
Options to Secure Access to your Terminal Server Environment

Terminal Server environments are often used to provide access to applications for end users who are not in the office. Nowadays such external access is mostly provided directly over the end user's own Internet connection. Logically, a connection over the Internet should be secured so that it is guaranteed the data cannot be compromised. That this must be arranged is not in question in any project; however, the way the result is accomplished differs per customer. In this article I discuss the available solutions and my experiences with them.

Software Based

The first possibility is a software-based solution that creates an encrypted connection between the Terminal Server environment and the end user's device. In this article I focus on the Citrix and Microsoft Terminal Server concepts; however, a software-based solution is available in most SBC products on the market. It depends on the manufacturer how exactly this is accomplished.

Citrix Software SSL solution

The Citrix software solution has been available for a long time and is no longer developed by Citrix since they released the Citrix Access Gateway (described later in this article). The product, called Citrix Secure Gateway, is however still updated to support new releases of Citrix XenApp. It is not a separate product, so it can be installed when you have purchased Citrix XenApp (the source can be found on the component CD delivered with Citrix XenApp).

The product uses the Citrix Web Interface to enumerate the applications and is the intermediary between the Citrix XenApp servers and the end user, arranging that the ICA protocol is encapsulated in an SSL connection. Advantages of the product are the fairly easy installation steps, no additional costs, the possibility to combine the Web Interface (WI) and the Secure Gateway (CSG) on one machine, and the possibility to create a fault-tolerant/load-balanced environment using round robin (or another technique). Disadvantages are that Citrix has stopped development and that some companies do not allow a Windows-based machine in their DMZ.

Before Citrix released the Access Gateway I used this product at several customers, where it did its job perfectly. It is a simple but reliable solution, and it is actually a pity that Citrix stopped its development. However, since Citrix changed the license mechanism for the Access Gateway, the hardware-based solution is the better alternative.

Microsoft Software SSL solution

Microsoft lacked a secure solution for a pretty long time. With the release of Windows 2008 the SSL encapsulation solution was finally delivered as a role. With Windows 2008 R2 the SSL solution has been renamed RD (Remote Desktop) Gateway. The role provides functionality similar to the Citrix Secure Gateway, acting as the intermediary between the end user and the RD Hosts. It also works together with RD Web Access. Because RD Web Access has fewer features, this also affects the features available through the RD Gateway (from an end-user perspective). The installation and configuration are both doable, and the same load balancing/fault tolerance techniques can be applied to the Microsoft solution. Just like the CSG, the disadvantage is that it is logically based on Windows, which is not always allowed in DMZ environments.

I don't have production experience with the RD Gateway, but in the demo environment where I tested it, it works fine. If you have production experience, don't hesitate to react via the comments component at the end of this article. Microsoft also offers similar functionality with the ForeFront Unified Access Gateway, which you can read more about in the Microsoft Hardware SSL solution topic further on in this article.

Hardware based

Besides the software-based solutions there are also hardware appliances that offer the possibility to encapsulate the RDP/ICA traffic in SSL. Just like the software-based options, both Citrix and Microsoft offer such a product, while there are also third-party suppliers offering such functionality in their hardware VPN/SSL appliances.

Citrix Hardware SSL solution

When Citrix introduced the Citrix Access Gateway (CAG) many people were skeptical. The CSG was working fine, and now you needed to purchase additional licenses to connect end users to the Citrix farm via the Access Gateway. With the latest release of the Access Gateway that license requirement has been removed; only for the (Advanced) Access Control do you need additional licenses. This is logical, because the Access Control offers additional functionality such as accessing intranet websites and data folders directly without setting up an ICA session, and adds additional security possibilities when setting up a full VPN. The CAG still uses the Web Interface to build the list of applications for the end user. Personally I find the CAG installation not really straightforward. The installation and configuration can be a little confusing (and frustrating) the first time, but once you are familiar with the product it is not complicated. The big advantage of the CAG is the possibility to use it for more kinds of connections (SSL VPN) and to extend it with the Access Control option. Also, using the appliance makes it possible to add the functionality in a DMZ where Windows is not allowed.

I use the CAG at several customers. In the beginning it was not that stable, but nowadays it is running fine. With the Access Control we still see some strange things happen once in a while, and the behavior during configuration is sometimes unexpected. Now that no additional licenses are required anymore, you only need to purchase the device. With the CAG you also have full Citrix support, so I advise my customers to use the CAG when possible.

"Microsoft" Hardware SSL solution

Microsoft also has the ForeFront Unified Access Gateway product, which is available as a software product that can be installed on Windows 2008 R2. However, the product is also available as a Unified Access Gateway appliance from several manufacturers (see this list), which turns the product into a hardware-based solution. I don't have any experience with the product or the appliances, so I can't write much about this possibility except that it is available. If you have experience, don't hesitate to contact me and I will add it to this article.

3rd Party Hardware SSL solution

The last possibility in this article is the third-party hardware SSL solution. In this category fall all appliances that offer Citrix XenApp and/or Microsoft RDS support and are based on their own system (so not based on the Microsoft UAG appliance solution). Most well-known network companies, such as Cisco, Juniper, F5 and many more, offer such functionality. Basically the appliance has a feature where you can configure that RDP and/or ICA traffic is allowed and should be tunneled in the SSL stream. It depends on the implementation of the appliance how this is done and what exactly is offered. Some systems can only support the slower and less-featured Java client, or the configuration options for an administrator are limited.

I have seen several implementations with a third-party appliance, and the basic functionality works fine, but I find troubleshooting more difficult. Usually two parties are involved (the Citrix administrators and the network department), and most appliances do not offer many troubleshooting possibilities or much logging. Also, both the user and the administrator experience is less featured and more "old-style".


In this article I described the possibilities to deliver secured access to your Citrix XenApp or Microsoft RDS servers. Mainly there are two flavors: a software-based solution or a hardware-based solution. Both vendors offer their own solutions for both flavors, and a third-party appliance can also be used. Now that it is clear which options are available, you can select the solution that fits best in your organization. You should definitely test the solutions within your own organization; this article is just the first step in selectin