RDP without VPN


#1

We currently use DUO for our RDP connections, directly and without VPN (Port open on firewall). Have never had an issue.

We purposefully don’t want VPN because we don’t need network level access and we don’t want people’s potentially infected remote computers on our networks. Then there’s the added inconvenience of managing multi-platform VPN clients and potentially additional credentials.

However, most traditional IT people suggest that adding VPN would be safer.
It’s definitely an extra layer but given the issues I mention above, the minuses seem to outweigh the pluses.
How are people doing this? Anyone care to comment?


#2

MS RD Gateway was made for this. It accepts the incoming RDP connection over HTTPS/443 instead of the regular RDP TCP/UDP port(s) 3389, so incoming client traffic is encrypted.


#3

I used it too without VPN; however, I use the setup below to add additional security:

  1. change the RDP default port from 3389 to something else
  2. enable the OS firewall and only allow connections from a certain range of IPs to limit exposure
  3. use a Live account to log in that is mapped to a local account
  4. I use an automated script to block IPs from unknown connection attempts, if any, or even if it is just an attempted port scan

Good Luck!


#4

Hello - we’re also using Duo with RDP.

I ran into some problems when changing the rdp port on a Windows 7 machine. All went as expected until the call to Duo was supposed to happen. It never did and the attempted session hung. RDP on 3389 works fine with Duo. Did you run into anything like that? Any hints?

Thanks!


#5

I’d take a peek at your firewall settings. I know the Microsoft OS firewall does not update the RDP port when it is changed in the registry.
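
As an added example (not part of the thread and not any poster's script): a PowerShell check for the mismatch described in #5, which also reports whether the matching rule is limited to a source range as in step 2 of #3. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets are not present on Windows 7) and an elevated session; `$AllowedRange`, `$ApplyFix` and the function names are hypothetical.

```powershell
# Added example: audit that the Windows firewall matches the configured RDP port.
# Assumptions: NetSecurity module available, elevated session.
$AllowedRange = '203.0.113.0/24'   # constructed placeholder (documentation range)
$ApplyFix     = $false             # leave $false to preview the rule with -WhatIf

function Get-RdpListenerPort {
    # The RDP listener reads its port from this registry value (default 3389).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [int](Get-ItemProperty -Path $key -Name PortNumber).PortNumber
}

function Get-InboundAllowRulesForPort {
    param([int]$Port)
    # Enabled inbound allow rules whose TCP local-port filter lists $Port exactly.
    # Port ranges such as "3380-3400" are not expanded in this example.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains "$Port")) {
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
                }
            }
        }
}

$port  = Get-RdpListenerPort
$rules = @(Get-InboundAllowRulesForPort -Port $port)

if (-not $rules) {
    Write-Warning "RDP listens on TCP $port but no enabled inbound allow rule covers it."
    # The firewall is not updated by the registry change, so the rule for the
    # new port has to be added by hand, scoped to the allowed source range.
    New-NetFirewallRule -DisplayName "RDP custom port $port" -Direction Inbound `
        -Protocol TCP -LocalPort $port -RemoteAddress $AllowedRange `
        -Action Allow -WhatIf:(-not $ApplyFix)
}

foreach ($r in $rules) {
    # A rule open to every source defeats the IP-range restriction.
    if ($r.RemoteAddress -contains 'Any') {
        Write-Warning "Rule '$($r.Rule)' allows TCP $port from any source address."
    } else {
        Write-Output "Rule '$($r.Rule)' allows TCP $port from: $($r.RemoteAddress -join ', ')"
    }
}
```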


#6

Thank you so much for responding. Yes - I have definitely made that mistake in the past but didn’t this time. 🙂 I sniffed the traffic and found all the back and forth doing fine - but all stopped just after the mouse click that should have had the host make a call to Duo.

The DNS call to find Duo never gets made nor is there further traffic.

But, since it sounds like others are doing this just fine, there must be something I’m doing wrong in my setup.


#7

You can try enabling debug logs for advanced troubleshooting.


#8

Once again, thank you. I will go read up on that.


#9

http://www.rethinkit.com/script-change-your-rdp-port-and-firewall-settings/