Securing Windows Server RDS with ZeroTier
-
The caveat to this though, is that you either have to install ZT on every endpoint device (all servers and workstations/laptops) or create separate zones (I need a more correct word because of the implications of the term zone) that allows DNS to not have issues on the internal network.
-
@Dashrender said in Securing Windows Server RDS with ZeroTier:
The caveat to this though, is that you either have to install ZT on every endpoint device (all servers and workstations/laptops) or create separate zones (I need a more correct word because of the implications of the term zone) that allows DNS to not have issues on the internal network.
Actually you don't, in this case. The ZT can be used only between the "thin clients" and the RDS server.
-
@scottalanmiller And connects via IP address.
-
@dafyre said in Securing Windows Server RDS with ZeroTier:
@scottalanmiller And connects via IP address.
exactly!
If you have thin clients on the local network and they use DNS to connect, the Thin Clients will have issues if they try to connect to the ZT address that could easily be provided by the DNS servers.
-
@Dashrender said in Securing Windows Server RDS with ZeroTier:
@dafyre said in Securing Windows Server RDS with ZeroTier:
@scottalanmiller And connects via IP address.
exactly!
If you have thin clients on the local network and they use DNS to connect, the Thin Clients will have issues if they try to connect to the ZT address that could easily be provided by the DNS servers.
This is one of those scenarios where you have to decide if you want to go through that kind of hassle... or if it would be easier to configure the thin clients just to connect to a ZT IP address and be done.
-
@dafyre said in Securing Windows Server RDS with ZeroTier:
@Dashrender said in Securing Windows Server RDS with ZeroTier:
@dafyre said in Securing Windows Server RDS with ZeroTier:
@scottalanmiller And connects via IP address.
exactly!
If you have thin clients on the local network and they use DNS to connect, the Thin Clients will have issues if they try to connect to the ZT address that could easily be provided by the DNS servers.
This is one of those scenarios where you have to decide if you want to go through that kind of hassle... or if it would be easier to configure the thin clients just to connect to a ZT IP address and be done.
You mean create a ZT gateway and have the TC connect to that? Why would you bother assuming the TCs are local to the server? Of course if the TC are remote, then you're probably really running from a PC of some sort and you just have ZT installed there.
-
@Dashrender said in Securing Windows Server RDS with ZeroTier:
@dafyre said in Securing Windows Server RDS with ZeroTier:
@Dashrender said in Securing Windows Server RDS with ZeroTier:
@dafyre said in Securing Windows Server RDS with ZeroTier:
@scottalanmiller And connects via IP address.
exactly!
If you have thin clients on the local network and they use DNS to connect, the Thin Clients will have issues if they try to connect to the ZT address that could easily be provided by the DNS servers.
This is one of those scenarios where you have to decide if you want to go through that kind of hassle... or if it would be easier to configure the thin clients just to connect to a ZT IP address and be done.
You mean create a ZT gateway and have the TC connect to that? Why would you bother assuming the TCs are local to the server? Of course if the TC are remote, then you're probably really running from a PC of some sort and you just have ZT installed there.
Not use the ZT Gateway... I think @scottalanmiller is just thinking of installing ZT on the RDS Server, and ZT on the clients that need to access it... Then instead of setting up DNS and all of that, just telling the clients to connect to the ZT IP of the RDS server.
-
@dafyre said in Securing Windows Server RDS with ZeroTier:
@Dashrender said in Securing Windows Server RDS with ZeroTier:
@dafyre said in Securing Windows Server RDS with ZeroTier:
@Dashrender said in Securing Windows Server RDS with ZeroTier:
@dafyre said in Securing Windows Server RDS with ZeroTier:
@scottalanmiller And connects via IP address.
exactly!
If you have thin clients on the local network and they use DNS to connect, the Thin Clients will have issues if they try to connect to the ZT address that could easily be provided by the DNS servers.
This is one of those scenarios where you have to decide if you want to go through that kind of hassle... or if it would be easier to configure the thin clients just to connect to a ZT IP address and be done.
You mean create a ZT gateway and have the TC connect to that? Why would you bother assuming the TCs are local to the server? Of course if the TC are remote, then you're probably really running from a PC of some sort and you just have ZT installed there.
Not use the ZT Gateway... I think @scottalanmiller is just thinking of installing ZT on the RDS Server, and ZT on the clients that need to access it... Then instead of setting up DNS and all of that, just telling the clients to connect to the ZT IP of the RDS server.
Exactly. Or an entry in the /etc/hosts file. Or you can even make a public entry for it with a private IP address. Lots of options.
-
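The approach in the posts above (point ZT-connected clients at the RDS server's ZeroTier address, and pin it with a hosts entry instead of touching the internal DNS) can be scripted. The following is an added example, not code from ZeroTier or from any poster in this thread; the hostname rds.example.internal, the ZeroTier-managed range 10.147.17.0/24 and the LAN range 192.168.1.0/24 are constructed values for the example. It makes the split-horizon decision per client (a client with no address in the ZT range is LAN-only and must keep using the LAN address, which is exactly the thin-client problem raised earlier) and rewrites the hosts file idempotently so the entry can be re-applied when the RDS server's ZT address changes.

```python
"""Pick the address an RDP client should dial and pin it in the hosts file.

Added example for the thread above; not ZeroTier's code or any poster's.
All names and ranges below are constructed for the example.
"""
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
RDS_HOSTNAME = "rds.example.internal"
ZT_NETWORK = ipaddress.ip_network("10.147.17.0/24")   # ZeroTier managed range
ZT_RDS_IP = "10.147.17.20"                             # RDS server's ZT address
LAN_RDS_IP = "192.168.1.20"                            # RDS server's LAN address


def choose_rds_address(client_addresses, zt_network=ZT_NETWORK,
                       zt_rds_ip=ZT_RDS_IP, lan_rds_ip=LAN_RDS_IP):
    """Return the address this client should use for RDP (TCP 3389).

    A client holding an address inside the ZeroTier range is joined to the
    ZT network and should use the RDS server's ZT address. A LAN-only thin
    client has no route to the ZT range, so handing it the ZT address (as a
    single DNS record would) breaks its connection; it keeps the LAN address.
    """
    on_zt = any(ipaddress.ip_address(a) in zt_network for a in client_addresses)
    return zt_rds_ip if on_zt else lan_rds_ip


def update_hosts_entry(hosts_text, hostname, ip):
    """Return hosts-file text containing exactly one mapping hostname -> ip.

    Any existing line that names hostname is dropped first, so re-running
    after the server's ZT address changes leaves no stale entry behind.
    Comments and entries for other names are preserved unchanged.
    """
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    kept = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # ignore trailing comments
        if len(fields) >= 2 and hostname in fields[1:]:
            continue  # stale mapping for this hostname; replace it below
        kept.append(line)
    kept.append(f"{ip}\t{hostname}\t# pinned RDS address via ZeroTier")
    return "\n".join(kept) + "\n"


def resolve_from_hosts(hosts_text, hostname):
    """Return the address a client would get for hostname from this hosts
    text, or None if no entry exists (it would then fall through to DNS)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and hostname in fields[1:]:
            return fields[0]
    return None


if __name__ == "__main__":
    # Constructed hosts file with a stale ZT entry for the RDS server.
    sample_hosts = (
        "127.0.0.1\tlocalhost\n"
        "# internal services\n"
        "10.147.17.99\trds.example.internal\n"
    )
    # A laptop on ZT plus LAN, and a LAN-only thin client.
    for client in (["192.168.1.50", "10.147.17.77"], ["192.168.1.60"]):
        target = choose_rds_address(client)
        print(f"client {client} -> RDP to {target}")
    updated = update_hosts_entry(sample_hosts, RDS_HOSTNAME, ZT_RDS_IP)
    print(updated)
    print("resolves to", resolve_from_hosts(updated, RDS_HOSTNAME))
```

On a Windows client the same `update_hosts_entry` output would be written to `C:\Windows\System32\drivers\etc\hosts` (with administrator rights); on Linux or macOS to `/etc/hosts`. Only clients that actually hold a ZT address should receive the ZT mapping, which is why the address choice is made per client rather than by one DNS record for everyone.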
@Dashrender said in Securing Windows Server RDS with ZeroTier:
@dafyre said in Securing Windows Server RDS with ZeroTier:
@Dashrender said in Securing Windows Server RDS with ZeroTier:
@dafyre said in Securing Windows Server RDS with ZeroTier:
@scottalanmiller And connects via IP address.
exactly!
If you have thin clients on the local network and they use DNS to connect, the Thin Clients will have issues if they try to connect to the ZT address that could easily be provided by the DNS servers.
This is one of those scenarios where you have to decide if you want to go through that kind of hassle... or if it would be easier to configure the thin clients just to connect to a ZT IP address and be done.
You mean create a ZT gateway and have the TC connect to that? Why would you bother assuming the TCs are local to the server? Of course if the TC are remote, then you're probably really running from a PC of some sort and you just have ZT installed there.
No, nothing more than what is described. RDS cuts off the VPN side, it's a gateway of sorts. It's where you can break the VPN if you want.
-
@scottalanmiller said
ZeroTier is one of the easiest and most effective means of securing RDS systems for a wide variety of deployment scenarios.
But not ready for deployment....yet.
Had lots of very hit and miss reliability issues with connecting to machines over RDP. Sometimes it works, sometimes it does not and the portal shows all machines as online and working every time.
-
@Dashrender, there are no DNS issues with something like this. You are conflating ZeroTier issues that occur when you put ZeroTier on a Windows Domain Controller with a simple VPN work around.
-
@Breffni-Potter said in Securing Windows Server RDS with ZeroTier:
@scottalanmiller said
ZeroTier is one of the easiest and most effective means of securing RDS systems for a wide variety of deployment scenarios.
But not ready for deployment....yet.
Had lots of very hit and miss reliability issues with connecting to machines over RDP. Sometimes it works, sometimes it does not and the portal shows all machines as online and working every time.
I've not seen any issues with RDP yet. What client versions were you running? Did you determine what was causing the issues? I've yet to see any networking blips with ZT.
-
@scottalanmiller said
I've not seen any issues with RDP yet. What client versions were you running? Did you determine what was causing the issues? I've yet to see any networking blips with ZT.
Latest client versions (though we did get the whole network wiped out when ZT upgraded the controller without email alerts, so all devices lost connection a few weeks ago as the installed agents were too old....)
Nope, issue still unresolved. A feature request was for some kind of troubleshooting or error alerts in the client. Even pings were not working so it's not just an RDP related problem.
-
I had some weirdness with ZT this week. Wonder if it is similarly related.
-
I've not seen any weirdness, and I've still got some clients that are running 1.0.4.
-
Only the other night for me and it was all on one project so I'm not sure what it was, yet.