Hi all: How can I configure the 2X Application Server so that the users are only able to use the published applications, and they are not allowed to use Remote Desktop Connection to connect to the 2X Application Server? I've tried to block port 3389 on the server, but the 2X client can still use RDC to launch the remote desktop. Any idea? Thanks, JCVoon
I think I have the same question. How do I prevent a user from accessing the whole desktop? What's the use of setting group/user permissions on published applications if the user can still connect to the remote desktop via the standard Windows RDP client and get access to the full desktop? Have I missed the point? Thanks for any hint.
You can change the RDP port to, say, port 3390 and configure 2X Application Server to connect with this port. Nixu
I think it will not work because of the procedure I explain below, but let me try. Actually, I reviewed this forum and couldn't find any answer to my simple question. It is quite important not to give the users a full desktop, because they might make a "mess" of the server and desktop. This is pretty much the reason for the existence of Citrix. I installed 2X AppServer on a Win2003 server with Terminal Server installed. Then I published a few applications via 2X. Now, using the 2X client, I can launch those applications remotely from an XP machine. However, I am still able to get connected to the remote desktop via the Windows RDP client and launch ANY application on the server. Even if I block everything on the server except for port 80 via the Windows firewall, I can still see the whole server desktop (though I cannot connect using the Windows RDP client). For example, I published Notepad on the server, launched it remotely, then used the menu File->Open to see the filesystem. Then it's possible to launch a remote Explorer by right-clicking on any folder. This action makes the full remote desktop visible (even in the case of a blocked RDP port 3389). I don't understand such a security model for published applications...
This is not a good workaround, because the user is still able to connect to the server desktop using the Windows RDP client with a connection string like 192.168.200.4:3390 in your example.
> (though I cannot connect using the Windows RDP client).

Do you have any idea which additional port I should block other than port 3389?

> For example, I published Notepad on the server, launched it remotely, then used the menu File->Open to see the filesystem. Then it's possible to launch a remote Explorer by right-clicking on any folder. This action makes the full remote desktop visible (even in the case of a blocked RDP port 3389).

I think you can control this by setting the group policy on the server, but I don't know how to tell Win2003 server to apply that policy to the terminal service users only; it applies to all users, including the administrator. If anyone knows how, please let me know. Thanks
Using Citrix or 2X to present published applications should not be your form of securing your terminal servers, since there are many inroads to the terminal server from various programs. All terminal servers in your farm should have either local or domain group policies applied to them which will lock out the features you do not want the user to have access to, i.e. hiding/restricting access to hard drive letters, removing all or some desktop items, removing all or some Start menu items, restricting the launching of certain applications by executable name. By not allowing this to be accessible on the server, it will give you much more security. Now to your point of wanting to restrict access to a full desktop. That gets tricky, since 2X uses the same protocol. In Citrix this is easier because they use ICA, and you can then set permissions on the RDP protocol that will not allow access, or only allow access to administrators if you want. So the next best thing might be to apply group policies on the terminal server(s) that restrict the desktop, drives, Start menu, etc. This would pretty much make the full desktop unusable, but would not restrict the use of the application publishing. You can deny the policy for domain admins or any other group that might need the full desktop. If you mixed this technique with the port change mentioned in a previous post, you really could make the full-screen RDP useless as well as lock down your terminal servers. Rob
We have worked around all this by applying a Software Restriction Policy to an OU which contains the Terminal Servers. You just need to block EXPLORER.EXE. This needs to be under the User Configuration. Then under the Computer Configuration, you need to enable LOOPBACK for the policy to be applied. Also, you then set the permissions of this GPO to only apply to those users who you don't want to have the ability to run the full desktop. So for Admins it works fine; for ordinary users, they get an error when they try logging in using RDP. Hope this helps.
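An added audit script for the lock-down described in the post above (example code, not the poster's own): run on a terminal server in the session of a user the GPO is filtered to, it reports whether a Software Restriction Policy rule disallows EXPLORER.EXE and whether loopback processing is enabled. It assumes the documented registry locations for SRP ("Safer" path rules, level 0 = Disallowed) and for loopback ("UserPolicyMode"); nothing else about the environment is assumed.

```powershell
# Added example, not from the thread: check the SRP + loopback lock-down.
# User Configuration SRP rules are written under HKCU, Computer ones under HKLM.
$saferRoots  = @('HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
                 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers')
$loopbackKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'   # UserPolicyMode lives here

function Get-SrpPathRules {
    param([string]$Root)
    # SRP stores path rules as <level>\Paths\<GUID> with the path in ItemData.
    if (-not (Test-Path $Root)) { return }
    Get-ChildItem $Root | ForEach-Object {
        $level = 0
        if (-not [int]::TryParse($_.PSChildName, [ref]$level)) { return }  # skip non-level keys
        $paths = Join-Path $_.PSPath 'Paths'
        if (-not (Test-Path $paths)) { return }
        Get-ChildItem $paths | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Level = $level; Path = [string]$p.ItemData; Description = $p.Description }
        }
    }
}

# Gather rules from both hives and keep only Disallowed (level 0) rules naming explorer.exe.
$rules    = foreach ($r in $saferRoots) { Get-SrpPathRules -Root $r }
$blocking = @($rules | Where-Object { $_.Level -eq 0 -and $_.Path -match 'explorer\.exe$' })

# Loopback processing: 1 = Merge, 2 = Replace, absent = not configured.
$mode = (Get-ItemProperty -Path $loopbackKey -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
$loopback = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }

[pscustomobject]@{
    ExplorerDisallowed = ($blocking.Count -gt 0)
    MatchingRules      = ($blocking | ForEach-Object { $_.Path }) -join '; '
    LoopbackProcessing = $loopback
}
```

If ExplorerDisallowed is false for a user who should be restricted, the usual causes are GPO security filtering that excludes that user or loopback not being enabled on the server OU.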