Jeff Alexander IT Pro Evangelist Microsoft Australia SVR309.


Session Objective(s):
- Learn about Terminal Services RemoteApp™
- Learn about TS Gateway
- Learn about TS Web Access
- Learn about TS Easy Print
- Learn about the TS Session Broker
- Understand the importance of x64 for TS

- Terminal Services is a Rich Client Technology
- Terminal Services can reduce application deployment and management overhead
- TS isn’t just about WAN links

Centralized application access:
- Application deployment
- Branch office
- Secure anywhere access
- Compliance and security

Enabling technologies:
- TS Gateway
- TS Remote Programs
- SSO for managed clients

TS in Windows Server 2008 designed for low-complexity scenarios

[Diagram labels: Central Location, Mobile Worker In Airport, Branch Office, Home Office]

Terminal Services Gateway Server
- Remote programs integrated with local computer
- Centrally configure a terminal server with the Terminal Server Configuration console
- RemoteApp console used to make application available
- Also used to make programs available via TS Web Access
- Programs look like they are running locally
- Only supported by Remote Desktop client 6.0, or newer
- Remote Desktop client required

Remote Programs…
- Look and feel like local apps…
- Access to local resources with redirection…
- A vector of attack against the client…

Solution: RDPSign
- Cryptographically signing RDP file
- Publisher certificate identifies origin
- New security UI to help decide trust
- GPs to control trust decisions left to users

Who will get your password?…

Admin steps by deployment level:
- Zero Deployment: None
- Basic Signing: Obtain signing certificate. Sign RDPs with TS admin tools.
- Known RDPs Only (recommended): Obtain signing certificate. Sign RDPs with TS admin tools. Push out certificate to clients using a GP list. Set a GP flag to block unsigned files.
- Lockdown (No user decisions): Obtain signing certificate. Sign RDPs with TS admin tools. Push out certificate to clients using a GP list. Set a GP flag to block unsigned files. Set a GP flag to block user-created files.

[Table rows whose cell values were not preserved: RDPs from Admin, Interactive User, Third Party RDPs (signed), Legacy RDPs, Unknown RDPs]
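The signed-versus-unsigned distinction and the redirection risk described above can be checked across a collection of .rdp files before choosing which policy level to enforce. The following Python is an added example, not code from the presentation or from Microsoft; it assumes the standard .rdp setting names (signature, signscope, drivestoredirect, redirectclipboard and similar), uses constructed sample files, and reports only whether a signature is present, without validating it.

```python
import codecs

# Settings that hand client-side resources to the remote host when enabled.
# Only explicit entries are reported; client defaults for absent keys are not modelled.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "PnP devices",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectsmartcards": "smart cards",
}

def decode_rdp(raw: bytes) -> str:
    """Saved .rdp files are often UTF-16 with a BOM; otherwise assume UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(raw: bytes) -> dict:
    """Parse 'name:type:value' lines (type s, i or b) into {name: (type, value)}."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2].strip())
    return settings

def audit_rdp(raw: bytes) -> dict:
    """Report signing state and requested redirections; the signature is NOT verified."""
    s = parse_rdp(raw)
    signed = all(s.get(k, ("", ""))[1] for k in ("signature", "signscope"))
    exposed = sorted(
        label for key, label in REDIRECTION_KEYS.items()
        if key in s and s[key][1] not in ("", "0")
    )
    if signed:
        verdict = "signed-unverified"  # the client must still check the publisher
    elif exposed:
        verdict = "unsigned-with-redirection"
    else:
        verdict = "unsigned"
    return {"target": s.get("full address", ("s", ""))[1],
            "signed": signed, "exposed": exposed, "verdict": verdict}

# Constructed samples: host names and the signature value are placeholders.
UNSIGNED_UTF16 = (
    "full address:s:ts01.example.test:3389\r\n"
    "drivestoredirect:s:*\r\nredirectclipboard:i:1\r\nredirectprinters:i:0\r\n"
).encode("utf-16")
SIGNED_UTF8 = (
    b"full address:s:apps.example.test\nremoteapplicationmode:i:1\n"
    b"signscope:s:Full Address,RemoteApplicationMode\n"
    b"signature:s:Q09OU1RSVUNURUQ=\n"
)

if __name__ == "__main__":
    for sample in (UNSIGNED_UTF16, SIGNED_UTF8):
        print(audit_rdp(sample))
```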

- Put common application on same server
  - Microsoft Office system
- Consider putting individual applications on separate servers when:
  - Application has compatibility issues
  - A single application and associated users may fill server capacity
- Create load-balanced ‘farm’ for single applications that exceed 1 server
- Use Microsoft SoftGrid to improve server usage and application compatibility

Provide a simple solution and infrastructure

Solution:
- Provides simple Web interface for launching applications
- TS Gateway provides the HTTPS transport, NOT Web Access
- Two modes of configuration
  - Single Terminal Server mode
  - AD Mode (queries group policies for published MSI packages)
- Ideal for low complexity scenarios

Infrastructure:
- Visual Studio Web Part ActiveX Control Samples

- TS Web Access default is good for single server deployments
- Use AD mode for multi-server deployments when customers used to AD MSI deployment
- When customer has no AD MSI experience use custom ASP scripting solutions or third-party solutions

- Allows secure seamless connection without VPN
- Tunnels RDP over HTTPS
- Place TS behind multiple firewalls without opening multiple firewall ports other than 443
- Uses same infrastructure as Outlook over RPC/HTTPS
- Allows access to:
  - Terminal Server Remote Desktops and Programs
  - Client Remote Desktop
  - Server Remote Desktop
- When should TS Gateway be used in place of VPN?
  - When no local copy of data is required
  - When a quicker connection time is required
  - When bandwidth or application data size makes VPN experiences suck

Remote Desktop Connection 6.0 Eliminates need for VPN Terminal Services Gateway and Network Policy Server

- SSL Certificate for the TS Gateway
- IIS 7.0
- Network Policy Server
- TS CAP (Client Access Policy)
  - States who and what machine can access
- TS RAP (Resource Access Policy)
  - States what resource they can access
  - Associated with the above

[Network diagram. Zones: Internet, Perimeter Network, Corp LAN. Client locations: Home, Hotel, Business Partner/Client Site. Components: External Firewall, Internal Firewall, Terminal Services Gateway Server, Network Policy Server, Active Directory DC, Terminal Server, Other RDP Hosts. Callouts: Tunnels RDP over RPC/HTTPS; Strips off RPC/HTTPS; Passes RDP/SSL traffic to TS.]

- Use root-signed SSL certificate
- Don’t rely on TSG to block devices
- Use a dedicated TSG Server
- Can co-exist with Outlook RPC/HTTP
- Consider placing behind ISA
- Better than just port based firewall
- Use SSL terminator in DMZ and put TS Gateway in main network
- Great if network admin is nervous of domain joined Windows servers in the DMZ

- Issues have arisen with TS and Printing
- Enhanced device redirection does not require driver on TS Server
- Matching drivers were needed or issues would arise
- Printer configuration follows to TS session
- Same printers as appears locally
- TS easy print installed by default
- Leverages the Microsoft document format XPS
- High quality printer rendering system
- Agnostic to the printer it is sent to

- Used to be Terminal Services Session Directory
- Indexes previously disconnected sessions
- Great for TS farms
- Provides load balancing capability
- Does not matter if you connect from a different client
- Included in Windows Server 2008 Standard
- Allows uninterrupted user experience

- Big investments across the board, in Windows, in terms of eliminating security vulnerabilities
- Re-write of Windows Multi-User Core
- Re-engineering of WINLOGON
- Faster login and logoff
- Profile corruption scenarios addressed
- Application Compatibility
- Improve compatibility
- Leverage UAC

- Large display support / Custom resolutions
- Span multiple monitors
- PnP Device Redirection Framework
- POS Device Redirection
- Windows Portable Device Redirection
- Windows Server 2008 Audio Mixer Support
- Windows Presentation Foundation (WPF) Remoting (Remote Desktop Only)
- 32-bit color and new RDP compression
- Display Data Prioritization

- Terminal Services Gateway
- NAP Support
- Device Redirection Hints
- Connection Monitoring
- Network Authentication
- Single sign-on (SSO) for domain-joined clients
- CredUI / CredMan / CredSSP integration
- Ability to block pre-RDP 6.0 client
- Per-session and direct attached device isolation

- Role Management Tool
- Display Data Prioritization
- New compression improvements
- Spooler scalability improvements
- Improved performance counters
- Debug Logging available in all builds
- Full IPv6 support
- Per-user license tracking
- Single unified Win32 and ActiveX Client integrated into platform and Windows Update

- Today in Windows Server 2003, TS Display resolutions are constrained:
  - 4:3 resolutions
  - 1600(w) & 1200(h) maximums
  - This constraint was imposed due to virtual memory limitations
- New 16:9 & 16:10 displays entering market now
  - 1680x x1200
- Customers have clients with multiple monitors
  - Most common is 2 or 3 monitors in horizontal layout
- Mstsc.exe /span or h:xxxx y: commands + new RDP file parameters

- DWM and Desktop Composition for Remote Desktop scenarios
- Vista Client to Vista Client or Longhorn server (single session)
- Clear Type remoting (a.k.a. Font smoothing)
- Color depth: from 16, 24* to 32 bpp

- Automatically controls virtual channel (VC) traffic so that display data, keyboard and mouse data is prioritized over other VC data
- VCs are used for printing, copy & paste and file transfers
- This ensures display and input traffic always has sufficient priority for the user to keep working
- This feature only affects client RDP-mapped resources

- Citrix is a two-time Gold Certified ISV Partner
- Citrix Presentation Server
- Value-add to TS & Microsoft
- Extends TS functionality
- Citrix MOM pack available
- Signed 5-year Joint Technology Agreement in 2004
- “Constellation Technologies” will add new value in the Windows Server 2008 timeframe

[Diagram: Terminal Services and Citrix Presentation Server, Servicing User Needs and Servicing IT Needs. Areas: Compatibility, Manageability, Security & Control, Scalability, End-User Experience.]

- End-user acceptance through high-performance systems with proactive performance alerting
- Preferential responsiveness for important users
- Secure systems with automatic failure avoidance
- Simpler system provisioning and control for quick time to market
- Compatibility, compatibility, compatibility…
- Providing SLA Assurance through autonomic, reconfigurable and high-performance system built for Windows Server 2008

Knowledge Worker x86 & x64 TS User Capacity Scaling (Based on Initial Internal Testing)

[Chart labels: 2000 x86 4 cores, 2003 x86 4 cores, 2003 x64 4 cores, 2003 x64 8 cores, "Windows Server Bit Baseline"; scale marks ~x2, ~x4, ~x6]

- Up to 4x improvement in users/server on comparable hardware and price point
- Performance comparisons are entirely dependent on scenario
- Your mileage WILL Vary

x86 & x64 Performance Tip: Registry Setting to Reduce Microsoft® Outlook® 2003 Periodic Polling:
  HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\RPC
  [dword] ConnManagerPoll = 0x600

- 4 GB (2^32) address space
  - 2 GB kernel mode (KM) virtual address space
    - Shared across processes
  - 2 GB user mode virtual address (VA) space
    - Each process has its own
- Kernel VA includes:
  - System Page Table Entry (PTE) area – KM thread stacks ~900 MB
  - Paged Pool – page tables, kernel objects ~270 MB
  - System Cache – file cache, registry ~500 MB
  - Others (Non-Paged Pool, images)

[Diagram: Kernel VA (2 GB) containing System PTEs (~900 MB), System Cache (~500 MB), Paged Pool (~270 MB), Non-Paged Pool, images, etc.; User VA (2 GB) for Process N]

- Runs 32-bit software without being recompiled
- Runs 64-bit Windows, drivers and software specifically compiled for the x64 instruction set
- Can act like an x86 processor when an x64 system is booted into a 32-bit operating system and as such runs all 32-bit versions of Windows commercially available today
- Runs 32-bit apps at high performance
- 4 GB User VA for large memory-aware processes
- Runs 64-bit applications
- 8 terabyte Virtual Address Space
- Reduction in mapping and soft page faults in most cases
- Eases migration to 64-bit infrastructure

- 32-bit device drivers
  - Printer drivers
  - Software kernel driver components
- Subsystems
  - Microsoft DOS (NTVDM / Command.com)
  - CMD processor still present
  - 16-bit WOW
  - Portable Operating System Interface for UNIX (POSIX)
  - Services for UNIX (SFU) for x64 available H2’05
- Legacy transport protocols
  - AppleTalk, Services for Macintosh
  - DLC LAN, NetBEUI
  - IrDA, OSPF

- x64 ideal for current deployments that are kernel VA-limited
- x64 provides opportunities to significantly scale-up with new multi-core processors and increase user density on Terminal Services-based systems
- Expected sweet spot for TS moves to 4 cores or more
- When driver compatibility is an issue consolidate onto Windows Server 2003 x86 SP1 and Citrix Presentation Server 4.0 with 2 to 4 cores
- Consider x64-based hardware for all deployments
- Remember, x64 needs more resources for same workload set

- Understand your applications and current scalability limitations
- Re-evaluate hardware purchasing choices
- 4 to 8 cores are compelling price / performance for TS
- Ensure hardware has potential for memory and CPU upgrades you might need
- Can use 32-bit Windows until moving to x64 is possible
- Start deprecating 16-bit applications
- Test application compatibility on Beta 2 release
- Consider using SoftGrid on Windows Server 2003

- Centralized application access using TS is about more than just remote access
- New Terminal Services features bring TS to new customers and scenarios
- TS Remote Programs and TS Gateway provide a complete solution for low complexity scenarios
- Expect third-party value to still be required for many scenarios in Windows Server 2008 and beyond
- Consolidation on Windows Server 2003 and x64 represents significant current opportunities

- TS Blog:
- TS Newsgroup: microsoft.public.windows.terminal_services
- TS x64 Scalability Whitepaper: 4BBB-9AF8-B91BBC0D2D55&displaylang=en
- TS Windows Server 2008 Web Forum:
- Windows System Resource Manager:
- Application Compatibility Toolkit:
- MSDN:
- TS Main Page:

- Technical Communities, Webcasts, Blogs, Chats & User Groups
- Microsoft Developer Network (MSDN) & TechNet
- Trial Software and Virtual Labs
- Microsoft Learning and Certification

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.