Internet Related/Filtering/Firewall Thread, External Terminal Services in Technical; ...
  1. #1
    eddyc

    External Terminal Services

    I would like to know how many schools offer external access to a terminal server. If you could let me know, that would be great.

    Basically I have worked in a secondary school (but in a different LEA to where I am now) which offered a terminal server to both staff and students - this was the case for all secondaries in this LEA. This system worked very well and, like any of the machines onsite, was locked down by group policy to prevent things like the command prompt from being opened, etc.

    I have been in role as an ICT Manager in a new school (in a different LEA) since 1st August and would like to introduce this facility for our staff and students to use. I have put in a change request to get port 3389 opened and routed to the terminal server, which is set up and ready to go, but have now had this plan thrown out of the window by the LEA network team, as apparently this will be a huge security risk for the whole of the secondary schools network within the LEA. I have been told that I can use an SSL VPN.

    We already have an SSL VPN, which is fine for myself and the rest of the technical team, but with regard to letting staff or pupils use this - it is a big no no as it's just too complex and confusing for them.

    So basically I'm polling how many of you have access to an external terminal server from outside of your school, and which LEA does your school fall within?

    I'm trying to build up an argument to go back to LEA with. They have suggested buying a different VPN which is less complex and will cost £3,500 - but my argument is why should the school have to pay out for something we can do by just opening a port on the firewall? We have recently become an academy so are not obliged to stick with the LEA's internet connection, so this is a threat that I am considering using - your thoughts \ suggestions and feedback are most welcome.

  2. #2

    glennda

    We do, but by using third-party software so that everything is run via port 443 (https) rather than via port 3389. This is done by using SSL Explorer (now OpenVPN ALS), but there is also Home Access Plus which does similar things, I believe.

  3. #3
    ChrisH

    You want a remote desktop gateway which will give your users access to RD servers via port 443. This is assuming a Server 2008 R2 setup. This should satisfy security requirements.
    We don't use it as we use Sun/Oracle Global Desktop provided by the LEA, but it is what I would do in your situation.

  5. #4
    eddyc

    Originally posted by ChrisH:
        You want a remote desktop gateway which will give your users access to RD servers via port 443. This is assuming a Server 2008 R2 setup. This should satisfy security requirements.
        We don't use it as we use Sun/Oracle Global Desktop provided by the LEA, but it is what I would do in your situation.

    I'll certainly give this a shot - hopefully they will be happy with this.

  6. #5

    I am not sure I am convinced about their opening a port onto your server being a danger to the entire infrastructure, but I can appreciate their not being crazy about the idea. A halfway house could be implementing Terminal Server over SSL, which will require an additional server at your end (sat in between the TS and the Internet), but the users will still be able to use a bog-standard RDP file to connect.

    Here's a good guide:

    http://www.windowsecurity.com/articl...way-Part1.html
    Last edited by theriver; 10th October 2011 at 09:10 PM. Reason: Duplication. Not very good at multita OH LOOK a kitten on the TV!

  7. #6
    ChrisH

    Originally posted by theriver:
        I am not sure I am convinced about their opening a port onto your server being a danger to the entire infrastructure, but I can appreciate their not being crazy about the idea. A halfway house could be implementing Terminal Server over SSL, which will require an additional server at your end (sat in between the TS and the Internet), but the users will still be able to use a bog-standard RDP file to connect.

    That's what an RD gateway does pretty much.

  8. #7

    Yup, I didn't explain that very well!

  9. #8

    Originally posted by theriver:
        I am not sure I am convinced about their opening a port onto your server being a danger to the entire infrastructure, but I can appreciate their not being crazy about the idea. A halfway house could be implementing Terminal Server over SSL, which will require an additional server at your end (sat in between the TS and the Internet), but the users will still be able to use a bog-standard RDP file to connect.

        Here's a good guide:

        Configuring the Windows Server 2008 Terminal Services Gateway (Part 1)

    I'm following this guide as it meets my requirements for the time being. I'm struggling to get my head round the certificates part as it will not allow me to select an Online Certification Authority. What type of certificate do I need and where do I get it from? A couple of websites I've looked at provide SSL certificates but appear to be for websites rather than a Remote Desktop Gateway. Can anyone shed any light on this?

  10. #9

    You need a normal SSL certificate.

    You publish the gateway and it is this that people connect to externally, for example to https://gateway.myschool.org.uk. This just needs to have a standard SSL certificate because it is using port 443.

    We use a wildcard here for all our secure sites including external connections to our gateway.

  11. #10

    Originally posted by Achandler:
        You need a normal SSL certificate.

        You publish the gateway and it is this that people connect to externally, for example to https://gateway.myschool.org.uk. This just needs to have a standard SSL certificate because it is using port 443.

        We use a wildcard here for all our secure sites including external connections to our gateway.

    Thanks for the reply. What do you mean by wildcard?

  12. #11

    Wildcard SSL certificates are for a similar variable *.domain.org.uk

    Therefore you can use it to secure multiple sites; we use ours for the terminal server, the webmail etc.
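
The wildcard coverage described in the post above, as an added example that is not part of the original thread: a strict hostname matcher showing which names a `*.myschool.org.uk` certificate does and does not cover. The service hostnames other than gateway.myschool.org.uk are constructed for illustration.

```python
# Added example: which hostnames a wildcard certificate name covers.
# Hostnames and the certificate name list below are constructed samples.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """Return True if a certificate name (exact or wildcard) covers hostname.

    Rules applied (the strict form of RFC 6125 matching):
    - comparison is case-insensitive, label by label;
    - '*' is accepted only as the entire left-most label;
    - the wildcard stands for exactly one label, so it does not cover
      the bare domain or names nested one level deeper.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (no '*.uk').
        if len(p) < 3 or "*" in "".join(p[1:]):
            return False
        return p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or misplaced wildcards are rejected here
    return p == h

def covered_by(cert_names, hostname):
    """Return the certificate names that cover hostname (empty = mismatch)."""
    return [n for n in cert_names if name_matches(n, hostname)]

CERT_NAMES = ["*.myschool.org.uk"]            # constructed SAN list
SERVICES = ["gateway.myschool.org.uk",        # RD Gateway name from the thread
            "webmail.myschool.org.uk",        # constructed
            "myschool.org.uk",                # bare domain: not covered
            "ts.staff.myschool.org.uk"]       # two levels deep: not covered

def report(cert_names=CERT_NAMES, services=SERVICES):
    """Map each service hostname to whether the certificate covers it."""
    return {s: bool(covered_by(cert_names, s)) for s in services}

if __name__ == "__main__":
    for host, ok in report().items():
        print(f"{host:30} {'covered' if ok else 'NOT covered'}")
```

A name that comes back as not covered needs its own entry in the certificate's subject alternative names, otherwise clients connecting to it will see a certificate mismatch.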

  13. #12
    jimmy_2k

    We had this system set up when I worked at a University. We had to remove this because we were using Microsoft Office and in the Microsoft licensing agreement, any machine which you use Office on (whether it is installed on the PC or not) requires a license of Office for that machine. E.g. Teacher uses Office on a PC at home, school has EES or Campus, this is fine, but a teacher could use the terminal server on say a webcafe machine without an Office license; this would be a breach of MS licensing. This may have changed in the license agreement as this was a while ago, and personally I would argue that if they have a login and you have an agreement then they would be covered anyway. Good idea though, I want to put SIMS on TS for Mac users. At my school all staff have laptops and we have a VPN with a 25 user license.
