Windows Server 2008 Terminal Services Overview
Note: In Windows Server 2008 R2, Terminal Services was renamed Remote Desktop Services.
Terminal Services server role in Windows Server 2008 provides technologies that enable users to access Windows based programs that are installed on a terminal server, or to access the full Windows desktop. With Terminal Services, users can access a terminal server from within a corporate network or from the Internet.
Terminal Services lets you efficiently deploy and maintain software in an enterprise environment. You can easily deploy programs from a central location. Because you install the programs on the terminal server and not on the client computer, programs are easier to upgrade and to maintain.Terminal Services is especially useful when you have programs that are frequently updated, infrequently used, or difficult to manage.
When a user accesses a program on a terminal server, the program execution occurs on the server. Only keyboard, mouse, and display information is transmitted over the network.Windows Server 2008, Terminal Services consists of the following role services:
TS Web Access
TS Web Access lets you make RemoteApp programs and a Remote Desktop connection to the terminal server available to users from a Web browser. With TS Web Access, users can visit a Web site from the Internet or an intranet, to access a list of available RemoteApp programs. When they start a RemoteApp program, a Terminal Services session is started on the terminal server that hosts the RemoteApp program. When you deploy TS Web Access, you can specify which terminal server to use as the data source to populate the list of RemoteApp programs that appears on the Web page.
The Remote Desktop Web Connection feature is also included with TS Web Access. With Remote Desktop Web Connection, a user can specify which computer they want to connect to, and then start a full Remote Desktop session to that computer. To successfully connect, the user must have Remote Desktop access on the destination computer.
TS Gateway enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet connected device that can run the RDC client.
The network resources can be terminal servers, terminal servers that are running RemoteApp programs, or computers that have Remote Desktop enabled.
TS Gateway encapsulates Remote Desktop Protocol within RPC, within HTTP over a Secure Sockets Layer connection.
TS Gateway enables remote users to connect to internal network resources over the Internet by using an encrypted connection, without having to configure virtual private network connections.
TS Gateway provides a comprehensive security configuration model that enables you to control access to specific internal network resources.
TS Gateway provides a point to point RDP connection.TS Gateway enables remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators.
With TS Gateway, you do not have to perform additional configuration for the TS Gateway server or clients for this scenario.
TS Gateway transmits RDP traffic to port 443 by using an HTTP Secure Sockets Layer/Transport Layer Security tunnel.
Because most corporations open port 443 to enable Internet connectivity,
TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.
TS Gateway Manager enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources.
For example, you can specify Who can connect to network resources,What internal network resources users can connect to.
Whether client computers must be members of specific Active Directory security groups.
You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection to further enhance security.
Computers that are running Windows Server 2008 cannot be used as NAP clients when TS Gateway enforces NAP.
Only computers that are running Windows Vista or Windows XP with SP3 can be used as NAP clients when TS Gateway enforces NAP.
TS Session Broker
TS Session Broker keeps track of user sessions in a load balanced terminal server farm. The TS Session Broker database stores session state information that includes session IDs, their associated user names, and the name of the server where each session resides. When a user who has an existing session connects to a terminal server in the load balanced farm, TS Session Broker redirects the user to the terminal server where their session exists. This prevents the user from being connected to a different server in the farm and starting a new session.
If the TS Session Broker Load Balancing feature is enabled, TS Session Broker also tracks the number of user sessions on each terminal server in the farm, and redirects users who do not have an existing session to the server that has the fewest sessions.
Installing Terminal Server
Click Start,Administrative Tools Server Manager. Right click Roles, choose Add Roles to open the Add Roles Wizard, and then click Next
Choose Terminal Services by selecting it and then Next.
Note: Do not install the Terminal Server role on a server that already has the Active Directory
Domain Services role installed.
Application Compatibility page telling you that if you installed applications on the server prior to installing Terminal Services, some of the existing applications may not work in a multiple user environment. Click Next.
Now you have to choose whether you want computers logging into the terminal server
to support Network Level Authentication (NLA). NLA is supported only for RDC 6.x and later
(and only 6.0 on Windows Vista; both Windows XP SP2 and SP3 and Windows Vista SP1
support RDC 6.1). NLA works with CredSSP to authenticate the user early in the process.
NLA enables you to force users to authenticate themselves before they can
create a connection to the terminal server.If you require NLA, only clients supporting CredSSP (Windows Vista or Windows XP
Service Pack 3) will be able to connect to the terminal server.
Next is the license mode of the terminal server. A terminal server can be in per user or per device mode that is, it can accept either per user licenses or
per device licenses but not both.
The incoming connection must present the kind of license that the terminal server is expecting, if the machine or user making the connection already
has one. It also means that if the incoming connection do not present a TS CAL at connection time, and the terminal server has to request one from the license server, then the licenses on the license server must be a type the terminal server is able to accept.
Next,you choose who has access to the terminal server. Terminal Server access is partially
determined by user membership in the Remote Desktop Users group. Click next.
Now we need to do some basic configuration before we let the users connect to the server.
To install WSRM, start Server Manager. Right click Features and click Add Features to start
the Add Features Wizard. Select Windows Server Resource Manager in the list.
You may be prompted that you must install an additional component.WSRM requires that you have a database to store historical data, so if the Windows Internal Database is not already installed you be prompted to add that feature. Go ahead and install it if prompted to do so by clicking the
Add Required Features button.Click next.Click Install to perform the installation.
When the installation is finished, Server Manager will show you that the two features fully
installed. Close the dialog box.You do not need to reboot.
By default, WSRM is not set up appropriately for a terminal server, so you need to configure
it. To open WSRM, click Start,Administrative Tools,Windows System Resource Manager to
open the Windows System Resource Manager snap in.Choose the computer you want to manage.
Change the default policy to Equal Per Session to balance resource usage evenly across all sessions.
The Calendar option must be enabled if you like to set up separate policies for working hours versus off hours
Enabling Plug and Play Redirection with the Desktop Experience
To enable Plug and Play redirection on the terminal server, install Desktop Experience.
To install it, simply open the Server Manager and migrate to the list of features. Click the link to add a new feature and then walk
through the wizard to select and install Desktop Experience.You will need to reboot after installing/uninstalling Desktop Experience.
After you have WSRM and Desktop Experience set up, the next step is reviewing the confguration settings.
Open the Terminal Services Confguration tool by clicking Start, Administrative Tools,
Terminal Services,Terminal Server Confguration.
To change a setting in this window double click any single entry in the Edit Settings section to open a dialog box.
Terminal Server Licensing Settings
Allows you to configure the licensing settings, both for the type of license you
use and the discovery method that the server will use to locate license servers. Getting the
correct settings is crucial for the successful implementation of Terminal Services.
Terminal Services Licensing Mode: A terminal server can be in either per device mode or per user mode. The mode you select depends on the type of licenses you purchase. If there are more computers than users or if people using terminal servers can log in from either a work computer or from a home computer then per user licensing makes more sense. If there are more computers then per device licensing makes more sense.
You can change the licensing mode, but , you must be sure that the matching license types are installed on the license server you using. Even if
the terminal server can find a license server, it will not be able to allocate licenses to users or computers.
License Server Discovery Mode: The license server discovery mode specifes the method
by which terminal servers should find license servers. You have two options: to rely on license
server discovery alone, or to specify license servers explicitly and supplement with license
The license servers you specify must be Windows Server 2008 license servers. It is
not possible for a Windows Server 2003 license server to issue Windows Server 2008
terminal server TS CALs. A Windows Server 2008 license server can issue TS CALs for
Windows Server 2003 terminal servers.
You can point to a license server outside the terminal server forest.
If this license server will be issuing per user TS CALs, there must be a trust relationship between the two domains.
When issuing per-user TS CALs, the license server needs to be able to contact Active Directory on behalf of the person requesting a TS CAL