2K8 Terminal Services, force client authentication
We have a standalone terminal server that domain users outside of the network use to access company resources. Is it possible for the server to authenticate the client by using certificates? Basically I don't want just anyone attempting to RDP into the TS box; they would have to have the certificate installed on their client machine before connecting so that the server can authenticate them. Thoughts?
Comments

newt.chapman (Member, Posts: 34) wrote:
Configuring Terminal Servers for Server Authentication to Prevent
NLA with TLS/SSL or NLA with NTLM
Would that work?

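As an added example (not code from this thread or from any poster), the following PowerShell script audits the RDP-Tcp listener for the NLA-with-TLS setting suggested above and can enforce it. It uses the Win32_TSGeneralSetting WMI class that ships with Windows Server 2008 R2 and later; the -Enforce switch is this script's own parameter, not a Windows option. One caveat worth keeping in mind for the original question: NLA authenticates the user (Kerberos or NTLM via CredSSP) before a session is created, which shrinks the unauthenticated attack surface, but it does not authenticate a certificate on the client machine.

```powershell
# Added example: audit and optionally enforce TLS + NLA on the RDP-Tcp listener.
# Run in an elevated PowerShell session on the session host itself.
param([switch]$Enforce)   # -Enforce is this script's own parameter (assumption, not a Windows setting)

$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                          -Class Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
if (-not $listener) { throw 'RDP-Tcp listener not found; is Remote Desktop enabled?' }

# SecurityLayer:              0 = legacy RDP security, 1 = Negotiate, 2 = TLS (SSL) required
# UserAuthenticationRequired: 1 = Network Level Authentication required before a session is created
$state = New-Object PSObject -Property @{
    SecurityLayer              = $listener.SecurityLayer
    UserAuthenticationRequired = $listener.UserAuthenticationRequired
    CertificateThumbprint      = $listener.SSLCertificateSHA1Hash   # server certificate presented to clients
}
$state | Format-List

$compliant = ($listener.SecurityLayer -eq 2) -and ($listener.UserAuthenticationRequired -eq 1)
if ($compliant) {
    Write-Output 'OK: listener requires TLS and NLA.'
}
else {
    Write-Warning 'RDP-Tcp listener does not require TLS + NLA.'
    if ($Enforce) {
        # Each Set* method reports success through ReturnValue = 0.
        $r1 = $listener.SetSecurityLayer(2)
        $r2 = $listener.SetUserAuthenticationRequired(1)
        if ($r1.ReturnValue -ne 0 -or $r2.ReturnValue -ne 0) {
            throw "Failed to update listener (SecurityLayer=$($r1.ReturnValue), NLA=$($r2.ReturnValue))."
        }
        Write-Output 'TLS and NLA are now required for new connections.'
    }
}
```

Run it without -Enforce first to see the current values; existing sessions are not affected by the change, only new connections. Clients older than RDP 6.0 cannot satisfy NLA, so confirm the client base before enforcing.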
crrussell3 (Member, Posts: 561) wrote:
There really is no way you can prevent someone from attempting to access Remote Desktop unless you require VPN to access it.

MCTS: Windows Vista, Configuration
MCTS: Windows WS08 Active Directory, Configuration

phoeneous (Member, Posts: 2,333) wrote:
newt.chapman wrote: »
Configuring Terminal Servers for Server Authentication to Prevent
NLA with TLS/SSL or NLA with NTLM
Would that work?

We already employ that method. Like crrussell3, we are trying to prevent just anyone from attempting to RDP into the box. I wonder if Citrix offers this solution.

Bloogen (Member, Posts: 180) wrote:
What about implementing NPS/NAP with an RDS Gateway?
You should be able to force authentication and other connection or health rules before the connection to the RDS Session Hosts.

newt.chapman (Member, Posts: 34) wrote:
Do the computers you want to give access to have static IPs? If so then couldn't you make a whitelist of IPs allowed to use RDP.
remote desktop - How can I allow RDP access to a Windows 2008R2 server from one IP? - Server Fault
That should work perfectly if I understand the question right.

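As an added example (not code from this thread, from the linked Server Fault answer, or from any poster), here is the IP whitelist idea above implemented with the Windows Firewall on Windows Server 2008 R2, driven from PowerShell through netsh advfirewall. The addresses are constructed placeholders from the RFC 5737 documentation ranges; the rule name is this example's own. It only helps where the client source addresses are fixed, which, as the reply below notes, is not the case for home devices on dynamic addresses.

```powershell
# Added example: limit inbound RDP (TCP 3389) to a whitelist of source addresses.
# Run in an elevated PowerShell session on the terminal server.
$allowedRemotes = @('203.0.113.10', '198.51.100.0/24')   # constructed placeholders; put your real sources here
$ruleName       = 'RDP-AllowedSourcesOnly'               # name chosen for this example

# Include the address you are administering from, or step 1 will cut off your own session.
$remoteList = $allowedRemotes -join ','

# 1. Disable the built-in "Remote Desktop" rule group, which allows 3389 from any source.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# 2. Remove any earlier copy of our rule so reruns do not stack duplicates, then add the scoped rule.
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=TCP localport=3389 remoteip=$remoteList profile=any

# 3. Show the resulting rule so the scope can be verified before disconnecting.
netsh advfirewall firewall show rule name="$ruleName"
```

Verify from a host that is not on the list that the connection is refused, and from one that is that it still succeeds. The delete in step 2 prints an error on the first run because the rule does not exist yet; that is expected and is why its output is discarded.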
phoeneous (Member, Posts: 2,333) wrote:
newt.chapman wrote: »
Do the computers you want to give access to have static IPs? If so then couldn't you make a whitelist of IPs allowed to use RDP.
remote desktop - How can I allow RDP access to a Windows 2008R2 server from one IP? - Server Fault
That should work perfectly if I understand the question right.

No. These are personal desktops/laptops/tablets/smartphones at the end users' homes. Pseudo-BYOD.

Zartanasaurus (Member, Posts: 2,008) wrote:
I've never done this personally, but you can publish RDP via Forefront UAG 2010. I don't know what the experience will be and what the caveats are, but it's technically possible. I implemented UAG at my current employer, so if you have any troubles getting it set up as a test, I may be able to help.

Currently reading:
IPSec VPN Design 44%
Mastering VMware vSphere 5 42.8%