Educause Security Discussion
mailing list archives
Re: Remote Terminal Services / SharePoint Servers
From: "Bristol, Gary L." <gbristol () OU EDU>
Date: Thu, 11 Jan 2007 10:20:37 -0600
Yes, configuring each application to tunnel through the ssh connection would be
a great increase in the support required, but what I was referring to was
RDP access to the user's desktop, which has the applications running on it.
RDP tunneling access is relatively easy.
We also have several methods for access, such as Cisco VPN and an SSL VPN.
From: Russell Fulton [mailto:r.fulton () AUCKLAND AC NZ]
Sent: Thursday, January 11, 2007 2:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Remote Terminal Services / SharePoint Servers
Bristol, Gary L. wrote:
Besides the use of SSL VPN devices, which we have a couple of flavors
of, another option that we use is SSH bastion hosts.
I have several in place that provide different parts of the user
community access to the resources they need.
The hosts are Linux based and authenticate the users via Kerberos to
the Microsoft AD domain controllers.
This provides a very effective means of connecting securely and still
having the resources on the inside available to the users and isolated
from common off-campus access, i.e. hackers.
We also operate ssh gateway machines (in our case protected by two-factor
auth), and they are used almost exclusively by systems administration staff and
the odd tech-savvy academic. The thought of getting 'ordinary'
users to do this makes me rather nervous because of the support issues.
The big disadvantage that I see is that each service requires configuration
in the ssh client and then the user has to do something different with each
application that they want to use. The big advantage of a decent VPN is that
once the connection is established it is largely transparent to the user.
Everything works just as if they are on campus
-- so long as they have a nice fast DSL connection.
Currently we use Cisco VPN, which works OK for the most part. I have the odd
problem with the Mac client, which sometimes throws its toys out of the cot,
declaring that it "can't initialise VPN system because there are no internet
connections", at which point I give up on it and use SSH.
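Gary's point that tunnelling RDP over SSH is relatively easy, as an added worked example that is not from the list thread or either poster: a POSIX shell script that builds the local port forward through an SSH bastion (using GSSAPI so the Kerberos ticket from the AD-backed bastion described above is used), points the RDP client at the local end of the tunnel rather than at the desktop, and prints the sshd_config lines that confine such a bastion to forwarding RDP and nothing else. The hostnames bastion.example.edu and desktop42.campus.internal, the username, and the local port 13389 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the list thread.  All hostnames, the username and
# the local port are assumptions chosen for illustration.

BASTION_HOST="bastion.example.edu"       # assumed public name of the SSH bastion
BASTION_USER="gbristol"                  # assumed AD/Kerberos username on the bastion
DESKTOP_HOST="desktop42.campus.internal" # assumed inside desktop, not reachable from off campus
RDP_PORT=3389                            # standard RDP port on the desktop
LOCAL_PORT=13389                         # assumed unprivileged port for the local end of the tunnel

# ssh command that opens the forward.
#   -N                        forward only, no remote shell on the bastion
#   -o ExitOnForwardFailure   fail loudly if the local port is already taken
#   -o GSSAPIAuthentication   use the Kerberos ticket, matching the AD-backed bastion
#   -L 127.0.0.1:LOCAL:DESKTOP:3389  bind to loopback only, so other hosts on the
#                             user's LAN cannot ride the tunnel
rdp_tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o GSSAPIAuthentication=yes -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$LOCAL_PORT" "$DESKTOP_HOST" "$RDP_PORT" "$BASTION_USER" "$BASTION_HOST"
}

# RDP client command: always aim the client at the local end of the tunnel.
# $1 is the client binary (mstsc on Windows, xfreerdp on Linux/macOS).
rdp_client_cmd() {
    printf '%s /v:127.0.0.1:%s\n' "$1" "$LOCAL_PORT"
}

# sshd_config fragment for the bastion: an RDP-only bastion should allow the
# one forward it exists for and nothing else.  Put these lines inside a
# "Match Group <desktop-users>" stanza so they apply only to that population.
bastion_sshd_snippet() {
    cat <<EOF
AllowTcpForwarding local
PermitOpen ${DESKTOP_HOST}:${RDP_PORT}
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
EOF
}

# Dry run by default; "up" actually opens the tunnel and launches the client.
if [ "${1:-}" = "up" ]; then
    $(rdp_tunnel_cmd) &           # background the forward (Kerberos/password prompt happens here)
    TUNNEL_PID=$!
    sleep 3                       # crude: wait for ssh to bind LOCAL_PORT before the client connects
    $(rdp_client_cmd xfreerdp)
    kill "$TUNNEL_PID"
else
    echo "Terminal 1: $(rdp_tunnel_cmd)"
    echo "Terminal 2: $(rdp_client_cmd mstsc)"
    echo "Bastion sshd_config (inside a Match Group stanza):"
    bastion_sshd_snippet
fi
```

Run without arguments to see the two commands and the sshd fragment; run with `up` to open the tunnel and start the client. Binding the forward to 127.0.0.1 and restricting the bastion with PermitOpen are the two checks that turn "tunnel RDP over SSH" into a least-privilege path: the user's machine exposes nothing to its LAN, and a compromised bastion account can reach only the one desktop port, not arbitrary inside services.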