2K8 Terminal Services, force client authentication

phoeneous (Member, Posts: 2,333)
We have a standalone terminal server that domain users outside of the network use to access company resources. Is it possible for the server to authenticate the client by using certificates? Basically I don't want just anyone attempting to RDP into the TS box; they would have to have the certificate installed on their client machine before connecting so that the server can authenticate them. Thoughts?

Comments

  • newt.chapman (Member, Posts: 34)
  • crrussell3 (Member, Posts: 561)
    There really is no way you can prevent someone from attempting to access Remote Desktop unless you require VPN to access it.
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration
  • phoeneous (Member, Posts: 2,333)
    Configuring Terminal Servers for Server Authentication to Prevent

    NLA with TLS/SSL or NLA with NTLM

    Would that work?

    We already employ that method. Like crrussell3, we are trying to prevent just anyone from attempting to RDP into the box. I wonder if Citrix offers this solution.
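The "NLA with TLS/SSL" configuration mentioned in this post can be verified on the server itself. The following script is an added example, not code from the thread or from any of its participants: it reads the RDP-Tcp listener settings through the Win32_TSGeneralSetting WMI class on a Windows Server 2008 / 2008 R2 host, reports whether Network Level Authentication and the TLS security layer are required, flags the auto-generated self-signed listener certificate (which clients cannot validate), and, with -Enforce, applies the hardened values. Note what these settings do and do not give you: NLA authenticates the user (via CredSSP) before a session is created and TLS authenticates the server to the client; neither one requires a certificate on the client, which is what the original question asks for. The script assumes PowerShell 2.0 and local administrator rights; the "Remote Desktop" certificate store name is the one 2008 R2 uses for the auto-generated certificate.

```powershell
# Added example, not from the thread: audit (and optionally enforce) the RDP-Tcp
# listener settings on a Windows Server 2008 / 2008 R2 Terminal Server so that
# Network Level Authentication (CredSSP) and the TLS security layer are required.
# Runs under PowerShell 2.0 from an elevated prompt.

param([switch]$Enforce)   # -Enforce applies the hardened values instead of only reporting

# The TerminalServices WMI namespace requires packet-privacy authentication.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
    -Authentication PacketPrivacy

$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }
$levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

# Is the listener certificate the auto-generated self-signed one? If so, TLS still
# encrypts the session but the client has no way to tell the real server from an impostor.
$thumb = $listener.SSLCertificateSHA1Hash
$cert  = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' `
            -ErrorAction SilentlyContinue |
         Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
$selfSigned = ($cert -ne $null) -and ($cert.Subject -eq $cert.Issuer)

# Report the current state of the listener.
New-Object PSObject -Property @{
    SecurityLayer      = $layerNames[[int]$listener.SecurityLayer]
    NLARequired        = ($listener.UserAuthenticationRequired -eq 1)
    MinEncryptionLevel = $levelNames[[int]$listener.MinEncryptionLevel]
    CertThumbprint     = $thumb
    CertSelfSigned     = $selfSigned
} | Format-List

if ($Enforce) {
    if ($listener.UserAuthenticationRequired -ne 1) {
        $listener.SetUserAuthenticationRequired(1) | Out-Null   # require NLA (CredSSP)
    }
    if ($listener.SecurityLayer -ne 2) {
        $listener.SetSecurityLayer(2) | Out-Null                # require TLS, no fallback to RDP security
    }
    if ($listener.MinEncryptionLevel -lt 3) {
        $listener.SetEncryptionLevel(3) | Out-Null              # 'High' (128-bit) encryption
    }
    # The new values apply to new connections only; existing sessions are unaffected.
}
```

Run it once without -Enforce to see the current state. A result of SecurityLayer = "Negotiate" means a client that does not support TLS can still fall back to the legacy RDP security layer, and CertSelfSigned = True means the server-authentication half of the setup is not actually verifiable by clients until a CA-issued certificate is bound to the listener.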
  • Bloogen (Member, Posts: 180)
    What about implementing NPS/NAP with an RDS Gateway?

    You should be able to force authentication and other connection or health rules before the connection to the RDS Session Hosts.
  • newt.chapman (Member, Posts: 34)
    Do the computers you want to give access to have static IPs? If so, then couldn't you make a whitelist of IPs allowed to use RDP?

    remote desktop - How can I allow RDP access to a Windows 2008R2 server from one IP? - Server Fault

    That should work perfectly if I understand the question right.
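For the static-IP case this post describes, the allow-list lives in Windows Firewall with Advanced Security on the server. The script below is an added example, not code from the thread or from the Server Fault answer linked above: it scopes inbound TCP 3389 on a Windows Server 2008 R2 host to a fixed set of source addresses. The New-NetFirewallRule cmdlets do not exist on 2008 R2, so it drives netsh advfirewall instead; "Remote Desktop (TCP-In)" is the display name of the built-in rule on that release. The addresses are constructed placeholders from the RFC 5737 documentation ranges and must be replaced with the real client addresses. As the next reply in the thread points out, this only helps when the clients have fixed addresses.

```powershell
# Added example, not from the thread: restrict inbound RDP (TCP 3389) on a
# Windows Server 2008 R2 host to an allow-list of client source addresses.
# Run from an elevated PowerShell prompt.

$allowedSources = @('203.0.113.10', '198.51.100.0/24')   # constructed placeholders, replace
$remoteIp       = $allowedSources -join ','
$ruleName       = 'Remote Desktop allow-list (TCP-In)'   # name of the rule this script adds

# 1. Re-scope the built-in rule so it no longer accepts connections from 'Any'.
#    Both profile variants of the built-in rule share this display name and are updated together.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new "remoteip=$remoteIp"

# 2. Add an explicit scoped allow rule as well, in case the built-in one has been
#    disabled or renamed. netsh reports 'No rules match the specified criteria.'
#    when the lookup finds nothing.
$lookup = netsh advfirewall firewall show rule "name=$ruleName"
if ($lookup -match 'No rules match') {
    netsh advfirewall firewall add rule "name=$ruleName" dir=in action=allow `
        protocol=TCP localport=3389 "remoteip=$remoteIp" profile=any
}

# 3. Verify the resulting scope: the RemoteIP line must list only the allow-list, never 'Any'.
netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
netsh advfirewall firewall show rule "name=$ruleName"
```

Keep in mind that any other inbound rule allowing TCP 3389 from any address (for example one added by a third-party tool) would bypass this scoping, so the verification step is worth extending to `netsh advfirewall firewall show rule name=all dir=in` if the server has a long rule set.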
  • phoeneous (Member, Posts: 2,333)
    Do the computers you want to give access to have static IPs? If so, then couldn't you make a whitelist of IPs allowed to use RDP?

    remote desktop - How can I allow RDP access to a Windows 2008R2 server from one IP? - Server Fault

    That should work perfectly if I understand the question right.

    No. These are personal desktops/laptops/tablets/smartphones at the end users' homes. Pseudo-BYOD.
  • Zartanasaurus (Member, Posts: 2,008)
    I've never done this personally, but you can publish RDP via Forefront UAG 2010. I don't know what the experience will be and what the caveats are, but it's technically possible. I implemented UAG at my current employer, so if you have any troubles getting it setup as a test, I may be able to help.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMware vSphere 5 42.8%