Remote Desktop lets users control their desktop computer remotely. It’s a simple concept that, properly implemented, can have a dramatic impact on your organization’s productivity so that staff can work from home — even if they don’t have a mobile computer.
Until Microsoft Windows Server 2008, the network connection itself has been the biggest challenge. Your private network probably uses private Internet Protocol addresses, which prevent users from connecting directly to their desktop computers from the Internet. Even if you offered users a virtual private network connection, many firewalls block VPNs.
To work around these limits, Windows Server 2008 introduces the Terminal Services (TS) Gateway role, which acts as a proxy server between the Internet and your internal network. As illustrated, the Remote Desktop client uses encrypted Hypertext Transfer Protocol over Secure Sockets Layer to communicate with the TS Gateway. Because HTTPS is primarily used to browse the Web, almost all firewalls allow it. The TS Gateway authenticates the user (via either a password or a smart card), verifies that the user is authorized to connect to the destination computer and then uses Remote Desktop Protocol (RDP) to complete the connection on your private network.
Because clients use HTTPS to connect to the TS Gateway, the TS Gateway will need an SSL certificate — just like an electronic-commerce Web server. To simplify the configuration of the Remote Desktop clients, purchase an SSL certificate from one of the many public certificate authorities (CAs) that Windows trusts by default (a search for “ssl certificate” will turn up several available for less than $20 per year). When configuring the SSL certificate, specify the full host name that clients will use to connect to the TS Gateway from the Internet. If the host name doesn’t match what the users enter in the Remote Desktop Client, the server authentication will fail.
Although you can use a temporary or internal SSL certificate for testing purposes, client computers must trust the certificate’s CA. Because many remote access scenarios involve computers that aren’t members of your Active Directory domain (such as home computers), only SSL certificates issued by trusted public CAs will work by default.
To add the Terminal Services Role to Windows Server 2008, follow these steps:
Later, you can use the Server Manager console to modify the CAPs or RAPs by clicking the roles\terminal services\ts gateway manager\computer_name\policies node.
If necessary, configure your firewall to allow incoming HTTPS connections to your TS Gateway on TCP port 443. Additionally, the TS Gateway must be able to communicate to Remote Desktop servers using TCP port 3389.
You must configure the Remote Desktop Client with the IP address of the TS gateway before connecting to a Remote Desktop server on your internal network. To configure the Remote Desktop Client, follow these steps:
To connect to the server, open the RDP file, and click Connect. If prompted, provide credentials for both the TS Gateway and the Remote Desktop server. In a few seconds, you should have complete control over the Remote Desktop server.
If your employees have computers at home and broadband Internet connections, you can allow them to use Remote Desktop to control their desktop computers at work. Instantly, the users gain access to their files, applications, printers and other network resources on your internal network as if they were sitting at their desks. There’s no fussing with firewalls or VPNs either — all users need to do is double-click an RDP file you provide.