- Vmware view versus MS terminal server
Surely you only allow port 3389 connectivity to IPs on the VPN LAN to the TS server?
That way you know that, so long as you’re using SSL VPN to get to it, you’re sorted; it's pretty much what most people do.
However, if you want to tighten up the authentication to the RDS server you have three choices:
“You can enhance the security of RD Session Host sessions by using Secure Sockets Layer (SSL) Transport Layer Security (TLS 1.0) for server authentication and to encrypt RD Session Host communications. The RD Session Host server and the client computer must be correctly configured for TLS to provide enhanced security.
The three available security layers are:
– SSL (TLS 1.0): SSL (TLS 1.0) will be used for server authentication and for encrypting all data transferred between the server and the client.
– Negotiate: The most secure layer that is supported by the client will be used. If supported, SSL (TLS 1.0) will be used. If the client does not support SSL (TLS 1.0), the RDP Security Layer will be used. This is the default setting.
– RDP Security Layer: Communication between the server and the client will use native RDP encryption. If you select RDP Security Layer, you cannot use Network Level Authentication.”
Personally, I’d be happy with two-factor SSL VPN access only for users who need to get to the RDS servers.
PS: might be worth telling us what infrastructure you’re using (i.e. W2k8, etc).
Posted 5 years ago
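The "only allow 3389 from the VPN LAN" advice above, as an added example that is not code from this thread: it disables the stock, any-source Remote Desktop firewall rules on the RD Session Host and replaces them with one rule scoped to the VPN client pool, then lists every enabled inbound rule that still opens 3389 together with its remote scope. Assumptions: the VPN hands out addresses from 10.50.0.0/24 (a made-up range), the host has the NetSecurity module (Server 2012 or later), and the firewall's default inbound action is Block, which is the Windows default.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the RD Session Host.
$VpnSubnet = '10.50.0.0/24'   # assumption: the address pool handed out by the SSL VPN

# Disable the built-in "Remote Desktop" rules, which allow 3389 from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Allow TCP/3389 inbound only from the VPN pool (profile choice is an assumption).
New-NetFirewallRule -DisplayName 'RDP from VPN pool only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $VpnSubnet -Action Allow -Profile Domain,Private | Out-Null

# Verify: every enabled inbound rule that opens 3389, with the remote addresses it accepts.
# Anything here showing "Any" means the port is still reachable from outside the VPN.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ',') }
    } | Format-Table -AutoSize
```

The check at the end is the part worth keeping in a scheduled job: a later role installation or a well-meaning admin can re-enable the any-source rule, and the listing makes that visible. If clients also use UDP 3389 (RDP 8 and later), add a second scoped rule for UDP in the same way.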
If you’re using Win XP clients to connect to a W2k8 server, update to the latest Remote Desktop client software on the client and then you can force a requirement to use Network Level Authentication on the Remote Desktop properties on the server. W7 has it installed by default.
Two-factor is your first port of call; once someone's into your network, no amount of security helps. Start on the outside and move in.
Posted 5 years ago
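The security layer and NLA setting discussed in the two posts above are stored on the RDP-Tcp listener, and the RD Session Host Configuration tool writes the same values. As an added example (not code from the thread), this script reads the current posture, names the layer using the three terms from the quoted Microsoft text, and then sets SSL (TLS) as the layer with NLA required. The registry path and value names (SecurityLayer, UserAuthentication, MinEncryptionLevel) are the real listener settings; the choice of "High" encryption is an assumption for the example.

```powershell
# Added example, not from the thread. Run elevated on the RD Session Host.
$Listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# SecurityLayer DWORD values, matching the three layers quoted from Microsoft above.
$LayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

function Get-RdpSecurityPosture {
    $p = Get-ItemProperty -Path $Listener
    # A missing SecurityLayer value means the default, which is Negotiate (1).
    $layer = if ($null -ne $p.SecurityLayer) { [int]$p.SecurityLayer } else { 1 }
    [pscustomobject]@{
        SecurityLayer      = $LayerNames[$layer]
        NlaRequired        = ([int]$p.UserAuthentication -eq 1)
        MinEncryptionLevel = [int]$p.MinEncryptionLevel   # 1=Low 2=ClientCompatible 3=High 4=FIPS
    }
}

function Set-RdpSecurityPosture {
    # SSL layer plus NLA: the client authenticates (CredSSP) before a session is created,
    # so an unauthenticated connection never reaches the logon screen.
    Set-ItemProperty -Path $Listener -Name SecurityLayer      -Type DWord -Value 2
    Set-ItemProperty -Path $Listener -Name UserAuthentication -Type DWord -Value 1
    Set-ItemProperty -Path $Listener -Name MinEncryptionLevel -Type DWord -Value 3
}

'Before:'; Get-RdpSecurityPosture | Format-List
Set-RdpSecurityPosture
'After:';  Get-RdpSecurityPosture | Format-List
```

Two caveats a practitioner will hit. First, once UserAuthentication is 1, clients without an NLA-capable RDP client (the XP case in the post) are refused before logon, so update the clients first. Second, the same three value names under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services are the Group Policy equivalents and take precedence; if a domain GPO sets them, change the GPO rather than the listener.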
I’m not worried about network attacks as the periphery is quite secure. I am worried about allowing users on their own PCs to access (via a secure tunnel) a TS session and then malware/viruses etc bridging (if that's the correct term) between the infected host PC and the TS session and ultimately the host TS server.
Posted 5 years ago

FuzzyWuzzy (Member):
Depends on what policies you implement as well; if you’re allowing file copies up to the TS server then yeah, you need to be careful. What are you trying to present to the users? If it’s just an application then it’s easy to secure MS RDS/TS (or equally use Citrix XenApp etc.). If you need to give them a usable hosted desktop then that’s different and VMware View or XenDesktop would be worth looking at – it’s not cheap to implement though (assuming they want decent performance and resilience!). How many users are you talking about?
Posted 5 years ago
We need to present a number of applications so a hosted desktop would be preferable.
Posted 5 years ago
Probably talking around 25 concurrent users.
Performance and resilience would be a function of their own internet connectivity and the hosted infrastructure in our data centre, which is EqualLogic based so shouldn't be a bottleneck.
TBH, with 2K+ concurrent XenDesktop licenses and 30K students and staff using the system for 8 years, we’ve never had a single instance of malware travelling over an RDS connection. Yes, allowing file copies is an issue from client devices, but we don’t allow that and also disable redirection of client devices.
Posted 5 years ago
As soon as you present the user to anything internally via your tunnel, you need to manage the client for compromised issues.
Your remote servers are the least of your worries in that case.
I’m presuming you’re segregating the subnet for VPN users away from the internal LANs/subnets?
NAP is your friend in this instance; it is specifically built for this purpose, forcing a user to wait and be checked against policy before allowing access to resources.
Posted 5 years ago
“you need to manage the client for compromised issues.”
That's really my issue. We have hundreds of users who access our systems remotely via devices provided by the UK IT team, which are patched, secured and locked down etc. However this group insist that providing a hundred users with laptops would be an unnecessary expense (it may be the only option but I want to explore this first).
Posted 5 years ago
This means we have no real control over the integrity of the remote device. This means I have to assume it is infected etc.
I have no real concern over the integrity of the user at the keyboard.
In this case, I would seriously consider building your business case around two angles:
1. More tin to manage the infrastructure required to cover the unmanaged clients, via NAP, or a more specific IDS or TDS box/system which sits behind the VPN and in front of the internal network in order to manage ALL traffic going in and out (commonly known as defence in depth), OR
2. Buy laptops, and manage the rollout with GPO and WDS to make your life easier.
That said, it looks like they’re not being really very sympathetic to the real requirements here – it’s a hornets' nest.
I’m presuming you have no requirements for IL3 and upwards or encryption, because if you do, your life has just become hell.
The RDS authentication is the last thing you’re needing to worry about at the moment. If the user jumps through all the hoops to GET to the RDS server, you’ll be fairly confident it’ll be safe.
Posted 5 years ago
This is a very random and esoteric question, and there is a wealth of info on the interweb, but I am struggling to get an answer to my specific query, so here goes:
We have a number of users in one division of our business that need to access systems using their own devices (mainly PCs). We have secure desktop tunneling; however, accessing MS Terminal Server is insecure, and I am concerned that we have little control over the stability/security of users' home devices and malware/viruses etc can infect the TS client/server.
I think VMware View will resolve this; however, I'm interested if anyone has experience of this?
Posted 5 years ago

scuttler (Member):
As others have said it’s a question of what ‘channels’ you allow between the client and the infrastructure that use the RDS/View (PCoIP) protocols. These are typically the graphical display itself, keyboard+mouse, something for clipboard support, drive mapping (to allow files to be copied to/from the infrastructure), printing and potentially some USB control. It’s things like drive mapping and USB that present the biggest security risk so with these disabled (you need to be sure you can enforce it on the server and/or have the granularity to enable it only where necessary) you’re reducing the risk to your infrastructure.
The other concerns are things like malware that records keystrokes and screenshots. On an infected client these will be able to ‘steal’ some data regardless of the fact that the device is not directly on the infrastructure. As such you should be careful of what you allow users to do in the RDS/View infrastructure. One way to address this is the use of a remote access solution to front-end it all that has some form of client-checking for AV software and patches. This should give you ‘some’ assurance that the unowned device has some level of protection on it.
Posted 5 years ago
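The channels scuttler lists above, and the "disable redirection of client devices" control the XenDesktop poster relies on, map onto a small set of per-computer RDS policies that the RD Session Host enforces regardless of what the client asks for. As an added example (not code from the thread or from either product), this script applies the "do not allow ... redirection" policies for drive mapping, clipboard, Plug and Play/USB devices, COM and LPT ports and printers, and then reports which channels are still open. The policy path and the fDisable* value names are the real Group Policy registry settings; the assumption is that this host is configured locally rather than by a domain GPO, which would write the same values and override a local change on the next refresh.

```powershell
# Added example, not from the thread. Run elevated on the RD Session Host.
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Redirection channel -> policy value name. Setting the value to 1 disables that channel
# server-side. Display, keyboard and mouse are the session itself and have no such switch.
$Channels = [ordered]@{
    'Drive mapping'          = 'fDisableCdm'
    'Clipboard'              = 'fDisableClip'
    'Plug and Play / USB'    = 'fDisablePNPRedir'
    'COM ports'              = 'fDisableCcm'
    'LPT ports'              = 'fDisableLPT'
    'Printers'               = 'fDisableCpm'
}

function Disable-RdsRedirection {
    if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }
    foreach ($name in $Channels.Values) {
        Set-ItemProperty -Path $Policy -Name $name -Type DWord -Value 1
    }
}

function Get-RdsRedirectionReport {
    # Anything not explicitly set to 1 is reported as open: an absent value means
    # "not configured", and the server then honours whatever the client requests.
    $p = if (Test-Path $Policy) { Get-ItemProperty -Path $Policy } else { $null }
    foreach ($entry in $Channels.GetEnumerator()) {
        $value = if ($p) { $p.($entry.Value) } else { $null }
        [pscustomobject]@{
            Channel = $entry.Key
            Policy  = $entry.Value
            State   = if ([int]$value -eq 1) { 'disabled by policy' } else { 'OPEN (not restricted)' }
        }
    }
}

Disable-RdsRedirection
Get-RdsRedirectionReport | Format-Table -AutoSize
```

Run only the report function on an existing host first: the OPEN lines are exactly the paths by which a file from an infected home PC can land on the server, which is the bridging the original question worries about. Keystroke and screenshot capture on the client, as the post notes, is not addressed by any of these switches; that is the argument for the client-checking front end (or NAP, mentioned earlier) rather than for more server-side settings.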