Overview

Delivering remote applications securely takes more than opening an RDP port. In a modern Managed Service Provider (MSP) landscape, exposing RDP on internal servers directly to the internet is a critical security failure: it puts a brute-forceable login one port scan away from every attacker on the internet.

This guide breaks down the architecture for a highly available TS Plus environment that stays up when an application server fails and that admits users only through a centralized gateway protected by external MFA.

The Architecture

A resilient TS Plus deployment separates the access layer from the execution layer. This ensures that a spike in user traffic or a targeted attack on the gateway does not crash the underlying application servers.

  1. The Web Access Gateway: Acts as the single entry point. It hosts the TLS certificate, serves the HTML5 web portal, and brokers incoming connections to the farm. Because it is the only internet-facing component, it is also where MFA is enforced before any session is brokered.
  2. The Server Farm: Two or more application servers hosting the actual software. They do not have public IP addresses and are completely isolated from the internet.
  3. The Load Balancer: Integrated within the TS Plus Gateway, it distributes user sessions across the server farm based on CPU and memory utilization, ensuring no single node is overwhelmed.
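As an added check on this layout (example code written for this guide, not TS Plus tooling), the script below runs on the Gateway and confirms the two properties the design depends on: each farm server resolves only to private (RFC 1918) addresses, and its RDP port is reachable from the Gateway. The hostnames TSP-APP-01 and TSP-APP-02 and the port 3389 are assumed placeholders.

```powershell
# Added example for this guide (not TS Plus's own tooling). Run on the TS Plus Gateway.
# The server names and port below are assumed placeholders; substitute your own.
$FarmServers = @('TSP-APP-01', 'TSP-APP-02')
$RdpPort     = 3389

function Test-PrivateIPv4 {
    # Returns $true when an IPv4 address lies in an RFC 1918 range (10/8, 172.16/12, 192.168/16).
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

$report = foreach ($server in $FarmServers) {
    # Resolve every IPv4 address the name maps to; a farm node with a public address breaks the design.
    $addresses = [System.Net.Dns]::GetHostAddresses($server) |
        Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
        ForEach-Object { $_.IPAddressToString }
    $publicAddrs = @($addresses | Where-Object { -not (Test-PrivateIPv4 $_) })
    $publicText  = if ($publicAddrs.Count -gt 0) { $publicAddrs -join ', ' } else { 'none' }

    # A TCP handshake on the RDP port is the path the Gateway brokers sessions over.
    $reachable = Test-NetConnection -ComputerName $server -Port $RdpPort `
                                    -InformationLevel Quiet -WarningAction SilentlyContinue

    [pscustomobject]@{
        Server         = $server
        Addresses      = ($addresses -join ', ')
        PublicAddress  = $publicText
        RdpFromGateway = [bool]$reachable
    }
}

$report | Format-Table -AutoSize

# Fail loudly if any node is publicly addressed or cannot be brokered from the Gateway.
if ($report | Where-Object { $_.PublicAddress -ne 'none' -or -not $_.RdpFromGateway }) {
    Write-Error "Farm check failed: see the table above."
}
```

Run the inverse probe from a host outside the network as well: the same port test against each farm server must fail there. A script inside the perimeter cannot prove that for you.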

Infrastructure Lockdown (PowerShell)

Once the Gateway is handling traffic, enforce network-level isolation on the application servers as well. The PowerShell script below, run on each farm server (not on the Gateway), configures the Windows Firewall so the host accepts RDP only from the trusted Gateway IP. It complements, rather than replaces, the network ACLs or security groups that keep the farm off the internet: a host firewall also stops lateral RDP from other internal machines that those perimeter controls do not see.

#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Isolates TS Plus Application Servers to Gateway Traffic Only.
.DESCRIPTION
    Disables the default "Remote Desktop" inbound rules and creates a strict allow-list
    rule so RDP is accepted only from the internal TS Plus Gateway address.
.NOTES
    Run on each farm server, not on the Gateway, from an elevated session.
    The rule is scoped to the Domain and Private profiles; a NIC classified as Public
    will not match it and will then accept no RDP at all.
#>

$ErrorActionPreference = 'Stop'

$GatewayIP = "10.0.50.10" # Replace with your internal TS Plus Gateway IP
$RdpPort   = 3389         # Change if the farm server listens for RDP on a non-default port
$RuleName  = "TS Plus - Allow Gateway RDP"

# Refuse a malformed address: a typo here would lock the Gateway out as well.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($GatewayIP, [ref]$parsed)) {
    throw "GatewayIP '$GatewayIP' is not a valid IP address."
}

Write-Host "Locking down RDP access to Gateway ($GatewayIP)..."

# 1. Disable Default RDP Rules (Inbound)
#    The group covers the TCP and UDP listeners and Remote Desktop shadowing. Disabling rather
#    than deleting keeps them available for rollback; with UDP closed, RDP falls back to TCP.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Where-Object Direction -eq "Inbound" | Disable-NetFirewallRule
Write-Host "[-] Default RDP rules disabled."

# 2. Create Strict Allow Rule for Gateway (remove any earlier copy first so the script is idempotent)
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName `
                    -Direction Inbound `
                    -Action Allow `
                    -Protocol TCP `
                    -LocalPort $RdpPort `
                    -RemoteAddress $GatewayIP `
                    -Profile Domain,Private `
                    -Description "Strictly allow RDP from TS Plus Gateway only." | Out-Null

# 3. An allow-list only holds if the profile blocks unsolicited inbound traffic by default.
Get-NetFirewallProfile -Name Domain,Private |
    Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -eq 'Allow' } |
    ForEach-Object { Write-Warning "Profile '$($_.Name)' is disabled or allows inbound by default; the RDP allow-list is not enforced on it." }

Write-Host "[✓] Firewall isolation complete. RDP on TCP $RdpPort is now accepted only from $GatewayIP."
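Disabling rules is only half the job; another rule (a vendor agent, a GPO, a colleague's "temporary" exception) can still open the RDP port to everyone. As an added audit example written for this guide (not TS Plus tooling), the script below runs on a farm server, walks every enabled inbound allow rule whose port filter covers the RDP port, and flags any whose remote scope is wider than the Gateway. It also checks the two conditions under which the allow-list silently stops applying: a profile that is disabled or allows inbound by default, and a NIC that Windows has classified as Public. $GatewayIP and $RdpPort are the same assumed placeholders as in the lockdown script.

```powershell
#Requires -RunAsAdministrator
# Added audit example for this guide (not TS Plus tooling). Run on each farm server after lockdown.
# $GatewayIP and $RdpPort are assumed placeholders matching the lockdown script above.
param(
    [string]$GatewayIP = "10.0.50.10",
    [int]   $RdpPort   = 3389
)

function Test-PortMatch {
    # $true when a rule's LocalPort filter covers $Port: 'Any', an exact port, or a range like "3388-3390".
    param($LocalPort, [int]$Port)
    foreach ($entry in @($LocalPort)) {
        $s = "$entry"
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

$findings = foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    $port = $rule | Get-NetFirewallPortFilter
    # TCP carries the brokered session; UDP is included because the default rule set opens it too.
    if ($port.Protocol -notin @('TCP', 'UDP', 'Any')) { continue }
    if (-not (Test-PortMatch -LocalPort $port.LocalPort -Port $RdpPort)) { continue }

    $remote      = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $gatewayOnly = ($remote.Count -eq 1 -and $remote[0] -eq $GatewayIP)
    $status      = if ($gatewayOnly) { 'OK (gateway only)' } else { 'EXPOSED' }

    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Protocol      = $port.Protocol
        LocalPort     = (@($port.LocalPort) -join ',')
        RemoteAddress = ($remote -join ',')
        Profile       = $rule.Profile
        Status        = $status
    }
}

$findings | Format-Table -AutoSize

# The allow-list is meaningless if a profile is off or allows inbound by default, and a
# Domain/Private-scoped rule never matches a NIC that Windows has classified as Public.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -eq 'Allow' } |
    ForEach-Object { Write-Warning "Firewall profile '$($_.Name)': Enabled=$($_.Enabled), DefaultInboundAction=$($_.DefaultInboundAction)" }
Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public' |
    ForEach-Object { Write-Warning "Interface '$($_.InterfaceAlias)' is classified Public; Domain/Private-scoped rules do not apply to it." }

if ($findings | Where-Object Status -eq 'EXPOSED') {
    Write-Error "RDP on port $RdpPort is reachable from addresses other than the Gateway ($GatewayIP)."
}
```

A clean run lists exactly one row, the Gateway allow rule, with Status "OK (gateway only)" and no warnings. Anything else is a finding to fix before the server joins the farm, and the script is cheap enough to schedule so that a later rule change is caught instead of discovered during an incident.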