Terminal Services: Alternatives

Stevehewitt (IS-IT--Management) | Jun 7, 2001 | 2,075 | GB
Hi Guys,

I have ruled out VPNs, and due to the size of the company remote desktoping isn't manageable either.

I've looked at Terminal Services, and whilst it's great, the problem is that end users will essentially need to be able to connect to their desktops, and our environment is very distributed. (Development house: source code is managed centrally but actual development is done locally.)

Does anyone know of a product where an external user can, say, go to a URL (remote.company.com), click a button and then authenticate? Once authenticated, the website creates an RDP session to the relevant workstation (with user/computer mappings in a database or config file).

Thanks,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
Not sure why you ruled out VPNs, because I think it's your best option. The issue I see with your idea is that you can only NAT or forward a port (in this case 3389) to one machine per public IP. So unless you have a huge block of public IPs, this just wouldn't be possible. I guess you could set up each PC to listen on a different port for RDP, but this sounds like a support nightmare. I would re-evaluate the VPN option if you want each user to RDP to their own desktop PC.

Hope this helps,

RoadKi11
 
Thanks for the advice.

The issue with VPN is that whilst I know who is authenticating, I don't know what is on the client. Some users would be working from home, e.g. not on a corporate desktop/laptop, and could be running anything.

I wouldn't allow someone off the street to plug any old machine they happen to have on them into my network switches, so I'm taking the same approach for VPNs.

Cheers,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
Well, I know with Cisco VPNs you can lock down the permitted traffic that passes through the VPN. In your case I would only allow traffic on port 3389; this would accomplish what you want with the security that you demand.

RoadKi11
 
Hmm,

We're not using Cisco boxes as the end-point but a Windows 2003 box.

Maybe I could look at using IP filters to only allow 3389.
Interesting idea!

Anyone got any experience with VPNs and IP filters on a Win2k3 box? (I believe NAP works using IP filters too.)

Cheers,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
But a VPN means that as soon as a machine authenticates, the business is responsible for everything on that machine, including licensing. If the connecting machine is a corporate laptop, it's not an issue. But if it's a personally owned desktop owned by someone with teenage P2P junkies...

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
 
Is that strictly true? In that once a machine is connected it's the business's responsibility?

I agree with the last part, which is why I don't like VPNs!

If there are any other suggestions, solutions or products then they are more than welcome! (I'm out of ideas!)

Cheers,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
I'd further investigate the idea of using Terminal Services. It will allow for greater administrative control. You can distribute applications any way you see fit, giving access to specified users by the use of groups.

Is there a reason why a user would need to RDP into THEIR workstation, rather than using Server Terminal Services? The use of redirects and shares would give them all the data they need to access.

Hope This Helps,

Good Luck!
 
Will TSweb not provide the ability to connect to an internet-facing server and then forward the RDP request to the relevant station? I haven't used it like this myself, but I was under the impression this was possible.

When you are the IT director, it's your job to make sure the IT works. If it does work they know already and if it doesn't, they don't want to hear your pathetic excuses.
 
I agree, and that was my ideal solution; however, we are a development house and the development model is very distributed.
E.g. some development is done using Microsoft Content Management Server, whilst some is done using ASP, some in VS 2003, others in VS 2005.
On top of the actual IDE, there are also special components such as ASPEncrypt, plug-ins and custom web services that are specific to a particular project. This means that we cannot use Terminal Services.

So whilst I would love to use Terminal Services, the business model simply doesn't fit!

Cheers,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
Hi porkchopexpress,

Not too sure I follow?

I thought TSWeb only allows connections to an externally facing server? I thought it was just an ActiveX implementation of the Remote Desktop client?

Cheers,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
Three suggestions:

1. NAC or NAP. NAP is a new feature in Longhorn, so if you want to go with that, you'll have to wait. NAC is a new feature on some Cisco and other major vendor networking equipment. Both are designed to quarantine clients until they are verified as being appropriately patched and running current antivirus software.

2. Create a subnet (you must be using a sufficiently capable router or managed switch) that acts like a DMZ. All VPN clients would connect to the VPN server located in that subnet. Then the router would be configured to ONLY allow RDP traffic (and maybe DNS) to pass through to the rest of the network.

3. Use NAT with RDP. For example, for one client I set up NAT so that <external-IP>:60<last IP octet> connects to the user's machine. For example, the router translates any request going to 40042 as being destined for 192.168.1.42 on port 3389. Now when a user connects, he must remember to connect to 40 + the last 3 digits of his IP address (or 400 + the last 2 if it only has 2 digits).

4. Change your company's work style. (Working locally on machines is a sure way to lose dozens or hundreds of hours of work when that system fails; or, if you back up the workstations, that's a great way to cause your backups to take lengthy times and/or use excessive space. In either case, it's inefficient at best.) Tell users that if they want remote access, they need to move their files to a server-based location, and then they can work off the terminal server.

5. Use "gotomypc" or a similar service. This is also likely to get VERY expensive if you have more than a couple of people doing this.

Frankly, 1 and 2 are probably your best solutions, but they could be costly to implement.

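An added example (not from any poster in this thread) of the two ideas above that can be expressed in code: the per-workstation NAT port scheme in point 3, and the "only let RDP through" restriction that point 2 and RoadKi11's Cisco suggestion both describe. It assumes the 40000 + last-octet formulation (40042 reaches 192.168.1.42:3389), an iptables-capable router (the thread never says which router is in use, so the rule syntax is an assumption), and a constructed user-to-workstation table. The collision check is the part a practitioner wants: the last-octet scheme is only unique inside one /24, so two workstations in different subnets sharing a last octet would silently share a port.

```python
import ipaddress
from typing import Dict, List

RDP_PORT = 3389
PORT_BASE = 40000  # assumption: "40" + zero-padded last octet, as in 40042 -> 192.168.1.42


def external_port(ip: str) -> int:
    """Derive the external port a user dials for their workstation's internal IP."""
    addr = ipaddress.IPv4Address(ip)
    last_octet = int(addr) & 0xFF
    return PORT_BASE + last_octet


def internal_target(port: int, network: str = "192.168.1.0/24") -> str:
    """Reverse lookup for the helpdesk: which workstation does an external port reach?"""
    net = ipaddress.IPv4Network(network)
    offset = port - PORT_BASE
    if not 0 <= offset <= 255:
        raise ValueError(f"port {port} is outside the mapped range {PORT_BASE}-{PORT_BASE + 255}")
    return str(net.network_address + offset)


def build_mapping(workstations: Dict[str, str]) -> Dict[int, str]:
    """Map every user's workstation IP to an external port, refusing ambiguous mappings.

    workstations: user -> internal IPv4 address (constructed sample data in main()).
    Returns external port -> internal IP.
    """
    mapping: Dict[int, str] = {}
    for user, ip in workstations.items():
        port = external_port(ip)
        if port in mapping and mapping[port] != ip:
            raise ValueError(
                f"port {port} for {user} ({ip}) already forwards to {mapping[port]}: "
                "the last-octet scheme is only unique within a single /24"
            )
        mapping[port] = ip
    return mapping


def dnat_rules(mapping: Dict[int, str], wan_if: str = "eth0") -> List[str]:
    """One DNAT rule per workstation (assumed iptables router; interface name is a placeholder)."""
    return [
        f"iptables -t nat -A PREROUTING -i {wan_if} -p tcp --dport {port} "
        f"-j DNAT --to-destination {ip}:{RDP_PORT}"
        for port, ip in sorted(mapping.items())
    ]


def vpn_filter_rules(vpn_net: str = "10.8.0.0/24", lan_net: str = "192.168.1.0/24") -> List[str]:
    """Point 2 / RoadKi11's idea: VPN clients may reach the LAN on RDP (and DNS) only.

    Subnets are assumptions; the thread does not give any addressing.
    """
    return [
        f"iptables -A FORWARD -s {vpn_net} -d {lan_net} -p tcp --dport {RDP_PORT} -j ACCEPT",
        f"iptables -A FORWARD -s {vpn_net} -d {lan_net} -p udp --dport 53 -j ACCEPT",
        f"iptables -A FORWARD -s {vpn_net} -d {lan_net} -j LOG --log-prefix 'vpn-denied: '",
        f"iptables -A FORWARD -s {vpn_net} -d {lan_net} -j DROP",
    ]


if __name__ == "__main__":
    # Constructed sample table: all workstations in one /24, so no collisions.
    users = {"alice": "192.168.1.42", "bob": "192.168.1.142", "carol": "192.168.1.7"}
    mapping = build_mapping(users)
    for user, ip in users.items():
        print(f"{user:6} {ip:15} -> external port {external_port(ip)}")
    print("\n".join(dnat_rules(mapping)))
    print("\n".join(vpn_filter_rules()))
```

Every forwarded port is one more RDP listener reachable from the Internet, so the router's log for those ports is the place to watch for brute-force attempts; the VPN variant keeps the listeners behind authentication and the `LOG` rule before the final `DROP` records anything a client tries beyond RDP and DNS.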
 
I just thought it sounded like what you asked for. We use TSweb on an IIS server within our network; we connect to the webpage at that URL and it asks you what box you want to RDP to, then you authenticate. It still uses RDP though.

Does anyone know of a product where an external user can, say, go to a URL (remote.company.com), click a button and then authenticate? Once authenticated, the website creates an RDP session to the relevant workstation.

When you are the IT director, it's your job to make sure the IT works. If it does work they know already and if it doesn't, they don't want to hear your pathetic excuses.
 
Not sure if this will help at all, but our company just purchased a Netgear SSL312 SSL/VPN for about $250. It allows 25 remote users CLIENTLESS remote access to internal machines. The Netgear device has almost any client software on it you could need, including RDP, VNC, ICA, and others.

It's awesome if you ask me. They access the device via remote.domain.com using Internet Explorer, put in their Active Directory username/password, authenticate, and are given RDP shortcuts to the machines they need to connect to.
 
Jetro Platforms

sits over TS and can provide access from almost any device to almost anything inside the network.

The website isn't up to much, but their tech people are.
 