- How Terminal Server Access Works Across the Internet
- Using a Firewall to Control Access to the Inside
- Domain Logon Through a Firewall
- About This Article
Using a Firewall to Control Access to the Inside
There are two approaches to providing access to your Terminal Servers through a firewall. The first is to have your Terminal Server or servers directly attached to your internal network as shown previously in Figure 1. In this scenario, you open the appropriate ports in the firewall to each of these internal servers that you need access to from the Internet. This solution is very easy to implement; however, after a user has access to the Terminal Server, the user has unfettered access to your internal network because they are on your internal network.
The second scenario is shown in Figure 2. In this scenario, you put your Terminal Servers on a separate, secured network segment called a demilitarized zone (DMZ), either by using a third interface on the main firewall or by placing a second firewall between your Terminal Servers and the internal network. The advantage of this approach is that you can control not only access to the server from the Internet, but also, tightly, which internal devices users can reach once they are logged onto the DMZ Terminal Server. This setup is highly preferred for most environments. A further advantage is that, if you are using an intrusion detection system with your firewall, you can log access to the internal network and possibly alert on suspicious activity.
Figure 2: More secure access to Terminal Servers.
The disadvantages of this approach are higher complexity and higher cost. You will need to determine the port numbers and IP addresses of all the internal resources that users on the Terminal Server need to reach, and then lock down the firewall so that the Terminal Server can reach only those resources. This can make the firewall policy list rather large and can reduce firewall performance. In addition, this solution will likely cost more, because your firewall platform might need more processor resources and you might need to purchase and install intrusion detection software.
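To make the DMZ design concrete, the following is an added example (not code from the original article) that models the second scenario as a first-match firewall policy and evaluates sample flows against it. Every address is a constructed documentation value: the DMZ Terminal Server is 192.0.2.10, the internal network is 10.0.0.0/8, a domain controller is 10.0.0.5 and a file server is 10.0.0.20. RDP's standard port is TCP 3389; the domain controller ports listed (DNS, Kerberos, LDAP, SMB) are the usual ones, but the exact set a given environment needs is an assumption that must be verified before it is put in a real policy. The `Rule`, `Flow`, `build_policy`, `evaluate` and `audit` names are the example's own.

```python
"""Model of a DMZ Terminal Server firewall policy with first-match semantics.

Added example; addresses and the domain-controller port list are constructed
assumptions, not values from the article.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY_HOST = ip_network("0.0.0.0/0")          # "the Internet" / anything
INTERNAL = ip_network("10.0.0.0/8")          # assumed internal network
DMZ_TS = ip_network("192.0.2.10/32")         # assumed DMZ Terminal Server
DC = ip_network("10.0.0.5/32")               # assumed domain controller
FILESRV = ip_network("10.0.0.20/32")         # assumed file server


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port
    action: str             # "ALLOW" or "DENY"
    comment: str

    def matches(self, flow: Flow) -> bool:
        return (
            ip_address(flow.src) in self.src
            and ip_address(flow.dst) in self.dst
            and self.proto in ("any", flow.proto)
            and (self.dport is None or self.dport == flow.dport)
        )


def build_policy() -> List[Rule]:
    """Ordered rule list: specific allows first, then broad denies.

    Each internal resource the Terminal Server needs is its own allow rule,
    which is exactly why the policy list grows with the number of resources.
    """
    return [
        Rule(ANY_HOST, DMZ_TS, "tcp", 3389, "ALLOW", "Internet -> DMZ TS (RDP)"),
        Rule(DMZ_TS, DC, "udp", 53, "ALLOW", "DMZ TS -> DC (DNS, assumed)"),
        Rule(DMZ_TS, DC, "tcp", 88, "ALLOW", "DMZ TS -> DC (Kerberos, assumed)"),
        Rule(DMZ_TS, DC, "udp", 88, "ALLOW", "DMZ TS -> DC (Kerberos, assumed)"),
        Rule(DMZ_TS, DC, "tcp", 389, "ALLOW", "DMZ TS -> DC (LDAP, assumed)"),
        Rule(DMZ_TS, DC, "tcp", 445, "ALLOW", "DMZ TS -> DC (SMB, assumed)"),
        Rule(DMZ_TS, FILESRV, "tcp", 445, "ALLOW", "DMZ TS -> file server (SMB)"),
        # Everything else from the DMZ into the internal network is refused:
        # this is the rule that removes the "unfettered access" of scenario one.
        Rule(DMZ_TS, INTERNAL, "any", None, "DENY", "DMZ TS -> other internal"),
        # Nothing from the Internet reaches the internal network directly,
        # and nothing but RDP reaches the Terminal Server.
        Rule(ANY_HOST, INTERNAL, "any", None, "DENY", "Internet -> internal"),
        Rule(ANY_HOST, DMZ_TS, "any", None, "DENY", "Internet -> DMZ TS non-RDP"),
    ]


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; an implicit default deny ends the list."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.comment
    return "DENY", "implicit default deny"


def audit(policy: List[Rule], flows: List[Flow]) -> List[str]:
    """Produce one log line per flow, the kind of record an IDS or the
    firewall log would hold for later review of DMZ activity."""
    lines = []
    for f in flows:
        action, why = evaluate(policy, f)
        lines.append(f"{action} {f.proto}/{f.dport} {f.src} -> {f.dst} ({why})")
    return lines


if __name__ == "__main__":
    # Constructed sample flows.
    sample = [
        Flow("203.0.113.7", "192.0.2.10", "tcp", 3389),   # user RDP into the TS
        Flow("203.0.113.7", "192.0.2.10", "tcp", 445),    # SMB at the TS: refused
        Flow("192.0.2.10", "10.0.0.5", "tcp", 88),        # TS -> DC Kerberos
        Flow("192.0.2.10", "10.0.0.99", "tcp", 445),      # TS -> unlisted host
        Flow("203.0.113.7", "10.0.0.20", "tcp", 445),     # Internet -> file server
    ]
    for line in audit(build_policy(), sample):
        print(line)
```

Rule order matters: the allow rules for the domain controller and file server sit above the broad "DMZ TS -> other internal" deny, so reordering them would silently break domain logon from the Terminal Server. Running the audit over a capture of real flows is a cheap way to confirm that the policy admits everything a logged-on user legitimately needs and nothing else.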