@scottalanmiller said in Is RD Gateway useful?:

@flaxking said in Is RD Gateway useful?:

@scottalanmiller said in Is RD Gateway useful?:

@flaxking said in Is RD Gateway useful?:

@scottalanmiller said in Is RD Gateway useful?:

@flaxking said in Is RD Gateway useful?:

Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

If using Window's RDP client in addition to Guacamole is still a requirement

Not even possible. Guacamole = web page, not RDP. That's what it is.

Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP

Why can't you just make people use Guac?

Really, I think that is the best solution. But this isn't really my project, and trying to take it that direction might be overstepping the line. Plus it would also probably end up making me the one who has to deploy it and maintain it, which isn't really my role right now.

@travisdh1 said in Is RD Gateway useful?:

@flaxking said in Is RD Gateway useful?:

@scottalanmiller said in Is RD Gateway useful?:

@flaxking said in Is RD Gateway useful?:

@scottalanmiller said in Is RD Gateway useful?:

@flaxking said in Is RD Gateway useful?:

Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

If using Window's RDP client in addition to Guacamole is still a requirement

Not even possible. Guacamole = web page, not RDP. That's what it is.

Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP

RDP already includes lots of security features, like the integrated VPN I mentioned earlier.

Guacamole is the only thing exposed too the public network, and that can be secured like any other web service.

RDP would never be exposed too anything but the private network, and is already secure enough that exposing it to a public network shouldn't be a problem.

Where do you see the need for additional security?

Let me bring my question back at a different angle. If you were paying for a hosted, fully managed terminal server, what would be your expectations for how it would be secured?

Personally, I would sleep fine at night with RDP exposed, but with 2-step authentication, and good log monitoring (and enforcing the security built into RDP and Windows authentication). However, maybe that is not enough for a professional solution.

@scottalanmiller said in Is RD Gateway useful?:

@flaxking said in Is RD Gateway useful?:

@scottalanmiller said in Is RD Gateway useful?:

@flaxking said in Is RD Gateway useful?:

Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

If using Window's RDP client in addition to Guacamole is still a requirement

Not even possible. Guacamole = web page, not RDP. That's what it is.

Right, what I was trying to say there is that I couldn't only use Guacamole and thus would still have the consideration of securing RDP

@scottalanmiller said in Is RD Gateway useful?:

@flaxking said in Is RD Gateway useful?:

Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

Why would you need to secure RDP in addition to Guacamole? Guac doesn't expose RDP.

If using Window's RDP client in addition to Guacamole is still a requirement

@travisdh1 said in Is RD Gateway useful?:

@flaxking said in Is RD Gateway useful?:

So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

This is a very confusing statement to me. RDP connections include a VPN tunnel, and any web based SSL/TLS is just an on-demand VPN tunnel. So where do you need additional security beyond what is already provided?

By secure rdp connections, I meant try to make the rds host more secure by having a gateway service on the edge, separate from the RDS host. As far as I know, Guacamole can only accomplish this if you're using Guacamole for a the web client. If you want to use the native Windows RDP client, RD Gateway would still have to be deployed in order to still have the same level of separation.

@scottalanmiller said in Is RD Gateway useful?:

@flaxking said in Is RD Gateway useful?:

@bbigford said in Is RD Gateway useful?:

-Are you concerned with cost, or functionality? Getting lost in this area as you had randomly thrown in Guacamole so I can't tell if you're going for cost or functionality as the bottom line because both have their strengths. What are you more familiar with, Linux or Windows Server?

Let's just forget I mentioned Guacamole, as it doesn't completely meet our needs. What we're looking for is a good balance of cost and security.

It's free and brings the same kind of security, why rule it out?

Well, some of our clients are familiar with RDP and specifically want to use RDP in the ways they are familiar with. So I don't think it makes sense to go down the Guacamole route, if you also have to secure rdp connections not using a web client.

Although if we do have a cheaper option available that's using Guacamole. Then it's easy to make it clear to the client that their specific demands are increasing the cost.

@scottalanmiller said in Is RD Gateway useful?:

@flaxking said in Is RD Gateway useful?:

I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our client's individual AD? (their AD specific for our application in this hosted environment)

Can't do that with MS products. LIcensing doesn't allow that.

Can't do it? Or just can't do it without additional licencing costs?

Either way it's a good point. Licencing was not in my initial consideration, and it probably makes this idea impractical, since cost is a concern.

I'm wondering if maybe we would be able to devise some kind of RD Gateway that would serve all of our clients? Set up AD specifically for RD Gateway and then somehow set up trust relationships for each of our client's individual AD? (their AD specific for our application in this hosted environment)

@bbigford said in Is RD Gateway useful?:

-It's acting as a proxy, basically, that's the additional security.

What I'm looking for is more examples of concrete benefits of using RD Gateway as the proxy. For example:

RDP exposes login for root permissions, using RD Gateway means that one isn't providing that opportunity to the outside world via the directly exposed protocol. And if the RD Gateway is on a separate server, root login to that server doesn't have to accessible at all to the outside world.

When putting RD Gateway on a separate system, it can then go into the DMZ, leaving the RD Host on a more secure network. However, if it is a real DMZ then authentication needs to be figured out.

Using HTTPS for RDP means there are more tools that can be put in front of RD Gateway for additional security.

@bbigford said in Is RD Gateway useful?:

-Are you concerned with cost, or functionality? Getting lost in this area as you had randomly thrown in Guacamole so I can't tell if you're going for cost or functionality as the bottom line because both have their strengths. What are you more familiar with, Linux or Windows Server?

Let's just forget I mentioned Guacamole, as it doesn't completely meet our needs. What we're looking for is a good balance of cost and security.