Educause Security Discussion mailing list archives

Re: Remote Terminal Services / SharePoint Servers

From: "Bristol, Gary L." <gbristol () OU EDU>
Date: Thu, 11 Jan 2007 10:20:37 -0600

Yes, configuring each application to tunnel thru the ssh connection would be
a great increase in the support required, but what I was referring too was
rdp access to the users desktop which has the applications running on them.

RDP tunneling access is realitively easy.

We also have sever methods for acces, such as Cisco VPN and a SSL VPN.


-----Original Message-----
From: Russell Fulton [mailto:r.fulton () AUCKLAND AC NZ]
Sent: Thursday, January 11, 2007 2:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Remote Terminal Services / SharePoint Servers

Bristol, Gary L. wrote:

Besides the use of  SSL VPN devices, which we have a couple flavors
of, another option that we use are SSH Bastion hosts.

I have several in place that provide different parts of the user
community access to the resources they need.
The Hosts are linux based and authenicate the users via Kerberos to
the Microsoft AD domain controllers.
This provides a very effective means of connecting securely and still
having the resources on the inside available to the users and isolated
from common off campus access, ie hackers.


We also operate ssh gateway machines (in our case protected by two factor
Auth) and it is used almost exclusively by systems administration staff and
the odd tech savy academic.  The thought of getting 'ordinary'
users to do this  make me rather nervous because of the support issues.
The big disadvantage that I see is that each service requires configuration
in the ssh client and then the user has to do something different with each
application that the want to use.  The big advantage of a decent VPN is that
once the connection is established it is largely transparent to the user.
Everything works just as if they are on campus
-- so long as they have a nice fast DSL connection.

Currently we use Cisco VPN which works OK for the most part.  I have the odd
problem with the Mac client which sometimes throws it toys out of the cot
declaring that it "cant initialise VPN system because there are no internet
connections"  at which point I give up on it and use SSH.

Russell

Attachment: smime.p7s
Description:

Current thread:

Remote Terminal Services / SharePoint Servers Dave Koontz (Jan 10)
- <Possible follow-ups>
- Re: Remote Terminal Services / SharePoint Servers Lovaas,Steven R (Jan 10)
- Re: Remote Terminal Services / SharePoint Servers Bristol, Gary L. (Jan 10)
- Re: Remote Terminal Services / SharePoint Servers Russell Fulton (Jan 11)
- Re: Remote Terminal Services / SharePoint Servers Bristol, Gary L. (Jan 11)
- Re: Remote Terminal Services / SharePoint Servers Vuong Phung (Jan 11)