SSL Gateway

Objective

The objective of the SSL Gateway is to deliver a secure Remote Desktop session between any location in the world and an AADS Terminal Server. The term “secure” implies:

• Strong SSL encryption is used in order to avoid “listening” on the connection. The RDP-protocol in itself is already encrypted, but a SSL encryption beneath the RDP connection, using strong certificates, will do a much better job.
• Identification of both the client and the server. The SSL Gateway gives an Administrator the possibility to deliver specific Client Builds with an included certificate, which can only connect to 1 or more AADS Terminal Servers. Also, the Administrator can “withdraw” a Client certificate, such that the client can not connect any more.
  

Specifications

• The Certificates generated by the SSL Gateway are based on RSA, 4096 bits.
• Encryption Cipher: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384, TLSv1.3
  • Optional, because of "old" Client Devices: Encryption Cipher: ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2
• Both the Client and the Server do verify each other certificate.
• The SSL Gateway can be used in an AADS Farm.

About the SSL Certificates

• Using AADS Maintenance & Control, the AADServer generates all SSL Certificates.
• Each AADServer in the world generates its own unique SSL Server and Client Certificates.
• There is NO dependency on any other party in the world who sells, distributes, verifies or signs SSL Certificates.
• The encryption between the Clients and the Server is end-to-end encryption and includes verification about which Client is connecting with which Server.
• Nobody / nothing else in the world can decrypt the communication between your AADServer and your AADS Clients using the SSL Gateway.
  • This includes AADS WorldWide. We can not decrypt in any way the SSL connection between the AADServer of a customer and the Clients devices of a customer.

For example, when it is about SSL Certificates and browsers, the problem can exist that, if a so called SSL Certificate Signing Authority is compromised or abused, the encryption between the browser and the webserver can be decrypted by a third party or hacker:

• Wikipedia: CA compromise

The problem of a "Certificate authority compromise" does not exist when using the AADS SSL Gateway, because the AADServer is completely independent when it is about the SSL Certificates. Nobody / nothing can decrypt the SSL Connection, except the AADServer and the Client PC's.

Example 1: Stand Alone AADS Terminal Server

• The company has a connection with the internet. This connection is reachable by the domain name www.example.com
• The client using the home PC connects using www.example.com:3443.
• The Firewall does forward incoming connections for port 3443 to the AADS Terminal Server.
• The AADS Terminal Server is running the SSL Gateway on port 3443.
• It is a stand-alone AADS Terminal Server; there is no AADS Farm.

Example 2: AADS Farm with 3 Terminal Servers and 2 internet connections

• The company has 2 connections with the internet.
  • When a client tries to connect to www.example.com:3444, the connection goes through the Firewall 1.
  • When a client connects using www.example.com:3445, the connection goes through the Firewall 2.
• The client at the Home PC can use either www.example.com:3444 or www.example.com:3445
  • By offering client 2 connection addresses, and having 2 connections with the internet, the company can offer the client redundancy for the connection to the AADS Farm.
• Firewall 1 forwards port 3444 to the SSL Gateway on AADS Terminal Server 1.
• Firewall 2 forwards port 3445 to the SSL Gateway on AADS Terminal Server 2.
• The SSL Gateways on both AADS Terminal Server 1 and 2 will handle the correct forwarding to the appropriate AADS Terminal Server in the Farm, based on the Load Balancing Parameters.
• AADS Terminal Server 3 does not run the SSL Gateway.