Terminal Services

 Allows end user application to be used on different clients connected via a network applications are executed on the server  Terminal server is a computer on which several users can work simultaneously while their screen can be displayed remotely  A technology that enables remote users to establish interactive sessions—both desktop sessions and application sessions—on a computer running Windows Server  Benefits  Time and Money

Development of Terminal Services  Edward Lacobucci had been working with IBM trying to develop a multi-user version of OS/2  Ed Founded Citrix during late 80’s  The First version of Windows NT was launched in May 1993  Windows NT was not based on DOS, it was completely new 32 bit operating system  Microsoft was not interested in equipping its high-end OS with multiple user features like UNIX  In 1994 Microsoft granted Citrix access to the NT source code to develop and market a multi user expansion  The expansion was named WinFrame and quite successful  Microsoft launched Windows NT4.0 Server, Terminal Server Edition code name HYDRA  Windows 2000 Terminal services included the option of using the clients printer and clipboards from the server

Terminal Services  How it works?  Applications run on the server and render their output there  Server composes the screen  Instead of being sent to the physical display adapter, the server routes the screen to the Terminal Services subsystem  The screen pixel data is broken apart, wrapped in RDP or ICA, compressed, encrypted, and sent to the client device.

A Single server behaves like multiple workstations Terminal Services

Terminal Service Benefits  Providing a virtual desktop experience  Terminal Services clients are available for many different desktop platforms including Microsoft MS-DOS, Windows-based terminals, Macintosh  A Web-based version of the Terminal Services client (Remote Desktop Web Connection) provides Terminal Services connectivity to computers with Web access and an Internet Explorer browser.  Centralized deployment of programs - all program execution, data processing, and data storage occur on the server, centralizing the deployment of programs.  Ensures that all clients can access the same version of a program

Terminal Service Vs Remote Desktop Same Client Software Uses Same Service Uses Same Port Advantages of Remote Desktop  TSCALS – 120 Days  Easy to Implement Enable Remote Desktop  control sysdm.cpl

New Features in Windows Server 2008 TS RemoteApp  Shortcuts on the Start menu TS Web Access  Launch Terminal Services applications through a Web page TS Gateway  Remote access without virtual private networks (VPNs) TS Session Broker  Load balancing TS Easy Print  No more printer driver confusion

TS RemoteApp Enhancing the application experience Enables Terminal Services applications to run seamlessly on the end-user desktop  Enables Terminal Services applications to run in individual windows on the user’s desktop  Includes notification icons in the notification area on the client computer

Current Environment Accessing terminal servers—challenges Terminal servers can be accessed only from within the internal corporate network Remote users must first establish a virtual private network (VPN) connection to the internal network  VPN connection requires an appropriately configured computer

Terminal Services Gateway A Web server component Provides the following functionalities  Acts as the endpoint of an SSL connection  Performs authentication and authorization of the connecting user  Forwards the user’s connection to a resource by using Remote Desktop Protocol (RDP) Requires Terminal Services client (TSClient) version 6.0

TS Gateway Design Connection process Load Balanced TS Gateway RDP Traffic HTTPS Traffic

Terminal Service Installation

Terminal Services Configuration Console

The Terminal Services Configuration (TSC) console is designed to control settings Settings effect all users connecting to the terminal server

LAB Installing and Configuring a License Server

Connection Authorization Policies - TS CAP TS Gateway provides access to RDP resources from outside the corporate network, and includes the following new features to simplify administration and enhance security. TS CAPs Terminal Services connection authorization policies (TS CAPs) allow you to specify user groups, and optionally client computer groups, that can access a TS Gateway server.

TS CAP Why are TS CAPs important? TS CAPs allow you to specify who can connect to a TS Gateway server. You can specify a user group that exists on the local TS Gateway server or in Active Directory Domain Services. You can also specify other conditions that users must meet to access a TS Gateway server. You can list specific conditions. For example, you might require a user to use a smart card to connect through TS Gateway. Users are granted access to a TS Gateway server if they meet the conditions specified in the TS CAP.

Resource Authorization Policy (TS RAP) A TS RAP allows you to specify the internal network resources that users can connect to through TS Gateway. Until you create both a TS CAP and a TS RAP, users cannot connect to internal network resources through this TS Gateway server.

RemoteApp programs  RemoteApp programs are programs that are accessed remotely through Terminal Services and appear as if they are running on the end user's local  In Windows Server 2008, users can access RemoteApp programs in several ways  Access a link to the program on a Web site by using TS Web Access.  Double-click a Remote Desktop Protocol (.rdp) file that has been created and distributed by their administrator.  Double-click a program icon on their desktop or Start menu that has been created and distributed by their administrator with a Windows Installer (.msi) package.

Deploy RemoteApp programs

The Distributed File System (DFS) In Windows Server® 2008, DFS is implemented as a role service of the File Services role. The Distributed File System role service consists of two child role services:  DFS Namespaces  DFS Replication

DFS Namespace DFS Namespaces enables you to group shared folders located on different servers by transparently connecting them to one or more namespaces. A namespace is a virtual view of shared folders in an organization

DFS Namespace server.  A namespace server hosts a namespace.  The namespace server can be a member server or a domain controller. Namespace root.  The root is the starting point of the namespace.  In the previous figure, the name of the root is Public, and the namespace path is \\Contoso\Public.\\Contoso\Public  This type of namespace is known as a domain-based namespace, because it begins with a domain name Folder.  Folders help build the namespace hierarchy.  Folders can optionally have folder targets Folder targets.  A folder target is a UNC path of a shared folder

Lesson 3: Managing Server Roles with the SCW SCW Features Automating Server Role Security Using the SCW Demonstration: Managing Server Roles and Features Using the SCW Automating Server Roles

Monitors and removes unnecessary services and roles Creates and deploys security policies Provides secure role-based server configurations SCW Features

Automating Server Role Security Using the SCW Add additional server roles and features Review changes to the Local Security Profile Save changes for deployment at a later date

Demonstration: Managing Server Roles and Features Using the SCW In this demonstration, you will see how to:  Use the SCW to add a server role  Identify which features and options will be added

Automating Server Roles Manual deployment of server roles can take time and are usually repetitive Automate server roles using these utilities: Servermanager.cmd Automates server role deployment using scripts WDS Automates server deployments and server roles SCW Automates a server’s security profile

Upgrading your Active Directory to Windows Server 2008 In-place upgrading Transitioning Restructuring

Upgrading your Active Directory to Windows Server 2008 In-place upgrading is good when:  You worked hard to get your Active Directory in the shape it's in.  Your servers are in tip-top shape.  There's really no budget to buy new servers.

Reasons not to upgrade in-place  Your servers do not meet the required patchlevel for in- place upgrading (The Windows Server 2003 patchlevel should be at least Service Pack 1)  You want to upgrade across architectures (between x86, x64 and/or Itanium)  You're running Windows Small Business Server 2003  Standard Edition can be upgraded to both Standard and Enterprise Edition  You want your Windows Server 2008 Domain Controllers to be Server Core installations of Windows Server 2008.

Commands adprep.exe /forestprep Schema Master adprep.exe /domainprepInfrastructure Master adprep.exe /domainprep /gpprepInfrastructure Master adprep.exe /rodcprep *Domain Naming Master

IIS 7: The Next Generation Web Application Server Platform

IIS 7.0 Describe the architecture of IIS 7.0, including new features. Define the purpose of the Application Server role. Describe the purpose of role services related to the Web Server (IIS) role. Install the Web Server (IIS) role and add and remove role services. Perform command-line installations and automated installations of the Web Server (IIS) role.

Web Standards and Protocols HTTP HTTP Provide request response Model Plain Text The Hypertext Markup Language (HTML) is the primary specification for Web pages Development platforms - ASP.NET (a component of the Microsoft.NET Framework) to build active Web sites. These sites can keep track of user sessions and can provide access to databases and other information that is stored within the environment.

Web Server Usage Scenarios Public Web sites Online shopping Intranet scenarios Enterprise applications Internet applications Web hosting

New Features Administration - previous versions of IIS was dealing with a large number of property pages and dialog boxes. Security - the binary files for unused features are not available for access in the standard operating system locations Diagnostics and troubleshooting - includes new features that make it easier to pinpoint problems and obtain the details necessary to address them Support for delegation Backward compatibility

IIS Role Services IIS role services are organized into several major areas:  Common HTTP Features  Application Development  Health and Diagnostics  Security  Performance  Management Tools  FTP Publishing Service

Default Roles

Common HTTP Features Static Content Default Document Directory Browsing HTTP Errors HTTP Redirection

Application Development Features ASP.NET  Primary Microsoft Web server development platform.  Based on the.NET Framework  Provides a powerful and flexible development framework for handling common Web site design tasks.NET Extensibility  Can make modifications to IIS Web server functionality ASP Active Server Pages (ASP)  Technology is the predecessor to the ASP.NET platform.  ASP provided a simplified, script-based method of developing Web-based applications.

Health and Diagnostics Features HTTP Logging Logging Tools Request Monitor - enables administrators to see which requests are executing within the Web server process currently Tracing - enables IIS to store detailed information for any failed requests Custom Logging ODBC Logging

Security Features Basic Authentication Windows Authentication Digest Authentication Client Certificate Mapping Authentication IIS Client Certificate Mapping Authentication URL Authorization Request Filtering IP and Domain Restrictions

Performance Features Static Content Compression Dynamic Content Compression

Management Tools An important design goal for IIS 7.0 was to provide support for IIS 6.0–based Web applications. Although many applications can be moved directly to IIS 7.0, several backward-compatibility features are included as role services: IIS 6.Management Compatibility IIS 6 Metabase Compatibility IIS 6 WMI Compatibility IIS 6 Scripting Tools IIS 6 Management Console

Installation and Verification

IIS Manager Feature View Content View

Creating and Configuring Web Sites Understanding Sites and Site Bindings The configuration of the Web site specifies which protocols, ports, and other settings will b e used to connect to the Web server. This information is known collectively as a site binding. How to view Bindings Web Site  IP Address  Port  Hostname

Application Pools Memory leaks or application bugs potentially can cause a loss of service or reduced performance for many different Web applications. Application pools are designed to isolate different sites from each other so that failures and other problems can be contained.

Virtual Directories Web sites may need content from folders that are located outside of the Web site’s primary folder structure. Multiple Web sites that share the same set of images They include an alias name Alias name will be used in the requesting URL Alias name point to a physical file system location path.

Using Command-Line Management IIS includes an executable command, AppCmd.exe provides a simple way for systems administrators to perform common operational tasks

LAB Installing WEB Application and Backup

Configuring IIS Security In IIS 7, a standard account named IUSRS and a local security group called IIS_IUSRS are used on each Windows Server 2008 Web server computer. Managing File System Permissions

Remote Management Enabling Remote Management IIS Manager Users Creating IIS Manager Users Defining IIS Management Permissions Configuring Feature Delegation Connecting to a Remote Server Using IIS Manager

LAB Remote Management

Managing IIS Authentication Authentication refers to the process by which a user or computer proves its identity for security purposes The most familiar method is through a logon or username and an associated password. When working with Web servers such as IIS, Authentication settings and options determine how users will provide their credentials to access content stored on the Web server.

Authentication Methods Anonymous Forms Authentication Basic Digest Windows