Is RD Gateway useful?
-
I know we've talked about RDP security before, but I'm bringing it up again.
Is there a use case for RD Gateway in a single RDS server setup? (assuming we don't want to use the html5 web client) In this scenario it would be installed on the same server.
To me it seems like it would only really be useful if it was on the edge, separate from the RDS host server. RDP can already be configured to only use TLS (though it looks like TLS 1.0 is the highest it uses).
Or am I missing something here? Is there something else that makes RD Gateway inherently more secure? I'm not too interested in the additional resource access configurations.
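An added check (not from any post in the thread) for the RDP security-layer settings the original post refers to: it reads the RDP-Tcp listener configuration and the SCHANNEL protocol switches that decide which TLS versions RDP's TLS security layer can negotiate, then shows whether 3389 (direct RDP) or 443 (RD Gateway) is listening. It assumes an elevated PowerShell session on the RDS host; nothing here changes settings.

```powershell
# Added example: audit the RDP listener on an RDS host (read-only).
$listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS only
$layerNames = @{ 0 = 'RDP (legacy)'; 1 = 'Negotiate'; 2 = 'TLS only' }
$findings = @()
if ($listener.SecurityLayer -ne 2) {
    $findings += "SecurityLayer is '$($layerNames[[int]$listener.SecurityLayer])'; 2 (TLS only) is expected."
}
# UserAuthenticationRequired = 1 means Network Level Authentication is enforced,
# so credentials are checked before a full session is built for the client.
if ($listener.UserAuthenticationRequired -ne 1) {
    $findings += 'Network Level Authentication is off.'
}

# RDP's TLS layer goes through Schannel, so these server-side keys decide which
# TLS versions can be negotiated. A missing key means the OS default applies.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = Join-Path $base "$proto\Server"
    $state = 'OS default'
    if (Test-Path $key) {
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $v.Enabled) {
            $state = if ($v.Enabled -eq 0) { 'disabled' } else { 'enabled' }
        }
    }
    '{0,-8} server: {1}' -f $proto, $state
}

# Which entry point is actually listening: 3389 (direct RDP) or 443 (RD Gateway HTTPS)?
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 3389, 443 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } }
else { 'RDP-Tcp listener: TLS only with NLA enforced.' }
```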
-
@flaxking said in Is RD Gateway useful?:
I know we've talked about RDP security before, but I'm bringing it up again.
Is there a use case for RD Gateway in a single RDS server setup? (assuming we don't want to use the html5 web client) In this scenario it would be installed on the same server.
To me it seems like it would only really be useful if it was on the edge, separate from the RDS host server. RDP can already be configured to only use TLS (though it looks like TLS 1.0 is the highest it uses).
Or am I missing something here? Is there something else that makes RD Gateway inherently more secure? I'm not too interested in the additional resource access configurations.
Are you going to use it externally and configure your registrar to use something like remote.domain.com? If not, then there is no purpose for it in your case. If you are, then it would give you better security if you did place it at the edge.
-
@bbigford said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
I know we've talked about RDP security before, but I'm bringing it up again.
Is there a use case for RD Gateway in a single RDS server setup? (assuming we don't want to use the html5 web client) In this scenario it would be installed on the same server.
To me it seems like it would only really be useful if it was on the edge, separate from the RDS host server. RDP can already be configured to only use TLS (though it looks like TLS 1.0 is the highest it uses).
Or am I missing something here? Is there something else that makes RD Gateway inherently more secure? I'm not too interested in the additional resource access configurations.
Are you going to use it externally and configure your registrar to use something like remote.domain.com? If not, then there is no purpose for it in your case. If you are, then it would give you better security if you did place it at the edge.
Yes. Basically we want to host our application for some of our clients. We have a hosting partner that has been figuring out the details for our clients, but our clients have been requesting things outside of their experience so it has come back to us to figure out some of the implementation details.
So the networks will basically be an RDS server and a database server (not actually sure where they put AD). I'm trying to figure out the smoothest setup for our clients with the lowest cost.
I would be looking into Guacamole, but no one has requested a web client. But presumably, our partner will be using Datacenter, so maybe an additional Windows Server for RD Gateway wouldn't be the cost increase for our clients that I would expect.
However, I simply don't have a grasp on what additional security it is going to provide. I assume it is going to sit at the same place on our hosting partner as the RDS server, just now the RDS host won't have a port exposed, the Gateway will. And if it was on the same server, what's the difference between the gateway port being exposed or the RDP port?
I mean, if it actually sat on edge infrastructure, I see the use. But otherwise, what's the point?
-
@flaxking said in Is RD Gateway useful?:
@bbigford said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
I know we've talked about RDP security before, but I'm bringing it up again.
Is there a use case for RD Gateway in a single RDS server setup? (assuming we don't want to use the html5 web client) In this scenario it would be installed on the same server.
To me it seems like it would only really be useful if it was on the edge, separate from the RDS host server. RDP can already be configured to only use TLS (though it looks like TLS 1.0 is the highest it uses).
Or am I missing something here? Is there something else that makes RD Gateway inherently more secure? I'm not too interested in the additional resource access configurations.
Are you going to use it externally and configure your registrar to use something like remote.domain.com? If not, then there is no purpose for it in your case. If you are, then it would give you better security if you did place it at the edge.
Yes. Basically we want to host our application for some of our clients. We have a hosting partner that has been figuring out the details for our clients, but our clients have been requesting things outside of their experience so it has come back to us to figure out some of the implementation details.
So the networks will basically be an RDS server and a database server (not actually sure where they put AD). I'm trying to figure out the smoothest setup for our clients with the lowest cost.
I would be looking into Guacamole, but no one has requested a web client. But presumably, our partner will be using Datacenter, so maybe an additional Windows Server for RD Gateway wouldn't be the cost increase for our clients that I would expect.
However, I simply don't have a grasp on what additional security it is going to provide. I assume it is going to sit at the same place on our hosting partner as the RDS server, just now the RDS host won't have a port exposed, the Gateway will. And if it was on the same server, what's the difference between the gateway port being exposed or the RDP port?
I mean, if it actually sat on edge infrastructure, I see the use. But otherwise, what's the point?
Honestly, you're all over the place.
You have some questions that need answering.
"I mean, if it actually sat on edge infrastructure, I see the use. But otherwise, what's the point?" -Security, as a proxy. That's the point. You're planning on exposing this to the outside; I would argue you absolutely need a gateway.
"However, I simply don't have a grasp on what additional security it is going to provide." -It's acting as a proxy, basically, that's the additional security.
"I would be looking into Guacamole, but no one has requested a web client." -What does that have to do with anything? Do you want to use Guacamole, or Windows Server RDS? Now is the time you should pick one.
"But presumably, our partner will be using Datacenter, so maybe an additional Windows Server for RD Gateway wouldn't be the cost increase for our clients that I would expect." -Are you concerned with cost, or functionality? Getting lost in this area as you had randomly thrown in Guacamole so I can't tell if you're going for cost or functionality as the bottom line because both have their strengths. What are you more familiar with, Linux or Windows Server?
-
@bbigford said in Is RD Gateway useful?:
-Are you concerned with cost, or functionality? Getting lost in this area as you had randomly thrown in Guacamole so I can't tell if you're going for cost or functionality as the bottom line because both have their strengths. What are you more familiar with, Linux or Windows Server?
Let's just forget I mentioned Guacamole, as it doesn't completely meet our needs. What we're looking for is a good balance of cost and security.
-
@bbigford said in Is RD Gateway useful?:
-It's acting as a proxy, basically, that's the additional security.
What I'm looking for is more examples of concrete benefits of using RD Gateway as the proxy. For example:
RDP exposes login for root permissions; using RD Gateway means that one isn't providing that opportunity to the outside world via the directly exposed protocol. And if the RD Gateway is on a separate server, root login to that server doesn't have to be accessible at all to the outside world.
When putting RD Gateway on a separate system, it can then go into the DMZ, leaving the RD Host on a more secure network. However, if it is a real DMZ then authentication needs to be figured out.
Using HTTPS for RDP means there are more tools that can be put in front of RD Gateway for additional security.
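An added example (not from any post in the thread) of the "RDS host has no exposed port" arrangement described above: Windows Firewall rules on the RDS host that accept RDP on 3389 only from a separate RD Gateway, so the host is unreachable from anywhere else. $GatewayIP is a placeholder, not a real address; it assumes an elevated PowerShell session on the RDS host.

```powershell
# Added example: restrict direct RDP on the RDS host to the RD Gateway only.
$GatewayIP = '10.0.1.10'   # placeholder: the gateway's internal address

# The built-in 'Remote Desktop' rule group allows 3389 from any address; disable it
# so it cannot widen what the scoped rules below permit.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Scoped allow rules: only the gateway may reach 3389 (TCP, plus UDP for the
# RDP 8+ UDP transport the gateway relays). With the profiles' default inbound
# action left at Block, every other source is dropped without a block rule.
foreach ($proto in 'TCP', 'UDP') {
    $name = "RDP from RD Gateway only ($proto)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
            -LocalPort 3389 -RemoteAddress $GatewayIP -Action Allow -Profile Any |
            Out-Null
    }
}

# Verify: profiles must block inbound by default, and each rule must carry
# the remote-address scope and the port it is meant to cover.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -DisplayName 'RDP from RD Gateway only*' | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Port          = ($_ | Get-NetFirewallPortFilter).LocalPort
    }
}
```

The gateway itself is then the only internet-facing piece (443, and 3391/UDP if UDP transport is enabled), which is the separation the post above is asking for.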
-
I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our client's individual AD? (their AD specific for our application in this hosted environment)
-
@bbigford said in Is RD Gateway useful?:
"I would be looking into Guacamole, but no one has requested a web client." -What does that have to do with anything? Do you want to use Guacamole, or Windows Server RDS? Now is the time you should pick one.
Guac is a front end to RDS. It's not one or the other.
-
@flaxking said in Is RD Gateway useful?:
I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our client's individual AD? (their AD specific for our application in this hosted environment)
Can't do that with MS products. Licensing doesn't allow that.
-
@flaxking said in Is RD Gateway useful?:
@bbigford said in Is RD Gateway useful?:
-Are you concerned with cost, or functionality? Getting lost in this area as you had randomly thrown in Guacamole so I can't tell if you're going for cost or functionality as the bottom line because both have their strengths. What are you more familiar with, Linux or Windows Server?
Let's just forget I mentioned Guacamole, as it doesn't completely meet our needs. What we're looking for is a good balance of cost and security.
It's free and brings the same kind of security, why rule it out?
-
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our client's individual AD? (their AD specific for our application in this hosted environment)
Can't do that with MS products. Licensing doesn't allow that.
Can't do it? Or just can't do it without additional licensing costs?
Either way it's a good point. Licensing was not in my initial consideration, and it probably makes this idea impractical, since cost is a concern.
-
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
@bbigford said in Is RD Gateway useful?:
-Are you concerned with cost, or functionality? Getting lost in this area as you had randomly thrown in Guacamole so I can't tell if you're going for cost or functionality as the bottom line because both have their strengths. What are you more familiar with, Linux or Windows Server?
Let's just forget I mentioned Guacamole, as it doesn't completely meet our needs. What we're looking for is a good balance of cost and security.
It's free and brings the same kind of security, why rule it out?
Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.
Although if we do have a cheaper option available that uses Guacamole, then it's easy to make it clear to the client that their specific demands are increasing the cost.
-
@flaxking said in Is RD Gateway useful?:
So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.
This is a very confusing statement to me. RDP connections include a VPN tunnel, and any web based SSL/TLS is just an on-demand VPN tunnel. So where do you need additional security beyond what is already provided?
-
@travisdh1 said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.
This is a very confusing statement to me. RDP connections include a VPN tunnel, and any web based SSL/TLS is just an on-demand VPN tunnel. So where do you need additional security beyond what is already provided?
By secure RDP connections, I meant trying to make the RDS host more secure by having a gateway service on the edge, separate from the RDS host. As far as I know, Guacamole can only accomplish this if you're using Guacamole for the web client. If you want to use the native Windows RDP client, RD Gateway would still have to be deployed in order to still have the same level of separation.
-
@flaxking said in Is RD Gateway useful?:
@travisdh1 said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.
This is a very confusing statement to me. RDP connections include a VPN tunnel, and any web based SSL/TLS is just an on-demand VPN tunnel. So where do you need additional security beyond what is already provided?
By secure RDP connections, I meant trying to make the RDS host more secure by having a gateway service on the edge, separate from the RDS host. As far as I know, Guacamole can only accomplish this if you're using Guacamole for the web client. If you want to use the native Windows RDP client, RD Gateway would still have to be deployed in order to still have the same level of separation.
Guacamole IS a web client. You wouldn't deploy it otherwise. If your client wants to pay for the additional licensing even after having it explained that it enables nothing more than the alternative, then let them foot the bill and be done with it. It really is that simple.
-
@flaxking said in Is RD Gateway useful?:
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our client's individual AD? (their AD specific for our application in this hosted environment)
Can't do that with MS products. Licensing doesn't allow that.
Can't do it? Or just can't do it without additional licensing costs?
Either way it's a good point. Licensing was not in my initial consideration, and it probably makes this idea impractical, since cost is a concern.
Can't do it, that shared model is not licensable from MS.
-
@flaxking said in Is RD Gateway useful?:
Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.
Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.
-
@scottalanmiller said in Is RD Gateway useful?:
@bbigford said in Is RD Gateway useful?:
"I would be looking into Guacamole, but no one has requested a web client." -What does that have to do with anything? Do you want to use Guacamole, or Windows Server RDS? Now is the time you should pick one.
Guac is a front end to RDS. It's not one or the other.
Ah, I thought it could be stand alone. My mistake then.
-
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.
Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.
If using Windows' RDP client in addition to Guacamole is still a requirement
-
@flaxking said in Is RD Gateway useful?:
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.
Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.
If using Windows' RDP client in addition to Guacamole is still a requirement
Not even possible. Guacamole = web page, not RDP. That's what it is.