

Remote Desktop can be deployed in any number of different ways, and not all of them are created equally when it comes to security. In the Enterprise, we’d most likely see RDS deployed using a “DMZ” or “Demilitarized Zone,” which is a special type of network that usually contains some internet-accessible resources, and sometimes also has restricted access to other resources on the internal network.* This type of approach can help to limit attack surface on the perimeter of your network, and make it a bumpier ride for any would-be attackers trying to find a way in.

What is typical in the small business is not only a complete lack of DMZ and internal network segmentation, but very often, a Remote Desktop connection is made available through the firewall right on port 3389. Meaning that a person can just open the Remote Desktop client, hit an external DNS name or IP address, and find themselves on an interactive desktop inside your network. Which is crazy.

A much safer alternative is to close RDP access from outside the network, and make it accessible only from a secure protocol, such as SSL VPN on your firewall, or Microsoft’s own Remote Desktop Gateway service. Either way, we note that the correct architecture is to have only one port available externally on the firewall: port 443. That secure, encrypted port is how your client computers will attach to the network. From inside of that connection, you can then establish a (shielded) port 3389 Remote Desktop session.

Enter the Remote Desktop Gateway & Web Access role.

[Figure: Secure Remote Desktop Architecture using a DMZ]

Again, in the Enterprise, these roles would be deployed on a server inside a DMZ, and only listen on port 443. In turn, the Gateway/Web Access server will have the ability to make a connection via 3389 to your Remote Desktop Session Host, which is located on the internal network.
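The two layouts contrasted above (RDP forwarded straight through the firewall on 3389 versus an RD Gateway in a DMZ that alone is reachable on 443) can be expressed as zone-based firewall policies and audited for perimeter exposure. The following is an added example, not code from the original post or from any firewall vendor; the zone names, the rule format and the first-match evaluation semantics are constructed for illustration, and a real perimeter device would be audited by exporting its own rule base into this shape.

```python
"""Audit a zone-based firewall policy for the RDS layouts described above.

Constructed example: the rule format, zone names and first-match evaluation
are assumptions for illustration, not any vendor's configuration syntax.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "*"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Union[int, str]  # TCP port number, or ANY
    action: str                # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, port: int) -> bool:
        return (self.src_zone in (ANY, src_zone)
                and self.dst_zone in (ANY, dst_zone)
                and self.dst_port in (ANY, port))


def evaluate(policy: List[Rule], src_zone: str, dst_zone: str, port: int) -> str:
    """First matching rule wins; anything unmatched hits the implicit final deny."""
    for rule in policy:
        if rule.matches(src_zone, dst_zone, port):
            return rule.action
    return "deny"


# Constructed policy 1: the typical small-business layout. There is no DMZ,
# and RDP is port-forwarded from the internet directly to the session host.
SMALL_BUSINESS = [
    Rule("internet", "internal", 3389, "allow"),  # RDP exposed on the perimeter
    Rule("internal", ANY, ANY, "allow"),          # internal hosts may reach anything
]

# Constructed policy 2: RD Gateway / Web Access in a DMZ. Only 443 crosses the
# perimeter; the gateway alone may open 3389 to the internal session host.
DMZ_GATEWAY = [
    Rule("internet", "dmz", 443, "allow"),        # HTTPS to the RD Gateway only
    Rule("dmz", "internal", 3389, "allow"),       # gateway -> RD Session Host
    Rule("internal", ANY, ANY, "allow"),
]


def externally_reachable(policy: List[Rule],
                         zones: Tuple[str, ...] = ("dmz", "internal"),
                         ports: Tuple[int, ...] = (443, 3389)) -> List[Tuple[str, int]]:
    """List the (zone, port) pairs the internet zone can reach: the perimeter attack surface."""
    return [(zone, port)
            for zone in zones
            for port in ports
            if evaluate(policy, "internet", zone, port) == "allow"]


def rdp_path_ok(policy: List[Rule]) -> bool:
    """True when the intended two-hop path exists and no direct external RDP does."""
    return (evaluate(policy, "internet", "dmz", 443) == "allow"      # client -> gateway
            and evaluate(policy, "dmz", "internal", 3389) == "allow"  # gateway -> session host
            and evaluate(policy, "internet", "internal", 3389) == "deny"
            and evaluate(policy, "internet", "dmz", 3389) == "deny")


if __name__ == "__main__":
    for name, policy in (("small business", SMALL_BUSINESS), ("DMZ gateway", DMZ_GATEWAY)):
        print(f"{name}: exposed={externally_reachable(policy)} rdp_path_ok={rdp_path_ok(policy)}")
```

Run stand-alone, the script reports that the small-business policy exposes the internal network on 3389 and fails the path check, while the DMZ policy exposes only the gateway on 443 and passes it. The useful habit is the `externally_reachable` check: it enumerates what the internet zone can actually reach rather than trusting that a rule base "looks right".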
