Post on 21-Dec-2015
Windows Server 2008 Terminal Services Configuration Walkthrough
Jeff Alexander, IT Pro Evangelist, Microsoft Australia
SVR309
Session Objectives and Key Takeaways
Session Objective(s):
• Learn about Terminal Services RemoteApp™
• Learn about TS Gateway
• Learn about TS Web Access
• Learn about TS Easy Print
• Learn about the TS Session Broker
• Understand the importance of x64 for TS
Key Takeaways:
• Terminal Services is a rich client technology
• Terminal Services can reduce application deployment and management overhead
• TS isn’t just about WAN links
Terminal Services
• Centralized application access
• Application deployment
• Branch office
• Secure anywhere access
• Compliance and security
Enabling technologies:
• TS Gateway
• TS Remote Programs
• SSO for managed clients
TS in Windows Server 2008 designed for low-complexity scenarios
[Diagram: Central Location; Mobile Worker in Airport; Branch Office; Home Office]
Terminal Services RemoteApp™
[Diagram: Terminal Services Gateway Server; Remote Desktop client required]
• Remote programs integrated with local computer
• Centrally configure a terminal server with the Terminal Server Configuration console
• RemoteApp console used to make application available; also used to make programs available via TS Web Access
• Programs look like they are running locally
• Only supported by Remote Desktop client 6.0, or newer
Remote Rogue Execution?!
Remote Programs…
• Look and feel like local apps…
• Access to local resources with redirection…
• A vector of attack against the client…
Solution: RDPSign
• Cryptographically signing RDP file
• Publisher certificate identifies origin
• New security UI to help decide trust
• GPs to control trust decisions left to users
Who will get your password?...
RDPSign Policies
Default client behavior:
• No publisher is trusted.
• Signed RDPs: green prompt
• Interactive user on TS client: green prompt
• Unsigned RDPs: yellow warning
• Expired, invalid, corrupt: red, blocked
Group Policy options:
• Define trusted publishers
• Block unsigned RDPs
• Block user & signed RDPs
RDPSign Deployments

| | Zero Deployment | Basic Signing | Known RDPs Only (recommended) | Lockdown (No user decisions) |
|---|---|---|---|---|
| Admin Steps | None | • Obtain signing certificate. • Sign RDPs with TS admin tools. | • Obtain signing certificate. • Sign RDPs with TS admin tools. • Push out certificate to clients using a GP list. • Set a GP flag to block unsigned files. | • Obtain signing certificate. • Sign RDPs with TS admin tools. • Push out certificate to clients using a GP list. • Set a GP flag to block unsigned files. • Set a GP flag to block user-created files. |
| RDPs from Admin | Warning | Prompt | No prompt | No prompt |
| Interactive User | Prompt | Prompt | Prompt | Blocked |
| Third Party RDPs (signed) | Prompt | Prompt | Prompt | Blocked |
| Legacy RDPs | Warning | Warning | Blocked | Blocked |
| Unknown RDPs | Warning | Warning | Blocked | Blocked |
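A small triage script for the signed RDP files these slides are about, added here as an example and not part of the deck or of Microsoft's tooling: it parses the name:type:value lines of a .rdp file and reports which connection-steering settings fall outside the signed scope. It assumes the two fields a signed .rdp file carries, signscope (comma-separated names of the covered settings) and signature (the signature blob); it does not verify the signature itself, and the sample file is constructed.

```python
"""Triage a signed .rdp file: which settings does the signature cover?

Added example, not from the deck. A signed .rdp file carries 'signscope'
(comma-separated names of the covered settings) and 'signature' (the blob).
This does NOT verify the signature; it reports sensitive settings left
outside that scope."""
import re

# Settings that steer where the client connects and what it exposes.
# A trustworthy signed file should cover every one of these in signscope.
SENSITIVE = {
    "fulladdress", "serverport", "gatewayhostname", "alternateshell",
    "remoteapplicationprogram", "remoteapplicationmode",
    "redirectdrives", "drivestoredirect", "redirectclipboard",
}

def norm(name):
    """Case- and space-insensitive key: 'Full Address' == 'full address'."""
    return re.sub(r"\s+", "", name).lower()

def parse_rdp(text):
    """Parse 'name:type:value' lines into {normalised name: (type, value)}."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # blank or malformed line
        settings[norm(parts[0])] = (parts[1], parts[2])
    return settings

def triage(text):
    """Return (is_signed, uncovered): sensitive settings present in the
    file but not listed in its signed scope (all of them if unsigned)."""
    s = parse_rdp(text)
    present = {k for k in s if k in SENSITIVE}
    if "signature" not in s or "signscope" not in s:
        return False, sorted(present)
    scope = {norm(n) for n in s["signscope"][1].split(",")}
    return True, sorted(present - scope)

# Constructed sample: signed RemoteApp file whose scope omits the gateway name.
SAMPLE = """\
full address:s:ts01.corp.example
server port:i:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Word
alternate shell:s:rdpinit.exe
gatewayhostname:s:gw.corp.example
signscope:s:Full Address,Server Port,RemoteApplicationMode,RemoteApplicationProgram,Alternate Shell
signature:s:AQABAAEA-constructed-placeholder
"""
```

Run `triage(open("file.rdp").read())` against a real file; an unsigned file returns False with every sensitive setting listed, which is the yellow-warning case from the policy slide.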
Terminal Services RemoteApp™ demo
• Configuring TS Remote Programs
• Using the RDP & MSI file creation tool
• Setting 32-bit colour
TS Remote Programs Deployment Best Practices
• Put common applications on the same server (e.g. Microsoft Office system)
• Consider putting individual applications on separate servers when:
  • Application has compatibility issues
  • A single application and associated users may fill server capacity
• Create load-balanced ‘farm’ for single applications that exceed 1 server
• Use Microsoft SoftGrid to improve server usage and application compatibility
TS Web Access
Provide a simple solution and infrastructure
Solution:
• Provides simple Web interface for launching applications
• TS Gateway provides the HTTPS transport, NOT Web Access
• Two modes of configuration: Single Terminal Server mode; AD mode (queries group policies for published MSI packages)
• Ideal for low complexity scenarios
Infrastructure:
• Visual Studio Web Part
• ActiveX control
• Samples
TS Web Access Deployment Best Practices
• TS Web Access default is good for single server deployments
• Use AD mode for multi-server deployments when customers are used to AD MSI deployment
• When customer has no AD MSI experience, use custom ASP scripting solutions or third-party solutions
TS Gateway
Allows secure, seamless connection without VPN
• Tunnels RDP over HTTPS
• Place TS behind multiple firewalls without opening multiple firewall ports other than 443
• Uses same infrastructure as Outlook over RPC/HTTPS
Allows access to:
• Terminal Server Remote Desktops and Programs
• Client Remote Desktop
• Server Remote Desktop
When should TS Gateway be used in place of VPN?
• When no local copy of data is required
• When a quicker connection time is required
• When bandwidth or application data size makes VPN experiences suck
Requirements and Policy Control
• SSL certificate for the TS Gateway
• IIS 7.0
• Network Policy Server
• TS CAP (Client Access Policy): states who and what machine can access
• TS RAP (Resource Access Policy): states what resource they can access; associated with the CAP above
TS Gateway Remote Access
[Diagram: Perimeter Network between the Internet and the Corp LAN, bounded by an External Firewall and an Internal Firewall. Remote clients: Hotel, Home, Business Partner/Client Site. Servers: Terminal Services Gateway Server, Network Policy Server, Active Directory DC, Terminal Server, Other RDP Hosts. Flow annotations: client tunnels RDP over RPC/HTTPS; gateway strips off RPC/HTTPS and passes RDP/SSL traffic to TS.]
TS Gateway Best Practices
• Use root-signed SSL certificate
• Don’t rely on TSG to block devices
• Use a dedicated TSG server (can co-exist with Outlook RPC/HTTP)
• Consider placing behind ISA: better than just a port-based firewall
• Use SSL terminator in DMZ and put TS Gateway in main network: great if network admin is nervous of domain-joined Windows servers in the DMZ
TS Easy Print
• Issues have arisen with TS and printing: matching drivers were needed or issues would arise
• Enhanced device redirection does not require driver on TS server
• Printer configuration follows to TS session: same printers as appear locally
• TS Easy Print installed by default
• Leverages the Microsoft document format XPS: high quality printer rendering system, agnostic to the printer it is sent to
TS Session Broker
• Used to be Terminal Services Session Directory
• Indexes previously disconnected sessions
• Great for TS farms
• Provides load balancing capability
• Does not matter if you connect from a different client
• Included in Windows Server 2008 Standard
• Allows uninterrupted user experience
Windows Platform Investments
• Big investments across the board, in Windows, in terms of eliminating security vulnerabilities
• Re-write of Windows multi-user core
• Re-engineering of WINLOGON: faster login and logoff; profile corruption scenarios addressed
• Application compatibility: improve compatibility; leverage UAC
Other New Experience Features
• Large display support / custom resolutions
• Span multiple monitors
• PnP Device Redirection Framework: POS device redirection; Windows Portable Device redirection
• Windows Server 2008 audio mixer support
• Windows Presentation Foundation (WPF) remoting (Remote Desktop only)
• 32-bit color and new RDP compression
• Display Data Prioritization
Other New Security Features
• Terminal Services Gateway
• NAP support
• Device redirection hints
• Connection monitoring
• Network Authentication
• Single sign-on (SSO) for domain-joined clients
• CredUI / CredMan / CredSSP integration
• Ability to block pre-RDP 6.0 clients
• Per-session and direct attached device isolation
Other New Manageability & Scalability Features
• Role Management Tool
• Display Data Prioritization
• New compression improvements
• Spooler scalability improvements
• Improved performance counters
• Debug logging available in all builds
• Full IPv6 support
• Per-user license tracking
• Single unified Win32 and ActiveX client integrated into platform and Windows Update
Custom Display Resolutions
Today in Windows Server 2003, TS display resolutions are constrained:
• 4:3 resolutions
• 1600 (w) & 1200 (h) maximums
• This constraint was imposed due to virtual memory limitations
New 16:9 & 16:10 displays entering market now: 1680x1050, 1920x1200
Customers have clients with multiple monitors:
• Most common is 2 or 3 monitors in horizontal layout
• Mstsc.exe /span or h:xxxx y: commands + new RDP file parameters
RDP 6.1: Getting even richer
• DWM and Desktop Composition for Remote Desktop scenarios: Vista client to Vista client or Longhorn server (single session)
• ClearType remoting (a.k.a. font smoothing)
• Color depth: from 16, 24* to 32 bpp
| Profile | 32 bpp | 24 bpp | 16 bpp |
|---|---|---|---|
| PPT1 | 73,052365 | 112,359183.7 | 73,320620.3 |
| PPT2 | 1,182144 | 2,060018.667 | 1,225201 |
| WORD | 4,871323.3 | 4,258341.333 | 3,299331 |
| WORD3 | 3,603849.7 | 11,238595.67 | 7,438361 |
| IE-Word | 11,609604 | 20,830233.67 | 12,773213.3 |
| Explorer | 1,716492 | 2,249739 | ,978692 |
Display Data Prioritization
• Automatically controls virtual channel (VC) traffic so that display, keyboard and mouse data is prioritized over other VC data
• VCs are used for printing, copy & paste and file transfers
• This prioritization ensures there is always sufficient traffic prioritization to ensure the user keeps working
• This feature only affects client RDP-mapped resources
Citrix and Microsoft
• Citrix is a two-time Gold Certified ISV Partner
• Citrix Presentation Server: value-add to TS & Microsoft; extends TS functionality; Citrix MOM pack available
• Signed 5-year Joint Technology Agreement in 2004
• “Constellation Technologies” will add new value in the Windows Server 2008 timeframe
Based on initial internal testing.
x86 & x64 Performance Tip: registry setting to reduce Microsoft® Outlook® 2003 periodic polling:
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\RPC, [DWORD] ConnManagerPoll = 0x600
Why Is x64 so Important for TS?
[Chart: x86 & x64 TS User Capacity Scaling, Knowledge Worker workload. Bars: 2000 x86 4 cores (Windows Server 2000 32-bit baseline); 2003 x86 4 cores; 2003 x64 4 cores; 2003 x64 8 cores. Relative multipliers shown: ~x2, ~x4, ~x6.]
• Up to 4x improvement in users/server on comparable hardware and price point
• Performance comparisons are entirely dependent on scenario
• Your mileage WILL vary
• Whitepaper @ http://www.microsoft.com/ts
Benefits of x64 Architecture
• Runs 32-bit software without being recompiled
• Runs 64-bit Windows, drivers and software specifically compiled for the x64 instruction set
• Can act like an x86 processor when an x64 system is booted into a 32-bit operating system, and as such runs all 32-bit versions of Windows commercially available today
• Runs 32-bit apps at high performance: 4 GB user VA for large memory-aware processes
• Runs 64-bit applications: 8 terabyte virtual address space
• Reduction in mapping and soft page faults in most cases
• Eases migration to 64-bit infrastructure
Features Not Supported in 64-bit Windows
• 32-bit device drivers: printer drivers; software kernel driver components
• Subsystems: Microsoft DOS (NTVDM / Command.com; CMD processor still present); 16-bit WOW; Portable Operating System Interface for UNIX (POSIX), with Services for UNIX (SFU) for x64 available H2’05
• Legacy transport protocols: AppleTalk, Services for Macintosh; DLC LAN, NetBEUI; IrDA, OSPF
x64 and Terminal Server Recommendations
• x64 ideal for current deployments that are kernel VA-limited
• x64 provides opportunities to significantly scale up with new multi-core processors and increase user density on Terminal Services-based systems
• Expected sweet spot for TS moves to 4 cores or more
• When driver compatibility is an issue, consolidate onto Windows Server 2003 x86 SP1 and Citrix Presentation Server 4.0 with 2 to 4 cores
• Consider x64-based hardware for all deployments
• Remember, x64 needs more resources for the same workload set
Preparing for Windows Server 2008 Terminal Services
• Understand your applications and current scalability limitations
• Re-evaluate hardware purchasing choices: 4 to 8 cores are compelling price / performance for TS; ensure hardware has potential for the memory and CPU upgrades you might need; can use 32-bit Windows until moving to x64 is possible
• Start deprecating 16-bit applications
• Test application compatibility on Beta 2 release
• Consider using SoftGrid on Windows Server 2003
Summary
• Centralized application access using TS is about more than just remote access
• New Terminal Services features bring TS to new customers and scenarios
• TS Remote Programs and TS Gateway provide a complete solution for low complexity scenarios
• Expect third-party value to still be required for many scenarios in Windows Server 2008 and beyond
• Consolidation on Windows Server 2003 and x64 represents significant current opportunities
TS Resources
• TS Blog: http://blogs.msdn.com/ts
• TS Newsgroup: microsoft.public.windows.terminal_services
• TS x64 Scalability Whitepaper: http://www.microsoft.com/downloads/details.aspx?familyid=9B1A8518-D693-4BBB-9AF8-B91BBC0D2D55&displaylang=en
• TS Windows Server 2008 Web Forum: http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=580&SiteID=17
• Windows System Resource Manager: http://www.microsoft.com/windowsserver2003/technologies/management/wsrm/default.mspx
• Application Compatibility Toolkit: http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx
• MSDN: http://msdn.microsoft.com/library/default.asp?url=/library/enus/dnanchor/html/anch_terminalservices.asp?frame=true
• TS Main Page: http://www.microsoft.com/ts
Resources
• Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
• Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn, http://microsoft.com/technet
• Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.