Terminal Services and Remote Access

December 14th, 2008, Austin Maliszewski

This weekend, I was browsing the web and I came across an interesting MSIT Whitepaper on using Terminal Services for remote access and new components of Windows Server 2008 Terminal Services. In TS2008, Microsoft developed really neat new features which make Terminal Services a viable solution for remote access. In fact, I think these new services make TS far more attractive than an ordinary VPN; it’s significantly more secure, too.

As part of Server 2008, Microsoft built new TS components. First, I want to start with TS Gateway. TS Gateway allows you to send RDP traffic over HTTPS. A TS Gateway server relays the RDP traffic to its destination inside the network. This is really neat; you don’t have to poke a billion holes in your firewall to have remote access to your computers nor do you need to establish a full VPN connection.

However, it gets better… There’s another component, TS RemoteApp, which allows you to encapsulate applications in Terminal Services. That is, you can send an app without the background environment over TS. It appears as a window on the client computer without a second Explorer interface, etc. In fact, it will match the client’s theme if you install the Desktop Experience plugin on the server. That’s incredibly cool because then you can have apps that people can access from home without having to wait for them to load over a VPN connection, which is generally pretty slow, given the speed of most people’s DSL. Even better is that you save bandwidth because TS uses less bandwidth than transferring whatever application.

This has some amazing security benefits. One, it takes the security of the client PC mostly out of the picture. You don’t really have to worry about an infected client because the scope of potential damage is significantly reduced; i.e., the infected client does not become part of the network through VPN, so its avenues of infection are significantly limited. This also has major confidentiality benefits. If you have confidential information that you need protected, that stays on the server this way. Employees/volunteers can access the files from home, but you’re free to lock them to the terminal server. They no longer would be copied to someone’s home PC for editing, etc.
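The following is an added example, not part of the original post: a small Python audit of an `.rdp` connection file that flags settings which undercut the two benefits described above (traffic relayed through TS Gateway, and files staying on the terminal server). The sample file contents, host names and the choice of which settings count as findings are constructed assumptions.

```python
# Added example: flag .rdp settings that weaken the TS Gateway model.
# Host names and file contents are constructed for illustration.
SAMPLE_RDP = """\
full address:s:ts01.corp.example
gatewayhostname:s:tsgw.example.com
gatewayusagemethod:i:2
remoteapplicationmode:i:1
redirectclipboard:i:1
drivestoredirect:s:*
redirectprinters:i:0
"""

def parse_rdp(text):
    """Parse 'name:type:value' lines, where type is i (int) or s (string)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)   # value may itself contain ':'
        if len(parts) != 3 or parts[1] not in ("i", "s"):
            continue                          # blank or malformed line
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue                      # integer field with bad value
        settings[name.lower()] = value
    return settings

def audit_rdp(text):
    """Return findings for explicitly set values only; client defaults
    for absent settings are not evaluated here."""
    s = parse_rdp(text)
    findings = []
    if not s.get("gatewayhostname"):
        findings.append("no gateway host set")
    elif s.get("gatewayusagemethod") != 1:    # 1 = always use the gateway
        findings.append("gateway not forced for every connection")
    if s.get("redirectclipboard") == 1:
        findings.append("clipboard redirection enabled")
    if s.get("drivestoredirect"):             # '*' = all local drives
        findings.append("local drive redirection enabled")
    if s.get("redirectprinters") == 1:
        findings.append("printer redirection enabled")
    return findings

if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_RDP):
        print("FINDING:", finding)
```

An `.rdp` file only records what the client asks for, so a check like this is for reviewing distributed connection files; the actual restriction on redirection has to be enforced by policy on the server side.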

This can also integrate with some new rights management features of Active Directory. It also is fully integrated with AD DS. Users log on to the server using their AD username and password. Permissions are managed by AD and group policy, etc. It also integrates with AD CS and Rights Management.

It also will relay RDP traffic to properly configured workstations. That is, an end user could connect securely, through TS Gateway, to the PC on his or her desk and work as if he or she were sitting at his or her desk. There’s no need to make a VPN connection, nor to expose the network to potential viruses on the end user’s home PC; the user can work seamlessly with RemoteApp or by RDPing into his or her desk PC.

To tie this all together, there’s another component, TS Web Access, which provides access to all these resources in a nice, easy-to-use web interface. You log on to the ASP.NET app that is TS Web Access with your AD username and password, and you have access to all your RemoteApp apps, your desk PC, (server manager, if you’re an admin), etc.

All in all, I need a little more time to play with this before I try implementing it, but it definitely looks promising as a way of controlling access to enterprise resources but still allowing end users to work from home. Way to go Microsoft!