Comments on TS08 v Citirx xenapp essentials please

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi all,

I'm in the process of testing out the new terminal services features vs citrix xenapp essentials as I would like to get rid of our VPN connections (users use these to work remotely which is making me uneasy).
I've noticed that the new version of terminal services now includes some citrix like features such as publishing apps to a web page, so this may be a cheaper alternative to xenapp.

Also has anybody actually used xenapp essentials or TS08 to allow users to work remotely and are there any gotcha's or things they don't tell you about in the glossy litrature. I've administered xenapp 4.5 and below before in my last job so I'm expecting essentials just to be a cut down version of that but as usual any war-worn comments on the products would be helpful before getting into bed with either product.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

What would you be using on the perimeter? UAG? TMG? TS08 has RemoteApp and the TS Gateway that really look good (I use RemoteApp to publish DPM to my infrastructure users). SSL VPN's are becoming a lot more common but obviously that's going to require PKI to be implemented correctly.

 

In my mind the TSGW would sit in the DMZ for users to connect to would it not (abit like xenapps SG and WI roles), I want to get rid of VPN's because of all those lovely viruses and spyware that are no doubt sitting on the networks of our users to who dial in by vpn. I know that remoteapp or citrix would not stop keylogging but it would stop creating effectively network bridging between our network and completely unknown ones.

 

Personally speaking I would use something like UAG (Unified Access Gateway) to sit in the DMZ and pass it through to the TS.

 

Dales, I'm a fan of SSL-VPN devices as they work over 443 so you will not have to open anymore ports on your firewall. You won't need a PKI infrastructure just an Public SSL Certificate for the A record (like OWA).

On the SSL-VPN devices you can configure these with 2 Factor Authentication to a Radius Server for extra protection and then publish applications to the SSL-VPN like Terminal Server or OWA.

The SSL-VPN would sit on the DMZ and you would only allow access from the SSL-VPN IP and Ports to the necessary server.

So it would look something like this:

User > SSL-VPN Login Two Factor Authentication > DMZ > LAN Terminal Server or OWA

You could also look at SSTP, but you will need Server 2008 and a Public SSL. You would then put in place the NPS policies saying that the client machines have to have AV and Windows Firewall turned on etc otherwise they cannot connect.