Terminal Services Encyption??

[c1utch]

I've been told that if I implement a Terminal Server, that I should have it behind a firewall and have my remote offices access it via a VPN connection. I know that's probably the most secure option, however, using the VPN seems to be restricting me slightly (won't go into details to keep it short). I noticed that within the RDP-Tcp connection properties (within TS Configuration on the TS) that there is an encryption setting on the General tab. Could I give my Term. Server an external IP address at the firewall level and use NAT to redirect traffic to it and just eliminate the VPN all together?? In other words, could I use this encryption in place of the VPN?

Chris

 

[knuts]

what kind of firewall do you have? Can you publish your terminal server through you firewall? I don't think the incription will work through nat. I could be wrong.

 

[c1utch]

We are using a Sonicwall SOHO3. We are currently using NAT for our VPN and Echange servers, so I don't see why it wouldn't work. Just not sure about how secure the TS encryption is.

Chris

 

[MattWray]

According to this article, the encryption is not very strong.

https://testzone.secunia.com/advisories/7118/

They suggest using TS over VPN as well....

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

http://www.sss-steel.com

 

[packdragon]

We use terminal services through a VPN to access our servers from home. So far I have encountered no restrictions. What are you experiencing? Maybe some of the knowledgable folks here can help you with your VPN if you post the specifics of your restrictions.

- Zoe, that's ZOH-EEE, get it right please
- Just a little ol' MCP at Solien Technology
-

http://www.solien.com

 

[c1utch]

Thanks Packdragon for the offer. The restrictions had to do with printing to printers that are not directly connected to the client PC's, rather using IP addresses. The client side vpn is using a PPTP protocol. The vpn at these off sites are initiated by an SMC broadband router. I noticed that the vpn tunnel had restricted a lot of our user's bandwidth (dsl or cable connections) when trying to connect to our domain. Term. Services would be a great solution over this current method, however one of the fallbacks is our corp. office (where the DC is located) can't see any of the devices on any of our remote sites...the vpn is only one way. Our remote sites can ping the DC, Exchange server and any workstations on the corp. office LAN. Any devices on the Corp. office's LAN cannot ping the remote office devices...only the single VPN IP at the SMC broadband router. Its a limitation caused by the SMC router. Works great as a vpn appliance and firewall. So, to make a long story short...I was trying to get these IP printers at these off site locations to be redirected in TS. Local printers worked fine, but the IP ones did not. Even if I tried to set them up manually, I could not get them to redirect the print jobs. Upon posting this original question and now is when I found the solution.
On the client side, you install the printer locally. Within the add printer wizard you select local printer, then select Create a new port and select TCP/IP port. Enter the IP address of the printer, then enter the port name as LPT2...or LPT3. Continue with the printer wizard and select the propper drivers. When you log on to TS, the printer is created like it should be, however the printer port on the server side is not LPT2 like you named it on the client end. Rather its a PRN port from the client computer. The weird thing is I've been searching for this answer for almost a week and couldn't find it very easy. This solution was a combination of sever posts I found on this and other sites...includeing Micro$oft's. In fact, Microsoft readily admits you can't print to IP printer within TS. They tell you that you "might" be able to do what I do, but its not supported. Typical answer from Billy Bob. Thanks again packdragon.

Chris