Enhance TS Gateway Security with ISA Server 2006
Following on the success of Outlook Anywhere in Exchange Server 2007, Windows Server 2008 in turn delivers the capability to access your desktop from anywhere in a secure and controlled manner.
The new Terminal Services Gateway (TS Gateway) service in Windows Server 2008 offers the flexibility of Windows Terminal Services plus the ability to connect to a terminal server from anywhere over an HTTPS connection. The service tunnels Remote Desktop Protocol (RDP) inside HTTPS (SSL), so the firewall sees only TLS on TCP port 443, while the Remote Desktop Connection client remains the single interface for reaching Terminal Services resources.
This new TS Gateway service offers significant benefits to those who need to access their computers remotely:
- No need to establish a Virtual Private Network (VPN) session prior to connecting to internal resources using RDP.
- Enhanced security using Network Access Protection (NAP) and Windows Security Health Checks to control RDP connections.
- No need to open TCP port 3389 inbound through the firewall; only the HTTPS listener (TCP port 443) is published, which is a far safer Web publishing scenario.
You can use Microsoft Internet Security and Acceleration (ISA) Server 2006 to enhance the security of the TS Gateway service while allowing external access to internal resources. You can set up an SSL-to-SSL bridging scenario in which ISA Server 2006 receives requests on its Web listener and passes them to the internal TS Gateway server, also over HTTPS. While bridging the request, the ISA firewall decrypts the SSL communications and performs application-layer inspection on the HTTP stream. For this to work, the ISA Web listener needs a certificate for the public name that clients connect to, and the TS Gateway server's own certificate must chain to a CA the ISA firewall trusts and match the name ISA uses to reach it.
If the HTTP protocol stream passes inspection (the request matches the publishing rule's allowed methods, paths and public name, and is well formed), the communication is re-encrypted and forwarded to the TS Gateway server. If the protocol stream fails inspection, the connection is dropped, so malformed or off-policy HTTP never reaches the gateway.
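As an added illustration (not code from the original article, and not ISA Server's own filter), the following Python sketches the allow/drop decision that the inspection step makes on the decrypted HTTP request head, between TLS termination on the public side and re-encryption toward the gateway. It assumes that TS Gateway carries RDP inside RPC over HTTP, so the only legitimate requests are RPC_IN_DATA and RPC_OUT_DATA to /rpc/rpcproxy.dll on the published host name; the `TsGatewayPolicy` values, the `inspect_request` function and the sample requests are all constructed for this example.

```python
"""Allow/drop decision of an HTTP-inspecting reverse proxy for TS Gateway.

Added example, not ISA Server code. TLS termination and re-encryption are
left out; this is the inspection step in between, applied to the decrypted
HTTP request head. Assumption: TS Gateway tunnels RDP inside RPC over HTTP,
so the only legitimate requests are RPC_IN_DATA / RPC_OUT_DATA to
/rpc/rpcproxy.dll on the published host name.
"""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class TsGatewayPolicy:
    public_name: str                      # name on the ISA Web listener certificate
    allowed_methods: frozenset = frozenset({"RPC_IN_DATA", "RPC_OUT_DATA"})
    allowed_paths: frozenset = frozenset({"/rpc/rpcproxy.dll"})
    max_head_bytes: int = 8192            # request line + headers


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def inspect_request(raw: bytes, policy: TsGatewayPolicy) -> Verdict:
    """Return Verdict(True, ...) to forward the request, Verdict(False, ...) to drop it."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(False, "incomplete request head")
    if len(head) > policy.max_head_bytes:
        return Verdict(False, "request head too large")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return Verdict(False, "non-ASCII bytes in request head")

    # Request line: METHOD TARGET VERSION, nothing else.
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return Verdict(False, f"malformed request line: {lines[0]!r}")
    method, target, _version = parts
    if method not in policy.allowed_methods:
        return Verdict(False, f"method {method} not allowed by rule")

    # Normalise the path before matching: drop the query (rpcproxy.dll takes
    # the target server there), percent-decode, fold case, then refuse
    # traversal so "/rpc/%2e%2e/owa" cannot sneak past a prefix match.
    path = unquote(target.split("?", 1)[0]).lower()
    if "\\" in path or ".." in path.split("/"):
        return Verdict(False, f"path traversal attempt: {target!r}")
    if path not in policy.allowed_paths:
        return Verdict(False, f"path {path} not allowed by rule")

    # Headers: well formed, no control characters, no duplicated Host/Content-Length.
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip() or any(ord(c) < 32 and c != "\t" for c in line):
            return Verdict(False, f"malformed header line: {line!r}")
        key = name.strip().lower()
        if key in headers and key in ("host", "content-length"):
            return Verdict(False, f"duplicate {key} header")
        headers[key] = value.strip()

    # The Host header must be the published name; anything else was never
    # meant for this listener (or is a virtual-host probe).
    host = headers.get("host", "").rsplit(":", 1)[0].lower()
    if host != policy.public_name.lower():
        return Verdict(False, f"host header {host!r} does not match {policy.public_name}")

    return Verdict(True, f"{method} to TS Gateway on {host}")


# Constructed sample requests (not captured traffic).
POLICY = TsGatewayPolicy(public_name="tsg.contoso.com")
SAMPLES = {
    "rpc_in":    b"RPC_IN_DATA /rpc/rpcproxy.dll?ts1.corp.contoso.com:3388 HTTP/1.1\r\n"
                 b"Host: tsg.contoso.com\r\nContent-Length: 1073741824\r\n\r\n",
    "browse":    b"GET / HTTP/1.1\r\nHost: tsg.contoso.com\r\n\r\n",
    "traversal": b"RPC_IN_DATA /rpc/%2e%2e/owa/ HTTP/1.1\r\nHost: tsg.contoso.com\r\n\r\n",
    "bad_host":  b"RPC_OUT_DATA /rpc/rpcproxy.dll HTTP/1.1\r\nHost: evil.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        v = inspect_request(raw, POLICY)
        print(f"{label:10s} {'FORWARD' if v.allowed else 'DROP':8s} {v.reason}")
```

The point of the ordering is that the decision is made on a normalised, fully parsed request rather than on raw bytes: the query string and case are stripped before the path match, percent-encoding is decoded before the traversal check, and the Host header is compared against the listener's public name, so a request for anything other than the RPC proxy endpoint is dropped before it is re-encrypted toward the gateway.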
Check out the details in the rest of this article that I wrote together with Yuri Diogenes for TechNet Magazine.
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer