It's Official! Microsoft is Adding an RDP over HTTPS Proxy to Windows

Written on May 31, 2004 by Brian Madden

Note: This article has been updated since it was first published. Originally, I stated that Bear Paw would be part of R2. I said this because Microsoft announced that RDP over HTTP would be part of R2, so I assumed that functionality was part of Bear Paw and that Bear Paw would be part of R2. That assumption was wrong. Officially, Microsoft has not yet chosen a release date for Bear Paw.

At TechEd this week, Microsoft revealed several details of the “R2” update to Windows Server 2003, scheduled to be released sometime next year. R2 is the codename for a massive update to Windows Server 2003 that will include several new features, including branch server deployment, Windows SharePoint Services, and Active Directory Federation Services. R2 will be built on Windows Server 2003 Service Pack 1, which will be released later this year.

One of the new Terminal Services features is the ability for a Windows Server to encapsulate and proxy RDP traffic over HTTPS connections. The RDP over HTTPS proxy is part of what Microsoft calls “Anywhere Access.” Not to be confused with Citrix’s “Access Infrastructure,” Microsoft’s Anywhere Access will allow users to securely access corporate resources over the public Internet without using VPN software.

This capability is already available today for users connecting to Microsoft Exchange 2003 Servers from Outlook 2003 clients. In this case, the Exchange/Outlook connection uses Windows Server 2003’s built-in RPC proxy. Essentially, standard RPC traffic is wrapped in HTTPS at the client. A Windows 2003 IIS server receives the HTTPS packets, pulls out the RPC data, and forwards the packets off to the Exchange server. This allows users to have “full” Outlook RPC-based connectivity using standard SSL-encrypted HTTPS traffic.

For the Anywhere Access component of R2, Microsoft is expanding the RPC proxy’s capabilities so that it can also support SMB file shares and RDP Terminal Server sessions. This will allow users to securely connect to a Terminal Server across the Internet and is a direct threat to Citrix’s MetaFrame Secure Gateway product.
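The wrap-and-unwrap flow described above, as an added example that is neither the article's nor Microsoft's code: a Python model of the client-side HTTP encapsulation and the proxy-side unwrapping, including the target allow-list check a DMZ proxy needs so that it cannot be used as a relay to arbitrary internal hosts. The proxy URL, host names and allow-list are assumptions, and TLS is assumed to terminate in the web server in front of this code.

```python
"""Toy model of the RDP-over-HTTPS proxy flow described above (constructed example).
The client wraps raw RDP bytes in an HTTP POST; the proxy unwraps them and forwards
only to an allowed terminal server. TLS is assumed to terminate in the web server in
front of this code; the URL and allow-list are assumptions, not Microsoft's interface."""

# Constructed allow-list of terminal servers reachable through the proxy. Without
# this check a DMZ proxy becomes a generic relay into the internal network.
ALLOWED_TARGETS = {("ts01.corp.example", 3389), ("ts02.corp.example", 3389)}

# Constructed sample payload: TPKT header + X.224 Connection Request carrying an
# RDP negotiation request, i.e. the first packet an RDP client sends.
SAMPLE_X224_CR = bytes.fromhex("03000013" "0ee00000000000" "0100080003000000")


def wrap_rdp(target_host: str, target_port: int, rdp_bytes: bytes) -> bytes:
    """Client side: encapsulate one RDP packet in a POST to the assumed proxy URL."""
    head = (
        f"POST /rdp/proxy?{target_host}:{target_port} HTTP/1.1\r\n"
        "Host: gateway.example\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(rdp_bytes)}\r\n\r\n"
    )
    return head.encode("ascii") + rdp_bytes


def unwrap_rdp(http_request: bytes) -> tuple[str, int, bytes]:
    """Proxy side: parse the POST, validate the target and return (host, port, rdp).
    Raises ValueError for anything that must be answered with an HTTP error."""
    head, sep, body = http_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP headers")
    lines = head.decode("ascii").split("\r\n")  # non-ASCII also raises ValueError
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "POST":
        raise ValueError("only POST requests are accepted")
    path, _, query = parts[1].partition("?")
    if path != "/rdp/proxy":
        raise ValueError("unknown resource")
    host, _, port_text = query.rpartition(":")
    if not host or not port_text.isdigit():
        raise ValueError("target must be given as host:port")
    target = (host.lower(), int(port_text))
    if target not in ALLOWED_TARGETS:
        raise ValueError(f"{host}:{port_text} is not an allowed terminal server")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    length = int(headers.get("content-length", "-1"))
    if length < 0 or len(body) < length:
        raise ValueError("Content-Length missing or body truncated")
    return target[0], target[1], body[:length]
```

In a real deployment the proxy would also authenticate the user before the allow-list check, which is where the AD-group control discussed in the comments below would apply.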

Similar to Citrix, Microsoft is beginning to ramp up the “solution” messaging, focusing on how an Anywhere Access strategy can allow users to be productive while outside the office from any device (since VPN client software is not needed).



Comments

Guest wrote Oh Dear
on 12-12-2004 1:22 PM
This message was originally posted by Stuart Souter on May 28, 2004
Citrix Secure Gateway is a cool product. If I was Citrix I would be worried about this. The statement "Microsoft’s Anywhere Access will allow users to securely access corporate resources over the public Internet without using VPN software" is pretty much exactly what Citrix say Metaframe Secure Access Manager does. If I was Citrix I would be worried about this too, especially as they are trying to really get people into this product. With excessive licensing costs for MetaFrame XP, their bread and butter....what are Citrix doing to stay cutting edge and ahead of the competition ???
Guest wrote ICA is still unbeatable
on 12-12-2004 1:22 PM
This message was originally posted by Berdt on May 28, 2004
In my opinion the ICA protocol is still superior compared to the RDP protocol.
Guest wrote HTTPS does not compare to SSL VPN solutions
on 12-12-2004 1:22 PM
This message was originally posted by an anonymous visitor on May 28, 2004
Come on - IIS in the DMZ is still a huge problem. No enterprise company who is serious about security would want that. Of course, CSG has the same issue and so by Microsoft adding this feature it does obviate the need for CSG and MSAM; but, not a true secure SSL VPN gateway running on a hardened Linux/Unix box. Citrix needs to beef up their CSG product quickly to accommodate this or their value add for MSAM will go down considerably compared to the new MS solution.
Guest wrote Microsoft will gobble up VPNs
on 12-12-2004 1:22 PM
This message was originally posted by an anonymous visitor on May 28, 2004
This is typical of Microsoft. To wait for a market to be defined, and then take over with force. They are pushing hard into security and access market, and already putting a number of pieces together. Citrix is the immediate target. Then a piece of Checkpoint and Cisco!? As long as they can maintain their hold on user's PC, they can grab a good share of this market.
Guest wrote No Enterprise serious about security huh?
on 12-12-2004 1:22 PM
This message was originally posted by Ron Oglesby on May 28, 2004
I can name TONS. CSG doesn't HAVE to run on Windows (and it doesn't run on IIS, the WI does generally and that doesn't have to either if you want to get picky). In either case I can name a number of Fortune 100 and even Fortune 30 companies that run IIS and CSG in their DMZs. I can name one company in particular that has TONS of them and always has. Of course they are serious about security AND a MS shop. They just take care of business. Like any product IIS can get hacked if you have a know-nothing admin putting it together. But I sure can get into a Linux/Unix box that a know-nothing admin set up too. Now what I think Citrix should do is expand the WI/CSG into web proxying to internal webservers etc. Of course they are doing that now and charging for it (MSAM), but instead of trying to tie it to their own portal they should integrate a security and access product into LOTS of other people's portals with their portal as just one of the options.
Guest wrote WI and CSG are done
on 12-12-2004 1:22 PM
This message was originally posted by an anonymous visitor on May 28, 2004
MSAM and Secure Gateway used WITH MSAM is the product that will be developed further. My guess is that we will see an end-of-life of WI and CSG. Meaning, you have to pay for the upcoming features that will give you Access.
Guest wrote Here is a better source to confirm
on 12-12-2004 1:22 PM
This message was originally posted by an anonymous visitor on May 28, 2004
http://www.winsupersite.com/showcase/muglia_winserver.asp

Scroll down 3/4 of the page and you see Microsoft senior vice president Bob Muglia's statement.
Guest wrote A KISS approach
on 12-12-2004 1:22 PM
This message was originally posted by an anonymous visitor on May 29, 2004
If all you need is to give access to incoming RDP, why not SSH (with RSA) and port forwarding? All it takes is a 5-minute install of Cygwin (openssh package) plus a custom BAT script on the clients, and generating those RSA keys. This has the same crypto strength, if not greater, than most typical VPN solutions, with the only disadvantage that it will work just for a few TCP ports (go IPSec if you need the full IP enchilada).


Gosh, I think I should re-package this in a shiny box and sell it for $$$.
Guest wrote SSH is great, BUT
on 12-12-2004 1:22 PM
This message was originally posted by Berdt on May 31, 2004
SSH is great, I am using it myself to log on in a secure manner by tunneling RDP connections. But SSH isn't user-friendly enough. Besides that, SSH tunneling through proxy servers isn't always possible.
Guest wrote None of this is too good unless Microsoft improves Active Directory
on 12-12-2004 1:22 PM
This message was originally posted by Mark Dutton on June 4, 2004
I may be wrong here, but I am pretty sure there is no way to limit access to user access to a Microsoft network based on internal / external access other than via a dialin access tick box. This is a problem. What of a company that wants to allow remote access to some users, but not others, regardless of time? The advantage of a VPN is that it can be used to allow authentication to a subset of users on a domain. We use VPN access to allow management to access the corporate network while leaving normal users locked out. I have no experience with the Citrix gateway products, but I am sure there is no mechanism in Windows to create a security group based on the physical connection type. Maybe ISA can control this, but I find this to be a pig's ear piece of software and I prefer to do all my firewalling, VPN, proxy, etc with appliance based products, which probably means sticking to good old PPTP logons.
Guest wrote Lots of FUD, Lack of detail!!!!
on 12-12-2004 1:22 PM
This message was originally posted by an anonymous visitor on June 5, 2004
Questions, questions. Will this support complex DMZ configurations? Is this enterprise ready? Is IIS trusted in the majority of companies DMZs? Is there a capability to display 'Published Applications' through an NFuse/Web Interface style web page? Or is this functionality limited to an RDP desktop? Can we use a Java Client with this technology? Will Citrix bring out a Linux version of Secure Gateway to kill this stone dead? These are some questions. I have all sorts of other security questions that I won't bore you with. :)
My opinion is that this may gnaw at the heels of Citrix business, but isn't Terminal Services doing that already? I won't dump citrix on the strength of what MS claims. Usually these kinds of 'features' (remember MS Load Balancing?) have never lived up to expectations.
Guest wrote Group-Based Access
on 12-12-2004 1:22 PM
This message was originally posted by Brian Madden on June 5, 2004
I can't answer many of the questions, but I can let you know that you will be able to control access to this RDP over HTTPS proxy via AD groups. I say this because this is the same proxy that's currently used for RPC over HTTP, which is based on IIS. Therefore, you could apply group permissions to the IIS virtual server itself to specify who has access.
Guest wrote SSH is fine, but CygWin is architecturally insecure
on 12-12-2004 1:22 PM
This message was originally posted by an anonymous visitor on June 13, 2004
Tunnelling RDP over SSH is fine, but CygWin's architecture, if it can be called that, is a joke, and about as secure as Windows 95. If your system has more than one user, and you care about security, CygWin is useless. Fortunately, there are alternatives, like WinSSHD from BitVise (which is reasonably cheap), or OpenSSH on the Interix subsystem in MS Services for UNIX 3.5 (which is free).
Guest wrote Microsoft has its hands in everything
on 12-12-2004 1:31 PM
This message was originally posted by an anonymous visitor on August 4, 2004
They are very good at getting halfway into something, but not being the leader in it. A perfect example is their wireless router stuff. Built one, then quit the industry. They will always be an Operating System company, meaning Desktop OS and Server OS. Whether we want to admit it or not, they do it well. The rest they just dabble in. After the nightmare of TS Licensing in Windows 2003...I don't trust that Microsoft will all of a sudden figure it out. Citrix is in a much better position to quickly change how they do things than Microsoft. They are a much smaller company and quicker to react to changes in the world. At this point, they would have to really knock my socks off to even get me to consider dropping Citrix for their solution. Citrix just works way too good right now. IMO of course:-)
Guest wrote Citrix is good, but expensive
on 12-12-2004 1:31 PM
This message was originally posted by an anonymous visitor on August 9, 2004
Citrix is great, but way too expensive. For a long time now Microsoft have been eating up more and more of their market. Running a published application the Microsoft way would be next, I would expect.

If I were Citrix I'd lower prices and try to get into some smaller businesses (Secure Access manager) while they still can ...
Guest wrote As much as I like Citrix...
on 12-12-2004 1:31 PM
This message was originally posted by an anonymous visitor on August 9, 2004
SELL! But honestly, they have stayed in business much longer than I thought so maybe they have a bit of fight left in them. But then my message is: DIVERSIFY!
Guest wrote How to setup RDP with SSL?
on 12-12-2004 1:49 PM
This message was originally posted by an anonymous visitor on September 2, 2004
I have the most recent beta SP1 for Windows 2003 Server. Can I install it from there? If so, how?
Guest wrote Citrix is just too expensive - tough if they lose out
on 12-12-2004 1:57 PM
This message was originally posted by Chris Totten on November 17, 2004
If Citrix get beaten by anyone with a product that is *nearly* as good - but much cheaper, then they deserve to be very successful. I don't hold any loyalty to any company be it Microsoft or Citrix and will go with whoever builds the best product for the most reasonable price and if that is MS then so be it. I looked at another Citrix product recently, GoToAssist, and it is excellent - easily the best of breed for helpdesk remote control, but the prices were just crazy so no thanks.

Roll on a Citrix beater - teach them a valuable lesson - if you charge too much people will see an opportunity and go for you by the throat. So be it.
Guest wrote Citrix signed the pact with the beast...
on 12-23-2004 6:44 PM
now the beast is awakening and only wants what is due. It's only a matter of time before MS is _allowed_ to incorporate every single feature of ICA into RDP. Deals are deals, I'm sure you all understand...
Guest wrote Re: SSH is great, BUT
on 02-25-2005 5:34 PM
Check out WiSSH at http://www.wissh.com. It takes care of the unfriendly aspect of SSH and makes it very easy for all end users to handle.
Guest wrote Re: None of this is too good unless Microsoft improves Active Directory
on 03-08-2005 7:09 PM
You can use two physical network adapters in your terminal server. Set up both interfaces inside your network. Since Terminal server lets you set access permissions per interface, you need to allow your "external users" access to interface 1 and your "internal users" access to interface 2. Then you create a NAT on your firewall to allow access from the Internet to interface 1. Set up external DNS so that access to the server points to interface 1 via the NAT rule on your firewall and internal DNS points to interface 2. I have this set up for our company and it works great. Everyone has access to the server internally and only a few people externally. For added security you can then use third party products/gateways to proxy the connection over SSL, SSH, etc.

Troy