Article ID: 939324
This article describes the options that you have to help secure the connectivity between the remote Microsoft SoftGrid desktop client and the SoftGrid virtual application server. Some of these options are briefly described in other Microsoft Knowledge Base articles. However, the descriptions of some elements, such as VPN connectivity, are not included in other articles. This article describes the available remote connectivity options together with the advantages and the disadvantages for each option.
SoftGrid desktop clients
For SoftGrid desktop clients, you can use one of the following options to provide an encrypted connection:
Transport Layer Security (TLS) for SoftGrid environments
You can use TLS to help secure the communication between the SoftGrid desktop client and the SoftGrid virtual application server. For more information about how to enable secure connections, click the following article number to view the article in the Microsoft Knowledge Base:
How to enable secure connections in Microsoft SoftGrid (http://support.microsoft.com/kb/930870/)
Advantages
The following are advantages of this method:
Disadvantages
If you configure an internal certification authority (CA), the root certificate must be added to the root publisher's list of all remote SoftGrid desktop clients. This can be a major obstacle when you have SoftGrid desktop clients that never connect to the centralized site. In this case, the SoftGrid desktop clients cannot automatically download the CA certificate. To work around this issue, you can use a public third-party certificate on the SoftGrid virtual application servers.
TLS also increases the demand on the resources of the SoftGrid virtual application server. This increase in demand may affect server performance. Therefore, you must factor in this increase when you perform capacity planning.
Additionally, a firewall device or firewall software may be part of the network environment. Therefore, you may have to configure the device or the software to enable port traffic for the SoftGrid environment. For more information about SoftGrid networking, click the following article number to view the article in the Microsoft Knowledge Base:
Introduction to SoftGrid networking (http://support.microsoft.com/kb/932017/)
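The internal CA requirement described under Disadvantages can be checked on a remote client before TLS is enforced. The following is an added example, not code from the original article or from Microsoft: the function name Test-ServerCertificateTrust and the certificate file path are hypothetical, and it assumes an administrator has exported the SoftGrid virtual application server's certificate to a .cer file and copied it to the client.

```powershell
# Added example: reports whether this client can build a trusted chain
# for the server certificate, using only the client's local stores.
# $CertPath is a hypothetical path to an exported copy (.cer) of the
# SoftGrid virtual application server's certificate.
function Test-ServerCertificateTrust {
    param(
        [Parameter(Mandatory = $true)]
        [string]$CertPath
    )

    $fullPath = (Resolve-Path $CertPath).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # A remote client may be unable to reach the internal CA's revocation
    # list, so this check evaluates trust only and skips revocation.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $trusted = $chain.Build($cert)

    # Last element is the root if the chain is complete; otherwise it is
    # the highest certificate the client could find.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        TopOfChain     = $top.Subject
        TopInRootStore = $inRootStore
        Trusted        = $trusted
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

A result with Trusted set to False and a ChainStatus of UntrustedRoot or PartialChain indicates that the client does not have the internal CA's root certificate installed.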
VPN connectivity to the SoftGrid virtual application server
The SoftGrid desktop clients can also use a VPN connection to connect to the SoftGrid virtual application server.
Advantages
The encrypted connection between the SoftGrid desktop clients and the SoftGrid virtual application server does not use certificates. No additional configuration of high-end ports is required at the SoftGrid desktop client or at the SoftGrid virtual application server. More information about this configuration is available in the "Use RTSP, RTP and RTSP" section of the Microsoft Knowledge Base article 932017.
The VPN server or the firewall can pre-authenticate SoftGrid desktop clients before they connect to the SoftGrid virtual application server. Remote SoftGrid desktop clients are required to log on only one time to access network resources in the following scenarios:
Disadvantages
This method requires that you have a VPN concentrator or a VPN switch at the server site to enable remote connections. Additionally, if the VPN server or the firewall is not part of the internal domain, SoftGrid desktop clients may have to authenticate multiple times. The number of times that SoftGrid desktop clients have to authenticate depends on the authentication method that you use.
SoftGrid Terminal Services clients
For SoftGrid Terminal Services clients, you can use a VPN connection to connect to the SoftGrid virtual application server.
VPN connectivity to the SoftGrid virtual application server
Remote SoftGrid Terminal Services clients can use a VPN connection to connect to the SoftGrid virtual application server.
Advantages
Remote SoftGrid Terminal Services clients can be thin clients. Therefore, SoftGrid clients can access the SoftGrid virtual application servers and the SoftGrid applications through RDP clients or through browsers that use Terminal Services advanced client (TSAC) for Windows clients.
This method requires little to no configuration on the firewall. However, the firewall configuration does require that the port for Terminal Services connectivity be opened. If the Terminal Services server is Windows-based, you can use the instructions in the following Microsoft Knowledge Base article to publish Terminal Services on non-standard ports for additional security:
How can I add a new RDP listening port to Windows 2000/2003 Terminal Server? (http://support.microsoft.com/kb/555031/)
Disadvantages
In a Terminal Services deployment, the computing and the networking are concentrated at the Terminal Services servers. Therefore, more Terminal Services servers may be required to equal the performance levels of the SoftGrid desktop clients.