Options that provide encrypted connections between SoftGrid desktop clients and SoftGrid virtual application servers

This article describes the options that you have to help secure the connectivity between the remote Microsoft SoftGrid desktop client and the SoftGrid virtual application server. Some of these options are briefly described in other Microsoft Knowledge Base articles. However, the descriptions of some elements, such as VPN connectivity, are not included in other articles. This article describes the available remote connectivity options together with the advantages and the disadvantages for each option.

SoftGrid desktop clients

For SoftGrid desktop clients, you can use one of the following options to provide an encrypted connection:

• Transport Layer Security for SoftGrid environments
• VPN connectivity to the SoftGrid virtual application server

Transport Layer Security (TLS) for SoftGrid environments

You can use TLS to help secure the communication between the SoftGrid desktop client and the SoftGrid virtual application server. For more information about how to enable secure connections, click the following article number to view the article in the Microsoft Knowledge Base:

Advantages

The following are advantages of this method:

• It is independent of edge-level security devices, such as firewalls.
• It takes advantage of industry standard practices.
• It requires standard TLS configuration on the edge-level security devices.

Disadvantages

If you configure an internal certification authority (CA), the root certificate must be added to the root publisher's list of all remote SoftGrid desktop clients. This can be a major obstacle when you have SoftGrid desktop clients that never connect to the centralized site. In this case, the SoftGrid desktop clients cannot automatically download the CA certificate. To work around this issue, you can use a public third-party certificate on the SoftGrid virtual application servers.

TLS also increases the demand on the resources of the SoftGrid virtual application server. This increase in demand may affect server performance. Therefore, you must factor in this increase when you perform capacity planning.

Additionally, a firewall device or firewall software may be part of the network environment. Therefore, you may have to configure the device or the software to enable port traffic for the SoftGrid environment. For more information about SoftGrid networking, click the following article number to view the article in the Microsoft Knowledge Base:

VPN connectivity to the SoftGrid virtual application server

The SoftGrid desktop clients can also use a VPN connection to connect to the SoftGrid virtual application server.

Advantages

The encrypted connection between the SoftGrid desktop clients and the SoftGrid virtual application server does not use certificates. No additional configuration of high-end ports is required at the SoftGrid desktop client or at the SoftGrid virtual application server. More information about this configuration is available in the "Use RTSP, RTP and RTSP" section of the Microsoft Knowledge Base article 932017.

The VPN server or the firewall can pre-authenticate SoftGrid desktop clients before they connect to the SoftGrid virtual application server. Remote SoftGrid desktop clients are required to log on only one time to access network resources in the following scenarios:

• The VPN server or the firewall is part of the internal domain.
• The VPN server or the firewall can perform pass through authentication.

A VPN connection can work with all operating systems that support industry standard VPN protocols such as PPTP or L2TP. If you use Microsoft ISA Server as the VPN server or the firewall, you can enable additional security by using Quarantine control. You can also use access policies to control access to resources on the internal network.

Disadvantages

This method requires that you have a VPN concentrator or a VPN switch at the server site to enable remote connections. Additionally, if the VPN server or the firewall is not part of the internal domain, SoftGrid desktop clients may have to authenticate multiple times. The number of times that SoftGrid desktop clients have to authenticate depends on the authentication method that you use.

SoftGrid Terminal Services clients

For SoftGrid Terminal Services clients, you can use a VPN connection to connect to the SoftGrid virtual application server.

VPN connectivity to the SoftGrid virtual application server

Remote SoftGrid Terminal Services clients can use a VPN connection to connect to the SoftGrid virtual application server.

Advantages

Remote SoftGrid Terminal Services clients can be thin clients. Therefore, SoftGrid clients can access the SoftGrid virtual application servers and the SoftGrid applications through RDP clients or through browsers that use Terminal Services advanced client (TSAC) for Windows clients.

This method requires little to no configuration on the firewall. However, the firewall configuration does require that the port for Terminal Services connectivity be opened. If the Terminal Services server is Windows-based, you can use the instructions in the following Microsoft Knowledge Base article to publish Terminal Services on non-standard ports for additional security:

Disadvantages

In a Terminal Services deployment, the computing and the networking are concentrated at the Terminal Services servers. Therefore, more Terminal Services servers may be required to equal the performance levels of the SoftGrid desktop clients.