I'd like to create a single point of entry to our network from the outside and to be able to publish/set up some kind of routing system to access devices/services within.
I'm looking at, I suppose, an ISA-style set-up, but whether this will do what I'm after I don't know; and I'd like some best practice.
Things it needs to allow me to do:
1) Single login (authenticated against AD) through some kind of webpage/applet?
2) Allow RDP to 'any' internal IP or have a list of boxes to choose from.
3) Allow HTTP access to 'any' internal IP or have a list of sites/services to choose from.
I guess really a VPN solution might be easier, but I'm just wondering whether there is some means of achieving this?
I'm imagining it'd need to create some kind of port redirect if I had say 3 open ports on the firewall it could dynamically ssh tunnel or something?
Or would it just be easier to have a box running ISA with Terminal Services web connector to RDP to itself and from there to wherever?
Many thanks for your time.
Microsoft Windows 2008 TS Gateway, HTTPS page, so you don't have to worry about NAT/firewall to the end user; you also only need to open/forward port 443 on your firewall.
Wow, that sounds like the ticket!
If you want to make it a little more shiny for users TSWeb Access lets you run applications as though they're local, rather than having a second desktop. They're still running on the server and have normal access to the network, but appear on your own desktop.
RemoteApps... looks a cool feature. Might be good to allow staff a copy of Office at home, without giving them the CD. Yes, your Office license allows you a copy at home and at work. This would be a nice way to limit it to current staff only.
Server 2008 TS Gateway will do the job just fine.
Currently our IT Support team members use Remote Desktop to access their office workstations while at home rather than using a VPN; directly RDP'ing to the workstations was just easy and simple.
However, I have always worried about the level of security of RDP traffic through our primary Internet connection. So when we started to roll out 2008 boxes in the server farm I decided to set up a TS Gateway Server just for a play around - now we all use it as standard!
Basically the RDP packet payload is encapsulated in SSH then bundled into an SSL session, essentially making the Remote Desktop session impossible to listen to on the wire :) Plus it gives the added bonus of allowing anyone with an external workstation that has port 443 access to the Internet to remote into their office machine (provided the client has the latest version of the MS RDP application).
Native RDP without going through any form of security / encryption is being closed down within Northants, hence Kim's look at other methods.
Now all I need to do is to dig out which schools are using native RDP, find out which servers they are going to (some might actually be connecting directly to DCs or the MIS box) and give them some advice / example of how other local / national schools are doing things.
TS Gateway works well....
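The audit that post describes, as an added example that is not from the thread or any poster: a small Python script that walks constructed firewall accept-log lines (a hypothetical "action proto src=IP:port dst=IP:port" export) and lists external connections straight to TCP/3389, marking sensitive destinations such as DCs or the MIS box as critical, while counting the expected 443 sessions to the gateway. The log format, host addresses and the sensitive/gateway host sets are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not from the thread); hypothetical export format.
SAMPLE_LOG = """\
2010-03-12T08:01:22 ACCEPT TCP src=203.0.113.5:51234 dst=10.0.0.10:3389
2010-03-12T08:02:10 ACCEPT TCP src=198.51.100.7:44012 dst=10.0.0.20:3389
2010-03-12T08:03:41 ACCEPT TCP src=10.0.1.15:50222 dst=10.0.0.10:3389
2010-03-12T08:05:03 ACCEPT TCP src=203.0.113.9:40110 dst=10.0.0.50:443
2010-03-12T08:06:30 ACCEPT TCP src=203.0.113.5:51300 dst=10.0.0.10:3389
2010-03-12T08:07:12 DROP   TCP src=192.0.2.44:1025 dst=10.0.0.20:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# RFC 1918 ranges count as "inside"; anything else is treated as the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def audit_rdp_exposure(log_text, sensitive_hosts, gateway_hosts):
    """Return (findings, gateway_sessions). A finding is an ACCEPTed TCP connection
    from an external source directly to port 3389 (native RDP, bypassing the
    gateway). Destinations in sensitive_hosts (DCs, MIS box) are rated critical."""
    findings, gateway_sessions = [], 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["action"] != "ACCEPT" or m["proto"] != "TCP":
            continue  # ignore drops and lines we cannot parse
        src = ipaddress.ip_address(m["src"])
        dst, dport = m["dst"], int(m["dport"])
        if is_internal(src):
            continue  # LAN-to-LAN RDP is out of scope for this audit
        if dport == 443 and dst in gateway_hosts:
            gateway_sessions += 1  # expected path: RDP tunnelled over HTTPS
        elif dport == 3389:
            findings.append({"time": m["ts"], "src": str(src), "dst": dst,
                             "severity": "critical" if dst in sensitive_hosts else "high"})
    return findings, gateway_sessions

def summarise(findings):
    """Count hits per exposed destination so each server can be chased up."""
    return Counter(f["dst"] for f in findings)

if __name__ == "__main__":
    found, gw = audit_rdp_exposure(SAMPLE_LOG, {"10.0.0.10"}, {"10.0.0.50"})
    for item in found:
        print(item)
    print("gateway sessions:", gw, "exposed hosts:", dict(summarise(found)))
```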
I would just go all out with either a VPN (we use TMG for ours) - that way you will have full seamless remote access to your network (has been a big hit with our teaching staff).
That or have a look at Forefront UAG - it gives you that 'web portal' like experience you have described.