Secure and easy terminal server connection

[Andrea Caldarone]

Hi all,

we have developed a software that runs on a Windows 2003 Server. Our
customer use the software remotely by connecting via RDP to the server.

1) Our customers have often to re-configure their firewall because outgoing
comunication to TCP port 3389 are not allowed

2) Currently we authenticate users only with user/password and filtering
their IP addresses with our cisco firewall, so every time we have to
reconfigure its access-list: if a customer chages its connection we have to
reconfigure, or if we want to make a demo somewhere we have to
reconfigure...

We wanto to improve this situation.
Is it possible to authenticate with a certificare stored on a USB devide? We
don't wanto to use smart card because we don't wont to force our customer to
buy a smart card reader. What do you think about SSL tunnelig (granted with
our firewall) to avoid customer's firewall reconfiguration?
Every ideas are well accepted!

 

[Sergey Kuzin[MSFT]]

Neither one is possible with Windows 2003 Server.
You can change the port number the server listens on and install a
certificate, but the protocol on the wire will not be entirely SSL (the
first packet is X.224 connect request).
A pure SSL connection is possible with Vista and above, though. You just
need to add "negotiate security layer:i:0" to the default.rdp file on the
client.

Thx,
Sergey.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Andrea Caldarone" <software-livquist@3techsrl.com> wrote in message
news:u83W5AF0HHA.5980@TK2MSFTNGP04.phx.gbl...
> Hi all,
>
> we have developed a software that runs on a Windows 2003 Server. Our
> customer use the software remotely by connecting via RDP to the server.
>
> 1) Our customers have often to re-configure their firewall because
> outgoing comunication to TCP port 3389 are not allowed
>
> 2) Currently we authenticate users only with user/password and filtering
> their IP addresses with our cisco firewall, so every time we have to
> reconfigure its access-list: if a customer chages its connection we have
> to reconfigure, or if we want to make a demo somewhere we have to
> reconfigure...
>
> We wanto to improve this situation.
> Is it possible to authenticate with a certificare stored on a USB devide?
> We don't wanto to use smart card because we don't wont to force our
> customer to buy a smart card reader. What do you think about SSL tunnelig
> (granted with our firewall) to avoid customer's firewall reconfiguration?
> Every ideas are well accepted!
>

 

[Helge Klein]

Andrea,

there are various third-party solutions that provide the SSL tunneling
functionality. Probably the most widely used is Citrix Secure Gateway
which comes with Citrix Presentation Server. It would, however,
require some version of Presentation Server (an add-on to Terminal
Services) on your server.

Helge
---------------------------
Please visit my blog at:

http://it-from-inside.blogspot.com
---------------------------

On 27 Jul., 15:14, "Andrea Caldarone" <software-livqu...@3techsrl.com>
wrote:
> Hi all,
>
> we have developed a software that runs on a Windows 2003 Server. Our
> customer use the software remotely by connecting via RDP to the server.
>
> 1) Our customers have often to re-configure their firewall because outgoing
> comunication to TCP port 3389 are not allowed
>
> 2) Currently we authenticate users only with user/password and filtering
> their IP addresses with our cisco firewall, so every time we have to
> reconfigure its access-list: if a customer chages its connection we have to
> reconfigure, or if we want to make a demo somewhere we have to
> reconfigure...
>
> We wanto to improve this situation.
> Is it possible to authenticate with a certificare stored on a USB devide? We
> don't wanto to use smart card because we don't wont to force our customer to
> buy a smart card reader. What do you think about SSL tunnelig (granted with
> our firewall) to avoid customer's firewall reconfiguration?
> Every ideas are well accepted!