enforce remote users to use SSL for RDP to TS
  • enforce remote users to use SSL for RDP to TS

    I've set up 2 terminal servers in a test lab. Using selfSSL I've created SSL certs for each TS server.

    When I connect from a remote client using RDP 6.0.6000, it prompts me to install the certificate and then my connection is encrypted with SSL.

    The problem is, if the RDP client is set to "Always connect, even if authentication fails", the client is still able to connect and log into the TS server.

    Is there any way I can enforce the client to use the setting "warn me if authentication fails"?

    The remote client is not a domain user; I was hoping something on the backend could be enabled.

    I've already set the TS servers' setting to "high" encryption and "SSL".

    Is this achievable?


    Thanks,

  • #2
    Re: enforce remote users to use SSL for RDP to TS

    Did you use:

    http://technet2.microsoft.com/Window....mspx?mfr=true

    ?
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



    • #3
      Re: enforce remote users to use SSL for RDP to TS

      Thanks.

      Yes, I did go through the document.

      1. I have set each terminal server in my session directory farm with the following:

      security layer = SSL

      encryption = high

      certificate = the one that I created.

      I exported the certificate when I ran selfSSL from one TS server, then imported that same cert to all the terminal servers using the Certificates snap-in.

      2. For the client settings, using RDP 6.0, if I set the authentication setting to

      warn me or do not connect, then everything works as planned as long as I install the certificate under the Trusted Root CA Certificates store on the client machine.

      However, if I set it to "connect me anyways even if authentication fails", I can still get in, but the connection is not SSL encrypted.

      Aside from distributing a custom .rdp file or hardcoding users' registry (I can do this for domain members, but it is hard for offsite guests), I had thought that with the settings set to SSL and HIGH, the TS server was supposed to reject any connections not meeting those criteria. However, this seems not to be working that way if the RDP setting is set to "connect anyways even if authentication fails".


      So I'm not sure what I'm missing...



      • #4
        Re: enforce remote users to use SSL for RDP to TS

        Did you set the Security layer to Negotiate?! This will allow users to connect even if the SSL failed...
        Also, the client can verify that the server is trusted, but the server can't verify that the client is trusted.
        Best Regards,

        Yuval Sinay



        • #5
          Re: enforce remote users to use SSL for RDP to TS

          "Did you set the Security layer to Negotiate?! This will allow users to connect even if the SSL failed..."

          I set this to SSL and not Negotiate. I was hoping that the server would reject the connection if it didn't have the certificate; I didn't want the server to allow people to connect if they did not install the certificate. Basically I want only SSL connections or none at all.


          "Also, the client can verify that the server is trusted, but the server can't verify that the client is trusted."

          I think this is my problem here. Perhaps I was misunderstanding the purpose of the SSL / High authentication/encryption settings. I was hoping that the server would reject if the client did not meet those settings (i.e. have my certificate and use SSL to connect with high encryption). However, if the server cannot verify, then I'll really just have to "trust" my users that if they want to have their communications encrypted with SSL, they have to use the custom .rdp file I give them and follow my instructions.
          If not, then their communication with the TS server will be SSL-less.

          Am I getting this right?

          Thanks btw for your responses.

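The two things the thread keeps coming back to are the listener settings on the terminal server (security layer, encryption level, bound certificate) and the client's "authentication level" in the .rdp file. The script below is an added PowerShell example, not code from this thread, from Microsoft's documentation or from any of the posters. It audits the RDP-Tcp listener values in the registry and writes a client .rdp file whose `authentication level:i:2` refuses to connect when the server certificate cannot be verified. The function names (`Get-RdpListenerSecurity`, `Test-RdpListenerSecurity`, `New-LockedRdpFile`) are hypothetical helpers, `ts01.example.test` is a placeholder, and the registry layout it assumes is the classic per-listener key under `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`. The `UserAuthentication` (NLA) check applies only to Server 2008 and later; on Server 2003 it simply reports that the value is absent, which mirrors post #4's point that the server side has no check of the client.

```powershell
# Added example, not code from the thread. Audits the RDP-Tcp listener on the
# terminal server and writes a locked-down .rdp file for remote users.
# Assumed registry values (classic per-listener layout):
#   SecurityLayer           0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
#   MinEncryptionLevel      1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
#   UserAuthentication      1 = Network Level Authentication required (Server 2008+)
#   SSLCertificateSHA1Hash  REG_BINARY thumbprint of the certificate bound to the listener
# Run elevated on the terminal server.

$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerSecurity {
    param([string]$Path = $ListenerKey)
    $p = Get-ItemProperty -Path $Path
    $hash = $null
    if ($p.SSLCertificateSHA1Hash) {
        # REG_BINARY comes back as byte[]; render it as the hex thumbprint shown in the Certificates snap-in
        $hash = ($p.SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('x2') }) -join ''
    }
    [pscustomobject]@{
        SecurityLayer      = $p.SecurityLayer
        MinEncryptionLevel = $p.MinEncryptionLevel
        UserAuthentication = $p.UserAuthentication   # $null where the value does not exist (Server 2003)
        CertificateHash    = $hash
    }
}

function Test-RdpListenerSecurity {
    param([Parameter(Mandatory)]$Settings)
    $findings = @()
    if ($Settings.SecurityLayer -ne 2) {
        $findings += "SecurityLayer=$($Settings.SecurityLayer): set 2 (SSL). With Negotiate (1) the listener accepts legacy RDP security from clients that do not offer TLS."
    }
    if (-not $Settings.MinEncryptionLevel -or $Settings.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($Settings.MinEncryptionLevel): set 3 (High) or 4 (FIPS)."
    }
    if (-not $Settings.CertificateHash) {
        $findings += 'No certificate bound to the listener: clients have nothing to verify the server against.'
    }
    if ($Settings.UserAuthentication -ne 1) {
        # TLS here only lets the client verify the server. NLA is the server-side
        # check of the client, on operating systems that support it.
        $findings += 'UserAuthentication is not 1: the server does not authenticate the client before a session is created (NLA needs Server 2008 or later).'
    }
    return $findings
}

function New-LockedRdpFile {
    param(
        [Parameter(Mandatory)][string]$Server,   # placeholder host name, e.g. ts01.example.test
        [Parameter(Mandatory)][string]$Path
    )
    # "authentication level" is the client setting discussed in the thread:
    #   0 = connect even if server authentication fails (what the OP wants to rule out)
    #   1 = warn me, 2 = do not connect
    $lines = @(
        "full address:s:$Server",
        'authentication level:i:2',
        'negotiate security layer:i:1',
        'enablecredsspsupport:i:1',   # lets the client use NLA where the server offers it
        'prompt for credentials:i:1'
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

# Usage on the terminal server:
$settings = Get-RdpListenerSecurity
$settings | Format-List
$problems = Test-RdpListenerSecurity -Settings $settings
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Listener requires SSL with High encryption and has a certificate bound.'
}
New-LockedRdpFile -Server 'ts01.example.test' -Path "$env:USERPROFILE\Desktop\ts01-ssl-only.rdp"
```

The .rdp file only controls what the client does; a user who edits it back to `authentication level:i:0` gets exactly the behaviour described in post #3. The audit half is what the server owner can actually enforce: a listener with `SecurityLayer` 2 and no `UserAuthentication` value shows, in one place, that the server can require TLS but cannot vouch for who the client is.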


          • #6
            Re: enforce remote users to use SSL for RDP to TS

            You can do a small trick:

            Create an IPsec filter with certificate authentication for TCP 3389 target, source Any.
            This will give you some basic pre-authentication.
            Best Regards,

            Yuval Sinay



            • #7
              Re: enforce remote users to use SSL for RDP to TS

              Hmm, that is an interesting trick.

              I'll give that a try and see how it goes.

              Thanks!