TS Gateway Replaces VPN Server?


  • TS Gateway Replaces VPN Server?

    I'm still in the process of planning our secure remote access solution, and originally had a VPN server to handle authentication and authorization.

    Since users would be limited to TS web access, and not be using RDP to other systems, do I really need the VPN server or is that role handled by the TS gateway?

    I definately want 2-factor authentication for the user - Smart cards, SecureID, or some such - so would my choices be better using VPN?

    I do not want to allow regular network access to any system on the protected network. This way I can ensure that documents being worked on remotely cannot be saved locally.

  • #2
    Re: TS Gateway Replaces VPN Server?

    Hi,

    You don't need a VPN server with the TS Gateway role. TS Gateway uses RDP over HTTPS. You can use authorization policies to better control the access.
    For more info have a look at this training video I've come across: http://edge.technet.com/Media/No-VPN...ys-No-Problem/

    Ta
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: TS Gateway Replaces VPN Server?

      If your concern is only about security and you want to implement it, I would recommend going for IAS & IPSec.
      Best Regards,
      Manish Nadkarni



      • #4
        Re: TS Gateway Replaces VPN Server?

        Originally posted by virus
        If your concern is only about security and you want to implement it, I would recommend going for IAS & IPSec.
        TS Gateway is a Windows 2008 feature. In Windows 2008, IAS has been replaced by NPS.
        Also I don't think you could use IPSec with TS Gateway.


        • #5
          Re: TS Gateway Replaces VPN Server?

          TS Gateway is a "proxy" for the RDP connection. The IPSEC should be used for authentication to the domain and Radius, for example.
          However, you can use Juniper SSL VPN etc., so do some tests to find the correct system.
          Best Regards,

          Yuval Sinay

          LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



          • #6
            Re: TS Gateway Replaces VPN Server?

            Thanks to all the replies. That screencast was useful information.

            Thinking on it some more, if I use TS Gateway then that allows me to RDP, via the Gateway over HTTPS, to the resources defined in the RAP, assuming the login I use is in the CAP.

            However, I don't want to allow remote desktop to a real server but to an instanced VM based on a template.

            Similar to RemoteApp via TS Web Access, where the TS creates a session to run the app within for each user.

            Is this possible?

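As an added illustration (not part of the original posts and not Microsoft's code), this simplified Python model shows the two-stage check described in post #6: the login must match a CAP, then the target must match a RAP, and anything else is denied. The group names, host names and the `authorize` helper are constructed for this example.

```python
# Simplified model of TS Gateway's two-stage authorization (added example).
# All group, host and function names here are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cap:
    """Connection authorization policy: who may connect to the gateway."""
    user_groups: frozenset
    auth_methods: frozenset  # e.g. {"smartcard"} or {"password", "smartcard"}

@dataclass(frozen=True)
class Rap:
    """Resource authorization policy: which internal hosts they may reach."""
    user_groups: frozenset
    targets: frozenset
    ports: frozenset = frozenset({3389})

def authorize(user_groups, auth_method, target, port, caps, raps):
    """Return (allowed, reason). Deny unless a CAP and a RAP both match."""
    groups = frozenset(user_groups)
    if not any(groups & c.user_groups and auth_method in c.auth_methods
               for c in caps):
        return False, "no matching CAP"
    if not any(groups & r.user_groups and target in r.targets
               and port in r.ports for r in raps):
        return False, "no matching RAP"
    return True, "allowed"

# Constructed policies: smart card only, and only the TS farm is reachable.
CAPS = [Cap(frozenset({"Remote-Workers"}), frozenset({"smartcard"}))]
RAPS = [Rap(frozenset({"Remote-Workers"}), frozenset({"ts-farm.corp.example"}))]

def demo():
    """Evaluate constructed requests against the constructed policies."""
    cases = [
        (["Remote-Workers"], "smartcard", "ts-farm.corp.example", 3389),
        (["Remote-Workers"], "password", "ts-farm.corp.example", 3389),
        (["Remote-Workers"], "smartcard", "fileserver.corp.example", 3389),
        (["Remote-Workers"], "smartcard", "ts-farm.corp.example", 445),
        (["Domain Users"], "smartcard", "ts-farm.corp.example", 3389),
    ]
    return [authorize(*case, CAPS, RAPS) for case in cases]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Only the first constructed request is allowed; every other host and port on the protected network stays unreachable through the gateway.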


            • #7
              Re: TS Gateway Replaces VPN Server?

              1. You can use Web Gateway to publish applications.

              2. For publishing a VM... I guess that you need a VDI solution (review Microsoft Med 2 Infrastructure).
              Best Regards,

              Yuval Sinay



              • #8
                Re: TS Gateway Replaces VPN Server?

                And there I was, thinking I was getting a handle on things.

                MED-V seems like a good solution, but mixing it with TS is making my head spin.

                Essentially, the MED-V client is the TS farm, which has now become a HyperV farm.

                I'd also like to use OTP for client login. This ensures that corporate user names / passwords are not being typed into PCs outside the corporate infrastructure.

                There are other difficulties as well, such as ensuring that employees who are allowed remote access have RDP 6.1 installed, and whatever else is needed on the client PC.

                Not an easy thing to do as most people using a PC at home do the bare minimum of maintenance. We can't even guarantee they have anti-virus installed.

                One solution is to use NAP, and deny connections to those whose PC security isn't up to scratch.

                Of course, they may not even use a PC but use a Mac instead. I have no idea if Macs support RDP 6.1, or if TS Web Access would work.

                If anyone can point me towards resources for implementing zero-footprint secure remote access, it'd be appreciated.



                • #9
                  Re: TS Gateway Replaces VPN Server?

                  I've read through the TechNet article "Configuring the TS Gateway OTP Scenario"

                  http://technet.microsoft.com/en-us/l.../cc731249.aspx

                  Which identifies that I need clients to authenticate with ISA server before passing that authentication through to the TS Gateway.

                  If I have a perimeter network, I believe the TS GW/WA server goes in the DMZ but I haven't been able to determine where the RADIUS and TS servers would go.

                  Any suggestions?



                  • #10
                    Re: TS Gateway Replaces VPN Server?

                    Well... Most of the companies install the Radius in a special VLAN and allow it to have limited access to the Active Directory.

                    To improve the security, some of them implement IPSEC from the TS Gateway to the Radius and from the Radius to the Active Directory.

                    For high-level security, you can add a new forest to use for OTP authentication and then do a second authentication to the Active Directory (you can also use IPSEC to improve the total session security, of course).

                    The main question is what device will do the authentication... Microsoft provides two solutions (ISA and TS Gateway itself).

                    I can recommend that you check a third-party solution like Juniper SA 2500...
                    Best Regards,

                    Yuval Sinay
