Configuring Terminal Services to Use SSL

  

Microsoft added SSL encryption for Terminal Services in Windows Server 2003 SP1. Based on SSL (TLS 1.0), it provides two functions:

  • Server authentication of the terminal server to the RDP client;

  • Encryption of the communication with the RDP client.


When SSL encryption is enabled on the terminal server, the terminal server presents its configured server certificate to the RDP client as soon as the client initiates a connection. The RDP client then checks whether the CA that issued this server certificate is in its list of trusted root certification authorities. If it is, the certificate is used for the subsequent encrypted RDP communication. If it is not, the RDP client proceeds according to its own configuration: it can either continue connecting to the terminal server or reject the connection.

To use the SSL encryption function of the terminal server, the terminal server must meet the following requirements:

    • The terminal server component must be RDP 5.2 or later, which means the operating system must be Windows Server 2003 SP1 or later;

    • The terminal server must have a valid server authentication certificate;


The RDP client must meet the following requirements:

      • The client operating system must be Windows 2000, Windows XP or Windows Server 2003;

      • The RDP client connection component on the client must be RDP 5.2 or later, that is, the component shipped with Windows Server 2003 SP1 and later; if the terminal server requires SSL encryption and the client's RDP client connection component is older than RDP 5.2, the RDP client cannot connect;

      • If the CA that issued the terminal server's certificate is not in the list of CAs trusted by the RDP client, the RDP client receives an error when connecting to the terminal server, but the user can choose whether to continue connecting.



        Configure Terminal Server to Use SSL Encryption

First, we need to obtain a valid server authentication certificate on the terminal server (that is, the CA that issued this certificate must be in the terminal server's list of trusted root certification authorities). The certificate request process itself is not described in detail here. The terminal server is configured as follows.

Click Start, point to All Programs, then Administrative Tools, and click Terminal Services Configuration;



In the Terminal Services Configuration window, under Connections, right-click RDP-Tcp in the details pane on the right and select Properties;

In the RDP-Tcp Properties dialog box, click the Edit button on the General tab;



In the Select Certificate dialog box, select the appropriate server authentication certificate and click OK;



After the server authentication certificate is configured, the SSL encryption function can be used. Select SSL in the Security layer drop-down list and click OK;



The terminal server configuration is now complete, and SSL (TLS 1.0) will be used for encrypted communication.
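As an added audit check (not part of the original article), the following PowerShell script reads back what the dialog above wrote and verifies that the bound certificate is actually usable. It assumes that the listener settings are stored under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp in the values SecurityLayer (0 = RDP, 1 = Negotiate, 2 = SSL) and SSLCertificateSHA1Hash (the certificate thumbprint as bytes), and that a PowerShell host is installed on the server; both are assumptions, not statements from the article.

```powershell
# Added audit script, not from the original article.
# Assumptions: the Terminal Services Configuration dialog stores the RDP-Tcp
# listener settings in the registry key below, with SecurityLayer
# 0 = RDP, 1 = Negotiate, 2 = SSL (TLS 1.0), and the SHA-1 thumbprint of the
# selected certificate in SSLCertificateSHA1Hash. Run on the terminal server
# with local administrator rights.

$listenerKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-TerminalServerSsl {
    $props = Get-ItemProperty -Path $listenerKey -ErrorAction Stop

    $layer = [int]$props.SecurityLayer
    $layerName = switch ($layer) { 0 { 'RDP' } 1 { 'Negotiate' } 2 { 'SSL' } default { "Unknown($layer)" } }
    Write-Host "SecurityLayer    : $layerName"
    if ($layer -ne 2) {
        Write-Warning 'SSL is not required; clients may still fall back to legacy RDP encryption.'
    }

    $hashBytes = $props.SSLCertificateSHA1Hash
    if (-not $hashBytes) {
        Write-Warning 'No server certificate is bound to the RDP-Tcp listener.'
        return $false
    }
    $thumbprint = ($hashBytes | ForEach-Object { $_.ToString('X2') }) -join ''
    Write-Host "Bound thumbprint : $thumbprint"

    # The certificate must live in the computer's Personal store with its private key
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
    if (-not $cert) {
        Write-Warning 'Bound certificate was not found in the computer Personal store.'
        return $false
    }
    Write-Host "Subject          : $($cert.Subject)"
    Write-Host "Issuer           : $($cert.Issuer)"
    Write-Host "Valid until      : $($cert.NotAfter)"
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'No private key for the bound certificate; the TLS handshake cannot complete.'
    }

    # The certificate must carry the Server Authentication EKU
    $hasEku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $serverAuthEku }
    if (-not $hasEku) { Write-Warning 'Certificate lacks the Server Authentication EKU.' }

    # The chain must end in a CA this machine trusts; RDP clients perform the same check
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.Status) - $($_.StatusInformation)" }
    }

    return ($layer -eq 2 -and [bool]$hasEku -and $chainOk -and $cert.HasPrivateKey)
}

Test-TerminalServerSsl
```

The script returns $true only when SSL is the selected security layer and the bound certificate is present, has a private key, carries the Server Authentication EKU and chains to a trusted root; anything else is reported as a warning so the administrator can fix it before clients are pointed at the server.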



        Configure RDP client to use SSL encryption

For client operating systems earlier than Windows Server 2003 SP1, you must first install the RDP 5.2 version of the RDP client connection component before SSL can be used to encrypt RDP communication. The installation file for this component is located in the %systemdrive%\system32\clients\tsclient\win32 directory of a Windows Server 2003 SP1 operating system. You only need to copy the msrdpcli.msi file to the RDP client and run the installation. You can also download this file by clicking this link.

After the installation is complete, click Start, point to All Programs, click Remote Desktop Connection, and then on the Security tab choose whether to use SSL (TLS 1.0) based server authentication:



• No authentication: the RDP client does not require server authentication from the terminal server. With this option the RDP client connection component behaves the same as earlier versions of the component. It applies to scenarios where the terminal server does not use SSL encryption; if the terminal server is configured to require SSL encryption, the terminal server refuses the connection;

• Attempt authentication: the RDP client requests, but does not require, server authentication from the terminal server. If the terminal server is not configured to use SSL encryption, or the CA that issued the terminal server's server authentication certificate is not in the list of trusted root certification authorities on the RDP client computer, the RDP client connection component prompts you, but you can still choose to continue the connection;

• Require authentication: the RDP client requires server authentication from the terminal server. If the terminal server is not configured to use SSL encryption, or the CA that issued the terminal server's server authentication certificate is not in the list of trusted root certification authorities on the RDP client computer, the RDP client connection component refuses to connect. Note that if the destination the RDP client connects to (server name or IP address) does not match the public name in the server authentication certificate used on the terminal server, the RDP client component considers that the terminal server cannot be authenticated and refuses to connect.
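As an added illustration (not from the original article), this PowerShell function reproduces the decision the RDP client makes under each of the three settings for a given server certificate: it checks whether the issuing CA chains to a trusted root on the client computer and whether the certificate's subject name matches the name used to connect. It assumes the server certificate has been exported to a .cer file (the path in the example call is a placeholder) and applies the name check in both the attempt and require modes, which goes slightly beyond the article's text.

```powershell
# Added example, not part of the original article. Models the RDP 5.2 client's
# Security tab behaviour for an exported server certificate (.cer file).
# Assumption: the name check (subject CN vs. connection target) is applied in
# both the "attempt" and "require" modes.

function Get-RdpClientDecision {
    param(
        [Parameter(Mandatory = $true)] [string] $CertPath,    # exported server certificate
        [Parameter(Mandatory = $true)] [string] $TargetName,  # name typed into Remote Desktop Connection
        [Parameter(Mandatory = $true)]
        [ValidateSet('NoAuthentication', 'AttemptAuthentication', 'RequireAuthentication')]
        [string] $Mode
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # Does the issuing CA chain up to a root that this computer trusts?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $issuerTrusted = $chain.Build($cert)

    # Does the certificate's public name match what the client connected to?
    $subjectName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $nameMatches = ($subjectName -eq $TargetName)   # -eq is case-insensitive in PowerShell

    $authenticated = $issuerTrusted -and $nameMatches
    if (-not $issuerTrusted) {
        $reason = 'issuing CA is not in the trusted root store'
    } elseif (-not $nameMatches) {
        $reason = "certificate name '$subjectName' does not match '$TargetName'"
    } else {
        $reason = 'server authenticated'
    }

    switch ($Mode) {
        'NoAuthentication' {
            'Connect without server authentication (the server itself refuses if it requires SSL)'
        }
        'AttemptAuthentication' {
            if ($authenticated) { "Connect: $reason" } else { "Prompt the user, connection may continue: $reason" }
        }
        'RequireAuthentication' {
            if ($authenticated) { "Connect: $reason" } else { "Refuse the connection: $reason" }
        }
    }
}

# Example call with placeholder values:
# Get-RdpClientDecision -CertPath 'C:\temp\terminal-server.cer' -TargetName 'ts01.example.local' -Mode RequireAuthentication
```

Running the function with the same certificate under all three modes makes the trade-off visible: only Require authentication turns an untrusted issuer or a name mismatch into a hard refusal, which is why it is the setting to use when clients connect across a network where a spoofed terminal server is a concern.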


After an RDP connection using SSL has been established, in full-screen mode a small lock icon appears on the connection bar at the top of the screen, indicating that the connection is SSL encrypted. Click it to view the server authentication certificate configured on the terminal server.




Copyright © Windows knowledge All Rights Reserved