10th October 2011, 09:16 PM #1
External Terminal Services
I would like to know how many schools offer external access to a terminal server if you could let me know that would be great.
Basically I have worked in a secondary school (but in a different LEA to where I am now) which offered a terminal server to both staff and students - this was the case for all secondaries in this LEA. This system worked very well and like any of the machines onsite was locked down by group policy to prevent things like the command prompt from being opened, etc.
I have been in role as an ICT Manager in a new school (in a different LEA) since 1st August and would like to introduce this facility for our staff and students to use. I have put in a change request to get port 3389 opened and routed to the terminal server which is set up and ready to go, but have now had this plan thrown out of the window by the LEA network team, as apparently this will be a huge security risk for the whole of the secondary schools network within the LEA. I have been told that I can use an SSL VPN.
We already have an SSL VPN, which is fine for myself and the rest of the technical team, but with regard to letting staff or pupils use this - it is a big no-no as it's just too complex and confusing for them.
So basically I'm polling how many of you have access to an external terminal server from outside of your school and which LEA does your school fall within?
I'm trying to build up an argument to go back to the LEA with. They have suggested buying a different VPN which is less complex and will cost £3,500 - but my argument is why should the school have to pay out for something we can do by just opening a port on the firewall? We have recently become an academy so are not obliged to stick with the LEA's internet connection, so this is a threat that I am considering using - your thoughts / suggestions and feedback are most welcome.
10th October 2011, 09:22 PM #2
We do, but by using third-party software so that everything is run via port 443 (https) rather than via port 3389. This is done by using SSL Explorer (now OpenVPN ALS) but there is also Home Access Plus which does similar things I believe.
10th October 2011, 09:23 PM #3
You want a Remote Desktop Gateway which will give your users access to RD servers via port 443. This is assuming a Server 2008 R2 setup. This should satisfy security requirements.
We don't use it as we use Sun/Oracle Global Desktop provided by the LEA but it is what I would do in your situation.
10th October 2011, 09:49 PM #4
I'll certainly give this a shot - hopefully they will be happy with this.
Originally Posted by ChrisH
10th October 2011, 10:02 PM #5
I am not sure I am convinced about their opening a port onto your server being a danger to the entire infrastructure, but I can appreciate their not being crazy about the idea. A halfway house could be implementing Terminal Server over SSL, which will require an additional server at your end (sat in between the TS and the Internet), but the users will still be able to use a bog-standard RDP file to connect.
Here's a good guide:
Last edited by theriver; 10th October 2011 at 10:10 PM.
Reason: Duplication. Not very good at multita OH LOOK a kitten on the TV!
10th October 2011, 10:09 PM #6
That's what an RD gateway does pretty much.
Originally Posted by theriver
10th October 2011, 10:12 PM #7
Yup, I didn't explain that very well!
8th December 2011, 02:26 PM #8
I'm following this guide as it meets my requirements for the time being. I'm struggling to get my head round the certificates part as it will not allow me to select an Online Certification Authority. What type of certificate do I need and where do I get it from? A couple of websites I've looked at provide SSL certificates but appear to be for websites rather than a Remote Desktop Gateway. Can anyone shed any light on this?
Originally Posted by theriver
12th December 2011, 10:08 AM #9
You need a normal SSL certificate.
You publish the gateway and it is this that people connect to externally, for example https://gateway.myschool.org.uk. This just needs to have a standard SSL certificate because it is using port 443.
We use a wildcard here for all our secure sites including external connections to our gateway.
12th December 2011, 03:33 PM #10
Thanks for the reply. What do you mean by wildcard?
Originally Posted by Achandler
12th December 2011, 03:37 PM #11
Wildcard SSL certificates are for a similar variable *.domain.org.uk
Therefore you can use it to secure multiple sites, we use ours for the terminal server, the webmail etc.
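An added example (not posted by anyone in the thread) of which hostnames a wildcard name such as `*.domain.org.uk` actually covers, which matters when deciding whether one certificate can serve the gateway, webmail and other published sites. It applies the usual TLS hostname rules (wildcard only as the whole left-most label, standing for exactly one label); the hostnames are constructed samples and the function names are hypothetical.

```python
"""Wildcard certificate name matching (added example, constructed names)."""


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name such as *.domain.org.uk covers hostname.

    Rules applied (a common subset of RFC 6125):
      - '*' is only honoured as the complete left-most label
      - '*' stands for exactly one label, so it never spans a dot
      - the remaining labels must match exactly
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or any(not label for label in h):
        return False
    if "*" in "".join(p[1:]):
        return False  # wildcard anywhere but the first label is rejected
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # refuse bare "*.uk"-style names
    if "*" in p[0]:
        return False  # partial wildcards like "gate*" are not honoured here
    return p == h


def covered_hosts(cert_names: list[str], hosts: list[str]) -> dict[str, bool]:
    """Map each host to whether any name on the certificate covers it."""
    return {h: any(wildcard_matches(n, h) for n in cert_names) for h in hosts}


# Constructed sample: one wildcard certificate, four candidate hostnames.
CERT_NAMES = ["*.domain.org.uk"]
HOSTS = [
    "gateway.domain.org.uk",     # one label under the wildcard: covered
    "webmail.domain.org.uk",     # covered
    "domain.org.uk",             # the bare domain is not covered
    "ts1.remote.domain.org.uk",  # two labels deep: not covered
]

if __name__ == "__main__":
    for host, ok in covered_hosts(CERT_NAMES, HOSTS).items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'}")
```

A host that falls outside the wildcard needs its own name on the certificate (an extra subject alternative name) or a separate certificate.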
14th January 2012, 04:45 PM #12
We had this system set up when I worked at a University. We had to remove this because we were using Microsoft Office and in the Microsoft licensing agreement, any machine which you use Office on (whether it is installed on the PC or not) requires a license of Office for that machine. E.g. Teacher uses Office on a PC at home, school has EES or Campus this is fine but a teacher could use the terminal server on say a webcafe machine without an Office license, this would be a breach of MS licensing. This may have changed in the license agreement as this was a while ago and personally I would argue that if they have a login and you have an agreement then they would be covered anyway. Good idea though, I want to put SIMS on TS for Mac users. At my school all staff have laptops and we have a VPN with a 25 user license.