On Wed, Jun 3, 2009 at 20:14, Jeff Crosby <jlcrosby@xxxxxxxxxxxxxxxx> wrote:
Interesting. It looks like what we're striving for: the ability to connect
remotely in a _secure_ manner without needing a VPN.

There's a myriad of ways to achieve this.

TS Gateway + Access to desktop works, doesn't have much additional
cost (besides an SSL cert for the TSGW), but it's very inflexible,
requires all clients to be running 24/7, and is not optimal from a
security standpoint.

A better way would be to add a server running terminal services - if
you have quite a bit of money, you can throw in Citrix in addition to
the basic app publishing Microsoft provides. We're using Citrix for
all our remote access needs using the Citrix Secure Gateway, which is
basically Citrix's version of TSGW (and much older than the TSGW).

From the Terminal Server, you can publish applications. Remember that
terminal servers are not "install server, install apps". You need to
ensure application support for all applications you want to run on the
TS. In some cases, this might require you to run legacy operating
systems such as Windows Server 2003 32bit, introducing a significant
scalability problem. I've deployed several WS08 x64 terminal servers,
but much care needs to be taken to ensure application compatibility.
On current hardware, it's easily possible to run 50-200 concurrent
sessions on a single, physical TS.

Additional possibilities include the use of SSL-VPN, which may or may
not really be a "VPN" - for example, some vendors consider TSGW or the
Citrix Secure Gateway a form of SSL-VPN. There are plenty of SSL-VPN
appliances out there - for example, the SonicWALL NSA series now offers
built-in SSL-VPN. There are other vendors catering to smaller
businesses with very flexible products that aren't as expensive as
using Cisco, Checkpoint or Juniper.

From what I read on TS Gateway I can't quite ascertain, does it need to be
on a dedicated server? Can it be on the domain controller?

DCs should always be dedicated machines, with no additional roles. In
smaller shops, running WINS/DHCP on them might make sense, but I would
never put a TSGW - a service that's exposed directly to the internet -
on a DC. You can though, there's no technical reason why it wouldn't
work, and for extremely small shops, it's how Microsoft's SBS product
does it.

In the end, it depends on what you exactly want to achieve, what your
budget is, and what your requirements are. TSGW is included in the OS
cost and might already be enough to solve your business needs.

