New Feature: RDP over SSL with Windows Server 2003 SP1

Release Candidate 2 for Windows Server 2003 SP1 is available to test from microsoft.com, which means RTM can't be that far away!

A new feature in SP1 (present at least in the RC2 build) that's been causing some confusion is RDP over SSL: a new security-layer option for Terminal Services that provides server authentication for TS sessions, so a client that checks the server's certificate can tell the real terminal server from an impostor sitting in the path (the MITM, man-in-the-middle, scenario), while also providing a new option for encrypting the session. Note the direction of that authentication: it's the server proving its identity to the client, not the other way round; users still log on to the session as before.

Up front: RDP over SSL is not a firewall traversal technology, and it doesn't mean you're using Web protocols to do RDP. To rephrase, it's not "RDP over HTTP", it's "RDP with TLS authentication and encryption over TCP". The session still happens over TCP port 3389, as RDP usually does; the difference is that the client and server agree to use TLS on that same connection before the RDP session proper begins, and the server's certificate is what the client authenticates.

In the screenshot at left I don't have a server certificate installed on my test VM at the moment, but I'm told that when you do, the SSL options become available.

This led to a few questions on how to server-publish RDP/SSL with ISA Server, and the answer is: exactly as you'd publish plain RDP with ISA Server, with a Server Publishing rule for TCP port 3389 (ISA 2000 version is here).

Essentially, ISA creates an opaque TCP connection between the client and the server: the TLS negotiation, the certificate check and the encryption all happen end to end between client and server, in a manner that ISA can't inspect beyond the IP and TCP headers (once TLS is up, all it sees is ciphertext). Two practical consequences follow. First, the certificate on the terminal server has to carry the name clients actually connect to through ISA (the published, external name), or the client's server-authentication check will fail. Second, the protection against MITM only exists if the client is configured to require server authentication rather than merely attempt it; a client that accepts any certificate, or none, will happily connect to whatever is on the other end of the published port.