Whitepaper: Remote Vendor Monitoring www.observeit-sys.com
remote access deployment, in which all remote connections go through one or more terminal or Citrix gateway servers. All vendors and remote administrators will initiate a remote desktop RDP/ICA session to these servers, where they will be authenticated and, if authorized, granted access to either the entire desktop or a subset of published applications that are to be used for management purposes.

The first component of such a solution is the actual remote access mechanism. Here, we have a few options to consider. The decision on what remote access solution to choose is closely related to security concerns, corporate policy, budget and number of concurrent connections.

Using regular RDP connections from the external world through your corporate Firewall is probably the easiest option to deploy. However, it is also the least secure method when compared to the other options. RDP packets travel across the Internet as regular packets, and unless the built-in encryption capabilities of Terminal Server are also employed, this will not provide adequate security for the connection. Furthermore, unless some sort of remote access control mechanism is used (such as a Firewall that has authentication capabilities), the only barrier that will prevent a malicious user from entering the network is the Terminal Server Windows Authentication prompt.
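Whether the built-in encryption of Terminal Server is actually employed can be checked on the server itself. The following PowerShell is an added example, not part of the original whitepaper: it reads the RDP-Tcp listener settings from the registry and reports weak values. The function names are hypothetical, and the sample values used when no listener key is found are constructed.

```powershell
# Added example (not from the whitepaper): flag weak RDP listener settings.
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$valueNames  = 'MinEncryptionLevel', 'SecurityLayer', 'UserAuthentication'

# Hypothetical helper: collect the effective values for the listener.
function Get-RdpListenerSettings {
    $listener = Get-ItemProperty -Path $listenerKey -ErrorAction Stop
    $policy   = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $result   = @{}
    foreach ($name in $valueNames) {
        # A Group Policy value, when present, overrides the listener's own value.
        if ($policy -and $null -ne $policy.$name) { $result[$name] = $policy.$name }
        else { $result[$name] = $listener.$name }
    }
    $result
}

# Hypothetical helper: return one finding per weak setting.
function Test-RdpListenerSettings {
    param([Parameter(Mandatory = $true)] $Settings)

    $findings = @()
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
    if ([int]$Settings.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($Settings.MinEncryptionLevel): raise to 3 (High) or 4 (FIPS Compliant)"
    }
    # SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS)
    if ([int]$Settings.SecurityLayer -lt 2) {
        $findings += "SecurityLayer=$($Settings.SecurityLayer): require 2 (SSL/TLS) so the server is authenticated"
    }
    # UserAuthentication: 1 = Network Level Authentication required (Windows Server 2008 and later)
    if ([int]$Settings.UserAuthentication -ne 1) {
        $findings += "UserAuthentication=$($Settings.UserAuthentication): logon prompt is reachable before authentication"
    }
    $findings
}

if (Test-Path $listenerKey) {
    $settings = Get-RdpListenerSettings
} else {
    # Constructed sample values, used when the script is not run on a Terminal Server.
    $settings = @{ MinEncryptionLevel = 2; SecurityLayer = 1; UserAuthentication = 0 }
}

Test-RdpListenerSettings -Settings $settings
```

An empty result means none of the three checks fired; it does not replace placing a VPN or gateway in front of the server.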
Securing the Remote Access Sessions
In order to add an additional layer of security to such connections, we will need to deploy some sort of remote access solution prior to the actual connection to the Terminal Server itself. Options for securing remote access include:

- IPSec, L2TP or PPTP-based VPN connections through Microsoft Windows Server 2003/2008 RRAS, by using Microsoft ISA Server, or by using leading 3rd-party solutions from vendors such as Cisco and Checkpoint
- SSL VPN connections by using appliances such as Juniper SSL VPN, Cisco SSL VPN, Check Point Connectra and others, or by using Microsoft Windows Server 2008 SSTP
- Microsoft Windows Server 2008 TS Gateway connections

The benefits of using VPN-type remote access include the fact that the connection is strongly encrypted, adding extra security encapsulation to each packet. VPN protects against unauthorized access because, prior to gaining access to the actual remote management gateway, users are forced to authenticate themselves with their credentials or token, and only then will they be granted access to the gateway. On the other side, in most VPN products, an additional cost is