Is RD Gateway useful?



  • I know we've talked about RDP security before, but I'm bringing it up again.

    Is there a use case for RD Gateway in a single RDS server setup? (assuming we don't want to use the html5 web client) In this scenario it would be installed on the same server.

    To me it seems like it would only really be useful if it was on the edge separate from the RDS host server. RDP can already be configured to only use TLS (though it looks like TLS 1.0 is the highest it uses).

    Or am I missing something here? Is there something else that makes RD Gateway inherently more secure? I'm not too interested in the additional resource access configurations.



  • @flaxking said in Is RD Gateway useful?:

    I know we've talked about RDP security before, but I'm bringing it up again.

    Is there a use case for RD Gateway in a single RDS server setup? (assuming we don't want to use the html5 web client) In this scenario it would be installed on the same server.

    To me it seems like it would only really be useful if it was on the edge separate from the RDS host server. RDP can already be configured to only use TLS (though it looks like TLS 1.0 is the highest it uses).

    Or am I missing something here? Is there something else that makes RD Gateway inherently more secure? I'm not too interested in the additional resource access configurations.

    Are you going to use it externally and configure your registrar to use something like remote.domain.com? If not then there is no purpose for it in your case. If you are, then it would give you better security if you did place it at the edge.



  • @bbigford said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    I know we've talked about RDP security before, but I'm bringing it up again.

    Is there a use case for RD Gateway in a single RDS server setup? (assuming we don't want to use the html5 web client) In this scenario it would be installed on the same server.

    To me it seems like it would only really be useful if it was on the edge separate from the RDS host server. RDP can already be configured to only use TLS (though it looks like TLS 1.0 is the highest it uses).

    Or am I missing something here? Is there something else that makes RD Gateway inherently more secure? I'm not too interested in the additional resource access configurations.

    Are you going to use it externally and configure your registrar to use something like remote.domain.com? If not then there is no purpose for it in your case. If you are, then it would give you better security if you did place it at the edge.

    Yes. Basically we want to host our application for some of our clients. We have a hosting partner that has been figuring out the details for our clients, but our clients have been requesting things outside of their experience so it has come back to us to figure out some of the implementation details.

    So the networks will basically be an RDS server and a database server (not actually sure where they put AD). I'm trying to figure out the smoothest setup for our clients with the lowest cost.

    I would be looking into Guacamole, but no one has requested a web client. But presumably, our partner will be using Datacenter, so maybe an additional Windows Server for RD Gateway wouldn't be the cost increase for our clients that I would expect.

    However, I simply don't have a grasp on what additional security it is going to provide. I assume it is going to sit at the same place on our hosting partner as the RDS server, just now the RDS host won't have a port exposed, the Gateway will. And if it was on the same server, what's the difference between the gateway port being exposed or the RDP port?

    I mean, if it actually sat on edge infrastructure, I see the use. But otherwise, what's the point?



  • @flaxking said in Is RD Gateway useful?:

    @bbigford said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    I know we've talked about RDP security before, but I'm bringing it up again.

    Is there a use case for RD Gateway in a single RDS server setup? (assuming we don't want to use the html5 web client) In this scenario it would be installed on the same server.

    To me it seems like it would only really be useful if it was on the edge separate from the RDS host server. RDP can already be configured to only use TLS (though it looks like TLS 1.0 is the highest it uses).

    Or am I missing something here? Is there something else that makes RD Gateway inherently more secure? I'm not too interested in the additional resource access configurations.

    Are you going to use it externally and configure your registrar to use something like remote.domain.com? If not then there is no purpose for it in your case. If you are, then it would give you better security if you did place it at the edge.

    Yes. Basically we want to host our application for some of our clients. We have a hosting partner that has been figuring out the details for our clients, but our clients have been requesting things outside of their experience so it has come back to us to figure out some of the implementation details.

    So the networks will basically be an RDS server and a database server (not actually sure where they put AD). I'm trying to figure out the smoothest setup for our clients with the lowest cost.

    I would be looking into Guacamole, but no one has requested a web client. But presumably, our partner will be using Datacenter, so maybe an additional Windows Server for RD Gateway wouldn't be the cost increase for our clients that I would expect.

    However, I simply don't have a grasp on what additional security it is going to provide. I assume it is going to sit at the same place on our hosting partner as the RDS server, just now the RDS host won't have a port exposed, the Gateway will. And if it was on the same server, what's the difference between the gateway port being exposed or the RDP port?

    I mean, if it actually sat on edge infrastructure, I see the use. But otherwise, what's the point?

    Honestly, you're all over the place.

    You have some questions that need to be answered.

    "I mean, if it actually sat on edge infrastructure, I see the use. But otherwise, what's the point?" -Security, as a proxy. That's the point. You're planning on exposing this to the outside; I would argue you absolutely need a gateway.

    "However, I simply don't have a grasp on what additional security it is going to provide." -It's acting as a proxy, basically, that's the additional security.

    "I would be looking into Guacamole, but no one has requested a web client." -What does that have to do with anything? Do you want to use Guacamole, or Windows Server RDS? Now is the time you should pick one.

    "But presumably, our partner will be using Datacenter, so maybe an additional Windows Server for RD Gateway wouldn't be the cost increase for our clients that I would expect." -Are you concerned with cost, or functionality? Getting lost in this area as you had randomly thrown in Guacamole so I can't tell if you're going for cost or functionality as the bottom line because both have their strengths. What are you more familiar with, Linux or Windows Server?



  • @bbigford said in Is RD Gateway useful?:

    -Are you concerned with cost, or functionality? Getting lost in this area as you had randomly thrown in Guacamole so I can't tell if you're going for cost or functionality as the bottom line because both have their strengths. What are you more familiar with, Linux or Windows Server?

    Let's just forget I mentioned Guacamole, as it doesn't completely meet our needs. What we're looking for is a good balance of cost and security.



  • @bbigford said in Is RD Gateway useful?:

    -It's acting as a proxy, basically, that's the additional security.

    What I'm looking for is more examples of concrete benefits of using RD Gateway as the proxy. For example:

    RDP exposes login for root permissions, using RD Gateway means that one isn't providing that opportunity to the outside world via the directly exposed protocol. And if the RD Gateway is on a separate server, root login to that server doesn't have to be accessible at all to the outside world.

    When putting RD Gateway on a separate system, it can then go into the DMZ, leaving the RD Host on a more secure network. However, if it is a real DMZ then authentication needs to be figured out.

    Using HTTPS for RDP means there are more tools that can be put in front of RD Gateway for additional security.



  • I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our client's individual AD? (their AD specific for our application in this hosted environment)



  • @bbigford said in Is RD Gateway useful?:

    "I would be looking into Guacamole, but no one has requested a web client." -What does that have to do with anything? Do you want to use Guacamole, or Windows Server RDS? Now is the time you should pick one.

    Guac is a front end to RDS. It's not one or the other.



  • @flaxking said in Is RD Gateway useful?:

    I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our client's individual AD? (their AD specific for our application in this hosted environment)

    Can't do that with MS products. Licensing doesn't allow that.



  • @flaxking said in Is RD Gateway useful?:

    @bbigford said in Is RD Gateway useful?:

    -Are you concerned with cost, or functionality? Getting lost in this area as you had randomly thrown in Guacamole so I can't tell if you're going for cost or functionality as the bottom line because both have their strengths. What are you more familiar with, Linux or Windows Server?

    Let's just forget I mentioned Guacamole, as it doesn't completely meet our needs. What we're looking for is a good balance of cost and security.

    It's free and brings the same kind of security, why rule it out?



  • @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our client's individual AD? (their AD specific for our application in this hosted environment)

    Can't do that with MS products. Licensing doesn't allow that.

    Can't do it? Or just can't do it without additional licensing costs?

    Either way it's a good point. Licensing was not in my initial consideration, and it probably makes this idea impractical, since cost is a concern.



  • @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    @bbigford said in Is RD Gateway useful?:

    -Are you concerned with cost, or functionality? Getting lost in this area as you had randomly thrown in Guacamole so I can't tell if you're going for cost or functionality as the bottom line because both have their strengths. What are you more familiar with, Linux or Windows Server?

    Let's just forget I mentioned Guacamole, as it doesn't completely meet our needs. What we're looking for is a good balance of cost and security.

    It's free and brings the same kind of security, why rule it out?

    Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    Although if we do have a cheaper option available that's using Guacamole, then it's easy to make it clear to the client that their specific demands are increasing the cost.



  • @flaxking said in Is RD Gateway useful?:

    So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    This is a very confusing statement to me. RDP connections include a VPN tunnel, and any web based SSL/TLS is just an on-demand VPN tunnel. So where do you need additional security beyond what is already provided?



  • @travisdh1 said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    This is a very confusing statement to me. RDP connections include a VPN tunnel, and any web based SSL/TLS is just an on-demand VPN tunnel. So where do you need additional security beyond what is already provided?

    By secure rdp connections, I meant try to make the rds host more secure by having a gateway service on the edge, separate from the RDS host. As far as I know, Guacamole can only accomplish this if you're using Guacamole for the web client. If you want to use the native Windows RDP client, RD Gateway would still have to be deployed in order to still have the same level of separation.



  • @flaxking said in Is RD Gateway useful?:

    @travisdh1 said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    This is a very confusing statement to me. RDP connections include a VPN tunnel, and any web based SSL/TLS is just an on-demand VPN tunnel. So where do you need additional security beyond what is already provided?

    By secure rdp connections, I meant try to make the rds host more secure by having a gateway service on the edge, separate from the RDS host. As far as I know, Guacamole can only accomplish this if you're using Guacamole for the web client. If you want to use the native Windows RDP client, RD Gateway would still have to be deployed in order to still have the same level of separation.

    Guacamole IS a web client. You wouldn't deploy it otherwise. If your client wants to pay for the additional licensing even after having it explained that it enables nothing more than the alternative, then let them foot the bill and be done with it. It really is that simple.



  • @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our client's individual AD? (their AD specific for our application in this hosted environment)

    Can't do that with MS products. Licensing doesn't allow that.

    Can't do it? Or just can't do it without additional licensing costs?

    Either way it's a good point. Licensing was not in my initial consideration, and it probably makes this idea impractical, since cost is a concern.

    Can't do it, that shared model is not licensable from MS.



  • @flaxking said in Is RD Gateway useful?:

    Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.



  • @scottalanmiller said in Is RD Gateway useful?:

    @bbigford said in Is RD Gateway useful?:

    "I would be looking into Guacamole, but no one has requested a web client." -What does that have to do with anything? Do you want to use Guacamole, or Windows Server RDS? Now is the time you should pick one.

    Guac is a front end to RDS. It's not one or the other.

    Ah, I thought it could be stand alone. My mistake then.



  • @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

    If using the Windows RDP client in addition to Guacamole is still a requirement.



  • @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

    If using the Windows RDP client in addition to Guacamole is still a requirement.

    Not even possible. Guacamole = web page, not RDP. That's what it is.



  • @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

    If using the Windows RDP client in addition to Guacamole is still a requirement.

    Not even possible. Guacamole = web page, not RDP. That's what it is.

    Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP.



  • I like RDGateway. I'd set it up -- even if there was only one system behind it. It keeps 3389 off the internet, lol.

    But seriously speaking, it does add some extra features that make it easier to set up more than one server behind it and not have to get fun with the port forwards.



  • @dafyre said in Is RD Gateway useful?:

    I like RDGateway. I'd set it up -- even if there was only one system behind it. It keeps 3389 off the internet, lol.

    But seriously speaking, it does add some extra features that make it easier to set up more than one server behind it and not have to get fun with the port forwards.

    I deployed RDGateway to access 2 systems. One was for the general terminal server. The other was for our ERP partner to access our ERP server for support and configurations.



  • @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

    If using the Windows RDP client in addition to Guacamole is still a requirement.

    Not even possible. Guacamole = web page, not RDP. That's what it is.

    Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP.

    RDP already includes lots of security features, like the integrated VPN I mentioned earlier.

    Guacamole is the only thing exposed to the public network, and that can be secured like any other web service.

    RDP would never be exposed to anything but the private network, and is already secure enough that exposing it to a public network shouldn't be a problem.

    Where do you see the need for additional security?



  • @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

    If using the Windows RDP client in addition to Guacamole is still a requirement.

    Not even possible. Guacamole = web page, not RDP. That's what it is.

    Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP.

    Why can't you just make people use Guac?



  • @travisdh1 said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

    If using the Windows RDP client in addition to Guacamole is still a requirement.

    Not even possible. Guacamole = web page, not RDP. That's what it is.

    Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP.

    RDP already includes lots of security features, like the integrated VPN I mentioned earlier.

    Guacamole is the only thing exposed to the public network, and that can be secured like any other web service.

    RDP would never be exposed to anything but the private network, and is already secure enough that exposing it to a public network shouldn't be a problem.

    Where do you see the need for additional security?

    Let me bring my question back at a different angle. If you were paying for a hosted, fully managed terminal server, what would be your expectations for how it would be secured?

    Personally, I would sleep fine at night with RDP exposed, but with 2-step authentication, and good log monitoring (and enforcing the security built into RDP and Windows authentication). However, maybe that is not enough for a professional solution.
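    As an added illustration of the "good log monitoring" half of that approach (example code, not from this thread or from any product it mentions): a small detector that scans Windows Security log records for failed logons (Event ID 4625) that arrive over RDP and flags source addresses crossing a failure threshold inside a sliding time window. The event records, addresses and usernames are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# Constructed sample records shaped like Windows Security log events exported as
# one JSON object per line. Addresses are documentation ranges; none of this is real data.
SAMPLE_EVENTS = """
{"TimeCreated": "2019-03-04T02:00:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "admin", "IpAddress": "203.0.113.9"}
{"TimeCreated": "2019-03-04T02:10:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "admin", "IpAddress": "203.0.113.9"}
{"TimeCreated": "2019-03-04T02:10:01", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2019-03-04T02:10:20", "EventID": 4625, "LogonType": 3, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2019-03-04T02:10:41", "EventID": 4625, "LogonType": 3, "TargetUserName": "root", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2019-03-04T02:11:03", "EventID": 4625, "LogonType": 3, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2019-03-04T02:11:25", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2019-03-04T02:11:47", "EventID": 4625, "LogonType": 3, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}
{"TimeCreated": "2019-03-04T02:15:00", "EventID": 4625, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "198.51.100.4"}
{"TimeCreated": "2019-03-04T02:16:30", "EventID": 4625, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "198.51.100.4"}
{"TimeCreated": "2019-03-04T02:16:45", "EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "198.51.100.4"}
{"TimeCreated": "2019-03-04T02:20:00", "EventID": 4625, "LogonType": 2, "TargetUserName": "localuser", "IpAddress": "-"}
{"TimeCreated": "2019-03-04T02:20:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "admin", "IpAddress": "203.0.113.9"}
{"TimeCreated": "2019-03-04T02:30:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "admin", "IpAddress": "203.0.113.9"}
{"TimeCreated": "2019-03-04T02:40:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "admin", "IpAddress": "203.0.113.9"}
"""

# Logon type 10 is RemoteInteractive (an RDP session). With Network Level Authentication in
# front of the session, rejected attempts are recorded as logon type 3 (Network) instead,
# so an RDP-focused rule has to watch both. Type 2 (console) is deliberately ignored.
RDP_LOGON_TYPES = {3, 10}


def parse_events(text):
    """Parse one-JSON-object-per-line records into dicts with a datetime TimeCreated."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"count", "usernames", "first", "last"}} for every source address
    that produced at least `threshold` failed RDP logons within any `window`."""
    recent = defaultdict(deque)  # per-source sliding window of failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("EventID") != 4625 or ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        ip = ev.get("IpAddress", "-")
        q = recent[ip]
        q.append(ev)
        # Drop failures that fell out of the window relative to this event.
        while q and ev["TimeCreated"] - q[0]["TimeCreated"] > window:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"count": 0, "usernames": set(),
                                       "first": q[0]["TimeCreated"], "last": None})
            a["count"] = max(a["count"], len(q))
            a["last"] = ev["TimeCreated"]
            a["usernames"].update(e["TargetUserName"] for e in q)
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {ip}: {a['count']} failed RDP logons between {a['first']} and "
              f"{a['last']}, usernames tried: {sorted(a['usernames'])}")
```

    With the defaults only 203.0.113.7 is flagged: 198.51.100.4 stays under the threshold and 203.0.113.9 spreads its failures too thinly for the window to catch them, which is the trade-off to tune against the traffic actually seen.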



  • @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

    If using the Windows RDP client in addition to Guacamole is still a requirement.

    Not even possible. Guacamole = web page, not RDP. That's what it is.

    Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP.

    Why can't you just make people use Guac?

    Really, I think that is the best solution. But this isn't really my project, and trying to take it that direction might be overstepping the line. Plus it would also probably end up making me the one who has to deploy it and maintain it, which isn't really my role right now.



  • @flaxking said in Is RD Gateway useful?:

    @travisdh1 said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

    If using the Windows RDP client in addition to Guacamole is still a requirement.

    Not even possible. Guacamole = web page, not RDP. That's what it is.

    Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP.

    RDP already includes lots of security features, like the integrated VPN I mentioned earlier.

    Guacamole is the only thing exposed to the public network, and that can be secured like any other web service.

    RDP would never be exposed to anything but the private network, and is already secure enough that exposing it to a public network shouldn't be a problem.

    Where do you see the need for additional security?

    Let me bring my question back at a different angle. If you were paying for a hosted, fully managed terminal server, what would be your expectations for how it would be secured?

    I'd only allow connections via HTTPS, HTTP wouldn't even be exposed. Securing things is really that simple. Adding anything else is a business decision.

    You can add on lots of stuff after that however you want, but just HTTPS should be sufficient. Even for PCI/HIPAA/etc.



  • @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    @scottalanmiller said in Is RD Gateway useful?:

    @flaxking said in Is RD Gateway useful?:

    Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

    Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

    If using the Windows RDP client in addition to Guacamole is still a requirement.

    Not even possible. Guacamole = web page, not RDP. That's what it is.

    Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP.

    Why can't you just make people use Guac?

    Really, I think that is the best solution. But this isn't really my project, and trying to take it that direction might be overstepping the line. Plus it would also probably end up making me the one who has to deploy it and maintain it, which isn't really my role right now.

    Then just spend the fortune for RDS Gateways and be done with it.



  • @flaxking said in Is RD Gateway useful?:

    Let me bring my question back at a different angle. If you were paying for a hosted, fully managed terminal server, what would be your expectations for how it would be secured?

    Personally, I would sleep fine at night with RDP exposed, but with 2-step authentication, and good log monitoring (and enforcing the security built into RDP and Windows authentication). However, maybe that is not enough for a professional solution.

    You can add RDPGuard to the RDS server too.

    Although, like @travisdh1 stated, put HTTPS in front and you're all good. I use an SSL-VPN myself.