configured, a firewall, and
VPN access. Is that right?

I'm not a network person so I don't have a lot of exposure. What's
interesting about this is that at the end of the day, a TS setup as
you've outlined would seem to be more secure than most websites that
deal with important matters (E*Trade, online banking etc.), even if they
use HTTPS etc. No public websites use VPN/IP addresses. So it makes me
wonder, in my case, since there is no corporate LAN at risk, is the VPN
needed? The server would contain data that is less sensitive than an
online bank.

In article <ezoqf.212576$tD4.7304@tornado.ohiordc.rr.com>,
void@nowhere.lan says...
> In article <MPG.1e1395672ccf39b3989999@msnews.microsoft.com>,
> kiln@brick-like.com says...
> > As I said I'm a newbie to the topic at hand, so I'm not even sure that
> > what you said doesn't match the OP's question. I've read many posts by
> > you (Jeff) where the primary message seems to be "don't ever expose your
> > TS/LAN directly on the internet". I often can't tell exactly what you
> > mean by that; and this response of yours makes it even more confusing.
> > What exactly do you consider a safe TS config for use on the internet?
>
> Any user outside of the OFFICE should FIRST connect via VPN and then
> access the company resources - simple answer.
>
> What this means is that no matter where you are, you need to VPN into
> the office and then through the VPN tunnel you would open a Remote
> Desktop session to the Terminal Server (still inside the company
> network). This means that the ONLY exposure is through the VPN ports to
> the VPN device in the office.
>
> I personally never terminate the VPN's at the Server, I terminate them
> at the Firewall Appliance and then have RULES that limit VPN users to
> specific ports/IP in the company.

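The layout Jeff describes in the quoted reply (VPN terminated on the firewall appliance, then rules that limit VPN users to specific ports and hosts) written out as a firewall ruleset. This is an added illustration, not a configuration from the thread or from either poster, and it uses nftables syntax on a Linux appliance purely as one concrete way to express the policy. All addresses, interface names (wan0, lan0, tun0) and the choice of a tunnel-interface VPN on UDP 1194 are assumptions, not values from the post.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset; assumed values only (documentation address ranges):
#   203.0.113.10   public address of the firewall appliance
#   192.0.2.0/24   the LAN behind the appliance (or the web host's segment)
#   192.0.2.50     the Terminal Server
#   10.8.0.0/24    address pool handed out to VPN clients
#   wan0 / lan0    Internet-facing and internal interfaces
#   tun0           tunnel interface of the VPN terminated on this appliance

define fw_public = 203.0.113.10
define lan_net   = 192.0.2.0/24
define ts_host   = 192.0.2.50
define vpn_pool  = 10.8.0.0/24

flush ruleset

table inet edge {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # The only service the Internet can reach on the appliance is the
        # VPN endpoint itself; everything else from wan0 falls to the drop policy.
        iif wan0 ip daddr $fw_public udp dport 1194 accept

        # Appliance management is reachable from the LAN only.
        iif lan0 ip saddr $lan_net tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # RDP arriving directly from the Internet is logged and dropped, so
        # the firewall log shows any attempt to reach the TS without the VPN.
        iif wan0 tcp dport 3389 log prefix "rdp-direct-blocked " drop

        # VPN users may open RDP to the Terminal Server and nothing else;
        # the rest of the LAN is not reachable through the tunnel.
        iif tun0 ip saddr $vpn_pool ip daddr $ts_host tcp dport 3389 ct state new accept

        # LAN hosts (including the TS) may initiate outbound connections.
        iif lan0 oif wan0 ip saddr $lan_net accept
    }
}
```

The point of the ruleset for the question in this post is the size of the exposed surface: with the VPN in front, the only port listening to the Internet is the VPN port on the appliance, and even an authenticated VPN user is confined to TCP 3389 on one host. Without the VPN, the TS logon prompt itself is the service exposed to every address on the Internet, which is what the earlier replies mean by "rooting around on the TS box at will".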