Terminal Services Deployment Guide
Microsoft Corporation
Published: December 2009
Abstract
The Terminal Services server role in Windows Server® 2008 provides technologies that enable
users to access Windows®-based programs that are installed on a terminal server, or to access
the full Windows desktop. With Terminal Services, users can access a terminal server from within
a corporate network or from the Internet.
This document supports a preliminary release of a software product that may be changed
substantially prior to final commercial release, and is the confidential and proprietary information
of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the
recipient and Microsoft. This document is provided for informational purposes only and Microsoft
makes no warranties, either express or implied, in this document. Information in this document,
including URL and other Internet Web site references, is subject to change without notice. The
entire risk of the use or the results from the use of this document remains with the user. Unless
otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred. Complying with all applicable copyright laws is the
responsibility of the user. Without limiting the rights under copyright, no part of this document may
be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by
any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Active Directory, ActiveX, Internet Explorer, ClearType, MSDN, Microsoft, RemoteApp, Windows,
Windows Media, Windows NT, Windows Server, and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Terminal Services Deployment Guide.............................................................................................9
About this guide........................................................................................................................... 9
In this guide................................................................................................................................. 9
Role Services and Features in a Terminal Services Deployment....................................................9
What are the role services and features in a Terminal Services deployment?.......................10
Deploying Terminal Server............................................................................................................12
Installation Prerequisites for Terminal Server................................................................................12
Using Remote Desktop................................................................................................................. 14
Installing Terminal Server on a Domain Controller........................................................................15
Terminal Services and Windows Firewall......................................................................................16
Checklist: Configuring Terminal Server.........................................................................................17
Configuring Terminal Server.........................................................................................................18
Install the Terminal Server Role Service.......................................................................................19
Install the Terminal Server role service (when Terminal Services is already installed)..............20
Configure License Settings for a Terminal Server.........................................................................22
Specify the Terminal Services Licensing Mode.............................................................................22
Specify the License Server Discovery Mode.................................................................................23
Configure the Network Level Authentication Setting for a Terminal Server...................................24
Install Programs on a Terminal Server..........................................................................................25
Additional considerations....................................................................................................26
Configure the Remote Desktop Users Group...............................................................................26
Managing Terminal Server............................................................................................................27
Change Remote Connection Settings...........................................................................................27
Enable Single Sign-On for Terminal Services...............................................................................28
Manage User Profiles for Terminal Services.................................................................................30
Install Desktop Experience on a Terminal Server..........................................................................30
Install Desktop Experience........................................................................................................31
Uninstall Desktop Experience....................................................................................................32
Configure Font Smoothing for Remote Sessions..........................................................................32
Monitor a Terminal Server with Windows System Resource Manager..........................................33
Resource-Allocation Policies.....................................................................................................34
Resource Monitor...................................................................................................................... 34
Uninstall the Terminal Server Role Service...................................................................................34
Deny Logon Requests to a Terminal Server.................................................................................35
Deploying TS Licensing................................................................................................................36
Installation Prerequisites for TS Licensing....................................................................................36
Terminal Services Client Access Licenses (TS CALs)..................................................................37
Terminal Services License Server Discovery................................................................................38
Checklist: Deploying TS Licensing................................................................................................39
Installing TS Licensing..................................................................................................................40
Installation prerequisites............................................................................................................40
Install the TS Licensing role service..........................................................................................41
Connecting to a Terminal Services License Server.......................................................................42
Install TS Licensing Manager........................................................................................................43
Activating a Terminal Services License Server.............................................................................43
Activate a Terminal Services License Server Automatically..........................................................44
Activate a Terminal Services License Server by Using a Web Browser........................................45
Activate a Terminal Services License Server by Using the Telephone..........................................46
Installing Terminal Services Client Access Licenses.....................................................................47
Install Terminal Services Client Access Licenses Automatically....................................................48
Install Terminal Services Client Access Licenses by Using a Web Browser.................................49
Install Terminal Services Client Access Licenses by Using the Telephone...................................50
Configuring License Settings on a Terminal Server......................................................................51
Specify the Terminal Services licensing mode...........................................................................51
Specify the license server discovery mode................................................................................53
Tracking the Issuance of Terminal Services Per User Client Access Licenses.............................54
Troubleshooting TS Licensing Installation.....................................................................................56
Review the configuration of your license server........................................................................56
Diagnose licensing problems on your terminal server...............................................................58
Deploying TS Session Broker.......................................................................................................59
Installation Prerequisites for TS Session Broker...........................................................................60
TS Session Broker components................................................................................................60
Checklist: Creating a Load-Balanced Terminal Server Farm by Using TS Session Broker...........61
Installing TS Session Broker.........................................................................................................61
Installation prerequisites............................................................................................................62
Install the TS Session Broker role service.................................................................................62
Adding Each Terminal Server in the Farm to the Session Directory Computers Local Group.......63
Configuring a Terminal Server to Join a Farm in TS Session Broker............................................63
Configure TS Session Broker Settings by Using Group Policy.....................................................64
Configure TS Session Broker Settings by Using Terminal Services Configuration.......................66
Configuring DNS for TS Session Broker Load Balancing.............................................................67
Configuring Dedicated Redirectors (optional)...............................................................................68
Deploying TS Gateway.................................................................................................................69
Installation Prerequisites for TS Gateway.....................................................................................70
Role, role service, and feature dependencies........................................................................70
Administrative credentials......................................................................................................71
Understanding Requirements for Connecting to a TS Gateway Server........................................71
Supported Windows authentication methods............................................................................72
Checklist: Deploying TS Gateway.................................................................................................72
Installing TS Gateway...................................................................................................................73
Install the TS Gateway role service...........................................................................................73
Verify successful role service installation and TS Gateway service status.............................75
Configuring a Certificate for the TS Gateway Server....................................................................76
Obtain a Certificate for the TS Gateway Server............................................................................77
Certificate requirements for TS Gateway...................................................................................77
Using existing certificates..........................................................................................................78
Certificate installation and configuration process overview.......................................................79
1. Obtain a certificate.............................................................................................................79
2. Install the certificate...........................................................................................................81
3. Map the certificate..............................................................................................................81
Create a Self-Signed Certificate for the TS Gateway Server........................................................81
Install a Certificate on the TS Gateway Server.............................................................................82
Map the TS Gateway Certificate...................................................................................................83
View or Modify Certificate Properties............................................................................................84
Creating a Terminal Services Connection Authorization Policy.....................................................85
Creating a Terminal Services Resource Authorization Policy........................................................87
Configuring the Terminal Services Client for TS Gateway............................................................89
Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional)..........89
Configure Remote Desktop Connection Settings..........................................................................91
Verify Connectivity Through TS Gateway.....................................................................................92
Limiting the Maximum Number of Simultaneous Connections Through TS Gateway...................93
Using Group Policy to Manage Client Connections Through TS Gateway...................................94
Set the TS Gateway Server Authentication Method......................................................................95
Enable Connections Through TS Gateway...................................................................................97
Set the TS Gateway Server Address............................................................................................98
Deploying TS RemoteApp..........................................................................................................100
Installation Prerequisites for TS RemoteApp..............................................................................100
Client requirements.................................................................................................................101
Checklist: Configuring TS RemoteApp........................................................................................101
Checklist: Deploying RemoteApp Programs Through a File Share or Other Distribution Mechanism....102
Checklist: Making RemoteApp Programs Available from the Internet.........................................102
Configuring the Server That Will Host RemoteApp Programs....................................................104
Install the Terminal Server role service....................................................................................104
Install programs on the terminal server...................................................................................105
Verify remote connection settings............................................................................................105
Adding RemoteApp Programs and Configuring Global Deployment Settings.............................106
Add Programs to the RemoteApp Programs List........................................................................106
Configure Global Deployment Settings.......................................................................................107
Configure Terminal Server Settings............................................................................................108
Configure TS Gateway Settings..................................................................................................109
Configure Common RDP Settings (Optional)..............................................................................110
Configure Custom RDP Settings (Optional)................................................................................111
Configure Digital Signature Settings (Optional)...........................................................................112
Using Group Policy settings to control client behavior when opening a digitally signed .rdp file....113
Creating an .rdp File from a RemoteApp Program......................................................................114
Creating a Windows Installer Package from a RemoteApp Program..........................................115
Managing RemoteApp Programs and Settings...........................................................................116
Change or Delete a RemoteApp Program..................................................................................117
Export or Import RemoteApp Programs and Settings.................................................................118
Configuring Server Manager and Initial Tasks Not to Run in a RemoteApp Session..................119
Deploying TS Web Access..........................................................................................................119
Checklist: Deploying RemoteApp Programs Through TS Web Access.......................................120
Enable RemoteApp Programs for TS Web Access.....................................................................121
Install the TS Web Access Role Service.....................................................................................122
Populate the TS Web Access Computers Security Group..........................................................123
Specify the Data Source for TS Web Access..............................................................................123
Connect to TS Web Access........................................................................................................124
Client requirements and configuration.....................................................................................125
Configure the TS Web Access Server to Allow Access from the Internet....................................126
Configure Remote Desktop Web Connection Behavior..............................................................128
Change the Install Location of the TS Web Access Web Site.....................................................129
Deploying Terminal Services Printing..........................................................................................131
Using Terminal Services Easy Print Driver..................................................................................131
Client requirements.................................................................................................................131
Additional information..............................................................................................................132
Installing the Printer Driver on the Server...................................................................................133
Creating a Custom Printer Mapping File.....................................................................................133
Step one: Create or modify an .inf file.....................................................................................133
Step two: Configure the registry..............................................................................................134
Configuring Printer Redirection Settings.....................................................................................135
Configure printer redirection settings per connection..............................................................136
By using Group Policy (best practice)..................................................................................136
By using Terminal Services Configuration............................................................................136
Configure printer redirection settings per user.........................................................................137
Use client-specified printer redirection settings.......................................................................138
Using Terminal Services Printing-Related Group Policy Settings...............................................138
Terminal Services Deployment Guide
Deploying Terminal Services in your Windows Server® 2008 environment provides technologies
that enable users to access Windows®-based programs that are installed on a terminal server, or
to access the full Windows desktop. By using Terminal Services, users can access a terminal
server from within a corporate network or from the Internet.
Terminal Services enables you to efficiently deploy and maintain software in an enterprise
environment from a central location. Because you install the programs on the terminal server and
not on the client computer, programs are easier to upgrade and to maintain.
About this guide
This guide is intended for use by system administrators and system engineers who are
responsible for deploying the Terminal Services role services and features. It provides detailed
guidance for deploying a Terminal Services design that is preselected by you, an infrastructure
specialist, or a system architect in your organization.
For related information about Terminal Services, visit the Terminal Services page on the Windows
Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).
In this guide
Role Services and Features in a Terminal Services Deployment
Deploying Terminal Server
Deploying TS Licensing
Deploying TS Session Broker
Deploying TS Gateway
Deploying TS RemoteApp
Deploying TS Web Access
Deploying Terminal Services Printing
Role Services and Features in a Terminal Services Deployment
The following figure shows the network diagram for the Terminal Services role services and
features that are covered in this deployment guide. This diagram isolates specific functionality on
separate servers, instead of running multiple services on the same server. Your deployment
design will vary according to your resources and requirements.
What are the role services and features in a Terminal Services deployment?
Terminal Services is a server role that consists of several sub-components, known as "role
services." In Windows Server 2008, Terminal Services consists of the following role services:
Terminal Server: The Terminal Server role service enables a server to host Windows-based
programs or the full Windows desktop. Users can connect to a terminal server to run
programs, to save files, and to use network resources on that server.
TS Licensing: Terminal Services Licensing (TS Licensing) manages the Terminal Services
client access licenses (TS CALs) that are required for each device or user to connect to a
terminal server. You use TS Licensing to install, issue, and monitor the availability of TS CALs
on a Terminal Services license server.
Important: You must have a correctly configured license server within 120 days after your
terminal server accepts its first connection.
TS Session Broker: Terminal Services Session Broker (TS Session Broker) supports
session load balancing between terminal servers in a farm, and reconnection to an existing
session in a load-balanced terminal server farm.
Important: To use the built-in TS Session Broker Load Balancing feature, terminal servers in the
farm must be running Windows Server 2008.
TS Web Access: Terminal Services Web Access (TS Web Access) enables users to access
RemoteApp programs and a Remote Desktop connection to the terminal server through a
Web site. TS Web Access also includes Remote Desktop Web Connection, which enables
users to remotely connect to any computer where they have Remote Desktop access.
TS Gateway: Terminal Services Gateway (TS Gateway) enables authorized remote users to
connect to resources on an internal corporate network, from any Internet-connected device
that can run the Remote Desktop Connection (RDC) client.
Your deployment might also include the following:
Remote Desktop Connection (RDC) client: The RDC client must be installed on client
computers for users to start Terminal Services sessions. To access most of the new features
in Windows Server 2008, the client must be running RDC 6.0 or RDC 6.1.
Active Directory Domain Services: If you deploy TS Session Broker, the server where you
install the TS Session Broker role service must be a member of an Active Directory domain. If
you deploy terminal servers or terminal server farms, the servers must be members of the
same Active Directory domain as the license servers, or the license servers must be deployed
at the forest level.
Network Access Protection (NAP): You can configure TS Gateway servers and Terminal
Services clients to use NAP to further enhance security. NAP is a health policy creation,
enforcement, and remediation technology that is included in Windows Server 2008,
Windows Vista®, Windows Vista Service Pack 1 (SP1), and Windows XP Service Pack 3 (SP3).
With NAP, system administrators can enforce health requirements, which can include software
requirements, security update requirements, required computer configurations, and other
settings.
Network Firewall: The Terminal Services role services are typically deployed within the
corporate network behind a firewall. If TS Gateway is deployed, it may be hosted in a
perimeter network. TS Gateway enables most remote users to connect to internal network
resources that are hosted behind firewalls in private networks and across network address
translators (NATs). With TS Gateway, you do not need to perform additional configuration for
the TS Gateway server or clients for this scenario.
In earlier versions of Windows Server, remote users could not connect to internal network
resources across firewalls and NATs, because port 3389, the port used for RDP connections,
is typically blocked for network security purposes. TS Gateway instead carries the RDP traffic
over port 443, inside an HTTP over Secure Sockets Layer/Transport Layer Security (SSL/TLS)
tunnel. Because most corporations already allow port 443 for Internet connectivity, TS Gateway
takes advantage of this network design to provide remote access connectivity across multiple
firewalls. The gateway thereby becomes the only Internet-facing entry point for RDP, so its
server certificate and its connection and resource authorization policies (see Deploying TS
Gateway) determine who can reach the internal terminal servers.
Front-end load balancer: If you deploy TS Session Broker, a front-end load balancer is
required. Depending on your requirements, you can use the Domain Name System (DNS)
round robin feature, Network Load Balancing (NLB), or a hardware load balancer.
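The following script is an added example, not code from the Microsoft guide. It checks, from a computer outside the corporate network, the two network assumptions behind the TS Gateway description above: that direct RDP (port 3389) to the terminal server is blocked while port 443 to the gateway is open, and that the certificate the gateway presents on port 443 is one an RDC client will accept (name matches, within validity period, chain builds to a trusted root). The host names tsgw.contoso.com and ts01.corp.contoso.com are assumptions; replace them with your own.

```powershell
# Added example (not from the Microsoft guide): verify the network assumptions
# the guide makes for TS Gateway from a client outside the corporate network.
# Host names are hypothetical.
param(
    [string]$Gateway        = 'tsgw.contoso.com',       # assumed gateway FQDN clients type into RDC
    [string]$TerminalServer = 'ts01.corp.contoso.com',  # assumed internal terminal server
    [int]$TimeoutMs         = 3000
)

function Test-TcpPort {
    # Returns $true if a TCP connection to $HostName:$Port completes within the timeout.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-TlsCertificate {
    # Opens a TLS session to $HostName:$Port, as RDC does for the HTTPS tunnel, and
    # returns the server certificate. The validation callback accepts everything so
    # that a bad certificate is reported below instead of hidden behind an exception.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = { param($sender, $cert, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $remote = $ssl.RemoteCertificate
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]$remote
    } finally {
        $client.Close()
    }
}

function Test-GatewayCertificate {
    # Applies the checks an RDC client applies before it trusts the gateway.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$ExpectedHost)
    $problems = @()
    # Name check: the subject CN or a DNS subject alternative name must equal the
    # name clients connect to, otherwise RDC reports a name mismatch.
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    if (-not ($names -contains $ExpectedHost)) {
        $problems += "name mismatch: certificate names are '$($names -join ', ')', clients connect to '$ExpectedHost'"
    }
    $now = Get-Date
    if ($Cert.NotAfter  -lt $now) { $problems += "expired on $($Cert.NotAfter)" }
    if ($Cert.NotBefore -gt $now) { $problems += "not valid before $($Cert.NotBefore)" }
    # Chain check: the issuing CA must be trusted by the client (the guide's
    # "install the root certificate on the client" step exists for this case).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build to a trusted root: $status"
    }
    return $problems
}

# The guide's point: only 443 to the gateway needs to be reachable from the Internet.
$directRdp    = Test-TcpPort -HostName $TerminalServer -Port 3389 -TimeoutMs $TimeoutMs
$gatewayHttps = Test-TcpPort -HostName $Gateway        -Port 443  -TimeoutMs $TimeoutMs
"Direct RDP ${TerminalServer}:3389 reachable: $directRdp (expected False from outside)"
"TS Gateway ${Gateway}:443 reachable: $gatewayHttps (expected True)"
if ($gatewayHttps) {
    $cert   = Get-TlsCertificate -HostName $Gateway
    $issues = @(Test-GatewayCertificate -Cert $cert -ExpectedHost $Gateway)
    "Gateway certificate: $($cert.Subject); valid until $($cert.NotAfter)"
    if ($issues.Count -eq 0) { 'Certificate OK for RDC clients' }
    else { $issues | ForEach-Object { "PROBLEM: $_" } }
}
```

Run it from a laptop on an outside network, not from inside the perimeter, or the first check proves nothing. A reachable 3389 means the firewall design the guide assumes is not in place; a certificate problem means clients will see a warning or fail to connect, which is why the certificate requirements and root-certificate steps in Deploying TS Gateway matter.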
Deploying Terminal Server
Terminal Server is one of the role services provided by the Terminal Services server role. You
install Terminal Server on a server to host Windows-based programs or the full Windows desktop.
Users can connect to a terminal server to run programs (including RemoteApp programs), save
files, and use network resources if they have appropriate permissions.
To install, configure, and manage a terminal server, see the following topics:
Installation Prerequisites for Terminal Server
Checklist: Configuring Terminal Server
Configuring Terminal Server
Managing Terminal Server
Installation Prerequisites for Terminal Server
A terminal server is the server that hosts Windows-based programs or the full Windows desktop
for Terminal Services client computers. Users can connect to a terminal server to run programs,
to save files, and to use network resources on that server. Users can access a terminal server by
using Remote Desktop Connection or by using TS RemoteApp.
The following checklist provides tasks that an administrator should perform before installing and
configuring a terminal server.
Note: Installing a terminal server on an Active Directory domain controller is not recommended.
For more information, see Installing Terminal Server on a Domain Controller.
Task Reference
Determine if you need a terminal server. To allow remote connections for administrative
purposes only, you do not need to install a
terminal server.
For more information about remote connections
for administrative purposes, see Using Remote
Desktop.
Review licensing requirements for a terminal
server.
Each user or computing device that connects to
a terminal server must have a valid Terminal
Services client access license (TS CAL).
A terminal server running Windows Server 2008
can only communicate with a Terminal Services
license server running Windows Server 2008,
and the license server must have Windows
Server 2008 TS CALs installed.
Note
12
Task Reference
For more information about licensing
requirements for Terminal Services, see the TS
Licensing Step-by-Step Guide on the Windows
Server 2008 TechCenter
(http://go.microsoft.com/fwlink/?linkid=85873).
Decide which programs you want to host on the
terminal server.
You should install the Terminal Server role
service on the computer before you install any
programs that you want to make available to
users. If you install the Terminal Server role
service on a computer that already has
programs installed, some of the existing
programs may not work correctly in a multiple
user environment. Uninstalling and then
reinstalling the affected programs may resolve
these issues.
For more information, see Install Programs on a
Terminal Server.
Review information about:
Hardware requirements
Capacity and scaling
See the Checklist: Terminal Server Installation
Prerequisites on the Windows Server 2008
TechCenter (http://go.microsoft.com/fwlink/?
LinkId=101636).
Determine if you need to deploy a load-
balanced terminal server farm.
See the TS Session Broker Load Balancing
Step-by-Step Guide on the Windows
Server 2008 TechCenter
(http://go.microsoft.com/fwlink/?LinkId=92670).
Determine the Terminal Services licensing
mode that the terminal server will use.
The Terminal Services licensing mode that is
configured on a terminal server must match the
type of TS CALs that are available on the
Terminal Services license server.
See Specify the Terminal Services Licensing
Mode on the Windows Server 2008 TechCenter
(http://go.microsoft.com/fwlink/?
LinkId=101638 ).
Determine how the terminal server will discover
a license server.
A terminal server must be able to contact a
Terminal Services license server to request
TS CALs for users or computing devices that
are connecting to the terminal server.
For more information about license server
discovery, see the TS Licensing Step-by-Step
Guide on the Windows Server 2008 TechCenter
(http://go.microsoft.com/fwlink/?LinkId=85873).
Determine which users will be able to remotely
connect to the terminal server.
The Remote Desktop Users group on a terminal
server is used to give users and groups
permission to log on remotely to a terminal
server.
For more information, see Configure the
Remote Desktop Users Group.
Determine if the terminal server will require
Network Level Authentication.
You can enhance terminal server security by
providing user authentication early in the
connection process when a client connects to a
terminal server. This early user authentication
method is referred to as Network Level
Authentication.
For more information, see Configure the
Network Level Authentication Setting for a
Terminal Server.
Review information about Windows Firewall.
The installation of the Terminal Server role service changes the configuration of Windows
Firewall.
For more information, see Terminal Services
and Windows Firewall.
Using Remote Desktop
To allow remote connections for administrative purposes only, you do not have to install a
terminal server. Instead, you can enable Remote Desktop on the computer that you want to
remotely administer.
Remote Desktop supports only two concurrent remote connections to the computer. You
do not need Terminal Services client access licenses (TS CALs) for these connections.
You can use the following procedure to enable Remote Desktop on a computer running Windows
Server 2008.
Note
Membership in the local Administrators group, or equivalent, on the computer that you plan to
configure, is the minimum required to complete this procedure. Review details about using the
appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To enable Remote Desktop
1. Start the System tool. To start the System tool, click Start, click Run, type control
system and then click OK.
2. Under Tasks, click Remote settings.
3. In the System Properties dialog box, on the Remote tab, click either of the following,
depending on your environment:
Allow connections from computers running any version of Remote Desktop
(less secure)
Allow connections only from computers running Remote Desktop with Network
Level Authentication (more secure)
For more information about the two options, click the Help me choose link on the
Remote tab.
4. Click Select Users to add the users and groups that need to connect to the computer by
using Remote Desktop. The users and groups that you add are added to the Remote
Desktop Users group.
Note
Members of the local Administrators group can connect even if they are not
listed.
Installing Terminal Server on a Domain Controller
Installing a terminal server on an Active Directory domain controller is not recommended. Allowing
users to run programs on a domain controller could create security risks and performance issues.
If the Terminal Server role service is installed on a domain controller, the security settings of the
domain controller need to be adjusted to allow users remote access to the server. This remote
access is controlled by the "Allow log on through Terminal Services" user rights assignment,
which can be configured by using the Group Policy Management Console (GPMC).
On a domain controller, by default, only the Administrators group is granted the "Allow log on
through Terminal Services" user right. To allow remote access to the terminal server for users
who are not members of the Administrators group, you should grant the Remote Desktop Users
group the "Allow log on through Terminal Services" user right.
For more information about using GPMC to configure user rights assignments, see the Windows
Server 2008 Group Policy Management Console Help.
Note
Installing the TS Licensing role service on a domain controller is recommended in certain
circumstances. If a Terminal Services license server is installed on a domain controller,
terminal servers in the same domain as the license server will automatically be able to
discover the license server. Because users are not connecting directly to the license
server to run programs on the license server, the security risks and performance issues
can be mitigated.
For more information about license server discovery and configuring TS Licensing, see the TS
Licensing documentation on the Terminal Services page on the Windows Server 2008
TechCenter (http://go.microsoft.com/fwlink/?LinkId=73931).
Terminal Services and Windows Firewall
Windows Firewall is on by default in Windows Server 2008. Windows Firewall helps control which
programs or ports can be used to communicate between the server running Windows
Server 2008 and other computers on the network or the Internet. To allow a program or port to
communicate through Windows Firewall, you need to enable an exception.
If you enable Remote Desktop, Windows Firewall automatically enables the Remote Desktop
exception.
When the Terminal Server role service is installed, Windows Firewall automatically enables the
following exceptions:
Remote Desktop
Terminal Services
If you install other Terminal Services role services, Windows Firewall automatically enables other
exceptions. For example, when you install the TS Licensing role service, Windows Firewall
enables the Terminal Services Licensing Server exception.
When you uninstall a role service from the computer, Windows Firewall automatically removes
the exception for that role service.
When the Terminal Server role service is uninstalled, only the Terminal Services
exception is removed. The Remote Desktop exception is not removed.
Use the following procedure to view Windows Firewall exceptions.
Membership in the local Administrators group, or equivalent, is the minimum required to
complete this procedure. Review details about using the appropriate accounts and group
memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?
LinkId=83477).
To view Windows Firewall exceptions
1. Click Start, and then click Control Panel.
2. Click Security, and then click Windows Firewall.
3. Click Change Settings, and then, in the Windows Firewall Settings dialog box, click
the Exceptions tab.
4. If the check box associated with the program or port listed is selected, the Windows
Firewall exception for that program or port is enabled.
Important
Some programs only appear in the list when the role service is installed. For example, the
Terminal Services Licensing Server program only appears in the list when the
TS Licensing role service is installed on the computer.
To view more detailed information about Windows Firewall settings, use the Windows Firewall
with Advanced Security snap-in.
Use the following procedure to use Windows Firewall with Advanced Security.
Membership in the local Administrators group, or equivalent, is the minimum required to
complete this procedure. Review details about using the appropriate accounts and group
memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?
LinkId=83477).
To use the Windows Firewall with Advanced Security snap-in
1. Click Start, point to Administrative Tools, and then click Windows Firewall with
Advanced Security.
2. To view detailed information about Windows Firewall settings, click either of the following
nodes in the left pane:
Inbound rules
Outbound rules
For more information about configuring Windows Firewall, see the Windows Server 2008
Windows Firewall with Advanced Security Help.
For more information about Terminal Services-specific Windows Firewall exceptions, see the
Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).
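The same information can be pulled from the command line, which is easier to script across a farm than the two dialogs above. The following PowerShell script is an added example, not part of the Microsoft guide: it parses the output of netsh advfirewall, the command-line front end to Windows Firewall with Advanced Security on Windows Server 2008, and lists the inbound rules in the Remote Desktop, Terminal Services and Terminal Services Licensing Server groups with their enabled state, profiles and port. The group names are the ones the guide uses; the parsing assumes the English netsh output layout, and the final check for TCP 3389 on the Public profile is this example's own practitioner's caveat rather than anything the guide states.

```powershell
# Added example, not from the Microsoft guide. Requires an elevated prompt.
# Assumes the English-language layout of "netsh advfirewall firewall show rule",
# where each rule is a block that begins with a "Rule Name:" line.

function Get-InboundFirewallRules {
    $rules = @()
    $cur = $null
    foreach ($line in (& netsh.exe advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($cur) { $rules += $cur }
            $cur = New-Object PSObject -Property @{
                Name = $matches[1].Trim(); Group = ''; Enabled = ''; Profiles = ''; LocalPort = ''
            }
        } elseif ($cur -and $line -match '^(Grouping|Enabled|Profiles|LocalPort):\s+(.+)$') {
            $field = $matches[1]; $value = $matches[2].Trim()
            if ($field -eq 'Grouping') { $cur.Group = $value } else { $cur.$field = $value }
        }
    }
    if ($cur) { $rules += $cur }
    $rules
}

# The exceptions this section describes; the licensing group only appears once
# the TS Licensing role service is installed.
$groups = 'Remote Desktop', 'Terminal Services', 'Terminal Services Licensing Server'
$tsRules = Get-InboundFirewallRules | Where-Object { $groups -contains $_.Group }

$tsRules | Sort-Object Group, Name |
    Format-Table Group, Name, Enabled, Profiles, LocalPort -AutoSize

# Practitioner's check (not from the guide): the RDP listener, TCP 3389 by
# default, should not be open on the Public profile unless that is intended.
$exposed = $tsRules | Where-Object {
    $_.Enabled -eq 'Yes' -and $_.LocalPort -eq '3389' -and $_.Profiles -match 'Public|Any'
}
foreach ($r in $exposed) {
    Write-Warning ("'{0}' allows TCP 3389 on profiles '{1}'; restrict it if this server must not be reachable from untrusted networks." -f $r.Name, $r.Profiles)
}
```

Because the role-service installer enables whole rule groups, re-enabling one after a change is also a group operation: netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes. Run the listing again afterwards rather than trusting the command's "Updated N rule(s)" message.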
Checklist: Configuring Terminal Server
A terminal server is the server that hosts Windows-based programs or the full Windows desktop
for Terminal Services clients. Users can connect to a terminal server to run programs, to save
files, and to use network resources on that server. Users can access a terminal server by using
Remote Desktop Connection or by using TS RemoteApp.
This checklist provides tasks that an administrator needs to complete to install and configure a
terminal server.
Please note the following:
Installing the Terminal Server role service requires the computer to be restarted.
Installing a terminal server on an Active Directory domain controller is not recommended. For
more information, see Installing Terminal Server on a Domain Controller.
Installing the Terminal Server role service on the computer before you install any programs
that you want to make available to users is recommended. For more information, see Install
Programs on a Terminal Server.
Task Reference
Review prerequisites for installing a terminal
server.
Installation Prerequisites for Terminal Server
Install the Terminal Server role service.
Install the Terminal Server Role Service
Configure the license settings on the terminal
server.
Configure License Settings for a Terminal
Server
Configure the Network Level Authentication
setting for the terminal server.
Configure the Network Level Authentication
Setting for a Terminal Server
Install programs on the terminal server.
Install Programs on a Terminal Server
Configure which users can remotely connect to
the terminal server.
Configure the Remote Desktop Users Group
Configuring Terminal Server
This section provides procedures for configuring a terminal server. It includes the following topics:
Install the Terminal Server Role Service
Configure License Settings for a Terminal Server
Configure the Network Level Authentication Setting for a Terminal Server
Install Programs on a Terminal Server
Configure the Remote Desktop Users Group
Install the Terminal Server Role Service
In Windows Server 2008, you can use Server Manager to install the Terminal Server role service.
For more information about other ways to install the Terminal Server role service, including by
using servermanagercmd.exe, see the Terminal Services page on the Windows Server 2008
TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).
Use the following procedure to install the Terminal Server role service by using Server Manager if
Terminal Services is not already installed on the server. If Terminal Services is already installed
on the server, see Install the Terminal Server role service (when Terminal Services is already
installed).
To install the Terminal Server role service
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. In the left pane, right-click Roles, and then click Add Roles.
3. In the Add Roles Wizard, on the Before You Begin page, click Next.
4. On the Select Server Roles page, under Roles, select the Terminal Services check
box.
Note
If Terminal Services is already installed on the server, the Terminal Services
check box will be selected and dimmed.
5. Click Next.
6. On the Terminal Services page, click Next.
7. On the Select Role Services page, select the Terminal Server check box, and then
click Next.
Note
If you are installing the Terminal Server role service on a domain controller, you
will receive a warning message because installing the Terminal Server role
service on a domain controller is not recommended. For more information, see
Installing Terminal Server on a Domain Controller.
8. On the Uninstall and Reinstall Applications for Compatibility page, click Next.
9. On the Specify Authentication Method for Terminal Server page, select the
appropriate authentication method for the terminal server, and then click Next. For more
information about authentication methods, see Configure the Network Level
Authentication Setting for a Terminal Server.
10. On the Specify Licensing Mode page, select the appropriate licensing mode for the terminal
server, and then click Next. For more information about licensing modes, see Specify the
Terminal Services Licensing Mode.
11. On the Select User Groups Allowed Access To This Terminal Server page, add the
users or user groups that you want to be able to remotely connect to this terminal server,
and then click Next. For more information, see Configure the Remote Desktop Users
Group.
12. On the Confirm Installation Selections page, verify that the Terminal Server role
service will be installed, and then click Install.
13. On the Installation Progress page, installation progress will be noted.
14. On the Installation Results page, you are prompted to restart the server to finish the
installation process. Click Close, and then click Yes to restart the server.
15. If you are prompted that other programs are still running, do either of the following:
To close the programs manually and restart the server later, click Cancel.
To automatically close the programs and restart the server, click Restart now.
16. After the server restarts and you log on to the computer, the remaining steps of the
installation will finish. When the Installation Results page appears, confirm that the
installation of Terminal Server succeeded.
You can also confirm that Terminal Server is installed by following these steps:
a. Start Server Manager.
b. Under Roles Summary, click Terminal Services.
c. Under System Services, confirm that Terminal Services has a status of Running.
d. Under Role Services, confirm that Terminal Server has a status of Installed.
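The guide mentions servermanagercmd.exe as an alternative to the wizard. The following PowerShell script is an added example, not part of the Microsoft guide: it installs the Terminal Server role service unattended and then performs the same verification as steps a to d above from the command line, adding a WMI read of the terminal server mode. The role-service identifier TS-Terminal-Server, the "[X]" marker in the -query output and the 3010 reboot-required exit code are assumptions to confirm against servermanagercmd.exe -query on your own server before relying on them.

```powershell
# Added example, not from the Microsoft guide. Run elevated on Windows Server 2008.
# Assumptions: the Terminal Server role service is identified as TS-Terminal-Server;
# "servermanagercmd -query" marks installed items with "[X]" on the same line as the
# bracketed identifier; exit code 3010 means "installed, reboot required".

$roleService = 'TS-Terminal-Server'

function Test-RoleServiceInstalled([string]$id) {
    $query = & servermanagercmd.exe -query
    [bool]($query | Where-Object { $_ -match "\[X\].*\[$id\]" })
}

if (Test-RoleServiceInstalled $roleService) {
    "$roleService is already installed."
} else {
    # The wizard's authentication-method, licensing-mode and user-group pages are
    # not asked here; configure those afterwards as the following sections describe.
    # -restart reboots the server automatically when the installation requires it.
    & servermanagercmd.exe -install $roleService -restart
    if (-not (0, 3010 -contains $LASTEXITCODE)) {
        throw "servermanagercmd.exe -install failed with exit code $LASTEXITCODE"
    }
}

# After the reboot: the checks the guide makes in Server Manager, from the shell.
$svc = Get-Service -Name TermService
'Terminal Services service : {0}' -f $svc.Status
'Role service installed    : {0}' -f (Test-RoleServiceInstalled $roleService)

# Win32_TerminalServiceSetting.TerminalServerMode: 1 = application server (the
# Terminal Server role service is installed), 0 = remote administration only.
$tss = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TerminalServiceSetting
$modeText = if ($tss.TerminalServerMode -eq 1) { 'Application server' } else { 'Remote administration' }
'Terminal server mode      : {0}' -f $modeText
```

A server that reports "Remote administration" after the reboot is still limited to the two administrative connections described under Using Remote Desktop, which is the quickest way to notice that the role service did not actually install.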
Install the Terminal Server role service (when Terminal Services is already installed)
Use the following procedure to install the Terminal Server role service when Terminal Services is
already installed on the server.
Membership in the local Administrators group, or equivalent, on the terminal server that you
plan to configure, is the minimum required to complete this procedure. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
Important
The installation of the Terminal Server role service requires the computer to be restarted.
To install the Terminal Server role service when Terminal Services is already installed
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. In the left pane, expand Roles.
3. Right-click Terminal Services, and then click Add Role Services.
4. On the Select Role Services page, select the Terminal Server check box, and then
click Next.
Note
If you are installing the Terminal Server role service on a domain controller, you
will receive a warning message because installing the Terminal Server role
service on a domain controller is not recommended. For more information, see
Installing Terminal Server on a Domain Controller.
5. On the Uninstall and Reinstall Applications for Compatibility page, click Next.
6. On the Specify Authentication Method for Terminal Server page, select the
appropriate authentication method for the terminal server, and then click Next. For more
information about authentication methods, see Configure the Network Level
Authentication Setting for a Terminal Server.
7. On the Specify Licensing Mode page, select the appropriate licensing mode for the terminal
server, and then click Next. For more information about licensing modes, see Specify the
Terminal Services Licensing Mode.
8. On the Select User Groups Allowed Access To This Terminal Server page, add the
users or user groups that you want to be able to remotely connect to this terminal server,
and then click Next. For more information, see Configure the Remote Desktop Users
Group.
9. On the Confirm Installation Selections page, verify that the Terminal Server role
service will be installed, and then click Install.
10. On the Installation Progress page, installation progress will be noted.
11. On the Installation Results page, you are prompted to restart the server to finish the
installation process. Click Close, and then click Yes to restart the server.
12. If you are prompted that other programs are still running, do either of the following:
To close the programs manually and restart the server later, click Cancel.
To automatically close the programs and restart the server, click Restart now.
13. After the server restarts and you log on to the computer, the remaining steps of the
installation will finish. When the Installation Results page appears, confirm that the
installation of Terminal Server succeeded.
You can also confirm that Terminal Server is installed by following these steps:
a. Start Server Manager.
b. Under Roles Summary, click Terminal Services.
c. Under System Services, confirm that Terminal Services has a status of Running.
d. Under Role Services, confirm that Terminal Server has a status of Installed.
Configure License Settings for a Terminal Server
Each user or computing device that connects to a terminal server must have a valid Terminal
Services client access license (TS CAL) issued by a Terminal Services license server.
To ensure that a terminal server can contact (discover) a Terminal Services license server to
request TS CALs for client computers, you need to do the following on the terminal server:
Specify the Terminal Services Licensing Mode
Specify the License Server Discovery Mode
Specify the Terminal Services Licensing Mode
The Terminal Services licensing mode determines the type of Terminal Services client access
licenses (TS CALs) that a terminal server will request from a license server on behalf of a client
that is connecting to the terminal server.
Important
The Terminal Services licensing mode that is configured on a terminal server must match
the type of TS CALs that are available on the license server.
There are two types of TS CALs:
TS Per Device CAL, which permits one device (used by any user) to connect to a terminal
server.
TS Per User CAL, which gives one user the right to access terminal servers from an unlimited
number of client computers or devices.
The Terminal Services licensing mode for the terminal server can be set in the following ways:
During the installation of the Terminal Server role service in Server Manager, on the Specify
Licensing Mode page in the Add Roles Wizard.
On the Specify Licensing Mode page, you can select Configure later if you are unsure
during the installation whether to select Per Device or Per User. If you select Configure
later, each time that you log on to the terminal server, a message appears in the lower-right
corner of the desktop reminding you that you need to configure the licensing mode for the
terminal server.
By using the Terminal Services Configuration tool to configure the Terminal Services
licensing mode for the terminal server.
If the Specify the Terminal Services licensing mode choices are dimmed and you cannot
make a selection, the Set Terminal Services licensing mode Group Policy setting has been
enabled and applied to the terminal server.
By applying the Set Terminal Services licensing mode Group Policy setting.
This Group Policy setting is located in Computer Configuration\Administrative Templates\
Windows Components\Terminal Services\Terminal Server\Licensing and can be
configured by using either the Local Group Policy Editor or the Group Policy Management
Console (GPMC). Note that this Group Policy setting takes precedence over the setting
configured in Terminal Services Configuration.
For more information about TS CALs and configuring TS Licensing, see the TS Licensing
documentation on the Terminal Services page on the Windows Server 2008 TechCenter
(http://go.microsoft.com/fwlink/?LinkId=73931).
For more information about Group Policy settings for Terminal Services, see the Terminal
Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).
Specify the License Server Discovery Mode
A terminal server must be able to contact (discover) a Terminal Services license server to request
Terminal Services client access licenses (TS CALs) for users or computing devices that are
connecting to the terminal server.
You can set the license server discovery mode for the terminal server in the following ways:
By configuring License Server discovery mode for the terminal server in the Terminal
Services Configuration tool.
If the Specify the license server discovery mode choices are dimmed and you cannot
make a selection, the Use the specified Terminal Services license servers Group Policy
setting has been enabled and has been applied to the terminal server.
By applying the Use the specified Terminal Services license servers Group Policy setting.
This Group Policy setting is located in Computer Configuration\Administrative Templates\
Windows Components\Terminal Services\Terminal Server\Licensing and can be
configured by using either the Local Group Policy Editor or the Group Policy Management
Console (GPMC). Note that this Group Policy setting takes precedence over the setting
configured in Terminal Services Configuration.
In the license server discovery process, a terminal server in a Windows Server-based domain
attempts to contact a license server in the following order:
License servers that are specified in Terminal Services Configuration
A license server that is installed on the same computer as the terminal server
License servers that are published in Active Directory Domain Services
License servers that are installed on domain controllers in the same domain as the terminal
server
Important
To see which license servers the terminal server discovers and to be alerted to possible
licensing discovery and configuration issues, use Licensing Diagnosis in Terminal
Services Configuration. For information about Licensing Diagnosis, see the topic
"Identify Possible Licensing Problems for the Terminal Server" in the Windows
Server 2008 Terminal Services Configuration Help (http://go.microsoft.com/fwlink/?
Linkid=118659).
For more information about license server discovery and configuring TS Licensing, see the
TS Licensing documentation on the Terminal Services page on the Windows Server 2008
TechCenter (http://go.microsoft.com/fwlink/?LinkId=73931).
For more information about Group Policy settings for Terminal Services, see the Terminal
Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).
Configure the Network Level Authentication Setting for a Terminal Server
You can enhance terminal server security by providing user authentication early in the connection
process when a client connects to a terminal server. This early user authentication method is
referred to as Network Level Authentication.
Network Level Authentication completes user authentication before you establish a Remote
Desktop connection and the logon screen appears. This is a more secure authentication method
that can help protect the remote computer from malicious users and malicious software. The
advantages of using Network Level Authentication are:
It requires fewer remote computer resources initially. The remote computer uses a limited
number of resources before authenticating the user, rather than starting a full Remote
Desktop connection as in previous versions.
It reduces the risk of denial-of-service attacks.
To use Network Level Authentication, you need to meet all of the following requirements:
On the client computer, use at least Remote Desktop Connection 6.0.
On the client computer, use an operating system, such as Windows Vista, that supports the
Credential Security Support Provider (CredSSP) protocol.
On the terminal server, use Windows Server 2008.
You can configure a terminal server to only support connections from client computers running
Network Level Authentication. The Network Level Authentication setting for a terminal server can
be set in the following ways:
During the installation of the Terminal Server role service in Server Manager, on the Specify
Authentication Method for Terminal Server page in the Add Roles Wizard.
On the Remote tab in the System Properties dialog box on a terminal server. For more
information, see Change Remote Connection Settings.
If the Allow connections from computers running any version of Remote Desktop (less
secure) is not selected and is dimmed, the Require user authentication for remote
connections by using Network Level Authentication Group Policy setting has been
enabled and has been applied to the terminal server.
On the General tab of the Properties dialog box for a connection in the Terminal Services
Configuration tool by selecting the Allow connections only from computers running
Remote Desktop with Network Level Authentication check box.
If the Allow connections only from computers running Remote Desktop with Network
Level Authentication check box is selected and is dimmed, the Require user
authentication for remote connections by using Network Level Authentication Group
Policy setting has been enabled and has been applied to the terminal server.
By applying the Require user authentication for remote connections by using Network
Level Authentication Group Policy setting.
This Group Policy setting is located in Computer Configuration\Administrative Templates\
Windows Components\Terminal Services\Terminal Server\Security and can be
configured by using either the Local Group Policy Editor or the Group Policy Management
Console (GPMC). Note that this Group Policy setting takes precedence over the setting
configured in Terminal Services Configuration or on the Remote tab.
To determine whether a computer is running a version of Remote Desktop Connection that
supports Network Level Authentication, start Remote Desktop Connection, click the icon in the
upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the
About Remote Desktop Connection dialog box, look for the phrase "Network Level
Authentication supported."
For more information about security and Terminal Services, see the Terminal Services page on
the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkID=73931).
For more information about Group Policy settings for Terminal Services, see the Terminal
Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).
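The licensing mode, the license server discovery mode and the Network Level Authentication requirement described in the three preceding sections all follow one precedence rule: a Group Policy value overrides whatever Terminal Services Configuration or the Remote tab stored locally, which is why those controls appear dimmed. The following PowerShell script is an added example, not part of the Microsoft guide, that resolves the effective value of each of the three settings and reports where it comes from. It reads the policy values from the registry key the Terminal Services policies write to (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, value names LicensingMode, LicenseServers and UserAuthentication) and the local values through the Terminal Services WMI provider that the configuration tool itself uses. The value names, the numeric meanings (2 = Per Device, 4 = Per User, 1 = NLA required) and the GetSpecifiedLicenseServerList method are stated from the Windows Server 2008 templates and provider as the author remembers them and are assumptions to confirm on your own system.

```powershell
# Added example, not from the Microsoft guide. Run elevated on the terminal server.
# Assumptions (confirm on your system): the Terminal Services policy settings land
# in HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services as LicensingMode
# (DWORD: 2 = Per Device, 4 = Per User), LicenseServers (string, comma-separated)
# and UserAuthentication (DWORD: 1 = require NLA). Local values come from the
# root\cimv2\TerminalServices WMI classes used by Terminal Services Configuration.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ns = 'root\cimv2\TerminalServices'

function Get-PolicyValue([string]$name) {
    $item = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name } else { $null }   # $null = policy not configured
}

function Get-LicensingModeName($value) {
    switch ([int]$value) {
        2       { 'Per Device' }
        4       { 'Per User' }
        default { "not configured or other ($value)" }
    }
}

function Get-TsEffectiveSettings {
    $tss = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting
    $rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

    # Licensing mode: Group Policy wins over Terminal Services Configuration.
    $polMode = Get-PolicyValue 'LicensingMode'
    if ($polMode -ne $null) { $mode = $polMode;          $modeSrc = 'Group Policy' }
    else                    { $mode = $tss.LicensingType; $modeSrc = 'Terminal Services Configuration' }

    # Specified license servers: the policy string, else the list held by Terminal
    # Services Configuration. An empty list means automatic discovery is used.
    $polServers = Get-PolicyValue 'LicenseServers'
    if ($polServers) { $servers = $polServers; $srvSrc = 'Group Policy' }
    else {
        try   { $list = ($tss.GetSpecifiedLicenseServerList()).SpecifiedLSList }
        catch { $list = $null }                  # method absent or call failed
        $servers = @($list) -join ','
        $srvSrc = 'Terminal Services Configuration'
    }
    if (-not $servers) { $servers = '(none specified: automatic discovery)' }

    # NLA requirement: Group Policy wins over the RDP-Tcp connection properties.
    $polNla = Get-PolicyValue 'UserAuthentication'
    if ($polNla -ne $null) { $nla = $polNla;                         $nlaSrc = 'Group Policy' }
    else                   { $nla = $rdp.UserAuthenticationRequired; $nlaSrc = 'RDP-Tcp connection properties' }

    New-Object PSObject -Property @{
        LicensingMode        = Get-LicensingModeName $mode
        LicensingModeSource  = $modeSrc
        LicenseServers       = $servers
        LicenseServersSource = $srvSrc
        NlaRequired          = [bool]$nla
        NlaSource            = $nlaSrc
    }
}

Get-TsEffectiveSettings | Format-List
```

Run gpupdate /force first, because the policy branch of the registry only reflects the last Group Policy refresh. The script reports what the terminal server will ask for, not what the license server can supply; cross-check the mode against the TS CALs actually installed, for which Licensing Diagnosis in Terminal Services Configuration remains the authoritative tool.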
Install Programs on a Terminal Server
You should install the Terminal Server role service on the computer before you install any
programs that you want to make available to users. If you install the Terminal Server role service
on a computer that already has programs installed, some of the existing programs may not work
correctly in a multiple user environment. Uninstalling and then reinstalling the affected programs
may resolve these issues.
To ensure that an application is installed correctly to work in a multiple user environment, you
must put the terminal server into a special installation mode before you install the application on
the terminal server. This special installation mode ensures that the correct registry entries and .ini
files that are needed to support running the application in a multiple user environment are created
during the installation process.
You can put a terminal server into this special installation mode by using either of the following:
Install Application on Terminal Server tool under Programs in Control Panel. This tool
runs a wizard to help install the application.
Change user /install command at a command prompt. You will have to start the installation
of the application manually.
After the application is installed, you must put the terminal server into execution mode before
remote users begin using the application. The Install Application on Terminal Server tool will
automatically put the terminal server into execution mode when it is finished running. To put the
terminal server into execution mode from a command prompt, use the change user /execute
command.
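The two-mode procedure above is easy to get half right: the common mistake is an installer that fails and leaves the server in install mode. The following PowerShell script is an added example, not part of the Microsoft guide, that drives the command-line variant end to end with change.exe and guarantees the return to execute mode even when the installation fails. The installer path and its silent switch are placeholders.

```powershell
# Added example, not from the Microsoft guide. Run elevated on the terminal server.
# The installer path and its silent-install switch are placeholders.

$installer     = 'D:\Software\Setup.exe'   # hypothetical
$installerArgs = '/quiet'                  # hypothetical silent-install switch

function Get-TsUserMode {
    # "change user /query" prints the current mode; return the text as one line.
    (& change.exe user /query) -join ' '
}

'Before: {0}' -f (Get-TsUserMode)

# Install mode: per-user registry and .ini writes made by the setup program are
# recorded so that they can be propagated to each user who later runs it.
& change.exe user /install | Out-Null
if ($LASTEXITCODE -ne 0) { throw "change user /install failed (exit code $LASTEXITCODE)" }

try {
    $p = Start-Process -FilePath $installer -ArgumentList $installerArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) { Write-Warning "Installer returned exit code $($p.ExitCode)" }
} finally {
    # Always return to execute mode, even if the installer failed: users must not
    # run programs while the server is in install mode.
    & change.exe user /execute | Out-Null
}

'After: {0}' -f (Get-TsUserMode)
```

Check the "After" line before letting users back on; if it still reports install mode, the /execute call itself failed and should be repeated by hand.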
Additional considerations
Some programs may require minor setup modifications to run correctly on a terminal server.
If you have programs that are related to each other or have dependencies on each other, you
should install the programs on the same terminal server. For example, you should install
Microsoft® Office as a suite on the same terminal server instead of installing individual Office
programs on separate terminal servers.
You should consider installing individual programs on separate terminal servers in the
following circumstances:
The program has compatibility issues that may affect other programs.
A single program and the number of associated users may fill server capacity.
For more information about the change user command-line tool, see the Terminal Services
Command Reference (http://go.microsoft.com/fwlink/?LinkId=89674).
For more information about deploying programs on a terminal server, see the Terminal
Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?
LinkId=79608).
Configure the Remote Desktop Users Group
The Remote Desktop Users group on a terminal server is used to give users and groups
permission to remotely connect to a terminal server.
You can add users and groups to the Remote Desktop Users group by using one of the following:
Local Users and Groups snap-in
Active Directory Users and Computers snap-in, if the terminal server is installed on a domain
controller
The Remote tab in the System Properties dialog box on a terminal server
You can use the following procedure to add users and groups to the Remote Desktop Users
group by using the Remote tab in the System Properties dialog box on a terminal server.
Membership in the local Administrators group, or equivalent, on the terminal server that you
plan to configure, is the minimum required to complete this procedure. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To add users and groups to the Remote Desktop Users group by using the Remote tab
1. Start the System tool. To start the System tool, click Start, click Run, type control
system and then click OK.
2. Under Tasks, click Remote settings.
3. In the System Properties dialog box, on the Remote tab, click Select Users. Add the
users or groups that need to connect to the terminal server by using Remote Desktop.
The users and groups that you add are added to the Remote Desktop Users group.
Note
Members of the local Administrators group can connect even if they are not
listed.
If you select Don't allow connections to this computer on the Remote tab, no users
will be able to connect remotely to this computer, even if they are members of the
Remote Desktop Users group.
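The same membership change can be made from the command line, which is how it is usually done on a farm where every terminal server must end up with the same group. The following PowerShell script is an added example, not part of the Microsoft guide: it adds a domain group to the local Remote Desktop Users group with net.exe, lists the resulting membership, and then checks the setting that the note above warns about, since membership is useless while "Don't allow connections to this computer" is selected. CONTOSO\TS-Users is a placeholder, the parsing assumes English net.exe output, and the fDenyTSConnections registry value is this example's way of reading the Remote tab setting.

```powershell
# Added example, not from the Microsoft guide. Run elevated on the terminal server.
# Assumptions: CONTOSO\TS-Users is a placeholder domain group; net.exe output is in
# English (a dashed line precedes the member list and "The command completed" follows
# it); "Don't allow connections to this computer" is stored as fDenyTSConnections = 1
# under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server.

$group  = 'Remote Desktop Users'
$member = 'CONTOSO\TS-Users'   # hypothetical: grant a domain group rather than individual users

function Get-LocalGroupMembers([string]$name) {
    $inList = $false
    $members = @()
    foreach ($line in (& net.exe localgroup $name)) {
        if ($line -match '^-{5,}')                 { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim())             { $members += $line.Trim() }
    }
    $members
}

if ((Get-LocalGroupMembers $group) -contains $member) {
    "$member is already a member of $group"
} else {
    & net.exe localgroup $group $member /add
    if ($LASTEXITCODE -ne 0) {
        throw "Could not add $member (does the name resolve, and is this an elevated prompt?)"
    }
}

"Members of '$group':"
Get-LocalGroupMembers $group | ForEach-Object { "  $_" }

# Membership is necessary but not sufficient: with remote connections disabled
# nobody connects, members included. Administrators connect regardless of membership.
$deny = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
if ($deny -eq 1) {
    Write-Warning 'Remote connections are disabled on this computer; group membership has no effect until they are enabled.'
}
```

Prefer a domain group over individual accounts so that access is granted and revoked in one place; every account you add here also needs the "Allow log on through Terminal Services" right, which the Remote Desktop Users group holds by default on a member server but not on a domain controller.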
Managing Terminal Server
This section provides procedures for managing a terminal server. It includes the following topics:
Change Remote Connection Settings
Enable Single Sign-On for Terminal Services
Manage User Profiles for Terminal Services
Install Desktop Experience on a Terminal Server
Configure Font Smoothing for Remote Sessions
Monitor a Terminal Server with Windows System Resource Manager
Uninstall the Terminal Server Role Service
Deny Logon Requests to a Terminal Server
Change Remote Connection Settings
On the terminal server, on the Remote tab in the System Properties dialog box, you can change
the following remote connection settings:
Network Level Authentication requirement for Remote Desktop connections
Membership of the Remote Desktop Users group
Membership in the local Administrators group, or equivalent, on the terminal server that you
plan to configure, is the minimum required to complete this procedure. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To change remote connection settings
To change remote connection settings
1. Start the System tool. To start the System tool, click Start, click Run, type control
system and then click OK.
2. Under Tasks, click Remote settings.
3. In the System Properties dialog box, on the Remote tab, click either of the following,
depending on your environment:
Allow connections from computers running any version of Remote Desktop
(less secure)
Allow connections only from computers running Remote Desktop with Network
Level Authentication (more secure)
For more information about the two options, click the Help me choose link on the
Remote tab.
On the Remote tab, if you select Don't allow connections to this computer, no users
will be able to connect remotely to this computer, even if they are members of the
Remote Desktop Users group.
4. Click Select Users to add the users and groups that need to connect to the computer by
using Remote Desktop. The users and groups that you add are added to the Remote
Desktop Users group.
Note
Members of the local Administrators group can connect even if they are not
listed.
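The Remote tab writes its choices to the RDP-Tcp listener, and on a fleet of terminal servers you will want to audit and enforce them without opening System Properties on each box. The following is an added example, not part of the guide, that reads the same settings through the Win32_TSGeneralSetting WMI class (namespace root\cimv2\TerminalServices, present on Windows Server 2008), forces the "more secure" NLA option from step 3, and lists who can actually connect. The listener name RDP-Tcp is the default; a renamed listener is an assumption you would adjust. One caveat the dialog box hides: membership in Remote Desktop Users only helps because that group holds the Allow log on through Terminal Services user right, so a Group Policy that rewrites that right can silently override the Select Users list.

```powershell
# Added example (not from the deployment guide): audit and enforce the Remote tab
# settings from Windows PowerShell. Assumes Windows Server 2008 with the Terminal
# Server role service and the default RDP-Tcp listener.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS 1.0)
# UserAuthenticationRequired: 1 = Network Level Authentication required
"Security layer       : {0}" -f $listener.SecurityLayer
"NLA required         : {0}" -f $listener.UserAuthenticationRequired
"Min encryption level : {0}" -f $listener.MinEncryptionLevel

# Enforce the "more secure" option from step 3 (NLA) and refuse the legacy RDP
# security layer so that the server is always authenticated to the client over TLS.
if ($listener.UserAuthenticationRequired -ne 1) {
    [void]$listener.SetUserAuthenticationRequired(1)
}
if ($listener.SecurityLayer -lt 1) {
    [void]$listener.SetSecurityLayer(1)      # 1 = Negotiate
}

# The same values as persisted in the registry; handy for a read-only compliance scan.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Get-ItemProperty -Path $key | Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel

# Who can connect: the group that the Select Users dialog box populates, plus the
# local Administrators group, whose members connect without being listed (see the Note).
net localgroup "Remote Desktop Users"
net localgroup Administrators

# The master switch from the Remote tab: 1 = "Don't allow connections to this computer".
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
```

Run it once before and once after a change; the two WMI Set methods take effect for new connections without a restart, so a pre/post diff of the printed values is a sufficient check.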
Enable Single Sign-On for Terminal Services
Single sign-on (SSO) is an authentication method that allows users with a domain account to log
on once, by using a password or smart card, and then gain access to remote servers without
being asked for their credentials again.
To implement single sign-on functionality in Terminal Services, ensure that you meet the following
requirements:
You can only use single sign-on for remote connections from a computer running
Windows Vista to a terminal server running Windows Server 2008. You can also use single
sign-on for remote connections from one server running Windows Server 2008 to another
server running Windows Server 2008.
The user accounts that are used for logging on have appropriate rights to log on to both the
terminal server and the Windows Vista client computer.
Your client computer and terminal server must be joined to a domain.
To configure the recommended settings for your terminal server, complete the following steps:
Configure authentication on the terminal server.
Configure the computer running Windows Vista to allow default credentials to be used for
logging on to the specified terminal servers.
Membership in the local Administrators group, or equivalent, is the minimum required to
complete this procedure. Review details about using the appropriate accounts and group
memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?
LinkId=83477).
To configure authentication on the terminal server
1. Open Terminal Services Configuration. To open Terminal Services Configuration, click
Start, point to Administrative Tools, point to Terminal Services, and then click
Terminal Services Configuration.
2. Under Connections, right-click the appropriate connection (for example, RDP-Tcp), and
then click Properties.
3. In the Properties dialog box, on the General tab, verify that the Security Layer value is
set to either Negotiate or SSL (TLS 1.0).
4. On the Log on Settings tab, ensure that the Always prompt for password check box is
not selected, and then click OK.
To allow default credential usage for single sign-on
1. On the Windows Vista-based computer, open the Local Group Policy Editor. To open the
Local Group Policy Editor, click Start, and in the Start Search box, type gpedit.msc and
then press ENTER.
2. In the left pane, expand the following: Computer Configuration, Administrative
Templates, System, and then click Credentials Delegation.
3. Double-click Allow Delegating Default Credentials.
4. In the Properties dialog box, on the Setting tab, click Enabled, and then click Show.
5. In the Show Contents dialog box, click Add to add servers to the list.
6. In the Add Item dialog box, in the Enter the item to be added box, type the prefix
termsrv/ followed by the name of the terminal server; for example, termsrv/Server1, and
then click OK.
7. Click OK to close the Properties dialog box.
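The policy configured in steps 3 through 6 tells CredSSP on the client which servers may receive the user's logon credentials, so its value is worth auditing: a wildcard such as termsrv/* delegates the password to any server the user is pointed at, including a rogue one that spoofs the name. The following is an added example, not part of the guide, that reads the registry locations Group Policy uses for Allow Delegating Default Credentials (the CredentialsDelegation policy key, with the server list stored as numbered string values under an AllowDefaultCredentials subkey) and flags entries that are broader than one named terminal server. The key layout is the documented policy registry mapping; the exact check on the SPN format is this example's own.

```powershell
# Added example (not from the deployment guide): audit the client-side
# "Allow Delegating Default Credentials" policy from steps 3-7.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-DelegatedDefaultCredentialTargets {
    # Returns the SPNs (for example termsrv/Server1) to which default credentials
    # may be delegated, or an empty list when the policy is absent or disabled.
    if (-not (Test-Path $policy)) { return @() }
    $enabled = (Get-ItemProperty $policy -ErrorAction SilentlyContinue).AllowDefaultCredentials
    if ($enabled -ne 1) { return @() }
    $list = Join-Path $policy 'AllowDefaultCredentials'
    if (-not (Test-Path $list)) { return @() }
    $item = Get-ItemProperty $list
    # Group Policy stores list items as string values named "1", "2", ...
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

$targets = Get-DelegatedDefaultCredentialTargets
"Default credentials are delegated to:"
$targets | ForEach-Object { "  $_" }

# Flag anything that is not exactly one named terminal server. A wildcard
# (termsrv/*) or a bare host name hands the user's password to every host that
# can present that name, which defeats the point of server authentication.
foreach ($t in $targets) {
    if ($t -notmatch '^termsrv/[^*?]+$') {
        Write-Warning "Overly broad or malformed delegation target: $t"
    }
}

# SSO only succeeds against a listener whose security layer is Negotiate or
# SSL (TLS 1.0), as the server-side procedure above requires; with the legacy
# RDP security layer the client prompts for credentials instead of delegating.
```

Run this on a representative Windows Vista client after a Group Policy refresh (gpupdate /force); an empty list with SSO still "working" usually means the credentials were saved in the client rather than delegated, which is a different control.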
For more information about security and Terminal Services, see the Terminal Services page on
the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkID=73931).
Manage User Profiles for Terminal Services
A user profile describes the configuration for a specific user, including the user’s environment and
preference settings. Unless you carefully plan and manage user profiles in a terminal server
environment, user profiles can become large in size and can cause problems, such as slow logon
times, when a user connects to a terminal server. User profile management is also important
when users connect to several terminal servers or connect to terminal servers in remote
locations.
You can specify a Terminal Services-specific profile path and home folder for a user connecting to
a terminal server. This profile and home folder will only be used for Terminal Services sessions.
You should assign a separate profile for Terminal Services sessions because many of the
common options that are stored in profiles, such as screen savers and animated menu effects,
are not desirable when using Terminal Services.
You can manually configure these settings on the Terminal Services Profile tab on the
Properties sheet of a user account in the Local Users and Groups snap-in or the Active Directory
Users and Computers snap-in.
You can also use the following Group Policy settings to configure these settings:
Set TS User Home Directory
Set path for TS Roaming Profiles
Use mandatory profiles on the terminal server
These Group Policy settings are located in Computer Configuration\Administrative
Templates\Windows Components\Terminal Services\Terminal Server\Profiles, and can be
configured by using either the Local Group Policy Editor or the Group Policy Management
Console (GPMC).
For more information about implementing user profiles for users connecting to a terminal server,
see the Terminal Services page on the Windows Server 2008 TechCenter
(http://go.microsoft.com/fwlink/?LinkId=73931).
For more information about Group Policy settings for Terminal Services, see the Terminal
Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).
Install Desktop Experience on a Terminal Server
When a user uses Remote Desktop Connection to connect to a terminal server, the desktop that
exists on the terminal server is reproduced by default in the remote session. To make the remote
session look and feel more like the user's local Windows Vista desktop experience, install the
Desktop Experience feature on a terminal server running Windows Server 2008. Desktop
Experience installs applications and features of Windows Vista, such as Windows Media Player,
Windows Defender, and Windows Calendar.
Install Desktop Experience
Use the following procedure to install Desktop Experience on the server.
Membership in the local Administrators group, or equivalent, on the terminal server that you
plan to configure, is the minimum required to complete this procedure. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
Important
After installing Desktop Experience, you need to restart the computer.
To install Desktop Experience
1. Open Server Manager. Click Start, point to Administrative Tools, and then click Server
Manager.
2. Under Features Summary, click Add Features.
3. On the Select Features page, select the Desktop Experience check box, and then click
Next.
4. On the Confirm Installation Selections page, verify that the Desktop Experience
feature will be installed, and then click Install.
5. On the Installation Progress page, installation progress will be noted.
6. On the Installation Results page, you are prompted to restart the server to finish the
installation process. Click Close, and then click Yes to restart the server.
7. After the server restarts and you log on to the computer, the remaining steps of the
installation will finish. When the Installation Results page appears, confirm that the
installation of Desktop Experience succeeded.
You can also confirm that Desktop Experience is installed by following these steps:
a. Start Server Manager.
b. Under Features Summary, confirm that Desktop Experience is listed as installed.
After you install Desktop Experience, the Windows Vista applications, such as Windows
Calendar, will appear under All Programs on the Start menu.
For more information about configuring the look and feel of remote sessions, see the Terminal
Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?
linkid=73931).
Uninstall Desktop Experience
Use the following procedure to uninstall Desktop Experience from the server.
Membership in the local Administrators group, or equivalent, on the terminal server that you
plan to configure, is the minimum required to complete this procedure. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
Important
After uninstalling Desktop Experience, you need to restart the computer.
To uninstall Desktop Experience
1. Open Server Manager. Click Start, point to Administrative Tools, and then click Server
Manager.
2. Under Features Summary, click Remove Features.
3. On the Select Features page, clear the Desktop Experience check box, and then click
Next.
4. On the Confirm Removal Selections page, click Remove.
5. On the Removal Progress page, removal progress will be noted.
6. On the Removal Results page, you are prompted to restart the server to finish the
removal process. Click Close, and then click Yes to restart the server.
7. After the server restarts and you log on to the computer, the remaining steps of the
removal process will finish. When the Removal Results page appears, confirm that the
removal of Desktop Experience succeeded.
You can also confirm that Desktop Experience is removed by following these steps:
a. Start Server Manager.
b. Under Features Summary, confirm that Desktop Experience is no longer listed as
installed.
Configure Font Smoothing for Remote Sessions
Windows Server 2008 supports ClearType®, which is a technology for displaying computer fonts
so that they appear clear and smooth, especially when you are using an LCD monitor.
A terminal server running Windows Server 2008 can provide ClearType functionality in a remote
session when a client computer connects to the terminal server by using Remote Desktop
Connection.
ClearType functionality is referred to as font smoothing in Remote Desktop Connection.
Font smoothing is available if the client computer is running any of the following:
Windows Vista
Windows Server 2003 with SP1 and at least Remote Desktop Connection 6.0
Windows XP with SP2 and at least Remote Desktop Connection 6.0
Note
Using font smoothing in a remote session will increase the amount of bandwidth used
between the client computer and the terminal server.
Use the following procedure on the client computer to make font smoothing available for a remote
session.
To make font smoothing available in a remote session
1. Open Remote Desktop Connection. To open Remote Desktop Connection on
Windows Vista, click Start, point to All Programs, click Accessories, and then click
Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options.
3. On the Experience tab, select the Font smoothing check box.
4. Configure any remaining connection settings, and then click Connect.
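Remote Desktop Connection persists every Options tab choice in a .rdp file, and the Font smoothing check box becomes the line font smoothing:i:1. The following is an added example, not part of the guide, that writes such a file so a help desk can distribute a known-good connection rather than walk users through the Experience tab, and reads individual settings back for verification. The server name and output path are assumptions. Because the same file carries the client's authentication policy, the example also sets authentication level:i:2 (do not connect if the server cannot be authenticated) and enablecredsspsupport:i:1 (use NLA), which are the lines a security reviewer cares about far more than the cosmetic one.

```powershell
# Added example (not from the deployment guide): build and inspect a Remote
# Desktop Connection (.rdp) file. Server name and path are assumptions.

function New-TSConnectionFile {
    param([string]$Server, [string]$Path)
    $settings = @(
        "full address:s:$Server",
        "font smoothing:i:1",            # the Experience tab check box from step 3
        "authentication level:i:2",      # refuse to connect on server authentication failure
        "enablecredsspsupport:i:1",      # use CredSSP, i.e. Network Level Authentication
        "redirectdrives:i:0",            # do not expose the client's drives to the session
        "redirectclipboard:i:1"
    )
    # mstsc writes .rdp files as UTF-16; match it so the file round-trips cleanly.
    Set-Content -Path $Path -Value $settings -Encoding Unicode
    return $Path
}

function Get-TSConnectionSetting {
    param([string]$Path, [string]$Name)
    # Each line is "name:type:value"; return the value part or $null if absent.
    $line = Get-Content $Path | Where-Object { $_ -like "$($Name):*" }
    if (-not $line) { return $null }
    return $line.Split(':', 3)[2]
}

$rdp = New-TSConnectionFile -Server 'Server1.corp.example' -Path "$env:TEMP\Server1.rdp"
foreach ($name in 'font smoothing', 'authentication level', 'enablecredsspsupport') {
    "{0,-22} {1}" -f $name, (Get-TSConnectionSetting -Path $rdp -Name $name)
}
# Connect with the generated file:  mstsc $rdp
```

Any line the file does not contain falls back to the client's default, so a distributed file should state the security settings explicitly rather than rely on what a given Remote Desktop Connection version assumes.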
Monitor a Terminal Server with Windows System Resource Manager
Windows System Resource Manager (WSRM) on Windows Server 2008 allows you to control
how CPU and memory resources are allocated to applications, services, and processes on the
computer. Managing resources in this way improves system performance and reduces the
chance that applications, services, or processes will take CPU or memory resources away from
one another and slow down the performance of the computer. Managing resources also creates a
more consistent and predictable experience for users of applications and services that are
running on the computer.
You can use WSRM to manage multiple applications on a single computer or to manage users on
a computer on which Terminal Services is installed.
Install the Terminal Server role service on your computer before you install and configure WSRM.
To install WSRM, go to Features in Server Manager.
For more information about installing, configuring, and using WSRM, see the Windows
Server 2008 Windows System Resource Manager Help.
There are two features of WSRM that are of particular interest to terminal server administrators:
Resource-Allocation Policies
Resource Monitor
Resource-Allocation Policies
WSRM uses resource-allocation policies to determine how computer resources, such as CPU
and memory, are allocated to processes running on the computer. Two resource-allocation
policies that are specifically designed for computers running Terminal Services are:
Equal_Per_User
Equal_Per_Session
Note
The Equal_Per_Session resource-allocation policy is new for Windows Server 2008.
If you implement the Equal_Per_Session resource-allocation policy, each user session (and its
associated processes) gets an equal share of the CPU resources on the computer.
Resource Monitor
You should collect data about the performance of your terminal server before and after
implementing the Equal_Per_Session resource-allocation policy (or making any other WSRM-
related configuration changes). You can use Resource Monitor in the Windows System Resource
Manager snap-in to collect and view data about the usage of hardware resources and the activity
of system services on the computer.
Uninstall the Terminal Server Role Service
Use the following procedure to uninstall the Terminal Server role service from the server.
Membership in the local Administrators group, or equivalent, on the terminal server that you
plan to configure, is the minimum required to complete this procedure. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
Important
The removal of the Terminal Server role service from the server requires the computer to
be restarted.
To uninstall the Terminal Server role service
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. In the left pane, expand Roles.
3. Right-click Terminal Services, and then click Remove Role Services.
4. On the Select Role Services page, clear the Terminal Server check box, and then click
Next.
5. On the Confirm Removal Selections page, click Remove.
6. On the Removal Progress page, removal progress will be noted.
7. On the Removal Results page, you are prompted to restart the server to finish the
removal process. Click Close, and then click Yes to restart the server.
8. If you are prompted that other programs are still running, do either of the following:
To close the programs manually and restart the server later, click Cancel.
To automatically close the programs and restart the server, click Restart now.
9. After the server restarts and you log on to the computer, the remaining steps of the
removal process will finish. When the Removal Results page appears, confirm that the
removal of Terminal Server succeeded.
You can also confirm that Terminal Server is removed by following these steps:
a. Start Server Manager.
b. Under Roles Summary, click Terminal Services.
c. Under Role Services, confirm that Terminal Server has a status of Not Installed.
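The Server Manager wizards in the Desktop Experience procedures above and in this one drive the same component store that ServerManagerCmd.exe exposes on Windows Server 2008, so installs, removals and, more importantly, the verification steps can be scripted. The following is an added example, not part of the guide, that checks the installed state of the Desktop Experience feature and the Terminal Server role service and shows the removal commands; the component identifiers Desktop-Experience and TS-Terminal-Server and the [X] marker format of the -query output are assumptions about that tool's conventions. From a hardening standpoint the point is the verification: Desktop Experience puts Windows Media Player, Windows Calendar and similar applications in front of every session user, so a terminal server that does not need them should report Not Installed.

```powershell
# Added example (not from the deployment guide): script and verify the feature and
# role-service changes that the Server Manager wizards above perform.
# Assumed component identifiers: Desktop-Experience, TS-Terminal-Server.

function Get-ComponentState {
    param([string]$Id)
    # ServerManagerCmd -query prints one line per component; installed ones are
    # marked "[X]" and the identifier appears in square brackets at the end.
    $line = servermanagercmd -query | Where-Object { $_ -match "\[$Id\]\s*$" }
    if (-not $line) { return 'Unknown' }
    if ($line -match '^\s*\[X\]') { return 'Installed' }
    return 'Not Installed'
}

"Before:"
foreach ($id in 'Desktop-Experience', 'TS-Terminal-Server') {
    "  {0,-20} {1}" -f $id, (Get-ComponentState $id)
}

# Remove Desktop Experience from a terminal server that does not need it.
# -restart reboots only if the removal requires it (this one does, see Important).
# servermanagercmd -remove Desktop-Experience -restart

# Remove the Terminal Server role service itself (the procedure above).
# servermanagercmd -remove TS-Terminal-Server -restart

# After the restart, both should report Not Installed:
"After:"
foreach ($id in 'Desktop-Experience', 'TS-Terminal-Server') {
    "  {0,-20} {1}" -f $id, (Get-ComponentState $id)
}
```

Use -whatIf with -remove on a production server first; it lists dependent components that would be removed along with the one you named.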
Deny Logon Requests to a Terminal Server
In Windows Server 2008, you can configure a terminal server to deny logon requests from new
users. With the ability to deny logon requests from new users to specific servers in a farm, you
can maintain your terminal server environment without disrupting end-user service. If you
configure a terminal server to deny new logon requests, the following behavior occurs:
Users with existing sessions can still reconnect to the server. Only new logon requests to that
server are denied. However, an administrator can still log on to the server locally to perform
maintenance on the server.
An administrator can also connect remotely by starting the RDC client from the
command line with the /admin option (mstsc /admin).
If you are using TS Session Broker Load Balancing, TS Session Broker will redirect new
users to other servers in the farm, where new user logon requests are enabled.
Before you take a server down for maintenance, you can notify users with existing sessions to log
off from the server by using Terminal Services Manager to send a message.
To deny new user logon requests
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click
Terminal Services Configuration.
2. In the Edit settings area, double-click User logon mode under General.
3. On the General tab, click either of the following:
Allow reconnections, but prevent new logons
Allow reconnections, but prevent new logons until the server is restarted
4. Click OK.
Note
When you are finished doing maintenance, ensure that Allow all connections is
selected.
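Maintenance windows are usually scripted, and the User logon mode setting has a command-line equivalent in the built-in Terminal Services commands (change logon, query session, msg). The following is an added example, not part of the guide, that puts the server into the same drain state as the dialog box, warns the users with existing sessions, waits until they have logged off, and then reminds the operator to restore Allow all connections. The message text, the warning time and the polling interval are assumptions.

```powershell
# Added example (not from the deployment guide): drain a terminal server before
# maintenance using the built-in Terminal Services command-line tools.

# 1. Stop new logons but keep reconnects working. This matches "Allow reconnections,
#    but prevent new logons"; use "change logon /drainuntilrestart" for the second option.
change logon /drain

# 2. Confirm the mode took effect before relying on it.
change logon /query

# 3. Warn everyone who is still logged on, then list the sessions that have to drain.
msg * /TIME:300 "This server will be restarted for maintenance in 15 minutes. Please save your work and log off."
query session

function Get-ActiveUserSessionCount {
    # Count rows of 'query session' that show a user in the Active state, skipping
    # the header, the console session and listener rows (which have no user name).
    $rows = query session
    $active = $rows | Where-Object {
        $_ -match '^\s*>?(\S+)\s+(\S+)\s+(\d+)\s+Active' -and $matches[1] -ne 'console'
    }
    return @($active).Count
}

# 4. Poll until the user sessions are gone. An administrator can still connect
#    during this time with "mstsc /admin" to do the actual maintenance.
while ((Get-ActiveUserSessionCount) -gt 0) {
    "{0} active user session(s) remaining" -f (Get-ActiveUserSessionCount)
    Start-Sleep -Seconds 60
}

# 5. When maintenance is done, restore Allow all connections (the Note above).
#    With /drain this is required; with /drainuntilrestart the restart does it.
# change logon /enable
```

Note that "change logon /disable" is a different setting: it also blocks reconnections, which is the "Don't allow connections" behaviour rather than drain mode.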
Deploying TS Licensing
The Terminal Services Licensing (TS Licensing) role service is part of the core Terminal Services
environment. You use TS Licensing to install, issue, and track Terminal Services client access
licenses (TS CALs) for your deployment.
To install TS Licensing and configure a license server, see the following topics:
Installation Prerequisites for TS Licensing
Checklist: Deploying TS Licensing
Installing TS Licensing
Connecting to a Terminal Services License Server
Activating a Terminal Services License Server
Installing Terminal Services Client Access Licenses
Configuring License Settings on a Terminal Server
Tracking the Issuance of Terminal Services Per User Client Access Licenses
Troubleshooting TS Licensing Installation
Installation Prerequisites for TS Licensing
TS Licensing manages the Terminal Services client access licenses (TS CALs) that are required
for each device or user to connect to a terminal server. You use TS Licensing to install, issue, and
track the availability of TS CALs on a Terminal Services license server.
This checklist provides tasks that an administrator should perform before installing and
configuring TS Licensing.
Task: Determine if a Terminal Services license server is needed.
Reference: Remote Desktop supports two concurrent connections to remotely administer a
computer. You do not need a license server for these connections.
Task: Verify that the license server supports the operating system of the terminal servers.
Reference: TS Licensing in Windows Server 2008 supports terminal servers that run
Windows Server 2008, Windows Server 2003 R2, Windows Server 2003, and Windows 2000.
A terminal server running Windows Server 2008 can only communicate with a license server
running Windows Server 2008.
Task: Determine which type of TS CALs to use.
Reference: Terminal Services Client Access Licenses (TS CALs)
Task: Purchase the appropriate type and number of TS CALs.
Reference: Purchase Client Access Licenses (http://go.microsoft.com/fwlink/?LinkID=81077)
Task: Determine the method of the Terminal Services license server discovery.
Reference: Terminal Services License Server Discovery
Terminal Services Client Access Licenses (TS CALs)
There are two types of Terminal Services client access licenses (TS CALs):
TS Per Device CALs
TS Per User CALs
Important
The Terminal Services licensing mode configured on a terminal server must match the
type of TS CALs that are available on the license server. For more information, see
Configuring License Settings on a Terminal Server.
When Per Device licensing mode is used, and a client computer or device connects to a terminal
server for the first time, the client computer or device is issued a temporary license by default.
When a client computer or device connects to a terminal server for the second time, if the license
server is activated and enough TS Per Device CALs are available, the license server issues the
client computer or device a permanent TS Per Device CAL.
A TS Per User CAL gives one user the right to access a terminal server from an unlimited number
of client computers or devices. TS Per User CALs are not enforced by TS Licensing. As a result,
client connections can occur regardless of the number of TS Per User CALs that are installed on
the license server. This does not absolve administrators from the Microsoft Software License
Terms requirements to have a valid TS Per User CAL for each user. Failure to have a TS Per
User CAL for each user, if Per User licensing mode is being used, is a violation of the license
terms.
To ensure that you are in compliance with the license terms, make sure that you track the number
of TS Per User CALs that are being used in your organization, and ensure that you have a
sufficient number of TS Per User CALs installed on the license server to provide a TS Per User
CAL for each user that needs to connect to the terminal server.
In Windows Server 2008, you can use the TS Licensing Manager tool to track and generate
reports on the issuance of TS Per User CALs. For more information, see Tracking the Issuance of
Terminal Services Per User Client Access Licenses.
Terminal Services License Server Discovery
When you install the TS Licensing role service, you need to specify a discovery scope, which
determines how the Terminal Services license server will be automatically discoverable by
terminal servers.
The three discovery scopes are:
Workgroup
Domain
Forest
The recommended discovery scope for a license server is Forest.
Note
In Windows Server 2003, "forest discovery scope" was known as "enterprise scope."
Workgroup discovery scope is only available when the computer on which you are installing the
TS Licensing role service is not a member of a domain. If you configure workgroup discovery
scope, terminal servers, without additional configuration, can automatically discover a license
server in the same workgroup.
Domain discovery scope and forest discovery scope are only available when the computer on
which you are installing the TS Licensing role service is a member of a domain.
Note
If the license server is a member of a workgroup, and then you join the license server to
an Active Directory domain, the discovery scope for the license server is automatically
changed from Workgroup to Domain.
If you configure domain discovery scope, terminal servers, without additional configuration, can
automatically discover a license server in the same domain only if the license server is installed
on a domain controller. You can install the TS Licensing role service on a non-domain controller,
but the license server will not be automatically discoverable by terminal servers in the domain. To
configure domain discovery scope, you must be logged on as a domain administrator to the
domain in which the license server is a member.
If you configure forest discovery scope, terminal servers, without additional configuration, can
automatically discover a license server in the same forest, because the license server is
published in Active Directory Domain Services. To configure forest discovery scope, you must be
logged on as an enterprise administrator to the forest in which the license server is a member.
Important
To issue TS Per User CALs to users in other domains, the license server must be a
member of the Terminal Server License Servers group in those domains, regardless of
whether the discovery scope for the license server is Domain or Forest.
In the license server discovery process, a terminal server in a Windows Server-based domain
attempts to contact a license server in the following order:
License servers that are specified in the Terminal Services Configuration tool or by using
Group Policy
A license server that is installed on the same computer as the terminal server
License servers that are published in Active Directory Domain Services
License servers that are installed on domain controllers in the same domain as the terminal
server
Important
To see which license servers the terminal server discovers and to be alerted to possible
licensing discovery and configuration issues, use Licensing Diagnosis in Terminal
Services Configuration. For more information, see Troubleshooting TS Licensing
Installation.
You can change the discovery scope of the license server by using Review Configuration in the
TS Licensing Manager tool. For more information, see Troubleshooting TS Licensing Installation.
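Licensing Diagnosis shows the outcome of the discovery order above, but when a terminal server is picking up an unexpected license server it helps to enumerate each source yourself. The following is an added example, not part of the guide, that walks the four sources in the order listed and prints every candidate it finds, then reports the terminal server's own licensing mode so it can be compared with the CAL type installed on the license server (the Important note in the TS CALs section). Assumed locations: the Group Policy values LicenseServers and LicensingMode under the Terminal Services policy key; the per-server subkeys that Terminal Services Configuration writes under TermService\Parameters\LicenseServers; the TermServLicensing service for a local license server; the TS-Enterprise-License-Server object in each site of the Configuration partition (its siteServer attribute lists the published servers); and the LicensingType values 2 (Per Device), 4 (Per User) and 5 (not yet configured) on Win32_TerminalServiceSetting.

```powershell
# Added example (not from the deployment guide): enumerate the license servers a
# Windows Server 2008 terminal server could discover, in the order it tries them.

function Get-TSLicenseServerCandidates {
    $found = @()

    # 1. Servers specified in Terminal Services Configuration or by Group Policy.
    $gp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (Test-Path $gp) {
        $v = (Get-ItemProperty $gp -ErrorAction SilentlyContinue).LicenseServers
        if ($v) {
            foreach ($s in $v.Split(',;'.ToCharArray())) {
                if ($s.Trim()) { $found += "{0,-12} {1}" -f 'GroupPolicy', $s.Trim() }
            }
        }
    }
    $tsc = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers'
    if (Test-Path $tsc) {
        foreach ($k in (Get-ChildItem $tsc)) { $found += "{0,-12} {1}" -f 'TSConfig', $k.PSChildName }
    }

    # 2. A license server installed on this computer.
    if (Get-Service -Name TermServLicensing -ErrorAction SilentlyContinue) {
        $found += "{0,-12} {1}" -f 'Local', $env:COMPUTERNAME
    }

    # 3. License servers published in AD DS (forest discovery scope).
    try {
        $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
        $ds = New-Object System.DirectoryServices.DirectorySearcher
        $ds.SearchRoot = [ADSI]"LDAP://CN=Sites,$cfg"
        $ds.Filter = '(cn=TS-Enterprise-License-Server)'
        foreach ($r in $ds.FindAll()) {
            foreach ($dn in $r.Properties['siteserver']) { $found += "{0,-12} {1}" -f 'ADDS', $dn }
        }
    } catch { Write-Warning "AD DS lookup failed: $_" }

    # 4. Domain controllers in this domain (domain discovery scope; a license
    #    server installed on a DC is found without further configuration).
    try {
        $ds = New-Object System.DirectoryServices.DirectorySearcher
        $ds.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
        foreach ($r in $ds.FindAll()) { $found += "{0,-12} {1}" -f 'DC', $r.Properties['dnshostname'][0] }
    } catch { Write-Warning "Domain controller lookup failed: $_" }

    return $found
}

"Discovery candidates, in the order the terminal server tries them:"
Get-TSLicenseServerCandidates

# Licensing mode on this terminal server; it must match the CAL type on the license
# server. Assumed LicensingType values: 2 = Per Device, 4 = Per User, 5 = Not configured.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TerminalServiceSetting
"LicensingType : {0}" -f $ts.LicensingType
```

A candidate appearing under ADDS or DC that you did not deploy is worth investigating: a terminal server will happily take temporary or Per User licenses from it, and only the Licensing Diagnosis tool or this kind of enumeration makes that visible.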
Checklist: Deploying TS Licensing
TS Licensing manages the Terminal Services client access licenses (TS CALs) that are required
for each device or user to connect to a terminal server. You use TS Licensing to install, issue, and
track the availability of TS CALs on a Terminal Services license server.
This checklist provides the tasks that an administrator needs to complete to install and configure
TS Licensing.
Task: Review prerequisites for installing TS Licensing.
Reference: Installation Prerequisites for TS Licensing
Task: Install the TS Licensing role service.
Reference: Installing TS Licensing
Task: Activate the Terminal Services license server.
Reference: Activating a Terminal Services License Server
Task: Install Terminal Services client access licenses (TS CALs) on the Terminal Services
license server.
Reference: Installing Terminal Services Client Access Licenses
Task: Configure the terminal server to support TS Licensing.
Reference: Configuring License Settings on a Terminal Server
For more information, see TS Licensing Configuration Guidelines in the TS Licensing Manager
Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?
LinkId=107352).
Installing TS Licensing
Use the following procedure to install the TS Licensing role service by using Server Manager.
Note
The installation of the TS Licensing role service does not require the computer to be
restarted.
Installation prerequisites
1. Before you install the TS Licensing role service, join your computer to Active Directory
Domain Services (AD DS). If you want your license server to be available to terminal servers
within a domain, you can join it to that domain. If you want your license server to be available
across domains, you must join your computer to the top node in the forest.
2. Before you install your license server, arrange for the credentials that are required to
configure license server discovery scope:
For the license server to be accessible to terminal servers within the domain, you need to
have domain administrator permissions.
For the license server to be accessible to terminal servers within the forest, you need to
have enterprise administrator permissions.
Note
If you install the TS Licensing role service without the appropriate credentials, an error
appears that describes the level of access necessary to complete the installation.
Install the TS Licensing role service
Following are the recommended configurations for a new TS Licensing deployment. If you are
configuring a license server for an existing deployment, your choices may be different. Verify that
the settings are correct before you install the new license server.
To install the TS Licensing role service
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. In the left pane, right-click Roles, and then click Add Roles.
3. In the Add Roles Wizard, on the Before You Begin page, click Next.
4. On the Select Server Roles page, under Roles, select the Terminal Services check
box, and then click Next.
Note
If Terminal Services is already installed on the server, the Terminal Services
check box will be selected and dimmed.
5. On the Terminal Services page, click Next.
6. On the Select Role Services page, select the TS Licensing check box.
7. On the Configure Discovery Scope for TS Licensing page, select This Domain or
This Forest, verify that the location of the TS Licensing database is correct, and then
click Next.
Note
If your account does not have sufficient permissions for the selected discovery
scope, you will see an alert at the bottom of the page describing the level
needed. If you continue, the TS Licensing role service will install. You can
configure discovery scope by using Review Configuration in the TS Licensing
Manager tool.
8. On the Confirm Installation Selections page, verify that the TS Licensing role service
will be installed, and then click Install.
On the Installation Progress page, installation progress will be noted.
9. On the Installation Results page, confirm that the installation succeeded, and then click
Close.
To install the TS Licensing role service (when Terminal Services is already installed)
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. In the left pane, expand Roles.
3. Right-click Terminal Services, and then click Add Role Services.
4. On the Select Role Services page, select the TS Licensing check box, and then click
Next.
5. On the Configure Discovery Scope for TS Licensing page, select This Domain or
This Forest, verify that the location of the TS Licensing database is correct, and then
click Next.
Note
If your account does not have sufficient permissions for the selected discovery
scope, you will see an alert at the bottom of the page describing the level
needed. If you continue, the TS Licensing role service will install. You can
configure discovery scope by using Review Configuration in the TS Licensing
Manager tool.
6. On the Confirm Installation Selections page, verify that the TS Licensing role service
will be installed, and then click Install.
On the Installation Progress page, installation progress will be noted.
7. On the Installation Results page, confirm that installation for the TS Licensing role
service succeeded, and then click Close.
Connecting to a Terminal Services License Server
After installing TS Licensing, you can use the TS Licensing Manager tool to connect to and
manage Terminal Services license servers.
If you want to use TS Licensing Manager from another computer running Windows Server 2008,
see Installing TS Licensing Manager.
Membership in the local Administrators group, or equivalent, is the minimum required to
complete this procedure.
To connect to a Terminal Services license server
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS
Licensing Manager.
2. On the Action menu, click Connect.
3. In the Server box, type the name of the license server to which you want to connect, and
then click Connect.
When TS Licensing Manager opens, it tries to find all the license servers in the workgroup or
domain that are automatically discoverable and to which the user has the appropriate
administrative permissions.
Install TS Licensing Manager
The TS Licensing Manager tool in Windows Server 2008 is automatically installed on any
computer on which the TS Licensing role service is installed. If you want to manage your license
servers from a remote computer running Windows Server 2008, you can install TS Licensing
Manager on that computer by using the following procedure.
Membership in the local Administrators group, or equivalent, on the computer that you plan to
configure, is the minimum required to complete this procedure.
To install TS Licensing Manager by using Server Manager
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. In the left pane, right-click Features, and then click Add Features.
3. On the Select Features page, expand Remote Server Administration Tools, expand
Role Administration Tools, and then expand Terminal Services Tools.
4. Select the TS Licensing Tools check box, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. On the Installation Progress page, installation progress will be noted.
7. On the Installation Results page, confirm that installation of TS Licensing Manager
succeeded, and then click Close.
8. To run TS Licensing Manager, click Start, point to Administrative Tools, point to
Terminal Services, and then click TS Licensing Manager.
Activating a Terminal Services License Server
A Terminal Services license server must be activated to certify the server and to allow the license
server to issue Terminal Services client access licenses (TS CALs). You can activate a license
server by using the Activate Server Wizard in the TS Licensing Manager tool.
Use one of the following methods to activate your license server:
Activate a Terminal Services License Server Automatically This method requires Internet
connectivity from the computer running TS Licensing Manager. Internet connectivity is not
required from the license server itself. This method uses TCP/IP (TCP port 443) to connect
directly to the Microsoft Clearinghouse.
Activate a Terminal Services License Server by Using a Web Browser You can use the Web
method when the computer running TS Licensing Manager does not have Internet
connectivity, but you have access to the Web by means of a Web browser from another
computer. The URL for the Web method is displayed in the Activate Server Wizard.
Activate a Terminal Services License Server by Using the Telephone The telephone method
allows you to talk to a Microsoft customer service representative to complete the activation
process. The appropriate telephone number is determined by the country/region that you
choose in the Activate Server Wizard and is displayed by the wizard.
When you activate the license server, Microsoft provides the server with a limited-use digital
certificate that validates server ownership and identity. Microsoft uses an X.509 industry standard
certificate for this purpose. By using this certificate, a license server can make subsequent
transactions with Microsoft.
If a license server is not activated, the license server can only issue temporary TS Per Device
CALs that are valid for 90 days, or TS Per User CALs.
Activate a Terminal Services License Server Automatically
The automatic activation method requires Internet connectivity from the computer running the
TS Licensing Manager tool. Internet connectivity is not required from the license server itself. This
method uses TCP/IP (TCP port 443) to connect directly to the Microsoft Clearinghouse.
Membership in the local Administrators group, or equivalent, on the license server, is the
minimum required to complete this procedure.
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS
Licensing Manager.
2. Right-click the license server that you want to activate, and then click Activate Server.
The Activate Server Wizard starts.
3. Click Next.
4. On the Connection Method page, in the Connection method list, select Automatic
connection (recommended), and then click Next.
5. On the Company Information page, type your name, company, and country/region
information, and then click Next.
6. Specify any other information that you want, such as e-mail and company address. This
information is optional.
7. Click Next. Your license server is activated.
8. On the Completing the Activate Server Wizard page, do one of the following:
To install Terminal Services client access licenses (TS CALs) onto your license
server, ensure that the Start Install Licenses Wizard now check box is selected,
click Next, and then follow the instructions.
To install TS CALs later, clear the Start Install Licenses Wizard now check box,
and then click Finish.
Activate a Terminal Services License Server by Using a Web Browser
The Web activation method can be used when the computer running the TS Licensing Manager
tool does not have Internet connectivity, but you have access to the Web by means of a Web
browser from another computer. The URL for the Web method is displayed in the Activate Server
Wizard.
Membership in the local Administrators group, or equivalent, on the license server, is the
minimum required to complete this procedure.
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS
Licensing Manager.
2. Right-click the license server that you want to activate, and then click Activate Server.
The Activate Server Wizard starts.
3. Click Next.
4. On the Connection Method page, in the Connection method list, select Web Browser,
and then click Next.
5. On the License Server Activation page, click the hyperlink to connect to the Terminal
Server Licensing Web site.
If you are running TS Licensing Manager on a computer that does not have Internet
connectivity, note the address for the Terminal Server Licensing Web site, and then
connect to the Web site from a computer that has Internet connectivity.
6. Under Select Option, click Activate a license server, and then click Next.
7. In the Product ID boxes, type your Product ID. Your Product ID is displayed on the
License Server Activation page of the Activate Server Wizard. You must also complete
the name, company, and country/region fields. Specify any other information that you
want to provide, such as e-mail and company address, and then click Next.
8. Confirm your entries, and then click Next. Your license server ID is displayed. Write down
the license server ID or print the Web page.
9. On the License Server Activation page of the Activate Server Wizard, type the license
server ID that you received in the previous step, and then click Next. Your license server
is activated.
10. On the Completing the Activate Server Wizard page, do one of the following:
To install Terminal Services client access licenses (TS CALs) onto your license
server, ensure that the Start Install Licenses Wizard now check box is selected,
click Next, and then follow the instructions.
To install TS CALs later, clear the Start Install Licenses Wizard now check box,
and then click Finish.
Activate a Terminal Services License Server by Using the Telephone
The telephone activation method allows you to talk to a Microsoft customer service representative
to complete the activation process. The appropriate telephone number is determined by the
country/region that you choose in the Activate Server Wizard and is displayed by the wizard.
Membership in the local Administrators group, or equivalent, on the license server, is the
minimum required to complete this procedure.
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS
Licensing Manager.
2. Right-click the license server that you want to activate, and then click Activate Server.
The Activate Server Wizard starts.
3. Click Next.
4. On the Connection Method page, in the Connection method list, select Telephone,
and then click Next.
5. On the Country or Region Selection page, click your country/region, and then click
Next to display the appropriate telephone number to call.
6. Call Microsoft by using the telephone number that is displayed on the License Server
Activation page, and then provide the Microsoft customer support representative with
the Product ID that is displayed on your screen. The representative will also ask you to
provide your name and the name of your company. The representative processes your
request to activate the license server, and creates a unique ID for your license server.
7. On the License Server Activation page, type the license server ID that the
representative provides, and then click Next. Your license server is activated.
8. On the Completing the Terminal Server License Server Activation Wizard page, do
one of the following:
To install Terminal Services client access licenses (TS CALs) onto your license
server, ensure that the Start Install Licenses Wizard now check box is selected,
click Next, and then follow the instructions.
To install TS CALs later, clear the Start Install Licenses Wizard now check box,
and then click Finish.
Installing Terminal Services Client Access Licenses
Using the Install Licenses Wizard in the TS Licensing Manager tool, you can use one of three
methods to install Terminal Services client access licenses (TS CALs) onto your license server:
Install Terminal Services Client Access Licenses Automatically This method requires Internet
connectivity from the computer running TS Licensing Manager. Internet connectivity is not
required from the license server itself. This method uses TCP/IP (TCP port 443) to connect
directly to the Microsoft Clearinghouse.
Install Terminal Services Client Access Licenses by Using a Web Browser You can use the
Web method when the computer running TS Licensing Manager does not have Internet
connectivity, but you have access to the Web by means of a Web browser from another
computer. The URL for the Web installation method is displayed in the Install Licenses
Wizard.
Install Terminal Services Client Access Licenses by Using the Telephone The telephone
method allows you to talk to a Microsoft customer service representative to complete the
installation process. The appropriate telephone number is determined by the country/region
that you chose in the Activate Server Wizard and is displayed by the wizard.
Before you install TS CALs onto your license server, note the following:
You must activate your Terminal Services license server before you can install TS CALs onto
your license server. For more information, see Activating a Terminal Services License Server.
You need a license code to install TS CALs onto your license server. A license code is
provided when you purchase your TS CALs. For more information, see Purchase Client
Access Licenses (http://go.microsoft.com/fwlink/?LinkID=81077).
Install Terminal Services Client Access Licenses Automatically
The automatic installation method requires Internet connectivity from the computer running
TS Licensing Manager to complete the Terminal Services client access license (TS CAL)
installation process. Internet connectivity is not required from the license server itself. This
method uses TCP/IP (TCP port 443) to connect directly to the Microsoft Clearinghouse.
Membership in the local Administrators group, or equivalent, on the license server, is the
minimum required to complete this procedure.
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS
Licensing Manager.
2. Verify that the connection method for the Terminal Services license server is set to
Automatic connection (recommended) by right-clicking the license server on which
you want to install TS CALs, and then clicking Properties. On the Connection Method
tab, change the connection method if necessary, and then click OK.
3. In the console tree, right-click the Terminal Services license server on which you want to
install the TS CALs, click Install Licenses to open the Install Licenses Wizard, and then
click Next.
4. On the License Program page, select the appropriate program through which you
purchased your TS CALs, and then click Next.
5. The License Program that you selected on the previous page in the wizard will
determine what information you will need to provide on this page. In most cases, you will
have to provide either a license code or an agreement number. Consult the
documentation provided when you purchased your TS CALs.
6. After you have entered the required information, click Next.
7. On the Product Version and License Type page, select the appropriate product version,
license type, and quantity of TS CALs for your environment based on your TS CAL
purchase agreement, and then click Next.
8. The Microsoft Clearinghouse is automatically contacted and processes your request. The
TS CALs are then automatically installed onto the license server.
9. On the Completing the Install Licenses Wizard page, click Finish. The Terminal
Services license server can now issue TS CALs to clients that connect to a terminal
server.
Install Terminal Services Client Access Licenses by Using a Web Browser
The Web method can be used to complete the Terminal Services client access license (TS CAL)
installation process when the computer running the TS Licensing Manager tool does not have
Internet connectivity, but you have access to the Web by means of a Web browser from another
computer. The URL for the Web installation method is displayed in the Install Licenses Wizard.
Membership in the local Administrators group, or equivalent, on the license server, is the
minimum required to complete this procedure.
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS
Licensing Manager.
2. Verify that the connection method for the Terminal Services license server is set to Web
Browser by right-clicking the license server on which you want to install TS CALs, and
then clicking Properties. On the Connection Method tab, change the connection
method if necessary, and then click OK.
3. In the console tree, right-click the Terminal Services license server on which you want to
install the TS CALs, click Install Licenses to open the Install Licenses Wizard, and then
click Next.
4. On the Obtain Client License Key Pack page, click the hyperlink to connect to the
Terminal Server Licensing Web site.
If you are running TS Licensing Manager on a computer that does not have Internet
connectivity, note the address for the Terminal Server Licensing Web site, and then
connect to the Web site from a computer that has Internet connectivity.
5. On the Windows Terminal Services Web page, under Select Option, click Install Client
Access License tokens, and then click Next.
6. Provide the following required information:
License Server ID A 35-digit number, in groups of 5 numerals, which is displayed
on the Obtain Client License Key Pack page in the Install Licenses Wizard.
License Program Select the appropriate program through which you purchased
your TS CALs.
Last name or surname
First name or given name
Company name
Country/region
You can also provide the optional information requested, such as company address, e-
mail address, and phone number. In the organizational unit field, you can describe the
unit within your organization that this license server will serve.
7. Click Next.
8. The License Program that you selected on the previous page will determine what
information you will need to provide on this page. In most cases, you will have to provide
either a license code or an agreement number. Consult the documentation provided
when you purchased your TS CALs. In addition, you will need to specify which type of
TS CAL (for example, Windows Server 2008 TS Per Device CAL) and the quantity that
you want to install on the license server.
9. After you have entered the required information, click Next.
10. Verify that all of the information that you have entered is correct. To submit your request
to the Microsoft Clearinghouse, click Next. The Web page then displays a license key
pack ID generated by the Microsoft Clearinghouse.
Important
Retain a copy of the license key pack ID. Having this information with you will
facilitate communications with the Microsoft Clearinghouse should you need
assistance with recovering TS CALs.
11. In the Install Licenses Wizard, on the Obtain Client License Key Pack page, enter the
license key pack ID that you received in the previous step in the boxes provided, and
then click Next. The TS CALs are installed on your Terminal Services license server.
12. On the Completing the Install Licenses Wizard page, click Finish. The Terminal
Services license server can now issue TS CALs to clients that connect to a terminal
server.
Install Terminal Services Client Access Licenses by Using the Telephone
The telephone installation method allows you to talk to a Microsoft customer service
representative to complete the Terminal Services client access license (TS CAL) installation
process. The appropriate telephone number is displayed in the Install Licenses Wizard and is
determined by the country/region that you have specified.
Membership in the local Administrators group, or equivalent, on the license server, is the
minimum required to complete this procedure.
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS
Licensing Manager.
2. Verify that the connection method for the Terminal Services license server is set to
Telephone by right-clicking the license server on which you want to install TS CALs, and
then clicking Properties. On the Connection Method tab, change the connection
method if necessary. On the Required Information tab, change the country/region if
necessary, and then click OK.
3. In the console tree, right-click the Terminal Services license server on which you want to
install the TS CALs, click Install Licenses to open the Install Licenses Wizard, and then
click Next.
4. On the Obtain client license key pack page, use the telephone number that is
displayed to call the Microsoft Clearinghouse, and give the representative your Terminal
Services license server ID and the required information for the licensing program through
which you purchased your TS CALs. The representative then processes your request to
install TS CALs, and gives you a unique ID for the TS CALs. This unique ID is referred to
as the license key pack ID.
Important
Retain a copy of the license key pack ID. Having this information with you will
facilitate communications with the Microsoft Clearinghouse should you need
assistance with recovering TS CALs.
5. In the Install Licenses Wizard, on the Obtain client license key pack page, enter the
license key pack ID provided by the representative into the boxes provided, and then
click Next. The TS CALs are installed on your Terminal Services license server.
6. On the Completing the Install Licenses Wizard page, click Finish. The Terminal
Services license server can now issue TS CALs to clients that connect to a terminal
server.
Configuring License Settings on a Terminal Server
After you install and configure the Terminal Services license server, you need to configure your
terminal server by doing the following:
Specify the Terminal Services licensing mode
Specify the license server discovery mode
Specify the Terminal Services licensing mode
The Terminal Services licensing mode determines the type of Terminal Services client access
licenses (TS CALs) that a terminal server requests from a license server on behalf of a client
computer that is connecting to the terminal server.
Important
The Terminal Services licensing mode that is configured on a terminal server must match
the type of TS CALs that are available on the license server.
For more information about TS CALs, see Terminal Services Client Access Licenses (TS CALs).
The Terminal Services licensing mode for the terminal server can be set in the following ways:
During the installation of the Terminal Server role service in Server Manager, on the Specify
Licensing Mode page in the Add Roles Wizard.
On the Specify Licensing Mode page, you can select Configure later if you are unsure
during the installation whether to select Per Device or Per User. If you select Configure
later, each time you log on as an administrator to the terminal server, a message will appear
in the lower-right corner of the desktop reminding you that you need to configure the licensing
mode for the terminal server.
By configuring the Terminal Services licensing mode for the terminal server by using the
Terminal Services Configuration tool.
If the Specify the Terminal Services licensing mode choices are dimmed and you cannot
make a selection, the Set Terminal Services licensing mode Group Policy setting has been
enabled and has been applied to the terminal server.
By applying the Set Terminal Services licensing mode Group Policy setting.
This Group Policy setting is located in Computer Configuration\Administrative Templates\
Windows Components\Terminal Services\Terminal Server\Licensing and can be
configured by using either the Local Group Policy Editor or the Group Policy Management
Console (GPMC). Note that the Group Policy setting takes precedence over the setting that is
configured in Terminal Services Configuration.
For more information about Group Policy settings for Terminal Services, see the Terminal
Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).
Use the following procedure to specify the Terminal Services licensing mode on a terminal server
by using Terminal Services Configuration.
Membership in the local Administrators group, or equivalent, on the computer that you plan to
configure, is the minimum required to complete this procedure.
1. On the terminal server, open Terminal Services Configuration. To open Terminal Services
Configuration, click Start, point to Administrative Tools, point to Terminal Services,
and then click Terminal Services Configuration.
2. Under Licensing, double-click Terminal Services licensing mode.
3. Select either Per Device or Per User, depending on which is appropriate for your
environment, and then click OK.
Specify the license server discovery mode
A terminal server must be able to contact (discover) a Terminal Services license server to request
Terminal Services client access licenses (TS CALs) for users or computing devices that are
connecting to the terminal server.
The license server discovery mode for the terminal server can be set in the following ways:
By configuring License Server discovery mode for the terminal server in the Terminal
Services Configuration tool.
If the Specify the license server discovery mode choices are dimmed and you cannot
make a selection, the Use the specified Terminal Services license servers Group Policy
setting has been enabled and has been applied to the terminal server.
By applying the Use the specified Terminal Services license servers Group Policy setting.
This Group Policy setting is located in Computer Configuration\Administrative Templates\
Windows Components\Terminal Services\Terminal Server\Licensing and can be
configured by using either the Local Group Policy Editor or the Group Policy Management
Console (GPMC). Note that the Group Policy setting takes precedence over the setting that is
configured in Terminal Services Configuration.
For more information about the license server discovery process, see Terminal Services License
Server Discovery.
Important
To see which license servers the terminal server discovers, and to be alerted to possible
licensing discovery and configuration issues, use Licensing Diagnosis in Terminal
Services Configuration. For more information about Licensing Diagnosis, see
Troubleshooting TS Licensing Installation.
For more information about Group Policy settings for Terminal Services, see the Terminal
Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).
Use the following procedure to specify the license server discovery mode on a terminal server by
using Terminal Services Configuration.
Membership in the local Administrators group, or equivalent, on the computer that you plan to
configure, is the minimum required to complete this procedure.
1. On the terminal server, open Terminal Services Configuration. To open Terminal Services
Configuration, click Start, point to Administrative Tools, point to Terminal Services,
and then click Terminal Services Configuration.
2. Under Licensing, double-click License server discovery mode.
3. Select either of the following, depending on which is appropriate for your environment:
Automatically discover a license server
Use the specified license servers
For more information about the license server discovery process, see Terminal Services
License Server Discovery.
4. After you have made a selection, click OK.
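The two terminal server settings covered above (licensing mode and license server discovery mode) can also be read and changed from PowerShell. The following is an added example, not code from the deployment guide; it uses the Win32_TerminalServiceSetting WMI class that backs Terminal Services Configuration, and it assumes (the guide does not say this) that the two Group Policy settings are stored under the registry path in $PolicyKey as LicensingMode (REG_DWORD) and LicenseServers (REG_SZ).

```powershell
# Added example, not part of the Terminal Services Deployment Guide.
# Run as a member of the local Administrators group on the terminal server.
# Assumption: the "Set Terminal Services licensing mode" and "Use the specified
# Terminal Services license servers" Group Policy settings are stored under
# $PolicyKey as LicensingMode (REG_DWORD) and LicenseServers (REG_SZ).

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$TSNamespace = 'root\CIMV2\TerminalServices'

# Values of the Win32_TerminalServiceSetting.LicensingType property (and of the
# ChangeMode method parameter) for Windows Server 2008.
$LicensingTypeNames = @{
    0 = 'Personal terminal server'
    1 = 'Remote Desktop for Administration'
    2 = 'Per Device'
    4 = 'Per User'
    5 = 'Not configured'
}

function Get-TSLicensingConfig {
    $ts = Get-WmiObject -Namespace $TSNamespace -Class Win32_TerminalServiceSetting

    # Group Policy takes precedence over Terminal Services Configuration (the tool
    # shows its choices dimmed), so the policy values are reported separately.
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $policyModeName = $null
    if ($policy -and $policy.LicensingMode -ne $null) {
        $policyModeName = $LicensingTypeNames[[int]$policy.LicensingMode]
    }
    $policyServers = $null
    if ($policy) { $policyServers = $policy.LicenseServers }

    # An empty specified-server list means "Automatically discover a license server".
    $list = $ts.GetSpecifiedLicenseServerList().SpecifiedLicenseServerList
    $specified = @()
    if ($list) { $specified = @($list) }
    if ($specified.Count -gt 0) { $discovery = 'Use the specified license servers' }
    else                        { $discovery = 'Automatically discover a license server' }

    New-Object PSObject -Property @{
        ComputerName            = $ts.__SERVER
        LicensingMode           = $LicensingTypeNames[[int]$ts.LicensingType]
        DiscoveryMode           = $discovery
        SpecifiedLicenseServers = $specified
        PolicyLicensingMode     = $policyModeName   # $null unless enforced by Group Policy
        PolicyLicenseServers    = $policyServers    # $null unless enforced by Group Policy
    }
}

function Set-TSLicensingConfig {
    # Licensing mode must match the type of TS CALs installed on the license server.
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Per Device', 'Per User')]
        [string]$LicensingMode,
        [string[]]$LicenseServers   # omit to leave the discovery setting unchanged
    )
    $current = Get-TSLicensingConfig
    if ($current.PolicyLicensingMode -ne $null -or $current.PolicyLicenseServers -ne $null) {
        throw 'Licensing settings are enforced by Group Policy on this terminal server; change the GPO instead.'
    }
    $ts   = Get-WmiObject -Namespace $TSNamespace -Class Win32_TerminalServiceSetting
    $code = @{ 'Per Device' = 2; 'Per User' = 4 }[$LicensingMode]
    $result = $ts.ChangeMode($code)
    if ($result.ReturnValue -ne 0) { throw "ChangeMode returned $($result.ReturnValue)" }
    if ($LicenseServers) {
        $result = $ts.SetSpecifiedLicenseServerList($LicenseServers)
        if ($result.ReturnValue -ne 0) {
            throw "SetSpecifiedLicenseServerList returned $($result.ReturnValue)"
        }
    }
    Get-TSLicensingConfig
}

# Report the effective configuration of this terminal server.
Get-TSLicensingConfig | Format-List
```

Licensing Diagnosis in Terminal Services Configuration remains the place to confirm that the configured license servers are actually reachable and hold matching TS CALs; this script only reports and sets the terminal server side of the configuration.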
Tracking the Issuance of Terminal Services Per User Client Access Licenses
In Windows Server 2008, you can use the TS Licensing Manager tool to generate reports to track
the TS Per User CALs that have been issued by a Terminal Services license server.
Consider the following when using TS Per User CAL tracking and reporting in Windows
Server 2008:
TS Per User CAL tracking and reporting can only be used for TS Per User CALs in Windows
Server 2008. You cannot track and report on TS Per User CALs in Windows Server 2003.
TS Per User CAL tracking and reporting is supported only in domain-joined scenarios; that is,
the terminal server and the license server must be members of a domain.
TS Per User CAL tracking and reporting is not supported in workgroup mode.
Active Directory Domain Services (AD DS) is used for TS Per User CAL tracking. The
information about the TS Per User CAL that has been issued to a user is stored as part of the
user account in AD DS.
AD DS can be Windows Server 2008-based or Windows Server 2003-based.
The computer account for the license server must be a member of the Terminal Server
License Servers group in the domain. If the license server is installed on a domain controller,
the Network Service account must also be a member of the Terminal Server License Servers
group.
Important
To issue TS Per User CALs to users in other domains, there must be a two-way trust
between the domains, and the license server must be a member of the Terminal
Server License Servers group in those domains.
To determine if the license server is correctly configured for TS Per User CAL tracking and
reporting, you can use Review Configuration. For more information about Review
Configuration, see Troubleshooting TS Licensing Installation.
Because the information about the TS Per User CALs that have been issued to users is stored in
AD DS, the only way to get the most current information about the TS Per User CALs that have
been issued by the license server is to create a report by using TS Licensing Manager. When you
create a report, the necessary information is pulled from AD DS and is compiled together into a
report.
Note
Because TS Licensing Manager cannot dynamically update the number of TS Per User
CALs that are currently issued and available, those columns are left blank in some areas
of TS Licensing Manager. Instead there is a Generate Report hyperlink that takes you to
this topic. In the Report node, you can view information from reports that have been
created, but that information is specific to the date and time when the report was created.
Use the following procedure to create a report about the TS Per User CALs that have been
issued by a license server.
Membership in the local Administrators group, or equivalent, on the license server, is the
minimum required to complete this procedure.
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS
Licensing Manager.
2. Select the license server for which you want to generate a report.
3. On the Action menu, point to Create Report, and then click Per User CAL Usage.
4. In the Create Per User CAL Usage Report dialog box, select one of the following:
Entire domain This is the domain in which the license server is a member.
Organizational Unit This is any OU within the domain in which the license server is
a member.
Entire domain and all trusted domains This can include domains in other forests.
Selecting this option can increase the time that it takes to create the report.
The selection that you make determines which user accounts in AD DS will be searched
for TS Per User CAL information to generate the report.
5. Click Create Report. The report will be created and a message will appear to confirm
that the report was successfully created. Click OK to close the message.
6. The report that you created will appear in the Reports section under the node for the
license server. The report provides the following information:
Date and time the report was created
The scope of the report (for example, Domain, OU=Sales, or All trusted domains)
The number of TS Per User CALs that are installed on the license server
The number of TS Per User CALs that have been issued by the license server
specific to the scope of the report
7. You can also save the report as a CSV file to a folder location on the computer. To save
the report, right-click the report that you want to save, click Save As, and then specify the
file name and location to save the report.
Reports that you create are listed in the Reports node under the node for the license server in
TS Licensing Manager. If you no longer need a report, you can delete the report.
Use the following procedure to delete a report in TS Licensing Manager.
Membership in the local Administrators group, or equivalent, on the license server, is the
minimum required to complete this procedure.
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS
Licensing Manager.
2. Expand the All Servers node, expand the node for the license server for which the report
was created, and then click Reports.
3. If there is a specific report that you want to delete, right-click the report, and then click
Delete Report. To confirm that you want to delete the report, click Yes.
4. If you want to delete all the reports or only reports older than a certain number of days,
on the Action menu, click Delete Reports.
5. In the Delete Reports dialog box, select either to delete all reports or only reports older
than the number of days that you specify, and then click OK. The reports will be deleted
immediately, and you will not be prompted to confirm the deletion.
Troubleshooting TS Licensing Installation
You can check the configuration of your Terminal Services license server and identify common
licensing problems for a terminal server by using the following:
Review Configuration in the TS Licensing Manager tool
Licensing Diagnosis in the Terminal Services Configuration tool
Review the configuration of your license server
After you install and configure the TS Licensing role service on a computer running Windows
Server 2008, you can use Review Configuration in the TS Licensing Manager tool to review the
configuration of the license server and to help identify possible TS Licensing configuration
problems that would prevent the license server from doing the following:
Being discovered by terminal servers
Issuing Terminal Services client access licenses (TS CALs) to users or devices that are
connecting to a terminal server
Tracking and reporting the issuance of TS Per User CALs
Note
Review Configuration is used to identify possible TS Licensing configuration problems on
a license server, not configuration problems on a terminal server. To be alerted to
possible licensing discovery and configuration issues on a terminal server, use Licensing
Diagnosis in the Terminal Services Configuration tool. For information about Licensing
Diagnosis, see Diagnose licensing problems on your terminal server.
Important
To use Review Configuration, the license server must be a member of an Active Directory
domain.
You can use Review Configuration to do the following:
Check discovery scope settings:
If the discovery scope for a license server is set to Domain, Review Configuration checks if
the license server is installed on a domain controller.
If the discovery scope for a license server is set to Forest, Review Configuration checks if the
license server is published in Active Directory Domain Services (AD DS).
If the discovery scope for a license server is set to Domain or Forest, Review Configuration
checks if the license server is a member of the Terminal Server License Servers group in
AD DS.
Change the discovery scope of the license server by clicking Change Scope. For more
information, see Change the Discovery Scope of a Terminal Services License Server in the
TS Licensing Manager Help in the Windows Server 2008 Technical Library
(http://go.microsoft.com/fwlink/?LinkId=107404).
Find the location of the TS Licensing database.
Check if the License server security group Group Policy setting is enabled and applied to
the license server. For more information about the License server security group Group
Policy setting, see Control the Issuance of Terminal Services Client Access Licenses
(TS CALs) in the TS Licensing Manager Help in the Windows Server 2008 Technical Library
(http://go.microsoft.com/fwlink/?LinkId=107405).
Use the following procedure to review the configuration of a license server by using TS Licensing
Manager.
Membership in the local Administrators group, or equivalent, on the license server, is the
minimum required to complete this procedure.
To review the configuration of a license server by using TS Licensing Manager
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS
Licensing Manager.
2. In the left pane, click All servers. In the right pane, in the Configuration column, you
see either OK or Review. Review indicates that there is a possible configuration issue
with the license server.
3. To review the configuration details of a license server, do one of the following:
Select the license server that you want to review, and then on the Action menu, click
Review Configuration.
Right-click the license server that you want to review, and then click Review
Configuration.
If Review is displayed in the Configuration column for a license server, click Review.
4. In the Configuration dialog box, a list of messages provides you with information about
the configuration of the license server and identifies possible configuration issues.
For certain configuration issues, you can correct the problem from within the
Configuration dialog box if you have the appropriate administrative privileges. For
example, if the license server is not published in AD DS and you have Enterprise
Admins privileges in AD DS, you can click Publish in AD DS to correct the problem.
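The following Windows PowerShell script is an added example; it is not part of this guide or of the TS Licensing Manager tool. It approximates the Review Configuration checks from the command line by querying the Win32_TSLicenseServer WMI class on the license server (group membership, AD DS publication, the License server security group policy, activation status, and the database location). It assumes that the class is available in the root\cimv2 namespace with the method and property names shown; confirm them against the Terminal Services WMI provider documentation for your build before relying on the output.

```powershell
# Added example (not from the guide): a command-line approximation of the Review Configuration
# checks, run against the license server itself. Requires local administrator rights there.
# Assumption: Win32_TSLicenseServer (root\cimv2) exposes the methods and property used below;
# confirm the names against the Terminal Services WMI provider documentation for your build.
param([string]$LicenseServer = ".")   # "." = the local computer

$ls = Get-WmiObject -Namespace "root\cimv2" -Class Win32_TSLicenseServer -ComputerName $LicenseServer
if ($ls -eq $null) {
    throw "Win32_TSLicenseServer not found on $LicenseServer. Is the TS Licensing role service installed?"
}

# Each Get* method returns its answer in one output parameter. Read it by position so the
# script does not depend on the parameter's name.
function Get-LSCheck($obj, [string]$method) {
    $r = $obj.$method()
    if ($r.ReturnValue -ne 0) { throw "$method failed with return value $($r.ReturnValue)" }
    $out = $r.Properties | Where-Object { $_.Name -ne "ReturnValue" } | Select-Object -First 1
    return $out.Value
}

$findings = @()

# Discovery scope Domain or Forest: the license server must be a member of the
# Terminal Server License Servers group in AD DS.
if (-not (Get-LSCheck $ls "GetIsLSinTSLSGroup")) {
    $findings += "Not a member of the Terminal Server License Servers group in AD DS."
}

# Discovery scope Forest: the license server must be published in AD DS.
if (-not (Get-LSCheck $ls "GetIsLSPublished")) {
    $findings += "Not published in AD DS (required for the Forest discovery scope)."
}

# When the License server security group Group Policy setting is enabled, TS CALs are issued
# only to terminal servers in the Terminal Server Computers local group on the license server.
if (Get-LSCheck $ls "GetIsLSSecGrpGPEnabled") {
    $findings += "License server security group policy is enabled; verify the Terminal Server Computers group membership."
}

# Activation status; assumed encoding: 0 = activated.
$activation = Get-LSCheck $ls "GetActivationStatus"
if ($activation -ne 0) {
    $findings += "License server is not activated (status $activation)."
}

"License server : $($ls.__SERVER)"
"Database path  : $($ls.DatabasePath)"
if ($findings.Count -eq 0) {
    "Configuration  : OK"
} else {
    "Configuration  : Review"
    $findings | ForEach-Object { " - $_" }
}
```

The script reports OK or Review in the same sense as the Configuration column in TS Licensing Manager, with one line per condition that needs attention; it only reads the license server and changes nothing.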
Diagnose licensing problems on your terminal server
Each user or computing device that connects to a terminal server must have a valid Terminal
Services client access license (TS CAL) issued by a Terminal Services license server. A terminal
server must be able to discover a Terminal Services license server to request TS CALs for users
or computing devices that are connecting to the terminal server.
Terminal Services Configuration for Windows Server 2008 includes the Licensing Diagnosis tool,
which provides information to help identify possible licensing problems for the terminal server,
including the following:
Determines which license servers the terminal server can discover
Determines whether those license servers have TS CALs available to issue to users or
computing devices that are connecting to the terminal server
Tries to identify possible licensing problems and provide resolutions to those problems
Use the following procedure to run the Licensing Diagnosis tool.
Membership in the local Administrators group, or equivalent, is the minimum required to
complete this procedure.
To run the Licensing Diagnosis tool
1. Open Terminal Services Configuration. To open Terminal Services Configuration, click
Start, point to Administrative Tools, point to Terminal Services, and then click
Terminal Services Configuration.
2. In the left pane, click Licensing Diagnosis. Licensing Diagnosis automatically runs and
tries to discover license servers and identify licensing configuration problems, and then
displays the results.
The Licensing Diagnosis results include the following:
Terminal Server Configuration Details, which displays configuration information about the
terminal server, including the licensing mode and discovery mode that have been specified
for the terminal server.
Licensing Diagnosis Information, which displays any licensing problems that were
identified along with suggested resolutions to the problems.
Terminal Services License Server Information, which displays the license servers that
were discovered by the terminal server.
License Server Configuration Details, which displays configuration information about a
license server, including the type and version of TS CALs installed and available on that
license server.
To view the configuration details of a selected license server, the account that you are logged on
as needs administrator privileges on the license server. If your account does not have
administrator privileges on the license server, you can use Provide Credentials in the Licensing
Diagnosis tool to provide credentials that have administrative privileges on the license server.
Important
To view the configuration details of a Windows 2000 or a Windows Server 2003 license
server, you must provide the credentials of the built-in local Administrator account on the
license server. The credentials of any other account, even if that account has
administrator privileges on the license server, will not allow you to view the configuration
details.
Deploying TS Session Broker
Terminal Services Session Broker (TS Session Broker) is a role service that keeps track of user
sessions in a load-balanced terminal server farm. The TS Session Broker database stores
session state information that includes session IDs, their associated user names, and the name
of the server where each session resides. TS Session Broker uses this information to redirect
users who have an existing session to the terminal server where their session exists.
If the TS Session Broker Load Balancing feature is enabled, TS Session Broker also tracks the
number of user sessions on each terminal server in the farm, and directs new sessions to the
terminal server with the fewest sessions.
To install and configure a TS Session Broker server, see the following topics:
Installation Prerequisites for TS Session Broker
Checklist: Creating a Load-Balanced Terminal Server Farm by Using TS Session Broker
Installing TS Session Broker
Adding Each Terminal Server in the Farm to the Session Directory Computers Local Group
Configuring a Terminal Server to Join a Farm in TS Session Broker
Configuring DNS for TS Session Broker Load Balancing
Configuring Dedicated Redirectors (optional)
Installation Prerequisites for TS Session Broker
To participate in TS Session Broker Load Balancing, the following system requirements apply:
The TS Session Broker server and the terminal servers in the farm must be running Windows
Server 2008. TS Session Broker is available in the following operating systems: Windows
Server 2008 Standard, Windows Server 2008 Enterprise, and Windows Server 2008
Datacenter.
Note
Windows Server 2003-based terminal servers cannot use the TS Session Broker
Load Balancing feature.
All terminal servers in the load-balanced farm must be configured identically, with the same
available programs.
Client computers must be running Remote Desktop Connection (RDC) version 5.2 or later.
In addition, we recommend that you configure all terminal servers in the farm to restrict each user
to a single session. To do this, use either of the following methods:
Configure the Restrict Terminal Services users to a single remote session Group Policy
setting. This policy setting is available in the Computer Configuration\Policies\
Administrative Templates\Windows Components\Terminal Services\Terminal Server\
Connections node of the Group Policy Management Console (GPMC) on a Windows
Server 2008-based domain controller. It is a best practice to group the terminal servers that
are in the same terminal server farm into a single organizational unit (OU), and then configure
this policy setting in a Group Policy object (GPO) that applies to the OU.
Note
If you are using the Local Group Policy Editor, Policies is not part of the node path.
Configure the Restrict each user to a single session setting on each terminal server by
using Terminal Services Configuration. This setting appears under Edit settings, in the
General section.
TS Session Broker components
The following are two TS Session Broker components to consider:
TS Session Broker server, which is the server that runs the Terminal Services Session
Broker service and tracks user sessions for one or more load-balanced terminal server farms.
TS Session Broker uses a farm name to determine which servers are in the same terminal
server farm.
Terminal servers that use TS Session Broker, which are load-balanced terminal servers
that are members of a farm in TS Session Broker.
Checklist: Creating a Load-Balanced Terminal Server Farm by Using TS Session Broker
With a load-balanced terminal server farm, you can scale the performance of a single terminal
server by distributing Terminal Services sessions across multiple servers. You can configure a
load-balanced farm by using the TS Session Broker Load Balancing feature, Network Load
Balancing (NLB), or a non-Microsoft solution. TS Session Broker also enables a user to
reconnect to their existing session in a load-balanced terminal server farm.
This checklist shows the steps that are required to create and configure a load-balanced terminal
server farm by using TS Session Broker Load Balancing.
Important
The TS Session Broker Load Balancing feature is only supported on terminal servers that
are running Windows Server 2008.

| Task | Reference |
| --- | --- |
| Install the TS Session Broker role service on the server that you want to use to track user sessions for a farm. | Installing TS Session Broker |
| Add the terminal servers in the farm to the Session Directory Computers local group on the TS Session Broker server. | Adding Each Terminal Server in the Farm to the Session Directory Computers Local Group |
| Configure the terminal servers in the farm to join a farm in TS Session Broker, and to participate in TS Session Broker Load Balancing. | Configuring a Terminal Server to Join a Farm in TS Session Broker |
| Configure DNS round robin entries for terminal servers in the farm. | Configuring DNS for TS Session Broker Load Balancing |
Installing TS Session Broker
You must install the TS Session Broker role service on a server (running Windows Server 2008)
that you want to use to track user session information for a load-balanced terminal server farm.
The server where you install the TS Session Broker role service does not have to be a terminal
server or have Remote Desktop enabled.
You can use a single TS Session Broker server to track user sessions across multiple farms
because there is minimal performance overhead.
When you install the TS Session Broker role service, the following changes occur on the local
computer:
The Terminal Services Session Broker service is installed. By default, the service is set to
Started and to Automatic.
The Session Directory Computers local group is created.
Installation prerequisites
The server where you install TS Session Broker must be a member of a domain.
Note
If you install the TS Session Broker role service on a domain controller, the Session
Directory Computers group will be a domain local group and available on all domain
controllers.
Install the TS Session Broker role service
Membership in the local Administrators group is the minimum required to complete this
procedure.
To install the TS Session Broker role service
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. If the Terminal Services role is already installed:
a. Under Roles Summary, click Terminal Services.
b. Under Role Services, click Add Role Services.
c. On the Select Role Services page, select the TS Session Broker check box, and
then click Next.
If the Terminal Services role is not already installed:
a. Under Roles Summary, click Add Roles.
b. On the Before You Begin page of the Add Roles Wizard, click Next.
c. On the Select Server Roles page, select the Terminal Services check box, and
then click Next.
d. On the Terminal Services page, click Next.
e. On the Select Role Services page, select the TS Session Broker check box, and
then click Next.
3. On the Confirm Installation Selections page, confirm that TS Session Broker is listed,
and then click Install.
4. On the Installation Results page, click Close.
Adding Each Terminal Server in the Farm to the Session Directory Computers Local Group
For terminal servers to use TS Session Broker, you must add the computer account for each
terminal server in the farm to the Session Directory Computers local group on the TS Session
Broker server.
Membership in the local Administrators group is the minimum required to complete this
procedure.
Important
You must perform this procedure on the server where you installed the TS Session
Broker role service.
To add terminal servers to the Session Directory Computers local group
1. On the TS Session Broker server, click Start, point to Administrative Tools, and then
click Computer Management.
2. In the left pane, expand Local Users and Groups, and then click Groups.
3. In the right pane, right-click the Session Directory Computers group, and then click
Properties.
4. Click Add.
5. In the Select Users, Computers or Groups dialog box, click Object Types.
6. Select the Computers check box, and then click OK.
7. Locate and then add the computer account for each terminal server that you want to add.
8. When you finish, click OK.
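The following Windows PowerShell script is an added example and is not part of this guide. It makes the same group membership change through the WinNT ADSI provider, which is convenient when a farm has many members or when you want to confirm that the computer account of every terminal server is already in the group. The domain name and server names are placeholders; run the script on the TS Session Broker server as a member of the local Administrators group.

```powershell
# Added example (not from the guide): add each farm member's computer account to the
# Session Directory Computers local group on the TS Session Broker server, then list the group.
# Placeholders: the NetBIOS domain name and the terminal server names below are constructed.
$Domain  = "CONTOSO"
$Servers = @("TS01", "TS02", "TS03")

$group = [ADSI]"WinNT://$env:COMPUTERNAME/Session Directory Computers,group"

# Return the current members as DOMAIN\Name strings so that re-running the script is harmless.
function Get-LocalGroupMembers([System.DirectoryServices.DirectoryEntry]$g) {
    $g.psbase.Invoke("Members") | ForEach-Object {
        $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        # ADsPath looks like WinNT://CONTOSO/TS01$ ; reduce it to CONTOSO\TS01$
        ($path -replace "^WinNT://", "") -replace "/", "\"
    }
}

$existing = @(Get-LocalGroupMembers $group)
foreach ($s in $Servers) {
    $account = "$Domain\$s`$"        # computer accounts carry a trailing $
    if ($existing -contains $account) {
        Write-Host "$account is already a member"
        continue
    }
    # The ",computer" class suffix keeps the WinNT provider from matching a user of the same name.
    $group.Add("WinNT://$Domain/$s`$,computer")
    Write-Host "Added $account"
}

Write-Host "Members of Session Directory Computers on $env:COMPUTERNAME:"
Get-LocalGroupMembers $group
```

The membership check uses the SAM account name with its trailing dollar sign; a server that is listed without it is a user account of the same name, not the computer account that TS Session Broker expects.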
Configuring a Terminal Server to Join a Farm in TS Session Broker
You can configure a terminal server to join a farm in TS Session Broker and to participate in
TS Session Broker Load Balancing by using Group Policy or the Terminal Services Configuration
tool. However, you must use Terminal Services Configuration to configure the following settings:
The IP addresses to be used for reconnection
The relative weight of the server when using TS Session Broker Load Balancing
For information about how to configure the settings by using Group Policy, see Configure TS
Session Broker Settings by Using Group Policy. Configuring the settings by using Group Policy is
a recommended best practice.
For information about how to configure the settings by using Terminal Services Configuration, see
Configure TS Session Broker Settings by Using Terminal Services Configuration.
Note
Group Policy settings take precedence over configuration settings in the Terminal
Services Configuration snap-in and settings that are made by using the Terminal Services
WMI provider.
Configure TS Session Broker Settings by Using Group Policy
You can use Group Policy to configure TS Session Broker settings. However, to configure the IP
addresses to be used for reconnection, or to configure the relative server weight when using
TS Session Broker Load Balancing, you must use Terminal Services Configuration.
To assign TS Session Broker settings through Group Policy, it is a best practice to group the
terminal servers that are in the same terminal server farm into a single organizational unit (OU) in
Active Directory Domain Services (AD DS). Then, configure the TS Session Broker settings in a
Group Policy object (GPO) that applies to the OU.
Important
For the TS Session Broker settings to be effective on a server, the server must have the
Terminal Server role service installed.
The following procedure describes how to configure TS Session Broker Group Policy settings by
using the Group Policy Management Console (GPMC).
To change Group Policy settings for a domain or an OU, you must be logged on as a member of
the Domain Admins group, Enterprise Admins group, or the Group Policy Creator Owners
group, or have been delegated the appropriate authority over Group Policy to complete this
procedure.
To apply TS Session Broker settings to an Active Directory OU
1. To start the GPMC, click Start, point to Administrative Tools, and then click Group
Policy Management.
2. In the left pane, locate the OU that contains the terminal servers.
3. To modify an existing GPO for the OU, expand the OU, and then click the GPO.
To create a new GPO, follow these steps:
a. Right-click the OU, and then click Create a GPO in this domain, and link it here.
b. In the Name box, type a name for the GPO, and then click OK.
c. In the left pane, locate and then click the new GPO.
4. In the right pane, click the Settings tab.
5. Right-click Computer Configuration, and then click Edit.
6. In the left pane, under Computer Configuration, expand Policies, Administrative
Templates, Windows Components, Terminal Services, Terminal Server, and then
click TS Session Broker.
7. In the right pane, double-click the Join TS Session Broker policy setting, click Enabled,
and then click OK.
8. Double-click the Configure TS Session Broker farm name policy setting, and then do
the following:
a. Click Enabled.
b. In the TS Session Broker farm name box, type the name of the farm in TS Session
Broker that you want to join, and then click OK.
Important
TS Session Broker uses a farm name to determine which servers are in the
same terminal server farm. You must use the same farm name for all servers
that are in the same load-balanced terminal server farm. Although the farm
name in TS Session Broker does not have to be registered in AD DS, it is
recommended that you use the same name that you will use in DNS for the
terminal server farm. (The terminal server farm name in DNS represents the
virtual name that clients will use to connect to the terminal server farm.) If
you type a new farm name, a new farm is created in TS Session Broker and
the server is joined to the farm. If you type an existing farm name, the server
joins the existing farm in TS Session Broker.
9. Double-click the Configure TS Session Broker server name policy setting, and then do
the following:
a. Click Enabled.
b. In the TS Session Broker server name box, type the name of the server where you
installed the TS Session Broker role service, and then click OK.
10. To use TS Session Broker Load Balancing, double-click the Use TS Session Broker
load balancing policy setting, click Enabled, and then click OK.
11. Optionally, if you have a hardware load balancer that supports TS Session Broker token
redirection, double-click Use IP Address Redirection and configure the setting. For
more information, see the Group Policy Explain text and Configuring Dedicated
Redirectors (optional).
Note
To configure TS Session Broker settings by using local Group Policy, use the Local Group
Policy Editor. To start the Local Group Policy Editor, click Start, click Run, type
gpedit.msc, and then click OK. To configure local Group Policy settings, you must be a
member of the Administrators group on the local computer or you must have been
delegated the appropriate authority.
Configure TS Session Broker Settings by Using Terminal Services Configuration
You can configure a terminal server to join a farm in TS Session Broker and to participate in
TS Session Broker Load Balancing by using Terminal Services Configuration.
Note
The following steps are only applicable if the Terminal Server role service is installed.
Membership in the local Administrators group is the minimum required to complete this
procedure.
To configure TS Session Broker settings by using Terminal Services Configuration
1. Start Terminal Services Configuration. To do this, click Start, point to Administrative
Tools, point to Terminal Services, and then click Terminal Services Configuration.
2. In the Edit settings area, under TS Session Broker, double-click Member of farm in
TS Session Broker.
3. On the TS Session Broker tab, click to select the Join a farm in TS Session Broker
check box.
4. In the TS Session Broker server name or IP address box, type the name or the IP
address of the TS Session Broker server.
Note
The TS Session Broker server is the server where you installed the TS Session
Broker role service.
5. In the Farm name in TS Session Broker box, type the name of the farm that you want
to join in TS Session Broker.
Important
TS Session Broker uses a farm name to determine which servers are in the
same terminal server farm. You must use the same farm name for all servers that
are in the same load-balanced terminal server farm. Although the farm name in
TS Session Broker does not have to be registered in AD DS, it is recommended
that you use the same name that you will use in DNS for the terminal server
farm. (The terminal server farm name in DNS represents the virtual name that
clients will use to connect to the terminal server farm.) If you type a new farm
name, a new farm is created in TS Session Broker and the server is joined to the
farm. If you type an existing farm name, the server joins the existing farm in
TS Session Broker.
6. To participate in TS Session Broker Load Balancing, select the Participate in Session
Broker Load-Balancing check box.
7. Optionally, in the Relative weight of this server in the farm box, modify the server
weight. By default, the value is 100. The server weight is relative. Therefore, if you assign
one server a value of 100, and one a value of 200, the server with a relative weight of
200 will receive twice the number of sessions.
8. Verify that you want to use IP address redirection. By default, the Use IP address
redirection (recommended) setting is enabled. If you clear the check box, the server
switches to token redirection mode.
9. In the Select IP addresses to be used for reconnection box, click to select the check
box next to each IP address that you want to use. When you select the IP addresses to
use, consider the following:
Only the first selected IPv4 address will be used by clients that are running RDC 5.2
and earlier.
Using IPv6 addresses is not recommended if the terminal server farm contains
servers that are running Windows Server 2003.
10. When you finish, click OK.
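The following Windows PowerShell script is an added example and is not part of this guide. It reads back, from each terminal server in a farm, the settings that this procedure and the Group Policy procedure configure (farm membership, TS Session Broker server, farm name, IP address versus token redirection) together with the single-session restriction recommended in Installation Prerequisites for TS Session Broker, so that you can confirm that all servers in the farm are configured identically and see whether Group Policy is the source of a value. It assumes that the Win32_TerminalServiceSetting class in the Terminal Services WMI provider exposes these values under the property names used in the script; the server names are placeholders.

```powershell
# Added example (not from the guide): audit the TS Session Broker and single-session settings
# of every terminal server in a farm through the Terminal Services WMI provider.
# Assumption: Win32_TerminalServiceSetting (root\cimv2\TerminalServices) exposes the properties
# used below under these names; a property that does not exist on your build reads as empty.
param([string[]]$Servers = @("TS01", "TS02"))   # placeholder terminal server names

$rows = foreach ($server in $Servers) {
    $ts = Get-WmiObject -Namespace "root\cimv2\TerminalServices" `
                        -Class Win32_TerminalServiceSetting -ComputerName $server
    New-Object PSObject -Property @{
        Server          = $server
        JoinBroker      = $ts.SessionDirectoryActive          # 1 = joins a farm in TS Session Broker
        BrokerServer    = $ts.SessionDirectoryLocation        # TS Session Broker server name or IP
        FarmName        = $ts.SessionDirectoryClusterName     # must be identical across the farm
        IPRedirection   = $ts.SessionDirectoryExposeServerIP  # 1 = IP address redirection, 0 = token
        SingleSession   = $ts.SingleSession                   # 1 = each user restricted to one session
        LicensingMode   = $ts.LicensingName                   # licensing mode shown by Licensing Diagnosis
        FromGroupPolicy = $ts.PolicySourceSessionDirectoryActive  # 1 = Group Policy controls the value
    }
}

$rows | Format-Table Server, JoinBroker, BrokerServer, FarmName, IPRedirection, SingleSession,
                     LicensingMode, FromGroupPolicy -AutoSize

# Farm-wide consistency checks: one farm name, every member joined, single session enforced.
$farmNames = @($rows | ForEach-Object { $_.FarmName } | Sort-Object -Unique)
if ($farmNames.Count -ne 1) {
    Write-Warning "Farm names differ across servers: $($farmNames -join ', ')"
}
foreach ($row in $rows) {
    if ($row.JoinBroker -ne 1)    { Write-Warning "$($row.Server) is not joined to TS Session Broker" }
    if ($row.SingleSession -ne 1) { Write-Warning "$($row.Server) does not restrict users to a single session" }
}
```

Because Group Policy takes precedence over Terminal Services Configuration and the WMI provider, a value that looks wrong in the table but shows FromGroupPolicy = 1 has to be corrected in the GPO that applies to the farm's OU, not on the individual server.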
Configuring DNS for TS Session Broker Load Balancing
To configure DNS round robin entries for TS Session Broker Load Balancing, you must map the
IP address of each terminal server in the farm to the terminal server farm name in DNS.
The following procedure provides the steps to configure DNS on a Windows Server 2008-based
domain controller.
You must be a member of the Domain Admins, Enterprise Admins, or the DnsAdmins group
to complete this procedure.
To add DNS entries for each terminal server in the farm
1. Click Start, point to Administrative Tools, and then click DNS.
2. Expand the server name, expand Forward Lookup Zones, expand the domain name,
and then click the appropriate zone.
3. Right-click the zone, and then click New Host (A or AAAA).
4. In the Name (uses parent domain name if blank) box, type the terminal server farm
name.
The farm name is the virtual name that clients will use to connect to the terminal server
farm. For management purposes, it is recommended that you use the same farm name
that you specified when you configured the terminal servers to join a farm in TS Session
Broker.
Important
Do not use the name of an existing server for the farm name.
5. In the IP address box, type the IP address of a terminal server in the farm.
6. Click Add Host, and then click OK when you receive the message that the host record
was successfully created.
7. Repeat steps three through six for each terminal server in the farm.
Important
You must specify the same farm name in the Name (uses parent domain name
if blank) box for each DNS entry.
For example, if you have three terminal servers in a farm named FARM1, with IP
addresses of 192.168.1.20, 192.168.1.21, and 192.168.1.22, the entries would look
similar to the following:
Farm1 Host(A) 192.168.1.20
Farm1 Host(A) 192.168.1.21
Farm1 Host(A) 192.168.1.22
8. When you finish, click Done.
Note
By default, a DNS round robin entry is enabled when using DNS on a Windows
Server 2008-based domain controller. The Enable round robin setting is available on
the Advanced tab when you view the properties of the server in DNS.
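The following Windows PowerShell script is an added example and is not part of this guide. It carries out the same procedure with the dnscmd command-line tool: it first confirms that the farm name is not the name of an existing computer account in AD DS (the Important note above), makes sure round robin has not been turned off on the DNS server, creates one host (A) record per terminal server under the farm name, and then resolves the farm name to confirm that every address is returned. The same script registers only the dedicated redirectors when you use the configuration described in Configuring Dedicated Redirectors (optional). The DNS server, zone, farm name, and addresses are placeholders taken from the example above; run it as a member of DnsAdmins on a computer that has dnscmd available.

```powershell
# Added example (not from the guide): create the DNS round robin records for a terminal server
# farm with dnscmd, after checking that the farm name is not already a computer in AD DS.
# Placeholders: the DNS server, zone, farm name and addresses below are constructed.
$DnsServer = "dc01.contoso.com"
$Zone      = "contoso.com"
$FarmName  = "FARM1"
$FarmIPs   = @("192.168.1.20", "192.168.1.21", "192.168.1.22")

# The farm name must not be the name of an existing server; look it up in the current domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(cn=$FarmName))"
if ($searcher.FindOne() -ne $null) {
    throw "'$FarmName' is an existing computer account in AD DS; choose a different farm name."
}

# Round robin is on by default on a Windows Server 2008 DNS server; make sure it stays on.
& dnscmd $DnsServer /Config /RoundRobin 1 | Out-Null

# One host (A) record per terminal server, all under the same farm name.
foreach ($ip in $FarmIPs) {
    & dnscmd $DnsServer /RecordAdd $Zone $FarmName A $ip
}

# Verify: resolving the farm name should return every farm address (order rotates per query).
$resolved = [System.Net.Dns]::GetHostAddresses("$FarmName.$Zone") |
            ForEach-Object { $_.IPAddressToString }
$missing = $FarmIPs | Where-Object { $resolved -notcontains $_ }
if ($missing) {
    Write-Warning "Not yet resolvable (check the client cache or zone replication): $($missing -join ', ')"
} else {
    Write-Host "All farm addresses resolve for $FarmName.$Zone"
}
```

If the verification step reports addresses as missing immediately after the records were created, the cause is usually the local resolver cache or replication of the zone to the DNS server the client queries, not the records themselves.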
Configuring Dedicated Redirectors (optional)
If you use Domain Name System (DNS) round robin as the front-end load balancer, when you
register the IP address of each terminal server in the farm to a single terminal server farm name
in DNS, incoming Terminal Services clients try to connect to the first IP address for the farm name
that is returned by DNS. The terminal server that receives this initial connection request acts as
the redirector.
To increase session redirection performance in a large terminal server farm, you can configure
terminal servers to be dedicated redirectors. These servers process incoming requests, but they
do not accept user sessions.
To configure dedicated redirectors, you must do the following:
1. Create DNS round robin entries for the terminal servers that you want to use as dedicated
redirectors. When you do so, you must map the IP address of each terminal server that you
want to use as a dedicated redirector to the terminal server farm name in DNS. (The farm
name is the virtual name that clients use to connect to the terminal server farm.) The farm
name must not match an existing server name in Active Directory Domain Services (AD DS).
Note
Only the dedicated redirectors should have host resource records in DNS that map to
the terminal server farm name.
2. Configure the terminal servers that you want to use as dedicated redirectors to deny new
user logon requests. For more information about how to deny new user logon requests, see
Deny Logon Requests to a Terminal Server.
Deploying TS Gateway
Terminal Services Gateway (TS Gateway) is a role service that enables authorized remote users
to connect to resources on an internal corporate or private network, from any Internet-connected
device that can run the Remote Desktop Connection (RDC) client. The network resources can be
terminal servers, terminal servers running RemoteApp programs, or computers with Remote
Desktop enabled.
TS Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a
Secure Sockets Layer (SSL) connection. In this way, TS Gateway helps improve security by
establishing an encrypted connection between remote users on the Internet and the internal
network resources on which their productivity applications run.
To install, configure, and manage a TS Gateway server, see the following topics:
Installation Prerequisites for TS Gateway
Understanding Requirements for Connecting to a TS Gateway Server
Checklist: Deploying TS Gateway
Installing TS Gateway
Configuring a Certificate for the TS Gateway Server
Creating a Terminal Services Connection Authorization Policy
Creating a Terminal Services Resource Authorization Policy
Configuring the Terminal Services Client for TS Gateway
Limiting the Maximum Number of Simultaneous Connections Through TS Gateway
Using Group Policy to Manage Client Connections Through TS Gateway
Installation Prerequisites for TS Gateway
For TS Gateway to function correctly, you must meet these prerequisites:
You must have a server running Windows Server 2008.
You must obtain an SSL certificate for the TS Gateway server if you do not have one already.
By default, on the TS Gateway server, the RPC/HTTP Load Balancing service and the IIS
service use Transport Layer Security (TLS) 1.0 to encrypt communications between clients
and TS Gateway servers over the Internet. For TLS to function correctly, you must install an
SSL certificate on the TS Gateway server.
Note
You do not need a certification authority (CA) infrastructure within your organization if
you can use another method to obtain an externally trusted certificate that meets the
requirements for TS Gateway. If your company does not maintain a stand-alone CA
or an enterprise CA and you do not have a compatible certificate from a trusted public
CA, you can create and import a self-signed certificate for your TS Gateway server
for technical evaluation and testing purposes.
For information about certificate requirements for TS Gateway and how to obtain and install a
certificate, see "Obtain a certificate for the TS Gateway server" in Configuring the TS
Gateway Core Scenario.
TS Gateway servers must be joined to an Active Directory domain in the following cases:
If you configure a TS Gateway authorization policy that requires that users be domain
members to connect to the TS Gateway server.
If you configure a TS Gateway authorization policy that requires that client computers be
domain members to connect to the TS Gateway server.
If you are deploying a load-balanced TS Gateway server farm.
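The following Windows PowerShell script is an added example and is not part of this guide. Before you install TS Gateway, it inspects the certificates in the Local Computer Personal store of the intended TS Gateway server and reports, for each one, whether it satisfies the general TLS conditions a client will enforce: the subject name (or a subject alternative name) matches the name clients connect to, the private key is present, the validity period has not expired, the certificate carries the Server Authentication enhanced key usage, and it chains to a root that this computer trusts. These checks are the ones assumed for this example; the detailed certificate requirements for TS Gateway are in Configuring the TS Gateway Core Scenario. The gateway name is a placeholder.

```powershell
# Added example (not from the guide): check the certificates in the TS Gateway server's
# Local Computer\Personal store against the TLS conditions assumed above.
# Placeholder: the FQDN below is constructed; use the name that clients will connect to.
param([string]$GatewayFqdn = "tsgateway.contoso.com")

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Enhanced Key Usage: Server Authentication
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

function Test-GatewayCertificate($cert, [string]$fqdn) {
    $problems = @()

    # The name clients type must appear as the subject CN or as a DNS entry in the SAN extension.
    $namePattern = 'CN=' + [regex]::Escape($fqdn) + '(,|$)'
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanText = if ($san) { $san.Format($false) } else { "" }
    if (($cert.Subject -notmatch $namePattern) -and ($sanText -notmatch [regex]::Escape($fqdn))) {
        $problems += "name does not match $fqdn"
    }

    # TLS needs the private key on the server; a certificate imported without it cannot be used.
    if (-not $cert.HasPrivateKey) { $problems += "no private key" }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += "outside validity period" }

    # Server Authentication must be among the enhanced key usages.
    $eku = $cert.Extensions |
           Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($eku) {
        foreach ($oid in $eku.EnhancedKeyUsages) { if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true } }
    }
    if (-not $hasServerAuth) { $problems += "no Server Authentication EKU" }

    # Verify() builds the chain with this computer's trust store. A self-signed test certificate
    # fails here until its public part is placed in Trusted Root Certification Authorities, and
    # every client will apply the same test against its own store.
    if (-not $cert.Verify()) { $problems += "does not chain to a trusted root on this computer" }

    return $problems
}

foreach ($cert in $store.Certificates) {
    $problems = @(Test-GatewayCertificate $cert $GatewayFqdn)
    $status = if ($problems.Count -eq 0) { "OK" } else { $problems -join "; " }
    "{0,-45} expires {1:yyyy-MM-dd}  {2}" -f $cert.Subject, $cert.NotAfter, $status
}
$store.Close()
```

A certificate that passes every check on the server can still be rejected by remote clients if they do not trust the issuing CA, which is why the prerequisites recommend an externally trusted certificate outside of evaluation and testing.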
Role, role service, and feature dependencies
To function correctly, TS Gateway requires several role services and features to be installed and
running. When you use Server Manager to install the TS Gateway role service, the following
additional roles, role services, and features are automatically installed and started, if they are not
already installed:
Remote Procedure Call (RPC) over HTTP Proxy
Web Server (IIS) [Internet Information Services 7.0]
IIS 7.0 must be installed and running for the RPC over HTTP Proxy feature to function.
Network Policy and Access Services
You can also configure TS Gateway to use Terminal Services connection authorization
policies (TS CAPs) that are stored on another server that runs the Network Policy Server
(NPS) service. By doing this, you are using the server that is running Network Policy Server
(NPS)—formerly known as a Remote Authentication Dial-In User Service (RADIUS) server—
to centralize the storage, management, and validation of TS CAPs. If you have already
deployed a server running NPS for remote access scenarios such as VPN and dial-up
networking, using the existing server running NPS for TS Gateway scenarios as well can
enhance your deployment.
Administrative credentials
You must be a member of the Administrators group on the computer that you want to configure as
a TS Gateway server.
Understanding Requirements for Connecting to a TS Gateway Server
Users on Terminal Services client computers must meet specific requirements before they can
connect to TS Gateway. These requirements include the following:
Supported Windows authentication method (required). You can configure the
authentication methods that the TS Gateway server allows by using TS Gateway Manager.
On clients, you can configure the authentication method to be used to connect to the
TS Gateway server by using Group Policy.
Important
A client and the TS Gateway server to which the client connects must have at least
one common authentication method, or the client’s attempt to connect to the
TS Gateway server will fail.
Note
If you configure the authentication method on the client by using Group Policy, the
Group Policy settings for Terminal Services client connections can be applied in one
of two ways. These policy settings can either be suggested (that is, they can be
enabled, but not enforced) or they can be enabled and enforced. For more
information, see Using Group Policy to Manage Client Connections Through TS
Gateway.
User group membership (required). You configure the user group membership requirement
by using TS Gateway Manager.
Client computer group membership (optional). You configure the client computer group
membership requirement by using TS Gateway Manager.
In TS Gateway Manager, you configure these requirements on the Requirements tab of a
Terminal Services connection authorization policy (TS CAP). For more information, see Creating
a Terminal Services Connection Authorization Policy.
Supported Windows authentication methods
If you configure the supported Windows authentication method by using TS Gateway Manager,
you can specify that a user must use a password or a smart card, or both. If you select both
methods, either can be used to connect.
If you configure the supported Windows authentication method by using Group Policy, the
following options are available:
Ask for credentials, use NTLM protocol (a Windows NT® challenge/response protocol).
For information about the NTLM protocol, see Logon and Authentication Technologies
(http://go.microsoft.com/fwlink/?LinkId=94215) and Microsoft NTLM
(http://go.microsoft.com/fwlink/?LinkId=94216).
Ask for credentials, use Basic protocol. The Basic authentication method is a widely used
industry-standard method for collecting user name and password information. It is less
secure, however, because the passwords are transmitted in Base64-encoded form, not
encrypted. For more information, see Basic Authentication (http://go.microsoft.com/fwlink/?
LinkId=94217).
Use locally logged-on credentials. In this case, the same credentials that users provide to
log on to their local computer are used to connect to the TS Gateway server. If you select this
option, but users have previously connected to the same TS Gateway server and they have
selected the Remember my credentials check box in the TS Gateway Server Settings
dialog box on their client computer, their saved credentials are used to connect to the
TS Gateway server.
Use smart card. Smart cards contain a microcomputer and a small amount of memory, and
they provide secure, tamper-proof storage for private keys and X.509 security certificates. A
smart card is a form of two-factor authentication that requires the user to have a smart card
and know the PIN to gain access to network resources. For more information, see The
Secure Access Using Smart Cards Planning Guide (http://go.microsoft.com/fwlink/?
LinkId=94218).
If all these credentials are available to users, and if users have specified to save their credentials
when connecting to the TS Gateway server, their credentials are used in the following order:
1. Saved credentials
2. Locally logged-on credentials
3. Other password or smart card credentials supplied by the user
Checklist: Deploying TS Gateway
The following steps are required to successfully set up and demonstrate the TS Gateway core
scenario. This scenario enables you to configure a TS Gateway server so that a remote user can
access an internal network resource over the Internet through the TS Gateway server. In this
scenario, the internal network resource can be a terminal server, a terminal server running
RemoteApp programs, or a computer with Remote Desktop enabled.
To configure the TS Gateway server, complete the following tasks.
Task | Reference/Step-by-step instructions
Install the TS Gateway role service. | Installing TS Gateway
Configure a certificate for the TS Gateway server. | Configuring a Certificate for the TS Gateway Server
Create a Terminal Services connection authorization policy (TS CAP). | Creating a Terminal Services Connection Authorization Policy
Create a Terminal Services resource authorization policy (TS RAP). | Creating a Terminal Services Resource Authorization Policy
Configure the Terminal Services client for TS Gateway. | Configuring the Terminal Services Client for TS Gateway
Installing TS Gateway
Follow these steps to install the TS Gateway role service. Optionally, during the role service
installation process, you can select an existing certificate (or create a new self-signed certificate),
and you can create a Terminal Services connection authorization policy (TS CAP) and a Terminal
Services resource authorization policy (TS RAP).
Install the TS Gateway role service
Use the following procedure to install the TS Gateway role service.
To install the TS Gateway role service
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. If the Terminal Services role is not already installed:
a. In Server Manager, under Roles Summary, click Add roles.
b. In the Add Roles Wizard, if the Before You Begin page appears, click Next. This
page will not appear if you have already installed other roles and you have selected
the Skip this page by default check box.
c. On the Select Server Roles page, under Roles, select the Terminal Services check
box, and then click Next.
d. On the Terminal Services page, click Next.
e. On the Select Role Services page, in the Role services list, select the TS Gateway
check box.
f. If prompted to specify whether you want to install the additional role services required
for TS Gateway, click Add Required Role Services.
g. On the Select Role Services page, confirm that TS Gateway is selected, and then
click Next.
If the Terminal Services role is already installed:
a. Under Roles Summary, click Terminal Services.
b. Under Role Services, click Add Role Services.
c. On the Select Role Services page, select the TS Gateway check box, and then click
Next.
d. If prompted to specify whether you want to install the additional role services required
for TS Gateway, click Add Required Role Services.
e. On the Select Role Services page, click Next.
3. On the Choose a Server Authentication Certificate for SSL Encryption page, specify
whether to choose an existing certificate for SSL encryption (recommended), create a
self-signed certificate for SSL encryption, or choose a certificate for SSL encryption later.
If you are completing an installation for a new server that does not yet have certificates,
see Obtain a Certificate for the TS Gateway Server for certificate requirements and
information about how to obtain and install a certificate.
Under the Choose an existing certificate for SSL encryption (recommended) option,
only certificates that have the intended purpose (server authentication) and Enhanced
Key Usage (EKU) [Server Authentication (1.3.6.1.5.5.7.3.1)] that are appropriate for the
TS Gateway role service will appear in the list of certificates. If you select this option, click
Import, and then import a new certificate that does not meet these requirements, the
imported certificate will not appear in the list.
4. On the Create Authorization Policies for TS Gateway page, specify whether you want
to create authorization policies (a TS CAP and a TS RAP) during the TS Gateway role
service installation process or later. If you select Later, follow the procedures in Creating
a Terminal Services Connection Authorization Policy to create this policy. If you select
Now, do the following:
a. On the Select User Groups That Can Connect Through TS Gateway page, click
Add to specify additional user groups. In the Select Groups dialog box, specify the
user group location and name, and then click OK as needed to check the name and
to close the Select Groups dialog box.
b. To specify more than one user group, do either of the following: Type the name of
each user group, separating the name of each group with a semi-colon; or add
additional groups from different domains by repeating the first part of this step for
each group.
c. After you finish specifying additional user groups, on the Select User Groups that
Can Connect Through TS Gateway page, click Next.
d. On the Create a TS CAP for TS Gateway page, accept the default name for the
TS CAP (TS_CAP_01) or specify a new name, select one or more supported
Windows authentication methods, and then click Next.
e. On the Create a TS RAP for TS Gateway page, accept the default name for the
TS RAP (TS_RAP_01) or specify a new name, and then do one of the following:
Specify whether to allow users to connect only to computers in one or more computer
groups, and then specify the computer groups; or specify that users can connect to
any computer on the network. Click Next.
5. On the Network Policy and Access Services page (which appears if this role service is
not already installed), review the summary information, and then click Next.
6. On the Select Role Services page, verify that Network Policy Server is selected, and
then click Next.
7. On the Web Server (IIS) page (which appears if this role service is not already installed),
review the summary information, and then click Next.
8. On the Select Role Services page, accept the default selections for Web Server (IIS),
and then click Next.
9. On the Confirm Installation Options page, verify that the following roles, role services,
and features will be installed:
Terminal Services\TS Gateway
Network Policy and Access Services\Network Policy Server
Web Server (IIS)\Web Server\Management Tools
RPC over HTTP Proxy
Windows Process Activation Service\Process Model\Configuration APIs
10. Click Install.
11. On the Installation Progress page, installation progress will be noted.
If any of these roles, role services, or features has already been installed, installation
progress will be noted only for the new roles, role services, or features that are being
installed.
12. On the Installation Results page, confirm that installation was successful, and then click
Close.
Verify successful role service installation and TS Gateway service status
Use the following procedure to verify that the TS Gateway role service and dependent roles, role
services, and features are installed correctly and running.
To verify that installation was successful
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. In the console tree, expand Roles, and then double-click Terminal Services.
3. On the Terminal Services summary page, in the System Services area, verify that the
status of Terminal Services Gateway is Running and that the startup type is set to Auto.
4. Close Server Manager.
5. Open Internet Information Services (IIS) Manager. To open IIS Manager, click Start, point
to Administrative Tools, and then click Internet Information Services (IIS) Manager.
6. In the console tree, expand <TS Gateway_Server_Name>\Sites\Default Web Site, and
then click Default Web Site.
7. Right-click Default Web Site, point to Manage Web Site, and then click Advanced
Settings.
8. In the Advanced Settings dialog box, under (General), verify that Start Automatically
is set to True. If it is not set to True, click the drop-down arrow to display the list, and then
click True.
9. Click OK.
10. Close IIS Manager.
Configuring a Certificate for the TS Gateway Server
By default, Transport Layer Security (TLS) 1.0 is used to encrypt communications between
Terminal Services clients and TS Gateway servers over the Internet. For TLS to function correctly,
you must install a Secure Sockets Layer-compatible X.509 certificate on the TS Gateway server.
You can obtain this certificate in one of the following ways:
You can generate and submit a certificate request to obtain a certificate from a stand-alone or
an enterprise certification authority (CA).
You can purchase a certificate (or obtain one at no cost on a trial basis) from one of the
trusted public CAs that participate in the Microsoft Root Certificate Program Members
program, as listed in article 931125 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkID=59547).
You can use the Add Roles Wizard to create a self-signed certificate when you install the
TS Gateway role service, or you can use TS Gateway Manager to do this after TS Gateway is
installed.
We recommend that you use a self-signed certificate only for testing and evaluation
purposes.
This section describes certificate requirements for the TS Gateway server and provides more
information about the methods that you can use to obtain a certificate. The following topics are
included:
Obtain a Certificate for the TS Gateway Server
Create a Self-Signed Certificate for the TS Gateway Server
Install a Certificate on the TS Gateway Server
Map the TS Gateway Certificate
View or Modify Certificate Properties
Obtain a Certificate for the TS Gateway Server
This section assumes an understanding of certificate trust chaining, certificate signing, and
general certificate configuration principles.
For information about public key infrastructure (PKI) configuration in Windows Server 2008, see
ITPROADD-204: PKI Enhancement in Windows Vista and Windows Server 2008
(http://go.microsoft.com/fwlink/?LinkId=93995).
For information about PKI configuration in Windows Server 2003, see Public Key Infrastructure
(http://go.microsoft.com/fwlink/?LinkID=54917).
By default TLS 1.0 is used to encrypt communications between Terminal Services clients and
TS Gateway servers over the Internet. TLS is a standard protocol that helps to secure Web
communications on the Internet or intranets. TLS is the latest and most secure version of the SSL
protocol. For more information about TLS, see:
SSL/TLS in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkID=19646)
RFC 2246: The TLS Protocol Version 1.0 (http://go.microsoft.com/fwlink/?LinkID=40979)
For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the
TS Gateway server.
Certificate requirements for TS Gateway
Certificates for TS Gateway must meet the following requirements:
The name in the Subject line of the server certificate (certificate name, or CN) must match the
DNS name that the client uses to connect to the TS Gateway server, unless you are using
wildcard certificates or the SAN attributes of certificates. If your organization issues
certificates from an enterprise certification authority (CA), a certificate template must be
configured so that the appropriate name is supplied in the certificate request. If your
organization issues certificates from a stand-alone CA, you do not need to do this.
If you are using the SAN attributes of certificates, clients that connect to the
TS Gateway server must be running Remote Desktop Connection (RDC) 6.1.
(RDC 6.1 [6.0.6001] supports Remote Desktop Protocol 6.1.) RDC 6.1 is included
with Windows Server 2008, Windows Vista SP1, and Windows XP SP3.
The certificate is a computer certificate.
The intended purpose of the certificate is server authentication. The enhanced key usage is
Server Authentication (1.3.6.1.5.5.7.3.1).
The certificate has a corresponding private key.
The certificate has not expired. We recommend that the certificate be valid one year from the
date of installation.
A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the
certificate that you plan to use contains an object identifier of 2.5.29.15, you can only use the
certificate if at least one of the following key usage values is also set:
CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE,
or CERT_DATA_ENCIPHERMENT_KEY_USAGE.
For more information about these values, see Advanced Certificate Enrollment and
Management (http://go.microsoft.com/fwlink/?LinkID=74577).
The certificate must be trusted on clients. That is, the public certificate of the CA that signed
the TS Gateway server certificate must be located in the Trusted Root Certification Authorities
store on the client computer.
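The requirements above can be checked against the certificates already present in the server's Personal store before you map one of them. The following Windows PowerShell script is an added example written for this guide's readers; it is not part of the guide or of the TS Gateway product. It assumes an elevated Windows PowerShell session on the TS Gateway server, uses a placeholder value for the DNS name clients connect to ($GatewayFqdn), and reads subject alternative names from the English "DNS Name=" text that the extension's Format() method produces on Windows.

```powershell
# Added example (not from the Terminal Services Deployment Guide). Checks a certificate from
# Cert:\LocalMachine\My against the TS Gateway certificate requirements: CN or SAN name match,
# Server Authentication EKU, acceptable Key Usage when 2.5.29.15 is present, private key present,
# not expired (one year recommended). Trust is a client-side requirement and is only reported.
# Assumptions: elevated session on the TS Gateway server; $GatewayFqdn is a placeholder.

function Test-TsGatewayCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$GatewayFqdn
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Requirement: the Subject CN must match the DNS name clients use, unless a wildcard name
    # or a SAN dNSName covers it. Collect every candidate name, then test with -like so that a
    # wildcard such as *.contoso.com matches gateway.contoso.com.
    $names = @($Certificate.GetNameInfo('SimpleName', $false))
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumption: Format() renders the SAN as "DNS Name=host1, DNS Name=host2" (English Windows).
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    if (-not @($names | Where-Object { $GatewayFqdn -like $_ })) {
        $findings.Add("No Subject CN or SAN name matches $GatewayFqdn (found: $($names -join ', '))")
    }

    # Requirement: Enhanced Key Usage must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $findings.Add('Enhanced Key Usage does not include Server Authentication (1.3.6.1.5.5.7.3.1)')
    }

    # Requirement: Key Usage (2.5.29.15) is optional, but when present it must carry at least one
    # of key encipherment, key agreement or data encipherment.
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku) {
        $accepted = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] 'KeyEncipherment, KeyAgreement, DataEncipherment'
        if (($ku.KeyUsages -band $accepted) -eq 0) {
            $findings.Add("Key Usage is present ($($ku.KeyUsages)) but has none of KeyEncipherment, KeyAgreement, DataEncipherment")
        }
    }

    # Requirement: the certificate must have a corresponding private key.
    if (-not $Certificate.HasPrivateKey) {
        $findings.Add('No private key is associated with the certificate')
    }

    # Requirement: not expired; the guide recommends one year of validity from installation.
    $now = Get-Date
    if ($Certificate.NotAfter -le $now) {
        $findings.Add("Certificate expired on $($Certificate.NotAfter)")
    } elseif ($Certificate.NotAfter -lt $now.AddYears(1)) {
        $findings.Add("Certificate expires on $($Certificate.NotAfter), less than the recommended one year")
    }

    # Trust is checked on the client, not here: this chain build only shows whether *this server*
    # trusts the issuer. A self-signed certificate fails it, which is why the guide has you copy the
    # certificate into the clients' Trusted Root Certification Authorities store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trustedHere = $chain.Build($Certificate)

    New-Object PSObject -Property @{
        Thumbprint        = $Certificate.Thumbprint
        Subject           = $Certificate.Subject
        Issuer            = $Certificate.Issuer
        MeetsRequirements = ($findings.Count -eq 0)
        TrustedOnServer   = $trustedHere
        Findings          = $findings.ToArray()
    }
}

# Placeholder: replace with the DNS name your clients use to reach the TS Gateway server.
$GatewayFqdn = 'tsgateway.example.com'

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-TsGatewayCertificate -Certificate $_ -GatewayFqdn $GatewayFqdn } |
    Format-List
```

Any certificate that reports MeetsRequirements as True is a candidate for the Map the TS Gateway Certificate procedure; the Issuer field tells you which CA certificate clients must have in their Trusted Root Certification Authorities store, and TrustedOnServer being False for a self-signed certificate is expected rather than a fault.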
Using existing certificates
If you already have a certificate, you can reuse it for the TS Gateway server if the certificate:
Is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate
Program Members program, as listed in article 931125 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkID=59547); and
Meets the certificate requirements for the TS Gateway server.
If the certificate is not trusted through the Microsoft Root Certificate Program Members program (for
example, if you create and install a self-signed certificate on the TS Gateway server and you do
not manually configure the Terminal Services client computer to trust that certificate), a warning
appears when the client attempts to connect through the TS Gateway server, stating that you do
not have a trusted certificate, and the connection will not succeed. To prevent this error,
install the certificate in the computer certificate store on the client computer before
the client attempts to connect through the TS Gateway server.
Certificate installation and configuration process overview
The process of obtaining, installing, and configuring a certificate for the TS Gateway server
involves the following steps.
1. Obtain a certificate
Obtain a certificate for the TS Gateway server by doing one of the following:
If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-
compatible X.509 certificates that meet TS Gateway requirements, you can generate and
submit a certificate request in several ways, depending on the policies and configuration of
your organization's CA. Methods for obtaining a certificate include:
Initiating auto-enrollment from the Certificates snap-in.
Requesting certificates by using the Certificate Request Wizard.
Requesting a certificate over the Web.
If you have a Windows Server 2003 CA, be aware that the Windows Server 2003
Certificate Services Web enrollment functionality relies on an ActiveX® control
that is named Xenroll. This ActiveX control is available in Microsoft
Windows 2000, Windows Server 2003, and Windows XP.
However, Xenroll has been deprecated in Windows Server 2008 and
Windows Vista. The sample certificate enrollment Web pages that are included
with the original release version of Windows Server 2003, Windows Server 2003
Service Pack 1 (SP1), and Windows Server 2003 Service Pack 2 (SP2) are not
designed to handle the change in how Windows Server 2008 and Windows Vista
perform Web-based certificate enrollment operations.
For information about the steps that you can take to address this issue, see
article 922706 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?
LinkId=94472).
Using the Certreq command-line tool.
For more information about using any of these methods to obtain certificates for Windows
Server 2008, see the "Obtain a Certificate" topic in the Certificates snap-in Help and the
"Certreq" topic in the Windows Server 2008 Command Reference. To review the Certificates
snap-in Help topics, click Start, click Run, type hh certmgr.chm, and then click OK. For
information about how to request certificates for Windows Server 2003, see Requesting
Certificates (http://go.microsoft.com/fwlink/?LinkID=19638).
A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA
that participates in the Microsoft Root Certificate Program Members program
(http://go.microsoft.com/fwlink/?LinkID=59547). Otherwise, users connecting from home
computers or kiosks might not be able to connect to TS Gateway servers. These connections
might fail because the enterprise CA-issued root might not be trusted by computers that are
not members of domains, such as home computers or kiosks.
If your company does not maintain a stand-alone or enterprise CA that is configured to issue
SSL-compatible X.509 certificates, you can purchase a certificate from a trusted public CA
that participates in the Microsoft Root Certificate Program Members program
(http://go.microsoft.com/fwlink/?LinkID=59547). Some of these vendors might offer
certificates at no cost on a trial basis.
Alternatively, if your company does not maintain a stand-alone or enterprise CA and you do
not have a compatible certificate from a trusted public CA, you can create and import a self-
signed certificate for your TS Gateway server for technical evaluation and testing purposes.
For step-by-step instructions, see Create a Self-Signed Certificate for the TS Gateway
Server.
In the example configurations described in this guide, a self-signed certificate is used.
If you use either of the first two methods to obtain a certificate (that is, if you obtain a
certificate from a stand-alone or enterprise CA or a trusted public CA), you must also
install the certificate on the TS Gateway server and map the certificate. However, if you
create a self-signed certificate by using the Add Roles Wizard during installation of the
TS Gateway role service or by using TS Gateway Manager after installation (as
described in Create a Self-Signed Certificate for the TS Gateway Server), you do not
need to install or map the certificate to the TS Gateway server. In this case, the certificate
is automatically created, installed in the correct location on the TS Gateway server, and
mapped to the TS Gateway server.
Terminal Services clients must have the certificate of the CA that issued the server
certificate in their Trusted Root Certification Authorities store. Therefore, if you create a
self-signed certificate by following the procedure in this guide, you must copy the
certificate to the client computer (or to a network share that can be accessed from the
client computer) and then install the certificate in the Trusted Root Certification Authorities
store on the client computer. For step-by-step instructions, see Install the TS Gateway
Server Root Certificate on the Terminal Services Client (Optional).
If you use one of the first two methods to obtain a certificate and the Terminal Services client
computer trusts the issuing CA, you do not need to install the certificate of the CA that issued the
server certificate in the client computer certificate store. For example, you do not need to install
the certificate of the issuing CA in the client computer certificate store if a VeriSign or other public,
trusted CA certificate is installed on the TS Gateway server.
If you use the third method to obtain a certificate (that is, if you create a self-signed certificate),
you do need to copy the certificate of the CA that issued the server certificate to the client
computer. Then, you must install that certificate in the Trusted Root Certification Authorities store
on the client computer. For more information, see Install the TS Gateway Server Root Certificate
on the Terminal Services Client (Optional).
2. Install the certificate
Install a Certificate on the TS Gateway Server. Use this procedure, described later in this guide,
to install the certificate on your TS Gateway server.
3. Map the certificate
Map the TS Gateway Certificate. This procedure, described later in this guide, allows you to
specify that the existing certificate be used by the TS Gateway server.
Create a Self-Signed Certificate for the TS Gateway Server
This procedure describes how to use TS Gateway Manager to create a self-signed certificate for
technical evaluation and testing purposes, if you did not already create one by using the Add
Roles Wizard when you installed the TS Gateway role service.
We recommend that you use self-signed certificates only for testing and evaluation
purposes. After you create the self-signed certificate, you must copy it to the client
computer (or to a network share that can be accessed from the client computer), and
then install it in the Trusted Root Certification Authorities store on the client computer.
If you create a self-signed certificate by using the Add Roles Wizard during installation of the
TS Gateway role service, or by using TS Gateway Manager after installation (as described in this
procedure), you do not need to install or map the certificate to the TS Gateway server.
Membership in the local Administrators group, or equivalent, on the TS Gateway server that you
plan to configure, is the minimum required to complete this procedure. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To create a self-signed certificate for the TS Gateway server
1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to
Administrative Tools, point to Terminal Services, and then click TS Gateway
Manager.
2. In the console tree, click to select the node that represents your TS Gateway server,
which is named for the computer on which the TS Gateway server is running.
3. In the results pane, under Configuration Status, click View or modify certificate
properties.
4. On the SSL Certificate tab, click Create a self-signed certificate for SSL encryption,
and then click Create Certificate.
5. In the Create Self-Signed Certificate dialog box, do the following:
a. Under Certificate name, verify that the correct common name (CN) is specified for
the self-signed certificate, or specify a new name. The CN must match the DNS
name that the client uses to connect to the TS Gateway server, unless you are using
wildcard certificates or the SAN attributes of certificates.
b. Under Certificate location, to store the root certificate in a specified location so that
you can manually distribute the root certificate to clients, verify that the Store the
root certificate check box is selected, and then specify where to store the certificate.
By default, this check box is selected and the certificate is stored under the
%Windir%\Users\<Username>\Documents folder.
c. Click OK.
6. If you selected the Store the root certificate check box and specified a location for the
certificate, a message will appear stating that TS Gateway has successfully created the
self-signed certificate, and confirming the location of the stored certificate. Click OK to
close the message.
7. Click OK again to close the TS Gateway server Properties dialog box.
Install a Certificate on the TS Gateway Server
After you obtain a certificate, use this procedure to install the certificate in the correct location on
the TS Gateway server, if the certificate is not already installed. After you complete this
procedure, you must Map the TS Gateway Certificate.
This procedure is not required if you created a self-signed certificate by using the Add
Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway
Manager after installation, as described in Create a Self-Signed Certificate for the TS
Gateway Server. In either case, a certificate is automatically created, installed in the
correct location on the TS Gateway server, and mapped to the TS Gateway server.
Membership in the local Administrators group, or equivalent, on the TS Gateway server that you
plan to configure, is the minimum required to complete this procedure. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To install a certificate on the TS Gateway server
1. Open the Certificates snap-in console. If you have not already added the Certificates
snap-in console, you can do so by doing the following:
a. Click Start, click Run, type mmc, and then click OK.
b. On the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click
Certificates, and then click Add.
d. In the Certificates snap-in dialog box, click Computer account, and then click
Next.
e. In the Select Computer dialog box, click Local computer: (the computer this
console is running on), and then click Finish.
f. In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local
Computer), and then click Personal.
3. Right-click the Personal folder, point to All Tasks, and then click Import.
4. On the Welcome to the Certificate Import Wizard page, click Next.
5. On the File to Import page, in the File name box, specify the name of the certificate that
you want to import, and then click Next.
6. On the Password page, do the following:
a. If you specified a password for the private key associated with the certificate earlier,
type the password.
b. If you want to mark the private key for the certificate as exportable, ensure that Mark
this key as exportable is selected.
c. If you want to include all extended properties for the certificate, ensure that Include
all extended properties is selected.
d. Click Next.
7. On the Certificate Store page, accept the default option, and then click Next.
8. On the Completing the Certificate Import Wizard page, confirm that the correct
certificate has been selected.
9. Click Finish.
10. After the certificate import has successfully completed, a message appears confirming
that the import was successful. Click OK.
11. With Certificates selected in the console tree, in the details pane, verify that the correct
certificate appears in the list of certificates on the TS Gateway server. The certificate
must be under the Personal store of the local computer.
Map the TS Gateway Certificate
You must use TS Gateway Manager to map the TS Gateway server certificate. If you map a
TS Gateway server certificate by using any other method, TS Gateway will not function correctly.
This procedure is not required if you created a self-signed certificate by using the Add
Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway
Manager after installation, as described in Create a Self-Signed Certificate for the TS
Gateway Server.
Membership in the local Administrators group, or equivalent, on the TS Gateway server that you
plan to configure, is the minimum required to complete this procedure. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To map a certificate to the local TS Gateway server
1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to
Administrative Tools, point to Terminal Services, and then click TS Gateway
Manager.
2. In the TS Gateway Manager console tree, right-click the local TS Gateway server, and
then click Properties.
3. On the SSL Certificate tab, click Select an existing certificate for SSL encryption
(recommended), and then click Browse Certificates.
4. In the Install Certificate dialog box, click the certificate that you want to use, and then
click Install.
5. Click OK to close the Properties dialog box for the TS Gateway server.
6. If this is the first time that you have mapped the TS Gateway certificate, after the
certificate mapping is completed, you can verify that the mapping was successful by
viewing the TS Gateway Server Status area in TS Gateway Manager. Under
Configuration Status and Configuration Tasks, the warning stating that a server
certificate is not yet installed or selected and the View or modify certificate properties
hyperlink are no longer displayed.
View or Modify Certificate Properties
Membership in the local Administrators group, or equivalent, on the TS Gateway server that you
plan to configure, is the minimum required to complete this procedure. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To view or modify certificate properties
1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to
Administrative Tools, point to Terminal Services, and then click TS Gateway
Manager.
2. In the console tree, click to select the node that represents your TS Gateway server,
which is named for the computer on which the TS Gateway server is running.
3. Right-click the local TS Gateway server, and then click Properties.
4. On the SSL Certificate tab, click Select an existing certificate for SSL encryption
(recommended), click Browse Certificates, and then do one of the following in the
Install Certificate dialog box:
To map a different certificate to the TS Gateway server, select the certificate that you
want this TS Gateway server to use, and then click Install. On the SSL Certificates
tab, review the Issued to, Issued by, and Expiration date fields to verify that the
correct certificate is mapped to the TS Gateway server.
To view the properties for a certificate that is installed on the TS Gateway server,
select the certificate that you want to view, and then click View Certificate. In the
Certificate dialog box, review the certificate properties, click OK to close the
Certificate dialog box, and then click Cancel to close the Install Certificate dialog
box.
5. Click OK to close the TS Gateway server Properties dialog box.
Creating a Terminal Services Connection Authorization Policy
This procedure describes how to use TS Gateway Manager to create a custom Terminal Services
connection authorization policy (TS CAP) for TS Gateway. Alternatively, you can use the
Authorization Policies Wizard to create a TS CAP.
Important
If you configure more than one TS CAP, TS Gateway uses the following policy lookup
behavior: Policies are applied in the numerical order that appears in the TS Gateway
Manager results pane, and access to the TS Gateway server is granted by the first
matching policy. That is, if a client does not meet the requirements of the first TS CAP in
the list, TS Gateway evaluates the second policy in the list, and so on, until it locates a
TS CAP whose requirements are met. If a client does not meet the requirements of any
TS CAP in the list, TS Gateway denies access to the client. Because the first matching
policy grants access, a broadly scoped TS CAP placed early in the list makes any more
restrictive TS CAP below it unreachable for the users it matches; order policies from the
most specific to the least specific.
To create a TS CAP for the TS Gateway server
1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to
Administrative Tools, point to Terminal Services, and then click TS Gateway
Manager.
2. In the console tree, click to select the node that represents the TS Gateway server, which
is named for the computer on which the TS Gateway server is running.
3. In the console tree, expand Policies, and then click Connection Authorization Policies.
4. Right-click the Connection Authorization Policies folder, click Create New Policy, and
then click Custom.
5. On the General tab, type a name for the policy, and then verify that the Enable this
policy check box is selected.
6. On the Requirements tab, under Supported Windows authentication methods, select
one or both of the following check boxes:
Password
Smart card
When both of these options are selected, clients that use either authentication method
are allowed to connect.
7. Under User group membership (required), click Add Group, and then specify a user
group whose members can connect to the TS Gateway server. You must specify at least
one user group.
8. In the Select Groups dialog box, specify the user group location and name, and then
click OK as needed to check the name and to close the Select Groups dialog box. To
specify more than one user group, do either of the following:
Type the name of each user group, separating the name of each group with a semi-
colon.
Add additional groups from different domains by repeating this step for each group.
9. To specify computer domain membership criteria that client computers should meet
(optional), on the Requirements tab, under Client computer group membership
(optional), click Add Group, and then specify the computer groups. In the example
configurations, no computer group is specified.
To specify computer groups, you can use the same steps that you used to specify user
groups.
10. On the Device Redirection tab, select one of the following options to enable or disable
redirection for remote client devices:
To permit all client devices to be redirected when connecting through the TS Gateway
server, click Enable device redirection for all client devices. By default, this option
is selected.
To disable device redirection for all client devices except for smart cards when
connecting through the TS Gateway server, click Disable device redirection for all
client devices except for smart card.
To disable device redirection for only certain device types when connecting through
the TS Gateway server, click Disable device redirection for the following client
device types, and then select the check boxes that correspond to the client device
types for which device redirection should be disabled.
Important
Device redirection settings can be enforced only for Microsoft Remote
Desktop Connection (RDC) clients.
11. Click OK.
12. The new TS CAP that you created appears in the TS Gateway Manager results pane.
When you click the name of the TS CAP, the policy details appear in the lower pane.
Creating a Terminal Services Resource Authorization Policy
This procedure describes how to use TS Gateway Manager to create a custom Terminal Services
resource authorization policy (TS RAP) for TS Gateway, and to specify computers that users can
connect to through the TS Gateway server. Alternatively, you can use the Authorization Policies
Wizard to complete these tasks.
Important
If users are connecting to members of a terminal server farm, you must configure a
TS RAP that explicitly specifies the name of the terminal server farm. To do so, when you
create the TS RAP, on the Computer Group tab, click the Select existing TS Gateway-managed
computer group or create a new one option, and then specify the name of
the terminal server farm. If the name of the terminal server farm is not specified, users
will not be able to connect to members of the farm.
For optimal security and ease of administration, to specify the terminal servers that are
members of the farm, create a second TS RAP. On the Computer Group tab, click the
Select an Active Directory security group option, and then specify the security group
that contains the terminal servers in the farm. Doing this optimizes security by ensuring
that the members of the farm are trusted members of an Active Directory security group.
To create a TS RAP and specify computers that users can connect to through the
TS Gateway server
1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to
Administrative Tools, point to Terminal Services, and then click TS Gateway
Manager.
2. In the console tree, click to select the node that represents your TS Gateway server,
which is named for the computer on which the TS Gateway server is running.
3. In the console tree, expand Policies, and then click Resource Authorization Policies.
4. Right-click the Resource Authorization Policies folder, click Create New Policy, and
then click Custom.
5. On the General tab, in the Policy name box, enter a name that is no longer than 64
characters.
6. In the Description box, enter a description for the new TS RAP.
7. On the User Groups tab, click Add to select the user groups to which you want this
TS RAP to apply.
8. In the Select Groups dialog box, specify the user group location and name, and then
click OK. To specify more than one user group, do either of the following:
Type the name of each user group, separating the name of each group with a semi-
colon.
Add additional groups from different domains by repeating Step 7 for each group.
9. On the Computer Group tab, specify the computer group that users can connect to
through TS Gateway by doing one of the following:
To specify an existing security group, click Select an existing Active Directory
security group, and then click Browse. In the Select Group dialog box, specify the
user group location and name, and then click OK. Note that you can select a security
group in Local Users and Groups rather than in Active Directory Domain Services.
To specify a TS Gateway-managed computer group, click Select an existing
TS Gateway-managed computer group or create a new one, and then click
Browse. In the Select a TS Gateway-managed Computer Group dialog box, do
one of the following:
Select an existing TS Gateway-managed computer group by clicking the name of the computer group that you want to use, and then click OK to close the dialog box.
Create a new TS Gateway-managed computer group by clicking Create New Group. On the General tab, type a name and description for the new group. On the Network Resources tab, type the name or IP address of the computer or Terminal Services farm that you want to add, and then click Add. Repeat this step as needed to specify additional computers, and then click OK to close the New TS Gateway-Managed Computer Group dialog box. In the Select a TS Gateway-managed Computer Group dialog box, click the name of the new computer group, and then click OK to close the dialog box.
Important
When you add an internal network computer to the list of TS Gateway-
managed computers, if you want to allow remote users to connect to the
computer by specifying either its computer name or its IP address, you must
85
add the computer to the computer group twice (by specifying the computer
name of the computer and adding it to the computer group, and then
specifying the IP address of the computer and adding it to the computer
group again). If you specify only an IP address for a computer when you add
it to a computer group, users must also specify the IP address of that
computer when they connect to that computer through TS Gateway.
To ensure that remote users connect to the internal network computers that
you intend, we recommend that you do not specify IP addresses for the
computers if the computers are not configured to use static IP addresses. For
example, you should not specify IP addresses if your organization uses
DHCP to dynamically reconfigure IP addresses for the computers.
To specify any network resource, click Allow users to connect to any network
resource, and then click OK.
10. After you specify a computer group, the new TS RAP that you created appears in the
TS Gateway Manager results pane. When you click the name of the TS RAP, the policy
details appear in the lower pane.
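The two procedures above create policies one at a time in TS Gateway Manager. The following PowerShell script is an added example, not part of the guide, that reads the resulting TS CAPs and TS RAPs back through the TS Gateway WMI provider and flags the settings a reviewer would question: a broad user group early in the TS CAP order (which, because the first match wins, shadows every stricter policy below it), password-only authentication, device redirection enabled for all client devices, and a TS RAP that allows any network resource. It assumes the provider's documented class and property names (Win32_TSGatewayConnectionAuthorizationPolicy, Win32_TSGatewayResourceAuthorizationPolicy and the properties shown), the list of groups treated as too broad, and that it runs with local Administrators rights on the gateway; confirm the names on your own server with Get-Member before relying on the output.

```powershell
# Added example, not code from the guide: audit the TS CAPs and TS RAPs on a TS Gateway
# server through its WMI provider (namespace root\CIMV2\TerminalServices). Class and
# property names are those the provider documents; confirm them on your server first:
#   Get-WmiObject -Namespace root\CIMV2\TerminalServices -List Win32_TSGateway*
#   Get-WmiObject -Namespace root\CIMV2\TerminalServices -Class Win32_TSGatewayConnectionAuthorizationPolicy | Get-Member
param(
    [string]$ComputerName = 'localhost'   # the gateway; needs local Administrators rights on it
)

$ns = 'root\CIMV2\TerminalServices'
# Groups that are too coarse to gate remote access with (assumption: adjust to your directory)
$broadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

function Split-GroupList([string]$list) {
    # UserGroupNames / ComputerGroupNames are stored as "DOMAIN\Group;DOMAIN\Other"
    if (-not $list) { return @() }
    return @($list -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-BroadGroup([string]$group) {
    return $broadGroups -contains ($group -split '\\')[-1]
}

'== TS CAPs in evaluation order (first match grants access) =='
$caps = @(Get-WmiObject -Namespace $ns -ComputerName $ComputerName `
            -Class Win32_TSGatewayConnectionAuthorizationPolicy | Sort-Object EvaluationOrder)
$firstBroad = $null
foreach ($cap in $caps) {
    $groups = Split-GroupList $cap.UserGroupNames
    $flags = @()
    if (-not $cap.Enabled) { $flags += 'disabled' }
    if ($cap.PasswordAuthentication -and -not $cap.SmartcardAuthentication) { $flags += 'password only' }
    # DeviceRedirectionType 0 = redirection allowed for all client devices (the dialog default)
    if ($cap.DeviceRedirectionType -eq 0) { $flags += 'all device redirection allowed' }
    foreach ($g in $groups) {
        if (Test-BroadGroup $g) {
            $flags += "broad group $g"
            if ($cap.Enabled -and -not $firstBroad) { $firstBroad = $cap }
        }
    }
    '{0,2}. {1,-28} pw={2} sc={3} groups={4}  {5}' -f $cap.EvaluationOrder, $cap.Name, `
        $cap.PasswordAuthentication, $cap.SmartcardAuthentication, ($groups -join ','), ($flags -join '; ')
}
# Because the first matching TS CAP wins, an enabled broad policy shadows every policy after it
# for the users it matches: a stricter smart-card-only CAP placed below it is never reached by them.
if ($firstBroad) {
    $shadowed = @($caps | Where-Object { $_.EvaluationOrder -gt $firstBroad.EvaluationOrder } |
                  ForEach-Object { $_.Name })
    if ($shadowed.Count -gt 0) {
        "WARNING: '$($firstBroad.Name)' matches a broad group; its members never reach: $($shadowed -join ', ')"
    }
}

'== TS RAPs =='
Get-WmiObject -Namespace $ns -ComputerName $ComputerName -Class Win32_TSGatewayResourceAuthorizationPolicy |
    ForEach-Object {
        # ResourceGroupType as the provider reports it: RG = Active Directory security group,
        # CG = TS Gateway-managed computer group, ALL = any network resource
        $target = "$($_.ResourceGroupType) $($_.ResourceGroupName)"
        $note = if ($_.ResourceGroupType -eq 'ALL') { 'REVIEW: any network resource is reachable' } else { '' }
        '{0,-28} enabled={1} users={2} -> {3}  {4}' -f $_.Name, $_.Enabled, $_.UserGroupNames, $target, $note
    }
```

Run it after every policy change and keep the output with the change record; the first-match warning is the one TS Gateway Manager will not give you, because the console shows each policy's settings but not which users will never get past an earlier, looser policy.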
Configuring the Terminal Services Client for TS Gateway
This section provides procedures for configuring your Terminal Services client computers to
connect to internal network resources through TS Gateway. It includes the following topics:
Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional)
Configure Remote Desktop Connection Settings
Verify Connectivity Through TS Gateway
Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional)
The client computer must verify and trust the identity of the TS Gateway server before the client
can send the user's password and logon credentials securely and complete the authentication
process. To establish this trust, the clients must trust the root certificate of the server. That is,
clients must have the certificate of the certification authority (CA) that issued the server certificate
in their Trusted Root Certification Authorities store. You can view this store by using the
Certificates snap-in.
This procedure is not required if:
A certificate that is issued by one of the trusted public CAs that participate in the Microsoft
Root Certificate Program is installed on the TS Gateway server; for a list of trusted public
CAs, see article 931125 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkID=59547); and
The Terminal Services client computer already trusts the CA that issued the certificate.
If the TS Gateway server is using a certificate that is issued by one of the trusted public CAs, and
the certificate is recognized and trusted by your client computer, proceed to complete the steps in
the Configure remote desktop connection settings section.
Important
Do not install certificates from any untrusted sources or individuals. Before you import a
root certificate, confirm its thumbprint against the value shown on the TS Gateway server (or
the issuing CA), because every certificate issued under that root will be trusted by the client.
Note
If you are configuring the Terminal Services client for use with Network Access Protection
(NAP), you must install the TS Gateway server root certificate by using the computer
account. If not, you can install the TS Gateway server root certificate by using the user
account.
Before you complete the steps in the following procedure, you must have already copied the
certificate to the client computer. For example, if you created a self-signed certificate for the
TS Gateway server by using TS Gateway Manager, you must have already copied that certificate
from the TS Gateway server to the client computer.
To install the TS Gateway server root certificate in the Trusted Root Certification
Authorities store on the Terminal Services client
1. Open the Certificates snap-in console. If you have not already added the Certificates
snap-in console, you can do so by doing the following:
a. Click Start, click Run, type mmc, and then click OK.
b. On the File menu, click Add/Remove Snap-in.
c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click
Certificates, and then click Add.
d. In the Certificates snap-in dialog box, to open the snap-in for a computer account,
click Computer account, and then click Next. To open the snap-in for a user
account, click My user account, and then click Finish.
e. If you opened the Certificates snap-in for a computer account, in the Select
Computer dialog box, click Local computer: (the computer this console is
running on), and then click Finish.
f. In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local
Computer), expand Trusted Root Certification Authorities, right-click Certificates,
point to All Tasks, and then click Import.
3. On the Welcome to the Certificate Import Wizard page, click Next.
4. On the File to Import page, in the File name box, browse to the TS Gateway server root
certificate, click Open, and then click Next.
5. On the Certificate Store page, accept the default option (Place all certificates in the
following store - Trusted Root Certification Authorities), and then click Next.
6. On the Completing the Certificate Import Wizard page, confirm that the following
certificate settings appear:
Certificate Store Selected by User: Trusted Root Certification Authorities
Content: Certificate
File Name: FilePath\<Root_Certificate_Name.cer>, where <Root_Certificate_Name>
is the name of the TS Gateway server root certificate.
7. Click Finish.
8. After the certificate import has successfully completed, a message appears confirming
that the import was successful. Click OK.
9. With Certificates selected in the console tree, in the details pane, verify that the root
certificate of the TS Gateway server appears in the list of certificates on the client. Ensure
that the certificate appears under the Trusted Root Certification Authorities store.
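The following PowerShell script is an added example, not from the guide, of the same import done with the check that the procedure above leaves to the administrator's judgment: it refuses to add the .cer file to the Trusted Root Certification Authorities store unless its thumbprint matches a value obtained out of band and the certificate is self-signed, and it then connects to the TS Gateway server over TLS and verifies that the presented certificate is in date, chains to a root this client trusts, and is issued to the FQDN that clients will enter. The file path, expected thumbprint, host name and port are placeholders (assumptions).

```powershell
# Added example, not code from the guide. Imports the TS Gateway root CA certificate into
# the local computer's Trusted Root Certification Authorities store only after its thumbprint
# matches a value obtained out of band (read it on the CA or TS Gateway server, not from the
# copied .cer file), then opens a TLS session to the gateway and checks that the certificate it
# presents chains to a trusted root and carries the name clients will type. The file path,
# thumbprint and host name are placeholders (assumptions), not values from the guide.
param(
    [string]$CerPath            = 'C:\Temp\tsgw-root.cer',
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000',
    [string]$GatewayFqdn        = 'tsgw.corp.contoso.com',
    [int]   $Port               = 443
)

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
if ($root.Thumbprint -ne ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()) {
    throw "Thumbprint of $CerPath is $($root.Thumbprint), expected $ExpectedThumbprint. Not importing."
}
# Only a self-signed CA certificate belongs in the Trusted Root store.
if ($root.Subject -ne $root.Issuer) {
    throw "$CerPath is not self-signed (issuer differs from subject); refusing to add it to Trusted Root."
}

# LocalMachine\Root is the store the guide's computer-account procedure populates (required for NAP);
# opening it for writing needs local Administrators rights on the client.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    if ($store.Certificates.Contains($root)) {
        "Already trusted: $($root.Subject)"
    } else {
        $store.Add($root)
        "Imported into LocalMachine\Root: $($root.Subject)"
    }
} finally { $store.Close() }

# Probe the gateway. The callback accepts whatever the server presents so the certificate can be
# captured; the real checks are done explicitly below, not by the callback.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($sender, $cert, $chain, $errors) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($GatewayFqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($GatewayFqdn)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $ssl.Dispose(); $tcp.Close() }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; switch to 'Online' once CRL reachability is confirmed
$chainOk = $chain.Build($serverCert)
$status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
$dnsName = $serverCert.GetNameInfo('DnsName', $false)   # SAN dNSName when present, otherwise the subject CN
$nameOk  = ($dnsName -ieq $GatewayFqdn)                  # the name RDC users type must equal the Issued to name
$now     = Get-Date
$inDate  = ($serverCert.NotBefore -le $now) -and ($serverCert.NotAfter -gt $now)

"Issued to : $dnsName (matches '$GatewayFqdn': $nameOk)"
"Issued by : $($serverCert.Issuer)"
"Valid     : $($serverCert.NotBefore) to $($serverCert.NotAfter) (in date: $inDate)"
"Chain     : $(if ($chainOk) { 'trusted' } else { "NOT trusted: $status" })"
if (-not ($nameOk -and $inDate -and $chainOk)) { exit 1 }
```

A failed chain check after a successful import usually means the gateway is presenting a certificate from a different issuer than the one you copied, or an intermediate is missing from its chain; a failed name check means users will get the certificate warning the guide's "Issued to" requirement is meant to avoid. A wildcard certificate reports its name with the asterisk, so the exact-match comparison above would need to be relaxed for one.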
Configure Remote Desktop Connection Settings
This procedure is performed on the Terminal Services client computer, under the user account that
will make the connection. Administrative rights on the TS Gateway server are not required; the
settings are saved in that user's RDP file on the client.
To configure Remote Desktop Connection settings for TS Gateway
1. Open the Remote Desktop Connection client. To open the Remote Desktop Connection
client, click Start, point to All Programs, point to Accessories, and then click Remote
Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options to expand the dialog box
and view settings.
3. On the Advanced tab, in the Connect from anywhere area, click Settings.
4. In the TS Gateway Server Settings dialog box, select the appropriate options:
Automatically detect TS Gateway server settings (default). If you select this
option, the Terminal Services client attempts to use Group Policy settings that
determine the behavior of client connections to TS Gateway servers or TS Gateway
server farms, if these settings have been configured and enabled. For more
information, see the "Using Group Policy to Manage Client Connections Through
TS Gateway" topic in the TS Gateway Help.
Use these TS Gateway server settings. If a TS Gateway server name or
TS Gateway server farm name and a logon method are not already enabled and
enforced by Group Policy, you can select this option and specify the name of the
TS Gateway server or TS Gateway server farm that you want to connect to and the
logon method to use for the connection. The name that you specify for the server
must match the name in the Issued to field of the TS Gateway server certificate. If
you create a self-signed certificate by using the Add Roles Wizard during installation
of the TS Gateway role service or by using TS Gateway Manager after installation,
specify the fully qualified domain name (FQDN) of the TS Gateway server.
Bypass TS Gateway server for local addresses. This option is selected by default.
If you want the Terminal Services client to automatically detect when TS Gateway is
required, select this check box. If you use a mobile computer, selecting this option will
optimize client connectivity performance and minimize latency because TS Gateway
will only be used when it is required. If your computer is always connected to the
local area network (LAN) or if it is hosted inside the internal network firewall,
TS Gateway will not be used. If you are outside the internal network and connecting
to the internal network over the Internet, TS Gateway will be used. If you are in a LAN,
but want to test connectivity through a TS Gateway server or
TS Gateway server farm, clear this check box. Otherwise, the client will not connect
through the TS Gateway server or TS Gateway server farm in this case.
Do not use a TS Gateway server. Select this option if your computer is always
connected to the LAN or if it is hosted inside the internal network firewall. This option
is appropriate if you know that you do not need to use TS Gateway to traverse a
firewall.
5. Do one of the following:
To save the settings and close the Remote Desktop Connection dialog box, click
Save, and then click Cancel. The settings will be saved as an RDP file (Default.rdp) in the
user's Documents folder (by default, Drive:\Users\<Username>\Documents).
To save the RDP file to a specified location (you can customize and distribute the file
later to multiple clients as needed), click Save As. In the Save as dialog box, in the
File name box, specify the file name and location, and then click Save.
To proceed with a connection to an internal network resource, click Save, click
Connect, and then proceed to Step 5 in the next procedure ("Verify that end-to-end
connectivity through TS Gateway is functioning correctly").
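As an added example, not from the guide, of the "customize and distribute the file" option in step 5, the following PowerShell function writes an RDP file that carries the TS Gateway settings from step 4 so that one file can be handed to many clients. It uses the documented Remote Desktop Connection file settings (gatewayhostname, gatewayusagemethod, gatewaycredentialssource, gatewayprofileusagemethod); the computer and gateway names in the usage call are placeholders.

```powershell
# Added example, not code from the guide: build an RDP file that pins the TS Gateway settings
# so one file can be handed to many clients. The setting names are the documented Remote
# Desktop Connection file settings; the host names in the usage call are placeholders.
function New-GatewayRdpFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$TargetComputer,   # terminal server or desktop inside the network
        [Parameter(Mandatory = $true)][string]$GatewayFqdn,      # must equal the Issued to name of the gateway certificate
        [ValidateSet('Always', 'BypassLocal', 'Never')][string]$GatewayUsage = 'BypassLocal',
        [ValidateSet('Password', 'SmartCard', 'AskLater')][string]$GatewayLogon = 'AskLater',
        [switch]$AllowDriveRedirection                             # off by default: keeps client disks off the remote host
    )

    # gatewayusagemethod: 1 = always use the gateway, 2 = bypass it for local addresses
    # (the dialog's default), 0 = do not use a TS Gateway server
    $usage = @{ Always = 1; BypassLocal = 2; Never = 0 }[$GatewayUsage]
    # gatewaycredentialssource: 0 = password (NTLM), 1 = smart card, 4 = let the user choose later
    $cred  = @{ Password = 0; SmartCard = 1; AskLater = 4 }[$GatewayLogon]
    $drives = if ($AllowDriveRedirection) { 1 } else { 0 }

    $lines = @(
        "full address:s:$TargetComputer"
        "gatewayhostname:s:$GatewayFqdn"
        "gatewayusagemethod:i:$usage"
        "gatewaycredentialssource:i:$cred"
        'gatewayprofileusagemethod:i:1'   # 1 = use these explicit settings, 0 = use the Group Policy / auto-detect profile
        'authentication level:i:2'        # warn when the remote computer's identity cannot be verified
        'prompt for credentials:i:1'
        "redirectdrives:i:$drives"
        'redirectclipboard:i:0'
    )
    # Remote Desktop Connection writes its own files as UTF-16; match that so RDC opens them unchanged
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

# Usage (placeholder names): force the gateway even from the LAN, which is what the guide
# suggests for testing, and ask for the gateway logon method at connect time
New-GatewayRdpFile -Path "$env:USERPROFILE\Documents\ts1-via-gateway.rdp" `
    -TargetComputer 'ts1.corp.contoso.com' -GatewayFqdn 'tsgw.corp.contoso.com' -GatewayUsage Always
```

Open the generated file in Remote Desktop Connection and check the Advanced tab: the gateway name and logon method should appear exactly as set, which is the quickest way to confirm the value mapping on your client version before distributing the file. If Group Policy enforces a gateway name, the policy wins over the file's gatewayhostname regardless of gatewayprofileusagemethod.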
Verify Connectivity Through TS Gateway
Use the following procedure to verify the functionality of the TS Gateway deployment.
To verify the functionality of the TS Gateway deployment
1. Open the Remote Desktop Connection client. To open the Remote Desktop Connection
client, click Start, point to All Programs, point to Accessories, and then click Remote
Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options to expand the dialog box
and view settings.
3. On the General tab, type the name of the computer (terminal server or computer running
Remote Desktop) to which you want to connect remotely through TS Gateway.
4. Click Connect.
5. In the Enter your credentials dialog box, select the user account that you want to use to
log on remotely to the computer, enter the required credentials, and then click OK.
6. In the Gateway server credentials dialog box, select the user name that you want to
use to log on to the TS Gateway server, enter the required credentials, and then click OK.
7. After a few moments, the connection completes and a connection will be established
through the TS Gateway server to the computer.
Limiting the Maximum Number of Simultaneous Connections Through TS Gateway
By default, with the exception of TS Gateway servers that are running the Windows Server 2008
Standard operating system, no limit is set for the number of simultaneous connections that clients
can make to internal network resources through a TS Gateway server. To optimize TS Gateway
server performance or to ensure compliance with the connection and security policies of your
organization, you can set a limit for the number of simultaneous connections that clients can
make to network resources through a TS Gateway server.
Note
For TS Gateway servers that are running Windows Server 2008 Standard, a maximum of
250 simultaneous connections is supported.
To limit the maximum number of allowable connections for TS Gateway
1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to
Administrative Tools, point to Terminal Services, and then click TS Gateway
Manager.
2. In the console tree, click to select the node that represents your TS Gateway server,
which is named for the computer on which the TS Gateway server is running.
3. In the console tree, expand Monitoring.
4. With the Monitoring folder selected, right-click the Monitoring folder, and then click Edit
Connection Limit.
5. On the General tab, under Maximum Connections, do one of the following:
To set a limit for the maximum number of simultaneous connections that Terminal
Services clients can make to internal network resources through TS Gateway, click
Limit maximum allowed simultaneous connections to, and then specify the
number of allowable connections.
To set no limit on the number of allowable connections between clients and internal
network resources through TS Gateway, click Allow the maximum supported
simultaneous connections. This is the default option. For TS Gateway servers that
are running Windows Server 2008 Standard, a maximum of 250 simultaneous
connections is supported.
To prevent new connections from being made between clients and internal network
resources through TS Gateway, click Disable new connections. If you select this
option, only new connection attempts will be rejected. Current connections will not be
ended by TS Gateway.
6. Click OK.
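The following PowerShell script is an added example, not from the guide, that reads the limit set by the procedure above back through the TS Gateway WMI provider, compares it with the connections currently relayed through the server, and optionally disconnects sessions that have been idle longer than a threshold. The class and property names (Win32_TSGatewayServerSettings, Win32_TSGatewayConnection, IdleTime in seconds) are those the provider documents and should be confirmed with Get-Member on your server; the idle threshold and computer name are assumptions.

```powershell
# Added example, not code from the guide. Reads the TS Gateway connection limit and the
# connections currently relayed through the server from the TS Gateway WMI provider
# (namespace root\CIMV2\TerminalServices). Class and property names are those the provider
# documents; confirm them on your server with Get-Member before relying on the output.
param(
    [string]$ComputerName = 'localhost',   # the TS Gateway server; needs local Administrators rights on it
    [int]$IdleMinutes = 120,                # assumption: your policy for idle gateway sessions
    [switch]$Disconnect                     # without this switch the script only reports
)

$ns = 'root\CIMV2\TerminalServices'
$settings = Get-WmiObject -Namespace $ns -ComputerName $ComputerName -Class Win32_TSGatewayServerSettings
$conns    = @(Get-WmiObject -Namespace $ns -ComputerName $ComputerName -Class Win32_TSGatewayConnection)

if ($settings.UnlimitedConnections) {
    # "Allow the maximum supported simultaneous connections": no administrative limit;
    # Windows Server 2008 Standard still stops at 250.
    "Active connections: $($conns.Count)  limit: none configured"
} else {
    "Active connections: $($conns.Count)  limit: $($settings.MaxConnections)"
    if ($conns.Count -ge [math]::Floor(0.9 * $settings.MaxConnections)) {
        'WARNING: within 10% of the limit; new connection attempts will be rejected once it is reached'
    }
}

foreach ($c in $conns) {
    $idle = [TimeSpan]::FromSeconds([double]$c.IdleTime)   # assumption: IdleTime is reported in seconds
    '{0,-24} {1,-15} -> {2,-24} idle {3}' -f $c.UserName, $c.ClientAddress, $c.ConnectedResource, $idle.ToString()
    if ($Disconnect -and $idle.TotalMinutes -ge $IdleMinutes) {
        # Disconnect() ends only this relayed session; the limit and other users are unaffected
        $null = $c.Disconnect()
        "  disconnected: idle for $([int]$idle.TotalMinutes) minutes"
    }
}
```

Run it without -Disconnect first and compare the listed sessions with the Monitoring node in TS Gateway Manager; once the two agree, the same script scheduled on the gateway gives you the idle-session cleanup that the connection limit alone does not provide.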
Using Group Policy to Manage Client Connections Through TS Gateway
You can use Group Policy and Active Directory Domain Services to centralize and simplify the
administration of TS Gateway Group Policy settings. You use the Local Group Policy Editor to
configure these policy settings, which are contained within Group Policy objects (GPOs). You use
the Group Policy Management Console (GPMC) to link GPOs to sites, domains, or organizational
units (OUs) in Active Directory Domain Services.
The Local Group Policy Editor operates as an extension to the GPMC. When you edit a GPO
from within the GPMC, the Local Group Policy Editor appears, displaying the policy settings for
that particular GPO. You must have editing rights on a GPO to open it in the Local Group Policy
Editor.
Important
The Default Domain Policy GPO and Default Domain Controllers Policy GPO are vital to
the health of any domain. As a best practice, you should not edit the Default Domain
Controllers Policy GPO or the Default Domain Policy GPO, except in the following cases:
If it is required that account policy settings be configured in the Default Domain GPO.
If you install applications on domain controllers that require modifications to the User Rights
or Audit policy settings, you must modify the policy settings in the Default Domain Controllers
Policy GPO.
Group Policy settings for Terminal Services client connections through TS Gateway can be
applied in one of two ways. These policy settings can be suggested (that is, they can be enabled,
but not enforced), or they can be enabled and enforced.
To suggest a policy setting for TS Gateway, enable the policy setting in Group Policy, but do not
clear the Allow users to change this setting check box. Doing this allows users on the client to
enter alternate TS Gateway connection settings. To specify alternate policy settings, users select
the Use these TS Gateway server settings option in the TS Gateway Server Settings dialog
box on the client, and then specify the alternate TS Gateway connection settings.
To enforce a policy setting for TS Gateway, enable the policy setting in Group Policy and clear the
Allow users to change this setting check box. When you do this, users cannot change the
TS Gateway connection setting, even if they select the Use these TS Gateway server settings
option on the client. For information about how to configure Terminal Services client settings, see
Configuring the Terminal Services Client for TS Gateway.
This section provides procedures for using Group Policy to manage Terminal Services client
connections to the network through TS Gateway. It includes the following topics:
Set the TS Gateway Server Authentication Method
Enable Connections Through TS Gateway
Set the TS Gateway Server Address
Set the TS Gateway Server Authentication Method
The following procedure describes how to use the Group Policy Management Console (GPMC) to
set an authentication method for Terminal Services clients that connect to internal network
resources through a TS Gateway server.
Note
To manage Group Policy on a Windows Server 2008-based domain controller, you must
first add the Group Policy Management Console feature. To do this, start Server
Manager, and then under Feature Summary, click Add Features. On the Select
Features page, select the Group Policy Management check box. Follow the on-screen
instructions to complete the installation.
To change Group Policy settings for a domain or an organizational unit (OU), you must be logged
on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy
Creator Owners group, or have been delegated the appropriate authority over Group Policy.
To set the TS Gateway server authentication method
1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click
Group Policy Management.
2. In the left pane, locate the OU that you want to edit.
3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then
click the GPO.
4. To create a new GPO, follow these steps:
a. Right-click the OU, and then click Create a GPO in this domain, and link it here.
b. In the Name box, type a name for the GPO, and then click OK.
c. In the left pane, locate and click the new GPO.
5. In the right pane, click the Settings tab.
6. Right-click User Configuration, and then click Edit.
7. In the left pane, under User Configuration, expand Administrative Templates, expand
Windows Components, expand Terminal Services, and then click TS Gateway.
8. In the right pane, in the settings list, right-click Set TS Gateway authentication method,
and then click Properties.
9. On the Setting tab, do one of the following:
Click Not Configured. The authentication method that is specified by the user is
used. If an authentication method is not specified, the NTLM protocol that is enabled
on the client or a smart card can be used for authentication.
Click Enabled, and then select the authentication method. By default, the Allow
users to change this setting check box is selected, meaning that the authentication
method setting is suggested, and that users on the client can specify an alternate
authentication method. To enforce the authentication method, clear this check box.
For information about supported Windows authentication methods for TS Gateway,
see Understanding Requirements for Connecting to a TS Gateway Server.
Click Disabled. The authentication method that is specified by the user is used. If an
authentication method is not specified, the NTLM protocol that is enabled on the
client or a smart card can be used for authentication.
10. Click OK.
Note
To configure TS Gateway Group Policy settings by using the local computer policy, use
the Local Group Policy Editor. To start the Local Group Policy Editor, click Start, click
Run, type gpedit.msc, and then click OK. To configure local Group Policy settings, you
must be a member of the Administrators group on the local computer or you must have
been delegated the appropriate authority.
Enable Connections Through TS Gateway
The following procedure describes how to use the Group Policy Management Console (GPMC) to
enable connections through TS Gateway. When this policy setting is enabled, and when Terminal
Services clients cannot connect directly to an internal network resource, the clients will attempt to
connect to the computer through the TS Gateway server that is specified in the Set TS Gateway
server address policy setting.
Note
To manage Group Policy on a Windows Server 2008-based domain controller, you must
first add the Group Policy Management Console feature. To do this, start Server
Manager, and then under Feature Summary, click Add Features. On the Select
Features page, select the Group Policy Management check box. Follow the on-screen
instructions to complete the installation.
To change Group Policy settings for a domain or an organizational unit (OU), you must be logged
on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy
Creator Owners group, or have been delegated the appropriate authority over Group Policy.
To enable connections through TS Gateway
1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click
Group Policy Management.
2. In the left pane, locate the OU that you want to edit.
3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then
click the GPO.
4. To create a new GPO, follow these steps:
a. Right-click the OU, and then click Create a GPO in this domain, and link it here.
b. In the Name box, type a name for the GPO, and then click OK.
c. In the left pane, locate and click the new GPO.
5. In the right pane, click the Settings tab.
6. Right-click User Configuration, and then click Edit.
7. In the left pane, under User Configuration, expand Administrative Templates, expand
Windows Components, expand Terminal Services, and then click TS Gateway.
8. In the right pane, in the settings list, right-click Enable connection through TS
Gateway, and then click Properties.
9. On the Settings tab, do one of the following:
Click Not Configured. Terminal Services clients will not use the TS Gateway server
address that is specified in the Set TS Gateway server address policy setting. If a
TS Gateway server is specified by the user, a client connection attempt will be made
through that TS Gateway server.
Click Enabled. When Terminal Services clients cannot connect directly to an internal
network resource, the clients will attempt to connect to the internal network resource
through the TS Gateway server that is specified in the Set TS Gateway server
address policy setting.
Click Disabled. Terminal Services clients will not use the TS Gateway server address
that is specified in the Set TS Gateway server address policy setting. If a
TS Gateway server is specified by the user, a client connection attempt will be made
through that TS Gateway server.
10. Click OK.
Note
To configure TS Gateway Group Policy settings by using the local computer policy, use
the Local Group Policy Editor. To start the Local Group Policy Editor, click Start, click
Run, type gpedit.msc, and then click OK. To configure local Group Policy settings, you
must be a member of the Administrators group on the local computer or you must have
been delegated the appropriate authority.
Set the TS Gateway Server Address
The following procedure describes how to use the Group Policy Management Console (GPMC) to
specify the TS Gateway server that Terminal Services clients use when connecting to internal
network resources through a TS Gateway server.
Note
By default, Terminal Services clients automatically detect when TS Gateway is required.
Note
To manage Group Policy on a Windows Server 2008-based domain controller, you must
first add the Group Policy Management Console feature. To do this, start Server
Manager, and then under Feature Summary, click Add Features. On the Select
Features page, select the Group Policy Management check box. Follow the on-screen
instructions to complete the installation.
To change Group Policy settings for a domain or an organizational unit (OU), you must be logged
on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy
Creator Owners group, or have been delegated the appropriate authority over Group Policy.
To set the TS Gateway server address
1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click
Group Policy Management.
2. In the left pane, locate the OU that you want to edit.
3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then
click the GPO.
4. To create a new GPO, follow these steps:
a. Right-click the OU, and then click Create a GPO in this domain, and link it here.
b. In the Name box, type a name for the GPO, and then click OK.
c. In the left pane, locate and click the new GPO.
5. In the right pane, click the Settings tab.
6. Right-click User Configuration, and then click Edit.
7. In the left pane, under User Configuration, expand Administrative Templates, expand
Windows Components, expand Terminal Services, and then click TS Gateway.
8. In the right pane, in the list of policy settings, right-click Set TS Gateway server
address, and then click Properties.
9. On the Settings tab, do one of the following:
Click Not Configured. Terminal Services clients automatically detect when
TS Gateway is required. When a connection through TS Gateway is required, the
TS Gateway server or the TS Gateway server farm specified by the user is used.
Click Enabled, and then specify a valid, fully qualified domain name (FQDN) of the
TS Gateway server or TS Gateway server farm that clients are to use when
connecting to internal network resources. The name must match the name that
appears in the Secure Sockets Layer (SSL) certificate for the TS Gateway server.
By default, the Allow users to change this setting check box is selected, meaning
that this policy setting is suggested, and users can specify an alternate TS Gateway
server or TS Gateway server farm. To enforce this policy setting so that users cannot
specify an alternate TS Gateway server or TS Gateway server farm, clear this check
box.
Click Disabled. Terminal Services clients automatically detect when TS Gateway is
required.
Important
If you disable or do not configure this policy setting, but enable the Enable
connections through TS Gateway policy setting, client connection attempts
to any internal network resource will fail, if the client cannot connect directly
to the internal network resource.
10. Click OK.
Note
To configure TS Gateway Group Policy settings by using the local computer policy, use
the Local Group Policy Editor. To start the Local Group Policy Editor, click Start, click
Run, type gpedit.msc, and then click OK. To configure local Group Policy settings, you
must be a member of the Administrators group on the local computer or you must have
been delegated the appropriate authority.
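The following PowerShell script is an added example and is not part of the Microsoft guide. It reads the client-side registry values that the Set TS Gateway server address policy setting writes and checks that the enforced gateway name matches the name on the TS Gateway server's SSL certificate, which is the mismatch the procedure above warns about. The value names GatewayHostname and GatewayProfileUsageMethod under the policy key, and the certificate name in the usage line, are assumptions; confirm the value names with the policy's Explain text or gpresult on your own systems.

```powershell
# Added example, not part of the Microsoft guide. Reads the client-side registry
# values that the "Set TS Gateway server address" policy setting writes and
# compares the enforced gateway name with the name on the gateway's SSL certificate.
# ASSUMPTION: value names GatewayHostname and GatewayProfileUsageMethod under the
# policy key below; confirm them with the policy's Explain text or gpresult
# before relying on this check. The FQDN in the usage line is a placeholder.

function Get-TsGatewayClientPolicy {
    $policyKeys = @(
        'HKCU:\Software\Policies\Microsoft\Windows NT\Terminal Services',  # User Configuration
        'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services'   # Computer Configuration
    )
    foreach ($key in $policyKeys) {
        if (-not (Test-Path -Path $key)) { continue }   # policy not configured in this scope
        $props = Get-ItemProperty -Path $key
        New-Object PSObject -Property @{
            Scope              = $key
            GatewayHostname    = $props.GatewayHostname
            ProfileUsageMethod = $props.GatewayProfileUsageMethod   # reported as stored (assumption)
        }
    }
}

function Test-TsGatewayHostname {
    param(
        [Parameter(Mandatory=$true)] [string] $CertificateName,  # subject name on the gateway's SSL certificate
        [string] $PolicyHostname                                   # value from Get-TsGatewayClientPolicy
    )
    if ([string]::IsNullOrEmpty($PolicyHostname)) {
        return 'Not configured: clients auto-detect and use the gateway the user specified'
    }
    # DNS names are case-insensitive, so compare that way; anything else is a
    # mismatch, and every connection through the gateway then fails server authentication.
    if ($PolicyHostname -ieq $CertificateName) { return 'OK: policy matches certificate' }
    return "Mismatch: policy '$PolicyHostname' vs certificate '$CertificateName'"
}

# Usage (placeholder certificate name):
Get-TsGatewayClientPolicy | ForEach-Object {
    $result = Test-TsGatewayHostname -CertificateName 'tsgateway.example.com' -PolicyHostname $_.GatewayHostname
    "{0}: hostname='{1}' usage={2} -> {3}" -f $_.Scope, $_.GatewayHostname, $_.ProfileUsageMethod, $result
}
```

Run the script on a client that has received the GPO; if neither scope prints a line, the policy is not configured there and the client falls back to automatic detection, as the Not Configured and Disabled options above describe.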
Deploying TS RemoteApp
Terminal Services RemoteApp (TS RemoteApp) is a feature that enables you to deploy
RemoteApp programs to users. RemoteApp programs are applications that are accessed
remotely through Terminal Services and appear as if they are running on the end user's local
computer. Instead of being presented to the user on the desktop of the remote terminal server,
the RemoteApp program is integrated with the client's desktop, running in its own resizable
window with its own entry in the taskbar.
Users can run RemoteApp programs side-by-side with their local programs. If a user is running
more than one RemoteApp program on the same terminal server, the RemoteApp programs
share the same Terminal Services session.
To install, configure, and manage TS RemoteApp, see the following topics:
Installation Prerequisites for TS RemoteApp
Checklist: Configuring TS RemoteApp
Checklist: Deploying RemoteApp Programs Through a File Share or Other Distribution
Mechanism
Checklist: Making RemoteApp Programs Available from the Internet
Configuring the Server That Will Host RemoteApp Programs
Adding RemoteApp Programs and Configuring Global Deployment Settings
Creating an .rdp File from a RemoteApp Program
Creating a Windows Installer Package from a RemoteApp Program
Managing RemoteApp Programs and Settings
Configuring Server Manager and Initial Tasks Not to Run in a RemoteApp Session
Deploying TS Web Access
Installation Prerequisites for TS RemoteApp
To access RemoteApp programs that are deployed as .rdp files or as Windows Installer
packages, the client computer must be running Remote Desktop Connection (RDC) 6.0 or
RDC 6.1. A supported version of the RDC client is included with Windows Server 2008 and
Windows Vista. To download RDC 6.0 for Windows Server 2003 with Service Pack 1 (SP1),
Windows Server 2003 with Service Pack 2 (SP2), or Windows XP with SP2, see article 925876 in
the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79373).
Note
RDC 6.1 (6.0.6001) supports Remote Desktop Protocol 6.1.
Client requirements
To access RemoteApp programs through TS Web Access, the client computer must be running
RDC 6.1. RDC 6.1 is included with the following operating systems:
Windows Server 2008
Windows Vista with Service Pack 1 (SP1)
Windows XP with Service Pack 3 (SP3)
Checklist: Configuring TS RemoteApp
You can make programs on a terminal server available to users through TS RemoteApp. You can
deploy RemoteApp programs to users through .rdp files or Windows Installer packages, or you
can use TS Web Access to make the programs available through a Web page.
Note
The following checklist applies to an environment where you are using a single terminal
server to host RemoteApp programs.
Task: Configure the server that will host RemoteApp programs.
Reference: Configuring the Server That Will Host RemoteApp Programs
Task: Add programs to the RemoteApp Programs list.
Reference: Add Programs to the RemoteApp Programs List
Task: Configure global deployment settings.
Reference: Configure Global Deployment Settings
Task: Configure TS Web Access if you are going to distribute RemoteApp programs through a Web page.
Reference: Checklist: Deploying RemoteApp Programs Through TS Web Access
Task: Configure RemoteApp programs if you are going to distribute them through .rdp files or Windows Installer packages.
Reference: Checklist: Deploying RemoteApp Programs Through a File Share or Other Distribution Mechanism
Task: Manage the RemoteApp Programs list (optional).
Reference: Managing RemoteApp Programs and Settings
Checklist: Deploying RemoteApp Programs Through a File Share or Other Distribution Mechanism
Instead of using TS Web Access, you can deploy RemoteApp programs through .rdp files or
Windows Installer packages that are made available through file sharing, or through other
distribution mechanisms such as Microsoft System Center Configuration Manager or Active
Directory software distribution. These methods enable you to distribute RemoteApp programs to
users without using TS Web Access.
Note
If you distribute RemoteApp programs through Windows Installer packages, you can also
configure whether the terminal server takes over client file name extensions for the
RemoteApp programs. If this is the case, a user can double-click a file where the file
name extension is associated with a RemoteApp program.
You must complete the following tasks to configure RemoteApp programs for distribution through
a file share or some other distribution mechanism. After you create .rdp files or Windows Installer
packages, you can distribute them to users.
Task: Configure the server that will host RemoteApp programs. This includes installing Terminal Server, installing programs, and verifying remote connection settings.
Reference: Configuring the Server That Will Host RemoteApp Programs
Task: Add RemoteApp programs and configure global deployment settings.
Reference: Add Programs to the RemoteApp Programs List; Configure Global Deployment Settings
Task: Create .rdp files or Windows Installer packages from RemoteApp programs.
Reference: Creating an .rdp File from a RemoteApp Program; Creating a Windows Installer Package from a RemoteApp Program
Checklist: Making RemoteApp Programs Available from the Internet
By using TS RemoteApp with TS Gateway, you can enable users to connect from the Internet to
individual programs on a terminal server without first establishing a virtual private network (VPN)
connection. Depending on the deployment method that you choose, remote users can connect to
a program by opening an .rdp file, by clicking a shortcut to a Windows Installer package on their
desktop or Start menu, or by accessing a RemoteApp program on a Web page through TS Web
Access.
This checklist shows the steps that are required to make RemoteApp programs available from the
Internet through TS Gateway. Alternatively, if you do not want to deploy TS Gateway, you can
make RemoteApp programs available through a VPN solution.
Task: Ensure that you meet the following prerequisites:
You have deployed RemoteApp programs on the terminal server.
You have successfully deployed TS Web Access in an intranet environment (if you want to make RemoteApp programs available from the Internet through TS Web Access).
Reference: Checklist: Configuring TS RemoteApp; Checklist: Deploying RemoteApp Programs Through TS Web Access
Task: Review information about TS Gateway.
Reference: TS Gateway Server Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85872)
Task: Deploy and configure TS Gateway. When you configure TS Gateway, ensure that you do the following:
Create a Terminal Services connection authorization policy (TS CAP) to define the list of user groups that can connect to the terminal servers that host the RemoteApp programs.
Create a Terminal Services resource authorization policy (TS RAP) that provides access to the terminal servers that host the RemoteApp programs. When you create the TS RAP, add the user groups that you defined in the TS CAP.
Create a new TS Gateway-managed computer group that contains both the NetBIOS names and the fully qualified domain names (FQDNs) of the terminal servers or the terminal server farm that hosts the RemoteApp programs.
Reference: TS Gateway Server Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85872); Overview of TS Gateway (http://go.microsoft.com/fwlink/?LinkId=179869); Checklist: Deploying TS Gateway; Creating a Terminal Services Connection Authorization Policy; Creating a Terminal Services Resource Authorization Policy
Task: Configure TS Gateway settings in TS RemoteApp Manager (either in the global deployment settings or when you create an .rdp file or Windows Installer package).
Reference: Configure TS Gateway Settings
Task: Ensure that existing .rdp files or Windows Installer packages were created with the correct TS Gateway settings if you want to use them to access RemoteApp programs over the Internet. If they were not, you must create new files with the correct settings, and then distribute them to users.
Reference: Creating an .rdp File from a RemoteApp Program; Creating a Windows Installer Package from a RemoteApp Program
Task: Configure firewall and authentication settings if you want to allow Internet access to RemoteApp programs through TS Web Access.
Reference: Configure the TS Web Access Server to Allow Access from the Internet
Configuring the Server That Will Host RemoteApp Programs
Before you can deploy RemoteApp programs to users, you must configure the server to host
RemoteApp programs. You must make sure that the Terminal Server role service is installed,
install programs on the server, and verify remote connection settings. This process includes the
following procedures:
Install the Terminal Server role service
Install programs on the terminal server
Verify remote connection settings
To perform these procedures, you must be a member of the Administrators group on the
terminal server.
Install the Terminal Server role service
To use TS RemoteApp, the Terminal Server role service must be installed. The TS RemoteApp
feature is automatically installed as part of the Terminal Server role service. For more information,
see Install the Terminal Server Role Service.
Install programs on the terminal server
We recommend that you install programs on the terminal server after you install the Terminal
Server role service. If you install a program from a Windows Installer package, the program
automatically installs in Terminal Server Install mode. If you are installing from another kind of
setup package, use either of the following methods to put the server into Install mode:
To install the program, use the Install Application on Terminal Server option in Control
Panel.
Before you install a program, run the change user /install command from the command line.
After the program is installed, run the change user /execute command to exit from Install
mode.
If you have programs that are related or have dependencies, we recommend that you install the
programs on the same terminal server. For example, we recommend that you install Microsoft
Office as a suite instead of installing individual Office programs on separate terminal servers.
You should consider putting individual programs on separate terminal servers in the following
circumstances:
The program has compatibility issues that may affect other programs.
A single program and the number of associated users may fill server capacity.
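The following PowerShell script is an added example and is not part of the Microsoft guide. It wraps a setup program that is not a Windows Installer package in the change user /install and change user /execute commands named above, confirms with change user /query that the server really entered Install mode before setup runs, and returns the server to Execute mode even if setup fails. The setup path and arguments are placeholders.

```powershell
# Added example, not part of the Microsoft guide. Runs a non-Windows-Installer
# setup program on the terminal server in Install mode and always returns the
# server to Execute mode afterwards. Uses only the built-in change.exe commands
# the guide names (change user /install, /execute) plus change user /query.
# ASSUMPTION: the setup program and its arguments are placeholders.

function Get-TerminalServerUserMode {
    # change user /query prints a sentence such as
    # "Application INSTALL mode is enabled." or "Application EXECUTE mode is enabled."
    $text = (& change user /query) -join ' '
    if ($text -match '(?i)\binstall\b') { return 'Install' }
    if ($text -match '(?i)\bexecute\b') { return 'Execute' }
    return "Unknown: $text"
}

function Install-ProgramInTsInstallMode {
    param(
        [Parameter(Mandatory=$true)] [string] $SetupPath,   # placeholder, e.g. a vendor setup.exe
        [string[]] $SetupArguments = @()
    )
    if (-not (Test-Path -LiteralPath $SetupPath)) {
        throw "Setup program not found: $SetupPath"
    }

    & change user /install | Out-Null
    if ((Get-TerminalServerUserMode) -ne 'Install') {
        # Do not run setup at all if the mode switch failed; per-user settings
        # would not be captured for other users' sessions.
        throw 'Could not switch the terminal server to Install mode; refusing to run setup.'
    }

    try {
        $startArgs = @{ FilePath = $SetupPath; Wait = $true; PassThru = $true }
        if ($SetupArguments.Count -gt 0) { $startArgs['ArgumentList'] = $SetupArguments }
        $proc = Start-Process @startArgs
        return $proc.ExitCode
    }
    finally {
        # Always leave the server in Execute mode, whether setup succeeded or not.
        & change user /execute | Out-Null
    }
}

# Usage (placeholder path and switch):
# $exitCode = Install-ProgramInTsInstallMode -SetupPath 'C:\Installers\setup.exe' -SetupArguments @('/quiet')
# "Setup exit code: $exitCode; server mode now: $(Get-TerminalServerUserMode)"
```

Run the script in an elevated session on the terminal server itself. Windows Installer packages do not need this wrapper, because the guide notes that they install in Terminal Server Install mode automatically.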
Verify remote connection settings
By default, remote connections are enabled after you install the Terminal Server role service. You
can use the following procedure to add users and groups that need to connect to the terminal
server, and to verify or change remote connection settings.
To verify remote connection settings
1. Start the System tool. To do this, click Start, click Run, type control system in the Open
box, and then click OK.
2. Under Tasks, click Remote settings.
3. In the System Properties dialog box, on the Remote tab, ensure that the Remote
Desktop connection setting is configured correctly, depending on your environment. You
can select either of the following options:
Allow connections from computers running any version of Remote Desktop
(less secure)
Allow connections only from computers running Remote Desktop with Network
Level Authentication (more secure)
For more information about the two options, on the Remote tab, click the Help me
choose link.
4. To add the users and groups that need to connect to the terminal server by using Remote
Desktop, click Select Users, and then click Add.
The users and groups that you add are added to the Remote Desktop Users group.
Note
Members of the local Administrators group can connect even if they are not
listed.
5. When you are finished, click OK to close the System Properties dialog box.
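The following PowerShell script is an added example and is not part of the Microsoft guide. It audits the settings the procedure above configures through the System tool: whether remote connections are enabled, whether the Network Level Authentication option is in force, and who is in the Remote Desktop Users group. It reads the fDenyTSConnections and UserAuthentication registry values that back the Remote tab and parses the output of net localgroup; the group-membership check for broad built-in groups is the editor's addition.

```powershell
# Added example, not part of the Microsoft guide. Audits the remote connection
# settings that the System tool's Remote tab configures: remote connections
# on/off, the Network Level Authentication option, and Remote Desktop Users.
# Registry values: fDenyTSConnections (1 = connections denied) and
# UserAuthentication (1 = NLA required) are the values behind the Remote tab.

function Get-RemoteConnectionSettings {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    $deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    # Remote Desktop Users membership, as shown by Select Users in the System tool.
    # 'net localgroup' lists members between the dashed line and the final status line.
    $raw = & net localgroup 'Remote Desktop Users'
    $members = @()
    $inList = $false
    foreach ($line in $raw) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $members += $line.Trim() }
    }

    New-Object PSObject -Property @{
        RemoteDesktopEnabled     = ($deny -eq 0)
        NetworkLevelAuthRequired = ($nla -eq 1)     # the "more secure" option on the Remote tab
        RemoteDesktopUsers       = $members         # local Administrators can connect even if not listed
    }
}

function Test-RemoteConnectionSettings {
    param([bool] $RequireNla = $true)
    $s = Get-RemoteConnectionSettings
    $findings = @()
    if (-not $s.RemoteDesktopEnabled) {
        $findings += 'Remote Desktop is disabled; RemoteApp connections to this server will fail.'
    }
    if ($RequireNla -and -not $s.NetworkLevelAuthRequired) {
        $findings += 'NLA is not required: computers running any version of Remote Desktop may connect (the "less secure" option).'
    }
    $broad = @($s.RemoteDesktopUsers | Where-Object { $_ -match 'Everyone|Authenticated Users|Domain Users' })
    if ($broad.Count -gt 0) {
        $findings += "Remote Desktop Users contains broad groups ($($broad -join ', ')); restrict it to the users who need the RemoteApp programs."
    }
    return $findings
}

# Usage: an empty result means all checks passed.
Test-RemoteConnectionSettings -RequireNla $true
```

Set -RequireNla to $false only where clients that cannot use Network Level Authentication (the Windows Server 2003 with SP1 and Windows XP with SP2 clients mentioned under Installation Prerequisites) must still connect.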
Adding RemoteApp Programs and Configuring Global Deployment Settings
After you have prepared the terminal server to host RemoteApp programs, you can use
TS RemoteApp Manager to do the following:
Add Programs to the RemoteApp Programs List
Configure Global Deployment Settings
In TS RemoteApp Manager, you can also delete or modify RemoteApp programs, import
RemoteApp programs and settings from another terminal server, or export RemoteApp programs
and settings to another terminal server. For more information, see Managing RemoteApp
Programs and Settings.
Add Programs to the RemoteApp Programs List
To make a RemoteApp program available to users through any distribution mechanism, you must
add the program to the RemoteApp Programs list. By default, programs that you add to the list
are configured to be available through TS Web Access.
To add a program to the RemoteApp Programs list
1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools,
point to Terminal Services, and then click TS RemoteApp Manager.
2. In the Actions pane, click Add RemoteApp Programs.
3. On the Welcome to the RemoteApp Wizard page, click Next.
4. On the Choose programs to add to the RemoteApp Programs list page, select the
check box next to each program that you want to add to the RemoteApp Programs list.
You can select multiple programs.
Note
The programs that are shown on the Choose programs to add to the
RemoteApp Programs list page are the programs that are found on the All
Users Start menu on the terminal server. If the program that you want to add to
the RemoteApp Programs list is not in the list on that page, click Browse, and
then specify the location of the program's .exe file.
5. To configure the properties for a RemoteApp program, click the program name, and then
click Properties. You can configure the following:
The program name that will appear to users. To change the name, type a new name
in the RemoteApp program name box.
The path of the program executable file. To change the path, type the new path in the
Location box, or click Browse to locate the .exe file.
Note
You can use system environment variables in the path name. For example,
you can substitute %windir% for the explicit path of the Windows folder (such
as C:\Windows). You cannot use per user environment variables.
The alias for the RemoteApp program. The alias is a unique identifier for the program
that defaults to the program's file name (without the extension). We recommend that
you do not change this name.
Whether the RemoteApp program is available through TS Web Access. By default,
the RemoteApp program is available through TS Web Access setting is enabled.
To change the setting, select or clear the check box.
Whether command-line arguments are allowed, not allowed, or whether to always
use the same command-line arguments.
The program icon that will be used. To change the icon, click Change Icon.
6. When you are finished configuring program properties, click OK, and then click Next.
7. On the Review Settings page, review the settings, and then click Finish.
The programs that you selected should appear in the RemoteApp Programs list.
Configure Global Deployment Settings
You can configure global deployment settings that apply to all RemoteApp programs that appear
in the RemoteApp Programs list. These settings apply to any RemoteApp program that you make
available through TS Web Access. Additionally, these settings are used as the default settings if
you create .rdp files or Windows Installer packages from any of the listed RemoteApp programs.
Note
Any changes to deployment settings that you make when you use TS RemoteApp
Manager to create .rdp files or Windows Installer packages override the global settings.
These global deployment settings include:
Configure Terminal Server Settings
Configure TS Gateway Settings
Configure Common RDP Settings (Optional)
Configure Custom RDP Settings (Optional)
Configure Digital Signature Settings (Optional)
Configure Terminal Server Settings
To define how users will connect to the terminal server (or terminal server farm) to access
RemoteApp programs, you can configure terminal server deployment settings.
To configure terminal server settings
1. In the Actions pane of TS RemoteApp Manager, click Terminal Server Settings. (Or, in
the Overview pane, next to Terminal Server Settings, click Change.)
2. On the Terminal Server tab, under Connection settings, accept or modify the server or
farm name, the RDP port number, and server authentication settings.
Important
If the Require server authentication check box is selected, consider the
following:
If any client computers are running Windows Server 2003 with SP1 or Windows XP
with SP2, you must configure the terminal server to use a Secure Sockets Layer
(SSL) certificate. (You cannot use a self-signed certificate.)
If the RemoteApp program is for intranet use, and all client computers are running
either Windows Server 2008 or Windows Vista, you do not have to configure the
terminal server to use an SSL certificate. In this case, Network Level Authentication is
used.
3. To provide a link to the full terminal server desktop through TS Web Access, under
Remote desktop access, select the Show a remote desktop connection to this
terminal server in TS Web Access check box.
4. Under Access to unlisted programs, choose either of the following:
Do not allow users to start unlisted programs on initial connection
(recommended)
To help protect against malicious users, or a user unintentionally starting a program
from an .rdp file on initial connection, we recommend that you select this setting.
Important
This setting does not prevent users from starting unlisted programs remotely
after they connect to the terminal server by using the RemoteApp program.
For example, if Microsoft Word is in the RemoteApp Programs list and
Microsoft Internet Explorer® is not, if a user starts a remote Word session,
and then clicks a hyperlink in a Word document, they can start Internet
Explorer.
Allow users to start both listed and unlisted programs on initial connection
Caution
If you choose this option, users can start any program remotely from an .rdp
file on initial connection, not just those programs in the RemoteApp
Programs list. To help protect against malicious users, or a user
unintentionally starting a program from an .rdp file, we recommend that you
do not select this setting.
5. When you finish, click OK.
Configure TS Gateway Settings
To define whether users will connect to the terminal server across a firewall through TS Gateway,
you can configure TS Gateway deployment settings. For more information about TS Gateway,
see the TS Gateway Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85872).
To configure TS Gateway settings
1. In the Actions pane of TS RemoteApp Manager, click TS Gateway Settings. (Or, in the
Overview pane, next to TS Gateway Settings, click Change.)
2. On the TS Gateway tab, configure the desired TS Gateway behavior. You can configure
whether to automatically detect TS Gateway server settings, to use TS Gateway server
settings that you specify, or to not use a TS Gateway server.
If you select Automatically detect TS Gateway server settings, the client tries to use
Group Policy settings to determine the behavior of client connections to TS Gateway.
Note
For more information about client Group Policy settings, see Using Group Policy
to Manage Client Connections Through TS Gateway.
If you select Use these TS Gateway server settings, do the following:
a. Configure the TS Gateway server name and the logon method.
Important
The server name must match what is specified in the SSL certificate for the
TS Gateway server.
b. If you want the connection to try to use the same user credentials to access both the
TS Gateway server and the terminal server, select the Use the same user
credentials for TS Gateway and terminal server check box. However, users may
still receive two prompts for credentials if conflicting credentials exist from any source
such as Group Policy settings, and those credentials do not work. They may also
receive two prompts for credentials if default credentials are used for the connection
and those credentials do not work.
c. If you want the client computer to automatically detect when TS Gateway is required,
select the Bypass TS Gateway server for local addresses check box. (Selecting
this option optimizes client performance.)
To always use a TS Gateway server for client connections, clear the Bypass TS
Gateway server for local addresses check box.
3. When you finish, click OK.
Configure Common RDP Settings (Optional)
You can specify common Remote Desktop Protocol (RDP) settings for RemoteApp connections,
such as device and resource redirection and some user display settings. These settings apply
when a user connects to a RemoteApp program through TS Web Access, or when you create
an .rdp file or a Windows Installer package from an existing RemoteApp program.
To configure common RDP settings
1. In the Overview pane of TS RemoteApp Manager, next to RDP Settings, click Change.
2. Under Devices and resources, configure which devices and resources on the client
computer you want to make available in the remote session.
3. Under User experience, choose whether to enable font smoothing and the desired color
depth.
4. When you are finished, click Apply.
Note
To configure additional RDP settings, such as audio redirection, click the Custom
RDP Settings tab. For more information, see Configure Custom RDP Settings
(Optional).
5. To close the RemoteApp Deployment Settings dialog box, click OK.
Note
If you do not sign .rdp files with a digital signature, or if you sign .rdp files with a digital
signature that clients do not recognize (such as a certificate from a private certification
authority), the client computer may override some redirection settings that you specify in
TS RemoteApp Manager. For example, if you enable all the redirection settings on the
Common RDP Settings tab, and a user connects to an .rdp file that is not signed, disk
drives and supported Plug and Play devices are not redirected automatically. These
devices and resources are only redirected if the user enables these redirection settings in
the RemoteApp warning dialog box that appears when they try to connect. This default
behavior helps reduce potential security vulnerabilities. (Note that the same behavior
occurs if you enable serial port redirection on the Custom RDP Settings tab.)
Configure Custom RDP Settings (Optional)
You can specify custom RDP settings for RemoteApp connections, such as audio redirection.
These settings apply when a user connects to a RemoteApp program through TS Web Access, or
when you create a Windows Installer package or .rdp file from an existing RemoteApp program.
Note
You can use custom RDP settings to configure the working directory for RemoteApp
programs. By default, the working directory for a RemoteApp program is the same
location as the program executable file. If you configure the working directory as a
custom RDP setting, the setting applies to all RemoteApp programs that are available
through TS Web Access, and to any .rdp files or Windows Installer packages that you
create from a RemoteApp program. If you want to customize the working directory for
RemoteApp programs that you plan to distribute as .rdp files or Windows Installer
packages, you can add the working directory as a custom RDP setting, create the files
from the RemoteApp programs, and then clear the working directory custom RDP setting.
To specify custom RDP settings
1. In the Overview pane of TS RemoteApp Manager, next to RDP Settings, click Change.
2. On the Custom RDP Settings tab, type or copy the custom RDP settings that you want
to use into the Custom RDP settings box.
To copy settings from an existing .rdp file, open the file in a text editor such as Notepad,
and then copy the desired settings.
Important
You cannot override settings that are available in the global deployment settings
in TS RemoteApp Manager. If you do so, you will be prompted to remove those
settings when you click Apply.
To create an .rdp file to copy the settings from, follow these steps:
a. Open the RDC client, and then click Options.
b. Configure the settings that you want, such as audio redirection.
c. When you are finished, on the General tab, click Save As, and then save the .rdp
file.
d. Open the .rdp file in Notepad, and then copy the desired settings into the Custom
RDP settings box on the Custom RDP Settings tab.
3. When you have finished adding the settings that you want, click Apply.
4. If the Error with Custom RDP Settings dialog box appears, do the following:
a. Click Remove to automatically remove the settings that are not valid or cannot be
overridden, or click OK to remove the settings manually.
b. After the settings are removed, click Apply again.
5. To close the RemoteApp Deployment Settings dialog box, click OK.
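The following PowerShell script is an added example and is not part of the Microsoft guide. It parses the name:type:value lines of an .rdp file (the same text you copy from Notepad into the Custom RDP settings box) and reports the redirection settings together with whether the file carries a signature, which is the combination the note under Configure Common RDP Settings describes: in an unsigned file, drive, Plug and Play and serial port redirection are not applied automatically but left for the user to decide. The sample .rdp text is constructed for the example; the setting names (drivestoredirect, devicestoredirect, redirectcomports, signscope, signature and so on) are standard .rdp file keys.

```powershell
# Added example, not part of the Microsoft guide. Parses .rdp settings text and
# reports redirection settings plus whether the file is digitally signed.
# The sample below is CONSTRUCTED for this example; the keys are standard .rdp keys.

$SampleRdp = @'
full address:s:ts01.example.com:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||wordpad
alternate shell:s:rdpinit.exe
drivestoredirect:s:*
devicestoredirect:s:*
redirectcomports:i:1
redirectclipboard:i:1
audiomode:i:0
gatewayhostname:s:tsgateway.example.com
gatewayusagemethod:i:2
'@

function ConvertFrom-RdpText {
    param([Parameter(Mandatory=$true)] [string] $Text)
    $settings = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # Each line is name:type:value; type is s (string), i (integer) or b (binary).
        # The value itself may contain ':' (for example host:port), so only the
        # first two separators are significant.
        if ($line -match '^([^:]+):([sib]):(.*)$') {
            $name = $Matches[1].Trim().ToLowerInvariant()
            if ($Matches[2] -eq 'i') { $settings[$name] = [int]$Matches[3] }
            else                     { $settings[$name] = $Matches[3] }
        }
    }
    return $settings
}

function Get-RdpRedirectionReport {
    param([Parameter(Mandatory=$true)] [hashtable] $Settings)
    $report = New-Object PSObject -Property @{
        Signed        = ($Settings.ContainsKey('signature') -and $Settings.ContainsKey('signscope'))
        DriveRedirect = $Settings['drivestoredirect']      # '*' = all drives, '' = none
        PnpRedirect   = $Settings['devicestoredirect']     # supported Plug and Play devices
        SerialPorts   = ($Settings['redirectcomports'] -eq 1)
        Clipboard     = ($Settings['redirectclipboard'] -eq 1)
        Audio         = ($Settings['audiomode'] -eq 0)     # 0 = play on the client
        Gateway       = $Settings['gatewayhostname']
    }
    # Per the guide's note: in an unsigned file, drive, Plug and Play and serial
    # port redirection are not applied automatically; the user is prompted instead.
    $prompted = (-not $report.Signed) -and
                ([bool]$report.DriveRedirect -or [bool]$report.PnpRedirect -or $report.SerialPorts)
    $report | Add-Member -MemberType NoteProperty -Name PromptedOnClient -Value $prompted
    return $report
}

# Usage with the constructed sample (replace $SampleRdp with Get-Content of a real file):
$parsed = ConvertFrom-RdpText -Text $SampleRdp
Get-RdpRedirectionReport -Settings $parsed | Format-List
```

For the constructed sample, Signed is False and PromptedOnClient is True, because the file requests drive, device and serial port redirection but carries no signscope and signature lines. Running the parser over the text you intend to paste into the Custom RDP settings box also shows which keys duplicate global deployment settings, which the Important note above says TS RemoteApp Manager will ask you to remove.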
Configure Digital Signature Settings (Optional)
You can use a digital signature to sign .rdp files that are used for RemoteApp connections to the
terminal server. This includes the .rdp files that are used for connections through TS Web Access
to RemoteApp programs on the terminal server and to the terminal server desktop.
Important
To connect to a RemoteApp program by using a digitally signed .rdp file, the client must
be running Remote Desktop Connection (RDC) 6.1. The RDC 6.1 (6.0.6001) client
supports Remote Desktop Protocol 6.1.
If you use a digital certificate, the cryptographic signature on the connection file provides
verifiable information about your identity as its publisher. This enables clients to recognize your
organization as the source of the RemoteApp program or the remote desktop connection, and
allows the clients to make more informed trust decisions about whether to start the connection.
This helps protect against the use of .rdp files that were altered by a malicious user.
You can sign .rdp files that are used for RemoteApp connections by using a Server Authentication
certificate (SSL certificate) or a Code Signing certificate. You can obtain SSL and Code Signing
certificates from public certification authorities (CAs) or from an enterprise CA in your public key
infrastructure hierarchy.
If you already use an SSL certificate for terminal server or TS Gateway connections, you can use
the same certificate to sign .rdp files. However, if users will connect to RemoteApp programs from
public or home computers, you must use either of the following:
A certificate from a public certification authority (CA) that participates in the Microsoft Root
Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547)
An enterprise CA-issued certificate that is co-signed by a public CA that participates in the
Microsoft Root Certification Program Members program
To configure the digital certificate to use
1. In the Actions pane of TS RemoteApp Manager, click Digital Signature Settings. (Or, in
the Overview pane, next to Digital Signature Settings, click Change.)
2. Select the Sign with a digital certificate check box.
3. In the Digital certificate details box, click Change.
4. In the Select Certificate dialog box, select the certificate that you want to use, and then
click OK.
Note
The Select Certificate dialog box is populated by certificates that are located in
the local computer's certificates store or in your personal certificate store. The
certificate that you want to use must be located in one of these stores.
Using Group Policy settings to control client behavior when opening a digitally signed .rdp file
You can use Group Policy settings to configure clients to always trust RemoteApp programs from
a particular publisher. You can also configure whether clients will block RemoteApp programs and
remote desktop connections from external or unknown sources. By using these policy settings,
you can reduce the number and complexity of security decisions that users face. This reduces the
chances of inadvertent user actions that may lead to security vulnerabilities.
The relevant Group Policy settings are located in the Local Group Policy Editor at the following
location, in the Computer Configuration node and in the User Configuration node:
Administrative Templates\Windows Components\Terminal Services\Remote Desktop
Connection Client
The available policy settings include the following:
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate
thumbprints that represent trusted .rdp file publishers. If you enable this policy setting, any
certificate with a SHA1 thumbprint that matches a thumbprint on the list is trusted.
Allow .rdp files from valid publishers and user’s default .rdp settings
This policy setting allows you to specify whether users can run .rdp files from a publisher that
signed the file with a valid certificate. This policy setting also controls whether the user can
start an RDP session by using default .rdp settings, such as when a user directly opens the
RDC client without specifying an .rdp file.
Allow .rdp files from unknown publishers
This policy setting allows you to specify whether users can run unsigned .rdp files and .rdp
files from unknown publishers on the client computer.
Important
To use these Group Policy settings, the client computer must be running RDC 6.1.
For more information about these policy settings, view the Group Policy Explain text in the Local
Group Policy Editor.
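The following PowerShell script is an added example and is not part of the Microsoft guide. It derives the SHA1 thumbprint that the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers policy setting expects from the signing certificate itself, and compares it with the thumbprints currently applied on a client, so the value you type into the policy is never hand-copied. The registry value name TrustedCertThumbprints under the policy key, its comma-separated format, and the certificate file path are assumptions; confirm the value name against the Group Policy Explain text on your own systems.

```powershell
# Added example, not part of the Microsoft guide. Computes the SHA1 thumbprint
# of the .rdp signing certificate and checks it against the thumbprints the
# trusted-publishers policy currently applies on this client.
# ASSUMPTION: the policy stores its list as a comma-separated string named
# TrustedCertThumbprints under the policy key below. The .cer path is a placeholder.

function Get-RdpPublisherThumbprint {
    param([Parameter(Mandatory=$true)] [string] $CertificatePath)   # .cer/.crt, public part only
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath
    # .Thumbprint is the SHA-1 hash of the DER-encoded certificate as upper-case
    # hex without spaces, which is the form the policy setting expects.
    return $cert.Thumbprint
}

function Get-TrustedRdpPublisherPolicy {
    $policyKeys = @(
        'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services',   # Computer Configuration
        'HKCU:\Software\Policies\Microsoft\Windows NT\Terminal Services'    # User Configuration
    )
    foreach ($key in $policyKeys) {
        $value = (Get-ItemProperty -Path $key -Name TrustedCertThumbprints -ErrorAction SilentlyContinue).TrustedCertThumbprints
        if ($value) {
            # Normalise to the same form as X509Certificate2.Thumbprint before comparing.
            $value -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() } | Where-Object { $_ }
        }
    }
}

function Test-RdpPublisherTrusted {
    param([Parameter(Mandatory=$true)] [string] $Thumbprint)
    if ($Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        throw "Not a SHA-1 thumbprint (40 hex digits expected): $Thumbprint"
    }
    $trusted = @(Get-TrustedRdpPublisherPolicy)
    return ($trusted -contains $Thumbprint.ToUpperInvariant())
}

# Usage (placeholder certificate path):
# $tp = Get-RdpPublisherThumbprint -CertificatePath 'C:\certs\rdp-signing.cer'
# "Thumbprint $tp trusted by policy: $(Test-RdpPublisherTrusted -Thumbprint $tp)"
```

Use the certificate's public part exported from the store the Select Certificate dialog box reads (the local computer's or your personal store); the thumbprint does not depend on the private key. A client on which Test-RdpPublisherTrusted returns False will still show the publisher warning for signed files unless the Allow .rdp files from valid publishers setting admits the certificate's chain.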
Creating an .rdp File from a RemoteApp Program
You can use the RemoteApp Wizard to create an .rdp file from any program in the RemoteApp
Programs list.
To create an .rdp file
1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools,
point to Terminal Services, and then click TS RemoteApp Manager.
2. In the RemoteApp Programs list, click the program that you want to create an .rdp file
for. To select multiple programs, press and hold the CTRL key when you click each
program name.
3. In the Actions pane for the program or selected programs, click Create .rdp file.
Note
If you selected multiple programs, the settings described in the rest of this
procedure apply to all of the selected programs. A separate .rdp file is created for
each program.
4. On the Welcome to the Remote App Wizard page, click Next.
5. On the Specify Package Settings page, do the following:
a. In the Enter the location to save the packages box, accept the default location or
click Browse to specify a new location to save the .rdp file.
b. In the Terminal server settings area, click Change to modify the terminal server or
farm name, the RDP port number, and the Require server authentication setting.
(For more information about these settings, see Configure Terminal Server Settings.)
When you finish, click OK.
c. In the TS Gateway settings area, click Change to modify or to configure whether
clients will use a TS Gateway server to connect to the target terminal server across a
firewall. (For more information about these settings, see Configure TS Gateway
Settings.) When you finish, click OK.
d. To digitally sign the .rdp file, in the Certificate Settings section, click Change to
select or to change the certificate to use. Select the certificate that you want to use,
and then click OK. (For more information about these settings, see Configure Digital
Signature Settings (Optional).)
6. When you finish, click Next.
7. On the Review Settings page, click Finish.
When the wizard is finished, the folder where the .rdp file was saved opens in a new
window. You can confirm that the .rdp file was created.
Creating a Windows Installer Package from a RemoteApp Program
You can use the RemoteApp Wizard to create a Windows Installer (.msi) package from any
program in the RemoteApp Programs list.
To create a Windows Installer package
1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools,
point to Terminal Services, and then click TS RemoteApp Manager.
2. In the RemoteApp Programs list, click the program that you want to create a Windows
Installer package for. To select multiple programs, press and hold the CTRL key when
you click each program name.
3. In the Actions pane for the program or selected programs, click Create Windows
Installer package.
Note
If you selected multiple programs, the settings described in the rest of this
procedure apply to all of the selected programs. A separate Windows Installer
package is created for each program.
4. On the Welcome to the RemoteApp Wizard page, click Next.
5. On the Specify Package Settings page, do the following:
a. In the Enter the location to save the packages box, accept the default location or
click Browse to specify a new location to save the Windows Installer package.
b. In the Terminal server settings area, click Change to modify the terminal server or
farm name, the RDP port number, and the Require server authentication setting.
(For more information about these settings, see Configure Terminal Server Settings.)
When you finish, click OK.
c. In the TS Gateway settings area, click Change to modify or to configure whether
clients will use a TS Gateway server to connect to the target terminal server across a
firewall. (For more information about these settings, see Configure TS Gateway
Settings.) When you finish, click OK.
d. To digitally sign the file, in the Certificate Settings section, click Change to select or
to change the certificate to use. Select the certificate that you want to use, and then
click OK. (For more information about these settings, see Configure Digital Signature
Settings (Optional).)
6. When you finish, click Next.
7. On the Configure Distribution Package page, do the following:
a. In the Shortcut icons area, specify where the shortcut icon for the program will
appear on client computers.
b. In the Take over client extensions area, configure whether to take over client file
name extensions for the program.
If you associate the file name extensions on the client computer with the RemoteApp
program, all file name extensions that are handled by the program on the terminal
server will also be associated on the client computer with the RemoteApp program.
For example, if you add Microsoft Word as a RemoteApp program, and you configure
the option to take over client file name extensions, any file name extensions on the
client computer that Word takes over will be associated with Remote Word. This
means that any existing program on the client computer will no longer handle file
name extensions such as .doc and .dot. Note that users are not prompted whether
the terminal server should take over file extensions for the program.
To view what file name extensions are associated with a program on the terminal
server, click Start, click Control Panel, and then double-click Default Programs.
Click Associate a file type or protocol with a program to view the file name
extensions and their default associated program.
Caution
Do not install Windows Installer packages that were created with this setting
enabled on the terminal server itself. If you do, clients that use the Windows
Installer package may not be able to start the associated RemoteApp
program.
8. After you have configured the properties of the distribution package, click Next.
9. On the Review Settings page, click Finish.
When the wizard is finished, the folder where the Windows Installer package was saved
opens in a new window. You can confirm that the Windows Installer package was
created.
Managing RemoteApp Programs and Settings
In TS RemoteApp Manager, you can make changes to an existing RemoteApp program, or you
can remove the program from the list. Additionally, you can export or import the RemoteApp
Programs list and the global deployment settings to or from another terminal server. This section
includes the following topics:
Change or Delete a RemoteApp Program
Export or Import RemoteApp Programs and Settings
Change or Delete a RemoteApp Program
After you have added a program to the RemoteApp Programs list, you can change the
deployment settings for all RemoteApp programs, change the properties of a single RemoteApp
program, or delete the RemoteApp program from the list.
To change or delete a RemoteApp program
To change deployment settings for all RemoteApp programs, in the Actions pane of
TS RemoteApp Manager, click Terminal Server Settings, TS Gateway Settings, or
Digital Signature Settings. (Or, click one of the Change options in the Overview pane.
You can also change custom RDP settings in the Overview pane.)
Important
If you make any changes, the changes do not affect .rdp files or Windows
Installer packages that you already created by using TS RemoteApp Manager.
To change the properties of a single RemoteApp program, click the program in the
RemoteApp Programs list, and then in the Actions pane for the program, click
Properties.
Note
You cannot change the properties of an existing .rdp file or Windows Installer
package by using TS RemoteApp Manager. Instead, you must click Create .rdp
File or Create Windows Installer Package in the Actions pane to create a
new .rdp file or Windows Installer package that has the desired properties.
To change whether the RemoteApp program is available from TS Web Access, click the
program, and then in the Actions pane, click Show in TS Web Access or Hide in TS
Web Access.
To delete a program in the RemoteApp Programs list, click the RemoteApp program, and
then in the Actions pane for the program, click Remove. Click Yes to confirm the
deletion.
Note
When you delete a program in the RemoteApp Programs list, any .rdp files or
Windows Installer packages that you created from the RemoteApp program are
not deleted.
Export or Import RemoteApp Programs and Settings
You can copy the RemoteApp Programs list and deployment settings from one terminal server to
another terminal server. This allows you to configure multiple terminal servers identically to host
RemoteApp programs, such as in a terminal server farm.
To export the RemoteApp Programs list and deployment settings
1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools,
point to Terminal Services, and then click TS RemoteApp Manager.
2. In the Actions pane, click Export RemoteApp Settings.
3. Select either of the following options:
Export the RemoteApp Programs list and settings to another terminal server
If you select this option, in the Terminal server name box, enter the name of the
terminal server that you want to export the settings to, and then click OK. (For the
export operation to succeed, the source terminal server must have Windows
Management Instrumentation (WMI) access to the target terminal server.)
Important
When you click OK, the RemoteApp Programs list and deployment settings
will be automatically overwritten on the target terminal server.
Export the RemoteApp Programs list and settings to a file
If you select this option, click OK. In the Save As dialog box, specify a location to
save the .tspub file, and then click Save.
To import the RemoteApp Programs list and deployment settings
1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools,
point to Terminal Services, and then click TS RemoteApp Manager.
2. In the Actions pane, click Import RemoteApp Settings.
3. Select either of the following options:
Import the RemoteApp Programs list and settings from another terminal server
If you select this option, in the Terminal server name box, enter the name of the
terminal server that you want to import the settings from, and then click OK. The
settings are imported directly into TS RemoteApp Manager. (For the import operation
to succeed, the source terminal server must have WMI access to the target terminal
server.)
Import the RemoteApp Programs list and settings from a file
If you select this option, click OK. In the Open dialog box, locate and then click
the .tspub file that you want to import, and then click Open.
If you import a configuration, and the target terminal server does not have a program in the
RemoteApp Programs list installed or the program is installed in a different folder, the program
will appear in the RemoteApp Programs list. However, the name will be displayed with
strikethrough text.
Note
Only the RemoteApp Programs list and deployment settings are exported or imported.
Any .rdp files or Windows Installer packages that were created from the programs are not
exported or imported. You must create new .rdp files or Windows Installer packages on
each terminal server unless the server is a member of a terminal server farm. If you
specified a farm name when you created the .rdp files or Windows Installer packages,
and the server where you want to copy the files is a member of the same terminal server
farm, you can manually copy the files.
Configuring Server Manager and Initial Tasks Not to Run in a RemoteApp Session
If a user has administrative access to the terminal server where the RemoteApp programs are
installed, when the user starts a RemoteApp program, the Server Manager tool and Initial
Configuration Tasks also start in the RemoteApp session.
You can control this behavior by using the following Group Policy settings in the Computer
Configuration\Administrative Templates\System\Server Manager node of the Local Group
Policy Editor on the terminal server:
Do not display Initial Configuration Tasks window automatically at logon
You must enable this policy setting to prevent the Initial Configuration Tasks window from
opening when a user with administrative access starts a RemoteApp session.
Do not display Server Manager automatically at logon
You must enable this policy setting to prevent Server Manager from opening when a user with
administrative access starts a RemoteApp session.
Deploying TS Web Access
TS Web Access and TS RemoteApp allow you to deploy a single Web site to allow users to run
programs, access the full terminal server desktop, or connect remotely to the desktop of any
computer in the internal network where they have the appropriate permissions.
To install and configure TS Web Access, see the following topics:
Checklist: Deploying RemoteApp Programs Through TS Web Access
Enable RemoteApp Programs for TS Web Access
Install the TS Web Access Role Service
Populate the TS Web Access Computers Security Group
Specify the Data Source for TS Web Access
Connect to TS Web Access
Configure the TS Web Access Server to Allow Access from the Internet
Configure Remote Desktop Web Connection Behavior
Change the Install Location of the TS Web Access Web Site
Checklist: Deploying RemoteApp Programs Through TS Web Access
If you use TS Web Access, you can deploy RemoteApp programs from a single terminal server or
terminal server farm, or from a link to the terminal server desktop, directly through TS Web
Access. All RemoteApp programs on the terminal server or terminal server farm that are
configured for TS Web Access will appear on the TS Web Access Web site.
Note
TS Web Access includes the Remote Desktop Web Connection feature, which allows
users to connect from a Web browser to the remote desktop of any server or client
computer where they have Remote Desktop access. You can determine whether you
want this feature to be available to users. For more information, see Configure Remote
Desktop Web Connection Behavior.
To deploy RemoteApp programs by using TS Web Access, complete the following tasks.
Task: Configure the server that will host RemoteApp programs. This includes installing
Terminal Server, installing programs, and verifying remote connection settings.
Reference: Configuring the Server That Will Host RemoteApp Programs
Task: Add RemoteApp programs that are enabled for TS Web Access, and configure global
deployment settings.
Reference: Add Programs to the RemoteApp Programs List; Configure Global Deployment
Settings
Task: Install TS Web Access on the server that you want users to connect to over the Web to
access RemoteApp programs.
Reference: Install the TS Web Access Role Service
Task: Add the computer account of the TS Web Access server to the TS Web Access
Computers group on the terminal server.
Reference: Populate the TS Web Access Computers Security Group
Task: Configure the TS Web Access server to populate its list of RemoteApp programs from a
single terminal server or single terminal server farm.
Reference: Specify the Data Source for TS Web Access
After you complete this checklist, users can access the TS Web Access site from an intranet. To
make the TS Web Access Web site available from the Internet, see Checklist: Making
RemoteApp Programs Available from the Internet.
Enable RemoteApp Programs for TS Web Access
By default, a RemoteApp program is enabled for TS Web Access when you add a program to the
RemoteApp Programs list on a terminal server.
Membership in the local Administrators group, or equivalent, is the minimum required to
complete this procedure. Review details about using the appropriate accounts and group
memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?
LinkId=83477).
To determine if a RemoteApp program is enabled for TS Web Access
1. On the terminal server where the RemoteApp programs are configured, start
TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to
Terminal Services, and then click TS RemoteApp Manager.
2. In the RemoteApp Programs list, verify that a Yes value appears in the TS Web Access
column next to the program that you want to make available through TS Web Access.
3. To change whether a RemoteApp program is available through TS Web Access, do either
of the following:
To enable a RemoteApp program for TS Web Access, click the program name, and
then in the Actions pane, click Show in TS Web Access.
To disable a RemoteApp program for TS Web Access, click the program name, and
then in the Actions pane, click Hide in TS Web Access.
If TS Web Access is configured to populate its list of RemoteApp programs from the terminal
server, RemoteApp programs that are enabled for TS Web Access automatically appear on the
TS Web Access Web site. For more information, see Specify the Data Source for TS Web
Access.
Install the TS Web Access Role Service
You must install the TS Web Access role service on the server that you want users to connect to
over the Web to access RemoteApp programs. When you install the TS Web Access role service,
Microsoft Internet Information Services (IIS) 7.0 is also installed.
The server where you install TS Web Access acts as the Web server. The server does not have
to be a terminal server.
Note
By default, when you install TS Web Access, the TS Web Access Web site installs to the
Default Web Site in IIS. To change the default install location of the site, you can
configure a different location in the registry. You must do this before you install the
TS Web Access role service. For more information, see Change the Install Location of
the TS Web Access Web Site.
Membership in the local Administrators group is the minimum required to complete this
procedure.
To install TS Web Access
1. Open Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. If the Terminal Services role is already installed:
a. Under Roles Summary, click Terminal Services.
b. Under Role Services, click Add Role Services.
c. On the Select Role Services page, select the TS Web Access check box.
If the Terminal Services role is not already installed:
a. Under Roles Summary, click Add Roles.
b. On the Before You Begin page, click Next.
c. On the Select Server Roles page, select the Terminal Services check box, and
then click Next.
d. Review the Terminal Services page, and then click Next.
e. On the Select Role Services page, select the TS Web Access check box.
3. Review the information about the required role services, and then click Add Required
Role Services.
4. Click Next.
5. Review the Web Server (IIS) page, and then click Next.
6. On the Select Role Services page, where you are prompted to select the role services
that you want to install for IIS, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, confirm that the installation succeeded, and then click
Close.
Populate the TS Web Access Computers Security Group
If the TS Web Access server and the terminal server that hosts the RemoteApp programs are
separate servers, you must add the computer account of the TS Web Access server to the
TS Web Access Computers security group on the terminal server.
To add the computer account of the TS Web Access server to the security group
1. On the terminal server, click Start, point to Administrative Tools, and then click
Computer Management.
2. In the left pane, expand Local Users and Groups, and then click Groups.
3. In the right pane, double-click TS Web Access Computers.
4. In the TS Web Access Computers Properties dialog box, click Add.
5. In the Select Users, Computers, or Groups dialog box, click Object Types.
6. In the Object Types dialog box, select the Computers check box, and then click OK.
7. In the Enter the object names to select box, specify the computer account of the
TS Web Access server, and then click OK.
8. Click OK to close the TS Web Access Computers Properties dialog box.
Specify the Data Source for TS Web Access
You can configure TS Web Access to populate the list of RemoteApp programs that appear in the
Web Part from a specific terminal server or terminal server farm. By default, TS Web Access
populates its list of RemoteApp programs from a single terminal server and points to the local
host. The Web Part is populated by all RemoteApp programs that are enabled for TS Web Access
on that terminal server's RemoteApp Programs list.
To complete the following procedure, you must log on to the TS Web Access server by using the
local Administrator account or an account that is a member of the TS Web Access
Administrators group on the TS Web Access server.
To specify which terminal server or terminal server farm to use as the data source
1. Connect to the TS Web Access Web site. To do this, use either of the following methods:
On the TS Web Access server, click Start, point to Administrative Tools, point to
Terminal Services, and then click TS Web Access Administration.
Use Internet Explorer to connect to the TS Web Access Web site. By default, the
Web site is located at the following address, where server_name is the name of the
TS Web Access server:
http://server_name/ts
Note
If you have configured the Web site to use Secure Sockets Layer (SSL),
connect to https://server_name/ts.
2. Log on to the site by using either the local Administrator account, or an account that is a
member of the local TS Web Access Administrators group. (If you are already logged on
to the computer as one of these accounts, you are not prompted for credentials.)
3. On the title bar, click the Configuration tab.
Note
If you access the TS Web Access Web site by using the TS Web Access
Administration option, the page automatically opens to the Configuration tab.
4. In the Editor Zone area, in the Terminal server name box, enter the name of the
terminal server or terminal server farm that you want to use as the data source.
5. Click Apply to apply the changes.
To test TS Web Access, see Connect to TS Web Access.
Connect to TS Web Access
By default, you can access the TS Web Access Web site at the following location, where
server_name is the NetBIOS name or the fully qualified domain name of the Web server where
you installed TS Web Access:
http://server_name/ts
If you have configured the Web site to use Secure Sockets Layer (SSL), connect to
https://server_name/ts.
Note
If you connect to TS Web Access from a public computer, such as a computer in an "Internet
café," you should clear the I am using a private computer that complies with my
organization's security policy check box that appears in the lower-right corner of the Web Part.
In public mode, you are not provided with the option to save your credentials.
Client requirements and configuration
To connect to TS Web Access, the client computer must be running RDC 6.1 (6.0.6001). RDC 6.1
is included with the following operating systems:
Windows Server 2008
Windows Vista with SP1
Windows XP with SP3
The client computer must be running Internet Explorer 6 or a later version. Additionally, the
Terminal Services ActiveX Client control must be enabled. The ActiveX control is included with
RDC 6.1.
If you are running Windows Server 2008 or Windows Vista with SP1, and you receive a warning
message on the Internet Explorer Information bar about the site being restricted from showing
certain content, click the message line, point to Add-on Disabled, and then click Run ActiveX
Control. When you do this, you may see a security warning. Before you click Run, make sure
that the publisher for the ActiveX control is "Microsoft Corporation."
Note
If the Internet Explorer Information bar does not appear, and you cannot connect to
TS Web Access, you can enable the Terminal Services ActiveX control by using the
Manage Add-ons tool on the Tools menu of Internet Explorer. The add-on appears as
Microsoft Terminal Services Client Control.
If you are running Windows XP with SP3, when you first access the TS Web Access site, the
page displays an ActiveX control not installed or not enabled error message. Use the
following procedure to enable the ActiveX control.
To enable the ActiveX control in Windows XP with SP3
1. Connect to the TS Web Access site, and then enter your logon credentials.
2. Do either of the following, depending on the version of Internet Explorer that you are
running.
If you are using Internet Explorer 7, on the Tools menu, point to Manage Add-ons,
and then click Enable or Disable Add-ons.
If you are using Internet Explorer 6, on the Tools menu, click Manage Add-ons.
The Manage Add-ons dialog box appears. Make sure that the Show list is set to Add-
ons currently loaded in Internet Explorer.
3. Under Disabled, click either Microsoft Terminal Services Client Control (redist) or
Microsoft RDP Client Control (redist)—whichever is listed.
4. Under Settings, click Enable. (If you are running Internet Explorer 6, click OK in
response to the message saying that you may need to restart Internet Explorer for the
changes to take effect.)
Note
If the ActiveX control is listed two times, enable both instances.
5. Click OK to close the Manage Add-ons dialog box. (If you are running Internet
Explorer 7, click OK in response to the message saying that you may need to restart
Internet Explorer for the changes to take effect.)
Any available RemoteApp programs should appear on the TS Web Access Web site.
Configure the TS Web Access Server to Allow Access from the Internet
To allow users to access the TS Web Access server from the Internet through TS Gateway, the
recommended configuration is to place both the TS Gateway server and the TS Web Access
server in the perimeter network, and to place the terminal servers that host RemoteApp programs
behind the internal firewall.
Alternatively, you can deploy TS Web Access on the internal network, and then make the Web
site available through Microsoft Internet Security and Acceleration (ISA) Server. For more
information about Web publishing through ISA Server 2006, see Publishing Concepts in ISA
Server 2006 (http://go.microsoft.com/fwlink/?LinkId=86359).
If you deploy TS Web Access in the perimeter network, you must configure your firewall to allow
Windows Management Instrumentation (WMI) traffic from the TS Web Access server to the
terminal server. You must ensure that TCP port 135 is open for WMI-related DCOM traffic. To
control the other ports that are used for WMI traffic, you can configure a fixed port. For
information about how to do this, see Setting Up a Fixed Port for WMI on MSDN®
(http://go.microsoft.com/fwlink/?LinkId=109867). To use this procedure on a Windows
Server 2008-based server, note the following additional information:
If you are not logged on by using the local Administrator account, you must run the
commands from an elevated command prompt. To open an elevated command prompt, click
Start, right-click Command Prompt, and then click Run as administrator.
The procedure shows how to configure TCP port 24158 for WMI traffic. By default, the
winmgmt -standalonehost command moves the Windows Management Instrumentation
service (Winmgmt) to a standalone Svchost process that has a fixed DCOM endpoint of
"ncacn_ip_tcp.0.24158".
To specify a different port number, do not use the winmgmt -standalonehost command.
Instead, you must use the following procedure.
To specify a port number that is different from the default
1. Use Component Services to configure the fixed DCOM endpoint for WMI to the port that
you want. To do this, follow these steps:
a. Open Component Services. To do this, click Start, point to Administrative Tools,
and then click Component Services.
b. In the console tree, expand Component Services, expand Computers, expand My
Computer, and then click DCOM Config.
c. In the middle pane, right-click Windows Management and Instrumentation, and
then click Properties.
d. On the Endpoints tab, click either Properties or Add, depending on whether an
existing custom entry already exists.
e. Click Use static endpoint, enter the port number to use, and then click OK two
times.
2. Restart the Winmgmt service for the change to take effect. To restart the service, run the
commands net stop winmgmt and net start winmgmt from the command line.
3. Run the netsh command with the port parameter set to the same port that you specified
in Component Services.
When you run the netsh command to create a firewall rule, you must include the
protocol parameter and specify TCP as the protocol type. The following is an example of
the command syntax: netsh firewall add portopening protocol=TCP port=24158
profile=domain name=WMIFixedPort
Note
The profile parameter indicates whether the firewall rule applies to the Domain,
Private, or Public profile. For more information, see "Understanding Windows
Firewall with Advanced Security Profiles" in the Windows Firewall with Advanced
Security Help.
Additionally, the TS Web Access Web site must be configured to use Windows authentication. By
default, Windows authentication is enabled for the TS Web Access Web site.
To verify that Windows authentication is enabled
1. On the TS Web Access server, click Start, point to Administrative Tools, and then click
Internet Information Services (IIS) Manager.
2. In the left pane of Internet Information Services (IIS) Manager, expand the server name,
expand Sites, expand Default Web Site, and then click TS.
3. In the middle pane, under IIS, double-click Authentication.
4. Ensure that Windows Authentication is set to Enabled. If it is not, right-click Windows
Authentication, and then click Enable.
Note
If you placed TS Web Access in a custom Web site, you must ensure that the
authentication method that is used for the Web site can map to the user's
Windows account. You can do this by using integrated Windows authentication
on the custom Web site.
Configure Remote Desktop Web Connection Behavior
Terminal Services Remote Desktop Web Connection enables a user to connect to the desktop of
a remote computer from the TS Web Access Web site. To connect to a remote computer, the
following conditions must be true:
The remote computer must be configured to accept Remote Desktop connections.
The user must be a member of the Remote Desktop Users group on the remote computer.
A user can access Remote Desktop Web Connection by clicking the Remote Desktop tab on the
TS Web Access page. As an administrator, you can configure whether the Remote Desktop tab
is available to users. Additionally, you can configure settings such as which TS Gateway server to
use, and the default device and resource redirection options.
Membership in the local Administrators group, or equivalent, is the minimum required to
complete this procedure.
To configure Remote Desktop Web Connection behavior
1. On the TS Web Access server, start Internet Information Services (IIS) Manager. To do
this, click Start, point to Administrative Tools, and then click Internet Information
Services (IIS) Manager.
2. In the left pane, expand the server name, expand Sites, expand Default Web Site, and
then click TS.
3. In the middle pane, under ASP.NET, double-click Application Settings.
4. To change Remote Desktop Web Connection settings, modify the values in the
Application Settings pane.
To configure a default TS Gateway server, double-click DefaultTSGateway, enter the
fully qualified domain name of the server in the Value box (for example,
server1.contoso.com), and then click OK.
To specify the TS Gateway authentication method, double-click
GatewayCredentialsSource, type the number that corresponds to the desired
authentication method in the Value box, and then click OK. The possible values
include:
0 = Ask for password (NTLM)
1 = Smart card
4 = Allow user to select later
To configure whether the Remote Desktop tab appears on the TS Web Access
page, double-click ShowDesktops. In the Value box, type true to show the Remote
Desktop tab, or type false to hide the Remote Desktop tab. When you are finished,
click OK.
To configure default device and resource redirection settings, double-click the setting
that you want to modify (xClipboard, xDriveRedirection, xPnPRedirection,
xPortRedirection, or xPrinterRedirection). In the Value box, type true to enable
the redirection setting by default, or type false to disable the redirection setting by
default, and then click OK.
5. When you finish, close IIS Manager.
Your changes should take effect immediately on the TS Web Access Web site. If the Web
page is open, refresh the page to view the changes.
Note
You can also configure these settings by modifying the %windir%\Web\ts\Web.config file
directly by using a text editor such as Notepad.
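The following is an added example, not code from the deployment guide or from TS Web Access itself: a small audit script that reads the appSettings block of a Web.config, checks the keys listed above (DefaultTSGateway, GatewayCredentialsSource, ShowDesktops and the x*Redirection settings) for well-formed values, and reports every device or resource redirection that is enabled by default. The Web.config fragment it runs against is constructed for the example.

```python
"""Audit the TS Web Access appSettings described above.

Added example; it is not code from the deployment guide or from TS Web Access
itself. It reads the <appSettings> block of a Web.config, validates the keys
the guide lists (DefaultTSGateway, GatewayCredentialsSource, ShowDesktops and
the x*Redirection settings) and reports any device or resource redirection
that is enabled by default, so the defaults can be confirmed before the site
is exposed.
"""
import xml.etree.ElementTree as ET

# Values the guide documents for GatewayCredentialsSource.
GATEWAY_CREDENTIALS_SOURCES = {
    0: "Ask for password (NTLM)",
    1: "Smart card",
    4: "Allow user to select later",
}

# Redirection settings the guide lists; each takes "true" or "false".
REDIRECTION_KEYS = (
    "xClipboard",
    "xDriveRedirection",
    "xPnPRedirection",
    "xPortRedirection",
    "xPrinterRedirection",
)

# Constructed sample Web.config fragment (not copied from a real server).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="DefaultTSGateway" value="gateway.example.com" />
    <add key="GatewayCredentialsSource" value="4" />
    <add key="ShowDesktops" value="true" />
    <add key="xClipboard" value="true" />
    <add key="xDriveRedirection" value="true" />
    <add key="xPnPRedirection" value="false" />
    <add key="xPortRedirection" value="maybe" />
    <add key="xPrinterRedirection" value="true" />
  </appSettings>
</configuration>
"""


def load_app_settings(xml_text):
    """Return the <appSettings> key/value pairs as a dict, honouring remove/clear."""
    root = ET.fromstring(xml_text)
    app_settings = root.find("appSettings")
    if app_settings is None:
        return {}
    settings = {}
    for element in app_settings:
        if element.tag == "add":
            settings[element.get("key")] = element.get("value", "")
        elif element.tag == "remove":
            settings.pop(element.get("key"), None)
        elif element.tag == "clear":
            settings.clear()
    return settings


def audit_app_settings(settings):
    """Return a list of (key, message) findings; an empty list means no issues."""
    findings = []

    gateway = settings.get("DefaultTSGateway", "")
    # The guide asks for a fully qualified domain name, e.g. server1.contoso.com.
    if gateway and "." not in gateway:
        findings.append(("DefaultTSGateway",
                         f"'{gateway}' is not a fully qualified domain name"))

    source = settings.get("GatewayCredentialsSource")
    if source is not None:
        code = int(source) if source.strip().isdigit() else None
        if code not in GATEWAY_CREDENTIALS_SOURCES:
            findings.append(("GatewayCredentialsSource",
                             f"'{source}' is not one of {sorted(GATEWAY_CREDENTIALS_SOURCES)}"))

    for key in ("ShowDesktops",) + REDIRECTION_KEYS:
        value = settings.get(key)
        if value is None:
            continue  # not set in this Web.config; TS Web Access keeps its own default
        normalized = value.strip().lower()
        if normalized not in ("true", "false"):
            findings.append((key, f"'{value}' is not 'true' or 'false'"))
        elif key in REDIRECTION_KEYS and normalized == "true":
            findings.append((key, "redirection is enabled by default for Remote Desktop Web Connection"))
    return findings


def audit_web_config(xml_text):
    """Parse and audit in one step; returns the findings list."""
    return audit_app_settings(load_app_settings(xml_text))


if __name__ == "__main__":
    for key, message in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{key}: {message}")
```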
Change the Install Location of the TS Web Access Web Site
By default, when you install TS Web Access, the TS Web Access Web site installs to the Default
Web Site in IIS (to the /TS virtual path). To specify a different Web site to install TS Web Access,
you can configure a different target Web site in the registry. You must do this before you install the
TS Web Access role service.
Caution
Serious problems might occur if you modify the registry incorrectly by using Registry
Editor or by using another method. These problems might require that you reinstall the
operating system. Microsoft cannot guarantee that these problems can be solved. Modify
the registry at your own risk.
To change the location of the TS Web Access Web site
1. If you do not already have IIS installed, install IIS. To do this, follow these steps:
a. Start Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
b. Under Roles Summary, click Add Roles.
c. On the Before You Begin page, click Next.
d. On the Select Server Roles page, select the Web Server (IIS) check box, click Add
Required Features, and then click Next.
e. On the Web Server (IIS) page, click Next.
f. On the Select Role Services page, click Next.
g. On the Confirm Installation Selections page, click Install.
h. On the Installation Results page, verify that the installation succeeded, and then
click Close.
2. Click Start, point to Administrative Tools, and then click Internet Information Services
(IIS) Manager.
3. In Internet Information Services (IIS) Manager, expand the server name, right-click Sites,
and then click Add Web Site.
4. In the Add Web Site dialog box, add the information for the new Web site, such as the
site name. Ensure that you do the following:
In the Physical path box, specify the path C:\Windows\Web, where "C:" represents
the drive where you installed Windows.
To not conflict with the Default Web Site, you should either specify a different IP
address in the IP address list, or specify a port other than port 80 in the Port box. (If
you specify another port, ensure that the firewall is configured to permit HTTP or
HTTPS traffic on that port, depending on your configuration.)
5. When you finish, click OK.
6. Start Registry Editor. To do this, click Start, type regedit in the Start Search box, and
then press ENTER.
7. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
8. To specify a new install location for the TS Web Access Web site, do the following:
a. Right-click Microsoft, point to New, and then click Key.
b. Type Terminal Server Web Access as the subkey name, and then press ENTER.
c. Right-click Terminal Server Web Access, point to New, and then click String Value.
d. Type Website as the entry name, and then press ENTER.
e. Right-click Website, and then click Modify.
f. In the Value data box, type the name of the Web site where you want to install the
TS Web Access Web site (the site name that you specified in step 4 of this
procedure), and then click OK.
9. Close Registry Editor.
10. Install TS Web Access. For more information, see Install the TS Web Access Role
Service.
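Steps 6 through 9 can be done from a script so that the value is staged identically on every server before the role service is added. The following PowerShell is an added example and is not code from the Microsoft guide; the site name is whatever you gave the Web site in step 4, and the appcmd.exe check assumes the IIS 7 command-line tool at its default location under %windir%\system32\inetsrv.

```powershell
# Added example (not from the Microsoft guide): pre-stage the registry value that
# tells TS Web Access setup which IIS Web site to install into. Run this before
# adding the TS Web Access role service; it has no effect afterwards.
param(
    [Parameter(Mandatory = $true)][string]$SiteName   # the site name you created in IIS Manager
)

$keyPath  = 'HKLM:\SOFTWARE\Microsoft\Terminal Server Web Access'
$appcmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1. Make sure the target site really exists in IIS before pointing setup at it.
#    appcmd prints one line per matching site and nothing when there is no match.
if (Test-Path $appcmd) {
    $site = & $appcmd list site "$SiteName"
    if (-not $site) { throw "IIS has no Web site named '$SiteName'; create it first (step 3-5 of the guide)." }
}

# 2. Back up the key if it already exists (the guide's caution about registry edits),
#    otherwise create it.
if (Test-Path $keyPath) {
    $backup = Join-Path $env:TEMP ('TSWebAccess-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\Terminal Server Web Access' $backup /y | Out-Null
    Write-Host "Existing key exported to $backup"
} else {
    New-Item -Path $keyPath -Force | Out-Null
}

# 3. Write the Website string value that setup reads.
New-ItemProperty -Path $keyPath -Name 'Website' -PropertyType String -Value $SiteName -Force | Out-Null

# 4. Show what setup will see.
(Get-ItemProperty -Path $keyPath -Name 'Website').Website
```

Invoke it as `.\Set-TsWebAccessSite.ps1 -SiteName "TS Web Access"` (script file name is illustrative) from an elevated prompt, then install the role service as described in Install the TS Web Access Role Service.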
Deploying Terminal Services Printing
Terminal Services printing has been enhanced in Windows Server 2008 by the addition of the
Terminal Services Easy Print printer driver and a Group Policy setting that enables you to redirect
only the default client printer. The Terminal Services Easy Print driver enables users to reliably
print from a Terminal Services RemoteApp program or from a Terminal Services desktop session
to the correct printer on their client computer. It also enables users to have a much more
consistent printing experience between local and remote sessions.
To install and configure Terminal Services Printing, see the following topics:
Using Terminal Services Easy Print Driver
Installing the Printer Driver on the Server
Creating a Custom Printer Mapping File
Configuring Printer Redirection Settings
Using Terminal Services Printing-Related Group Policy Settings
Using Terminal Services Easy Print Driver
By default, a Windows Server 2008-based terminal server is configured to use the Terminal
Services Easy Print printer driver first when a client tries to print, and then it tries to use a
matching printer driver on the server if the client does not support Terminal Services Easy Print.
To change this default behavior, modify the Use Terminal Services Easy Print printer driver
first Group Policy setting. If you set this policy setting to Disabled, the terminal server first tries to
find a suitable printer driver to install the client printer. If the terminal server does not have a
printer driver that matches the client printer, the server tries to use the Terminal Services
Easy Print driver to install the client printer. For more information, see Using Terminal Services
Printing-Related Group Policy Settings.
Note
This policy setting is available in the Computer Configuration node and the User
Configuration node.
Client requirements
To use the Terminal Services Easy Print driver, clients must be running both of the following:
Remote Desktop Connection 6.1 [The RDC 6.1 (6.0.6001) client supports Remote Desktop
Protocol 6.1.]
At least Microsoft .NET Framework 3.0 Service Pack 1 (SP1)
The following list provides information about which operating systems support the Terminal
Services Easy Print driver, and whether additional configuration is required.
Windows Vista with SP1 includes both of the required components. By default,
Windows Vista with SP1 supports the Terminal Services Easy Print driver with no additional
configuration.
Windows XP with Service Pack 3 (SP3) includes RDC 6.1. However, you must install a
supported version of the .NET Framework separately. You can download Microsoft .NET
Framework 3.5 (which includes .NET Framework 3.0 SP1) from the Microsoft Download
Center (http://go.microsoft.com/fwlink/?LinkId=109422).
Windows Server 2008 includes both of the required components. However, by default, .NET
Framework 3.0 SP1 is not installed. Therefore, to use the Terminal Services Easy Print driver
on a Windows Server 2008-based server (that is acting as the client), you must add .NET
Framework 3.0 SP1 by using Server Manager or by adding the feature from the command
line.
To add .NET Framework 3.0 SP1 by using Server Manager
1. Start Server Manager. To open Server Manager, click Start, point to Administrative
Tools, and then click Server Manager.
2. In the left pane of Server Manager, right-click Features, and then click Add
Features.
3. On the Select Features page, expand .NET Framework 3.0.
4. Select the .NET Framework 3.0 Features and the XPS Viewer check boxes, and
then click Next.
5. Click Install.
To add .NET Framework 3.0 SP1 by using the command line
1. Start the command prompt with elevated privileges. To do this, click Start, right-click
Command Prompt, and then click Run as administrator.
2. At the command prompt, type the following, and then press ENTER:
pkgmgr.exe /iu:NetFx3
The installation occurs silently, and may take several minutes.
Additional information
When you use the Terminal Services Easy Print driver, users cannot save printing preferences
from Printers in Control Panel. Instead, printing preferences can only be applied and saved per
application.
Installing the Printer Driver on the Server
If some client computers do not support the Terminal Services Easy Print driver, you can install
matching printer drivers on the terminal server.
If the printer driver that is installed on the client computer is an OEM driver, and a driver is
available from the printer's manufacturer, replace the OEM driver with the driver that is available
from the printer’s manufacturer. If you are installing a non-Microsoft driver, make sure that the
driver is a Windows Hardware Quality Labs (WHQL)-signed driver.
Note
After you install a printer driver, terminal server clients must log off and then log on to the
terminal server before the printer driver change takes effect.
To install the printer driver, use either of the following methods. To perform these procedures, you
must have membership in the local Administrators group, or you must have been delegated the
appropriate authority.
Method 1: Run the printer's Setup program to install the printer driver .inf file on the terminal
server.
Method 2: Install the printer driver by using the Add Printer Driver Wizard.
To install the printer driver by using the Add Printer Driver Wizard
1. On the terminal server, click Start.
2. In the Start Search box, type control printers and then press ENTER.
3. On the File menu, click Server Properties.
4. On the Drivers tab, click Add, and then follow the instructions in the Add Printer Driver
Wizard to install the printer driver .inf file.
Creating a Custom Printer Mapping File
You can create or modify an existing custom printer mapping file to define mappings from
client-side drivers to server-side drivers on the terminal server.
To perform the following procedures on the terminal server, you must have membership in the
local Administrators group, or you must have been delegated the appropriate authority.
Step one: Create or modify an .inf file
Using a text editor such as Notepad, create or modify an .inf file to include the user-defined
mappings from the client-side driver to the server-side driver. Follow the format used in the
following example:
;NTPRINTSUBS.INF
;Printer mapping file for client-side to server-side drivers
[Printers]
"OEM Printer Driver Name" = "Windows Server 2008 Driver Name"
For example:
"HP DeskJet 720C Series v10.3" = "HP DeskJet 722C"
The left side of the equation is the exact name of the printer driver that is associated with the
client-side print queue that is being redirected to the server.
To obtain the exact name of the client-side driver
1. On the client computer, in Control Panel, open Printers.
2. Right-click the printer that you want to use, and then click Properties.
3. The exact name of the printer driver appears on the General tab, next to Model.
Note
You can also click the Advanced tab and view the driver name in the Driver list.
The right side of the equation is the exact name of the server-side driver equivalent that is
installed on the terminal server.
To obtain the exact name of the server-side driver
1. On the terminal server, in Control Panel, open Printers.
2. On the File menu, click Server Properties.
3. The exact name of the printer driver is listed on the Drivers tab in the Name column.
Note
If the server-side printer driver that you want to use is not installed, click Add,
and then follow the instructions in the Add Printer Driver Wizard to install the
printer driver.
Step two: Configure the registry
After you create the printer mapping file, you must configure the registry to point to the printer
mapping .inf file, and to the correct section of the printer mapping file that contains the
user-defined mappings.
Caution
Incorrectly editing the registry might severely damage your system. Before you make
changes to the registry, you should back up any valued data.
To use a custom printer mapping file
1. On the terminal server, open Registry Editor. To do this, click Start, type regedit in the
Start Search box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is
what you want, and then click Continue.
3. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd
4. Create a registry entry for the printer mapping file name. To do this, follow these steps:
a. Right-click the rdpwd subkey, point to New, and then click String Value.
b. Type PrinterMappingINFName as the entry name, and then press ENTER.
c. Right-click PrinterMappingINFName, and then in the Value data box, enter the path
and name of the .inf file to which you want to redirect lookups. For example, type
c:\windows\inf\ntprintsubs.inf.
d. When you finish, click OK.
5. Create a registry entry for the section of the .inf file to which you want to redirect lookups.
To do this, follow these steps:
a. Right-click the rdpwd subkey, point to New, and then click String Value.
b. Type PrinterMappingINFSection as the entry name, and then press ENTER.
c. Right-click PrinterMappingINFSection, and then in the Value data box, enter the
name of the section in the .inf file that contains the user-defined mappings. For
example, type Printers.
d. When you finish, click OK.
6. Close Registry Editor.
For the changes to take effect, you must restart the Print Spooler service on the terminal
server.
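A mapping whose right-hand driver is not actually installed on the terminal server does nothing useful, and the registry edit above gives no feedback about that. The following PowerShell is an added example and is not code from the Microsoft guide: it parses the [Printers] section of the mapping file in the format shown in step one, checks every server-side driver name against the drivers installed on the server, and only then writes the two rdpwd values and restarts the spooler. The default file path and section name are the ones the guide uses as examples; the Win32_PrinterDriver name layout ("driver name,version,environment") is a property of the WMI class, not something the guide states.

```powershell
# Added example (not from the Microsoft guide): validate a custom printer mapping
# file against the drivers installed on the terminal server, then register it
# under rdpwd and restart the Print Spooler as the guide requires.
param(
    [string]$InfPath = (Join-Path $env:windir 'inf\ntprintsubs.inf'),  # example path from the guide
    [string]$Section = 'Printers'                                       # example section from the guide
)

# Parse only the requested [Section] of the .inf. Lines beginning with ';' are
# comments; mapping lines look like "client driver" = "server driver".
function Get-PrinterMappings([string]$Path, [string]$SectionName) {
    $inSection = $false
    $mappings  = @{}
    foreach ($line in Get-Content -Path $Path) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith(';')) { continue }
        if ($trimmed -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq $SectionName)
            continue
        }
        if ($inSection -and $trimmed -match '^"([^"]+)"\s*=\s*"([^"]+)"$') {
            $mappings[$Matches[1]] = $Matches[2]
        }
    }
    return $mappings
}

$mappings = Get-PrinterMappings -Path $InfPath -SectionName $Section
if ($mappings.Count -eq 0) { throw "No mappings found in [$Section] of $InfPath" }

# Win32_PrinterDriver.Name is "<driver name>,<version>,<environment>"; keep the name part.
$installed = Get-WmiObject -Class Win32_PrinterDriver |
    ForEach-Object { ($_.Name -split ',')[0] } |
    Sort-Object -Unique

$missing = $mappings.Values | Where-Object { $installed -notcontains $_ }
if ($missing) {
    throw "Server-side driver(s) named in the mapping file are not installed: $($missing -join ', ')"
}

foreach ($client in $mappings.Keys) {
    '{0}  ->  {1}' -f $client, $mappings[$client]
}

# Registry values from step two of the guide.
$rdpwd = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd'
New-ItemProperty -Path $rdpwd -Name 'PrinterMappingINFName'    -PropertyType String -Value $InfPath -Force | Out-Null
New-ItemProperty -Path $rdpwd -Name 'PrinterMappingINFSection' -PropertyType String -Value $Section -Force | Out-Null

# The mapping is read when the spooler starts.
Restart-Service -Name Spooler
```

Run it from an elevated prompt on the terminal server. If a driver is reported missing, install it with the Add Printer Driver Wizard (see Installing the Printer Driver on the Server) and run the script again; nothing is written to the registry until every mapping resolves.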
Configuring Printer Redirection Settings
As an administrator, you can configure printer redirection settings for terminal server connections
as a whole (per connection) or on a per user basis.
Configure printer redirection settings per connection
By using Group Policy (best practice)
To configure Group Policy settings for a domain or an organizational unit (OU), you must be
logged on as a member of the Domain Admins group, Enterprise Admins group, or the Group
Policy Creator Owners group, or have been delegated the appropriate authority over Group
Policy.
To configure Group Policy settings by using the Local Group Policy Editor, membership in the
local Administrators group, or equivalent, is the minimum required to complete this procedure.
To configure per connection printer redirection settings on a terminal server by using
Group Policy
1. In either the Group Policy Management Console or the Local Group Policy Editor, locate
the following node:
Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection
2. Configure the desired printer redirection settings:
To disable client printer redirection, enable the Do not allow client printer
redirection policy setting.
To use the default printer of the server as the default printer for all client sessions,
enable the Do not set default client printer to be default printer in a session
policy setting.
By using Terminal Services Configuration
Membership in the local Administrators group, or equivalent, is the minimum required to
complete this procedure.
To configure per connection printer redirection settings on a terminal server by using
Terminal Services Configuration
1. Click Start, point to Administrative Tools, point to Terminal Services, and then click
Terminal Services Configuration.
2. In the middle pane, under Connections, right-click the connection, and then click
Properties.
3. On the Client Settings tab, under Redirection, configure the desired printer redirection
settings:
To disable client printer redirection, select the Windows Printer check box.
To use the default printer of the server as the default printer for all client sessions,
select the Default to main client printer check box. To print to the default printer of
the client, clear this check box.
Configure printer redirection settings per user
You can configure per user printer redirection settings by using either Local Users and Groups or
Active Directory Users and Computers. These settings override client-specified settings.
To configure per user printer redirection settings by using Active Directory Users and Computers,
you must be logged on as a member of the Domain Admins group, or have been delegated the
appropriate authority.
To configure per user printer redirection settings by using Local Users and Groups, membership
in the local Administrators group, or equivalent, is the minimum required to complete this
procedure.
To configure per user printer redirection settings
1. Do either of the following, depending on whether you are configuring settings for a
domain user or for a local user on the terminal server.
To configure settings for a domain user, on a domain controller, click Start, point to
Administrative Tools, and then click Active Directory Users and Computers.
To configure settings for a local user, on a terminal server, click Start, point to
Administrative Tools, click Computer Management, and then expand Local Users
and Groups.
2. In the console tree, locate the user for whom you want to configure printer redirection
settings.
3. Right-click the user name, and then click Properties.
4. On the Environment tab, configure the following settings:
Connect client printers at logon
If you clear this check box, client printers are not automatically connected. However,
a user can still manually map their client printer.
Default to main client printer
Select this check box to print to the default printer of the client. If you clear this check
box, the default printer of the server is used as the default printer for all client
sessions.
Note
By default, both of these check boxes are selected.
5. When you finish, click OK.
Use client-specified printer redirection settings
Users can also control printer redirection settings through the Remote Desktop Connection (RDC)
client, or when starting a connection to a RemoteApp program.
To control printer redirection through the RDC client
1. Start the Remote Desktop Connection client.
2. Click Options.
3. On the Local Resources tab, under Local devices and resources, select or clear the
Printers check box.
Using Terminal Services Printing-Related Group Policy Settings
There are several Group Policy settings that you can configure to help control Terminal Services
printing behavior. These settings are located in the following node of the Group Policy
Management Console:
Computer Configuration\Policies\Administrative Templates\Windows Components\
Terminal Services\Terminal Server\Printer Redirection
Note
Some of the policy settings are available in both the Computer Configuration node and
the User Configuration node.
Following are the available Group Policy settings for Terminal Services printing.
Name: Do not allow client printer redirection
Requirements: At least Windows XP Professional or Windows Server 2003 family
Description: This policy setting allows you to specify whether to prevent the mapping of client
printers in Terminal Services sessions.
You can use this policy setting to prevent users from redirecting print jobs from the remote
computer to a printer attached to their local (client) computer. By default, Terminal Services
allows this client printer mapping.
If you enable this policy setting, users cannot redirect print jobs from the remote computer to a
local client printer in Terminal Services sessions.
If you disable this policy setting, users can redirect print jobs with client printer mapping.
If you do not configure this policy setting, client printer mapping is not specified at the Group
Policy level. However, an administrator can still disable client printer mapping by using the
Terminal Services Configuration tool.

Name: Do not set default client printer to be default printer in a session
Requirements: At least Windows XP Professional or Windows Server 2003
Description: This policy setting allows you to specify whether the client default printer is
automatically set as the default printer in a Terminal Services session.
By default, Terminal Services automatically designates the client default printer as the default
printer in a Terminal Services session. You can use this policy setting to override this behavior.
If you enable this policy setting, the default printer is the printer specified on the remote
computer.
If you disable this policy setting, the terminal server automatically maps the client default printer
and sets it as the default printer upon connection.
If you do not configure this policy setting, the default printer is not specified at the Group Policy
level. However, an administrator can configure the default printer for client sessions by using the
Terminal Services Configuration tool.

Name: Redirect only the default client printer
Requirements: At least Windows Server 2008
Description: This policy setting allows you to specify whether the default client printer is the only
printer redirected in Terminal Services sessions.
If you enable this policy setting, only the default client printer is redirected in Terminal Services
sessions.
If you disable or do not configure this policy setting, all client printers are redirected in Terminal
Services sessions.

Name: Specify terminal server fallback printer driver behavior
Requirements: Windows Server 2003 with Service Pack 1 only
Description: This policy setting allows you to specify the terminal server fallback printer driver
behavior.
By default, the terminal server fallback printer driver is disabled. If the terminal server does not
have a printer driver that matches the client's printer, no printer will be available for the terminal
server session.
If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is
for the terminal server to find a suitable printer driver. If one is not found, the client's printer is
not available. You can choose to change this default behavior. The available options are:
Do nothing if one is not found: If there is a printer driver mismatch, the server will attempt to
find a suitable driver. If one is not found, the client's printer is not available. This is the default
behavior.
Default to PCL if one is not found: If no suitable printer driver can be found, default to the
Printer Control Language (PCL) fallback printer driver.
Default to PS if one is not found: If no suitable printer driver can be found, default to the
PostScript (PS) fallback printer driver.
Show both PCL and PS if one is not found: If no suitable driver can be found, show both PS
and PCL-based fallback printer drivers.
If you disable this policy setting, the terminal server fallback driver is disabled and the terminal
server will not attempt to use the fallback printer driver.
If you do not configure this policy setting, the fallback printer driver behavior is off by default.
Note
If the Do not allow client printer redirection policy setting is enabled, this policy setting is
ignored and the fallback printer driver is disabled.

Name: Use Terminal Services Easy Print printer driver first
Requirements: At least Windows Server 2008
Description: This policy setting allows you to specify whether the Terminal Services Easy Print
printer driver is used first to install all client printers.
If you enable or do not configure this policy setting, the terminal server first tries to use the
Terminal Services Easy Print printer driver to install all client printers. If for any reason the
Terminal Services Easy Print printer driver cannot be used, a printer driver on the terminal server
that matches the client printer is used. If the terminal server does not have a printer driver that
matches the client printer, the client printer is not available for the Terminal Services session.
If you disable this policy setting, the terminal server tries to find a suitable printer driver to install
the client printer. If the terminal server does not have a printer driver that matches the client
printer, the server tries to use the Terminal Services Easy Print printer driver to install the client
printer. If for any reason the Terminal Services Easy Print printer driver cannot be used, the client
printer is not available for the Terminal Services session.
Note
If the Do not allow client printer redirection policy setting is enabled, the Use Terminal Services
Easy Print printer driver first policy setting is ignored.