Blog du Tristank

So terrific that 3 of 4 readers rated it "soporific"


New Feature: RDP over SSL with Windows Server 2003 SP1


Release Candidate 2 for Windows Server 2003 SP1 is available to test from microsoft.com, which means RTM can't be that far away!

A new feature in SP1 (present at least in the RC2 build) that's been causing some confusion is RDP over SSL - a new option for Terminal Services that provides server authentication for TS sessions, so the client can verify it is talking to the real server rather than a MITM (man in the middle), and adds TLS as a new option for encrypting the session.

Up front - RDP over SSL is not a firewall traversal technology. It doesn't mean you're using Web protocols to do RDP. To rephrase, it's not "RDP over HTTP", it's "RDP with TLS authentication and encryption over TCP" - it still happens over TCP port 3389, as RDP usually does.

For the screenshot at left, I don't have a server certificate installed on my test VM at the moment, but I'm told that when you do, the SSL options become available.

This led to a few questions on how you publish RDP over SSL with ISA Server, and the answer is: exactly as you'd publish RDP normally - with a Server Publishing rule for TCP 3389 (ISA 2000 version is here).

Essentially, ISA relays an opaque TCP connection between the client and the server; the TLS handshake, server authentication and encryption happen end to end between client and server, so ISA can't inspect them (it only sees the IP/TCP level - addresses and ports). That also means the certificate the client validates is the Terminal Server's own, not one installed on the ISA box.
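The "RDP with TLS over TCP 3389" behaviour described above, as an added example that is not from the original post: a small Python probe that sends the X.224 Connection Request asking the server for TLS, reads the server's Connection Confirm, and, if TLS was selected, completes the handshake and returns the server certificate for inspection. The negotiation framing (RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE inside the X.224 TPDUs) follows MS-RDPBCGR and is not described in the post; the host name is a placeholder. Because ISA server publishing relays the TCP connection untouched, the same probe works through the publishing rule.

```python
"""Probe an RDP listener for the RDP-over-SSL (TLS) option.

Added example, not from the original post. Assumes the X.224 Connection
Request/Confirm security negotiation documented in MS-RDPBCGR; the host
name used in __main__ is a placeholder.
"""
import socket
import ssl
import struct

# requestedProtocols / selectedProtocol values (MS-RDPBCGR RDP_NEG_REQ/RSP)
PROTOCOL_RDP = 0x00000000      # legacy "standard RDP security" only
PROTOCOL_SSL = 0x00000001      # TLS: what the post calls RDP over SSL
PROTOCOL_HYBRID = 0x00000002   # CredSSP/NLA, added in later Windows releases

PROTOCOL_NAMES = {
    PROTOCOL_RDP: "standard RDP security",
    PROTOCOL_SSL: "TLS (RDP over SSL)",
    PROTOCOL_HYBRID: "CredSSP (TLS + NLA)",
}

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# RDP_NEG_FAILURE failureCode values
FAILURE_NAMES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",     # server has TLS enabled but no usable certificate
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_SSL):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (little-endian fields)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    # CR TPDU: code 0xE0, dst-ref, src-ref, class option, then the rdpNegReq
    x224_body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = bytes([len(x224_body)]) + x224_body        # length indicator first
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))    # version 3, reserved, total length
    return tpkt + x224


def parse_connection_confirm(data):
    """Return (status, protocol_or_failure_code, description) for a Connection Confirm."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT/X.224 packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:]                                    # 4 TPKT + 1 LI + 6 fixed CC bytes
    if not neg:
        # A server that predates negotiation answers with a bare CC: only standard
        # RDP security is possible, so there is no server authentication at all.
        return ("accepted", PROTOCOL_RDP, PROTOCOL_NAMES[PROTOCOL_RDP] + " (no negotiation)")
    ntype, _flags, length = struct.unpack("<BBH", neg[:4])
    if length != 8 or len(neg) < 8:
        raise ValueError("malformed rdpNegData")
    value = struct.unpack("<I", neg[4:8])[0]
    if ntype == TYPE_RDP_NEG_RSP:
        return ("accepted", value, PROTOCOL_NAMES.get(value, "unknown protocol %d" % value))
    if ntype == TYPE_RDP_NEG_FAILURE:
        return ("failure", value, FAILURE_NAMES.get(value, "unknown failure %d" % value))
    raise ValueError("unexpected rdpNegData type 0x%02x" % ntype)


def _recv_tpkt(sock):
    """Read exactly one TPKT-framed packet from the socket."""
    header = b""
    while len(header) < 4:
        chunk = sock.recv(4 - len(header))
        if not chunk:
            raise ConnectionError("connection closed before TPKT header")
        header += chunk
    total = struct.unpack(">H", header[2:4])[0]
    body = header
    while len(body) < total:
        chunk = sock.recv(total - len(body))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        body += chunk
    return body


def probe(host, port=3389, cafile=None, timeout=5.0):
    """Ask for TLS; if the server selects it, finish the handshake and return its certificate."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_SSL))
        status, value, desc = parse_connection_confirm(_recv_tpkt(sock))
        if status != "accepted" or value != PROTOCOL_SSL:
            return {"tls": False, "detail": desc, "cert_der": None}
        ctx = ssl.create_default_context()
        if cafile:
            ctx.load_verify_locations(cafile)   # validate the server like a real client would
        else:
            ctx.check_hostname = False           # only fetch the certificate for inspection
            ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"tls": True, "detail": tls.version(),
                    "cert_der": tls.getpeercert(binary_form=True)}


if __name__ == "__main__":
    import sys
    result = probe(sys.argv[1] if len(sys.argv) > 1 else "ts.example.internal")  # placeholder host
    print(result["tls"], result["detail"])
    if result["cert_der"]:
        print(ssl.DER_cert_to_PEM_cert(result["cert_der"]))  # pipe into openssl x509 or certutil
```

Two caveats: a Server 2003 SP1-era Terminal Server only speaks TLS 1.0, so a modern Python/OpenSSL build will need `ctx.minimum_version = ssl.TLSVersion.TLSv1` (and may refuse it outright); and passing `cafile` is what turns the probe into the server-authentication check the post is about, since without it the certificate is merely fetched, not trusted.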

Comments
  • Screenshot at http://thelazyadmin.com/images/rdpssl.jpg

    Works well in my test enviro, no changes to my ISA 2004 server, thanks MS :)

  • Thanks Rod - for a Lazy Admin, you sure provide a lot of (what looks like) screenshot effort! :)

  • Screenshots are my middle name, but seriously IMO it makes it soooo much easier to SHOW someone than to tell them :)

    What's that saying about pictures and 1000 words :)

  • How did you import/install the certificate????

  • My guess: if you're using an MS CA and you select the option to "Store certificate in Local Machine store", it'll import to the right place.

    If you're not using Web Enrollment, or you're using a certificate from a third-party CA (one suitable for Server Authentication, e.g. with intended purposes that include it), you can use the Certificates MMC snap-in, targeted at the Local Machine (Computer) store rather than the current user's.

  • -----BEGIN NEW CERTIFICATE REQUEST-----
    MIICxzCCAnECAQAwcTELMAkGA1UEBhMCQ08xETAPBgNVBAgTCENPTE9NQklBMQ8w
    DQYDVQQHEwZCT0dPVEExEjAQBgNVBAoTCUZPTkRFQ09PUDERMA8GA1UECxMIU0lT
    VEVNQVMxFzAVBgNVBAMeDgBmAGQAXwBjAG8AbwBwMFwwDQYJKoZIhvcNAQEBBQAD
    SwAwSAJBALSBjWPGpx7l7zjpqGXapzrbbYtn2CL5uVGHwMZ8siNCjxiX78XtMMgs
    w9s5pwsBroFhNa+1bGKuwcEwo1wF2dECAwEAAaCCAZkwGgYKKwYBBAGCNw0CAzEM
    Fgo1LjIuMzc5MC4yMHsGCisGAQQBgjcCAQ4xbTBrMA4GA1UdDwEB/wQEAwIE8DBE
    BgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAw
    BwYFKw4DAgcwCgYIKoZIhvcNAwcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwgf0GCisG
    AQQBgjcNAgIxge4wgesCAQEeWgBNAGkAYwByAG8AcwBvAGYAdAAgAFIAUwBBACAA
    UwBDAGgAYQBuAG4AZQBsACAAQwByAHkAcAB0AG8AZwByAGEAcABoAGkAYwAgAFAA
    cgBvAHYAaQBkAGUAcgOBiQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAMA0GCSqGSIb3DQEBBQUAA0EAF1YB9rodO0Gb1MSHFZPHFWutV9U0
    qJD0lYClKGvi7vVOpwM3bwXZ2FezkB1V71wijJJT9mK9pUU+tMSVhYagig==
    -----END NEW CERTIFICATE REQUEST-----

  • Gotta say - kudos for the most interesting item left in a comment :)

  • I've heard this feature will be left out until longhorn. Is this true?

  • *WARNING* some speculation included.

    As far as I can tell, no, that's not the case.

    RDP using SSL *encryption* and *authentication* support, as described above, was in the RC2 build of Windows 2003 SP1. As I've noted, this is not TS-through-firewalls, or TS-through-Web-Protocols, it's more of an RDP protocol upgrade.

    As we're at RC2 already, I'd guess a cut this late would be unlikely.

  • It is great to see it there, as indications I had seen pointed to it not being included in SP1.

    Wouldn't a change in the authentication/encryption require an updated RDP client as well? (Is there an updated RDP client included with 2003 SP1 RC2, and if so, does it have any new options regarding SSL?)

  • I'd expect so; away from home with no access to VPCs at the moment, so can't check.

  • I did some googling and found a posting covering 2003 SP1 new features. It includes step-by-step instructions for the client and server setup for this feature. There is a new RDP client in 2003, which supports SSL authentication. Once I installed that, it worked great. (Only works on 2000 and XP though.) Check it out at:

    http://www.flexbeta.net/forums/index.php?showtopic=2299

  • As it turns out, despite what is indicated in the above posting, the new client seems to work with SSL encryption on Windows 98 just fine.
