In article <OZGSPqdEGHA.2912@tk2msftngp13.phx.gbl>,
w2k@onthemove.freeuk.com says...
> A good topic for discussion!
>
> We used to use VPN (before we implemented Terminal Server) and now we don't.
> Instead we open a (non-standard) port on the firewall and use
> port-forwarding to point incoming traffic from specific, permitted client
> computers and users (both must be correctly identified) to port 3389 on the
> TS.
>
> The reason that we ended up dropping VPN was that we had no control over the
> remote computers. When they become compromised and VPN to the network then
> we had endless problems with the compromised machines being part of the LAN.

If you didn't have control then you didn't have your firewall setup
properly.

We use VPN to the Firewall Appliance, not the server, and then a
firewall rule that permits ONLY 3389 to the Terminal Server or 3389 to
their work computer, nothing else.

This means that users with compromised machines don't expose their home
computers to any more than your solution, BUT they have a double
authentication method, first the firewall, then the RD connection to the
server/workstation and neither have the same user/password.

I would never expose RD/TS directly to the Internet.

--

spam999free@rrohio.com
remove 999 in order to email me