Friday, August 14, 2015

RDP over SSL

I have a few servers and desktops running in the cloud, some on Azure and some on AWS. I frequently need to RDP into these boxes, but that is not always possible from inside a firewall: simple port redirection does not fool those firewalls, whereas SSL traffic is allowed in almost any organization. So one of the best options is to tunnel RDP inside SSL.

I found the following article very useful.

RDP SSL tunneling with stunnel

In fact, I recommend you proceed as outlined in that article.

I've provided my comments because I use Windows on both ends (server as well as client).

On the Server

1. Install stunnel
2. Provide the necessary details to create the server-side certificate (stunnel.pem)
3. Make the following changes to the configuration file:

; Debugging stuff (may be useful for troubleshooting)
debug = info
output = stunnel.log

; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store
; Each section using this feature also needs the "engineId = capi" option
;engine = capi
; TLS front-end to a web server

[https]
accept  = 443
connect = 3389
cert = stunnel.pem

; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

On all the gateways / firewalls

1. Make sure that traffic on port 443 can flow end to end from the client to the server. Open (or forward) the necessary ports along the way.

On the Client

1. Install Cygwin, which comes with stunnel and socat
2. Create the certificate (again, follow the instructions in the original article; I won't repeat them here)
3. Make the following changes to the configuration file:

; debug = 7
;foreground = yes
output = /etc/stunnel/tunnel.log

cert = /etc/stunnel/stunnel.pem
options = NO_SSLv2

[rdp]
client = yes
accept = 127.0.0.1:3399
connect = 127.0.0.1:81

4. In the Cygwin shell, run stunnel
5. Then run socat as follows:

socat -d -d TCP-LISTEN:81,reuseaddr,fork PROXY:<FQDN OF YOUR CORPORATE PROXY SERVER>:<FQDN OF YOUR REMOTE SERVER>:443,resolve,proxyport=<YOUR CORPORATE PROXY PORT>,proxyauth=<YOUR CORPORATE USERNAME>:<YOUR CORPORATE PASSWORD>

Traffic Flow

Here is the traffic flow:

1. You RDP to 127.0.0.1:3399
2. Your client stunnel, listening on port 3399, encapsulates the RDP traffic in SSL and forwards it to port 81 on the client
3. Your client socat, listening on port 81, forwards the traffic to port 443 on the remote server, authenticating to the corporate proxy with your corporate username and password
4. Traffic flows through all the hops between the client and the server
5. Traffic lands on port 443 on the remote server, where the server stunnel is listening
6. The server stunnel decapsulates the RDP traffic and forwards it to port 3389 on the server
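
As an added illustration (not code from the original post, nor from socat or stunnel), here is the HTTP CONNECT exchange that the socat PROXY: address in client step 5 performs on your behalf, and that step 3 of the traffic flow describes, written out in Python; the host names and credentials are placeholders. It shows what the corporate proxy actually receives: a CONNECT to your remote server's FQDN on port 443 and your credentials, merely base64-encoded, in a Proxy-Authorization header.

```python
import base64
import socket


def build_connect_request(target_host, target_port, username, password):
    """The request socat sends for PROXY:<proxy>:<target>:443,proxyauth=user:pass.
    Basic auth only base64-encodes the credentials, so the proxy (and anything
    between the client and the proxy) sees them in clear."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return (f"CONNECT {target_host}:{target_port} HTTP/1.0\r\n"
            f"Host: {target_host}:{target_port}\r\n"
            f"Proxy-Authorization: Basic {creds}\r\n\r\n").encode()


def parse_connect_response(data):
    """Return (HTTP status code, bytes that followed the proxy's header block).
    The leftover bytes matter: once the proxy answers 200, the first bytes of
    the server's TLS traffic may already sit in the same read."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), rest


def open_tunnel(proxy_host, proxy_port, target_host, target_port,
                username, password):
    """Connect to the proxy and request the tunnel. Returns the raw socket plus
    any leftover bytes; the TLS client (stunnel's job in this setup) would then
    start its handshake on that socket."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=10)
    try:
        sock.sendall(build_connect_request(target_host, target_port,
                                           username, password))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before replying")
            buf += chunk
        status, leftover = parse_connect_response(buf)
        if status != 200:  # 407 = proxy did not accept the credentials
            raise ConnectionError(f"proxy refused CONNECT: HTTP {status}")
    except Exception:
        sock.close()
        raise
    return sock, leftover
```

A 407 reply means the proxy rejected the credentials; any other non-200 reply usually means the proxy policy does not permit CONNECT to that host and port, which is the first thing to check when the socat step fails.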
 
Believe me, it works and there is no delay. I've tested it myself and can vouch for it. In fact, I am blogging this post from my desktop on Azure while behind a thick firewall. Happy RDPing.