I'm looking for some advice on improving remote access for a client. They currently have an open Remote Desktop gateway on port 443 without multi-factor authentication. After users log in, they download a .rdp file to connect using the standard mstsc client. This setup exposes port 3389 for all users in the continental US, and we even allow temporary access from entire countries, which feels risky and needs to be changed.
We're considering Microsoft Remote Desktop via the HTML5 web client, but it's been frustratingly lacking features like multi-monitor support, and it's laggy. A Microsoft rep informed me that this client will soon be out of support, and they suggest migrating to the Windows App, which seems to be a better option.
Cost is a significant concern, so I'm thinking that we might keep mstsc for users, potentially complemented by a client VPN solution (like GlobalProtect), but that would involve extra setup and training for users on personal devices. How would you recommend tackling this dilemma?
Also, here's a note from Microsoft about the upcoming end of support for the Remote Desktop client, including the HTML5 version: the standalone installer will not receive security updates after March 27, 2026.
6 Answers
Implementing a VPN for your users is a must. If you're using Entra, check out SonicWall CSE. It’ll keep your RDP connections secure without exposing ports.
You really shouldn't have port 3389 open like that, since the RD Gateway is meant to tunnel everything over port 443. It’s essential to lock down any unnecessary ports for security.
Have you looked into using a Citrix NetScaler? There's a free version available, and it includes MFA integration. Might be a solid solution for your remote access needs.
I suggest checking out Parallels RAS. It's cheaper than Citrix and can seamlessly replace your current RD Gateway. Plus, it has built-in MFA, which saves you from paying for an extra service.
I completely agree! I implemented this recently, and it made everything so much easier.
Don't forget to consider Apache Guacamole! It's free, supports MFA, and offers solid remote access solutions. Pair it with a Web Application Firewall like Cloudflare for added security.
Remember, the HTML5 client itself isn't reaching end of support—it's the standalone installer. MSTSC is still valid. Setting up Azure Application Proxy can help secure your connections too.

Totally agree! Adding multi-factor authentication to your RD Gateway is crucial. It may cost a bit upfront, but it's worth safeguarding access.
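
Added example, not part of any post in this thread: a small Python check tied to the answer about port 3389 and the RD Gateway tunneling everything over 443. It parses the .rdp file that users download and flags settings that do not force the connection through the gateway. The sample file and host names are constructed, and the `gatewayusagemethod` meanings are taken from Microsoft's documented RDP file properties.

```python
# Audit a downloaded .rdp file: is the session forced through the RD Gateway (443),
# or can the client fall back to a direct connection on the RDP port?
# .rdp files are plain text, one "name:type:value" setting per line (i = integer, s = string).
# mstsc often saves them as UTF-16; decode before passing the text in.

SAMPLE_RDP = """\
full address:s:desktop01.corp.example
server port:i:3389
gatewayhostname:s:rdgw.example.com
gatewayusagemethod:i:2
"""  # constructed sample, not taken from the thread

GATEWAY_USAGE = {
    0: "never use RD Gateway",
    1: "always use RD Gateway",
    2: "use RD Gateway only if a direct connection fails",
    3: "use default RD Gateway settings",
    4: "do not use RD Gateway, bypass for local addresses",
}


def parse_rdp(text):
    """Return {setting_name: value}, converting integer settings to int."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts
        is_int = kind == "i" and value.lstrip("-").isdigit()
        settings[name.lower()] = int(value) if is_int else value
    return settings


def audit_rdp(text):
    """Return findings; an empty list means the file forces use of the gateway."""
    s = parse_rdp(text)
    findings = []
    if not s.get("gatewayhostname"):
        findings.append("no gatewayhostname: client connects straight to the session host")
    method = s.get("gatewayusagemethod")
    if method != 1:
        meaning = GATEWAY_USAGE.get(method, "missing or unknown")
        port = s.get("server port", 3389)
        findings.append(f"gatewayusagemethod={method} ({meaning}): "
                        f"gateway is not forced, direct RDP on port {port} may be tried")
    return findings


if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_RDP):
        print("FINDING:", finding)
```

A file that passes this check still relies on the perimeter firewall blocking inbound 3389; the check only confirms the client side is configured to use the gateway.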