Terminal Services Explained

Question

Can someone cleanly delineate the following services/roles for me? I'm lost in the MS TechNet explanations.

• Terminal Services Web Access
• Terminal Services Gateway
• Terminal Services Remote App

What are the pros/cons of each, especially from a security standpoint? If I just connect to a remote server over port 3389 using my Remote Desktop Client, what is Microsoft-speak for that? Does it fit into any of the above categorizations? Is the main draw of TS Web Access versus a direct connection using RDC over 3389 just that one can use TLS encryption while the other uses RC4?

Answer 1

•Terminal Services Web Access:

main benefit:

With TS Web Access, a user does not have to start the Remote Desktop Connection (RDC) client to start a RemoteApp program. Instead, they access the Web page, and then click a program icon. For details see Terminal Services Web Access (TS Web Access)

•Terminal Services Gateway

main benefit:

TS Gateway transmits all RDP traffic (that typically would have been sent over port 3389) to port 443 by using an HTTPS tunnel. This also means that all traffic between the client and TS Gateway is encrypted while in transit over the Internet.

See Terminal Services Gateway (TS Gateway)

•Terminal Services Remote App

main benefit:

Users can run programs from a terminal server and have the same experience as if the programs were running on the end user's local computer, including resizable windows, drag-and-drop support between multiple monitors, and notification icons in the notification area

See Terminal Services RemoteApp (TS RemoteApp)

What are the pros/cons of each, especially from a security standpoint?

Each of these technologies provides different functionality so it depends on your business requirement. They don't compete so it's not a this or that choice, you could implement them all if you have the need for the functionality provided. Security wise all of these technologies are or can be encrypted.

If I just connect to a remote server over port 3389 using my Remote Desktop Client, what is Microsoft-speak for that?

Remote desktop

Does it fit into any of the above categorizations?

Only in the context that it's a remote connection, if you wanted to connect over the internet than you would also use TS gateway, or web access depending on how you wanted to present the connection.

Is the main draw of TS Web Access versus a direct connection using RDC over 3389 just that one can use TLS encryption while the other uses RC4?

RDP can be encrypted via TLS see Configure Server Authentication and Encryption Levels ,so the draw of web access is ...(wait for it)... web access. You still need the client installed, but with web access I can give you a secure webpage of links to connect to either a full desktop or just a remoteapp. Note that remote desktop alone will only give you a full desktop.

Answer 2

Here is a real world use case for Terminal Services Gateway, to give you an idea of how it can be used:

My company has a wide variety of users who require remote access to our head office network. Rather than give every employee a laptop with VPN client software, we set up TS Gateway with a specific access policy. It states "Users of this group (remoteaccess) can access computers of this group".

So now John Doe leaves his office computer on, goes home and from his personal computer runs Remote Desktop. He enters the TS Gateway name in advanced options, and types his office computer name as the computer to connect to. He can then log in and work as if he was in the office.

This in itself isn't different from Remote Desktop, until you have a second user remoting in from home. Now you can use the same TS Gateway name, and specify a different office computer, and they can remote in. With Remote Desktop alone, you would have to have separate public IP's with the RDC port forwarded to the specific office desktop.

Only port 443 has to be forwarded to the TS Gateway server from the firewall, and any user can remote into their own desktop at work.

This is also useful for our pandemic planning, where a sick user can remote in from home to their office computer and continue to work if necessary.

Answer 3

If you just create a firewall rule for tcp/3389 to your terminal server farm, you don't need the TS Gateway. If your remote users run the RDC Client and know the address to connect, you don't need TS Web Access. TS Gateway is typically for larger organizations with traditional perimeter networks and stricter security requirements. TS Web Access is intended to provide a friendlier front end for users or business requirements where you have many different farms/applications and you don't want your users to have to know/manage the details of how to connect to each one.

TS Remote App is comparable to the Citrix "published application". Users do not get a full desktop, they only run an application in a "seamless window". It actually looks only like the application window, no RDC window. One downside to this is using RDP remote control/shadowing - that doesn't work with RemoteApp.

You can use TLS encryption with any of the configurations.

The TLS/certificate security is primarily intended to verify the authenticity of the server to the client, and generate a symmetric key for the RDP stream encryption. It is not used to provide an access control measure to restrict access only to specific RDP clients. It is not overwhelmingly "more secure" than the proprietary RDP encryption, but since it is based on a standard the encryption keys can be changed when the certificate changes. Some people prefer standards-based cryptography over proprietary solutions.