Nick Holland wrote:
as stated, you can't do what you want to do the way you propose doing it.

To be specific, if you want to have multiple sites behind one IP address and one port, you need an application proxy. With http, you can do this with host headers and a reverse http proxy. You can't do this with RDP (Remote Desktop) because the RDP protocol doesn't know what the target host name is.

Do you REALLY want remote desktop sitting live on the 'net? That's one heck of a hole to punch in your firewall. If

More to the point, you do not want to remotely access WinXP machines across the Internet; see http://www.oxid.it/downloads/rdp-gbu.pdf, all versions of XP and Server 2003 pre-SP2 use a well-known "private" key to encrypt the data, so a man-in-the-middle attack is trivial. Server 2003 SP2 allows you to load a signed certificate, so if you set up a CA and use the RDP 6.0 client you can avoid the MITM problem. I'm not sure how this interacts with rdesktop.

(Download Cain & Abel from oxid.it if you want to scare your PHB.)

1) authpf:

I'd avoid this in this case, it does nothing to prevent MITM attacks once the authpf session is established.

2) SSH tunnels:

Personally, I'd go for the tunnels.

Agreed. At least with ssh tunnels you avoid the possibility of a MITM attack once the user connects the first time and saves the key. Putty's warnings are suitably dire if the key changes unexpectedly.

Fortunately, Longhorn/Server 2008 has solutions to most of these problems, but you have to both pay $$ and sell your soul.
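The tunnel setup argued for above, as an added example that is not part of the thread: the gateway account gets an authorized_keys entry that allows nothing but a forward to the one RDP host on 3389, and the client runs ssh with strict host-key checking so a changed key is a hard failure rather than a warning. The hostnames, user name and key material are assumptions, and the `restrict` keyword needs OpenSSH 7.2 or newer, much later than the systems discussed here (older sshds would use the no-pty/no-X11-forwarding/no-agent-forwarding options plus permitopen instead).

```shell
#!/bin/sh
# Added example, not from the original thread. All names below are assumed.
RDP_HOST="10.0.0.5"       # assumed internal XP/2003 box listening on 3389
GATEWAY="gw.example.org"  # assumed OpenBSD gateway running sshd
TUN_USER="rdptun"         # assumed unprivileged, tunnel-only account

# Gateway side: one authorized_keys line. "restrict" turns off pty, agent,
# X11 and port forwarding; "port-forwarding" re-enables forwarding, and
# "permitopen" confines it to the single RDP host and port.
authorized_keys_line() {
  pubkey="$1"
  printf 'restrict,port-forwarding,permitopen="%s:3389" %s\n' "$RDP_HOST" "$pubkey"
}

# Client side: -N opens no shell, -L binds 3389 on loopback only so other
# hosts on the LAN cannot ride the tunnel, StrictHostKeyChecking=yes refuses
# a changed or unknown host key, ExitOnForwardFailure makes a failed bind fatal.
client_tunnel_cmd() {
  printf 'ssh -N -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes -L 127.0.0.1:3389:%s:3389 %s@%s\n' \
    "$RDP_HOST" "$TUN_USER" "$GATEWAY"
}

# Review helper: accept only authorized_keys lines that start with "restrict"
# and pin the forward to RDP_HOST:3389; anything else could grant a shell or
# an arbitrary forward through the gateway.
check_authorized_line() {
  line="$1"
  case "$line" in
    restrict,*permitopen=\"$RDP_HOST:3389\"*) return 0 ;;
    *) return 1 ;;
  esac
}
```

Once the tunnel is up, the RDP client (mstsc, rdesktop) is pointed at 127.0.0.1:3389 and never talks to the Windows box directly; the first connection still has to be made from a network you trust so that the saved host key is the right one.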
