Download - Terminal Server Configuration
Chapter 2: Configuring Terminal Services

The Terminal Services (TS) server role enables users to connect to the server and run specific graphical applications, or to use the full Windows desktop. This capability is useful in a variety of scenarios, for example, to centralize administration of applications; to exercise greater control over what users are able to do with an application; or to enable users of any of the platforms that support the remote desktop web client to access a Windows desktop or Windows-based applications. TS can lower support costs because you only have to maintain and upgrade the application on a few servers rather than hundreds or thousands of end user computers. It can facilitate new types of solutions, such as allowing mobile users to securely access a Windows desktop that is located on the corporate network using nothing more than a web browser. In this chapter you will learn to:
- Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp).
- Configure Terminal Services Gateway.
- Configure Terminal Services load balancing.
- Configure and monitor Terminal Services resources.
- Configure Terminal Services licensing.
- Configure Terminal Services client connections.
- Configure Terminal Services server options.
Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp)

TS RemoteApp programs appear to be running on the end user's computer: each has its own resizeable window and each appears as an item on the Taskbar, but they are actually running on a TS server. The user does not have access to the full Windows desktop on the TS server, just specific applications. The applications can be accessed through the full TS client or using the ActiveX-based client that runs within a web browser.

Installing Terminal Services

There are 5 TS role services; it is very important that you understand the function of each and how they interact with one another. Only the Terminal Server role service is required to enable basic RemoteApp functionality, but install all five on a server in your practice lab along with any dependent server roles. The five role services are:
- Terminal Server: TS core functionality is provided by this role service, including the ability to host multiple Windows desktop sessions for remote users.
- TS Licensing: Used for installing, issuing, and monitoring the client access licenses (CALs) that are required for each user or device to connect to a terminal server.
- TS Session Broker: Provides session load balancing across a farm of TS servers, and ensures that clients are reconnected to their existing session after a brief interruption.
- TS Gateway: Enables authorized users working remotely to connect to TS servers on the corporate network. This role service requires the Web Server and Network Policy and Access Services server roles.
- TS Web Access: Enables users to access TS through a website using a web browser and the ActiveX-based TS client. This role service requires the Web Server server role.
The installation wizard will prompt you to provide a lot of information; proceed through the wizard as follows:

1. On the Specify Authentication Method for Terminal Server page of the installation wizard specify Require Network Level Authentication and click Next. This provides a higher level of security by requiring TS clients to authenticate sooner during the process of establishing a connection to the TS server. This requires that the clients be running Remote Desktop Connection (RDC) 6.0 and an operating system (OS) that supports the Credential Security Support Provider (CredSSP) protocol, which means Windows Vista and Windows Server 2008, or Windows XP with Service Pack 3.
2. On the Specify Licensing Mode page select Configure Later and click Next. Understanding TS licensing is an important part of preparing for the exam, therefore it is covered in its own section later in the chapter.
3. Accept the defaults for the next two pages of the wizard. On the Choose a Server Authentication Certificate for SSL Encryption page select Choose an existing certificate for SSL Encryption if one is available, otherwise choose Create a self-signed certificate for SSL Encryption, and click Next.
4. On the Create Authorization Policy for TS Gateway page specify that you will create the policies later; authorization policies will be covered later in this chapter.
5. Accept the defaults for the remaining pages of the wizard and complete the installation. At this point you may need to restart the server.
For a production TS server you would now install the applications that end users will be able to run; you can forego that process in your practice lab.

Configuring RemoteApp Programs

Shortcuts to the TS management tools were created in a folder called Terminal Services in the Administrative Tools folder. For the rest of the chapter, when I ask you to launch any of the TS tools I will not specify the folder name if the shortcut is located in the Terminal Services folder. To add applications to the RemoteApp programs list open TS RemoteApp Manager, and do the following:
1. Click Add RemoteApp Programs in the Actions pane, and click Next when the wizard launches.
2. Since we have not added any end user applications, select Calculator and WordPad from the list of programs and click Next.
3. Click Finish to complete the wizard.
Now you have to decide how to make the programs available to users. You can right-click on each in the RemoteApp Programs list to see several options, as shown in figure 1:
- Show in TS Web Access to have the applications listed on the TS Web Access website.
- Create .rdp File to generate a shortcut to the RDC client application that includes connection information. When a user opens the shortcut the RDC client will connect to the TS server and open the RemoteApp program. Remote Desktop Protocol (RDP) is the network protocol used for TS communication. You can distribute the .rdp file by posting it on a shared network folder or copying it to each user's computer.
- Create Windows Installer Package will also create a shortcut to the RDC client with the necessary connection settings; however, when the package is installed a few other changes can be made, such as adding a shortcut to the Start menu. You can distribute the package using group policy or whatever software management program you use.
Figure 1: Configuring RemoteApp Deployment.
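The .rdp shortcut described above is a plain text file of "name:type:value" lines. The following is an added example (not code from the chapter) that writes such a file for a RemoteApp program, including the TS Gateway settings used later in the chapter, and checks a file before it is posted to a shared folder; the server name ts01.contoso.com, the alias calc and the gateway gw.contoso.com are constructed, and the defaults chosen (no drive redirection, warn on certificate failure) are this example's own.

```powershell
# Build a RemoteApp .rdp file like the one "Create .rdp File" produces.
# Server, alias and gateway names are constructed for this example.
function New-RemoteAppRdpFile {
    param(
        [string]$TsServer,          # full address of the TS server
        [string]$RemoteAppAlias,    # alias shown in the RemoteApp Programs list
        [string]$OutFile,
        [string]$GatewayFqdn = ""   # optional TS Gateway in front of the server
    )
    $settings = @(
        "full address:s:$TsServer",
        "remoteapplicationmode:i:1",        # RemoteApp window instead of a full desktop
        "remoteapplicationprogram:s:||$RemoteAppAlias",
        "remoteapplicationname:s:$RemoteAppAlias",
        "alternate shell:s:rdpinit.exe",
        "disableremoteappcapscheck:i:1",
        "authentication level:i:2",         # warn if the server certificate cannot be validated
        "prompt for credentials:i:1",
        "drivestoredirect:s:",              # no client drives exposed to the server
        "redirectclipboard:i:1",
        "redirectprinters:i:0",
        "audiomode:i:2"                     # do not play remote audio
    )
    if ($GatewayFqdn -ne "") {
        $settings += "gatewayhostname:s:$GatewayFqdn"
        $settings += "gatewayusagemethod:i:1"        # always route through the gateway
        $settings += "gatewaycredentialssource:i:0"  # ask for gateway credentials
        $settings += "gatewayprofileusagemethod:i:1"
    }
    # TS RemoteApp Manager writes Unicode .rdp files; mstsc.exe reads either encoding
    $settings | Out-File -FilePath $OutFile -Encoding Unicode
}

# Parse an .rdp file (one "name:type:value" line per setting) into a hashtable
function Read-RdpFile {
    param([string]$Path)
    $result = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^([^:]+):[si]:(.*)$') { $result[$matches[1]] = $matches[2] }
    }
    return $result
}

# Report what a reader of a shared .rdp file would want to know before opening it:
# whether local drives are handed to the server, whether a failed certificate check
# still connects, and whether a configured gateway is actually used.
function Test-RdpFile {
    param([string]$Path)
    $rdp = Read-RdpFile -Path $Path
    $issues = @()
    if ($rdp["drivestoredirect"]) { $issues += "client drives are redirected: " + $rdp["drivestoredirect"] }
    if ($rdp["authentication level"] -eq "0") { $issues += "connects even if server authentication fails" }
    if ($rdp["gatewayhostname"] -and $rdp["gatewayusagemethod"] -eq "0") { $issues += "gateway configured but not used" }
    return $issues
}

New-RemoteAppRdpFile -TsServer "ts01.contoso.com" -RemoteAppAlias "calc" -OutFile "$env:TEMP\calc.rdp" -GatewayFqdn "gw.contoso.com"
Test-RdpFile -Path "$env:TEMP\calc.rdp"   # no issues for the file generated above
```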
Configuring Terminal Services Web Access

Right-click each program and specify Show in TS Web Access, then open TS Web Access Administration. There are 3 tabs visible. The RemoteApp Programs tab contains the list of available programs; clicking on one launches the browser-based TS client. The Remote Desktop tab can be used to launch the browser-based TS client with access to a full Windows desktop, if the TS server is configured to allow that type of connection. The Configuration tab is used to specify which TS server the TS Web Access server will connect to. Note that if the TS Web Access server and the TS server hosting the RemoteApp programs are separate systems then you must add the computer account of the former to the TS Web Access Computers security group on the latter. When users who do not have administrative privileges connect to the TS Web Access server they will only see the first two tabs, as shown in figure 2. The default URLs are http://<server>/ts and https://<server>/ts, where <server> is the fully qualified domain name (FQDN) of the TS Web Access server.
Figure 2: Connecting to a TS Web Access website.
TechNet Virtual Labs: Terminal Services and Virtualization Coming Together

For decades software companies have given away evaluation versions of their products to help show potential customers the value of their solutions. Microsoft has been doing this too, manufacturing DVDs and packaging them in slim cardboard envelopes. That is not terribly expensive; I think it is harder to actually get the discs into the hands of the right people. Even when an influential person has the disc there is little certainty that she will spend an hour or more installing and configuring the product so that she can evaluate it. Microsoft has two programs that help to overcome these issues.
TechNet Virtual Hard Disks (VHDs) are preconfigured virtual machines that you can download and launch within Virtual PC or Hyper-V; it is a great way to familiarize yourself with Microsoft's latest software solutions. VHDs are available for many Microsoft products; the drawback is that the downloads are very large. It takes me a day or two to download multi-gigabyte files. TechNet Virtual Labs is even easier to use: you merely select a scenario and then access the servers remotely using your web browser. What happens in the background intrigues me. I was never involved in designing or building any of the virtual labs so I do not know precisely what the underlying architecture is, but it is easy to deduce the major elements. Try one out and you will see what I mean. After you sign up for your first lab you are prompted to install an ActiveX control, then you wait a few minutes while your lab is being built. I suspect that a preconfigured VHD is copied for your use, and then launched on a server running Hyper-V, and that you connect to your own personal virtual machine using an ActiveX RDP client that has been customized for TechNet. When you finish your VHD is deleted; no matter how badly you hack up your lab it will not impact other people accessing the site. Take a look at both of these programs for yourself:
- TechNet Virtual Hard Disks.
- TechNet Virtual Labs.
Configure Terminal Services Gateway

The TS Gateway is designed as a single-purpose Secure Sockets Layer (SSL) Virtual Private Network (VPN) that can be used to grant remote users secure access to TS servers. Users connect using whatever RDC client they prefer; the RDP traffic is encapsulated in Hypertext Transport Protocol (HTTP), which is protected by SSL/Transport Layer Security (TLS). TS Gateways increase security by ensuring clients only have access to the specific TS servers they require for their job, without the need to configure full VPN connectivity. A certificate must be installed on the TS Gateway server; it is used for SSL/TLS. You probably have a self-signed certificate installed in your practice lab; in a production environment you should use a certificate generated by a Certificate Authority (CA) trusted by the computers that will be used to access the TS Gateway, otherwise users will encounter browser warnings about a certificate which cannot be validated. The TS Gateway server must belong to an Active Directory domain if you configure authorization policies that require users or client computers to be domain members, or if you are deploying a load-balanced server farm. The next step is to configure authorization policies. There are two kinds of policies, and you need to configure at least one of each: Terminal Services connection authorization policies (TS CAP) and Terminal Services resource authorization policies (TS RAP). A TS CAP specifies who can connect to the TS Gateway server. You can further restrict inbound connections by other criteria, such as whether the client computer is a member of an internal Active Directory domain, or whether to allow resource redirection for Plug and Play devices. A TS RAP defines what internal resources the users can access through the TS Gateway server. To create these policies open TS Gateway Manager and click on the server in the navigation tree, then do the following:
1. Expand the TS Gateway server in the navigation tree, expand the Policies folder, right-click the Connection Authorization Policies folder, select Create New Policy, then click Custom.
2. On the General tab, enter a name for the policy and ensure that Enable this policy is selected.
3. Click the Requirements tab, enable the desired authentication method, then click Add Group to select which groups of users will be allowed to connect, as shown in figure 3. Optionally, you can also specify which groups of computers are allowed.
Figure 3: Defining the TS CAP Requirements.
4. Click the Device Redirection tab; here you can specify whether or not device redirection is allowed. Keep in mind the fact that the enforcement of this policy occurs on the client computer, so do not think of it as a robust security setting; a determined user may be able to bypass it.
5. Click OK to finish creating the TS CAP.
6. Right-click the Resource Authorization Policies folder, select Create New Policy, then click Custom.
7. On the General tab, enter a name for the policy, ensure that Enable this policy is selected, and enter a description if desired.
8. Click the User Groups tab to define which users can connect.
9. Click the Computer tab to specify the internal computers that users can connect to. There are three options:
a. Enter the name of a domain security group that includes the computer accounts for the appropriate TS servers.
b. Create a local group and add the names of the computers, as shown in figure 4.
Figure 4: Configuring a New TS Gateway Computer Group.
c. Allow users to connect to any internal resource.
10. If the TS servers are configured to use custom TCP ports click the Allowed Ports tab to specify the port numbers. Click OK to finish creating the TS RAP.
There are a few other configurable settings for TS Gateway servers. Right-click the server in the navigation tree and select Properties to view them. You can limit the number of simultaneous connections, select a different SSL certificate, configure a TS Gateway server farm, and make other changes using the server's Properties dialog box. To view active connections select the Monitoring folder in the navigation tree.

Using TS Gateway with Internet Security and Acceleration Server

Internet Security and Acceleration Server (ISA) can enhance the security of a server running the TS Gateway role service because it can inspect incoming traffic before forwarding it. In this configuration the ISA server is configured as an SSL bridge, that is, ISA handles the establishment and maintenance of the SSL tunnel so that it can view the decrypted network packets. In this architecture the clients establish an SSL connection with the ISA server, the ISA server decrypts and inspects the traffic, then the ISA server forwards acceptable traffic to the TS Gateway. The connection between the ISA server and the TS Gateway can run over HTTP; for greater security implement SSL between these servers too. To implement SSL bridging export the SSL certificate from the TS Gateway server, copy it to the ISA Server, then install the certificate on the ISA Server. Create a web publishing rule on the ISA server to enable access to the TS Gateway server. When creating the web publishing rule you can specify whether to use HTTPS-HTTP bridging or HTTPS-HTTPS bridging. Exporting and importing the certificate is a little complicated; to do so perform the following:

1. On the TS Gateway server, open the Microsoft Management Console by clicking Start and then entering mmc.
2. You must manually add the Certificates snap-in: click File, then click Add/Remove Snap-in.
3. Select Certificates and click Add.
4. Specify Computer account and click Next.
5. Select the local computer and click Finish.
6. In the navigation tree, expand Certificates (Local Computer), expand Personal, then click Certificates.
7. Right-click the TS Gateway certificate, select All Tasks, and click Export. If you are unsure which certificate to export, view their properties to determine which meets the TS Gateway requirements.
8. Complete the wizard to export the certificate.
9. Copy the certificate to the ISA server.
10. On the ISA server, repeat steps 1 through 6.
11. Right-click on Personal, select All Tasks, and click Import.
12. Use the wizard to specify the copied file; when prompted to specify the certificate store select Automatically select the certificate store based on the type of certificate.
13. Finish the wizard to complete the importation process.
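The export and import steps above can also be scripted, which makes the two points that matter for bridging explicit: the export must carry the private key (a .pfx, not a .cer), and the certificate that lands in the ISA server's machine store should be the same one that left the gateway. This is an added example using the .NET X509 classes, not code from the chapter; the gateway name gw.contoso.com, the file path and the password are constructed placeholders.

```powershell
# Export the TS Gateway SSL certificate with its private key, then import it on
# the ISA server and verify the thumbprint. Names and paths are placeholders.
$X509 = "System.Security.Cryptography.X509Certificates"

function Export-TsGatewayCertificate {
    param([string]$GatewayFqdn, [string]$PfxPath, [string]$PfxPassword)
    $store = New-Object -TypeName "$X509.X509Store" -ArgumentList "My", "LocalMachine"
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    # Pick the certificate issued to the gateway name that still has its private key;
    # a .cer export would carry only the public part and be useless for SSL bridging.
    $cert = $store.Certificates |
        Where-Object { $_.Subject -like "CN=$GatewayFqdn*" -and $_.HasPrivateKey } |
        Select-Object -First 1
    $store.Close()
    if ($cert -eq $null) { throw "No certificate with a private key for $GatewayFqdn in LocalMachine\My" }
    # Export() throws if the key was not marked exportable when the certificate was requested
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    return $cert.Thumbprint
}

function Import-TsGatewayCertificate {
    param([string]$PfxPath, [string]$PfxPassword, [string]$ExpectedThumbprint)
    # MachineKeySet: the key goes to the machine store so the ISA service, not the
    # administrator's profile, can use it; PersistKeySet: keep it after this process exits.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"
    $cert = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $PfxPath, $PfxPassword, $flags
    # Refuse a file that was swapped or corrupted between the two servers
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint $($cert.Thumbprint) does not match the exported certificate $ExpectedThumbprint"
    }
    $store = New-Object -TypeName "$X509.X509Store" -ArgumentList "My", "LocalMachine"
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()
    return $cert.Thumbprint
}

# On the TS Gateway:
# $thumb = Export-TsGatewayCertificate -GatewayFqdn "gw.contoso.com" -PfxPath "C:\gw.pfx" -PfxPassword "placeholder"
# On the ISA server, after copying C:\gw.pfx there:
# Import-TsGatewayCertificate -PfxPath "C:\gw.pfx" -PfxPassword "placeholder" -ExpectedThumbprint $thumb
```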
Tip: remember that the default file extension for certificates is .cer, but if the private key is also exported the default extension is .pfx instead.

Configure Terminal Services Load Balancing

TS Session Broker provides load balancing for TS servers, that is, clients are evenly distributed across the farm of servers to minimize the risk of any becoming overloaded. It maintains session state data, including which user is associated with each session ID and the name of the server servicing the session. This means that users can automatically be reconnected to their existing TS session should their connection terminate unexpectedly. The architecture is straightforward: a load balancing method implemented independently of TS, two or more TS servers, and the TS Session Broker server. Round Robin DNS is the simplest load balancing method; the DNS record that points to the TS server farm has a list of addresses, one for each server in the farm. The DNS server responds to queries by cycling through the addresses sequentially. After the client retrieves the address from the DNS server it establishes a connection to the initial TS server. The initial TS server queries the TS Session Broker server to determine which TS server the client will use. The initial server then redirects the client to use the assigned server. The client then establishes a full TS session to the assigned server and that server informs the TS Session Broker of its new client connection. This concept is illustrated in figure 5.
Figure 5: Using Round Robin DNS with TS Session Broker.
When using DNS round robin to distribute connections you must configure DNS records for each server in the farm. However, any load balancing method can be used, including the Network Load Balancing Service (NLBS) available with Windows Server 2008. For information about NLBS see Deploying Servers. Microsoft published a detailed guide for load balancing terminal services with NLBS called Network Load Balancing Step-by-Step Guide: Configuring Network Load Balancing with Terminal Services. The process of installing and configuring the TS server farm and the TS Session Broker is as follows:
1. Install and configure the TS server role, desired role services, and user applications on each TS server in the farm.
2. Install the TS Session Broker role service on another server.
3. On the TS Session Broker server, add each TS server in the farm to the local Session Directory Computers group.
a. Open Computer Management, expand System Tools in the navigation tree, then expand Local Users and Groups, and select the Groups folder.
b. Double-click the Session Directory Computers group in the details pane.
c. Click Add, then click Object Types, enable the Computers checkbox and click OK, as shown in figure 6.
d.
Figure 6: Enabling the Selection of Computer Accounts.
4. Configure each TS server in the farm using Terminal Services Configuration:
a. Double-click Member of farm in TS Session Broker and select the TS Session Broker tab.
b. Specify the name or IP address of the TS Session Broker server under TS Session Broker server name or IP address.
c. Specify the name of the farm under Farm name in TS Session Broker.
d. Enable Participate in Session Broker Load-Balancing.
e. Adjust the weight if desired by changing the value of Relative weight of this server in the farm.
f. Specify the IP address to be used for reconnection and click OK, as shown in figure 7.
Figure 7: Configuring TS Session Broker Settings.
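For a farm of more than a couple of servers, the DNS records for round robin and the group membership in step 3 are easier to get right from a script. The following is an added example, not code from the chapter, using dnscmd.exe and net.exe; the farm members TS01 to TS03, their addresses, the zone contoso.com, the farm name tsfarm and the DNS server dc01 are all constructed, and it assumes it is run on the TS Session Broker by an account that can update the zone.

```powershell
# Round robin DNS records for the farm plus the broker's local group, with checks.
# All names and addresses below are constructed for this example.
$domain    = "CONTOSO"
$zone      = "contoso.com"
$farmName  = "tsfarm"              # clients connect to tsfarm.contoso.com
$dnsServer = "dc01.contoso.com"
$farm = @{ "TS01" = "10.0.0.11"; "TS02" = "10.0.0.12"; "TS03" = "10.0.0.13" }

# One A record per farm member under the same name: the DNS server rotates the
# order of the addresses in each answer, which is what round robin means here.
foreach ($ip in $farm.Values) {
    dnscmd $dnsServer /RecordAdd $zone $farmName A $ip
}

# Step 3: each member's computer account (NAME$) goes into the local
# Session Directory Computers group on the broker.
foreach ($server in $farm.Keys) {
    net localgroup "Session Directory Computers" "$domain\$server`$" /add
}

# Check 1: every farm address is present under the farm name in DNS.
function Test-FarmRecords {
    param([string]$DnsServer, [string]$Zone, [string]$FarmName, [string[]]$ExpectedIps)
    $answer  = dnscmd $DnsServer /EnumRecords $Zone $FarmName | Out-String
    $missing = @($ExpectedIps | Where-Object { $answer -notmatch [regex]::Escape($_) })
    return $missing      # empty when all records exist
}

# Check 2: every member's computer account is in the broker's group; a server
# that is missing here cannot join the farm even if its own settings are correct.
function Test-BrokerGroup {
    param([string]$Domain, [string[]]$Servers)
    $members = net localgroup "Session Directory Computers" | Out-String
    $missing = @($Servers | Where-Object { $members -notmatch [regex]::Escape("$Domain\$_`$") })
    return $missing
}

Test-FarmRecords -DnsServer $dnsServer -Zone $zone -FarmName $farmName -ExpectedIps @($farm.Values)
Test-BrokerGroup -Domain $domain -Servers @($farm.Keys)
```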
Most TS Session Broker settings can be configured through group policy at the following location: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\TS Session Broker. Group policy can simplify configuring multiple TS Session Broker servers with identical settings. The two settings that cannot be configured via group policy are the IP addresses to be used for reconnection and the relative weight of each server. For more information about using group policy see Creating and Maintaining Active Directory Objects.

Does Microsoft Innovate?

Some pundits sharply criticize Microsoft for not innovating but rather growing its technology portfolio through acquisitions and copying other firms' ideas. In my personal opinion, while it is true that many Microsoft technologies became Microsoft's after the company purchased the firm or licensed one of their products, the company is hardly unique in this regard. It is also true that when another company opens a new market sometimes Microsoft will begin to compete aggressively with them a year or two later, but again, numerous companies do this. I think the Terminal Services technology is an interesting case that brings together several examples relating to these accusations. Formed in 1989, Citrix Systems licensed source code for Windows NT 3.51 in 1992, upon which they built WinFrame. Released in 1995, WinFrame was their most successful product thus far. The firm was struggling to survive when Microsoft invested significantly in the company and licensed the technology that became Windows NT 4.0 Terminal Server Edition, which was released in 1997. Microsoft purchased another company, T.share, for the RDP used for communication between TS servers and clients. Citrix has done quite well over the past 20 years by continuing to maintain a mutually beneficial relationship with Microsoft. Citrix retained the right to extend upon Microsoft's TS-based products. So far you see examples of Microsoft not developing their own technology from the ground up, but the story is far from complete. Microsoft went on to improve the core technology and build many other solutions based upon it. Since acquiring the technology Microsoft has added load balancing, RemoteApp applications, TS Gateway, and sophisticated device redirection. Microsoft has also created whole new solutions based on TS, such as Remote Assistance, where users share their desktop with another remote user who can help resolve problems. The switch user capability in Windows XP, Windows Vista, and Windows Server 2008 is another TS-based feature. Windows Meeting Space is also based on TS.

Configure Terminal Services Licensing

The purpose of the TS Licensing role service is to help track client access licenses (CALs). It ensures that your organization does not violate its purchase agreements by having more clients connect to the TS servers than the number of licenses purchased. When a client connects the TS server checks to see if a CAL is required; if one is needed the TS server will request it from the TS Licensing server. If one is available the license server will issue it. Two simultaneous Remote Desktop sessions are allowed for remote administration without requiring CALs or a license server. CALs can be tracked by either user or machine. There is also a 120-day grace period that allows unlimited client connectivity without requiring activation of the license server or installation of CALs. Before the license server will begin issuing licenses you must activate it. Open TS Licensing Manager, right-click on the server in the navigation tree, and select Activate Server to launch the Activate Server Wizard. The wizard provides three activation methods. The simplest is Automatic connection; the license server requires ongoing Internet connectivity to use this method. The Web Browser method allows you to activate from another computer that has Internet connectivity; the license server does not require such connectivity in this case. The telephone method allows you to activate by contacting a Microsoft customer service representative. Once activated you can install CALs, but you must validate them using one of these three methods. To install CALs right-click on the TS Licensing server in the navigation pane, select Install Licenses, and complete the wizard. You configure the licensing mode on each TS server using Terminal Services Configuration. To do so double-click on Terminal Services licensing mode in the details pane and then select Per Device or Per User. You can also specify a license server for the TS server to use, or allow it to automatically discover a license server, as shown in figure 8. If these choices are dimmed it is because they have been configured via group policy. Note that per user CAL tracking is only supported when the servers and users are members of an Active Directory domain. Also, the license server must be a member of the Terminal Server License Servers group in Active Directory; it should have been added to the group automatically during installation of the role service.
Figure 8: Configuring Licensing for Terminal Services.
You can use the Licensing Diagnosis tool to troubleshoot licensing issues. To launch the tool open Terminal Services Configuration and click on Licensing Diagnosis in the navigation tree. Information about the server's configuration and license status will appear in the details pane. Consider my test server, for example; as you can see in figure 9 I face two problems: the license server is not activated and no CALs are available.
Figure 9: Diagnosing Licensing Issues.
Each CAL is valid for between 52 and 89 days; the number of days is determined randomly when the CAL is issued. When a CAL is due to expire in 7 days the TS server will attempt to renew it, again, for between 52 and 89 days. If it cannot connect to the license server it will attempt to renew the CAL each time the client logs on. When a CAL expires it is returned to the pool of available licenses. This helps the license server to automatically recover Per Device CALs that are lost when the device is no longer in use or when its operating system is reinstalled. If the license server itself is lost then you should try to recover it using the most recent backup. If no backup is available then you must reinstall the server, reactivate it, and contact the license clearinghouse to have them issue replacement CALs.

Configure and Monitor Terminal Services Resources

You may want to limit how much memory or CPU time a particular application can consume on any server that needs to support many users who access several different applications. This is particularly important on TS servers sustaining large numbers of simultaneous user sessions; a single user who consumes a large portion of system resources will negatively impact all of the other users. There is a powerful tool for controlling resource usage in Windows Server 2008: Windows System Resource Manager (WSRM). As noted in Maintaining the Active Directory Environment, Windows System Resource Manager is an optional feature of Windows Server 2008. Take a quick look at the Using Windows System Resource Manager section in that chapter to install the tool on the TS server in your practice lab. WSRM uses resource allocation policies to control the use of computer resources. WSRM includes two policies designed for Terminal Services:
- Equal_Per_User: Processes are clustered by user; each cluster has access to the same proportion of system resources regardless of how many applications are running.
- Equal_Per_Session: Processes are clustered by TS session; each session has access to the same proportion of system resources.

To implement the Equal_Per_Session resource allocation policy do the following:
1. Open Windows System Resource Manager from the Administrative Tools folder and specify This Computer when prompted to connect to a computer.
2. Expand the Resource Allocation Policies node in the navigation tree.
3. Right-click Equal_Per_Session and click Set as Managing Policy.
4. If a confirmation dialog box appears click OK.
After configuring WSRM policies you should observe the performance of the TS server to verify that the impact is positive. Click on the Resource Monitor node in the navigation tree to get started. Click the Add Counters button (the green plus symbol) and select the Terminal Services Session counters from the list of available counters, click Add, then click OK, as shown in figure 10. These include dozens of counters; you can hide some from the graph by deselecting their checkbox under the Show column. Other performance counters that will help you assess the performance impact of the resource allocation policy from a higher level are those related to processor and memory utilization. You can review the Using Reliability and Performance Monitor section in Maintaining the Active Directory Environment to refresh your memory on how to use performance counters.
Figure 10: Adding Terminal Services Session Performance Counters.
Configure Terminal Services Client Connections

There are many client configuration settings available; broadly speaking, they are managed in three different locations. Most client settings can be configured on the client computers. Most client settings can also be managed in Active Directory using group policy, and a few additional settings can be configured on the user account objects. Some settings can be managed on the TS servers.

Configuring Client Settings on the Client
There are three ways for clients to connect to TS servers. Remote Desktop Connection (RDC) is the primary way. There are several methods for invoking RDC, including clicking the shortcut from the Start menu, double-clicking a customized .rdp file, or entering mstsc.exe at a command prompt. You can also connect using the ActiveX-based client, as discussed earlier in the chapter. The third way is to use the Remote Desktops MMC snap-in. This snap-in is included with Windows Server 2008; you can install it on Windows Vista by downloading and installing the Microsoft Remote Server Administration Tools for Windows Vista. This snap-in is designed for administrators who have to connect to numerous servers using RDC but don't want to clutter their desktop with shortcuts for each. You right-click on the Remote Desktops node in the navigation tree and select Add new connection to add a server to the list of servers in the navigation tree. You right-click on any of the servers and select Connect to open a TS session in the right-hand pane, as shown in figure 11.
Figure 11: Using the Remote Desktops Snap-In.
After creating a connection in Remote Desktops you can right-click on it and select Properties to customize it. There are three tabs for saving logon credentials, specifying the desktop size, configuring drive redirection and making a few other changes. There are additional customization options available when you use RDC; click Options to see the tabs that grant access to all of them, as shown in figure 12.
Figure 12: Customizing the Remote Desktop Connection.
You can improve performance by reducing the screen size and lowering the color depth on the Display tab. You can further optimize performance by disabling the graphical features available on the Experience tab. The Local Resources tab is where you configure whether to bring sound from the remote computer to the client, how to handle Windows key combinations, and what local resources on the client to make available on the server. This last option is particularly important because it has security implications. If you connect to a server under the control of someone who wants to do you harm and you choose to make your local disk drives available on the remote server, that malicious person may be able to figure out how to access files on your local computer without your permission. It would be a complicated attack, so it is not an issue in most situations; however it may be a feature you wish to disable in high security environments. The Programs tab is where you configure the name and working directory for an application to launch after connecting to the TS server. You can configure server authentication and TS Gateway settings on the Advanced tab.

Configuring Client Settings in Active Directory

There are two places to configure client settings in Active Directory. You can modify a couple of settings by editing the properties of each user account object. To do so open Active Directory Users and Computers, navigate to the desired container, right-click on the account you wish to modify and select Properties. You can configure the path to the TS user profile and the TS home folder, as shown in figure 13.
Figure 13: Configuring the Terminal Services Profile for an Account.
Note: you can also configure the profile and home folder paths for local accounts by editing the properties of the account in the Local Users and Groups snap-in.

When managing large numbers of users group policy is a more convenient way to configure all of these settings. These settings are available in the group policy editor at Computer Configuration\Administrative Templates\Windows Components\Terminal Services. For example, below this location, navigate to Terminal Server\Device and Resource Redirection to disable drive redirection and to manage other related settings. Note well that some of the settings are server options while others are client options; read their descriptions carefully to ensure that you understand which settings apply to clients. User-specific settings for Terminal Services can be found at User Configuration\Administrative Templates\Windows Components\Terminal Services.

Configuring Client Settings on the Server

To configure client settings on the TS server open Terminal Services Configuration, right-click on RDP-Tcp below Connections in the details pane, select Properties, and click the Client Settings tab, as shown in figure 14. You can configure device redirection and color depth; however these settings are enforced on the client. Although they normally take precedence over the settings configured on the client, a determined user with administrative privileges may be able to bypass them. Of course, only the members of the information technology staff who actually need administrative privileges have them, right? Right?
Figure 14: Configuring Client Settings on the TS Server.
Important: When users connect to a default installation of a server via Terminal Services some aspects of the desktop and applications available will look different. To ensure a smoother experience for end users install the Desktop Experience feature using Server Manager. This will install applications and features they will be familiar with from Windows Vista, such as Windows Media Player and Windows Calendar.

Configure Terminal Services Server Options

To configure TS server settings open Terminal Services Configuration, right-click on RDP-Tcp below Connections in the details pane, and select Properties. You configure encryption and authentication on the General tab; the most secure values are to use SSL (TLS 1.0) for the security layer with an encryption level of FIPS Compliant and Network Level Authentication enabled, as shown in figure 15. However, using these values will cause problems with older versions of RDC.
Figure 15: Configuring Terminal Services Encryption.
Use the Logon Settings tab to have all incoming connections log on with the same account; however, use this setting with caution as it increases the risk of an unauthorized person accessing the server. You can configure session limits on the Sessions tab so that disconnected, idle, or active sessions are terminated after the specified time. This can help ensure that memory is not wasted on sessions that are not being used. The Environment tab is used to specify a program to be launched automatically for each user when they connect. You can configure whether remote control is allowed, and if so whether the user must grant permission, on the Remote Control tab. Remote control is very useful when troubleshooting or training users; however a malicious administrator could use this feature to surreptitiously observe another employee working with sensitive data. This concern should be low on your list of priorities though; if you give administrative privileges to people who are not trustworthy then you have much bigger problems to worry about than TS remote control. You can define which network adapters will listen for RDP connection requests and limit the number of simultaneous connections on the Network Adapter tab. There are two ways to specify which users are able to log in to the TS server via RDP: by configuring the groups and accounts on the Security tab of this dialog box, as shown in figure 16, or by adjusting membership in the Remote Desktop Users group. The second method is the preferred one because it is simpler and less likely to lead to misconfiguration.
Figure 16: Viewing RDP Permissions.
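The RDP-Tcp settings from the Client Settings, General, Sessions and Remote Control tabs described in these two sections are stored under the listener's registry key, so they can be audited across many servers without opening Terminal Services Configuration on each. The following is an added example, not code from the chapter: it reads those values and lists where a server differs from the recommendations above (SSL/TLS, FIPS, NLA, no drive redirection, remote control only with the user's permission, session limits set). The value names are the standard WinStations\RDP-Tcp values; which deviations to flag is this example's choice.

```powershell
# Audit the RDP-Tcp listener against the settings recommended in this chapter.
# Read-only: it opens the registry and returns a list of findings.
function Get-RdpTcpFindings {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $ComputerName)
    $key  = $hive.OpenSubKey("SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp")
    if ($key -eq $null) { throw "RDP-Tcp listener not found on $ComputerName" }
    $findings = @()
    # General tab, security layer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS 1.0)
    if ([int]$key.GetValue("SecurityLayer", 1) -lt 2) { $findings += "security layer is not SSL (TLS 1.0)" }
    # General tab, encryption level: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
    if ([int]$key.GetValue("MinEncryptionLevel", 2) -lt 4) { $findings += "encryption level is below FIPS Compliant" }
    # General tab: 1 = Network Level Authentication required
    if ([int]$key.GetValue("UserAuthentication", 0) -ne 1) { $findings += "Network Level Authentication is not required" }
    # Client Settings tab: fDisableCdm = 1 disables client drive redirection
    if ([int]$key.GetValue("fDisableCdm", 0) -ne 1) { $findings += "client drive redirection is allowed" }
    # Remote Control tab (Shadow): 0 = disabled, 1 = full control and 3 = view, both with the
    # user's permission; 2 = full control and 4 = view without asking the user
    $shadow = [int]$key.GetValue("Shadow", 1)
    if ($shadow -eq 2 -or $shadow -eq 4) { $findings += "remote control does not require the user's permission" }
    # Sessions tab: limits are in milliseconds, 0 = never end the session
    if ([int]$key.GetValue("MaxDisconnectionTime", 0) -eq 0) { $findings += "disconnected sessions are never ended" }
    if ([int]$key.GetValue("MaxIdleTime", 0) -eq 0) { $findings += "idle sessions are never ended" }
    $key.Close()
    $hive.Close()
    return $findings
}

# Values pushed by group policy live under
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and take precedence;
# a dimmed option in Terminal Services Configuration means one of those is set.
Get-RdpTcpFindings -ComputerName $env:COMPUTERNAME
```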
When managing large numbers of servers group policy is a more convenient way to configure these settings. You can find them in the group policy editor at Computer Configuration\Administrative Templates\Windows Components\Terminal Services. Remember that some of the settings are server options while others are client options; read their descriptions carefully to ensure that you understand which settings apply to servers.

Managing Active Sessions

To view and manage active sessions open Terminal Services Manager. Right-click on the Terminal Services Manager node in the navigation tree to add more servers to the management list and to organize them into custom groups. Select a server in the navigation tree to view the active sessions. There are three tabs in the details pane; make sure the Users tab is selected. You can right-click on a session to disconnect it, take remote control, reset it, send the user a pop-up message, or force the user to log off. Click the Sessions tab to see the list of sessions and their current status; right-click on any to perform the same tasks noted for users. The Processes tab displays all of the running processes on the TS server, including which account was used to execute each. It is similar to Task Manager, but you can also view processes on remote terminal servers. Right-click on a process and select End Process to forcibly terminate it.

Summary

In my opinion, Terminal Services is one of the best features in Windows Server 2008. It is awesome for managing remote servers, especially for systems administrators who are not comfortable using the command prompt and writing scripts. It is also a great way to centralize management of end user applications. Regarding exam preparation, this technology makes up a considerable proportion of the content and it is important that you have a solid understanding of how to implement, manage, and troubleshoot it.

Chapter Review

This section presents a list of review questions designed to help reinforce the knowledge presented earlier in the chapter. To persuade you to explore the management tools more deeply, a few questions may require you to examine those tools further rather than rereading the chapter.

Questions
1. Users complain that the RDC window takes up too much space on their Windows desktop. They only need to access a couple of programs on the TS server, but the start menu and other user interface elements of terminal services and the RDC waste valuable real estate. What should you do to help the users?
a. Tell the users to run RDC in full screen mode.
b. Tell the users to reduce the screen resolution within their RDC session.
c. Install an additional monitor for each user's computer so that they can move the RDC window to its own monitor.
d. Deploy TS RemoteApp for each application.

2. Which Terminal Services role service makes it possible to distribute incoming connection requests across several TS servers?
a. TS Web Access.
b. TS Gateway.
c. Terminal Server.
d. TS Session Broker.
e. Network Load Balancing.

3. If a licensing mode and license server have not been specified, how many connections does TS allow?
a. 0
b. 1
c. 2
d. 3
e. Unlimited.

4. You deploy a server with both the Terminal Services and TS Web Access role services. You create several RemoteApp programs on the server and configure them to be shown in TS Web Access. You want remote users to be able to access the applications without having to establish a dedicated VPN connection, so you create an access rule on the perimeter firewall allowing TCP ports 80 and 443 to the server. Which two of the following answers will allow the remote users to access the RemoteApp programs? (choose 2)
a. Create another access rule on the firewall that allows TCP port 3389 to the server.
b. Install the TS Gateway role on the server and configure appropriate access policies.
c. Install the TS Session Broker role.
d. Deploy two additional servers with the Terminal Services server role, configure them identically to the first server, and configure round robin DNS to distribute incoming access requests across all three servers.

5. You deploy a farm of TS servers and a TS Session Broker server. Everything works great; now you want to enable access for remote users with the minimum investment of additional resources. The remote users will need to access the TS servers from just about any location imaginable that has Internet connectivity. What steps remain? (choose 2)
a. Install an Internet Security and Acceleration (ISA) server.
b. Create rules for TCP port 3389 that allow incoming traffic to access the farm of TS servers.
c. Install TS Gateway on a server.
d. Configure appropriate TS Resource Authorization Policies (TS RAP) and TS Connection Authorization Policies (TS CAP).
e. Create a publishing rule for Terminal Services that points to the farm of TS servers.

6. You install Terminal Services and configure it to allow access for domain users who are on the internal network. Windows Vista clients are able to establish connections and log on to the Windows desktop using RDC, but Windows XP clients are unable to. What should you do to resolve this quickly?
a. Configure the TS server so that it will allow connections from computers that do not support Network Level Authentication.
b. Upgrade the Windows XP computers to Windows Vista.
c. Install Service Pack 3 on the Windows XP computers.
d. Install the latest version of RDC on the Windows XP clients.

7. You deploy a TS server farm with a TS Session Broker server and Windows Network Load Balancing. You deploy a TS Gateway server that points to the server farm and configure appropriate address records on the internal and external DNS servers. Users are able to access the TS server farm from the corporate network; however, they are unable to do so when working remotely. What are the most likely reasons for the problem? (pick 2)
a. The Windows Firewall with Advanced Security on the TS servers has not been configured to allow RDP traffic from the TS Gateway server.
b. The perimeter firewall has not been configured to allow inbound HTTP traffic to reach the TS Gateway server.
c. The TS RAP and TS CAP policies have not been configured.
d. The users are not members of the Remote Desktop Users group on the TS servers.
e. The Windows Firewall with Advanced Security on the TS servers has not been configured to allow RDP traffic from the remote users.

8. You deploy and configure 4 TS servers in a farm with a TS Session Broker server. You install and configure Windows Network Load Balancing as the load balancing method. After several weeks you realize that one server is taking about 70% of the connections and is always running low on system resources, while the other three servers have about 10% each and have a great deal of CPU power and system memory to spare. What should you do to ensure all four servers are being used efficiently?
a. Install additional memory and processors in the busiest server.
b. Install additional TS servers in the farm until the busiest server is no longer overwhelmed.
c. Instruct the users to connect directly to the three less busy servers by specifying their addresses rather than the address shared by the farm.
d. Check the relative weight configuration of each server in the farm to ensure that they are set appropriately.

9. What are the 3 ways to activate TS Licensing servers? (choose 3)
a. Over the Internet from the licensing server.
b. By telephone.
c. By mail.
d. By telegraph.
e. Over the Internet from another computer.
f. By purchasing client access licenses from your authorized reseller.
10. You have configured your TS servers to use per user licensing. What should you do to recover CALs from users who have left the organization?
a. You cannot; you must purchase additional CALs.
b. Do nothing.
c. Open TS Licensing Manager on the server running the TS Licensing server role, right click on the server in the navigation tree and select Recover Expired Licenses.
d. Open Terminal Services Configuration on each TS server, right click on RDP-Tcp in the details pane, select Properties, and click Release Expired Licenses.

11. What is required to enable the remote control feature of Terminal Services?
a. The feature must be enabled on each user's RDC client.
b. The feature must be enabled on the TS server.
c. A valid SSL certificate must be installed on the TS server.
d. The feature is no longer available in Windows Server 2008.
e. Download and deploy the advanced RDC client.

12. What are valid methods to control which users are able to access Terminal Services? (choose 2)
a. Configure membership in the local Remote Desktop Users group.
b. Configure membership in the domain Remote Desktop Users global group.
c. Modify permissions on the RDP-Tcp connection for each TS server using Terminal Services Configuration.
d. Configure policies using Windows System Resource Manager.
e. Only install CALs on the client computers that you want to be able to access Terminal Services.
Answers

1. D is correct. TS RemoteApp was created specifically to help with this situation and to make using TS less complex for users. Neither A nor B adequately resolves the problem, and while C may be the most appealing to the users, it's also more expensive.

2. D is correct, although NLB could be used as the load balancing method in conjunction with TS Session Broker.

3. C is correct; TS allows two connections for remote administration.

4. A and B are correct. Allowing port 80 means that HTTP traffic can transit the firewall, but the RDP traffic requires TCP port 3389. You could either open that port or use the TS Gateway server role to encapsulate the RDP traffic in HTTPS, which requires TCP port 443 by default.

5. C and D are correct. Deploying TS Gateway would be less expensive than deploying ISA Server or a full VPN, and TS Gateway is able to traverse a wide range of networks, including those that use network address translation (NAT) and proxy servers. TS Gateway requires TS RAP and TS CAP policies to specify what inbound connections are allowed and what resources can be accessed.

6. A is correct. Windows XP does not support Network Level Authentication even with SP3 and the latest RDC client. Users connecting from computers running Windows XP will see the following error message: "The remote computer requires Network Level Authentication, which your computer does not support. For assistance contact your system administrator or technical support." Answer B would resolve the issue, but it's more time consuming and the question asked for a quick resolution.

7. B and C are correct; they are the most likely cause of such issues. It's possible that the Windows Firewall on the TS servers is blocking traffic from the TS Gateway, but unlikely since by default such traffic is allowed, therefore A is wrong. D is incorrect because the group membership is clearly not the issue, since users can connect from the corporate network. E is wrong because the remote users connect through the TS Gateway; they do not connect directly to the TS servers.

8. D is correct. It appears that someone configured the relative weight of the busy server with a value 10 times greater than the others. Since the default value for relative weight is 100, it's probable that the busy server was set to 1000.

9. A, B, and E are correct; apologies for my sad attempt at humor in answer D.

10. B is correct. Each CAL is granted a random period of validity from 52 to 89 days. When a user connects with a license that is within 7 days of expiration, the TS server will attempt to renew it. A CAL will automatically expire and be returned to the CAL pool if the system or user to which it is assigned stops using it.

11. B is correct. Remote control can be enabled on each server by configuring the properties for the RDP-Tcp connection in Terminal Services Configuration or via Group Policy.

12. A and C are correct. B is wrong because there is no such domain group; D and E are incorrect because, well, neither procedure is possible.