Is RD Gateway useful?
-
@bbigford said in Is RD Gateway useful?:
-It's acting as a proxy, basically, that's the additional security.
What I'm looking for is more examples of concrete benefits of using RD Gateway as the proxy. For example:
RDP exposes login for root permissions, using RD Gateway means that one isn't providing that opportunity to the outside world via the directly exposed protocol. And if the RD Gateway is on a separate server, root login to that server doesn't have to be accessible at all to the outside world.
When putting RD Gateway on a separate system, it can then go into the DMZ, leaving the RD Host on a more secure network. However, if it is a real DMZ then authentication needs to be figured out.
Using HTTPS for RDP means there are more tools that can be put in front of RD Gateway for additional security.
-
I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our clients' individual AD? (their AD specific for our application in this hosted environment)
-
@bbigford said in Is RD Gateway useful?:
"I would be looking into Guacamole, but no one has requested a web client." -What does that have to do with anything? Do you want to use Guacamole, or Windows Server RDS? Now is the time you should pick one.
Guac is a front end to RDS. It's not one or the other.
-
@flaxking said in Is RD Gateway useful?:
I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our clients' individual AD? (their AD specific for our application in this hosted environment)
Can't do that with MS products. Licensing doesn't allow that.
-
@flaxking said in Is RD Gateway useful?:
@bbigford said in Is RD Gateway useful?:
-Are you concerned with cost, or functionality? Getting lost in this area as you had randomly thrown in Guacamole so I can't tell if you're going for cost or functionality as the bottom line because both have their strengths. What are you more familiar with, Linux or Windows Server?
Let's just forget I mentioned Guacamole, as it doesn't completely meet our needs. What we're looking for is a good balance of cost and security.
It's free and brings the same kind of security, why rule it out?
-
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our clients' individual AD? (their AD specific for our application in this hosted environment)
Can't do that with MS products. Licensing doesn't allow that.
Can't do it? Or just can't do it without additional licensing costs?
Either way it's a good point. Licensing was not in my initial consideration, and it probably makes this idea impractical, since cost is a concern.
-
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
@bbigford said in Is RD Gateway useful?:
-Are you concerned with cost, or functionality? Getting lost in this area as you had randomly thrown in Guacamole so I can't tell if you're going for cost or functionality as the bottom line because both have their strengths. What are you more familiar with, Linux or Windows Server?
Let's just forget I mentioned Guacamole, as it doesn't completely meet our needs. What we're looking for is a good balance of cost and security.
It's free and brings the same kind of security, why rule it out?
Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure RDP connections not using a web client.
Although if we do have a cheaper option available that's using Guacamole, then it's easy to make it clear to the client that their specific demands are increasing the cost.
-
@flaxking said in Is RD Gateway useful?:
So I don't think it makes sense to go down the Guacamole route, if you also have to secure RDP connections not using a web client.
This is a very confusing statement to me. RDP connections include a VPN tunnel, and any web based SSL/TLS is just an on-demand VPN tunnel. So where do you need additional security beyond what is already provided?
-
@travisdh1 said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
So I don't think it makes sense to go down the Guacamole route, if you also have to secure RDP connections not using a web client.
This is a very confusing statement to me. RDP connections include a VPN tunnel, and any web based SSL/TLS is just an on-demand VPN tunnel. So where do you need additional security beyond what is already provided?
By secure RDP connections, I meant trying to make the RDS host more secure by having a gateway service on the edge, separate from the RDS host. As far as I know, Guacamole can only accomplish this if you're using Guacamole for the web client. If you want to use the native Windows RDP client, RD Gateway would still have to be deployed in order to still have the same level of separation.
-
@flaxking said in Is RD Gateway useful?:
@travisdh1 said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
So I don't think it makes sense to go down the Guacamole route, if you also have to secure RDP connections not using a web client.
This is a very confusing statement to me. RDP connections include a VPN tunnel, and any web based SSL/TLS is just an on-demand VPN tunnel. So where do you need additional security beyond what is already provided?
By secure RDP connections, I meant trying to make the RDS host more secure by having a gateway service on the edge, separate from the RDS host. As far as I know, Guacamole can only accomplish this if you're using Guacamole for the web client. If you want to use the native Windows RDP client, RD Gateway would still have to be deployed in order to still have the same level of separation.
Guacamole IS a web client. You wouldn't deploy it otherwise. If your client wants to pay for the additional licensing even after having it explained that it enables nothing more than the alternative, then let them foot the bill and be done with it. It really is that simple.
-
@flaxking said in Is RD Gateway useful?:
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our clients' individual AD? (their AD specific for our application in this hosted environment)
Can't do that with MS products. Licensing doesn't allow that.
Can't do it? Or just can't do it without additional licensing costs?
Either way it's a good point. Licensing was not in my initial consideration, and it probably makes this idea impractical, since cost is a concern.
Can't do it, that shared model is not licensable from MS.
-
@flaxking said in Is RD Gateway useful?:
Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure RDP connections not using a web client.
Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.
-
@scottalanmiller said in Is RD Gateway useful?:
@bbigford said in Is RD Gateway useful?:
"I would be looking into Guacamole, but no one has requested a web client." -What does that have to do with anything? Do you want to use Guacamole, or Windows Server RDS? Now is the time you should pick one.
Guac is a front end to RDS. It's not one or the other.
Ah, I thought it could be stand alone. My mistake then.
-
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure RDP connections not using a web client.
Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.
If using the Windows RDP client in addition to Guacamole is still a requirement
-
@flaxking said in Is RD Gateway useful?:
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure RDP connections not using a web client.
Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.
If using the Windows RDP client in addition to Guacamole is still a requirement
Not even possible. Guacamole = web page, not RDP. That's what it is.
-
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure RDP connections not using a web client.
Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.
If using the Windows RDP client in addition to Guacamole is still a requirement
Not even possible. Guacamole = web page, not RDP. That's what it is.
Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP
-
I like RDGateway. I'd set it up -- even if there was only one system behind it. It keeps 3389 off the internet, lol.
But seriously speaking, it does add some extra features that make it easier to set up more than one server behind it and not have to get fun with the port forwards.
-
@dafyre said in Is RD Gateway useful?:
I like RDGateway. I'd set it up -- even if there was only one system behind it. It keeps 3389 off the internet, lol.
But seriously speaking, it does add some extra features that make it easier to set up more than one server behind it and not have to get fun with the port forwards.
I deployed RDGateway to access 2 systems. One was for the general terminal server. The other was for our ERP partner to access our ERP server for support and configurations.
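
Added example (not part of the thread and not any poster's code): a small audit of an edge port-forward table, illustrating the point made in the posts above about keeping 3389 off the internet and avoiding one port forward per server. The rule format, addresses, and function names are constructed for illustration, and it assumes the gateway is published on TCP 443.

```python
import re

# Constructed sample: edge port-forward table in a made-up
# "proto ext_port -> host:int_port" format (not a real firewall export).
SAMPLE_FORWARDS = """\
tcp 443  -> 10.0.50.10:443    # RD Gateway in the DMZ
tcp 3389 -> 10.0.10.21:3389   # terminal server, forwarded directly
tcp 3390 -> 10.0.10.22:3389   # ERP server on a remapped external port
tcp 8443 -> 10.0.10.30:8443   # unrelated service
"""

RULE_RE = re.compile(r"^(tcp|udp)\s+(\d+)\s*->\s*([\d.]+):(\d+)")
RDP_PORT = 3389

def parse_forwards(text):
    """Yield (proto, ext_port, host, int_port) for each well-formed rule line."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def audit_forwards(text, gateway_hosts):
    """Classify each forward as 'gateway', 'direct-rdp' or 'review'."""
    findings = []
    for proto, ext, host, port in parse_forwards(text):
        if port == RDP_PORT:
            # A remapped external port (3390, ...) still exposes the RDP listener.
            verdict = "direct-rdp"
        elif host in gateway_hosts and (proto, port) == ("tcp", 443):
            verdict = "gateway"
        else:
            verdict = "review"
        findings.append((ext, f"{host}:{port}", verdict))
    return findings

def rdp_exposed_hosts(text, gateway_hosts):
    """Internal hosts whose RDP listener is reachable from outside."""
    return sorted({target.split(":")[0]
                   for _, target, verdict in audit_forwards(text, gateway_hosts)
                   if verdict == "direct-rdp"})

if __name__ == "__main__":
    for finding in audit_forwards(SAMPLE_FORWARDS, {"10.0.50.10"}):
        print(finding)
```

With a gateway in place, the two `direct-rdp` rules can be removed and both servers reached through the single 443 forward.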
-
@flaxking said in Is RD Gateway useful?:
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure RDP connections not using a web client.
Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.
If using the Windows RDP client in addition to Guacamole is still a requirement
Not even possible. Guacamole = web page, not RDP. That's what it is.
Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP
RDP already includes lots of security features, like the integrated VPN I mentioned earlier.
Guacamole is the only thing exposed to the public network, and that can be secured like any other web service.
RDP would never be exposed to anything but the private network, and is already secure enough that exposing it to a public network shouldn't be a problem.
Where do you see the need for additional security?
-
@flaxking said in Is RD Gateway useful?:
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
@scottalanmiller said in Is RD Gateway useful?:
@flaxking said in Is RD Gateway useful?:
Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure RDP connections not using a web client.
Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.
If using the Windows RDP client in addition to Guacamole is still a requirement
Not even possible. Guacamole = web page, not RDP. That's what it is.
Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP
Why can't you just make people use Guac?