1. Implementing and Configuring Microsoft ® Windows Server ® 2008 Terminal Services Nicola Ferrini info@nicolaferrini.it

2. Who Am I ? Trainer Technical Writer Systems Engineer Server & Application Virtualization Technology Specialist More on: http://www.nicolaferrini.it/curriculum.shtml http://www.windowserver.it/ChiSiamo/Staff/tabid/71/Default.aspx

3. Outline Configuring Terminal Services Core Functionality Configuring and Managing Terminal Services Licensing Configuring and Troubleshooting Terminal Services Connections Configuring Terminal Services RemoteApp and Easy Print Configuring Terminal Services Web Access and Session Broker Configuring and Troubleshooting Terminal Services Gateway Managing and Monitoring Terminal Services

5. Configuring Terminal Services Core Functionality Main Office Terminal Server Configuring the TS Server Role Service Configuring the TS Settings

6. Configuring the TS Server Role Service TS Features Installing the TS Server Role Service Authentication Modes TS Core Functionality Remote Desktop Connection 6.1 Remote Desktop Connection Display Remote Desktop Experience Device Redirection Introduction to a Standalone Instance and a Farm Standalone Instance vs. Farm

7. TS in Microsoft Windows Server® 2008 provides the following features: Support for Remote Desktop Protocol (RDP) over Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) Support for spanning of display Improved printing with TS Easy Print Enhanced security features Improved management and scalability features TS Features Support for Microsoft® Internet Protocol version 6 (IPv6) Support for presentation virtualization technology

8. 1.Use the Server Manager to install the TS server role service 2.Install the programs that need to be hosted on the terminal server Installing the TS Server Role Service 3.Configure the remote connection settings to enable users and groups to connect to TS Server Manager TS Server Role Service 1 1 2 2 3 3

9. Authentication Modes SSL/TLS Certificate Kerberos Password Smart card One-Time Password Terminal Server

10. TS Core Functionality RDC 6.1 Plug and Play (PnP) device redirection for media players and digital cameras Embedded Point of Service (POS) RDC Display Single Sign-On (SSO) for domain joined clients

11. Remote Desktop Connection 6.1 Terminal Server Remote Desktop RDP 6.1RDC 6.1

12. Supports: Remote Desktop Connection Display 1680x1050 High resolution desktops Spanning multiple displays

13. On Windows 2008 terminal server, you can configure the redirection of portable devices, such as: Device Redirection PTP POS Media players based on Media Transfer Protocol (MTP) Digital cameras based on Picture Transfer Protocol (PTP)

14. Configuring the TS Settings Configuring ‘Start Program on Connection’ Restricting Remote Connection Sessions Configuring Other TS Settings

16. Configuring and Managing Terminal Services Licensing Configuring TS Licensing Managing TS Licenses Main office

17. Configuring TS Licensing TS Licensing Role TS Licensing Manager Snap-In TS Client Access Licenses Installing the TS Licensing Role Service Configuring the Terminal Server for Licensing

18. The TS licensing role: Has minimum impact on the performance of the server on which it is installed Can be centrally administered Tracks all license issuances Supports secure communication TS Licensing Role

19. You can use the TS Licensing Manager snap-in to: Determine the availability of TS CALs Discover a license server Generate reports Confirm the location of the TS licensing database Install the TS CALs on the TS license server TS Licensing Manager Snap-In

20. TS Client Access Licenses 1 1 2 2 Connects Requests License Terminal Server License Server Delivers License 3 3 4 4 TS Per Device CALs 1 1 2 2 Connects Requests License Terminal Server License Server Stores License 3 3 4 4 Active Directory Domain Services TS Per User CALs

21. Installing the TS Licensing Role Service TS Licensing Manager Snap-In Steps for installing the TS licensing role service: 3.Install the TS CALs by using the Install Licenses Wizard in the TS Licensing Manager snap-in 1.Install the TS licensing role service 2.Activate the license server via the Internet, Web browser, or telephone

22. Configuring the Terminal Server for Licensing You need to specify the following: TS licensing mode License server discovery mode

23. Lab: Installing the TS Server Role Exercise 1 : Install the TS Server Role and Licensing Role Service

25. Main office Terminal Server Configuring and Troubleshooting Terminal Services Connections Configuring the TS Connection Properties Configuring the TS Connection Properties by Using Group Policy Troubleshooting TS Connections

26. Configuring the TS Connection Properties Introduction to TS Properties Introduction to the TS Connection Properties Configuring the Maximum Number of Simultaneous Connections Demonstration: Configuring the Time-Out and Reconnection Settings Configuring Authentication and Encryption Configuring the Desktop Experience Configuring the Plug and Play Device Redirection Framework

27. Configure Connection Properties Device and Resource Redirection Remote Session Environments Session Time Limits Profiles Introduction to TS Properties

28. Configuring the Plug and Play Device Redirection Framework The Plug and Play (PnP) device redirection framework: Is automatically installed when the session on the remote computer is launched Is enabled by the.rdp file created by the RemoteApp Wizard Displays notifications on the taskbar of the remote computer

29. Configuring the TS Connection Properties by Using Group Policy Using Group Policy to Configure the TS Connection Properties Introduction to Single Sign-On Considerations for Configuring Single Sign-On

30. By using Group Policy, you can configure the following connection properties: Client connection encryption level Enable and disable remote control Maximum number of sessions that can connect to the server Automatic start program on a user logon Time-out and reconnection Client settings such as connecting drives and printers, mapping client devices, and limiting the maximum color depth Using Group Policy to Configure the TS Connection Properties

31. SSO has the following key features: ● Using SSO, users are not required to enter credentials each time they log on to a remote session ● SSO facilitates low maintenance costs ● Users can also attain SSO by using Active Directory ● SSO can be deployed in Line of Business (LOB) and centralized applications Multiple Logons with Single Credential Introduction to Single Sign-On

32. SSO can be used: For an RDC connection from a Microsoft Windows 2008-based server to a Microsoft Windows 2008 Server-based TS On the client computers and terminal server that are part of a domain For an RDC connection from a Microsoft Windows Vista® based-computer to a Microsoft Windows® 2008 Server-based TS By users who have appropriate rights to log on to both TS and Windows Vista client Windows Vista Terminal Server Considerations for Configuring Single Sign-On

34. Main office Application Remote Application Printer Configuring Terminal Services RemoteApp and Easy Print Installing Applications Configuring RemoteApp Programs Configuring Printers

35. Configuring RemoteApp Programs Introduction to TS RemoteApp Programs Advantages of Using RemoteApp Programs Methods for Deploying RemoteApp Programs Using TS Web Access to Deploy RemoteApp Programs Considerations for Connecting to TS Web Access Demonstration: Using an MSI File to Deploy RemoteApp Programs

36. RemoteApp integrates with the Windows Desktop

37. A RemoteApp™ program on a terminal server: Can be accessed remotely through TS Displays on the client as if it is running on the local computer Can run along with local programs on the client computer Has its own resizable window and entry on the taskbar of a client desktop Can share a TS session with another RemoteApp program on the same terminal server Introduction to TS RemoteApp Programs

38. Using RemoteApp programs: Centralizes and minimizes administration Enhances experience for users who securely access remote programs Is useful in environments where users do not have computers assigned to them Helps deploy multiple versions of an application without conflicts Causes minimum problems while running different programs on multiple desktops Advantages of Using RemoteApp Programs

39. TS Web Access.rdp.msi Methods for Deploying RemoteApp Programs

40. To deploy RemoteApp programs by using TS Web Access: 1. Configure the settings on the terminal server 2. Add the programs to the RemoteApp Programs list 3. Configure the global deployment settings that apply to all programs in the list 4. Install the TS Web Access role service 5. Populate the TS Web Access Computers security group 6. Specify the terminal server from which to populate the list of RemoteApp programs Using TS Web Access to Deploy RemoteApp Programs

41. To connect to TS Web Access, the client computer must: Considerations for Connecting to TS Web Access Run Windows Server® 2008, Windows Vista® with SP1, or Windows® XP SP3 Have the TS ActiveX client control approved by a standard user

42. In this demonstration, you will deploy RemoteApp programs by using a.msi file Demonstration: Using an MSI File to Deploy RemoteApp Programs

43. Lab: Implementing TS RemoteApp Install TS RemoteApp Role Service Add a program to the Allow list Publish an application trough RDP file Create a MSI file that installs an application Using RemoteApp Access

44. Configuring Printers TS Easy Print Considerations for Using TS Easy Print Configuring Group Policy for Printer Redirection

45. TS Easy Print allows users to print: TS Easy Print has the following setting in Group Policy: From RemoteApp programs and Remote Desktop sessions To any client side printer with a printer driver loaded on the client machine Redirect only the default client printer in TS sessions TS Easy Print

46. To use TS Easy Print, clients must have: Windows Vista SP1 or Windows XP SP3 If the client computers do not support TS Easy Print: Ensure that local and network client printer drivers are installed on the terminal server Add the local and network client printer drivers to a custom printer mapping file on the terminal server Considerations for Using TS Easy Print

47. Configure the following Group Policy settings: Use Terminal Services Easy “Print driver first” Redirect only the default client printer Configuring Group Policy for Printer Redirection

49. Configuring Terminal Services Web Access and Session Broker Woodgrove Bank Installing TS Web Access Configuring TS Session Broker

50. Introduction to TS Web Access TS Web Access is a role service that allows you to start RemoteApp™ programs without the need to download or run.msi or.rdp files

51. TS Web Access in Microsoft Windows Server® 2008: Does not require the Remote Desktop Connection (RDC) client to be manually started for launching a RemoteApp program Allows you to run applications on a remote computer Enables you to access RemoteApp programs seamlessly Does not require a separate ActiveX control to be downloaded What's Different in Windows Server 2008 TS Web Access?

52. Consider the following points: The TS Web Access server need not be a terminal server Installation of TS Web Access will automatically install the required Microsoft® Internet Information Services (IIS) 7.0 components Client computers must be running RDC 6.1 A standard user can approve an ActiveX Control Considerations for Installing TS Web Access

53. To install RemoteApp programs: 1. Configure RemoteApp programs on one or more terminal servers 2. Enable RemoteApp programs for TS Web Access 3. Install TS Web Access on the server 4. Add the computer running TS Web Access server to the TS Web Access computers group on the terminal server 5. Specify the terminal server or farm from which to populate the list of RemoteApp programs User Terminal Server Installing and Configuring RemoteApp Programs by Using TS Web Access

54. Remote Desktop Web connection: Is installed as part of the TS Web Access role service Provides features that can be controlled by the administrator Is available as a Remote Desktop tab on the TS Web Access page Supports Microsoft Windows® XP and Microsoft Windows® Server 2003 Connecting to Remote Desktop Web by Using TS Web Access

55. TS Session Broker: Provides fault tolerance features Provides load balancing features and distributes connections across multiple servers Stores the following information:  Session Ids  Sessions’ associated user names  Names of servers on which each session is started Introduction to TS Session Broker

56. System requirements for configuring TS Session Broker load balancing: All the terminal servers in the farm should have the same programs Clients should have RDC 5.1, RDC 6.0, or RDC 6.1 The terminal servers in the farm and the TS Session Broker server should be running Windows Server 2008 The server on which TS Session Broker will be installed should be a member of a domain All servers should be running the same versions of Windows x86 or Windows x64 Prerequisites for Configuring TS Session Broker

57. Lab: Implementing TS Web Access Install TS Web Access Role Service Connect to TS Web Access and launch application

59. Introduction to TS Gateway

60. TS Gateway requires the following role services and features to be installed and functioning: Remote procedure call (RPC) over HTTP Proxy Microsoft® Internet Information Server (IIS) 7.0 for the RPC over HTTP Proxy service to function Local or remote Microsoft Windows® Server 2008 Network Policy Server (NPS) Requirements for TS Gateway

61. Steps: 2.Add the TS Gateway Manager snap-in 3.Install the certificate on the TS Gateway server 4.Map the TS Gateway server certificate 5.View the certificate properties 6.Establish trust with a client 1.Obtain a certificate from a third party, such as Verisign, or from a corporate certificate authority (CA), or use a self-signed certificate Configuring TS Gateway

62. Methods for obtaining a certificate: Requesting certificates by using the Certificate Request Wizard Requesting a certificate on the Web Using the Certreq command Using Auto-enrollment in the Certificates snap-in Obtaining Certificates

63. TS Connection Authorization Policies User Group TS Gateway Server Computer Group TS CAPs

64. Computer Group TS RAPs TS Gateway Server TS Resource Authorization Policies

65. Lab: Implementing TS Gateway Install the TS Gateway Role Service Create and map a certificate for the TS Gateway Server Map a certificate for a different TS Gateway Server Create a Connection Authorization Policy (CAP) Create a Resource Authorization Policy (RAP) Configure Remote Desktop connection settings on the Client Computer

67. Log Off a TS Connection Disconnect a TS Connection Reset a Disconnected Session Control a User Session Remotely Managing the TS Connections

68. Monitoring the TS Connections Monitoring ToolUsed to Monitor TS Gateway Manager Snap-In Connection status Health Events Performance and Reliability monitor TS RemoteApp Programs Microsoft System Center Operation Manager 2007 System Windows Event ViewerConnections Microsoft® Internet Security and Acceleration (ISA) Server Best Practices Analyzer TS Web Access outbound traffic

69. WSRM: Uses standard or custom resource policies Allows you to manage CPU and memory utilization by applications, services, and processes WSRM Memory Printer Applications CPU Is a resource manager in a TS environment Introduction to Windows System Resource Manager

70. WSRM: Can select appropriate resource policies based on:  Server properties  Events  Changes in physical memory  Available processors Can use preconfigured policies or create custom policies to allocate resources per process, user, and IIS application pool Can use calendar rules to automatically apply policies at different times Can collect resource usage data locally or in a SQL database Features of Windows System Resource Manager

71. WSRM uses resource allocation policies to determine the performance of CPU resources, memory, and processes You can configure the following resource allocation policies on the terminal server:  Equal_Per_User  Equal_Per_Session Configuring Windows System Resource Manager

72. Lab: Using Windows System Resource Manager (optional) Implement a Windows Resource Manager Policy