It's Official! Microsoft is Adding an RDP over HTTPS Proxy to Windows

Note: This article has been updated since it was first published. Originally, I stated that Bear Paw would be part of R2. I said this because Microsoft announced that RDP over HTTP would be part of R2, so I assumed that functionality was part of Bear Paw and that Bear Paw would be part of R2. That assumption was wrong. Officially, Microsoft has not yet chosen a release date for Bear Paw.

At TechEd this week, Microsoft revealed several details of the “R2” update to Windows Server 2003, scheduled to be released sometime next year. R2 is the codename for a massive update to Windows Server 2003 that will include several new features, including branch server deployment, Windows SharePoint Services, and Active Directory Federation Services. R2 will be built on Windows Server 2003 Service Pack 1, which will be released later this year.

One of the new Terminal Services features is the ability for a Windows Server to encapsulate and proxy RDP traffic over HTTPS connections. The RDP over HTTPS proxy is part of what Microsoft calls “Anywhere Access.” Not to be confused with Citrix’s “Access Infrastructure,” Microsoft’s Anywhere Access will allow users to securely access corporate resources over the public Internet without using VPN software.

This capability is already available today for users connecting to Microsoft Exchange 2003 Servers from Outlook 2003 clients. In this case, the Exchange/Outlook connection uses Windows Server 2003’s built-in RPC proxy. Essentially, standard RPC traffic is wrapped in HTTPS at the client. A Windows 2003 IIS server receives the HTTPS packets, pulls out the RPC data, and forwards the packets off to the Exchange server. This allows users to have “full” Outlook RPC-based connectivity using standard SSL-encrypted HTTPS traffic.

For the Anywhere Access component of R2, Microsoft is expanding the RPC proxy’s capabilities so that it can also support SMB file shares and RDP Terminal Server sessions. This will allow users to securely connect to a Terminal Server across the Internet and is a direct threat to Citrix’s MetaFrame Secure Gateway product.
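The encapsulate-and-proxy pattern the article describes, as an added example (not Microsoft's RPC proxy, IIS code, or the product's wire format): a client wraps chunks of an inner TCP protocol in HTTP request bodies, and a gateway checks an authorization token and an allow-list of permitted back-end servers before forwarding the bytes to the real server and wrapping the reply. The envelope format, header names, token set, allow-list and echo back-end are all constructed for the demo; the real product's framing and AD-based authorization are not shown here.

```python
import base64
import json
import socket
import threading


def start_echo_backend():
    """Stand-in for a Terminal Server (constructed): echoes each connection's
    first chunk back and closes. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(conn.recv(65536))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def client_wrap(target, payload, token):
    """Client side: encapsulate one chunk of inner-protocol bytes as the headers
    and body of an HTTPS POST (the TLS layer itself is outside this example)."""
    headers = {
        "Content-Type": "application/json",
        "X-Gateway-Token": token,      # hypothetical session credential
        "X-Gateway-Target": target,    # hypothetical logical server name
    }
    body = json.dumps({"data": base64.b64encode(payload).decode()}).encode()
    return headers, body


def gateway_handle(headers, body, allow_list, valid_tokens):
    """Gateway side: authenticate, authorize the target, forward, re-wrap.

    allow_list maps logical names to (host, port); anything else is refused,
    so the gateway cannot be turned into a relay to arbitrary internal hosts.
    A real gateway keeps one back-end connection per session; this one opens
    a fresh connection per request for brevity."""
    if headers.get("X-Gateway-Token") not in valid_tokens:
        return 401, b"unauthorized"
    target = headers.get("X-Gateway-Target")
    if target not in allow_list:
        return 403, b"target not permitted"
    try:
        inner = base64.b64decode(json.loads(body)["data"], validate=True)
    except (ValueError, KeyError, TypeError):
        return 400, b"malformed envelope"
    host, port = allow_list[target]
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(inner)
        reply = s.recv(65536)
    return 200, json.dumps({"data": base64.b64encode(reply).decode()}).encode()


def client_unwrap(status, body):
    """Client side: pull the inner-protocol bytes back out of the response."""
    if status != 200:
        raise PermissionError("%d %s" % (status, body.decode()))
    return base64.b64decode(json.loads(body)["data"])


def demo():
    """Run one permitted, one forbidden and one unauthenticated exchange."""
    port = start_echo_backend()
    allow = {"ts1.corp.example": ("127.0.0.1", port)}   # constructed allow-list
    tokens = {"demo-session-token"}                      # constructed token set
    chunk = b"constructed inner-protocol bytes"
    status, body = gateway_handle(
        *client_wrap("ts1.corp.example", chunk, "demo-session-token"), allow, tokens)
    echoed = client_unwrap(status, body)
    denied, _ = gateway_handle(
        *client_wrap("db1.corp.example", chunk, "demo-session-token"), allow, tokens)
    noauth, _ = gateway_handle(
        *client_wrap("ts1.corp.example", chunk, "wrong-token"), allow, tokens)
    return {"echoed": echoed, "denied": denied, "noauth": noauth}


if __name__ == "__main__":
    print(demo())
```

The two checks in `gateway_handle` are the point: the encapsulation itself is easy, and what makes such a proxy safe to put at the edge is that it only forwards for callers it can identify and only to the servers it was told about.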

Similar to Citrix, Microsoft is beginning to ramp up the “solution” messaging, focusing on how an Anywhere Access strategy can allow users to be productive while outside the office from any device (since VPN client software is not needed).


This message was originally posted by Stuart Souter on May 28, 2004
Citrix Secure Gateway is a cool product. If I were Citrix I would be worried about this. The statement "Microsoft’s Anywhere Access will allow users to securely access corporate resources over the public Internet without using VPN software" is pretty much exactly what Citrix say MetaFrame Secure Access Manager does. If I were Citrix I would be worried about this too, especially as they are trying to really get people into this product. With excessive licensing costs for MetaFrame XP, their bread and butter... what are Citrix doing to stay cutting edge and ahead of the competition?
This message was originally posted by an anonymous visitor on May 28, 2004
Come on - IIS in the DMZ is still a huge problem. No enterprise company who is serious about security would want that. Of course, CSG has the same issue, and so by Microsoft adding this feature it does obviate the need for CSG and MSAM; but not a true secure SSL VPN gateway running on a hardened Linux/Unix box. Citrix needs to beef up their CSG product quickly to accommodate this or their value add for MSAM will go down considerably compared to the new MS solution.
This message was originally posted by Berdt on May 28, 2004
In my opinion the ICA protocol is still superior compared to the RDP protocol.
This message was originally posted by an anonymous visitor on May 28, 2004
This is typical of Microsoft. To wait for a market to be defined, and then take over with force. They are pushing hard into security and access market, and already putting a number of pieces together. Citrix is the immediate target. Then a piece of Checkpoint and Cisco!? As long as they can maintain their hold on user's PC, they can grab a good share of this market.
This message was originally posted by Ron Oglesby on May 28, 2004
I can name TONS. CSG doesn't HAVE to run on Windows (and it doesn't run on IIS; the WI does generally, and that doesn't have to either, if you want to get picky). In either case I can name a number of Fortune 100 and even Fortune 30 companies that run IIS and CSG in their DMZs. I can name one company in particular that has TONS of them and always has. Of course they are serious about security AND an MS shop. They just take care of business. Like any product, IIS can get hacked if you have a know-nothing admin putting it together. But I sure can get into a Linux/Unix box that a know-nothing admin set up too. Now what I think Citrix should do is expand the WI/CSG into web proxying to internal webservers etc. Of course they are doing that now and charging for it (MSAM), but instead of trying to tie it to their own portal they should integrate a security and access product into LOTS of other people's portals with their portal as just one of the options.
This message was originally posted by an anonymous visitor on May 28, 2004
MSAM and Secure Gateway used WITH MSAM is the product that will be developed further. My guess is that we will see an end-of-life of WI and CSG. Meaning, you have to pay for the upcoming features that will give you Access.
This message was originally posted by an anonymous visitor on May 28, 2004
http://www.winsupersite.com/showcase/muglia_winserver.asp

Scroll down 3/4 of the page and you see Microsoft senior vice president Bob Muglia's statement.
This message was originally posted by an anonymous visitor on May 29, 2004
If all you need is to give access to incoming RDP, why not SSH (with RSA) and port forwarding? All it takes is a 5-minute install of Cygwin (openssh package) plus a custom BAT script on the clients, and generating those RSA keys.
This has the same crypto strength, if not greater, than most typical VPN solutions, with the only disadvantage that it will work just for a few TCP ports (go IPSec if you need the full IP enchilada).

Gosh, I think I should re-package this in a shiny box and sell it for $$$.
This message was originally posted by Berdt on May 31, 2004
SSH is great, I am using it myself to log on in a secure manner by tunneling RDP connections. But SSH isn't user-friendly enough. Besides that, SSH tunneling through proxy servers isn't always possible.
This message was originally posted by Brian Madden on June 5, 2004
I can't answer many of the questions, but I can let you know that you will be able to control access to this RDP over HTTPS proxy via AD groups. I say this because this is the same proxy that's currently used for RPC over HTTP, which is based on IIS. Therefore, you could apply group permissions to the IIS virtual server itself to specify who has access.
This message was originally posted by an anonymous visitor on June 5, 2004
Questions, questions. Will this support complex DMZ configurations? Is this enterprise ready? Is IIS trusted in the majority of companies' DMZs? Is there a capability to display 'Published Applications' through an NFuse/Web Interface style web page? Or is this functionality limited to an RDP desktop? Can we use a Java Client with this technology? Will Citrix bring out a Linux version of Secure Gateway to kill this stone dead? These are some questions. I have all sorts of other security questions that I won't bore you with. :)
My opinion is that this may gnaw at the heels of Citrix business, but isn't Terminal Services doing that already? I won't dump Citrix on the strength of what MS claims. Usually these kinds of 'features' (remember MS Load Balancing?) have never lived up to expectations.
This message was originally posted by Mark Dutton on June 4, 2004
I may be wrong here, but I am pretty sure there is no way to limit user access to a Microsoft network based on internal / external access other than via a dial-in access tick box. This is a problem. What of a company that wants to allow remote access to some users, but not others, regardless of time? The advantage of a VPN is that it can be used to allow authentication to a subset of users on a domain. We use VPN access to allow management to access the corporate network while leaving normal users locked out. I have no experience with the Citrix gateway products, but I am sure there is no mechanism in Windows to create a security group based on the physical connection type. Maybe ISA can control this, but I find this to be a pig's ear piece of software and I prefer to do all my firewalling, VPN, proxy, etc. with appliance-based products, which probably means sticking to good old PPTP logons.
This message was originally posted by an anonymous visitor on June 13, 2004
Tunnelling RDP over SSH is fine, but CygWin's architecture, if it can be called that, is a joke, and about as secure as Windows 95. If your system has more than one user, and you care about security, CygWin is useless. Fortunately, there are alternatives, like WinSSHD from BitVise (which is reasonably cheap), or OpenSSH on the Interix subsystem in MS Services for UNIX 3.5 (which is free).
This message was originally posted by an anonymous visitor on August 4, 2004
They are very good at getting halfway into something, but not being the leader in it. A perfect example is their wireless router stuff. Built one, then quit the industry. They will always be an Operating System company, meaning Desktop OS and Server OS. Whether we want to admit it or not, they do it well. The rest they just dabble in. After the nightmare of TS Licensing in Windows 2003... I don't trust that Microsoft will all of a sudden figure it out. Citrix is in a much better position to quickly change how they do things than Microsoft. They are a much smaller company and quicker to react to changes in the world. At this point, they would have to really knock my socks off to even get me to consider dropping Citrix for their solution. Citrix just works way too well right now. IMO of course :-)
This message was originally posted by an anonymous visitor on August 9, 2004
Citrix is great, but way too expensive. For a long time now Microsoft have been eating up more and more of their market. Running a published application the Microsoft way would be next, I would expect.

If I were Citrix I'd lower prices and try to get into some smaller businesses (Secure Access manager) while they still can ...
This message was originally posted by an anonymous visitor on August 9, 2004
SELL! But honestly, they have stayed in business much longer than I thought so maybe they have a bit of fight left in them. But then my message is: DIVERSIFY!
This message was originally posted by an anonymous visitor on September 2, 2004
I have the most recent beta SP1 for Windows 2003 Server. Can I install it from there? If so, how?
This message was originally posted by Chris Totten on November 17, 2004
If Citrix get beaten by anyone with a product that is *nearly* as good - but much cheaper, then they deserve to be very successful. I don't hold any loyalty to any company, be it Microsoft or Citrix, and will go with whoever builds the best product for the most reasonable price, and if that is MS then so be it. I looked at another Citrix product recently, GoToAssist, and it is excellent - easily the best of breed for helpdesk remote control, but the prices were just crazy so no thanks.

Roll on a Citrix beater - teach them a valuable lesson - if you charge too much people will see an opportunity and go for you by the throat. So be it.
Cancel
now the beast is awakening and only wants what is due. It's only a matter of time before MS is _allowed_ to incorporate every single feature of ICA into RDP. Deals are deals, I'm sure you all understand...
Cancel
Check out WiSSH at http://www.wissh.com. It takes care of the unfriendly aspect of SSH and makes it very easy for all end users to handle.
Cancel
You can use two physical network adapters in your terminal server. Set up both interfaces inside your network. Since Terminal server lets you set access permissions per interface, you need to allow your "external users" access to interface 1 and your "internal users" access to interface 2. Then you create a NAT on your firewall to allow access from the Internet to interface 1. Set up external DNS so that access to the server points to interface 1 via the NAT rule on your firewall and internal DNS points to interface 2. I have this set up for our company and it works great. Everyone has access to the server internally and only a few people externally. For added security you can then use third party products/gateways to proxy the connection over SSL, SSH, etc.

Troy
Cancel
Hi!
I really hope this thread isn't closed already.

Is RDP over HTTP really such a big issue?
My company is developing software that makes a customer's server-side software available for home offices through HTTPS. On the client side a transparent proxy is used and on the server side an extension to the IIS. I'm sure it could be redesigned to tunnel the RDP traffic as well.

Best regards, Juergen
Cancel
Hi Juergen. So what program is your company making?
Cancel
Hi!

Indeed, we've already started "rdp over http" as a new project based on the former project.

The goal is to provide a means to access MS terminal servers in a secured way via HTTPS from firewalled environments with nearly no negative impact on the end users.

We will deliver two components:

- server component:
A single .dll that needs to be installed into the corporate IIS. It will be accessible by http on a specific url and the communication will be secured by ssl. The installation is a matter of "click next" :)
This component serves as a gateway to the terminal server (externally it communicates with our client component via https, LAN internally it communicates with the terminal server via rdp).

- client component:
The client looks exactly like the standard terminal server client with two additional text fields:
local web proxy, iis gateway.

The IIS gateway is the DNS name of the corporate IIS.
The local web proxy is for clients that may not connect from their LAN to the internet without using a web proxy.

The end user has to provide this information and can use the terminal server client as usual.

From his perspective it doesn't matter if he connects from an unprotected environment to a terminal server that's located directly in the internet or if he connects from a highly protected environment to a terminal server that's located in a LAN behind a firewall.

Are you interested in such a software?
The project doesn't have the highest priority at the moment, but because we can reuse most of the former project's code, I'm rather sure we'll soon be able to provide a _beta_ release.

I'm not sure what Brian thinks about publishing this sort of information in this forum.
Brian, please tell me if you don't want me to "advertise" here.

If you need more information you can send me an email (Juergen.Petri@LMIS.de).
Please use RDP-OVER-HTTP as the subject because I currently have some problems with an eager spam killer ;-)

Best regards,
Juergen
Cancel
We developed generic technology back in early 2001 that allowed us to tunnel ICA traffic over firewalls / proxies - before there was a CSG. It allowed Citrix applications to be available with just a browser and the Citrix ICA client or the Java client. When Windows XP came on the scene we made some minor changes and we had remote users connected to their computers from home. The tunnel stuff used Unix for DMZ server components. Unix in the DMZ is an important aspect to any solution. I believe that Windows will eventually get to be a DMZ class OS but at the moment it still has some ways to go.
Cancel
I agree. Running an IIS server available against the internet is asking for problems. Check out http://www.wissh.com for tunneling RDP over SSH, which is much more secure.
Cancel
Hello!

It would be a great product if you could develop such an RDP over HTTPS component without using a third party address for a tunnel!!!

You could even sell your component at a good price. I'm of course telling you that because I need such a tool!

Best regards,
hope you will succeed,
Hanno

Cancel
Dear Juergen. Microsoft's SSL gateway site-to-site access is not new at all. Juniper (formerly known as Netscreen) uses its 4000 SSL gateway platform in order to provide internet users access to the corporate network via SSL. Actually, what happens is similar to VPN client software access because the client has to download a small Java applet.
Cancel
If you look for a great alternative for GoToAssist, I recently discovered remotepass (www.remotepass.com): very low prices and works over HTTPS so you can use it through any proxy server and firewall ...
Cancel
why doesn't MS just come out with a proxy dll for the terminal (remote desktop) "server" running on your XP prof. machine and add the same functionality to their remote desktop client.

The modified client could then talk RDP/http(s) to the server proxy on port 80/443 which would then proxy data to the real remote desktop server port.

But of course who would then buy freaking $30,000 license for W2K.

Plus it would make life too easy.

Tim
Cancel

---------- To RDP Access Multiple Machines Behind a Router -------------------------------------------

Here is how: change the RDP port number in the registry and add a port forward in the router to each individual machine.

Step 1. Change RDP port in computers at office
Modify using regedit or (copy the text below to a .reg file, a text document renamed to RDP_Port.reg), then merge on the remote computers:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
; REG_DWORD values in a .reg file are hex: 0x00000d3e = port 3390
; (dword:3390 would set port 13200). Use 0d3f, 0d40, 0d41 for 3391-3393.
"PortNumber"=dword:00000d3e

Step 2. Create additional port forward rules in modem/router at office
Machine A WAN IP: 212.153.125.32:3390 -> 192.168.0.13:3390
Machine B WAN IP: 212.153.125.32:3391 -> 192.168.0.14:3391
Machine C WAN IP: 212.153.125.32:3392 -> 192.168.0.15:3392
Machine D WAN IP: 212.153.125.32:3393 -> 192.168.0.16:3393

Step 3. Simple remote access using normal RDP application from home
Start->Programs->Accessories->Communication-> Remote Desktop Connection
    Computer: 212.153.125.32:3393 <- Port reflects desired machine.
    User Name: RemoteName
    Password: RemotePassword

Works on XP, Svr2003, Vista & from Mac RDP client
David
Cancel
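The procedure above turned into a small generator, as an added example (not David's script): it produces the per-machine .reg file with the PortNumber written as the hex REG_DWORD literal that .reg files require, and the matching WAN-port to LAN-port forwarding rule for each machine, so the two stay consistent however many machines are added. The registry key path is the standard RDP-Tcp listener key; the machine list is constructed, and the WAN address is the one from the post.

```python
RDP_TCP_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
               r"\Terminal Server\WinStations\RDP-Tcp")


def reg_dword(value):
    """Encode an integer as the hex REG_DWORD literal used in .reg files
    (dword:3390 would mean 0x3390 = 13200, not port 3390)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in a DWORD")
    return "dword:%08x" % value


def port_reg_file(port):
    """Text of a .reg file that moves one machine's RDP listener to `port`."""
    if not 1024 <= port <= 65535:
        raise ValueError("use a non-privileged TCP port")
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[%s]" % RDP_TCP_KEY,
        "; %s = %d decimal" % (reg_dword(port), port),   # .reg comment line
        '"PortNumber"=%s' % reg_dword(port),
        "",
    ]
    return "\r\n".join(lines)


def plan(wan_ip, machines, first_port=3390):
    """Assign consecutive ports to (name, lan_ip) pairs. Returns one dict per
    machine holding its forwarding rule and the .reg text to merge on it."""
    rows = []
    for offset, (name, lan_ip) in enumerate(machines):
        port = first_port + offset
        rows.append({
            "machine": name,
            "forward": "%s:%d -> %s:%d" % (wan_ip, port, lan_ip, port),
            "reg": port_reg_file(port),
        })
    return rows


if __name__ == "__main__":
    # Constructed machine list; WAN address as given in the post above.
    for row in plan("212.153.125.32", [("A", "192.168.0.13"), ("B", "192.168.0.14")]):
        print(row["forward"])
        print(row["reg"])
```

Each machine gets its own .reg text because the PortNumber differs per machine; merging the same file everywhere would leave every host on one port and the forwarding table pointing at the wrong listeners.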
This does work, but is not very scalable, as it requires a manual configuration at the firewall and on each TS box you spin up. Additionally, one cannot assume that these ports will always be open for remote users, i.e. users trying to connect from another corporate network, hotel, airport... Some people block all ports except those that they define, i.e. 80 & 443.
 
Longhorn Server Terminal Server includes an RDP over HTTPS Terminal Server Gateway to tunnel RDP Traffic over port 443.  If you can't wait another year, you can get this functionality from 2X LoadBalancer, Citrix Secure Gateway or Access Gateway, Provision Networks Management Framework Enterprise, AEP Networks NSP...
 
http://www.sessioncomputing.com/add-on.htm#security
 
http://www.msterminalservices.org/articles/Overview-Longhorn-Servers-Terminal-Service-Gateway-Part1.html
Cancel

Of course it is, as is everything else that isn't Microsoft... I'm so sick of reading crap like this. Hackers make MS products better every day, competition makes them release cooler and easier products to manage and use, and you absolutely cannot beat the TCO on an MS product... hands down. I don't care if they rule the world... as long as they keep giving me the products I need, at an affordable price, and that don't require some genius UNIX veteran at $40/hr to manage!

I think that all this anti-MS propaganda is perpetuated by aging hackers that want the world to think they're still a viable commodity.
