Accessing Windows Terminal Server Through a Firewall
In this article you will learn how to setup access to your Windows NT 4.0 or 2000 Terminal Server through a firewall. You can use the techniques shown here to provide access to your Terminal Server across the Internet for your remote users. You also could setup a firewall internally in front of your Terminal Server network to tightly control who can access them.
For those who are new to firewall technology, you need to understand a few basic concepts before the material in this article will make sense. Firewalls can be thought of as guardians put between an unsecure network, such as the Internet, and the secure network you want to protect. As guardians, their main role is to tightly control what can be accessed on the secure network from the outside. To do this they control two things, what internal TCP/IP devices can be reached from the outside and also what TCP/IP ports on those devices can be accessed.
How Terminal Server Access Works Across the Internet
To better understand how TCP/IP ports work and how they relate to firewalls, take a look at Figure 1. In this figure, you have a remote Terminal Server client attempting to open a Terminal Server session across the Internet with the corporate Terminal Server. A port has been opened in the firewall to let Terminal Server traffic through from the Internet.
When the Terminal Server client first contacts the Terminal Server, it sends out a packet whose destination port number is 3389 and whose destination IP address is the public IP address of the Terminal Server itself. If you had a network sniffer, you could view this packet and see this destination port number and destination IP address.
The firewall sees this packet and lets it through because the port for the internal Terminal Server (port 3389) has been opened on the firewall by the firewall administrator. If this port was not opened, the firewall would drop the packet, and the user would get a message on the client software saying that the server cannot be found.
Figure 1 Terminal Server connection from Internet.
When the Terminal Server receives this packet, it sees that the destination port number is 3389, so it knows that this packet should be sent internally to the Terminal Service. The Terminal Service running on the Terminal Server interprets this packet as a connection request and then sends a packet back out to the client to start the connection. After the initial "handshake" between the Terminal Server client and server, a session is now established on the server for the client. The server then sends the logon prompt display to the client, so that the logon process can begin.
In reality, even though you are going through a firewall, this connection process is almost exactly the same as the process for connecting to the Terminal Server on the LAN. You can think of the Internet as just an "extension" to your LAN. The advantage of the Internet, of course, is that this "extension" extends throughout the world, thus providing access to your Terminal Server from wherever your users might be.
The disadvantage of the Internet is that access is so widespread for any device you provide access to, that stringent security must be set up. As an administrator, this means that not only is it important to design the system with a high level of security, but also important security procedures must be followed, such as always ensuring you have the latest level of patches on your servers and that they are locked down properly.