Implementing and Configuring Microsoft ® Windows Server ® 2008 Terminal Services Nicola Ferrini...

Post on 25-Dec-2015


Implementing and Configuring Microsoft® Windows Server® 2008 Terminal Services

Nicola Ferrini

info@nicolaferrini.it

Who Am I?

• Trainer

• Technical Writer

• Systems Engineer

• Server & Application Virtualization Technology Specialist

More on:

http://www.nicolaferrini.it/curriculum.shtml

http://www.windowserver.it/ChiSiamo/Staff/tabid/71/Default.aspx

Outline

• Configuring Terminal Services Core Functionality

• Configuring and Managing Terminal Services Licensing

• Configuring and Troubleshooting Terminal Services Connections

• Configuring Terminal Services RemoteApp and Easy Print

• Configuring Terminal Services Web Access and Session Broker

• Configuring and Troubleshooting Terminal Services Gateway

• Managing and Monitoring Terminal Services

Configuring Terminal Services Core Functionality

Main Office

Terminal Server

• Configuring the TS Server Role Service

• Configuring the TS Settings

Configuring the TS Server Role Service

• TS Features

• Installing the TS Server Role Service

• Authentication Modes

• TS Core Functionality

• Remote Desktop Connection 6.1

• Remote Desktop Connection Display

• Remote Desktop Experience

• Device Redirection

• Introduction to a Standalone Instance and a Farm

• Standalone Instance vs. Farm

TS Features

TS in Microsoft Windows Server® 2008 provides the following features:

• Support for Remote Desktop Protocol (RDP) over Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)

• Support for spanning of display

• Improved printing with TS Easy Print

• Enhanced security features

• Improved management and scalability features

• Support for Microsoft® Internet Protocol version 6 (IPv6)

• Support for presentation virtualization technology

Installing the TS Server Role Service

1. Use the Server Manager to install the TS server role service

2. Install the programs that need to be hosted on the terminal server

3. Configure the remote connection settings to enable users and groups to connect to TS

Authentication Modes

SSL/TLS Certificate

Kerberos

Password

Smart card

One-Time Password

Terminal Server

TS Core Functionality

• RDC 6.1

• Plug and Play (PnP) device redirection for media players and digital cameras

• Embedded Point of Service (POS)

• RDC Display

• Single Sign-On (SSO) for domain joined clients

Remote Desktop Connection 6.1

[Diagram: Terminal Server, Remote Desktop, RDP 6.1, RDC 6.1]

Remote Desktop Connection Display

Supports:

• High resolution desktops

• Spanning multiple displays

[Diagram label: 1680x1050]

Device Redirection

On a Windows Server 2008 terminal server, you can configure the redirection of portable devices, such as:

• Media players based on Media Transfer Protocol (MTP)

• Digital cameras based on Picture Transfer Protocol (PTP)

Configuring the TS Settings

• Configuring ‘Start Program on Connection’

• Restricting Remote Connection Sessions

• Configuring Other TS Settings

Configuring and Managing Terminal Services Licensing

• Configuring TS Licensing

• Managing TS Licenses

Main office

Configuring TS Licensing

• TS Licensing Role

• TS Licensing Manager Snap-In

• TS Client Access Licenses

• Installing the TS Licensing Role Service

• Configuring the Terminal Server for Licensing

The TS licensing role:

• Has minimum impact on the performance of the server on which it is installed

• Can be centrally administered

• Tracks all license issuances

• Supports secure communication

TS Licensing Role

You can use the TS Licensing Manager snap-in to:

• Determine the availability of TS CALs

• Discover a license server

• Generate reports

• Confirm the location of the TS licensing database

• Install the TS CALs on the TS license server

TS Licensing Manager Snap-In

TS Client Access Licenses

TS Per Device CALs

[Diagram, steps 1 to 4: Connects; Requests License; Delivers License. Components: Terminal Server, License Server]

TS Per User CALs

[Diagram, steps 1 to 4: Connects; Requests License; Stores License. Components: Terminal Server, License Server, Active Directory Domain Services]

Installing the TS Licensing Role Service

Steps for installing the TS licensing role service:

1. Install the TS licensing role service

2. Activate the license server via the Internet, Web browser, or telephone

3. Install the TS CALs by using the Install Licenses Wizard in the TS Licensing Manager snap-in

Configuring the Terminal Server for Licensing

You need to specify the following:

• TS licensing mode

• License server discovery mode

Lab: Installing the TS Server Role

Exercise 1: Install the TS Server Role and Licensing Role Service

Main office

Terminal Server

Configuring and Troubleshooting Terminal Services Connections

• Configuring the TS Connection Properties

• Configuring the TS Connection Properties by Using Group Policy

• Troubleshooting TS Connections

Configuring the TS Connection Properties

• Introduction to TS Properties

• Introduction to the TS Connection Properties

• Configuring the Maximum Number of Simultaneous Connections

• Demonstration: Configuring the Time-Out and Reconnection Settings

• Configuring Authentication and Encryption

• Configuring the Desktop Experience

• Configuring the Plug and Play Device Redirection Framework

Introduction to TS Properties

[Diagram: Configure Connection Properties: Device and Resource Redirection, Remote Session Environments, Session Time Limits, Profiles]

Configuring the Plug and Play Device Redirection Framework

The Plug and Play (PnP) device redirection framework:

• Is automatically installed when the session on the remote computer is launched

• Is enabled by the .rdp file created by the RemoteApp Wizard

• Displays notifications on the taskbar of the remote computer
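
Because the .rdp file is what switches device redirection on, it is worth reviewing before it is distributed. The following is an added example, not part of the original slides: a small Python audit that reads a .rdp file and lists the redirection and server-authentication settings it enables. The setting names are standard Remote Desktop Connection .rdp settings; the sample file and its host name are constructed.

```python
# Added example: audit a .rdp file for redirection and server-authentication settings.
# SAMPLE_RDP is constructed for illustration; the host name is a placeholder.
SAMPLE_RDP = """\
full address:s:ts01.example.test:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||calc
devicestoredirect:s:*
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
authentication level:i:0
"""

# Integer switches where 1 means "redirect this client resource into the session".
REDIRECT_FLAGS = ("redirectclipboard", "redirectprinters", "redirectcomports",
                  "redirectsmartcards", "redirectposdevices")
# String lists where a non-empty value ("*" = all) names devices or drives to redirect.
REDIRECT_LISTS = ("devicestoredirect", "drivestoredirect")


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict; type 'i' values become int."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue  # blank or malformed line
        name, kind, value = parts[0].strip().lower(), parts[1], parts[2].strip()
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer setting with a non-numeric value
        settings[name] = value
    return settings


def audit_rdp(text):
    """Return (setting, value, note) tuples for settings worth reviewing."""
    s, findings = parse_rdp(text), []
    for key in REDIRECT_LISTS:
        if s.get(key):
            findings.append((key, s[key], "client devices or drives exposed to the session"))
    for key in REDIRECT_FLAGS:
        if s.get(key) == 1:
            findings.append((key, 1, "client resource redirected into the session"))
    # authentication level 0 = connect even if server authentication fails
    if s.get("authentication level") == 0:
        findings.append(("authentication level", 0, "server identity is not enforced"))
    return findings
```

Settings that are absent from the file are not reported, since the client's defaults then apply.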

Configuring the TS Connection Properties by Using Group Policy

• Using Group Policy to Configure the TS Connection Properties

• Introduction to Single Sign-On

• Considerations for Configuring Single Sign-On

By using Group Policy, you can configure the following connection properties:

• Client connection encryption level

• Enable and disable remote control

• Maximum number of sessions that can connect to the server

• Automatic start program on a user logon

• Time-out and reconnection

• Client settings such as connecting drives and printers, mapping client devices, and limiting the maximum color depth

Using Group Policy to Configure the TS Connection Properties

SSO has the following key features:

● Using SSO, users are not required to enter credentials each time they log on to a remote session

● SSO facilitates low maintenance costs

● Users can also attain SSO by using Active Directory

● SSO can be deployed in Line of Business (LOB) and centralized applications

Multiple Logons with Single Credential

Introduction to Single Sign-On

SSO can be used:

• For an RDC connection from a Microsoft Windows 2008-based server to a Microsoft Windows 2008 Server-based TS

• On the client computers and terminal server that are part of a domain

• For an RDC connection from a Microsoft Windows Vista®-based computer to a Microsoft Windows® 2008 Server-based TS

• By users who have appropriate rights to log on to both TS and Windows Vista client

Windows Vista

Terminal Server

Terminal Server

Considerations for Configuring Single Sign-On

Main office

Application

Remote Application

Printer

Configuring Terminal Services RemoteApp and Easy Print

• Installing Applications

• Configuring RemoteApp Programs

• Configuring Printers

Configuring RemoteApp Programs

• Introduction to TS RemoteApp Programs

• Advantages of Using RemoteApp Programs

• Methods for Deploying RemoteApp Programs

• Using TS Web Access to Deploy RemoteApp Programs

• Considerations for Connecting to TS Web Access

• Demonstration: Using an MSI File to Deploy RemoteApp Programs

RemoteApp integrates with the Windows Desktop

A RemoteApp™ program on a terminal server:

• Can be accessed remotely through TS

• Displays on the client as if it is running on the local computer

• Can run along with local programs on the client computer

• Has its own resizable window and entry on the taskbar of a client desktop

• Can share a TS session with another RemoteApp program on the same terminal server

Introduction to TS RemoteApp Programs

Using RemoteApp programs:

• Centralizes and minimizes administration

• Enhances experience for users who securely access remote programs

• Is useful in environments where users do not have computers assigned to them

• Helps deploy multiple versions of an application without conflicts

• Causes minimum problems while running different programs on multiple desktops

Advantages of Using RemoteApp Programs

TS Web Access

.rdp

.msi

Methods for Deploying RemoteApp Programs

To deploy RemoteApp programs by using TS Web Access:

1. Configure the settings on the terminal server

2. Add the programs to the RemoteApp Programs list

3. Configure the global deployment settings that apply to all programs in the list

4. Install the TS Web Access role service

5. Populate the TS Web Access Computers security group

6. Specify the terminal server from which to populate the list of RemoteApp programs

Using TS Web Access to Deploy RemoteApp Programs

Considerations for Connecting to TS Web Access

To connect to TS Web Access, the client computer must:

• Run Windows Server® 2008, Windows Vista® with SP1, or Windows® XP SP3

• Have the TS ActiveX client control approved by a standard user

In this demonstration, you will deploy RemoteApp programs by using a .msi file

Demonstration: Using an MSI File to Deploy RemoteApp Programs

Lab: Implementing TS RemoteApp

• Install TS RemoteApp Role Service

• Add a program to the Allow list

• Publish an application through RDP file

• Create an MSI file that installs an application

• Using RemoteApp Access

Configuring Printers

• TS Easy Print

• Considerations for Using TS Easy Print

• Configuring Group Policy for Printer Redirection

TS Easy Print

TS Easy Print allows users to print:

• From RemoteApp programs and Remote Desktop sessions

• To any client side printer with a printer driver loaded on the client machine

TS Easy Print has the following setting in Group Policy:

• Redirect only the default client printer in TS sessions

To use TS Easy Print, clients must have:

• Windows Vista SP1 or Windows XP SP3

If the client computers do not support TS Easy Print:

• Ensure that local and network client printer drivers are installed on the terminal server

• Add the local and network client printer drivers to a custom printer mapping file on the terminal server

Considerations for Using TS Easy Print

Configure the following Group Policy settings:

• “Use Terminal Services Easy Print driver first”

• Redirect only the default client printer

Configuring Group Policy for Printer Redirection

Configuring Terminal Services Web Access and Session Broker

Woodgrove Bank

• Installing TS Web Access

• Configuring TS Session Broker

Introduction to TS Web Access

TS Web Access is a role service that allows you to start RemoteApp™ programs without the need to download or run .msi or .rdp files

TS Web Access in Microsoft Windows Server® 2008:

• Does not require the Remote Desktop Connection (RDC) client to be manually started for launching a RemoteApp program

• Allows you to run applications on a remote computer

• Enables you to access RemoteApp programs seamlessly

• Does not require a separate ActiveX control to be downloaded

What's Different in Windows Server 2008 TS Web Access?

Consider the following points:

• The TS Web Access server need not be a terminal server

• Installation of TS Web Access will automatically install the required Microsoft® Internet Information Services (IIS) 7.0 components

• Client computers must be running RDC 6.1

• A standard user can approve an ActiveX Control

Considerations for Installing TS Web Access

To install RemoteApp programs:

1. Configure RemoteApp programs on one or more terminal servers

2. Enable RemoteApp programs for TS Web Access

3. Install TS Web Access on the server

4. Add the computer running TS Web Access server to the TS Web Access computers group on the terminal server

5. Specify the terminal server or farm from which to populate the list of RemoteApp programs

User Terminal Server

Installing and Configuring RemoteApp Programs by Using TS Web Access

Remote Desktop Web connection:

• Is installed as part of the TS Web Access role service

• Provides features that can be controlled by the administrator

• Is available as a Remote Desktop tab on the TS Web Access page

• Supports Microsoft Windows® XP and Microsoft Windows® Server 2003

Connecting to Remote Desktop Web by Using TS Web Access

TS Session Broker:

• Provides fault tolerance features

• Provides load balancing features and distributes connections across multiple servers

• Stores the following information:

  • Session IDs

  • Sessions’ associated user names

  • Names of servers on which each session is started

Introduction to TS Session Broker

System requirements for configuring TS Session Broker load balancing:

• All the terminal servers in the farm should have the same programs

• Clients should have RDC 5.1, RDC 6.0, or RDC 6.1

• The terminal servers in the farm and the TS Session Broker server should be running Windows Server 2008

• The server on which TS Session Broker will be installed should be a member of a domain

• All servers should be running the same versions of Windows x86 or Windows x64

Prerequisites for Configuring TS Session Broker

Lab: Implementing TS Web Access

• Install TS Web Access Role Service

• Connect to TS Web Access and launch application

Introduction to TS Gateway

TS Gateway requires the following role services and features to be installed and functioning:

• Remote procedure call (RPC) over HTTP Proxy

• Microsoft® Internet Information Server (IIS) 7.0 for the RPC over HTTP Proxy service to function

• Local or remote Microsoft Windows® Server 2008 Network Policy Server (NPS)

Requirements for TS Gateway

Configuring TS Gateway

Steps:

1. Obtain a certificate from a third party, such as Verisign, or from a corporate certificate authority (CA), or use a self-signed certificate

2. Add the TS Gateway Manager snap-in

3. Install the certificate on the TS Gateway server

4. Map the TS Gateway server certificate

5. View the certificate properties

6. Establish trust with a client

Methods for obtaining a certificate:

• Requesting certificates by using the Certificate Request Wizard

• Requesting a certificate on the Web

• Using the Certreq command

• Using Auto-enrollment in the Certificates snap-in

Obtaining Certificates

TS Connection Authorization Policies

User Group

TS Gateway Server

Computer Group

TS CAPs

Computer Group

TS RAPs

TS Gateway Server

TS Resource Authorization Policies

Lab: Implementing TS Gateway

• Install the TS Gateway Role Service

• Create and map a certificate for the TS Gateway Server

• Map a certificate for a different TS Gateway Server

• Create a Connection Authorization Policy (CAP)

• Create a Resource Authorization Policy (RAP)

• Configure Remote Desktop connection settings on the Client Computer

Managing the TS Connections

• Log Off a TS Connection

• Disconnect a TS Connection

• Reset a Disconnected Session

• Control a User Session Remotely

Monitoring the TS Connections

Monitoring Tool: Used to Monitor

• TS Gateway Manager Snap-In: Connection status, Health, Events

• Performance and Reliability monitor: TS RemoteApp Programs

• Microsoft System Center Operation Manager 2007: System

• Windows Event Viewer: Connections

• Microsoft® Internet Security and Acceleration (ISA) Server Best Practices Analyzer: TS Web Access outbound traffic

Introduction to Windows System Resource Manager

WSRM:

• Is a resource manager in a TS environment

• Uses standard or custom resource policies

• Allows you to manage CPU and memory utilization by applications, services, and processes

[Diagram: WSRM, Memory, Printer, Applications, CPU]

WSRM:

• Can select appropriate resource policies based on:

  • Server properties

  • Events

  • Changes in physical memory

  • Available processors

• Can use preconfigured policies or create custom policies to allocate resources per process, user, and IIS application pool

• Can use calendar rules to automatically apply policies at different times

• Can collect resource usage data locally or in a SQL database

Features of Windows System Resource Manager

• WSRM uses resource allocation policies to determine the performance of CPU resources, memory, and processes

• You can configure the following resource allocation policies on the terminal server:

Equal_Per_User

Equal_Per_Session

Configuring Windows System Resource Manager

Lab: Using Windows System Resource Manager (optional)

Implement a Windows Resource Manager Policy