SSL connections to Windows Terminal Services via Remote Desktop Connection Protocol
The project was developed for Provisional Networks, a company later bought by Quest Software, which provides comprehensive virtualization solutions and helps other companies build complex network environments that employees can reach easily from any location in the world, while providing comprehensive security measures to protect their intellectual property from unauthorized access. The project is a secure remote access gateway that provides secure connections from the Internet to computers and applications in a remote LAN. According to the requirements, the solution (consisting of a server-side application and a client access library) has the following functionality:
- Secure proxy channel for Windows Terminal Services access.
- Secure proxy channel for Broker Services access.
- Secure Web-IT proxy channel to control access to web-based resources.
The proposed solution provides connect proxy functionality to support connections to Windows Terminal Services via Remote Desktop Connection Protocol, and an HTTP redirect proxy for Web-IT and Broker Services access. All three proxies can listen for and accept client connections on the same IP address and TCP port at the same time. One of the requirements for the access gateway is compatibility with Microsoft ISA 2006 Firewall, which required wrapping RDP packets in HTTP(S) traffic. Each proxy is configured independently, with optional SSL encryption, certificate authentication, and RDP-to-HTTP wrapping for MS ISA compatibility. The access gateway supports both login/password and certificate-based authentication. A comprehensive thread-safe logging subsystem was implemented for diagnosing errors and performance bottlenecks.
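The text does not say how the three proxies share one IP address and TCP port. One common approach, shown here as an added example that is not the project's code, is to classify each new connection by its first bytes before handing it to a proxy; the `Wire` enum, the `classify` function and the sample bytes are hypothetical and constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

enum class Wire { NeedMore, Tls, RdpTpkt, Http, Unknown };

// Classify a new connection from the first bytes read (peeked) off the socket.
// NeedMore: keep reading under a short timeout. Unknown: close the connection.
Wire classify(const std::uint8_t* p, std::size_t n) {
    if (n == 0) return Wire::NeedMore;
    if (p[0] == 0x16) {                 // TLS record type 22 = handshake
        if (n < 2) return Wire::NeedMore;
        return p[1] == 0x03 ? Wire::Tls : Wire::Unknown;   // major version 3
    }
    if (p[0] == 0x03) {                 // TPKT version 3 (raw RDP starts with TPKT)
        if (n < 4) return Wire::NeedMore;
        std::size_t len = (std::size_t(p[2]) << 8) | p[3]; // includes 4-byte header
        return (p[1] == 0x00 && len > 4) ? Wire::RdpTpkt : Wire::Unknown;
    }
    static const char* const methods[] = {"GET ", "POST ", "HEAD ", "PUT ",
                                          "DELETE ", "OPTIONS ", "CONNECT "};
    bool partial = false;
    for (const char* m : methods) {     // plain HTTP request line
        std::size_t ml = std::strlen(m), k = n < ml ? n : ml;
        if (std::memcmp(p, m, k) != 0) continue;
        if (k == ml) return Wire::Http;
        partial = true;                 // a prefix of a method: wait for more bytes
    }
    return partial ? Wire::NeedMore : Wire::Unknown;
}

int main() {
    // Constructed sample inputs, not captured traffic.
    const std::uint8_t tls[] = {0x16, 0x03, 0x01, 0x00, 0x2f};
    const std::uint8_t rdp[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xe0};
    const char http[] = "POST /rdp HTTP/1.1\r\n";
    std::printf("%d %d %d\n", static_cast<int>(classify(tls, sizeof tls)),
                static_cast<int>(classify(rdp, sizeof rdp)),
                static_cast<int>(classify(
                    reinterpret_cast<const std::uint8_t*>(http), sizeof http - 1)));
    return 0;
}
```

When SSL is enabled for a proxy, a gateway built this way would run the same check again on the decrypted stream to tell HTTP from RDP.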
The secure remote access gateway consists of two major components:
- The gateway server-side component, a multi-threaded proxy server running as a Windows service, with a GUI-based management console implemented as a Windows Control Panel applet.
- The client-side gateway access component, a proxy server with SSL support implemented as a DLL. The DLL performs low-level network traffic interception, optionally encrypts the traffic, wraps it in HTTP and redirects it to the gateway.
This way, applications using the client-side access component can establish secure access to remote resources via the gateway server-side component.
Tools and Technologies
- C++ with Visual Studio 2005.
- STL, Winsock, WinCrypt API, MS SSPI SChannel API.
- Detours 1.5 library for client side implementation.
- Java based tests utilizing SSL JVM.
The secure remote access gateway is one of the key components of the virtualization solution the customer provides to its clients. The requirements for system functionality, security, robustness and source code quality were very exacting yet reasonable, and the team of experienced developers fulfilled them completely and on time.