RODC + Remote Desktop Gateway + Remote Desktop Authentication Certificate

An interesting and somewhat quirky build-up.
The benefits are real: on my own Mac, comparing sessions with the VPN against sessions without it, battery life is noticeably longer.

The overall concept is very simple: RDP over SSL, which means the VPN is no longer required.

Microsoft offers three deployment approaches, but I felt that extending the AD with an RODC would be useful in any case.


Deploying the RODC is not hard at all:
pre-create the RODC machine account and open the required ports, and it will join without trouble.

Joining the member server, however, is where it gets odd. My approach is to first generate the provisioning file on the RODC with the command below, then load that file on the target server.

Provision – File Generation / File Load

djoin /provision /domain <domain_name> /machine <destination computer> /savefile <filename.txt> [/machineou <OU name>] [/dcname <name of domain controller>] [/reuse] [/downlevel] [/defpwd] [/nosearch] [/printblob] [/rootcacerts] [/certtemplate <name>] [/policynames <name(s)>] [/policypaths <Path(s)>]
djoin /requestodj /loadfile <filename.txt> /windowspath <path to the Windows directory of the offline image> /localos

Once everything is set up, all that remains is Add Role, which is very simple: just allow the authorized user group and it is done.

After the setup was complete, I went one step further and converted the self-signed Remote Desktop Authentication certificates on every machine inside the trusted network to certificates signed by the internal CA.

Likewise, the trusted zone is easy to convert, but member servers inside the DMZ need more procedure: install Certificate Enrollment Web Services (Username/Password authentication), create a new certificate template for the DMZ, and finally run a command to manually switch the Remote Desktop listener certificate.
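The final listener-switch step, as an added PowerShell example (not from the original post): it selects the CA-issued Remote Desktop Authentication certificate that CEP/CES enrolled into LocalMachine\My, binds it to the RDP-Tcp listener through the same Win32_TSGeneralSetting WMI object that the KB 3042780 wmic command sets, and verifies the binding. The issuer name in $IssuerMatch is a placeholder for your internal CA; run it elevated on the DMZ member server.

```powershell
# Added example, not the original post's code. Replaces the default
# self-signed RDP listener certificate with a CA-issued one.
param(
    [string]$IssuerMatch = 'CN=INTERNAL-CA',   # placeholder: your internal CA's subject
    [string]$Listener    = 'RDP-Tcp'
)

$rdpAuthEku = '1.3.6.1.4.1.311.54.1.2'   # "Remote Desktop Authentication" EKU OID

# Choose the newest usable cert: has a private key, issued by the internal CA,
# not self-signed (Subject equals Issuer on the default cert), not expired,
# and carrying the Remote Desktop Authentication EKU from the DMZ template.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $ekuExt = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $_.HasPrivateKey -and
        $_.Issuer  -like "*$IssuerMatch*" -and
        $_.Subject -ne   $_.Issuer -and
        $_.NotAfter -gt (Get-Date) -and
        $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object Value -eq $rdpAuthEku)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No CA-issued Remote Desktop Authentication certificate found in LocalMachine\My"
}

# Bind the certificate to the listener (same object KB 3042780 sets with wmic).
$listenerPath = "\\.\root\cimv2\TerminalServices:Win32_TSGeneralSetting.TerminalName='$Listener'"
Set-WmiInstance -Path $listenerPath -Argument @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Verify the listener now presents the intended thumbprint before trusting the change.
$bound = (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
            -Class Win32_TSGeneralSetting -Filter "TerminalName='$Listener'").SSLCertificateSHA1Hash
if ($bound -ne $cert.Thumbprint) {
    throw "Listener $Listener is still bound to thumbprint $bound"
}
"$Listener now uses $($cert.Subject) ($($cert.Thumbprint)), valid until $($cert.NotAfter)"
```

Existing RDP sessions keep the old certificate until they reconnect; a fresh connection from a client that trusts the internal CA should no longer show the certificate warning.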

Reference:

Remote Desktop Gateway

https://blogs.technet.microsoft.com/enterprisemobility/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules/

http://www.lemonbits.com/2014/06/20/installing-standalone-remote-desktop-gateway-on-the-windows-server-2012-r2-without-complete-remote-desktop-services-infrastructure/

RODC Setup

https://technet.microsoft.com/en-us/library/dd728035(WS.10).aspx#run_join_script

Offline Join

https://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(WS.10).aspx

Trusted Remote Desktop Auth Certificate

https://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html

Certificate Enrollment Web Services

https://blogs.technet.microsoft.com/askds/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates/

Remote Desktop Listener Certificate

https://support.microsoft.com/en-us/kb/3042780