New Feature: RDP over SSL with Windows Server 2003 SP1

Release Candidate 2 for Windows Server 2003 SP1 is available to test from, which means RTM can’t be that far away!

A new feature in SP1 (at least, present in the RC2 build of SP1) that’s been causing some confusion is RDP over SSL – a new option for Terminal Services that should provide server authentication for TS sessions, preventing MITM (man in the middle) attacks while providing a new option for encryption.

Up front – RDP over SSL is not a firewall traversal technology. It doesn’t mean you’re using Web protocols to do RDP. To rephrase, it’s not “RDP over HTTP”, it’s “RDP with TLS authentication and encryption over TCP” – it still happens over TCP port 3389, as RDP usually does.

For the screenshot at left, I don’t have a server certificate installed on my test VM at the moment, but I’m told that when you do, the SSL options become available.

This led to a few questions on how you server-publish RDP/SSL with ISA Server, and the answer is: exactly as you’d publish RDP normally with an ISA Server – using Server Publishing (the ISA 2000 version is here).

Essentially, ISA creates an opaque TCP connection between the client and the server, and the encryption and authentication occurs directly between client and server in a manner that ISA can’t inspect (except at the IP traffic level).
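Because ISA only passes an opaque TCP stream, the only place to confirm that a published TS host is really offering TLS is the client side of that stream. As an added example (not code from the post or from Microsoft), the script below performs the RDP security negotiation that precedes the TLS handshake, as documented in MS-RDPBCGR (the constants and packet layout are assumed from that spec, not from this page), asks the server for TLS, and, if granted, records the TLS version and the SHA-256 fingerprint of the certificate it presents so an admin can compare it with the certificate installed in the Local Machine store. The host name in the usage line is a placeholder.

```python
import hashlib
import socket
import ssl
import struct
import sys

# Constants from the MS-RDPBCGR security negotiation (assumed from the spec, not from the post).
PROTOCOL_SSL = 0x00000001             # "TLS over TCP 3389", the option the post describes
TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS"}

def build_connection_request(requested=PROTOCOL_SSL):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ that asks for TLS."""
    neg_req = struct.pack("<BBHI", 0x01, 0, 8, requested)   # type, flags, length, requestedProtocols
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req            # CR code, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224                         # length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224   # TPKT: version 3, total length

def parse_connection_confirm(data):
    """Decode the X.224 Connection Confirm and report which security layer the server chose."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) == 11:                                      # no rdpNegData: server predates negotiation
        return {"protocol": "legacy RDP security"}
    neg_type, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if neg_type == TYPE_NEG_RSP:
        return {"protocol": "TLS" if value & PROTOCOL_SSL else "legacy RDP security"}
    if neg_type == TYPE_NEG_FAILURE:
        return {"protocol": None, "failure": FAILURE_CODES.get(value, hex(value))}
    raise ValueError("unexpected rdpNegData type %#x" % neg_type)

def check_rdp_tls(host, port=3389, timeout=5):
    """Connect to a TS host, request TLS, and fingerprint the certificate it presents."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        result = parse_connection_confirm(sock.recv(64))
        if result["protocol"] != "TLS":
            return result
        ctx = ssl.create_default_context()
        ctx.check_hostname = False       # inspecting, not trusting: record what the server shows
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            result["tls_version"] = tls.version()
            result["cert_sha256"] = hashlib.sha256(der).hexdigest()
    return result

if __name__ == "__main__":
    print(check_rdp_tls(sys.argv[1]))   # e.g. python rdp_tls_check.py ts.example.internal (placeholder)
```

Servers of the Windows 2003 SP1 era negotiate TLS 1.0, which current Python/OpenSSL builds refuse by default; set `ctx.minimum_version = ssl.TLSVersion.TLSv1` (and, if needed, a lower OpenSSL security level) when checking such a host.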



Comments (14)

  1. rod says:

    Screenshot at

    Works well in my test enviro, no changes to my ISA 2004 server, thanks MS 🙂

  2. Tristank says:

    Thanks Rod – for a Lazy Admin, you sure provide a lot of (what looks like) screenshot effort! 🙂

  3. rod says:

    Screenshots are my middle name, but seriously IMO it makes it soooo much easier to SHOW someone than to tell them 🙂

    What’s that saying about pictures and 1000 words 🙂

  4. dolled says:

    How did you import/install the certificate????

  5. Tristank says:

    My guess: If you’re using an MS CA and you select the option to "Store certificate in Local Machine store", it’ll import to the right place.

    If you’re not using Web Enrollment, or you’re using a certificate from a third party CA (suitable for (eg, having intended purposes that include) Server Authentication), you can use the Certificates MMC snap-in, targeted at the Local Machine or Computer store, rather than the current user.

  6. rodrigo says:

  7. Tristank says:

    Gotta say – kudos for the most interesting item left in a comment 🙂

  8. kdavis says:

    I’ve heard this feature will be left out until longhorn. Is this true?

  9. Tristank says:

    *WARNING* some speculation included.

    As far as I can tell, no, that’s not the case.

    RDP using SSL *encryption* and *authentication* support, as described above, was in the RC2 build of Windows 2003 SP1. As I’ve noted, this is not TS-through-firewalls, or TS-through-Web-Protocols, it’s more of an RDP protocol upgrade.

    As we’re at RC2 already, I’d guess a cut this late would be unlikely.

  10. smoutc says:

    It is great to see it there, as indications I had seen pointed to it not being included in SP1.

    Wouldn’t a change in the authentication/encryption require an updated RDP client as well?? (Is there an updated RDP client included with 2003 SP1 RC2, and if so, does it have any new options regarding SSL)

  11. Tristank says:

    I’d expect so; away from home with no access to VPCs at the moment, so can’t check.

  12. smoutc says:

    I did some googling, and found a posting covering 2003 SP1 new features. Included are step by step instructions for the client and server setup for this feature. There is a new RDP client in 2003, which supports SSL authentication. Once I installed that, it worked great. (Only works on 2000 and XP though) Check it out at:

  13. smoutc says:

    As it turns out, despite what is indicated in the above posting, the new client seems to work with SSL encryption on Windows 98 just fine.