Terminal Services Deployment Guide

Microsoft Corporation

Published: December 2009

Abstract

The Terminal Services server role in Windows Server® 2008 provides technologies that enable users to access Windows®-based programs that are installed on a terminal server, or to access the full Windows desktop. With Terminal Services, users can access a terminal server from within a corporate network or from the Internet.

This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Active Directory, ActiveX, Internet Explorer, ClearType, MSDN, Microsoft, RemoteApp, Windows, Windows Media, Windows NT, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Contents

Terminal Services Deployment Guide.............................................................................................9

About this guide........................................................................................................................... 9

In this guide................................................................................................................................. 9

Role Services and Features in a Terminal Services Deployment....................................................9

What are the role services and features in a Terminal Services deployment?.......................10

Deploying Terminal Server............................................................................................................12

Installation Prerequisites for Terminal Server................................................................................12

Using Remote Desktop................................................................................................................. 14

Installing Terminal Server on a Domain Controller........................................................................15

Terminal Services and Windows Firewall......................................................................................16

Checklist: Configuring Terminal Server.........................................................................................17

Configuring Terminal Server.........................................................................................................18

Install the Terminal Server Role Service.......................................................................................19

Install the Terminal Server role service (when Terminal Services is already installed)..............20

Configure License Settings for a Terminal Server.........................................................................22

Specify the Terminal Services Licensing Mode.............................................................................22

Specify the License Server Discovery Mode.................................................................................23

Configure the Network Level Authentication Setting for a Terminal Server...................................24

Install Programs on a Terminal Server..........................................................................................25

Additional considerations....................................................................................................26

Configure the Remote Desktop Users Group...............................................................................26

Managing Terminal Server............................................................................................................27

Change Remote Connection Settings...........................................................................................27

Enable Single Sign-On for Terminal Services...............................................................................28

Manage User Profiles for Terminal Services.................................................................................30

Install Desktop Experience on a Terminal Server..........................................................................30

Install Desktop Experience........................................................................................................31

Uninstall Desktop Experience....................................................................................................32

Configure Font Smoothing for Remote Sessions..........................................................................32

Monitor a Terminal Server with Windows System Resource Manager..........................................33

Resource-Allocation Policies.....................................................................................................34

Resource Monitor...................................................................................................................... 34

Uninstall the Terminal Server Role Service...................................................................................34

Deny Logon Requests to a Terminal Server.................................................................................35

Deploying TS Licensing................................................................................................................36

Installation Prerequisites for TS Licensing....................................................................................36

Terminal Services Client Access Licenses (TS CALs)..................................................................37

Terminal Services License Server Discovery................................................................................38

Checklist: Deploying TS Licensing................................................................................................39

Installing TS Licensing..................................................................................................................40

Installation prerequisites............................................................................................................40

Install the TS Licensing role service..........................................................................................41

Connecting to a Terminal Services License Server.......................................................................42

Install TS Licensing Manager........................................................................................................43

Activating a Terminal Services License Server.............................................................................43

Activate a Terminal Services License Server Automatically..........................................................44

Activate a Terminal Services License Server by Using a Web Browser........................................45

Activate a Terminal Services License Server by Using the Telephone..........................................46

Installing Terminal Services Client Access Licenses.....................................................................47

Install Terminal Services Client Access Licenses Automatically....................................................48

Install Terminal Services Client Access Licenses by Using a Web Browser.................................49

Install Terminal Services Client Access Licenses by Using the Telephone...................................50

Configuring License Settings on a Terminal Server......................................................................51

Specify the Terminal Services licensing mode...........................................................................51

Specify the license server discovery mode................................................................................53

Tracking the Issuance of Terminal Services Per User Client Access Licenses.............................54

Troubleshooting TS Licensing Installation.....................................................................................56

Review the configuration of your license server........................................................................56

Diagnose licensing problems on your terminal server...............................................................58

Deploying TS Session Broker.......................................................................................................59

Installation Prerequisites for TS Session Broker...........................................................................60

TS Session Broker components................................................................................................60

Checklist: Creating a Load-Balanced Terminal Server Farm by Using TS Session Broker...........61

Installing TS Session Broker.........................................................................................................61

Installation prerequisites............................................................................................................62

Install the TS Session Broker role service.................................................................................62

Adding Each Terminal Server in the Farm to the Session Directory Computers Local Group.......63

Configuring a Terminal Server to Join a Farm in TS Session Broker............................................63

Configure TS Session Broker Settings by Using Group Policy.....................................................64

Configure TS Session Broker Settings by Using Terminal Services Configuration.......................66

Configuring DNS for TS Session Broker Load Balancing.............................................................67

Configuring Dedicated Redirectors (optional)...............................................................................68

Deploying TS Gateway.................................................................................................................69

Installation Prerequisites for TS Gateway.....................................................................................70

Role, role service, and feature dependencies........................................................................70

Administrative credentials......................................................................................................71

Understanding Requirements for Connecting to a TS Gateway Server........................................71

Supported Windows authentication methods............................................................................72

Checklist: Deploying TS Gateway.................................................................................................72

Installing TS Gateway...................................................................................................................73

Install the TS Gateway role service...........................................................................................73

Verify successful role service installation and TS Gateway service status.............................75

Configuring a Certificate for the TS Gateway Server....................................................................76

Obtain a Certificate for the TS Gateway Server............................................................................77

Certificate requirements for TS Gateway...................................................................................77

Using existing certificates..........................................................................................................78

Certificate installation and configuration process overview.......................................................79

1. Obtain a certificate.............................................................................................................79

2. Install the certificate...........................................................................................................81

3. Map the certificate..............................................................................................................81

Create a Self-Signed Certificate for the TS Gateway Server........................................................81

Install a Certificate on the TS Gateway Server.............................................................................82

Map the TS Gateway Certificate...................................................................................................83

View or Modify Certificate Properties............................................................................................84

Creating a Terminal Services Connection Authorization Policy.....................................................85

Creating a Terminal Services Resource Authorization Policy........................................................87

Configuring the Terminal Services Client for TS Gateway............................................................89

Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional)..........89

Configure Remote Desktop Connection Settings..........................................................................91

Verify Connectivity Through TS Gateway.....................................................................................92

Limiting the Maximum Number of Simultaneous Connections Through TS Gateway...................93

Using Group Policy to Manage Client Connections Through TS Gateway...................................94

Set the TS Gateway Server Authentication Method......................................................................95

Enable Connections Through TS Gateway...................................................................................97

Set the TS Gateway Server Address............................................................................................98

Deploying TS RemoteApp..........................................................................................................100

Installation Prerequisites for TS RemoteApp..............................................................................100

Client requirements.................................................................................................................101

Checklist: Configuring TS RemoteApp........................................................................................101

Checklist: Deploying RemoteApp Programs Through a File Share or Other Distribution Mechanism.............................102

Checklist: Making RemoteApp Programs Available from the Internet.........................................102

Configuring the Server That Will Host RemoteApp Programs....................................................104

Install the Terminal Server role service....................................................................................104

Install programs on the terminal server...................................................................................105

Verify remote connection settings............................................................................................105

Adding RemoteApp Programs and Configuring Global Deployment Settings.............................106

Add Programs to the RemoteApp Programs List........................................................................106

Configure Global Deployment Settings.......................................................................................107

Configure Terminal Server Settings............................................................................................108

Configure TS Gateway Settings..................................................................................................109

Configure Common RDP Settings (Optional)..............................................................................110

Configure Custom RDP Settings (Optional)................................................................................111

Configure Digital Signature Settings (Optional)...........................................................................112

Using Group Policy settings to control client behavior when opening a digitally signed .rdp file.......................113

Creating an .rdp File from a RemoteApp Program......................................................................114

Creating a Windows Installer Package from a RemoteApp Program..........................................115

Managing RemoteApp Programs and Settings...........................................................................116

Change or Delete a RemoteApp Program..................................................................................117

Export or Import RemoteApp Programs and Settings.................................................................118

Configuring Server Manager and Initial Tasks Not to Run in a RemoteApp Session..................119

Deploying TS Web Access..........................................................................................................119

Checklist: Deploying RemoteApp Programs Through TS Web Access.......................................120

Enable RemoteApp Programs for TS Web Access.....................................................................121

Install the TS Web Access Role Service.....................................................................................122

Populate the TS Web Access Computers Security Group..........................................................123

Specify the Data Source for TS Web Access..............................................................................123

Connect to TS Web Access........................................................................................................124

Client requirements and configuration.....................................................................................125

Configure the TS Web Access Server to Allow Access from the Internet....................................126

Configure Remote Desktop Web Connection Behavior..............................................................128

Change the Install Location of the TS Web Access Web Site.....................................................129

Deploying Terminal Services Printing..........................................................................................131

Using Terminal Services Easy Print Driver..................................................................................131

Client requirements.................................................................................................................131

Additional information..............................................................................................................132

Installing the Printer Driver on the Server...................................................................................133

Creating a Custom Printer Mapping File.....................................................................................133

Step one: Create or modify an .inf file.....................................................................................133

Step two: Configure the registry..............................................................................................134

Configuring Printer Redirection Settings.....................................................................................135

Configure printer redirection settings per connection..............................................................136

By using Group Policy (best practice)..................................................................................136

By using Terminal Services Configuration............................................................................136

Configure printer redirection settings per user.........................................................................137

Use client-specified printer redirection settings.......................................................................138

Using Terminal Services Printing-Related Group Policy Settings...............................................138

Terminal Services Deployment Guide

Deploying Terminal Services in your Windows Server® 2008 environment provides technologies that enable users to access Windows®-based programs that are installed on a terminal server, or to access the full Windows desktop. By using Terminal Services, users can access a terminal server from within a corporate network or from the Internet.

Terminal Services enables you to efficiently deploy and maintain software in an enterprise environment from a central location. Because you install the programs on the terminal server and not on the client computer, programs are easier to upgrade and to maintain.

About this guide

This guide is intended for use by system administrators and system engineers who are responsible for deploying the Terminal Services role services and features. It provides detailed guidance for deploying a Terminal Services design that is preselected by you, an infrastructure specialist, or a system architect in your organization.

For related information about Terminal Services, visit the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).

In this guide

Role Services and Features in a Terminal Services Deployment
Deploying Terminal Server
Deploying TS Licensing
Deploying TS Session Broker
Deploying TS Gateway
Deploying TS RemoteApp
Deploying TS Web Access
Deploying Terminal Services Printing

Role Services and Features in a Terminal Services Deployment

The following figure shows the network diagram for the Terminal Services role services and features that are covered in this deployment guide. This diagram isolates specific functionality on separate servers, instead of running multiple services on the same server. Your deployment design will vary according to your resources and requirements.

What are the role services and features in a Terminal Services deployment?

Terminal Services is a server role that consists of several sub-components, known as "role services." In Windows Server 2008, Terminal Services consists of the following role services:

Terminal Server   The Terminal Server role service enables a server to host Windows-based programs or the full Windows desktop. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server.

TS Licensing   Terminal Services Licensing (TS Licensing) manages the Terminal Services client access licenses (TS CALs) that are required for each device or user to connect to a terminal server. You use TS Licensing to install, issue, and monitor the availability of TS CALs on a Terminal Services license server.

Important: You must have a correctly configured license server within 120 days after your terminal server accepts its first connection.

TS Session Broker   Terminal Services Session Broker (TS Session Broker) supports session load balancing between terminal servers in a farm, and reconnection to an existing session in a load-balanced terminal server farm.

Important: To use the built-in TS Session Broker Load Balancing feature, terminal servers in the farm must be running Windows Server 2008.

TS Web Access   Terminal Services Web Access (TS Web Access) enables users to access RemoteApp programs and a Remote Desktop connection to the terminal server through a Web site. TS Web Access also includes Remote Desktop Web Connection, which enables users to remotely connect to any computer where they have Remote Desktop access.

TS Gateway   Terminal Services Gateway (TS Gateway) enables authorized remote users to connect to resources on an internal corporate network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.

Your deployment might also include the following:

Remote Desktop Connection (RDC) client   The RDC client must be installed on client computers for users to start Terminal Services sessions. To access most of the new features in Windows Server 2008, the client must be running RDC 6.0 or RDC 6.1.

Active Directory Domain Services   If you deploy TS Session Broker, the server where you install the TS Session Broker role service must be a member of an Active Directory domain. If you deploy terminal servers or terminal server farms, the servers must be members of the same Active Directory domain as the license servers, or the license servers must be deployed at the forest level.

Network Access Protection (NAP)   You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement, and remediation technology that is included in Windows Server 2008, Windows Vista®, Windows Vista Service Pack 1 (SP1), and Windows XP Service Pack 3 (SP3). With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings.

Network Firewall   The Terminal Services role services are typically deployed within the corporate network behind a firewall. If TS Gateway is deployed, it may be hosted in a perimeter network. TS Gateway enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators (NATs). With TS Gateway, you do not need to perform additional configuration for the TS Gateway server or clients for this scenario.

In earlier versions of Windows Server, security measures prevented remote users from connecting to internal network resources across firewalls and NATs. This is because port 3389, the port used for RDP connections, is typically blocked for network security purposes. TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.

Front-end load balancer   If you deploy TS Session Broker, a front-end load balancer is required. Depending on your requirements, you can use the Domain Name System (DNS) round robin feature, Network Load Balancing (NLB), or a hardware load balancer.

Deploying Terminal Server

Terminal Server is one of the role services provided by the Terminal Services server role. You install Terminal Server on a server to host Windows-based programs or the full Windows desktop. Users can connect to a terminal server to run programs (including RemoteApp programs), save files, and use network resources if they have appropriate permissions.

To install, configure, and manage a terminal server, see the following topics:

Installation Prerequisites for Terminal Server
Checklist: Configuring Terminal Server
Configuring Terminal Server
Managing Terminal Server

Installation Prerequisites for Terminal Server

A terminal server is the server that hosts Windows-based programs or the full Windows desktop for Terminal Services client computers. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server. Users can access a terminal server by using Remote Desktop Connection or by using TS RemoteApp.

The following checklist provides tasks that an administrator should perform before installing and configuring a terminal server.

Note: Installing a terminal server on an Active Directory domain controller is not recommended. For more information, see Installing Terminal Server on a Domain Controller.
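The checklist that follows asks you to decide on domain membership, the licensing mode, license server discovery, and which users may connect. As an added example that is not part of the Microsoft guide, the following PowerShell script reads those settings from a Windows Server 2008 server through WMI and reports each prerequisite as OK, WARN or INFO; it assumes PowerShell 2.0 on the server being audited, a local administrator session, and the WMI classes named in the comments.

```powershell
# Added example (not part of the Microsoft guide): audit a Windows Server 2008
# candidate terminal server against the prerequisite checklist in this section.
# Assumptions: PowerShell 2.0 on the server being audited, run as a local
# administrator; WMI classes Win32_ComputerSystem (root\cimv2) and
# Win32_TerminalServiceSetting / Win32_TSGeneralSetting (root\cimv2\TerminalServices).

$findings = @()
function Add-Finding([string]$Check, [string]$Result, [string]$Status) {
    $script:findings += New-Object PSObject -Property @{
        Check = $Check; Result = $Result; Status = $Status
    }
}

# 1. Domain membership and domain controller role. DomainRole values:
#    0/1 workstation, 2 standalone server, 3 member server, 4 backup DC, 5 primary DC.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Add-Finding 'Domain membership' "Member of $($cs.Domain)" 'OK'
} else {
    Add-Finding 'Domain membership' 'Not joined to a domain' 'WARN: license server must be in the same domain or forest'
}
if ($cs.DomainRole -ge 4) {
    Add-Finding 'Domain controller' 'Server is a domain controller' 'WARN: not recommended for a terminal server'
} else {
    Add-Finding 'Domain controller' 'Not a domain controller' 'OK'
}

# 2. Terminal Server mode, licensing mode and configured license servers.
#    TerminalServerMode: 0 = Remote Desktop for Administration, 1 = Application Server.
#    LicensingType: 0 Personal, 1 Remote Desktop for Administration, 2 Per Device,
#    4 Per User, 5 Not configured.
$ns  = 'root\cimv2\TerminalServices'
$tss = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting
$modeText = @{ 0 = 'Remote Desktop for Administration'; 1 = 'Application Server (Terminal Server role installed)' }
Add-Finding 'Terminal Server mode' $modeText[[int]$tss.TerminalServerMode] 'INFO'

$licText = @{ 0 = 'Personal Terminal Server'; 1 = 'Remote Desktop for Administration';
              2 = 'Per Device'; 4 = 'Per User'; 5 = 'Not configured' }
$lic = [int]$tss.LicensingType
$licName = $licText[$lic]
if (-not $licName) { $licName = "Unknown ($lic)" }
if ($lic -eq 2 -or $lic -eq 4) {
    Add-Finding 'Licensing mode' $licName 'OK: must match the TS CAL type installed on the license server'
} else {
    Add-Finding 'Licensing mode' $licName 'WARN: set Per Device or Per User within 120 days of the first connection'
}

# GetSpecifiedLicenseServerList is the Windows Server 2008 WMI method behind the
# "use the specified license servers" discovery mode; an empty list means the
# terminal server relies on automatic discovery.
$lsList = @($tss.GetSpecifiedLicenseServerList().SpecifiedLSList | Where-Object { $_ })
if ($lsList.Count -gt 0) {
    Add-Finding 'License server discovery' ('Specified: ' + ($lsList -join ', ')) 'OK'
} else {
    Add-Finding 'License server discovery' 'No license server specified; automatic discovery' 'INFO'
}

# 3. Network Level Authentication on the RDP-Tcp listener (1 = NLA required).
$gs = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if ($gs.UserAuthenticationRequired -eq 1) {
    Add-Finding 'Network Level Authentication' 'Required' 'OK'
} else {
    Add-Finding 'Network Level Authentication' 'Not required' 'WARN: see Configure the Network Level Authentication Setting'
}

# 4. Who can connect: members of the local Remote Desktop Users group (via ADSI).
$group   = [ADSI]'WinNT://./Remote Desktop Users,group'
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
$memberText = if ($members.Count -gt 0) { $members -join ', ' } else { 'No members' }
Add-Finding 'Remote Desktop Users group' $memberText 'INFO: review before accepting remote connections'

$findings | Format-Table -Property Check, Result, Status -AutoSize -Wrap
```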

Task: Determine if you need a terminal server.
Reference: To allow remote connections for administrative purposes only, you do not need to install a terminal server. For more information about remote connections for administrative purposes, see Using Remote Desktop.

Task: Review licensing requirements for a terminal server.
Reference: Each user or computing device that connects to a terminal server must have a valid Terminal Services client access license (TS CAL). A terminal server running Windows Server 2008 can only communicate with a Terminal Services license server running Windows Server 2008, and the license server must have Windows Server 2008 TS CALs installed.

For more information about licensing requirements for Terminal Services, see the TS Licensing Step-by-Step Guide on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=85873).

Task: Decide which programs you want to host on the terminal server.
Reference: You should install the Terminal Server role service on the computer before you install any programs that you want to make available to users. If you install the Terminal Server role service on a computer that already has programs installed, some of the existing programs may not work correctly in a multiple user environment. Uninstalling and then reinstalling the affected programs may resolve these issues. For more information, see Install Programs on a Terminal Server.

Task: Review information about hardware requirements, and about capacity and scaling.
Reference: See the Checklist: Terminal Server Installation Prerequisites on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=101636).

Task: Determine if you need to deploy a load-balanced terminal server farm.
Reference: See the TS Session Broker Load Balancing Step-by-Step Guide on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=92670).

Task: Determine the Terminal Services licensing mode that the terminal server will use.
Reference: The Terminal Services licensing mode that is configured on a terminal server must match the type of TS CALs that are available on the Terminal Services license server. See Specify the Terminal Services Licensing Mode on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=101638).

Determine how the terminal server will discover

a license server.

A terminal server must be able to contact a

Terminal Services license server to request

TS CALs for users or computing devices that

are connecting to the terminal server.

For more information about license server

13

Page 14: TEST Terminal Services Deployment Guide

Task Reference

discovery, see the TS Licensing Step-by-Step

Guide on the Windows Server 2008 TechCenter

(http://go.microsoft.com/fwlink/?LinkId=85873).

Determine which users will be able to remotely

connect to the terminal server.

The Remote Desktop Users group on a terminal

server is used to give users and groups

permission to log on remotely to a terminal

server.

For more information, see Configure the

Remote Desktop Users Group.

Determine if the terminal server will require

Network Level Authentication.

You can enhance terminal server security by

providing user authentication early in the

connection process when a client connects to a

terminal server. This early user authentication

method is referred to as Network Level

Authentication.

For more information, see Configure the

Network Level Authentication Setting for a

Terminal Server.

Review information about Windows Firewall. The installation of the Terminal Server role

service changes the configuration of Windows

Firewall.

For more information, see Terminal Services

and Windows Firewall.

Using Remote Desktop

To allow remote connections for administrative purposes only, you do not have to install a terminal server. Instead, you can enable Remote Desktop on the computer that you want to remotely administer.

Note
Remote Desktop supports only two concurrent remote connections to the computer. You do not need Terminal Services client access licenses (TS CALs) for these connections.

You can use the following procedure to enable Remote Desktop on a computer running Windows Server 2008.

Membership in the local Administrators group, or equivalent, on the computer that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To enable Remote Desktop

1. Start the System tool. To start the System tool, click Start, click Run, type control system, and then click OK.
2. Under Tasks, click Remote settings.
3. In the System Properties dialog box, on the Remote tab, click either of the following, depending on your environment:
   • Allow connections from computers running any version of Remote Desktop (less secure)
   • Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)
   For more information about the two options, click the Help me choose link on the Remote tab.
4. Click Select Users to add the users and groups that need to connect to the computer by using Remote Desktop. The users and groups that you add are added to the Remote Desktop Users group.

Note
Members of the local Administrators group can connect even if they are not listed.

Installing Terminal Server on a Domain Controller

Installing a terminal server on an Active Directory domain controller is not recommended. Allowing users to run programs on a domain controller could create security risks and performance issues.

If the Terminal Server role service is installed on a domain controller, the security settings of the domain controller need to be adjusted to allow users remote access to the server. This remote access is controlled by the "Allow log on through Terminal Services" user rights assignment, which can be configured by using the Group Policy Management Console (GPMC).

On a domain controller, by default, only the Administrators group is granted the "Allow log on through Terminal Services" user right. To allow remote access to the terminal server for users who are not members of the Administrators group, you should grant the Remote Desktop Users group the "Allow log on through Terminal Services" user right.

For more information about using GPMC to configure user rights assignments, see the Windows Server 2008 Group Policy Management Console Help.

Note
Installing the TS Licensing role service on a domain controller is recommended in certain circumstances. If a Terminal Services license server is installed on a domain controller, terminal servers in the same domain as the license server will automatically be able to discover the license server. Because users are not connecting directly to the license server to run programs on the license server, the security risks and performance issues can be mitigated.

For more information about license server discovery and configuring TS Licensing, see the TS Licensing documentation on the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=73931).

Terminal Services and Windows Firewall

Windows Firewall is on by default in Windows Server 2008. Windows Firewall helps control which programs or ports can be used to communicate between the server running Windows Server 2008 and other computers on the network or the Internet. To allow a program or port to communicate through Windows Firewall, you need to enable an exception.

If you enable Remote Desktop, Windows Firewall automatically enables the Remote Desktop exception.

When the Terminal Server role service is installed, Windows Firewall automatically enables the following exceptions:

• Remote Desktop
• Terminal Services

If you install other Terminal Services role services, Windows Firewall automatically enables other exceptions. For example, when you install the TS Licensing role service, Windows Firewall enables the Terminal Services Licensing Server exception.

When you uninstall a role service from the computer, Windows Firewall automatically removes the exception for that role service.

Important
When the Terminal Server role service is uninstalled, only the Terminal Services exception is removed. The Remote Desktop exception is not removed.

Use the following procedure to view Windows Firewall exceptions.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To view Windows Firewall exceptions

1. Click Start, and then click Control Panel.
2. Click Security, and then click Windows Firewall.
3. Click Change Settings, and then, in the Windows Firewall Settings dialog box, click the Exceptions tab.
4. If the check box associated with the program or port listed is selected, the Windows Firewall exception for that program or port is enabled.

Some programs only appear in the list when the role service is installed. For example, the Terminal Services Licensing Server program only appears in the list when the TS Licensing role service is installed on the computer.

To view more detailed information about Windows Firewall settings, use the Windows Firewall with Advanced Security snap-in.

Use the following procedure to use Windows Firewall with Advanced Security.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To use the Windows Firewall with Advanced Security snap-in

1. Click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.
2. To view detailed information about Windows Firewall settings, click either of the following nodes in the left pane:
   • Inbound rules
   • Outbound rules

For more information about configuring Windows Firewall, see the Windows Server 2008 Windows Firewall with Advanced Security Help.

For more information about Terminal Services-specific Windows Firewall exceptions, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).
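A scripted counterpart to the two viewing procedures above, added here as an example and not taken from the guide: it reads the inbound rules with netsh, keeps those in the exception groups the text names, and shows which are enabled. It assumes that "netsh advfirewall firewall show rule" prints one block per rule with "Rule Name:", "Enabled:", "Grouping:" and "LocalPort:" fields and that the group names match the exception names in the Exceptions tab.

```powershell
# Added example (not from the guide): list inbound Windows Firewall rules in the
# Terminal Services-related exception groups and report their enabled state.
# Assumption: netsh prints one block per rule with the field names used below, and
# the "Grouping:" value equals the exception name shown in Control Panel.
$GroupsOfInterest = @('Remote Desktop', 'Terminal Services', 'Terminal Services Licensing Server')

function Get-FirewallRuleBlocks {
    # Splits netsh output into one hashtable (field -> value) per rule
    $rules = @()
    $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($current) { $rules += $current }
            $current = @{ 'Rule Name' = $Matches[1].Trim() }
        } elseif ($current -and $line -match '^([A-Za-z ]+):\s*(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $rules += $current }
    return $rules
}

function Get-TsFirewallExceptions {
    # One object per rule whose group is one of the exceptions the guide describes
    foreach ($r in Get-FirewallRuleBlocks) {
        if ($GroupsOfInterest -contains $r['Grouping']) {
            New-Object PSObject -Property @{
                Group   = $r['Grouping']
                Rule    = $r['Rule Name']
                Port    = $r['LocalPort']
                Enabled = ($r['Enabled'] -eq 'Yes')
            }
        }
    }
}

$exceptions = @(Get-TsFirewallExceptions)
if ($exceptions.Count -eq 0) {
    Write-Warning 'No rules found in the expected groups; compare the group names with the Exceptions tab.'
} else {
    $exceptions | Sort-Object Group, Rule | Format-Table Group, Rule, Port, Enabled -AutoSize
}
# Per the caveat above, the Remote Desktop exception survives uninstalling the Terminal
# Server role service, so re-run this check afterwards and disable the rule if it is no longer needed.
```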

Checklist: Configuring Terminal Server

A terminal server is the server that hosts Windows-based programs or the full Windows desktop for Terminal Services clients. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server. Users can access a terminal server by using Remote Desktop Connection or by using TS RemoteApp.

This checklist provides tasks that an administrator needs to complete to install and configure a terminal server.

Please note the following:

• Installing the Terminal Server role service requires the computer to be restarted.
• Installing a terminal server on an Active Directory domain controller is not recommended. For more information, see Installing Terminal Server on a Domain Controller.
• Installing the Terminal Server role service on the computer before you install any programs that you want to make available to users is recommended. For more information, see Install Programs on a Terminal Server.

Task: Review prerequisites for installing a terminal server.
Reference: Installation Prerequisites for Terminal Server

Task: Install the Terminal Server role service.
Reference: Install the Terminal Server Role Service

Task: Configure the license settings on the terminal server.
Reference: Configure License Settings for a Terminal Server

Task: Configure the Network Level Authentication setting for the terminal server.
Reference: Configure the Network Level Authentication Setting for a Terminal Server

Task: Install programs on the terminal server.
Reference: Install Programs on a Terminal Server

Task: Configure which users can remotely connect to the terminal server.
Reference: Configure the Remote Desktop Users Group

Configuring Terminal Server

This section provides procedures for configuring a terminal server. It includes the following topics:

• Install the Terminal Server Role Service
• Configure License Settings for a Terminal Server
• Configure the Network Level Authentication Setting for a Terminal Server
• Install Programs on a Terminal Server
• Configure the Remote Desktop Users Group

Install the Terminal Server Role Service

In Windows Server 2008, you can use Server Manager to install the Terminal Server role service. For more information about other ways to install the Terminal Server role service, including by using servermanagercmd.exe, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).

Use the following procedure to install the Terminal Server role service by using Server Manager if Terminal Services is not already installed on the server. If Terminal Services is already installed on the server, see Install the Terminal Server role service (when Terminal Services is already installed).

To install the Terminal Server role service

1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
2. In the left pane, right-click Roles, and then click Add Roles.
3. In the Add Roles Wizard, on the Before You Begin page, click Next.
4. On the Select Server Roles page, under Roles, select the Terminal Services check box.
   Note
   If Terminal Services is already installed on the server, the Terminal Services check box will be selected and dimmed.
5. Click Next.
6. On the Terminal Services page, click Next.
7. On the Select Role Services page, select the Terminal Server check box, and then click Next.
   Note
   If you are installing the Terminal Server role service on a domain controller, you will receive a warning message because installing the Terminal Server role service on a domain controller is not recommended. For more information, see Installing Terminal Server on a Domain Controller.
8. On the Uninstall and Reinstall Applications for Compatibility page, click Next.
9. On the Specify Authentication Method for Terminal Server page, select the appropriate authentication method for the terminal server, and then click Next. For more information about authentication methods, see Configure the Network Level Authentication Setting for a Terminal Server.
10. On the Specify Licensing Mode page, select the appropriate licensing mode for the terminal server, and then click Next. For more information about licensing modes, see Specify the Terminal Services Licensing Mode.
11. On the Select User Groups Allowed Access To This Terminal Server page, add the users or user groups that you want to be able to remotely connect to this terminal server, and then click Next. For more information, see Configure the Remote Desktop Users Group.
12. On the Confirm Installation Selections page, verify that the Terminal Server role service will be installed, and then click Install.
13. On the Installation Progress page, installation progress will be noted.
14. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close, and then click Yes to restart the server.
15. If you are prompted that other programs are still running, do either of the following:
   • To close the programs manually and restart the server later, click Cancel.
   • To automatically close the programs and restart the server, click Restart now.
16. After the server restarts and you log on to the computer, the remaining steps of the installation will finish. When the Installation Results page appears, confirm that the installation of Terminal Server succeeded.
   You can also confirm that Terminal Server is installed by following these steps:
   a. Start Server Manager.
   b. Under Roles Summary, click Terminal Services.
   c. Under System Services, confirm that Terminal Services has a status of Running.
   d. Under Role Services, confirm that Terminal Server has a status of Installed.

Install the Terminal Server role service (when Terminal Services is already installed)

Use the following procedure to install the Terminal Server role service when Terminal Services is already installed on the server.

Membership in the local Administrators group, or equivalent, on the terminal server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

Important
The installation of the Terminal Server role service requires the computer to be restarted.

To install the Terminal Server role service when Terminal Services is already installed

1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
2. In the left pane, expand Roles.
3. Right-click Terminal Services, and then click Add Role Services.
4. On the Select Role Services page, select the Terminal Server check box, and then click Next.
   Note
   If you are installing the Terminal Server role service on a domain controller, you will receive a warning message because installing the Terminal Server role service on a domain controller is not recommended. For more information, see Installing Terminal Server on a Domain Controller.
5. On the Uninstall and Reinstall Applications for Compatibility page, click Next.
6. On the Specify Authentication Method for Terminal Server page, select the appropriate authentication method for the terminal server, and then click Next. For more information about authentication methods, see Configure the Network Level Authentication Setting for a Terminal Server.
7. On the Specify Licensing Mode page, select the appropriate licensing mode for the terminal server, and then click Next. For more information about licensing modes, see Specify the Terminal Services Licensing Mode.
8. On the Select User Groups Allowed Access To This Terminal Server page, add the users or user groups that you want to be able to remotely connect to this terminal server, and then click Next. For more information, see Configure the Remote Desktop Users Group.
9. On the Confirm Installation Selections page, verify that the Terminal Server role service will be installed, and then click Install.
10. On the Installation Progress page, installation progress will be noted.
11. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close, and then click Yes to restart the server.
12. If you are prompted that other programs are still running, do either of the following:
   • To close the programs manually and restart the server later, click Cancel.
   • To automatically close the programs and restart the server, click Restart now.
13. After the server restarts and you log on to the computer, the remaining steps of the installation will finish. When the Installation Results page appears, confirm that the installation of Terminal Server succeeded.
   You can also confirm that Terminal Server is installed by following these steps:
   a. Start Server Manager.
   b. Under Roles Summary, click Terminal Services.
   c. Under System Services, confirm that Terminal Services has a status of Running.
   d. Under Role Services, confirm that Terminal Server has a status of Installed.
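The unattended counterpart to both Server Manager procedures above, added here as an example and not taken from the guide: it uses servermanagercmd.exe, which the text mentions, to check whether the role service is installed, install it if not, and then perform the same verification as steps a to d. The role service identifier TS-Terminal-Server and the "[X]" marker in the "-query" output are assumptions to confirm against "ServerManagerCmd.exe -query" on the target server.

```powershell
# Added example (not from the guide): install the Terminal Server role service from the
# command line instead of the Add Roles Wizard. Assumptions: ServerManagerCmd.exe names the
# role service TS-Terminal-Server, and "-query" prints installed components with an "[X]"
# marker, e.g. "    [X] Terminal Server  [TS-Terminal-Server]".
$RoleServiceId = 'TS-Terminal-Server'

function Get-RoleServiceState {
    param([string]$Id)
    # The -query line for $Id carries [X] when installed and [ ] when not
    $line = ServerManagerCmd.exe -query | Where-Object { $_ -match [regex]::Escape("[$Id]") }
    if (-not $line) { return 'Unknown' }
    if ($line -match '\[X\]') { return 'Installed' } else { return 'NotInstalled' }
}

switch (Get-RoleServiceState -Id $RoleServiceId) {
    'Installed' {
        Write-Host "$RoleServiceId is already installed."
    }
    'NotInstalled' {
        # The guide notes that installing this role service requires a restart; -restart lets
        # ServerManagerCmd reboot once the install completes. Exit code 3010 means
        # "succeeded, restart pending" when no restart was performed.
        Write-Host "Installing $RoleServiceId (the server will restart)..."
        ServerManagerCmd.exe -install $RoleServiceId -restart
        if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010) {
            throw "ServerManagerCmd returned exit code $LASTEXITCODE"
        }
    }
    default {
        throw "Could not find $RoleServiceId in ServerManagerCmd -query output; check the identifier."
    }
}

# Equivalent of steps a-d: the Terminal Services service (TermService) must be Running
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    Write-Host 'Terminal Services (TermService) is Running.'
} else {
    Write-Warning 'Terminal Services (TermService) is not running; the installation may not have finished (a restart may still be pending).'
}
```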

Configure License Settings for a Terminal Server

Each user or computing device that connects to a terminal server must have a valid Terminal Services client access license (TS CAL) issued by a Terminal Services license server.

To ensure that a terminal server can contact (discover) a Terminal Services license server to request TS CALs for client computers, you need to do the following on the terminal server:

• Specify the Terminal Services Licensing Mode
• Specify the License Server Discovery Mode

Specify the Terminal Services Licensing Mode

The Terminal Services licensing mode determines the type of Terminal Services client access licenses (TS CALs) that a terminal server will request from a license server on behalf of a client that is connecting to the terminal server.

Important
The Terminal Services licensing mode that is configured on a terminal server must match the type of TS CALs that are available on the license server.

There are two types of TS CALs:

• TS Per Device CAL, which permits one device (used by any user) to connect to a terminal server.
• TS Per User CAL, which gives one user the right to access terminal servers from an unlimited number of client computers or devices.

The Terminal Services licensing mode for the terminal server can be set in the following ways:

• During the installation of the Terminal Server role service in Server Manager, on the Specify Licensing Mode page in the Add Roles Wizard.
  On the Specify Licensing Mode page, you can select Configure later if you are unsure during the installation whether to select Per Device or Per User. If you select Configure later, each time that you log on to the terminal server, a message appears in the lower-right corner of the desktop reminding you that you need to configure the licensing mode for the terminal server.
• By using the Terminal Services Configuration tool to configure the Terminal Services licensing mode for the terminal server.
  If the Specify the Terminal Services licensing mode choices are dimmed and you cannot make a selection, the Set Terminal Services licensing mode Group Policy setting has been enabled and applied to the terminal server.
• By applying the Set Terminal Services licensing mode Group Policy setting.
  This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Licensing and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that this Group Policy setting takes precedence over the setting configured in Terminal Services Configuration.

For more information about TS CALs and configuring TS Licensing, see the TS Licensing documentation on the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=73931).

For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).

Specify the License Server Discovery Mode

A terminal server must be able to contact (discover) a Terminal Services license server to request Terminal Services client access licenses (TS CALs) for users or computing devices that are connecting to the terminal server.

You can set the license server discovery mode for the terminal server in the following ways:

• By configuring License Server discovery mode for the terminal server in the Terminal Services Configuration tool.
  If the Specify the license server discovery mode choices are dimmed and you cannot make a selection, the Use the specified Terminal Services license servers Group Policy setting has been enabled and has been applied to the terminal server.
• By applying the Use the specified Terminal Services license servers Group Policy setting.
  This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Licensing and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that this Group Policy setting takes precedence over the setting configured in Terminal Services Configuration.

In the license server discovery process, a terminal server in a Windows Server-based domain attempts to contact a license server in the following order:

1. License servers that are specified in Terminal Services Configuration
2. A license server that is installed on the same computer as the terminal server
3. License servers that are published in Active Directory Domain Services
4. License servers that are installed on domain controllers in the same domain as the terminal server

Important
To see which license servers the terminal server discovers and to be alerted to possible licensing discovery and configuration issues, use Licensing Diagnosis in Terminal Services Configuration. For information about Licensing Diagnosis, see the topic "Identify Possible Licensing Problems for the Terminal Server" in the Windows Server 2008 Terminal Services Configuration Help (http://go.microsoft.com/fwlink/?Linkid=118659).

For more information about license server discovery and configuring TS Licensing, see the TS Licensing documentation on the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=73931).

For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).
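A script covering both of the preceding topics (licensing mode and license server discovery), added here as an example and not taken from the guide: it sets the mode and the specified license servers through WMI, and, because the text says the Group Policy settings take precedence, it first checks whether a policy is in force and refuses to touch a value the policy controls. It assumes the Win32_TerminalServiceSetting class in root\cimv2\TerminalServices with LicensingType (2 = Per Device, 4 = Per User), ChangeMode() and Get/SetSpecifiedLicenseServerList(), and that the two policies are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services as LicensingMode (DWORD) and LicenseServers (string); the license server name is a constructed sample.

```powershell
# Added example (not from the guide): set and verify the licensing mode and the specified
# license servers, honouring Group Policy precedence. Assumptions: the WMI class, method and
# property names below, and the policy registry value names LicensingMode and LicenseServers.
$DesiredMode    = 4                         # 2 = Per Device, 4 = Per User; must match the TS CALs held by the license server
$LicenseServers = 'ts-lic01.example.local'  # constructed sample; comma-separate several servers

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ModeNames = @{ 2 = 'Per Device'; 4 = 'Per User' }

function Get-PolicyValue {
    param([string]$Name)
    # Returns $null when no policy is applied, which is the normal state on an unmanaged server
    if (-not (Test-Path $PolicyKey)) { return $null }
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$Name]) { return $props.$Name } else { return $null }
}

$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TerminalServiceSetting

# 1. Licensing mode: the policy wins, so report rather than "fix" a policy-controlled value
$policyMode = Get-PolicyValue -Name 'LicensingMode'
if ($policyMode -ne $null) {
    Write-Host ("Licensing mode is set by Group Policy: {0}" -f $ModeNames[[int]$policyMode])
    if ([int]$policyMode -ne $DesiredMode) {
        Write-Warning 'Desired mode differs from the policy; change the GPO, not the local setting.'
    }
} elseif ($ts.LicensingType -ne $DesiredMode) {
    Write-Host ("Changing licensing mode from {0} to {1}" -f $ts.LicensingType, $ModeNames[$DesiredMode])
    $result = $ts.ChangeMode($DesiredMode)
    if ($result.ReturnValue -ne 0) { throw "ChangeMode failed with return value $($result.ReturnValue)" }
} else {
    Write-Host ("Licensing mode is already {0}" -f $ModeNames[$DesiredMode])
}

# 2. License server discovery: specified servers are the first step in the discovery order above
$policyServers = Get-PolicyValue -Name 'LicenseServers'
if ($policyServers) {
    Write-Host "License servers are set by Group Policy: $policyServers"
} else {
    $current = $ts.GetSpecifiedLicenseServerList().SpecifiedLSList
    if (-not $current -or (($current -join ',') -ne $LicenseServers)) {
        Write-Host "Setting specified license servers to $LicenseServers"
        $result = $ts.SetSpecifiedLicenseServerList($LicenseServers)
        if ($result.ReturnValue -ne 0) { throw "SetSpecifiedLicenseServerList failed: $($result.ReturnValue)" }
    } else {
        Write-Host "Specified license servers are already $LicenseServers"
    }
}
# Licensing Diagnosis in Terminal Services Configuration remains the place to confirm the
# servers are actually reachable and hold TS CALs of the configured type.
```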

Configure the Network Level Authentication Setting for a Terminal Server

You can enhance terminal server security by providing user authentication early in the connection process when a client connects to a terminal server. This early user authentication method is referred to as Network Level Authentication.

Network Level Authentication completes user authentication before you establish a Remote Desktop connection and the logon screen appears. This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software. The advantages of using Network Level Authentication are:

• It requires fewer remote computer resources initially. The remote computer uses a limited number of resources before authenticating the user, rather than starting a full Remote Desktop connection as in previous versions.
• It reduces the risk of denial-of-service attacks.

To use Network Level Authentication, you need to meet all of the following requirements:

• On the client computer, use at least Remote Desktop Connection 6.0.
• On the client computer, use an operating system, such as Windows Vista, that supports the Credential Security Support Provider (CredSSP) protocol.
• On the terminal server, use Windows Server 2008.

You can configure a terminal server to only support connections from client computers running Network Level Authentication. The Network Level Authentication setting for a terminal server can be set in the following ways:

• During the installation of the Terminal Server role service in Server Manager, on the Specify Authentication Method for Terminal Server page in the Add Roles Wizard.
• On the Remote tab in the System Properties dialog box on a terminal server. For more information, see Change Remote Connection Settings.
  If the Allow connections from computers running any version of Remote Desktop (less secure) option is not selected and is dimmed, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled and has been applied to the terminal server.
• On the General tab of the Properties dialog box for a connection in the Terminal Services Configuration tool, by selecting the Allow connections only from computers running Remote Desktop with Network Level Authentication check box.
  If the Allow connections only from computers running Remote Desktop with Network Level Authentication check box is selected and is dimmed, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled and has been applied to the terminal server.
• By applying the Require user authentication for remote connections by using Network Level Authentication Group Policy setting.
  This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that this Group Policy setting takes precedence over the setting configured in Terminal Services Configuration or on the Remote tab.

To determine whether a computer is running a version of Remote Desktop Connection that supports Network Level Authentication, start Remote Desktop Connection, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase "Network Level Authentication supported."

For more information about security and Terminal Services, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkID=73931).

For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).

Install Programs on a Terminal Server

You should install the Terminal Server role service on the computer before you install any programs that you want to make available to users. If you install the Terminal Server role service on a computer that already has programs installed, some of the existing programs may not work correctly in a multiple user environment. Uninstalling and then reinstalling the affected programs may resolve these issues.

To ensure that an application is installed correctly to work in a multiple user environment, you must put the terminal server into a special installation mode before you install the application on the terminal server. This special installation mode ensures that the correct registry entries and .ini files that are needed to support running the application in a multiple user environment are created during the installation process.

You can put a terminal server into this special installation mode by using either of the following:

• Install Application on Terminal Server tool under Programs in Control Panel. This tool runs a wizard to help install the application.
• Change user /install command at a command prompt. You will have to start the installation of the application manually.

After the application is installed, you must put the terminal server into execution mode before remote users begin using the application. The Install Application on Terminal Server tool will automatically put the terminal server into execution mode when it is finished running. To put the terminal server into execution mode from a command prompt, use the change user /execute command.

Additional considerations

• Some programs may require minor setup modifications to run correctly on a terminal server.
• If you have programs that are related to each other or have dependencies on each other, you should install the programs on the same terminal server. For example, you should install Microsoft® Office as a suite on the same terminal server instead of installing individual Office programs on separate terminal servers.
• You should consider installing individual programs on separate terminal servers in the following circumstances:
  • The program has compatibility issues that may affect other programs.
  • A single program and the number of associated users may fill server capacity.
• For more information about the change user command-line tool, see the Terminal Services Command Reference (http://go.microsoft.com/fwlink/?LinkId=89674).
• For more information about deploying programs on a terminal server, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=79608).
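The command-prompt path described above, wrapped so the server cannot be left in install mode when an installer fails; this is an added example, not code from the guide. The "change user" commands are the ones the text names; the installer path and arguments are placeholders, and the script assumes "change user /query" prints a line containing "INSTALL mode" or "EXECUTE mode".

```powershell
# Added example (not from the guide): run an application installer on a terminal server in
# install mode and always return to execute mode afterwards. Placeholders: $InstallerPath and
# $InstallerArgs. Assumption: "change user /query" reports "...INSTALL mode..." or "...EXECUTE mode...".
$InstallerPath = 'C:\Installers\ExampleApp\setup.exe'   # placeholder
$InstallerArgs = '/quiet'                                 # placeholder

function Get-TsInstallMode {
    # Parses "change user /query" into 'Install' or 'Execute'
    $out = (change user /query) -join ' '
    if ($out -match 'INSTALL mode') { return 'Install' }
    if ($out -match 'EXECUTE mode') { return 'Execute' }
    throw "Unexpected output from 'change user /query': $out"
}

function Install-OnTerminalServer {
    param([string]$Path, [string]$Arguments)
    if (-not (Test-Path $Path)) { throw "Installer not found: $Path" }

    # Install mode makes the per-user registry entries and .ini files the installer writes
    # available to every user of the server, as the text describes
    change user /install | Out-Null
    if ((Get-TsInstallMode) -ne 'Install') { throw 'Could not put the terminal server into install mode' }
    try {
        $proc = Start-Process -FilePath $Path -ArgumentList $Arguments -Wait -PassThru
        if ($proc.ExitCode -ne 0) {
            throw "Installer exited with code $($proc.ExitCode)"
        }
    } finally {
        # Runs whether the installer succeeded or threw: remote users must never work on a
        # server that is still in install mode
        change user /execute | Out-Null
        Write-Host ("Terminal server mode is now: {0}" -f (Get-TsInstallMode))
    }
}

Install-OnTerminalServer -Path $InstallerPath -Arguments $InstallerArgs
```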

Configure the Remote Desktop Users Group

The Remote Desktop Users group on a terminal server is used to give users and groups permission to remotely connect to a terminal server.

You can add users and groups to the Remote Desktop Users group by using one of the following:

• Local Users and Groups snap-in
• Active Directory Users and Computers snap-in, if the terminal server is installed on a domain controller
• The Remote tab in the System Properties dialog box on a terminal server

You can use the following procedure to add users and groups to the Remote Desktop Users group by using the Remote tab in the System Properties dialog box on a terminal server.

Membership in the local Administrators group, or equivalent, on the terminal server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To add users and groups to the Remote Desktop Users group by using the Remote tab

1. Start the System tool. To start the System tool, click Start, click Run, type control system, and then click OK.
2. Under Tasks, click Remote settings.
3. In the System Properties dialog box, on the Remote tab, click Select Users. Add the users or groups that need to connect to the terminal server by using Remote Desktop. The users and groups that you add are added to the Remote Desktop Users group.

Note
Members of the local Administrators group can connect even if they are not listed.

If you select Don't allow connections to this computer on the Remote tab, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group.

Managing Terminal Server

This section provides procedures for managing a terminal server. It includes the following topics:

- Change Remote Connection Settings
- Enable Single Sign-On for Terminal Services
- Manage User Profiles for Terminal Services
- Install Desktop Experience on a Terminal Server
- Configure Font Smoothing for Remote Sessions
- Monitor a Terminal Server with Windows System Resource Manager
- Uninstall the Terminal Server Role Service
- Deny Logon Requests to a Terminal Server

Change Remote Connection Settings

On the terminal server, on the Remote tab in the System Properties dialog box, you can change the following remote connection settings:

- Network Level Authentication requirement for Remote Desktop connections
- Membership of the Remote Desktop Users group

Membership in the local Administrators group, or equivalent, on the terminal server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To change remote connection settings

1. Start the System tool. To start the System tool, click Start, click Run, type control system and then click OK.
2. Under Tasks, click Remote settings.
3. In the System Properties dialog box, on the Remote tab, click either of the following, depending on your environment:
   - Allow connections from computers running any version of Remote Desktop (less secure)
   - Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)
   For more information about the two options, click the Help me choose link on the Remote tab.
   On the Remote tab, if you select Don't allow connections to this computer, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group.
4. Click Select Users to add the users and groups that need to connect to the computer by using Remote Desktop. The users and groups that you add are added to the Remote Desktop Users group.

Note
Members of the local Administrators group can connect even if they are not listed.
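As an added check that is not part of this guide, the following PowerShell script reads the registry values behind the Remote tab (fDenyTSConnections, UserAuthentication and SecurityLayer under the Terminal Server key) and lists the members of the Remote Desktop Users group, so a server's remote connection settings can be audited without opening System Properties. Requiring Network Level Authentication matters because the user is authenticated before a session is created, so unauthenticated clients never reach the logon screen; the script assumes it is run in an elevated session on the terminal server itself.

```powershell
# Added audit example (not from the guide). Run elevated on the terminal server
# (Windows Server 2008 / PowerShell 2.0); it only reads, it changes nothing.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns the DWORD value, or $null when the value has never been written.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$Name } else { return $null }
}

$deny = Get-RegDword $tsKey  'fDenyTSConnections'   # 1 = "Don't allow connections to this computer"
$nla  = Get-RegDword $rdpKey 'UserAuthentication'   # 1 = Network Level Authentication required
$sec  = Get-RegDword $rdpKey 'SecurityLayer'        # 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS 1.0)

$secName = switch ($sec) { 0 {'RDP Security Layer'} 1 {'Negotiate'} 2 {'SSL (TLS 1.0)'} default {"unknown ($sec)"} }
$allowed = if ($deny -eq 0) { 'yes' } else { "no ('Don't allow connections to this computer' is selected)" }
$nlaText = if ($nla -eq 1) { 'yes (more secure)' } else { 'NO - any version of Remote Desktop is accepted (less secure)' }

Write-Output "Remote connections allowed : $allowed"
Write-Output "NLA required               : $nlaText"
Write-Output "Security layer             : $secName"

# Enumerate the Remote Desktop Users group through ADSI (Get-LocalGroupMember does not exist on this OS).
# Remember that local Administrators can connect even though they are not listed here.
$group   = [ADSI]'WinNT://./Remote Desktop Users,group'
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
})
Write-Output "Remote Desktop Users ($($members.Count) member(s)):"
$members | ForEach-Object { Write-Output "  $_" }
```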

Enable Single Sign-On for Terminal Services

Single sign-on (SSO) is an authentication method that allows users with a domain account to log on once, by using a password or smart card, and then gain access to remote servers without being asked for their credentials again.

To implement single sign-on functionality in Terminal Services, ensure that you meet the following requirements:

- You can only use single sign-on for remote connections from a computer running Windows Vista to a terminal server running Windows Server 2008. You can also use single sign-on for remote connections from one server running Windows Server 2008 to another server running Windows Server 2008.
- The user accounts that are used for logging on have appropriate rights to log on to both the terminal server and the Windows Vista client computer.
- Your client computer and terminal server must be joined to a domain.

To configure the recommended settings for your terminal server, complete the following steps:

- Configure authentication on the terminal server.
- Configure the computer running Windows Vista to allow default credentials to be used for logging on to the specified terminal servers.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure authentication on the terminal server

1. Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
2. Under Connections, right-click the appropriate connection (for example, RDP-Tcp), and then click Properties.
3. In the Properties dialog box, on the General tab, verify that the Security Layer value is set to either Negotiate or SSL (TLS 1.0).
4. On the Log on Settings tab, ensure that the Always prompt for password check box is not selected, and then click OK.

To allow default credential usage for single sign-on

1. On the Windows Vista-based computer, open the Local Group Policy Editor. To open the Local Group Policy Editor, click Start, and in the Start Search box, type gpedit.msc and then press ENTER.
2. In the left pane, expand the following: Computer Configuration, Administrative Templates, System, and then click Credentials Delegation.
3. Double-click Allow Delegating Default Credentials.
4. In the Properties dialog box, on the Setting tab, click Enabled, and then click Show.
5. In the Show Contents dialog box, click Add to add servers to the list.
6. In the Add Item dialog box, in the Enter the item to be added box, type the prefix termsrv/ followed by the name of the terminal server; for example, termsrv/Server1, and then click OK.
7. Click OK to close the Properties dialog box.

For more information about security and Terminal Services, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkID=73931).
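An added example for the client side of this procedure, not from the guide: the Allow Delegating Default Credentials policy is written to HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, with the server list stored as numbered values in an AllowDefaultCredentials subkey. The script below lists those entries on a Windows Vista client and flags any that do not name a single terminal server in the termsrv/<server> form this procedure adds, because a wildcard or an unrelated SPN would hand the user's default credentials to more hosts than intended; the function names are the author's own.

```powershell
# Added review script (not from the guide). Run on the Windows Vista client after the procedure above.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$listKey   = "$policyKey\AllowDefaultCredentials"   # list items are stored as values named "1", "2", ...

function Get-DefaultCredentialTargets {
    # Returns the SPN strings from the policy's list subkey, in the order the GUI shows them.
    if (-not (Test-Path $listKey)) { return @() }
    $item = Get-ItemProperty -Path $listKey
    @($item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value })
}

function Test-DelegationTarget([string]$Target) {
    # Accepts only an explicit terminal server SPN (termsrv/<server>); anything broader widens
    # the set of hosts that receive the user's default credentials.
    if ($Target -notmatch '^termsrv/') { return "$Target : not a termsrv/ SPN; this procedure expects termsrv/<server>" }
    if ($Target -match '\*')           { return "$Target : wildcard; default credentials would be delegated to every matching host" }
    return "$Target : ok"
}

$enabled = (Get-ItemProperty -Path $policyKey -Name AllowDefaultCredentials -ErrorAction SilentlyContinue).AllowDefaultCredentials
if ($enabled -ne 1) {
    Write-Output 'Allow Delegating Default Credentials is not enabled; connections to the terminal server will prompt for credentials.'
} else {
    $targets = Get-DefaultCredentialTargets
    Write-Output "Allow Delegating Default Credentials is enabled for $($targets.Count) target(s):"
    $targets | ForEach-Object { Write-Output ('  ' + (Test-DelegationTarget $_)) }
}
```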

Manage User Profiles for Terminal Services

A user profile describes the configuration for a specific user, including the user's environment and preference settings. Unless you carefully plan and manage user profiles in a terminal server environment, user profiles can become large in size and can cause problems, such as slow logon times, when a user connects to a terminal server. User profile management is also important when users connect to several terminal servers or connect to terminal servers in remote locations.

You can specify a Terminal Services-specific profile path and home folder for a user connecting to a terminal server. This profile and home folder will only be used for Terminal Services sessions. You should assign a separate profile for Terminal Services sessions because many of the common options that are stored in profiles, such as screen savers and animated menu effects, are not desirable when using Terminal Services.

You can manually configure these settings on the Terminal Services Profile tab on the Properties sheet of a user account in the Local Users and Groups snap-in or the Active Directory Users and Computers snap-in.

You can also use the following Group Policy settings to configure these settings:

- Set TS User Home Directory
- Set path for TS Roaming Profiles
- Use mandatory profiles on the terminal server

These Group Policy settings are located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Profiles, and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC).

For more information about implementing user profiles for users connecting to a terminal server, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=73931).

For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).

Install Desktop Experience on a Terminal Server

When a user uses Remote Desktop Connection to connect to a terminal server, the desktop that exists on the terminal server is reproduced by default in the remote session. To make the remote session look and feel more like the user's local Windows Vista desktop experience, install the Desktop Experience feature on a terminal server running Windows Server 2008. Desktop Experience installs applications and features of Windows Vista, such as Windows Media Player, Windows Defender, and Windows Calendar.

Install Desktop Experience

Use the following procedure to install Desktop Experience on the server.

Membership in the local Administrators group, or equivalent, on the terminal server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

Important
After installing Desktop Experience, you need to restart the computer.

To install Desktop Experience

1. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
2. Under Features Summary, click Add Features.
3. On the Select Features page, select the Desktop Experience check box, and then click Next.
4. On the Confirm Installation Selections page, verify that the Desktop Experience feature will be installed, and then click Install.
5. On the Installation Progress page, installation progress will be noted.
6. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close, and then click Yes to restart the server.
7. After the server restarts and you log on to the computer, the remaining steps of the installation will finish. When the Installation Results page appears, confirm that the installation of Desktop Experience succeeded.
   You can also confirm that Desktop Experience is installed by following these steps:
   a. Start Server Manager.
   b. Under Features Summary, confirm that Desktop Experience is listed as installed.

After you install Desktop Experience, the Windows Vista applications, such as Windows Calendar, will appear under All Programs on the Start menu.

For more information about configuring the look and feel of remote sessions, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).

Uninstall Desktop Experience

Use the following procedure to uninstall Desktop Experience from the server.

Membership in the local Administrators group, or equivalent, on the terminal server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

Important
After uninstalling Desktop Experience, you need to restart the computer.

To uninstall Desktop Experience

1. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
2. Under Features Summary, click Remove Features.
3. On the Select Features page, clear the Desktop Experience check box, and then click Next.
4. On the Confirm Removal Selections page, click Remove.
5. On the Removal Progress page, removal progress will be noted.
6. On the Removal Results page, you are prompted to restart the server to finish the removal process. Click Close, and then click Yes to restart the server.
7. After the server restarts and you log on to the computer, the remaining steps of the removal process will finish. When the Removal Results page appears, confirm that the removal of Desktop Experience succeeded.
   You can also confirm that Desktop Experience is removed by following these steps:
   a. Start Server Manager.
   b. Under Features Summary, confirm that Desktop Experience is no longer listed as installed.

Configure Font Smoothing for Remote Sessions

Windows Server 2008 supports ClearType®, which is a technology for displaying computer fonts so that they appear clear and smooth, especially when you are using an LCD monitor.

A terminal server running Windows Server 2008 can provide ClearType functionality in a remote session when a client computer connects to the terminal server by using Remote Desktop Connection.

Note
ClearType functionality is referred to as font smoothing in Remote Desktop Connection.

Font smoothing is available if the client computer is running any of the following:

- Windows Vista
- Windows Server 2003 with SP1 and at least Remote Desktop Connection 6.0
- Windows XP with SP2 and at least Remote Desktop Connection 6.0

Important
Using font smoothing in a remote session will increase the amount of bandwidth used between the client computer and the terminal server.

Use the following procedure on the client computer to make font smoothing available for a remote session.

To make font smoothing available in a remote session

1. Open Remote Desktop Connection. To open Remote Desktop Connection on Windows Vista, click Start, point to All Programs, click Accessories, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options.
3. On the Experience tab, select the Font smoothing check box.
4. Configure any remaining connection settings, and then click Connect.

Monitor a Terminal Server with Windows System Resource Manager

Windows System Resource Manager (WSRM) on Windows Server 2008 allows you to control how CPU and memory resources are allocated to applications, services, and processes on the computer. Managing resources in this way improves system performance and reduces the chance that applications, services, or processes will take CPU or memory resources away from one another and slow down the performance of the computer. Managing resources also creates a more consistent and predictable experience for users of applications and services that are running on the computer.

You can use WSRM to manage multiple applications on a single computer or to manage users on a computer on which Terminal Services is installed.

Note
Install the Terminal Server role service on your computer before you install and configure WSRM. To install WSRM, go to Features in Server Manager.

For more information about installing, configuring, and using WSRM, see the Windows Server 2008 Windows System Resource Manager Help.

There are two features of WSRM that are of particular interest to terminal server administrators:

- Resource-Allocation Policies
- Resource Monitor

Resource-Allocation Policies

WSRM uses resource-allocation policies to determine how computer resources, such as CPU and memory, are allocated to processes running on the computer. Two resource-allocation policies that are specifically designed for computers running Terminal Services are:

- Equal_Per_User
- Equal_Per_Session

The Equal_Per_Session resource-allocation policy is new for Windows Server 2008.

If you implement the Equal_Per_Session resource-allocation policy, each user session (and its associated processes) gets an equal share of the CPU resources on the computer.

Resource Monitor

You should collect data about the performance of your terminal server before and after implementing the Equal_Per_Session resource-allocation policy (or making any other WSRM-related configuration changes). You can use Resource Monitor in the Windows System Resource Manager snap-in to collect and view data about the usage of hardware resources and the activity of system services on the computer.

Uninstall the Terminal Server Role Service

Use the following procedure to uninstall the Terminal Server role service from the server.

Membership in the local Administrators group, or equivalent, on the terminal server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

Important
The removal of the Terminal Server role service from the server requires the computer to be restarted.

To uninstall the Terminal Server role service

1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
2. In the left pane, expand Roles.
3. Right-click Terminal Services, and then click Remove Role Services.
4. On the Select Role Services page, clear the Terminal Server check box, and then click Next.
5. On the Confirm Removal Selections page, click Remove.
6. On the Removal Progress page, removal progress will be noted.
7. On the Removal Results page, you are prompted to restart the server to finish the removal process. Click Close, and then click Yes to restart the server.
8. If you are prompted that other programs are still running, do either of the following:
   - To close the programs manually and restart the server later, click Cancel.
   - To automatically close the programs and restart the server, click Restart now.
9. After the server restarts and you log on to the computer, the remaining steps of the removal process will finish. When the Removal Results page appears, confirm that the removal of Terminal Server succeeded.
   You can also confirm that Terminal Server is removed by following these steps:
   a. Start Server Manager.
   b. Under Roles Summary, click Terminal Services.
   c. Under Role Services, confirm that Terminal Server has a status of Not Installed.

Deny Logon Requests to a Terminal Server

In Windows Server 2008, you can configure a terminal server to deny logon requests from new users. With the ability to deny logon requests from new users to specific servers in a farm, you can maintain your terminal server environment without disrupting end-user service. If you configure a terminal server to deny new logon requests, the following behavior occurs:

- Users with existing sessions can still reconnect to the server. Only new logon requests to that server are denied. However, an administrator can still log on to the server locally to perform maintenance on the server. An administrator can also connect remotely by starting the RDC client from the command line with the /admin option (mstsc /admin).
- If you are using TS Session Broker Load Balancing, TS Session Broker will redirect new users to other servers in the farm, where new user logon requests are enabled.

Before you take a server down for maintenance, you can notify users with existing sessions to log off from the server by using Terminal Services Manager to send a message.

To deny new user logon requests

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
2. In the Edit settings area, double-click User logon mode under General.
3. On the General tab, click either of the following:
   - Allow reconnections, but prevent new logons
   - Allow reconnections, but prevent new logons until the server is restarted
4. Click OK.

Note
When you are finished doing maintenance, ensure that Allow all connections is selected.
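The same maintenance workflow from the command line, as an added example that is not part of the guide: it uses the change logon, msg and query session tools that ship with Windows Server 2008, where the guide's own procedure uses Terminal Services Configuration and Terminal Services Manager. The grace period is an assumed value; run it in an elevated session on the server being taken down.

```powershell
# Added example (not from the guide): command-line equivalent of the "User logon mode" procedure.
param([int]$GraceSeconds = 600)   # assumed grace period before maintenance starts

# 1. Stop accepting new logons but let existing users reconnect. This is the
#    "Allow reconnections, but prevent new logons until the server is restarted" mode;
#    use "change logon /drain" for the mode that persists across a restart.
change logon /drainuntilrestart

# 2. Tell users who still have sessions to save their work and log off
#    (the guide does this by sending a message from Terminal Services Manager).
msg * "/time:$GraceSeconds" "This server is going down for maintenance in $($GraceSeconds / 60) minutes. Please save your work and log off."

# 3. Show which sessions are still connected. Administrators can still connect with "mstsc /admin".
query session

# 4. Display the current logon mode so you can confirm drain mode is in effect. After maintenance,
#    run "change logon /enable" (the equivalent of selecting "Allow all connections") so new users can log on again.
change logon /query
```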

Deploying TS Licensing

The Terminal Services Licensing (TS Licensing) role service is part of the core Terminal Services environment. You use TS Licensing to install, issue, and track Terminal Services client access licenses (TS CALs) for your deployment.

To install TS Licensing and configure a license server, see the following topics:

- Installation Prerequisites for TS Licensing
- Checklist: Deploying TS Licensing
- Installing TS Licensing
- Connecting to a Terminal Services License Server
- Activating a Terminal Services License Server
- Installing Terminal Services Client Access Licenses
- Configuring License Settings on a Terminal Server
- Tracking the Issuance of Terminal Services Per User Client Access Licenses
- Troubleshooting TS Licensing Installation

Installation Prerequisites for TS Licensing

TS Licensing manages the Terminal Services client access licenses (TS CALs) that are required for each device or user to connect to a terminal server. You use TS Licensing to install, issue, and track the availability of TS CALs on a Terminal Services license server.

This checklist provides tasks that an administrator should perform before installing and configuring TS Licensing.

Task: Determine if a Terminal Services license server is needed.
Reference: Remote Desktop supports two concurrent connections to remotely administer a computer. You do not need a license server for these connections.

Task: Verify that the license server supports the operating system of the terminal servers.
Reference: TS Licensing in Windows Server 2008 supports terminal servers that run:
- Windows Server 2008
- Windows Server 2003 R2
- Windows Server 2003
- Windows 2000
A terminal server running Windows Server 2008 can only communicate with a license server running Windows Server 2008.

Task: Determine which type of TS CALs to use.
Reference: Terminal Services Client Access Licenses (TS CALs)

Task: Purchase the appropriate type and number of TS CALs.
Reference: Purchase Client Access Licenses (http://go.microsoft.com/fwlink/?LinkID=81077)

Task: Determine the method of the Terminal Services license server discovery.
Reference: Terminal Services License Server Discovery

Terminal Services Client Access Licenses (TS CALs)

There are two types of Terminal Services client access licenses (TS CALs):

- TS Per Device CALs
- TS Per User CALs

Important
The Terminal Services licensing mode configured on a terminal server must match the type of TS CALs that are available on the license server. For more information, see Configuring License Settings on a Terminal Server.

When Per Device licensing mode is used, and a client computer or device connects to a terminal server for the first time, the client computer or device is issued a temporary license by default. When a client computer or device connects to a terminal server for the second time, if the license server is activated and enough TS Per Device CALs are available, the license server issues the client computer or device a permanent TS Per Device CAL.

A TS Per User CAL gives one user the right to access a terminal server from an unlimited number of client computers or devices. TS Per User CALs are not enforced by TS Licensing. As a result, client connections can occur regardless of the number of TS Per User CALs that are installed on the license server. This does not absolve administrators from the Microsoft Software License Terms requirements to have a valid TS Per User CAL for each user. Failure to have a TS Per User CAL for each user, if Per User licensing mode is being used, is a violation of the license terms.

To ensure that you are in compliance with the license terms, make sure that you track the number of TS Per User CALs that are being used in your organization, and ensure that you have a sufficient number of TS Per User CALs installed on the license server to provide a TS Per User CAL for each user that needs to connect to the terminal server.

In Windows Server 2008, you can use the TS Licensing Manager tool to track and generate reports on the issuance of TS Per User CALs. For more information, see Tracking the Issuance of Terminal Services Per User Client Access Licenses.

Terminal Services License Server Discovery

When you install the TS Licensing role service, you need to specify a discovery scope, which determines how the Terminal Services license server will be automatically discoverable by terminal servers.

The three discovery scopes are:

- Workgroup
- Domain
- Forest

The recommended discovery scope for a license server is Forest.

Note
In Windows Server 2003, "forest discovery scope" was known as "enterprise scope."

Workgroup discovery scope is only available when the computer on which you are installing the TS Licensing role service is not a member of a domain. If you configure workgroup discovery scope, terminal servers, without additional configuration, can automatically discover a license server in the same workgroup.

Domain discovery scope and forest discovery scope are only available when the computer on which you are installing the TS Licensing role service is a member of a domain.

Note
If the license server is a member of a workgroup, and then you join the license server to an Active Directory domain, the discovery scope for the license server is automatically changed from Workgroup to Domain.

If you configure domain discovery scope, terminal servers, without additional configuration, can automatically discover a license server in the same domain only if the license server is installed on a domain controller. You can install the TS Licensing role service on a non-domain controller, but the license server will not be automatically discoverable by terminal servers in the domain. To configure domain discovery scope, you must be logged on as a domain administrator to the domain in which the license server is a member.

If you configure forest discovery scope, terminal servers, without additional configuration, can automatically discover a license server in the same forest, because the license server is published in Active Directory Domain Services. To configure forest discovery scope, you must be logged on as an enterprise administrator to the forest in which the license server is a member.

Important
To issue TS Per User CALs to users in other domains, the license server must be a member of the Terminal Server License Servers group in those domains, regardless of whether the discovery scope for the license server is Domain or Forest.

In the license server discovery process, a terminal server in a Windows Server-based domain attempts to contact a license server in the following order:

1. License servers that are specified in the Terminal Services Configuration tool or by using Group Policy
2. A license server that is installed on the same computer as the terminal server
3. License servers that are published in Active Directory Domain Services
4. License servers that are installed on domain controllers in the same domain as the terminal server

Important
To see which license servers the terminal server discovers and to be alerted to possible licensing discovery and configuration issues, use Licensing Diagnosis in Terminal Services Configuration. For more information, see Troubleshooting TS Licensing Installation.

You can change the discovery scope of the license server by using Review Configuration in the TS Licensing Manager tool. For more information, see Troubleshooting TS Licensing Installation.

Checklist: Deploying TS Licensing

TS Licensing manages the Terminal Services client access licenses (TS CALs) that are required

for each device or user to connect to a terminal server. You use TS Licensing to install, issue, and

track the availability of TS CALs on a Terminal Services license server.

This checklist provides the tasks that an administrator needs to complete to install and configure

TS Licensing.

Task Reference

Review prerequisites for installing

TS Licensing.

Installation Prerequisites for TS Licensing

Install the TS Licensing role service. Installing TS Licensing

Activate the Terminal Services license server. Activating a Terminal Services License Server

Install Terminal Services client access licenses

(TS CALs) on the Terminal Services license

server.

Installing Terminal Services Client Access

Licenses

Configure the terminal server to support

TS Licensing.

Configuring License Settings on a Terminal

Server

For more information, see TS Licensing Configuration Guidelines in the TS Licensing Manager

Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?

LinkId=107352).

Installing TS Licensing

Use the following procedure to install the TS Licensing role service by using Server Manager.

The installation of the TS Licensing role service does not require the computer to be

restarted.

Installation prerequisites1. Before you install the TS Licensing role service, join your computer to Active Directory

Domain Services (AD DS). If you want your license server to be available to terminal servers

within a domain, you can join it to that domain. If you want your license server to be available

across domains, you must join your computer to the top node in the forest.

2. Before you install your license server, arrange for the credentials that are required to

configure license server discovery scope:

Note

39

Page 40: TEST Terminal Services Deployment Guide

For the license server to be accessible to terminal servers within the domain, you need to

have domain administrator permissions.

For the license server to be accessible to terminal servers within the forest, you need to

have enterprise administrator permissions.

If you install the TS Licensing role service without the appropriate credentials, an error

appears that describes the level of access necessary to complete the installation.

Install the TS Licensing role serviceFollowing are the recommended configurations for a new TS Licensing deployment. If you are

configuring a license server for an existing deployment, your choices may be different. Verify that

the settings are correct before you install the new license server.

1. Open Server Manager. To open Server Manager, click Start, point to Administrative

Tools, and then click Server Manager.

2. In the left pane, right-click Roles, and then click Add Roles.

3. In the Add Roles Wizard, on the Before You Begin page, click Next.

4. On the Select Server Roles page, under Roles, select the Terminal Services check

box, and then click Next.

Note

If Terminal Services is already installed on the server, the Terminal Services

check box will be selected and dimmed.

5. On the Terminal Services page, click Next.

6. On the Select Role Services page, select the TS Licensing check box.

7. On the Configure Discovery Scope for TS Licensing page, select This Domain or

This Forest, verify that the location of the TS Licensing database is correct, and then

click Next.

Note

If your account does not have sufficient permissions for the selected discovery

scope, you will see an alert at the bottom of the page describing the level

needed. If you continue, the TS Licensing role service will install. You can

configure discovery scope by using Review Configuration in the TS Licensing

Manager tool.

8. On the Confirm Installation Selections page, verify that the TS Licensing role service

will be installed, and then click Install.

On the Installation Progress page, installation progress will be noted.

9. On the Installation Results page, confirm that the installation succeeded, and then click

Close.

To install the TS Licensing role service (when Terminal Services is already installed)

1. Open Server Manager. To open Server Manager, click Start, point to Administrative

Tools, and then click Server Manager.

2. In the left pane, expand Roles.

3. Right-click Terminal Services, and then click Add Role Services.

4. On the Select Role Services page, select the TS Licensing check box, and then click

Next.

5. On the Configure Discovery Scope for TS Licensing page, select This Domain or

This Forest, verify that the location of the TS Licensing database is correct, and then

click Next.

Note

If your account does not have sufficient permissions for the selected discovery

scope, you will see an alert at the bottom of the page describing the level

needed. If you continue, the TS Licensing role service will install. You can

configure discovery scope by using Review Configuration in the TS Licensing

Manager tool.

6. On the Confirm Installation Selections page, verify that the TS Licensing role service

will be installed, and then click Install.

On the Installation Progress page, installation progress will be noted.

7. On the Installation Results page, confirm that installation for the TS Licensing role

service succeeded, and then click Close.
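After either procedure, the check a practitioner wants is that the role service really is installed and, for a forest-scope server, where it has been published for discovery. The script below is an added example and is not part of the original guide. It assumes names the guide does not state: that ServerManagerCmd.exe lists the role service with the ID TS-Licensing, and that a forest-scope license server is published as a TS-Enterprise-License-Server object beneath its site under CN=Sites in the Configuration partition, with the server's distinguished name in the multi-valued siteServer attribute. Writing that object is what requires enterprise administrator permissions; a domain-scope server does not touch the Configuration partition, which is why domain administrator permissions suffice.

```powershell
# Added example (not from the Terminal Services Deployment Guide). Confirm the
# TS Licensing role service is installed and list forest-scope license servers.
# Assumptions: ServerManagerCmd.exe reports the role service as "TS-Licensing";
# forest-scope servers are published as TS-Enterprise-License-Server objects
# under CN=Sites in the Configuration partition (siteServer attribute).
# Run on the license server as a local Administrator (PowerShell 2.0 syntax).

# 1. Is the role service installed on this server?
#    -query marks installed entries with [X] and others with [ ]; the ID is in brackets.
$roleLine = ServerManagerCmd.exe -query | Select-String '\[TS-Licensing\]'
if ($roleLine -match '\[X\]') {
    'TS Licensing role service: installed'
} else {
    'TS Licensing role service: NOT installed (ServerManagerCmd.exe -install TS-Licensing)'
}

# 2. Which license servers are published at forest scope, and in which site?
$rootDse  = [ADSI]'LDAP://RootDSE'
$sitesDn  = 'CN=Sites,' + [string]$rootDse.configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$sitesDn")
$searcher.Filter = '(cn=TS-Enterprise-License-Server)'
[void]$searcher.PropertiesToLoad.Add('siteServer')

foreach ($result in $searcher.FindAll()) {
    # The object sits directly under its site:
    # CN=TS-Enterprise-License-Server,CN=<site>,CN=Sites,CN=Configuration,...
    $siteName = ($result.Path -split ',')[1] -replace '^CN='
    foreach ($serverDn in $result.Properties['siteserver']) {
        "{0,-24} {1}" -f $siteName, $serverDn
    }
}
```

If the second part prints nothing, the server was installed with domain scope (or the account lacked the rights to publish it); Review Configuration in TS Licensing Manager lets you change the scope afterwards, as the note above says.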

Connecting to a Terminal Services License Server

After installing TS Licensing, you can use the TS Licensing Manager tool to connect to and

manage Terminal Services license servers.

If you want to use TS Licensing Manager from another computer running Windows Server 2008,

see Installing TS Licensing Manager.

Membership in the local Administrators group, or equivalent, is the minimum required to

complete this procedure.

To connect to a Terminal Services license server

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS

Licensing Manager.

2. On the Action menu, click Connect.

3. In the Server box, type the name of the license server to which you want to connect, and

then click Connect.


When TS Licensing Manager opens, it tries to find all the license servers in the workgroup or

domain that are automatically discoverable and to which the user has the appropriate

administrative permissions.

Install TS Licensing Manager

The TS Licensing Manager tool in Windows Server 2008 is automatically installed on any

computer on which the TS Licensing role service is installed. If you want to manage your license

servers from a remote computer running Windows Server 2008, you can install TS Licensing

Manager on that computer by using the following procedure.

Membership in the local Administrators group, or equivalent, on the computer that you plan to

configure, is the minimum required to complete this procedure.

To install TS Licensing Manager by using Server Manager

1. Open Server Manager. To open Server Manager, click Start, point to Administrative

Tools, and then click Server Manager.

2. In the left pane, right-click Features, and then click Add Features.

3. On the Select Features page, expand Remote Server Administration Tools, expand

Role Administration Tools, and then expand Terminal Services Tools.

4. Select the TS Licensing Tools check box, and then click Next.

5. On the Confirm Installation Selections page, click Install.

6. On the Installation Progress page, installation progress will be noted.

7. On the Installation Results page, confirm that installation of TS Licensing Manager

succeeded, and then click Close.

8. To run TS Licensing Manager, click Start, point to Administrative Tools, point to

Terminal Services, and then click TS Licensing Manager.

Activating a Terminal Services License Server

A Terminal Services license server must be activated to certify the server and to allow the license

server to issue Terminal Services client access licenses (TS CALs). You can activate a license

server by using the Activate Server Wizard in the TS Licensing Manager tool.

Use one of the following methods to activate your license server:

Activate a Terminal Services License Server Automatically   This method requires Internet

connectivity from the computer running TS Licensing Manager. Internet connectivity is not


required from the license server itself. This method uses TCP/IP (TCP port 443) to connect

directly to the Microsoft Clearinghouse.

Activate a Terminal Services License Server by Using a Web Browser   You can use the Web

method when the computer running TS Licensing Manager does not have Internet

connectivity, but you have access to the Web by means of a Web browser from another

computer. The URL for the Web method is displayed in the Activate Server Wizard.

Activate a Terminal Services License Server by Using the Telephone   The telephone method

allows you to talk to a Microsoft customer service representative to complete the activation

process. The appropriate telephone number is determined by the country/region that you

choose in the Activate Server Wizard and is displayed by the wizard.

When you activate the license server, Microsoft provides the server with a limited-use digital

certificate that validates server ownership and identity. Microsoft uses an X.509 industry standard

certificate for this purpose. By using this certificate, a license server can make subsequent

transactions with Microsoft.

If a license server is not activated, the license server can only issue temporary TS Per Device

CALs that are valid for 90 days, or TS Per User CALs.

Activate a Terminal Services License Server Automatically

The automatic activation method requires Internet connectivity from the computer running the

TS Licensing Manager tool. Internet connectivity is not required from the license server itself. This

method uses TCP/IP (TCP port 443) to connect directly to the Microsoft Clearinghouse.

Membership in the local Administrators group, or equivalent, on the license server, is the

minimum required to complete this procedure.

To activate a Terminal Services license server automatically

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS

Licensing Manager.

2. Right-click the license server that you want to activate, and then click Activate Server.

The Activate Server Wizard starts.

3. Click Next.

4. On the Connection Method page, in the Connection method list, select Automatic

connection (recommended), and then click Next.

5. On the Company Information page, type your name, company, and country/region

information, and then click Next.

6. Specify any other information that you want, such as e-mail and company address. This

information is optional.

7. Click Next. Your license server is activated.


8. On the Completing the Activate Server Wizard page, do one of the following:

To install Terminal Services client access licenses (TS CALs) onto your license

server, ensure that the Start Install Licenses Wizard now check box is selected,

click Next, and then follow the instructions.

To install TS CALs later, clear the Start Install Licenses Wizard now check box,

and then click Finish.

Activate a Terminal Services License Server by Using a Web Browser

The Web activation method can be used when the computer running the TS Licensing Manager

tool does not have Internet connectivity, but you have access to the Web by means of a Web

browser from another computer. The URL for the Web method is displayed in the Activate Server

Wizard.

Membership in the local Administrators group, or equivalent, on the license server, is the

minimum required to complete this procedure.

To activate a Terminal Services license server by using a Web browser

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS

Licensing Manager.

2. Right-click the license server that you want to activate, and then click Activate Server.

The Activate Server Wizard starts.

3. Click Next.

4. On the Connection Method page, in the Connection method list, select Web Browser,

and then click Next.

5. On the License Server Activation page, click the hyperlink to connect to the Terminal

Server Licensing Web site.

If you are running TS Licensing Manager on a computer that does not have Internet

connectivity, note the address for the Terminal Server Licensing Web site, and then

connect to the Web site from a computer that has Internet connectivity.

6. Under Select Option, click Activate a license server, and then click Next.

7. In the Product ID boxes, type your Product ID. Your Product ID is displayed on the

License Server Activation page of the Activate Server Wizard. You must also complete

the name, company, and country/region fields. Specify any other information that you

want to provide, such as e-mail and company address, and then click Next.

8. Confirm your entries, and then click Next. Your license server ID is displayed. Write down

the license server ID or print the Web page.

9. On the License Server Activation page of the Activate Server Wizard, type the license

server ID that you received in the previous step, and then click Next. Your license server

is activated.

10. On the Completing the Activate Server Wizard page, do one of the following:

To install Terminal Services client access licenses (TS CALs) onto your license

server, ensure that the Start Install Licenses Wizard now check box is selected,

click Next, and then follow the instructions.

To install TS CALs later, clear the Start Install Licenses Wizard now check box,

and then click Finish.

Activate a Terminal Services License Server by Using the Telephone

The telephone activation method allows you to talk to a Microsoft customer service representative

to complete the activation process. The appropriate telephone number is determined by the

country/region that you choose in the Activate Server Wizard and is displayed by the wizard.

Membership in the local Administrators group, or equivalent, on the license server, is the

minimum required to complete this procedure.

To activate a Terminal Services license server by telephone

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS

Licensing Manager.

2. Right-click the license server that you want to activate, and then click Activate Server.

The Activate Server Wizard starts.

3. Click Next.

4. On the Connection Method page, in the Connection method list, select Telephone,

and then click Next.

5. On the Country or Region Selection page, click your country/region, and then click

Next to display the appropriate telephone number to call.

6. Call Microsoft by using the telephone number that is displayed on the License Server

Activation page, and then provide the Microsoft customer support representative with

the Product ID that is displayed on your screen. The representative will also ask you to

provide your name and the name of your company. The representative processes your

request to activate the license server, and creates a unique ID for your license server.

7. On the License Server Activation page, type the license server ID that the

representative provides, and then click Next. Your license server is activated.

8. On the Completing the Activate Server Wizard page, do

one of the following:

To install Terminal Services client access licenses (TS CALs) onto your license

server, ensure that the Start Install Licenses Wizard now check box is selected,

click Next, and then follow the instructions.

To install TS CALs later, clear the Start Install Licenses Wizard now check box,

and then click Finish.

Installing Terminal Services Client Access Licenses

Using the Install Licenses Wizard in the TS Licensing Manager tool, you can use one of three

methods to install Terminal Services client access licenses (TS CALs) onto your license server:

Install Terminal Services Client Access Licenses Automatically   This method requires Internet

connectivity from the computer running TS Licensing Manager. Internet connectivity is not

required from the license server itself. This method uses TCP/IP (TCP port 443) to connect

directly to the Microsoft Clearinghouse.

Install Terminal Services Client Access Licenses by Using a Web Browser   You can use the

Web method when the computer running TS Licensing Manager does not have Internet

connectivity, but you have access to the Web by means of a Web browser from another

computer. The URL for the Web installation method is displayed in the Install Licenses

Wizard.

Install Terminal Services Client Access Licenses by Using the Telephone   The telephone

method allows you to talk to a Microsoft customer service representative to complete the

installation process. The appropriate telephone number is determined by the country/region

that you chose in the Activate Server Wizard and is displayed by the wizard.

Before you install TS CALs onto your license server, note the following:

You must activate your Terminal Services license server before you can install TS CALs onto

your license server. For more information, see Activating a Terminal Services License Server.

You need a license code to install TS CALs onto your license server. A license code is

provided when you purchase your TS CALs. For more information, see Purchase Client

Access Licenses (http://go.microsoft.com/fwlink/?LinkID=81077).

Install Terminal Services Client Access Licenses Automatically

The automatic installation method requires Internet connectivity from the computer running

TS Licensing Manager to complete the Terminal Services client access license (TS CAL)


installation process. Internet connectivity is not required from the license server itself. This

method uses TCP/IP (TCP port 443) to connect directly to the Microsoft Clearinghouse.

Membership in the local Administrators group, or equivalent, on the license server, is the

minimum required to complete this procedure.

To install Terminal Services client access licenses automatically

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS

Licensing Manager.

2. Verify that the connection method for the Terminal Services license server is set to

Automatic connection (recommended) by right-clicking the license server on which

you want to install TS CALs, and then clicking Properties. On the Connection Method

tab, change the connection method if necessary, and then click OK.

3. In the console tree, right-click the Terminal Services license server on which you want to

install the TS CALs, click Install Licenses to open the Install Licenses Wizard, and then

click Next.

4. On the License Program page, select the appropriate program through which you

purchased your TS CALs, and then click Next.

5. The License Program that you selected on the previous page in the wizard will

determine what information you will need to provide on this page. In most cases, you will

have to provide either a license code or an agreement number. Consult the

documentation provided when you purchased your TS CALs.

6. After you have entered the required information, click Next.

7. On the Product Version and License Type page, select the appropriate product version,

license type, and quantity of TS CALs for your environment based on your TS CAL

purchase agreement, and then click Next.

8. The Microsoft Clearinghouse is automatically contacted and processes your request. The

TS CALs are then automatically installed onto the license server.

9. On the Completing the Install Licenses Wizard page, click Finish. The Terminal

Services license server can now issue TS CALs to clients that connect to a terminal

server.

Install Terminal Services Client Access Licenses by Using a Web Browser

The Web method can be used to complete the Terminal Services client access license (TS CAL)

installation process when the computer running the TS Licensing Manager tool does not have

Internet connectivity, but you have access to the Web by means of a Web browser from another

computer. The URL for the Web installation method is displayed in the Install Licenses Wizard.


Membership in the local Administrators group, or equivalent, on the license server, is the

minimum required to complete this procedure.

To install Terminal Services client access licenses by using a Web browser

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS

Licensing Manager.

2. Verify that the connection method for the Terminal Services license server is set to Web

Browser by right-clicking the license server on which you want to install TS CALs, and

then clicking Properties. On the Connection Method tab, change the connection

method if necessary, and then click OK.

3. In the console tree, right-click the Terminal Services license server on which you want to

install the TS CALs, click Install Licenses to open the Install Licenses Wizard, and then

click Next.

4. On the Obtain Client License Key Pack page, click the hyperlink to connect to the

Terminal Server Licensing Web site.

If you are running TS Licensing Manager on a computer that does not have Internet

connectivity, note the address for the Terminal Server Licensing Web site, and then

connect to the Web site from a computer that has Internet connectivity.

5. On the Windows Terminal Services Web page, under Select Option, click Install Client

Access License tokens, and then click Next.

6. Provide the following required information:

License Server ID   A 35-digit number, in groups of 5 numerals, which is displayed

on the Obtain Client License Key Pack page in the Install Licenses Wizard.

License Program   Select the appropriate program through which you purchased

your TS CALs.

Last name or surname

First name or given name

Company name

Country/region

You can also provide the optional information requested, such as company address, e-

mail address, and phone number. In the organizational unit field, you can describe the

unit within your organization that this license server will serve.

7. Click Next.

8. The License Program that you selected on the previous page will determine what

information you will need to provide on this page. In most cases, you will have to provide

either a license code or an agreement number. Consult the documentation provided

when you purchased your TS CALs. In addition, you will need to specify which type of

TS CAL (for example, Windows Server 2008 TS Per Device CAL) and the quantity that

you want to install on the license server.

9. After you have entered the required information, click Next.


10. Verify that all of the information that you have entered is correct. To submit your request

to the Microsoft Clearinghouse, click Next. The Web page then displays a license key

pack ID generated by the Microsoft Clearinghouse.

Important

Retain a copy of the license key pack ID. Having this information with you will

facilitate communications with the Microsoft Clearinghouse should you need

assistance with recovering TS CALs.

11. In the Install Licenses Wizard, on the Obtain Client License Key Pack page, enter the

license key pack ID that you received in the previous step in the boxes provided, and

then click Next. The TS CALs are installed on your Terminal Services license server.

12. On the Completing the Install Licenses Wizard page, click Finish. The Terminal

Services license server can now issue TS CALs to clients that connect to a terminal

server.

Install Terminal Services Client Access Licenses by Using the Telephone

The telephone installation method allows you to talk to a Microsoft customer service

representative to complete the Terminal Services client access license (TS CAL) installation

process. The appropriate telephone number is displayed in the Install Licenses Wizard and is

determined by the country/region that you have specified.

Membership in the local Administrators group, or equivalent, on the license server, is the

minimum required to complete this procedure.

To install client access licenses by using the telephone

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS

Licensing Manager.

2. Verify that the connection method for the Terminal Services license server is set to

Telephone by right-clicking the license server on which you want to install TS CALs, and

then clicking Properties. On the Connection Method tab, change the connection

method if necessary. On the Required Information tab, change the country/region if

necessary, and then click OK.

3. In the console tree, right-click the Terminal Services license server on which you want to

install the TS CALs, click Install Licenses to open the Install Licenses Wizard, and then

click Next.

4. On the Obtain client license key pack page, use the telephone number that is

displayed to call the Microsoft Clearinghouse, and give the representative your Terminal

Services license server ID and the required information for the licensing program through


which you purchased your TS CALs. The representative then processes your request to

install TS CALs, and gives you a unique ID for the TS CALs. This unique ID is referred to

as the license key pack ID.

Important

Retain a copy of the license key pack ID. Having this information with you will

facilitate communications with the Microsoft Clearinghouse should you need

assistance with recovering TS CALs.

5. In the Install Licenses Wizard, on the Obtain client license key pack page, enter the

license key pack ID provided by the representative into the boxes provided, and then

click Next. The TS CALs are installed on your Terminal Services license server.

6. On the Completing the Install Licenses Wizard page, click Finish. The Terminal

Services license server can now issue TS CALs to clients that connect to a terminal

server.
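Whichever of the three methods you used, the wizard's final page only tells you that the request succeeded. The script below is an added example, not part of the original guide, that lists the license key packs the server actually holds so you can confirm that the purchased TS CALs are present, in the type (Per Device or Per User) and quantity you installed, and not just the built-in and temporary packs every license server carries. It assumes the Win32_TSLicenseKeyPack WMI class in the root\cimv2 namespace of a Windows Server 2008 license server, and the KeyPackType and ProductType code meanings in the two tables, which come from that class's documentation rather than from this guide.

```powershell
# Added example (not from the Terminal Services Deployment Guide). List the
# TS CAL key packs installed on this license server and summarise what is
# available per CAL type. Assumptions: the Win32_TSLicenseKeyPack class in
# root\cimv2 and the code meanings below (from the class documentation).
# Run on the license server as a local Administrator.

$keyPackType = @{ 0 = 'Unknown';    1 = 'Retail purchase'; 2 = 'Volume purchase';
                  3 = 'Concurrent'; 4 = 'Temporary';       5 = 'Open license';
                  6 = 'Built-in';   7 = 'Reserved' }
$productType = @{ 0 = 'Per Device'; 1 = 'Per User'; 2 = 'Not applicable' }

$packs = @(Get-WmiObject -Namespace 'root\cimv2' -Class Win32_TSLicenseKeyPack)

$fmt = "{0,-6} {1,-16} {2,-14} {3,-32} {4,6} {5,6} {6,9}"
$fmt -f 'ID', 'Type', 'CAL', 'Product', 'Total', 'Issued', 'Available'
foreach ($p in $packs) {
    # Hashtable keys are Int32, the WMI values are UInt32: cast before the lookup.
    $fmt -f $p.KeyPackId, $keyPackType[[int]$p.KeyPackType], $productType[[int]$p.ProductType],
        $p.ProductVersion, $p.TotalLicenses, $p.IssuedLicenses, $p.AvailableLicenses
}

# Purchased packs are anything other than the built-in (6) and temporary (4) ones.
$purchased = @($packs | Where-Object { $_.KeyPackType -ne 4 -and $_.KeyPackType -ne 6 })
if ($purchased.Count -eq 0) {
    'WARNING: no purchased TS CAL key packs are installed on this license server yet.'
}

# Available CALs by type. A terminal server's licensing mode must match a type
# that actually has CALs available here, or its requests cannot be satisfied.
foreach ($t in 0, 1) {
    $sum = ($purchased | Where-Object { $_.ProductType -eq $t } |
            Measure-Object -Property AvailableLicenses -Sum).Sum
    "{0,-10} CALs available: {1}" -f $productType[$t], [int]$sum
}
```

Keep the output, together with the license key pack ID you were told to retain, with your purchase records: the issued and available counts are what the Microsoft Clearinghouse will ask about if you ever need to recover or reinstall the CALs.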

Configuring License Settings on a Terminal Server

After you install and configure the Terminal Services license server, you need to configure your

terminal server by doing the following:

Specify the Terminal Services licensing mode

Specify the license server discovery mode

Specify the Terminal Services licensing mode

The Terminal Services licensing mode determines the type of Terminal Services client access

licenses (TS CALs) that a terminal server requests from a license server on behalf of a client

computer that is connecting to the terminal server.

Important

The Terminal Services licensing mode that is configured on a terminal server must match

the type of TS CALs that are available on the license server.

For more information about TS CALs, see Terminal Services Client Access Licenses (TS CALs).

The Terminal Services licensing mode for the terminal server can be set in the following ways:

During the installation of the Terminal Server role service in Server Manager, on the Specify

Licensing Mode page in the Add Roles Wizard.

On the Specify Licensing Mode page, you can select Configure later if you are unsure

during the installation whether to select Per Device or Per User. If you select Configure

later, each time you log on as an administrator to the terminal server, a message will appear


in the lower-right corner of the desktop reminding you that you need to configure the licensing

mode for the terminal server.

By configuring the Terminal Services licensing mode for the terminal server by using the

Terminal Services Configuration tool.

If the Specify the Terminal Services licensing mode choices are dimmed and you cannot

make a selection, the Set Terminal Services licensing mode Group Policy setting has been

enabled and has been applied to the terminal server.

By applying the Set Terminal Services licensing mode Group Policy setting.

This Group Policy setting is located in Computer Configuration\Administrative Templates\

Windows Components\Terminal Services\Terminal Server\Licensing and can be

configured by using either the Local Group Policy Editor or the Group Policy Management

Console (GPMC). Note that the Group Policy setting takes precedence over the setting that is

configured in Terminal Services Configuration.

For more information about Group Policy settings for Terminal Services, see the Terminal

Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).

Use the following procedure to specify the Terminal Services licensing mode on a terminal server

by using Terminal Services Configuration.

Membership in the local Administrators group, or equivalent, on the computer that you plan to

configure, is the minimum required to complete this procedure.

To specify the Terminal Services licensing mode on a terminal server by using Terminal Services Configuration

1. On the terminal server, open Terminal Services Configuration. To open Terminal Services

Configuration, click Start, point to Administrative Tools, point to Terminal Services,

and then click Terminal Services Configuration.

2. Under Licensing, double-click Terminal Services licensing mode.

3. Select either Per Device or Per User, depending on which is appropriate for your

environment, and then click OK.

Specify the license server discovery mode

A terminal server must be able to contact (discover) a Terminal Services license server to request

Terminal Services client access licenses (TS CALs) for users or computing devices that are

connecting to the terminal server.

The license server discovery mode for the terminal server can be set in the following ways:

By configuring License Server discovery mode for the terminal server in the Terminal

Services Configuration tool.

If the Specify the license server discovery mode choices are dimmed and you cannot

make a selection, the Use the specified Terminal Services license servers Group Policy

setting has been enabled and has been applied to the terminal server.

By applying the Use the specified Terminal Services license servers Group Policy setting.


This Group Policy setting is located in Computer Configuration\Administrative Templates\

Windows Components\Terminal Services\Terminal Server\Licensing and can be

configured by using either the Local Group Policy Editor or the Group Policy Management

Console (GPMC). Note that the Group Policy setting takes precedence over the setting that is

configured in Terminal Services Configuration.

For more information about the license server discovery process, see Terminal Services License

Server Discovery.

Important

To see which license servers the terminal server discovers, and to be alerted to possible

licensing discovery and configuration issues, use Licensing Diagnosis in Terminal

Services Configuration. For more information about Licensing Diagnosis, see

Troubleshooting TS Licensing Installation.

For more information about Group Policy settings for Terminal Services, see the Terminal

Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).

Use the following procedure to specify the license server discovery mode on a terminal server by

using Terminal Services Configuration.

Membership in the local Administrators group, or equivalent, on the computer that you plan to

configure, is the minimum required to complete this procedure.

To specify the license server discovery mode on a terminal server by using Terminal Services Configuration

1. On the terminal server, open Terminal Services Configuration. To open Terminal Services

Configuration, click Start, point to Administrative Tools, point to Terminal Services,

and then click Terminal Services Configuration.

2. Under Licensing, double-click License server discovery mode.

3. Select either of the following, depending on which is appropriate for your environment:

Automatically discover a license server

Use the specified license servers

For more information about the license server discovery process, see Terminal Services

License Server Discovery.

4. After you have made a selection, click OK.
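Both settings above, the licensing mode and the license server discovery mode, are per-server values that any local administrator can change in Terminal Services Configuration unless the corresponding Group Policy setting pins them, in which case the local value is ignored. The script below is an added example, not part of the original guide, that reads both settings, reports which source is authoritative, and applies a desired configuration only where Group Policy does not override it. It assumes things the guide does not state: the Win32_TerminalServiceSetting WMI class in root\cimv2\TerminalServices with its LicensingType, PolicySourceLicensingType and PolicySourceConfiguredLicenseServers properties and its ChangeMode, GetSpecifiedLicenseServerList and SetSpecifiedLicenseServerList methods; that the two Group Policy settings are written under the registry key named in the script; and ls1.contoso.com as the license server name.

```powershell
# Added example (not from the Terminal Services Deployment Guide). Inspect and,
# where not pinned by Group Policy, set the licensing mode and the specified
# license server list on a Windows Server 2008 terminal server.
# Assumptions: Win32_TerminalServiceSetting (root\cimv2\TerminalServices) with
# the properties/methods used below; the policy registry key below; the
# license server name ls1.contoso.com. Run as a local Administrator.

$desiredMode    = 4                                # 2 = Per Device, 4 = Per User
$desiredServers = [string[]]@('ls1.contoso.com')   # assumed license server name

$modeName = @{ 0 = 'Personal Terminal Server'; 1 = 'Remote Desktop for Administration';
               2 = 'Per Device'; 4 = 'Per User'; 5 = 'Not yet configured' }

$tss = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TerminalServiceSetting

# --- Current state and its source --------------------------------------------
$modePinned    = ($tss.PolicySourceLicensingType -eq 1)
$serversPinned = ($tss.PolicySourceConfiguredLicenseServers -eq 1)
$specified     = @($tss.GetSpecifiedLicenseServerList().SpecifiedLSList | Where-Object { $_ })

"Licensing mode : {0} ({1}){2}" -f $modeName[[int]$tss.LicensingType], $tss.LicensingType,
    $(if ($modePinned) { '  [set by Group Policy]' } else { '' })
if ($specified.Count -gt 0) {
    "Discovery mode : Use the specified license servers: {0}{1}" -f [string]::Join(', ', $specified),
        $(if ($serversPinned) { '  [set by Group Policy]' } else { '' })
} else {
    'Discovery mode : Automatically discover a license server'
}

# Where the two policy settings land (assumed); when present they win over the local values.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (Test-Path $policyKey) {
    $pol = Get-ItemProperty -Path $policyKey
    if ($pol.LicensingMode  -ne $null) { "Policy LicensingMode  : $($pol.LicensingMode)" }
    if ($pol.LicenseServers -ne $null) { "Policy LicenseServers : $($pol.LicenseServers)" }
}

# --- Apply the desired local configuration only where it is not pinned -------
if (-not $modePinned -and $tss.LicensingType -ne $desiredMode) {
    $rc = $tss.ChangeMode($desiredMode).ReturnValue            # 0 = success
    "ChangeMode($desiredMode) returned $rc"
}
if (-not $serversPinned) {
    $rc = $tss.SetSpecifiedLicenseServerList($desiredServers).ReturnValue
    "SetSpecifiedLicenseServerList returned $rc"
}
```

For a fleet of terminal servers, prefer the Group Policy settings over local configuration: the policy is the only one of the two that cannot be changed by a local administrator on the terminal server, and the script's "[set by Group Policy]" marker is a quick way to verify that it is in effect on a given machine. Licensing Diagnosis in Terminal Services Configuration remains the tool for checking that the servers listed here are actually reachable.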

Tracking the Issuance of Terminal Services Per User Client Access Licenses

In Windows Server 2008, you can use the TS Licensing Manager tool to generate reports to track

the TS Per User CALs that have been issued by a Terminal Services license server.

Consider the following when using TS Per User CAL tracking and reporting in Windows

Server 2008:


TS Per User CAL tracking and reporting can only be used for TS Per User CALs in Windows

Server 2008. You cannot track and report on TS Per User CALs in Windows Server 2003.

TS Per User CAL tracking and reporting is supported only in domain-joined scenarios; that is,

the terminal server and the license server must be members of a domain.

TS Per User CAL tracking and reporting is not supported in workgroup mode.

Active Directory Domain Services (AD DS) is used for TS Per User CAL tracking. The

information about the TS Per User CAL that has been issued to a user is stored as part of the

user account in AD DS.

AD DS can be Windows Server 2008-based or Windows Server 2003-based.

The computer account for the license server must be a member of the Terminal Server

License Servers group in the domain. If the license server is installed on a domain controller,

the Network Service account must also be a member of the Terminal Server License Servers

group.

Note

To issue TS Per User CALs to users in other domains, there must be a two-way trust

between the domains, and the license server must be a member of the Terminal

Server License Servers group in those domains.

To determine if the license server is correctly configured for TS Per User CAL tracking and

reporting, you can use Review Configuration. For more information about Review

Configuration, see Troubleshooting TS Licensing Installation.

Because the information about the TS Per User CALs that have been issued to users is stored in

AD DS, the only way to get the most current information about the TS Per User CALs that have

been issued by the license server is to create a report by using TS Licensing Manager. When you

create a report, the necessary information is pulled from AD DS and is compiled together into a

report.

Important

Because TS Licensing Manager cannot dynamically update the number of TS Per User

CALs that are currently issued and available, those columns are left blank in some areas

of TS Licensing Manager. Instead there is a Generate Report hyperlink that takes you to

this topic. In the Report node, you can view information from reports that have been

created, but that information is specific to the date and time when the report was created.

Use the following procedure to create a report about the TS Per User CALs that have been

issued by a license server.

Membership in the local Administrators group, or equivalent, on the license server, is the

minimum required to complete this procedure.

To create a report about the TS Per User CALs that have been issued by a license server

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS

Licensing Manager.

2. Select the license server for which you want to generate a report.

3. On the Action menu, point to Create Report, and then click Per User CAL Usage.

4. In the Create Per User CAL Usage Report dialog box, select one of the following:

Important Note To create a report about the TS Per User CALs that have been issued by a license server

53

Page 54: TEST Terminal Services Deployment Guide

Entire domain   This is the domain in which the license server is a member.

Organizational Unit   This is any OU within the domain in which the license server is

a member.

Entire domain and all trusted domains   This can include domains in other forests.

Selecting this option can increase the time that it takes to create the report.

The selection that you make determines which user accounts in AD DS will be searched

for TS Per User CAL information to generate the report.

5. Click Create Report. The report will be created and a message will appear to confirm that the report was successfully created. Click OK to close the message.

6. The report that you created will appear in the Reports section under the node for the license server. The report provides the following information:

Date and time the report was created

The scope of the report (for example, Domain, OU=Sales, or All trusted domains)

The number of TS Per User CALs that are installed on the license server

The number of TS Per User CALs that have been issued by the license server specific to the scope of the report

7. You can also save the report as a CSV file to a folder location on the computer. To save the report, right-click the report that you want to save, click Save As, and then specify the file name and location to save the report.

Reports that you create are listed in the Reports node under the node for the license server in TS Licensing Manager. If you no longer need a report, you can delete the report.

Use the following procedure to delete a report in TS Licensing Manager.

Membership in the local Administrators group, or equivalent, on the license server, is the minimum required to complete this procedure.

To delete a report in TS Licensing Manager

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager.

2. Expand the All Servers node, expand the node for the license server for which the report was created, and then click Reports.

3. If there is a specific report that you want to delete, right-click the report, and then click Delete Report. To confirm that you want to delete the report, click Yes.

4. If you want to delete all the reports or only reports older than a certain number of days, on the Action menu, click Delete Reports.

5. In the Delete Reports dialog box, select either to delete all reports or only reports older than the number of days that you specify, and then click OK. The reports will be deleted immediately, and you will not be prompted to confirm the deletion.

Troubleshooting TS Licensing Installation

You can check the configuration of your Terminal Services license server and identify common licensing problems for a terminal server by using the following:

Review Configuration in the TS Licensing Manager tool

Licensing Diagnosis in the Terminal Services Configuration tool

Review the configuration of your license server

After you install and configure the TS Licensing role service on a computer running Windows Server 2008, you can use Review Configuration in the TS Licensing Manager tool to review the configuration of the license server and to help identify possible TS Licensing configuration problems that would prevent the license server from doing the following:

Being discovered by terminal servers

Issuing Terminal Services client access licenses (TS CALs) to users or devices that are connecting to a terminal server

Tracking and reporting the issuance of TS Per User CALs

Note

Review Configuration is used to identify possible TS Licensing configuration problems on a license server, not configuration problems on a terminal server. To be alerted to possible licensing discovery and configuration issues on a terminal server, use Licensing Diagnosis in the Terminal Services Configuration tool. For information about Licensing Diagnosis, see Diagnose licensing problems on your terminal server.

Important

To use Review Configuration, the license server must be a member of an Active Directory domain.

You can use Review Configuration to do the following:

Check discovery scope settings:

If the discovery scope for a license server is set to Domain, Review Configuration checks whether the license server is installed on a domain controller.

If the discovery scope for a license server is set to Forest, Review Configuration checks whether the license server is published in Active Directory Domain Services (AD DS).

If the discovery scope for a license server is set to Domain or Forest, Review Configuration checks whether the license server is a member of the Terminal Server License Servers group in AD DS.

Change the discovery scope of the license server by clicking Change Scope. For more information, see Change the Discovery Scope of a Terminal Services License Server in the TS Licensing Manager Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=107404).

Find the location of the TS Licensing database.

Check whether the License server security group Group Policy setting is enabled and applied to the license server. For more information about the License server security group Group Policy setting, see Control the Issuance of Terminal Services Client Access Licenses (TS CALs) in the TS Licensing Manager Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=107405).
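The conditions that Review Configuration inspects (membership in the Terminal Server License Servers group, NETWORK SERVICE in that group on a domain controller, and publication in AD DS for the Forest scope) can also be checked from a PowerShell prompt. The script below is an added example, not code from the guide or from Microsoft; it assumes it runs on the license server as a domain user, and the licensingSiteSettings object and siteServer attribute it uses for the publication check are an assumption to verify against your own forest.

```powershell
# Added example; not part of the Terminal Services Deployment Guide.
# Read-only check of the license-server conditions that Review Configuration
# inspects: membership in Terminal Server License Servers, NETWORK SERVICE in
# that group when the server is a domain controller, and publication in AD DS.
# ASSUMPTIONS: run on the license server as a domain user; the publication
# check reads the licensingSiteSettings object's siteServer attribute, which
# should be verified against your own forest before relying on it.

$licenseServer = $env:COMPUTERNAME                 # computer to check (local)
$groupName     = "Terminal Server License Servers" # group named in the guide
$netSvcSid     = "S-1-5-20"                        # well-known SID of NETWORK SERVICE

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext

function Find-AdObjects([string]$searchRootDn, [string]$filter, [string[]]$attrs) {
    # Thin DirectorySearcher wrapper so each query below is a single line.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]("LDAP://" + $searchRootDn)
    $s.Filter = $filter
    foreach ($a in $attrs) { [void]$s.PropertiesToLoad.Add($a) }
    return $s.FindAll()
}

# Distinguished name of the license server's computer account.
$computerDn = $null
foreach ($r in Find-AdObjects $domainDn "(&(objectClass=computer)(sAMAccountName=$licenseServer`$))" @("distinguishedName")) {
    $computerDn = [string]$r.Properties["distinguishedname"][0]
}

# Direct members of the domain's Terminal Server License Servers group.
$members = @()
foreach ($g in Find-AdObjects $domainDn "(&(objectClass=group)(sAMAccountName=$groupName))" @("member")) {
    foreach ($m in $g.Properties["member"]) { $members += [string]$m }
}

# Check 1: the computer account is a (direct) member of the group.
$inGroup = ($computerDn -ne $null -and $members -contains $computerDn)

# Check 2: domain controller? Win32_ComputerSystem.DomainRole 4 or 5 means DC.
$isDc = ((Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4)

# Check 3: on a DC, NETWORK SERVICE must be in the group too. AD stores it as a
# foreign security principal whose CN is the SID.
$netSvcInGroup = [bool]($members | Where-Object { $_ -like "CN=$netSvcSid,*" })

# Check 4 (Forest discovery scope): the server is published in AD DS.
# ASSUMPTION: publishing writes the computer DN into siteServer on the
# licensingSiteSettings object under CN=Sites in the Configuration container.
$published = $false
foreach ($o in Find-AdObjects "CN=Sites,$configDn" "(objectClass=licensingSiteSettings)" @("siteServer")) {
    foreach ($dn in $o.Properties["siteserver"]) { if ([string]$dn -eq $computerDn) { $published = $true } }
}

New-Object PSObject -Property @{
    LicenseServer         = $licenseServer
    InLicenseServersGroup = $inGroup
    IsDomainController    = $isDc
    NetworkServiceOk      = (-not $isDc -or $netSvcInGroup)   # only required on a DC
    PublishedInAdDs       = $published
} | Format-List LicenseServer, InLicenseServersGroup, IsDomainController, NetworkServiceOk, PublishedInAdDs
```

The group check looks at direct membership only; if your directory nests groups, extend the member lookup accordingly.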

Use the following procedure to review the configuration of a license server by using TS Licensing Manager.

Membership in the local Administrators group, or equivalent, on the license server, is the minimum required to complete this procedure.

To review the configuration of a license server by using TS Licensing Manager

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager.

2. In the left pane, click All servers. In the right pane, in the Configuration column, you see either OK or Review. Review indicates that there is a possible configuration issue with the license server.

3. To review the configuration details of a license server, do one of the following:

Select the license server that you want to review, and then on the Action menu, click Review Configuration.

Right-click the license server that you want to review, and then click Review Configuration.

If Review is displayed in the Configuration column for a license server, click Review.

4. In the Configuration dialog box, a list of messages provides you with information about the configuration of the license server and identifies possible configuration issues.

For certain configuration issues, you can correct the problem from within the Configuration dialog box if you have the appropriate administrative privileges. For example, if the license server is not published in AD DS and you have Enterprise Admins privileges in AD DS, you can click Publish in AD DS to correct the problem.

Diagnose licensing problems on your terminal server

Each user or computing device that connects to a terminal server must have a valid Terminal Services client access license (TS CAL) issued by a Terminal Services license server. A terminal server must be able to discover a Terminal Services license server to request TS CALs for users or computing devices that are connecting to the terminal server.

Terminal Services Configuration for Windows Server 2008 includes the Licensing Diagnosis tool, which provides information to help identify possible licensing problems for the terminal server, including the following:

Determines which license servers the terminal server can discover

Determines whether those license servers have TS CALs available to issue to users or computing devices that are connecting to the terminal server

Tries to identify possible licensing problems and provide resolutions to those problems

Use the following procedure to run the Licensing Diagnosis tool.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To run the Licensing Diagnosis tool

1. Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.

2. In the left pane, click Licensing Diagnosis. Licensing Diagnosis automatically runs and tries to discover license servers and identify licensing configuration problems, and then displays the results.

The Licensing Diagnosis results include the following:

Terminal Server Configuration Details, which displays configuration information about the terminal server, including the licensing mode and discovery mode that have been specified for the terminal server.

Licensing Diagnosis Information, which displays any licensing problems that were identified along with suggested resolutions to the problems.

Terminal Services License Server Information, which displays the license servers that were discovered by the terminal server.

License Server Configuration Details, which displays configuration information about a license server, including the type and version of TS CALs installed and available on that license server.

To view the configuration details of a selected license server, the account that you are logged on as needs administrator privileges on the license server. If your account does not have administrator privileges on the license server, you can use Provide Credentials in the Licensing Diagnosis tool to provide credentials that have administrative privileges on the license server.

Important

To view the configuration details of a Windows 2000 or a Windows Server 2003 license server, you must provide the credentials of the built-in local Administrator account on the license server. The credentials of any other account, even if that account has administrator privileges on the license server, will not allow you to view the configuration details.

Deploying TS Session Broker

Terminal Services Session Broker (TS Session Broker) is a role service that keeps track of user sessions in a load-balanced terminal server farm. The TS Session Broker database stores session state information that includes session IDs, their associated user names, and the name of the server where each session resides. TS Session Broker uses this information to redirect users who have an existing session to the terminal server where their session exists.

If the TS Session Broker Load Balancing feature is enabled, TS Session Broker also tracks the number of user sessions on each terminal server in the farm, and directs new sessions to the terminal server with the fewest sessions.

To install and configure a TS Session Broker server, see the following topics:

Installation Prerequisites for TS Session Broker

Checklist: Creating a Load-Balanced Terminal Server Farm by Using TS Session Broker

Installing TS Session Broker

Adding Each Terminal Server in the Farm to the Session Directory Computers Local Group

Configuring a Terminal Server to Join a Farm in TS Session Broker

Configuring DNS for TS Session Broker Load Balancing

Configuring Dedicated Redirectors (optional)

Installation Prerequisites for TS Session Broker

To participate in TS Session Broker Load Balancing, the following system requirements apply:

The TS Session Broker server and the terminal servers in the farm must be running Windows Server 2008. TS Session Broker is available in the following operating systems: Windows Server 2008 Standard, Windows Server 2008 Enterprise, and Windows Server 2008 Datacenter.

Note

Windows Server 2003-based terminal servers cannot use the TS Session Broker Load Balancing feature.

All terminal servers in the load-balanced farm must be configured identically, with the same available programs.

Client computers must be running Remote Desktop Connection (RDC) version 5.2 or later.

In addition, we recommend that you configure all terminal servers in the farm to restrict each user to a single session. To do this, use either of the following methods:

Configure the Restrict Terminal Services users to a single remote session Group Policy setting. This policy setting is available in the Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections node of the Group Policy Management Console (GPMC) on a Windows Server 2008-based domain controller. It is a best practice to group the terminal servers that are in the same terminal server farm into a single organizational unit (OU), and then configure this policy setting in a Group Policy object (GPO) that applies to the OU.

Note

If you are using the Local Group Policy Editor, Policies is not part of the node path.

Configure the Restrict each user to a single session setting on each terminal server by using Terminal Services Configuration. This setting appears under Edit settings, in the General section.

TS Session Broker components

The following are two TS Session Broker components to consider:

TS Session Broker server, which is the server that runs the Terminal Services Session Broker service and tracks user sessions for one or more load-balanced terminal server farms. TS Session Broker uses a farm name to determine which servers are in the same terminal server farm.

Terminal servers that use TS Session Broker, which are load-balanced terminal servers that are members of a farm in TS Session Broker.

Checklist: Creating a Load-Balanced Terminal Server Farm by Using TS Session Broker

With a load-balanced terminal server farm, you can scale the performance of a single terminal server by distributing Terminal Services sessions across multiple servers. You can configure a load-balanced farm by using the TS Session Broker Load Balancing feature, Network Load Balancing (NLB), or a non-Microsoft solution. TS Session Broker also enables a user to reconnect to their existing session in a load-balanced terminal server farm.

This checklist shows the steps that are required to create and configure a load-balanced terminal server farm by using TS Session Broker Load Balancing.

Important

The TS Session Broker Load Balancing feature is only supported on terminal servers that are running Windows Server 2008.

Task: Install the TS Session Broker role service on the server that you want to use to track user sessions for a farm.
Reference: Installing TS Session Broker

Task: Add the terminal servers in the farm to the Session Directory Computers local group on the TS Session Broker server.
Reference: Adding Each Terminal Server in the Farm to the Session Directory Computers Local Group

Task: Configure the terminal servers in the farm to join a farm in TS Session Broker, and to participate in TS Session Broker Load Balancing.
Reference: Configuring a Terminal Server to Join a Farm in TS Session Broker

Task: Configure DNS round robin entries for terminal servers in the farm.
Reference: Configuring DNS for TS Session Broker Load Balancing

Installing TS Session Broker

You must install the TS Session Broker role service on a server (running Windows Server 2008) that you want to use to track user session information for a load-balanced terminal server farm. The server where you install the TS Session Broker role service does not have to be a terminal server or have Remote Desktop enabled.

You can use a single TS Session Broker server to track user sessions across multiple farms because there is minimal performance overhead.

When you install the TS Session Broker role service, the following changes occur on the local computer:

The Terminal Services Session Broker service is installed. By default, the service is set to Started and to Automatic.

The Session Directory Computers local group is created.

Installation prerequisites

The server where you install TS Session Broker must be a member of a domain.

Note

If you install the TS Session Broker role service on a domain controller, the Session Directory Computers group will be a domain local group and available on all domain controllers.

Install the TS Session Broker role service

Membership in the local Administrators group is the minimum required to complete this procedure.

To install the TS Session Broker role service

1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

2. If the Terminal Services role is already installed:

a. Under Roles Summary, click Terminal Services.

b. Under Role Services, click Add Role Services.

c. On the Select Role Services page, select the TS Session Broker check box, and then click Next.

If the Terminal Services role is not already installed:

a. Under Roles Summary, click Add Roles.

b. On the Before You Begin page of the Add Roles Wizard, click Next.

c. On the Select Server Roles page, select the Terminal Services check box, and then click Next.

d. On the Terminal Services page, click Next.

e. On the Select Role Services page, select the TS Session Broker check box, and then click Next.

3. On the Confirm Installation Selections page, confirm that TS Session Broker is listed, and then click Install.

4. On the Installation Results page, click Close.

Adding Each Terminal Server in the Farm to the Session Directory Computers Local Group

For terminal servers to use TS Session Broker, you must add the computer account for each terminal server in the farm to the Session Directory Computers local group on the TS Session Broker server.

Membership in the local Administrators group is the minimum required to complete this procedure.

Important

You must perform this procedure on the server where you installed the TS Session Broker role service.

To add terminal servers to the Session Directory Computers local group

1. On the TS Session Broker server, click Start, point to Administrative Tools, and then click Computer Management.

2. In the left pane, expand Local Users and Groups, and then click Groups.

3. In the right pane, right-click the Session Directory Computers group, and then click Properties.

4. Click Add.

5. In the Select Users, Computers or Groups dialog box, click Object Types.

6. Select the Computers check box, and then click OK.

7. Locate and then add the computer account for each terminal server that you want to add.

8. When you finish, click OK.

Configuring a Terminal Server to Join a Farm in TS Session Broker

You can configure a terminal server to join a farm in TS Session Broker and to participate in TS Session Broker Load Balancing by using Group Policy or the Terminal Services Configuration tool. However, you must use Terminal Services Configuration to configure the following settings:

The IP addresses to be used for reconnection

The relative weight of the server when using TS Session Broker Load Balancing

For information about how to configure the settings by using Group Policy, see Configure TS Session Broker Settings by Using Group Policy. Configuring the settings by using Group Policy is a recommended best practice.

For information about how to configure the settings by using Terminal Services Configuration, see Configure TS Session Broker Settings by Using Terminal Services Configuration.

Important

Group Policy settings take precedence over configuration settings in the Terminal Services Configuration snap-in and settings that are made by using the Terminal Services WMI provider.

Configure TS Session Broker Settings by Using Group Policy

You can use Group Policy to configure TS Session Broker settings. However, to configure the IP addresses to be used for reconnection, or to configure the relative server weight when using TS Session Broker Load Balancing, you must use Terminal Services Configuration.

To assign TS Session Broker settings through Group Policy, it is a best practice to group the terminal servers that are in the same terminal server farm into a single organizational unit (OU) in Active Directory Domain Services (AD DS). Then, configure the TS Session Broker settings in a Group Policy object (GPO) that applies to the OU.

Note

For the TS Session Broker settings to be effective on a server, the server must have the Terminal Server role service installed.

The following procedure describes how to configure TS Session Broker Group Policy settings by using the Group Policy Management Console (GPMC).

To change Group Policy settings for a domain or an OU, you must be logged on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy Creator Owners group, or have been delegated the appropriate authority over Group Policy to complete this procedure.

To apply TS Session Broker settings to an Active Directory OU

1. To start the GPMC, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the left pane, locate the OU that contains the terminal servers.

3. To modify an existing GPO for the OU, expand the OU, and then click the GPO.

To create a new GPO, follow these steps:

a. Right-click the OU, and then click Create a GPO in this domain, and link it here.

b. In the Name box, type a name for the GPO, and then click OK.

c. In the left pane, locate and then click the new GPO.

4. In the right pane, click the Settings tab.

5. Right-click Computer Configuration, and then click Edit.

6. In the left pane, under Computer Configuration, expand Policies, Administrative Templates, Windows Components, Terminal Services, Terminal Server, and then click TS Session Broker.

7. In the right pane, double-click the Join TS Session Broker policy setting, click Enabled, and then click OK.

8. Double-click the Configure TS Session Broker farm name policy setting, and then do the following:

a. Click Enabled.

b. In the TS Session Broker farm name box, type the name of the farm in TS Session Broker that you want to join, and then click OK.

Important

TS Session Broker uses a farm name to determine which servers are in the same terminal server farm. You must use the same farm name for all servers that are in the same load-balanced terminal server farm. Although the farm name in TS Session Broker does not have to be registered in AD DS, it is recommended that you use the same name that you will use in DNS for the terminal server farm. (The terminal server farm name in DNS represents the virtual name that clients will use to connect to the terminal server farm.) If you type a new farm name, a new farm is created in TS Session Broker and the server is joined to the farm. If you type an existing farm name, the server joins the existing farm in TS Session Broker.

9. Double-click the Configure TS Session Broker server name policy setting, and then do the following:

a. Click Enabled.

b. In the TS Session Broker server name box, type the name of the server where you installed the TS Session Broker role service, and then click OK.

10. To use TS Session Broker Load Balancing, double-click the Use TS Session Broker load balancing policy setting, click Enabled, and then click OK.

11. Optionally, if you have a hardware load balancer that supports TS Session Broker token redirection, double-click Use IP Address Redirection and configure the setting. For more information, see the Group Policy Explain text and Configuring Dedicated Redirectors (optional).

Note

To configure TS Session Broker settings by using local Group Policy, use the Local Group Policy Editor. To start the Local Group Policy Editor, click Start, click Run, type gpedit.msc, and then click OK. To configure local Group Policy settings, you must be a member of the Administrators group on the local computer or you must have been delegated the appropriate authority.

Configure TS Session Broker Settings by Using Terminal Services Configuration

You can configure a terminal server to join a farm in TS Session Broker and to participate in TS Session Broker Load Balancing by using Terminal Services Configuration.

Note

The following steps are only applicable if the Terminal Server role service is installed.

Membership in the local Administrators group is the minimum required to complete this procedure.

To configure TS Session Broker settings by using Terminal Services Configuration

1. Start Terminal Services Configuration. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.

2. In the Edit settings area, under TS Session Broker, double-click Member of farm in TS Session Broker.

3. On the TS Session Broker tab, click to select the Join a farm in TS Session Broker check box.

4. In the TS Session Broker server name or IP address box, type the name or the IP address of the TS Session Broker server.

Note

The TS Session Broker server is the server where you installed the TS Session Broker role service.

5. In the Farm name in TS Session Broker box, type the name of the farm that you want to join in TS Session Broker.

Important

TS Session Broker uses a farm name to determine which servers are in the same terminal server farm. You must use the same farm name for all servers that are in the same load-balanced terminal server farm. Although the farm name in TS Session Broker does not have to be registered in AD DS, it is recommended that you use the same name that you will use in DNS for the terminal server farm. (The terminal server farm name in DNS represents the virtual name that clients will use to connect to the terminal server farm.) If you type a new farm name, a new farm is created in TS Session Broker and the server is joined to the farm. If you type an existing farm name, the server joins the existing farm in TS Session Broker.

6. To participate in TS Session Broker Load Balancing, select the Participate in Session Broker Load-Balancing check box.

7. Optionally, in the Relative weight of this server in the farm box, modify the server weight. By default, the value is 100. The server weight is relative. Therefore, if you assign one server a value of 100, and one a value of 200, the server with a relative weight of 200 will receive twice the number of sessions.

8. Verify that you want to use IP address redirection. By default, the Use IP address redirection (recommended) setting is enabled. If you clear the check box, the server switches to token redirection mode.

9. In the Select IP addresses to be used for reconnection box, click to select the check box next to each IP address that you want to use. When you select the IP addresses to use, consider the following:

Only the first selected IPv4 address will be used by clients that are running RDC 5.2 and earlier.

Using IPv6 addresses is not recommended if the terminal server farm contains servers that are running Windows Server 2003.

10. When you finish, click OK.
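Because Group Policy overrides whatever is set in Terminal Services Configuration or through the WMI provider, it is useful to see the effective farm settings next to the policy values that force them. The following PowerShell is an added example, not code from the guide or from Microsoft; it assumes local administrator rights on a Windows Server 2008 terminal server, and the value names it looks for under the Policies registry key are an assumption to verify with gpresult.

```powershell
# Added example; not part of the Terminal Services Deployment Guide.
# Shows the TS Session Broker settings in effect on this terminal server
# (Win32_TSSessionDirectory, Terminal Services WMI provider) next to the
# Group Policy values that override them, then resolves the farm name in DNS.
# ASSUMPTIONS: run locally as an administrator on Windows Server 2008; the
# policy value names below are assumed to match the provider's property names.

$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$policy = $null
if (Test-Path $policyKey) { $policy = Get-ItemProperty -Path $policyKey }

$sd = Get-WmiObject -Namespace "root\cimv2\TerminalServices" `
        -Class Win32_TSSessionDirectory -Authentication PacketPrivacy

# Setting shown in Terminal Services Configuration -> WMI property -> policy value.
$settings = @(
    @{ Name = "Join a farm in TS Session Broker"; Wmi = "SessionDirectoryActive";         Policy = "SessionDirectoryActive" },
    @{ Name = "TS Session Broker server name";    Wmi = "SessionDirectoryLocation";       Policy = "SessionDirectoryLocation" },
    @{ Name = "Farm name in TS Session Broker";   Wmi = "SessionDirectoryClusterName";    Policy = "SessionDirectoryClusterName" },
    @{ Name = "Use IP address redirection";       Wmi = "SessionDirectoryExposeServerIP"; Policy = "SessionDirectoryExposeServerIP" },
    @{ Name = "Relative weight (TS Config only)"; Wmi = "ServerWeight";                   Policy = $null }
)

$report = $settings | ForEach-Object {
    $s = $_
    $prop = $sd.PSObject.Properties[$s.Wmi]
    $effective = if ($prop) { $prop.Value } else { "(not exposed by this provider)" }
    # Group Policy wins over TS Config and WMI, so flag values the policy key sets.
    $forced = ($s.Policy -ne $null -and $policy -ne $null -and $policy.PSObject.Properties[$s.Policy] -ne $null)
    $policyValue = if ($forced) { $policy.($s.Policy) } else { "" }
    New-Object PSObject -Property @{
        Setting = $s.Name; Effective = $effective; SetByGroupPolicy = $forced; PolicyValue = $policyValue
    }
}
$report | Format-Table Setting, Effective, SetByGroupPolicy, PolicyValue -AutoSize

# Sanity checks a practitioner would want after joining a farm.
if ($sd.SessionDirectoryActive -and -not $sd.SessionDirectoryClusterName) {
    Write-Warning "Server is joined to TS Session Broker but has no farm name."
}
if ($sd.SessionDirectoryClusterName) {
    # The guide recommends that the farm name match the DNS round-robin name
    # clients use; list what it resolves to so it can be compared with the farm.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($sd.SessionDirectoryClusterName) |
            ForEach-Object { $_.IPAddressToString }
        "Farm name '$($sd.SessionDirectoryClusterName)' resolves to: $($addrs -join ', ')"
    } catch {
        Write-Warning "Farm name '$($sd.SessionDirectoryClusterName)' does not resolve in DNS: $($_.Exception.Message)"
    }
}
```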

Configuring DNS for TS Session Broker Load Balancing

To configure DNS round robin entries for TS Session Broker Load Balancing, you must map the IP address of each terminal server in the farm to the terminal server farm name in DNS.

The following procedure provides the steps to configure DNS on a Windows Server 2008-based domain controller.

You must be a member of the Domain Admins, Enterprise Admins, or the DnsAdmins group to complete this procedure.

To add DNS entries for each terminal server in the farm

1. Click Start, point to Administrative Tools, and then click DNS.

2. Expand the server name, expand Forward Lookup Zones, expand the domain name, and then click the appropriate zone.

3. Right-click the zone, and then click New Host (A or AAAA).

4. In the Name (uses parent domain name if blank) box, type the terminal server farm name.

The farm name is the virtual name that clients will use to connect to the terminal server farm. For management purposes, it is recommended that you use the same farm name that you specified when you configured the terminal servers to join a farm in TS Session Broker.

Important

Do not use the name of an existing server for the farm name.

5. In the IP address box, type the IP address of a terminal server in the farm.

6. Click Add Host, and then click OK when you receive the message that the host record was successfully created.

7. Repeat steps three through six for each terminal server in the farm.

Important

You must specify the same farm name in the Name (uses parent domain name if blank) box for each DNS entry.

For example, if you have three terminal servers in a farm named FARM1, with IP addresses of 192.168.1.20, 192.168.1.21, and 192.168.1.22, the entries would look similar to the following:

Farm1 Host(A) 192.168.1.20
Farm1 Host(A) 192.168.1.21
Farm1 Host(A) 192.168.1.22

8. When you finish, click Done.

Note

By default, a DNS round robin entry is enabled when using DNS on a Windows Server 2008-based domain controller. The Enable round robin setting is available on the Advanced tab when you view the properties of the server in DNS.
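As an added example (not from the guide or from Microsoft), the same three Farm1 records can be created with dnscmd.exe from a PowerShell prompt, after first checking that no computer account with the farm name exists in AD DS, which is the rule the Important note above states. It assumes it runs on the Windows Server 2008 DNS server as a DnsAdmins member; the zone name corp.example.com is a constructed value.

```powershell
# Added example; not part of the Terminal Services Deployment Guide.
# Creates the round-robin host (A) records for a farm with dnscmd.exe, after
# checking that the farm name does not collide with an existing computer
# account in AD DS. ASSUMPTIONS: run on a Windows Server 2008 DNS server as a
# DnsAdmins member; the zone name below is constructed sample data, the farm
# name and addresses are the guide's own example.

$zone      = "corp.example.com"                             # constructed: DNS zone
$farmName  = "Farm1"                                        # farm name from the guide
$farmIps   = "192.168.1.20", "192.168.1.21", "192.168.1.22" # from the guide's example
$dnsServer = "."                                            # "." = the local DNS server

# 1. Refuse to proceed if a computer object with the farm name already exists:
#    a farm name that matches a real server would hijack that server's name.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$farmName`$))"
if ($searcher.FindOne() -ne $null) {
    throw "'$farmName' is an existing computer account; choose a different farm name."
}

# 2. Round robin is on by default on Windows Server 2008 DNS; setting it
#    explicitly makes the script safe to re-run on a server where it was turned off.
& dnscmd $dnsServer /Config /RoundRobin 1 | Out-Null

# 3. One A record per terminal server, all under the same owner name.
foreach ($ip in $farmIps) {
    & dnscmd $dnsServer /RecordAdd $zone $farmName A $ip | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed to add $farmName A $ip" }
}

# 4. Verify: the zone should now hold every farm address under the farm name.
$records = & dnscmd $dnsServer /EnumRecords $zone $farmName /Type A
$found = @($records | Select-String -Pattern "\b(\d{1,3}\.){3}\d{1,3}\b" -AllMatches |
    ForEach-Object { $_.Matches | ForEach-Object { $_.Value } })
$missing = $farmIps | Where-Object { $found -notcontains $_ }
if ($missing) { throw "Missing A records for: $($missing -join ', ')" }
"$farmName.$zone resolves to: $($found -join ', ')"
```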

Configuring Dedicated Redirectors (optional)

If you use Domain Name System (DNS) round robin as the front-end load balancer, when you register the IP address of each terminal server in the farm to a single terminal server farm name in DNS, incoming Terminal Services clients try to connect to the first IP address for the farm name that is returned by DNS. The terminal server that receives this initial connection request acts as the redirector.

To increase session redirection performance in a large terminal server farm, you can configure terminal servers to be dedicated redirectors. These servers process incoming requests, but they do not accept user sessions.

To configure dedicated redirectors, you must do the following:

1. Create DNS round robin entries for the terminal servers that you want to use as dedicated redirectors. When you do so, you must map the IP address of each terminal server that you want to use as a dedicated redirector to the terminal server farm name in DNS. (The farm name is the virtual name that clients use to connect to the terminal server farm.) The farm name must not match an existing server name in Active Directory Domain Services (AD DS).

Note

Only the dedicated redirectors should have host resource records in DNS that map to the terminal server farm name.

2. Configure the terminal servers that you want to use as dedicated redirectors to deny new user logon requests. For more information about how to deny new user logon requests, see Deny Logon Requests to a Terminal Server.

Deploying TS Gateway

Terminal Services Gateway (TS Gateway) is a role service that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be terminal servers, terminal servers running RemoteApp programs, or computers with Remote Desktop enabled.

TS Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection. In this way, TS Gateway helps improve security by establishing an encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.

To install, configure, and manage a TS Gateway server, see the following topics:

Installation Prerequisites for TS Gateway
Understanding Requirements for Connecting to a TS Gateway Server
Checklist: Deploying TS Gateway
Installing TS Gateway
Configuring a Certificate for the TS Gateway Server
Creating a Terminal Services Connection Authorization Policy
Creating a Terminal Services Resource Authorization Policy
Configuring the Terminal Services Client for TS Gateway
Limiting the Maximum Number of Simultaneous Connections Through TS Gateway
Using Group Policy to Manage Client Connections Through TS Gateway

Installation Prerequisites for TS Gateway

For TS Gateway to function correctly, you must meet these prerequisites:

You must have a server running Windows Server 2008.

You must obtain an SSL certificate for the TS Gateway server if you do not have one already. By default, on the TS Gateway server, the RPC/HTTP Load Balancing service and the IIS service use Transport Layer Security (TLS) 1.0 to encrypt communications between clients and TS Gateway servers over the Internet. For TLS to function correctly, you must install an SSL certificate on the TS Gateway server.

Note: You do not need a certification authority (CA) infrastructure within your organization if you can use another method to obtain an externally trusted certificate that meets the requirements for TS Gateway. If your company does not maintain a stand-alone CA or an enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes.

For information about certificate requirements for TS Gateway and how to obtain and install a certificate, see "Obtain a certificate for the TS Gateway server" in Configuring the TS Gateway Core Scenario.

TS Gateway servers must be joined to an Active Directory domain in the following cases:

If you configure a TS Gateway authorization policy that requires that users be domain members to connect to the TS Gateway server.

If you configure a TS Gateway authorization policy that requires that client computers be domain members to connect to the TS Gateway server.

If you are deploying a load-balanced TS Gateway server farm.

Role, role service, and feature dependencies

To function correctly, TS Gateway requires several role services and features to be installed and running. When you use Server Manager to install the TS Gateway role service, the following additional roles, role services, and features are automatically installed and started, if they are not already installed:

Remote Procedure Call (RPC) over HTTP Proxy

Web Server (IIS) [Internet Information Services 7.0]

Note: IIS 7.0 must be installed and running for the RPC over HTTP Proxy feature to function.

Network Policy and Access Services

You can also configure TS Gateway to use Terminal Services connection authorization policies (TS CAPs) that are stored on another server that runs the Network Policy Server (NPS) service. By doing this, you are using the server that is running Network Policy Server (NPS)—formerly known as a Remote Authentication Dial-In User Service (RADIUS) server—to centralize the storage, management, and validation of TS CAPs. If you have already deployed a server running NPS for remote access scenarios such as VPN and dial-up networking, using the existing server running NPS for TS Gateway scenarios as well can enhance your deployment.

Administrative credentials

You must be a member of the Administrators group on the computer that you want to configure as a TS Gateway server.

Understanding Requirements for Connecting to a TS Gateway Server

Users on Terminal Services client computers must meet specific requirements before they can connect to TS Gateway. These requirements include the following:

Supported Windows authentication method (required). You can configure the authentication methods that the TS Gateway server allows by using TS Gateway Manager. On clients, you can configure the authentication method to be used to connect to the TS Gateway server by using Group Policy.

Important: A client and the TS Gateway server to which the client connects must have at least one common authentication method, or the client's attempt to connect to the TS Gateway server will fail.

Note: If you configure the authentication method on the client by using Group Policy, the Group Policy settings for Terminal Services client connections can be applied in one of two ways. These policy settings can either be suggested (that is, they can be enabled, but not enforced) or they can be enabled and enforced. For more information, see Using Group Policy to Manage Client Connections Through TS Gateway.

User group membership (required). You configure the user group membership requirement by using TS Gateway Manager.

Client computer group membership (optional). You configure the client computer group membership requirement by using TS Gateway Manager.

In TS Gateway Manager, you configure these requirements on the Requirements tab of a Terminal Services connection authorization policy (TS CAP). For more information, see Creating a Terminal Services Connection Authorization Policy.

Supported Windows authentication methods

If you configure the supported Windows authentication method by using TS Gateway Manager, you can specify that a user must use a password or a smart card, or both. If you select both methods, either can be used to connect.

If you configure the supported Windows authentication method by using Group Policy, the following options are available:

Ask for credentials, use NTLM protocol (a Windows NT® challenge/response protocol). For information about the NTLM protocol, see Logon and Authentication Technologies (http://go.microsoft.com/fwlink/?LinkId=94215) and Microsoft NTLM (http://go.microsoft.com/fwlink/?LinkId=94216).

Ask for credentials, use Basic protocol. The Basic authentication method is a widely used industry-standard method for collecting user name and password information. It is less secure, however, because the passwords are transmitted in Base64-encoded form, not encrypted. For more information, see Basic Authentication (http://go.microsoft.com/fwlink/?LinkId=94217).

Use locally logged-on credentials. In this case, the same credentials that users provide to log on to their local computer are used to connect to the TS Gateway server. If you select this option, but users have previously connected to the same TS Gateway server and they have selected the Remember my credentials check box in the TS Gateway Server Settings dialog box on their client computer, their saved credentials are used to connect to the TS Gateway server.

Use smart card. Smart cards contain a microcomputer and a small amount of memory, and they provide secure, tamper-proof storage for private keys and X.509 security certificates. A smart card is a form of two-factor authentication that requires the user to have a smart card and know the PIN to gain access to network resources. For more information, see The Secure Access Using Smart Cards Planning Guide (http://go.microsoft.com/fwlink/?LinkId=94218).

If all these credentials are available to users, and if users have specified to save their credentials when connecting to the TS Gateway server, their credentials are used in the following order:

1. Saved credentials
2. Locally logged-on credentials
3. Other password or smart card credentials supplied by the user

Checklist: Deploying TS Gateway

The following steps are required to successfully set up and demonstrate the TS Gateway core scenario. This scenario enables you to configure a TS Gateway server so that a remote user can access an internal network resource over the Internet through the TS Gateway server. In this scenario, the internal network resource can be a terminal server, a terminal server running RemoteApp programs, or a computer with Remote Desktop enabled.

To configure the TS Gateway server, complete the following tasks.

Task                                                                    Reference/Step-by-step instructions
Install the TS Gateway role service.                                    Installing TS Gateway
Configure a certificate for the TS Gateway server.                      Configuring a Certificate for the TS Gateway Server
Create a Terminal Services connection authorization policy (TS CAP).    Creating a Terminal Services Connection Authorization Policy
Create a Terminal Services resource authorization policy (TS RAP).      Creating a Terminal Services Resource Authorization Policy
Configure the Terminal Services client for TS Gateway.                  Configuring the Terminal Services Client for TS Gateway

Installing TS Gateway

Follow these steps to install the TS Gateway role service. Optionally, during the role service installation process, you can select an existing certificate (or create a new self-signed certificate), and you can create a Terminal Services connection authorization policy (TS CAP) and a Terminal Services resource authorization policy (TS RAP).

Install the TS Gateway role service

Use the following procedure to install the TS Gateway role service.

To install the TS Gateway role service

1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

2. If the Terminal Services role is not already installed:

a. In Server Manager, under Roles Summary, click Add roles.
b. In the Add Roles Wizard, if the Before You Begin page appears, click Next. This page will not appear if you have already installed other roles and you have selected the Skip this page by default check box.
c. On the Select Server Roles page, under Roles, select the Terminal Services check box, and then click Next.
d. On the Terminal Services page, click Next.
e. On the Select Role Services page, in the Role services list, select the TS Gateway check box.
f. If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services.
g. On the Select Role Services page, confirm that TS Gateway is selected, and then click Next.

If the Terminal Services role is already installed:

a. Under Roles Summary, click Terminal Services.
b. Under Role Services, click Add Role Services.
c. On the Select Role Services page, select the TS Gateway check box, and then click Next.
d. If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services.
e. On the Select Role Services page, click Next.

3. On the Choose a Server Authentication Certificate for SSL Encryption page, specify whether to choose an existing certificate for SSL encryption (recommended), create a self-signed certificate for SSL encryption, or choose a certificate for SSL encryption later. If you are completing an installation for a new server that does not yet have certificates, see Obtain a Certificate for the TS Gateway Server for certificate requirements and information about how to obtain and install a certificate.

Under the Choose an existing certificate for SSL encryption (recommended) option, only certificates that have the intended purpose (server authentication) and Enhanced Key Usage (EKU) [Server Authentication (1.3.6.1.5.5.7.3.1)] that are appropriate for the TS Gateway role service will appear in the list of certificates. If you select this option, click Import, and then import a new certificate that does not meet these requirements, the imported certificate will not appear in the list.

4. On the Create Authorization Policies for TS Gateway page, specify whether you want to create authorization policies (a TS CAP and a TS RAP) during the TS Gateway role service installation process or later. If you select Later, follow the procedures in Creating a Terminal Services Connection Authorization Policy to create this policy. If you select Now, do the following:

a. On the Select User Groups That Can Connect Through TS Gateway page, click Add to specify additional user groups. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box.
b. To specify more than one user group, do either of the following: Type the name of each user group, separating the name of each group with a semi-colon; or add additional groups from different domains by repeating the first part of this step for each group.
c. After you finish specifying additional user groups, on the Select User Groups that Can Connect Through TS Gateway page, click Next.
d. On the Create a TS CAP for TS Gateway page, accept the default name for the TS CAP (TS_CAP_01) or specify a new name, select one or more supported Windows authentication methods, and then click Next.
e. On the Create a TS RAP for TS Gateway page, accept the default name for the TS RAP (TS_RAP_01) or specify a new name, and then do one of the following: Specify whether to allow users to connect only to computers in one or more computer groups, and then specify the computer groups; or specify that users can connect to any computer on the network. Click Next.

5. On the Network Policy and Access Services page (which appears if this role service is not already installed), review the summary information, and then click Next.

6. On the Select Role Services page, verify that Network Policy Server is selected, and then click Next.

7. On the Web Server (IIS) page (which appears if this role service is not already installed), review the summary information, and then click Next.

8. On the Select Role Services page, accept the default selections for Web Server (IIS), and then click Next.

9. On the Confirm Installation Options page, verify that the following roles, role services, and features will be installed:

Terminal Services\TS Gateway
Network Policy and Access Services\Network Policy Server
Web Server (IIS)\Web Server\Management Tools
RPC over HTTP Proxy
Windows Process Activation Service\Process Model\Configuration APIs

10. Click Install.

11. On the Installation Progress page, installation progress will be noted. If any of these roles, role services, or features has already been installed, installation progress will be noted only for the new roles, role services, or features that are being installed.

12. On the Installation Results page, confirm that installation was successful, and then click Close.

Verify successful role service installation and TS Gateway service status

Use the following procedure to verify that the TS Gateway role service and dependent roles, role services, and features are installed correctly and running.

To verify that installation was successful

1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

2. In the console tree, expand Roles, and then double-click Terminal Services.

3. On the Terminal Services summary page, in the System Services area, verify that the status of Terminal Services Gateway is Running and that the startup type is set to Auto.

4. Close Server Manager.

5. Open Internet Information Services (IIS) Manager. To open IIS Manager, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

6. In the console tree, expand <TS Gateway_Server_Name>\Sites\Default Web Site, and then click Default Web Site.

7. Right-click Default Web Site, point to Manage Web Site, and then click Advanced Settings.

8. In the Advanced Settings dialog box, under (General), verify that Start Automatically is set to True. If it is not set to True, click the drop-down arrow to display the list, and then click True.

9. Click OK.

10. Close IIS Manager.
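The same checks can be made from the command line, which is useful when you verify several TS Gateway servers. The following PowerShell is an added example and not part of the guide. It assumes Windows Server 2008 with ServerManagerCmd.exe and the IIS 7.0 appcmd.exe present and an elevated prompt. The component identifiers it queries (TS-Gateway, NPAS-Policy-Server, Web-Server, RPC-over-HTTP-Proxy, WAS-Config-APIs) are assumed to be the ServerManagerCmd names of the components listed on the Confirm Installation Options page; confirm them against the output of ServerManagerCmd -query on your server. TSGateway, W3SVC and IAS are the Windows service names of Terminal Services Gateway, IIS and Network Policy Server.

```powershell
# Added example, not from the guide: command-line check of the items the procedure
# above verifies in Server Manager and IIS Manager.

# 1. Installed roles, role services and features. ServerManagerCmd -query marks installed
#    components with [X] and shows each component's identifier in square brackets.
#    The identifiers below are assumed; confirm them against -query output.
$components = "TS-Gateway", "NPAS-Policy-Server", "Web-Server",
              "RPC-over-HTTP-Proxy", "WAS-Config-APIs"
$query = ServerManagerCmd.exe -query
foreach ($id in $components) {
    $line = @($query | Where-Object { $_ -match "\[$id\]" })
    if ($line -and ($line[0] -match '\[X\]')) { "installed   $id" } else { "MISSING     $id" }
}

# 2. Services: Terminal Services Gateway must be Running with start mode Auto, and
#    IIS (W3SVC) and Network Policy Server (IAS) must be running as well.
function Test-ServiceState([string]$Name, [string]$State = "Running", [string]$StartMode = "Auto") {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return "MISSING     service $Name" }
    $ok  = ($svc.State -eq $State) -and ($svc.StartMode -eq $StartMode)
    $tag = if ($ok) { "ok         " } else { "CHECK      " }
    return "$tag service $Name is $($svc.State), start mode $($svc.StartMode)"
}
Test-ServiceState "TSGateway"
Test-ServiceState "W3SVC"
Test-ServiceState "IAS"

# 3. Default Web Site: Start Automatically = True (serverAutoStart) and currently started.
$appcmd    = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
$autoStart = & $appcmd list site "Default Web Site" /text:serverAutoStart
$state     = & $appcmd list site "Default Web Site" /text:state
"Default Web Site: serverAutoStart=$autoStart, state=$state"
```

A line marked MISSING or CHECK corresponds to the step in the procedure above that would have failed in the graphical tools; the Default Web Site line should read serverAutoStart=true and state=Started.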

Configuring a Certificate for the TS Gateway Server

By default, Transport Layer Security (TLS) 1.0 is used to encrypt communications between Terminal Services clients and TS Gateway servers over the Internet. For TLS to function correctly, you must install a Secure Sockets Layer-compatible X.509 certificate on the TS Gateway server. You can obtain this certificate in one of the following ways:

You can generate and submit a certificate request to obtain a certificate from a stand-alone or an enterprise certification authority (CA).

You can purchase a certificate (or obtain one at no cost on a trial basis) from one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program, as listed in article 931125 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547).

You can use the Add Roles Wizard to create a self-signed certificate when you install the TS Gateway role service, or you can use TS Gateway Manager to do this after TS Gateway is installed.

Note: We recommend that you use a self-signed certificate only for testing and evaluation purposes.

This section describes certificate requirements for the TS Gateway server and provides more information about the methods that you can use to obtain a certificate. The following topics are included:

Obtain a Certificate for the TS Gateway Server
Create a Self-Signed Certificate for the TS Gateway Server
Install a Certificate on the TS Gateway Server
Map the TS Gateway Certificate
View or Modify Certificate Properties

Obtain a Certificate for the TS Gateway Server

This section assumes an understanding of certificate trust chaining, certificate signing, and general certificate configuration principles.

For information about public key infrastructure (PKI) configuration in Windows Server 2008, see ITPROADD-204: PKI Enhancement in Windows Vista and Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=93995).

For information about PKI configuration in Windows Server 2003, see Public Key Infrastructure (http://go.microsoft.com/fwlink/?LinkID=54917).

By default TLS 1.0 is used to encrypt communications between Terminal Services clients and TS Gateway servers over the Internet. TLS is a standard protocol that helps to secure Web communications on the Internet or intranets. TLS is the latest and most secure version of the SSL protocol. For more information about TLS, see:

SSL/TLS in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkID=19646)
RFC 2246: The TLS Protocol Version 1.0 (http://go.microsoft.com/fwlink/?LinkID=40979)

For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the TS Gateway server.

Certificate requirements for TS Gateway

Certificates for TS Gateway must meet the following requirements:

The name in the Subject line of the server certificate (certificate name, or CN) must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this.

Note: If you are using the SAN attributes of certificates, clients that connect to the TS Gateway server must be running Remote Desktop Connection (RDC) 6.1. (RDC 6.1 [6.0.6001] supports Remote Desktop Protocol 6.1.) RDC 6.1 is included with Windows Server 2008, Windows Vista SP1, and Windows XP SP3.

The certificate is a computer certificate.

The intended purpose of the certificate is server authentication. The enhanced key usage is Server Authentication (1.3.6.1.5.5.7.3.1).

The certificate has a corresponding private key.

The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.

A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the certificate that you plan to use contains an object identifier of 2.5.29.15, you can only use the certificate if at least one of the following key usage values is also set: CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE, and CERT_DATA_ENCIPHERMENT_KEY_USAGE. For more information about these values, see Advanced Certificate Enrollment and Management (http://go.microsoft.com/fwlink/?LinkID=74577).

The certificate must be trusted on clients. That is, the public certificate of the CA that signed the TS Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.
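The requirements above can be checked from PowerShell on the TS Gateway server before you map a certificate. The following is an added example and not part of the guide: it inspects every certificate in the local computer's Personal store (the computer certificate store) and reports which requirement each one fails, covering the subject CN, wildcard names and SAN DNS names as the text describes, the Server Authentication EKU, the private key, the validity period, the optional Key Usage constraint, and trust. The name tsgateway.example.com is a placeholder for the DNS name that clients use to reach the gateway. The chain check runs against this server's own trusted root store, so it is only a proxy for the client-side requirement; clients still need the issuing CA's certificate in their Trusted Root Certification Authorities store.

```powershell
# Added example, not from the guide: check computer certificates in Cert:\LocalMachine\My
# against the TS Gateway certificate requirements. $GatewayDnsName is a placeholder.
$GatewayDnsName = "tsgateway.example.com"  # assumed: the DNS name clients connect to
$ServerAuthOid  = "1.3.6.1.5.5.7.3.1"       # Enhanced Key Usage: Server Authentication
$EkuOid         = "2.5.29.37"               # Enhanced Key Usage extension
$KeyUsageOid    = "2.5.29.15"               # Key Usage extension (optional, but constrained)
$SanOid         = "2.5.29.17"               # Subject Alternative Name extension

function Get-CertificateDnsNames($Cert) {
    # Subject CN plus every "DNS Name=" entry of the SAN extension.
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',')) {
            if ($entry.Trim() -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return ,$names
}

function Test-DnsNameMatch([string[]]$Names, [string]$DnsName) {
    foreach ($n in $Names) {
        if ($n -eq $DnsName) { return $true }
        # Wildcard certificate: *.example.com covers exactly one label left of the suffix.
        if ($n.StartsWith("*.")) {
            $suffix = $n.Substring(1)
            $left = $DnsName.Length - $suffix.Length
            if (($left -gt 0) -and $DnsName.EndsWith($suffix) -and ($DnsName.Substring(0, $left) -notmatch '\.')) { return $true }
        }
    }
    return $false
}

function Test-TsGatewayCertificate($Cert, [string]$DnsName) {
    $findings = @()
    if (-not (Test-DnsNameMatch (Get-CertificateDnsNames $Cert) $DnsName)) {
        $findings += "subject CN / SAN does not match $DnsName"
    }
    # Intended purpose: the EKU must include Server Authentication.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    $serverAuth = $false
    if ($eku) {
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($oid.Value -eq $ServerAuthOid) { $serverAuth = $true }
        }
    }
    if (-not $serverAuth) { $findings += "no Server Authentication EKU ($ServerAuthOid)" }
    if (-not $Cert.HasPrivateKey) { $findings += "no corresponding private key" }
    if ($Cert.NotAfter -le (Get-Date)) {
        $findings += "expired on $($Cert.NotAfter)"
    } elseif ($Cert.NotAfter -lt (Get-Date).AddYears(1)) {
        $findings += "warning: expires $($Cert.NotAfter); one year of validity is recommended"
    }
    # Key Usage is optional, but if present it must allow at least one of these usages.
    $ku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $KeyUsageOid }
    if ($ku -and ($ku.KeyUsages.ToString() -notmatch 'KeyEncipherment|KeyAgreement|DataEncipherment')) {
        $findings += "Key Usage (2.5.29.15) present but lacks KeyEncipherment, KeyAgreement and DataEncipherment"
    }
    # Trust: the chain must build to a trusted root on this computer. Revocation is
    # skipped here so the result reflects trust only; clients need the same root too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        $findings += "chain does not build to a trusted root on this computer ($status)"
    }
    return ,$findings
}

foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My)) {
    $findings = @(Test-TsGatewayCertificate $cert $GatewayDnsName)
    $errors   = @($findings | Where-Object { $_ -notmatch '^warning:' })
    $verdict  = if ($errors.Count -eq 0) { "OK     " } else { "REJECT " }
    "$verdict $($cert.Thumbprint)  $($cert.Subject)"
    $findings | ForEach-Object { "        - $_" }
}
```

A certificate reported as OK is one the Add Roles Wizard and TS Gateway Manager will list for mapping; the one-year validity entry is reported as a warning rather than a rejection because the guide states it as a recommendation, not a requirement.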

Using existing certificates

If you already have a certificate, you can reuse it for the TS Gateway server if the certificate:

Is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program, as listed in article 931125 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547); and

Meets the certificate requirements for the TS Gateway server.

If the certificate is not trusted through the Microsoft Root Certificate Program Members program (for example, if you create and install a self-signed certificate on the TS Gateway server and you do not manually configure the Terminal Services client computer to trust the certificate), a warning appears when the client attempts to connect through the TS Gateway server, stating that you do not have a trusted certificate, and the connection will not succeed. To prevent this error from occurring, install the certificate in the computer certificate store on the client computer before the client attempts to connect through the TS Gateway server.

Certificate installation and configuration process overview

The process of obtaining, installing, and configuring a certificate for the TS Gateway server involves the following steps.

1. Obtain a certificate

Obtain a certificate for the TS Gateway server by doing one of the following:

If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates that meet TS Gateway requirements, you can generate and submit a certificate request in several ways, depending on the policies and configuration of your organization's CA. Methods for obtaining a certificate include:

Initiating auto-enrollment from the Certificates snap-in.
Requesting certificates by using the Certificate Request Wizard.
Requesting a certificate over the Web.

Notes: If you have a Windows Server 2003 CA, be aware that the Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX® control that is named Xenroll. This ActiveX control is available in Microsoft Windows 2000, Windows Server 2003, and Windows XP. However, Xenroll has been deprecated in Windows Server 2008 and Windows Vista. The sample certificate enrollment Web pages that are included with the original release version of Windows Server 2003, Windows Server 2003 Service Pack 1 (SP1), and Windows Server 2003 Service Pack 2 (SP2) are not designed to handle the change in how Windows Server 2008 and Windows Vista perform Web-based certificate enrollment operations.

For information about the steps that you can take to address this issue, see article 922706 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=94472).

Using the Certreq command-line tool.

For more information about using any of these methods to obtain certificates for Windows Server 2008, see the "Obtain a Certificate" topic in the Certificates snap-in Help and the "Certreq" topic in the Windows Server 2008 Command Reference. To review the Certificates snap-in Help topics, click Start, click Run, type hh certmgr.chm, and then click OK. For information about how to request certificates for Windows Server 2003, see Requesting Certificates (http://go.microsoft.com/fwlink/?LinkID=19638).

A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA that participates in the Microsoft Root Certification Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547). Otherwise, users connecting from home computers or kiosks might not be able to connect to TS Gateway servers. These connections might fail because the enterprise CA-issued root might not be trusted by computers that are not members of domains, such as home computers or kiosks.

If your company does not maintain a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates, you can purchase a certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547). Some of these vendors might offer certificates at no cost on a trial basis.

Alternatively, if your company does not maintain a stand-alone or enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes. For step-by-step instructions, see Create a Self-Signed Certificate for the TS Gateway Server.

In the example configurations described in this guide, a self-signed certificate is used.

Important: If you use either of the first two methods to obtain a certificate (that is, if you obtain a certificate from a stand-alone or enterprise CA or a trusted public CA), you must also install the certificate on the TS Gateway server and map the certificate. However, if you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation (as described in Create a Self-Signed Certificate for the TS Gateway Server), you do not need to install or map the certificate to the TS Gateway server. In this case, the certificate is automatically created, installed in the correct location on the TS Gateway server, and mapped to the TS Gateway server.

Terminal Services clients must have the certificate of the CA that issued the server certificate in their Trusted Root Certification Authorities store. Therefore, if you create a self-signed certificate by following the procedure in this guide, you must copy the certificate to the client computer (or to a network share that can be accessed from the client computer) and then install the certificate in the Trusted Root Certification Authorities store on the client computer. For step-by-step instructions, see Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional).

If you use one of the first two methods to obtain a certificate and the Terminal Services client computer trusts the issuing CA, you do not need to install the certificate of the CA that issued the server certificate in the client computer certificate store. For example, you do not need to install the certificate of the issuing CA in the client computer certificate store if a VeriSign or other public, trusted CA certificate is installed on the TS Gateway server.

If you use the third method to obtain a certificate (that is, if you create a self-signed certificate), you do need to copy the certificate of the CA that issued the server certificate to the client computer. Then, you must install that certificate in the Trusted Root Certification Authorities store on the client computer. For more information, see Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional).

2. Install the certificate

Install a Certificate on the TS Gateway Server. Use this procedure, described later in this guide, to install the certificate on your TS Gateway server.

3. Map the certificate

Map the TS Gateway Certificate. This procedure, described later in this guide, allows you to specify that the existing certificate be used by the TS Gateway server.

Create a Self-Signed Certificate for the TS Gateway Server

This procedure describes how to use TS Gateway Manager to create a self-signed certificate for technical evaluation and testing purposes, if you did not already create one by using the Add Roles Wizard when you installed the TS Gateway role service.

Note: We recommend that you use self-signed certificates only for testing and evaluation purposes. After you create the self-signed certificate, you must copy it to the client computer (or to a network share that can be accessed from the client computer), and then install it in the Trusted Root Certification Authorities store on the client computer.

Important: If you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation (as described in this procedure), you do not need to install or map the certificate to the TS Gateway server.

Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To create a self-signed certificate for the TS Gateway server

1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.

2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.

3. In the results pane, under Configuration Status, click View or modify certificate properties.

4. On the SSL Certificate tab, click Create a self-signed certificate for SSL encryption, and then click Create Certificate.

5. In the Create Self-Signed Certificate dialog box, do the following:

a. Under Certificate name, verify that the correct common name (CN) is specified for the self-signed certificate, or specify a new name. The CN must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates.
b. Under Certificate location, to store the root certificate in a specified location so that you can manually distribute the root certificate to clients, verify that the Store the root certificate check box is selected, and then specify where to store the certificate. By default, this check box is selected and the certificate is stored under the %Windir%\Users\<Username>\Documents folder.
c. Click OK.

6. If you selected the Store the root certificate check box and specified a location for the certificate, a message will appear stating that TS Gateway has successfully created the self-signed certificate, and confirming the location of the stored certificate. Click OK to close the message.

7. Click OK again to close the TS Gateway server Properties dialog box.

Install a Certificate on the TS Gateway Server

After you obtain a certificate, use this procedure to install the certificate in the correct location on the TS Gateway server, if the certificate is not already installed. After you complete this procedure, you must Map the TS Gateway Certificate.

Note: This procedure is not required if you created a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation, as described in Create a Self-Signed Certificate for the TS Gateway Server. In either case, a certificate is automatically created, installed in the correct location on the TS Gateway server, and mapped to the TS Gateway server.

Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To install a certificate on the TS Gateway server

1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
   a. Click Start, click Run, type mmc, and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
   d. In the Certificates snap-in dialog box, click Computer account, and then click Next.
   e. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
   f. In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Personal.
3. Right-click the Personal folder, point to All Tasks, and then click Import.
4. On the Welcome to the Certificate Import Wizard page, click Next.
5. On the File to Import page, in the File name box, specify the name of the certificate that you want to import, and then click Next.
6. On the Password page, do the following:
   a. If you specified a password for the private key associated with the certificate earlier, type the password.
   b. If you want to mark the private key for the certificate as exportable, ensure that Mark this key as exportable is selected.
   c. If you want to include all extended properties for the certificate, ensure that Include all extended properties is selected.
   d. Click Next.
7. On the Certificate Store page, accept the default option, and then click Next.
8. On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected.
9. Click Finish.
10. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
11. With Certificates selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the TS Gateway server. The certificate must be under the Personal store of the local computer.

Map the TS Gateway Certificate

You must use TS Gateway Manager to map the TS Gateway server certificate. If you map a TS Gateway server certificate by using any other method, TS Gateway will not function correctly.

Note
This procedure is not required if you created a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation, as described in Create a Self-Signed Certificate for the TS Gateway Server.

Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To map a certificate to the local TS Gateway server

1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties.
3. On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), and then click Browse Certificates.
4. In the Install Certificate dialog box, click the certificate that you want to use, and then click Install.
5. Click OK to close the Properties dialog box for the TS Gateway server.
6. If this is the first time that you have mapped the TS Gateway certificate, after the certificate mapping is completed, you can verify that the mapping was successful by viewing the TS Gateway Server Status area in TS Gateway Manager. Under Configuration Status and Configuration Tasks, the warning stating that a server certificate is not yet installed or selected and the View or modify certificate properties hyperlink are no longer displayed.

View or Modify Certificate Properties

Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To view or modify certificate properties

1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. Right-click the local TS Gateway server, and then click Properties.
4. On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), click Browse Certificates, and then do one of the following in the Install Certificate dialog box:
   • To map a different certificate to the TS Gateway server, select the certificate that you want this TS Gateway server to use, and then click Install. On the SSL Certificates tab, review the Issued to, Issued by, and Expiration date fields to verify that the correct certificate is mapped to the TS Gateway server.
   • To view the properties for a certificate that is installed on the TS Gateway server, select the certificate that you want to view, and then click View Certificate. In the Certificate dialog box, review the certificate properties, click OK to close the Certificate dialog box, and then click Cancel to close the Install Certificate dialog box.
5. Click OK to close the TS Gateway server Properties dialog box.

Creating a Terminal Services Connection Authorization Policy

This procedure describes how to use TS Gateway Manager to create a custom Terminal Services connection authorization policy (TS CAP) for TS Gateway. Alternatively, you can use the Authorization Policies Wizard to create a TS CAP.

Important
If you configure more than one TS CAP, TS Gateway uses the following policy lookup behavior: Policies are applied in the numerical order that appears in the TS Gateway Manager results pane, and access to the TS Gateway server is granted by the first matching policy. That is, if a client does not meet the requirements of the first TS CAP in the list, TS Gateway evaluates the second policy in the list, and so on, until it locates a TS CAP whose requirements are met. If a client does not meet the requirements of any TS CAP in the list, TS Gateway denies access to the client.

To create a TS CAP for the TS Gateway server

1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the console tree, click to select the node that represents the TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. In the console tree, expand Policies, and then click Connection Authorization Policies.
4. Right-click the Connection Authorization Policies folder, click Create New Policy, and then click Custom.
5. On the General tab, type a name for the policy, and then verify that the Enable this policy check box is selected.
6. On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes:
   • Password
   • Smart card
   When both of these options are selected, clients that use either authentication method are allowed to connect.
7. Under User group membership (required), click Add Group, and then specify a user group whose members can connect to the TS Gateway server. You must specify at least one user group.
8. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following:
   • Type the name of each user group, separating the name of each group with a semicolon.
   • Add additional groups from different domains by repeating this step for each group.
9. To specify computer domain membership criteria that client computers should meet (optional), on the Requirements tab, under Client computer group membership (optional), click Add Group, and then specify the computer groups. In the example configurations, no computer group is specified. To specify computer groups, you can use the same steps that you used to specify user groups.
10. On the Device Redirection tab, select one of the following options to enable or disable redirection for remote client devices:
   • To permit all client devices to be redirected when connecting through the TS Gateway server, click Enable device redirection for all client devices. By default, this option is selected.
   • To disable device redirection for all client devices except for smart cards when connecting through the TS Gateway server, click Disable device redirection for all client devices except for smart card.
   • To disable device redirection for only certain device types when connecting through the TS Gateway server, click Disable device redirection for the following client device types, and then select the check boxes that correspond to the client device types for which device redirection should be disabled.
   Important
   Device redirection settings can be enforced only for Microsoft Remote Desktop Connection (RDC) clients.
11. Click OK.
12. The new TS CAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS CAP, the policy details appear in the lower pane.

Creating a Terminal Services Resource Authorization Policy

This procedure describes how to use TS Gateway Manager to create a custom Terminal Services resource authorization policy (TS RAP) for TS Gateway, and to specify computers that users can connect to through the TS Gateway server. Alternatively, you can use the Authorization Policies Wizard to complete these tasks.

Important
If users are connecting to members of a terminal server farm, you must configure a TS RAP that explicitly specifies the name of the terminal server farm. To do so, when you create the TS RAP, on the Computer Group tab, click the Select existing TS Gateway-managed computer group or create a new one option, and then specify the name of the terminal server farm. If the name of the terminal server farm is not specified, users will not be able to connect to members of the farm.
For optimal security and ease of administration, to specify the terminal servers that are members of the farm, create a second TS RAP. On the Computer Group tab, click the Select an Active Directory security group option, and then specify the security group that contains the terminal servers in the farm. Doing this optimizes security by ensuring that the members of the farm are trusted members of an Active Directory security group.

To create a TS RAP and specify computers that users can connect to through the TS Gateway server

1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. In the console tree, expand Policies, and then click Resource Authorization Policies.
4. Right-click the Resource Authorization Policies folder, click Create New Policy, and then click Custom.
5. On the General tab, in the Policy name box, enter a name that is no longer than 64 characters.
6. In the Description box, enter a description for the new TS RAP.
7. On the User Groups tab, click Add to select the user groups to which you want this TS RAP to apply.
8. In the Select Groups dialog box, specify the user group location and name, and then click OK. To specify more than one user group, do either of the following:
   • Type the name of each user group, separating the name of each group with a semicolon.
   • Add additional groups from different domains by repeating Step 7 for each group.
9. On the Computer Group tab, specify the computer group that users can connect to through TS Gateway by doing one of the following:
   • To specify an existing security group, click Select an existing Active Directory security group, and then click Browse. In the Select Group dialog box, specify the user group location and name, and then click OK. Note that you can select a security group in Local Users and Groups rather than in Active Directory Domain Services.
   • To specify a TS Gateway-managed computer group, click Select an existing TS Gateway-managed computer group or create a new one, and then click Browse. In the Select a TS Gateway-managed Computer Group dialog box, do one of the following:
     • Select an existing TS Gateway-managed computer group by clicking the name of the computer group that you want to use, and then click OK to close the dialog box.
     • Create a new TS Gateway-managed computer group by clicking Create New Group. On the General tab, type a name and description for the new group. On the Network Resources tab, type the name or IP address of the computer or Terminal Services farm that you want to add, and then click Add. Repeat this step as needed to specify additional computers, and then click OK to close the New TS Gateway-Managed Computer Group dialog box. In the Select a TS Gateway-managed Computer Group dialog box, click the name of the new computer group, and then click OK to close the dialog box.
   Important
   When you add an internal network computer to the list of TS Gateway-managed computers, if you want to allow remote users to connect to the computer by specifying either its computer name or its IP address, you must add the computer to the computer group twice (by specifying the computer name of the computer and adding it to the computer group, and then specifying the IP address of the computer and adding it to the computer group again). If you specify only an IP address for a computer when you add it to a computer group, users must also specify the IP address of that computer when they connect to that computer through TS Gateway.
   To ensure that remote users connect to the internal network computers that you intend, we recommend that you do not specify IP addresses for the computers if the computers are not configured to use static IP addresses. For example, you should not specify IP addresses if your organization uses DHCP to dynamically reconfigure IP addresses for the computers.
   • To specify any network resource, click Allow users to connect to any network resource, and then click OK.
10. After you specify a computer group, the new TS RAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS RAP, the policy details appear in the lower pane.
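How the first-match TS CAP lookup described under Creating a Terminal Services Connection Authorization Policy combines with the TS RAP computer-group check in step 9 above, as an added Python model; it is not part of this guide or of TS Gateway, and the policy names, groups, computer names and addresses are constructed for the example.

```python
"""Model of the TS Gateway authorization order stated in this guide:
TS CAPs are tried in the numerical order shown in the results pane and
the first CAP whose requirements are all met admits the client; a TS RAP
must then allow the computer the client asked for.  Added illustration,
not Microsoft code; all policies and requests below are constructed."""

from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class ConnectionRequest:
    user_groups: FrozenSet[str]      # groups of the authenticated user
    auth_method: str                 # "password" or "smartcard"
    computer_groups: FrozenSet[str]  # groups of the client computer
    target: str                      # name or IP address typed into RDC


@dataclass(frozen=True)
class TSCAP:
    name: str
    enabled: bool
    auth_methods: FrozenSet[str]     # Password and/or Smart card check boxes
    user_groups: FrozenSet[str]      # User group membership (required)
    computer_groups: FrozenSet[str] = frozenset()  # optional criteria

    def matches(self, req: ConnectionRequest) -> bool:
        if not self.enabled or req.auth_method not in self.auth_methods:
            return False
        if not (req.user_groups & self.user_groups):
            return False
        # Client computer group membership is checked only when the CAP
        # specifies one; the example configurations leave it empty.
        if self.computer_groups and not (req.computer_groups & self.computer_groups):
            return False
        return True


@dataclass(frozen=True)
class TSRAP:
    name: str
    user_groups: FrozenSet[str]
    # Names/IP addresses in a TS Gateway-managed computer group, or None
    # for "Allow users to connect to any network resource".
    resources: Optional[FrozenSet[str]]

    def allows(self, req: ConnectionRequest) -> bool:
        if not (req.user_groups & self.user_groups):
            return False
        if self.resources is None:
            return True
        # Exact match only: a computer added by name is not reachable by
        # its IP address, which is why the guide says to add it twice.
        return req.target.lower() in {r.lower() for r in self.resources}


def first_matching_cap(caps: Tuple[TSCAP, ...], req: ConnectionRequest) -> Optional[TSCAP]:
    """Policy lookup: walk the CAPs in order, stop at the first match."""
    for cap in caps:
        if cap.matches(req):
            return cap
    return None


def authorize(caps: Tuple[TSCAP, ...], raps: Tuple[TSRAP, ...],
              req: ConnectionRequest) -> Tuple[bool, str]:
    """Gateway decision: a CAP must admit the client, then a RAP must allow the target."""
    cap = first_matching_cap(caps, req)
    if cap is None:
        return False, "denied: no TS CAP matched"
    for rap in raps:
        if rap.allows(req):
            return True, f"allowed by {cap.name} and {rap.name}"
    return False, f"denied: {cap.name} admitted the user but no TS RAP allows {req.target!r}"


# Constructed sample policies, listed in results-pane order.
REMOTE_USERS = frozenset({"CONTOSO\\RemoteUsers"})
CAPS = (
    TSCAP("Legacy password access", False, frozenset({"password"}), REMOTE_USERS),
    TSCAP("Smart card users", True, frozenset({"smartcard"}), REMOTE_USERS),
    TSCAP("Password from managed PCs", True, frozenset({"password"}), REMOTE_USERS,
          frozenset({"CONTOSO\\ManagedLaptops"})),
)
RAPS = (TSRAP("Farm access", REMOTE_USERS, frozenset({"TSFARM01", "10.0.0.20"})),)

# Constructed sample requests.
SMARTCARD_REQ = ConnectionRequest(REMOTE_USERS, "smartcard", frozenset(), "tsfarm01")
MANAGED_PASSWORD_REQ = ConnectionRequest(REMOTE_USERS, "password",
                                         frozenset({"CONTOSO\\ManagedLaptops"}), "TSFARM01")
UNMANAGED_PASSWORD_REQ = ConnectionRequest(REMOTE_USERS, "password", frozenset(), "TSFARM01")
WRONG_TARGET_REQ = ConnectionRequest(REMOTE_USERS, "smartcard", frozenset(), "10.0.0.21")

if __name__ == "__main__":
    for req in (SMARTCARD_REQ, MANAGED_PASSWORD_REQ, UNMANAGED_PASSWORD_REQ, WRONG_TARGET_REQ):
        print(req.auth_method, req.target, "->", authorize(CAPS, RAPS, req))
```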

Configuring the Terminal Services Client for TS Gateway

This section provides procedures for configuring your Terminal Services client computers to connect to internal network resources through TS Gateway. It includes the following topics:
• Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional)
• Configure Remote Desktop Connection Settings
• Verify Connectivity Through TS Gateway

Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional)

The client computer must verify and trust the identity of the TS Gateway server before the client can send the user's password and logon credentials securely and complete the authentication process. To establish this trust, the clients must trust the root certificate of the server. That is, clients must have the certificate of the certification authority (CA) that issued the server certificate in their Trusted Root Certification Authorities store. You can view this store by using the Certificates snap-in.

This procedure is not required if:
• A certificate that is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program is installed on the TS Gateway server; for a list of trusted public CAs, see article 931125 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547); and
• The Terminal Services client computer already trusts the CA that issued the certificate.

If the TS Gateway server is using a certificate that is issued by one of the trusted public CAs, and the certificate is recognized and trusted by your client computer, proceed to complete the steps in the Configure remote desktop connection settings section.

Important
Do not install certificates from any untrusted sources or individuals.

Note
If you are configuring the Terminal Services client for use with Network Access Protection (NAP), you must install the TS Gateway server root certificate by using the computer account. If not, you can install the TS Gateway server root certificate by using the user account.

Before you complete the steps in the following procedure, you must have already copied the certificate to the client computer. For example, if you created a self-signed certificate for the TS Gateway server by using TS Gateway Manager, you must have already copied that certificate from the TS Gateway server to the client computer.

To install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client

1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following:
   a. Click Start, click Run, type mmc, and then click OK.
   b. On the File menu, click Add/Remove Snap-in.
   c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add.
   d. In the Certificates snap-in dialog box, to open the snap-in for a computer account, click Computer account, and then click Next. To open the snap-in for a user account, click My user account, and then click Finish.
   e. If you opened the Certificates snap-in for a computer account, in the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
   f. In the Add or Remove snap-ins dialog box, click OK.
2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import.
3. On the Welcome to the Certificate Import Wizard page, click Next.
4. On the File to Import page, in the File name box, browse to the TS Gateway server root certificate, click Open, and then click Next.
5. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next.
6. On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear:
   • Certificate Store Selected by User: Trusted Root Certification Authorities
   • Content: Certificate
   • File Name: FilePath\<Root_Certificate_Name.cer>, where <Root_Certificate_Name> is the name of the TS Gateway server root certificate.
7. Click Finish.
8. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK.
9. With Certificates selected in the console tree, in the details pane, verify that the root certificate of the TS Gateway server appears in the list of certificates on the client. Ensure that the certificate appears under the Trusted Root Certification Authorities store.

Configure Remote Desktop Connection Settings

Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure Remote Desktop Connection settings for TS Gateway

1. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.
3. On the Advanced tab, in the Connect from anywhere area, click Settings.
4. In the TS Gateway Server Settings dialog box, select the appropriate options:
   • Automatically detect TS Gateway server settings (default). If you select this option, the Terminal Services client attempts to use Group Policy settings that determine the behavior of client connections to TS Gateway servers or TS Gateway server farms, if these settings have been configured and enabled. For more information, see the "Using Group Policy to Manage Client Connections Through TS Gateway" topic in the TS Gateway Help.
   • Use these TS Gateway server settings. If a TS Gateway server name or TS Gateway server farm name and a logon method are not already enabled and enforced by Group Policy, you can select this option and specify the name of the TS Gateway server or TS Gateway server farm that you want to connect to and the logon method to use for the connection. The name that you specify for the server must match the name in the Issued to field of the TS Gateway server certificate. If you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation, specify the fully qualified domain name (FQDN) of the TS Gateway server.
   • Bypass TS Gateway server for local addresses. This option is selected by default. If you want the Terminal Services client to automatically detect when TS Gateway is required, select this check box. If you use a mobile computer, selecting this option will optimize client connectivity performance and minimize latency because TS Gateway will only be used when it is required. If your computer is always connected to the local area network (LAN) or if it is hosted inside the internal network firewall, TS Gateway will not be used. If you are outside the internal network and connecting to the internal network over the Internet, TS Gateway will be used. If you are in a LAN, but want to test connectivity through a TS Gateway server or TS Gateway server farm, clear this check box. Otherwise, the client will not connect through the TS Gateway server or TS Gateway server farm in this case.
   • Do not use a TS Gateway server. Select this option if your computer is always connected to the LAN or if it is hosted inside the internal network firewall. This option is appropriate if you know that you do not need to use TS Gateway to traverse a firewall.
5. Do one of the following:
   • To save the settings and close the Remote Desktop Connection dialog box, click Save, and then click Cancel. The settings will be saved as an RDP file to a default location (by default, the file is saved to Drive:\<Username>\Documents).
   • To save the RDP file to a specified location (you can customize and distribute the file later to multiple clients as needed), click Save As. In the Save as dialog box, in the File name box, specify the file name and location, and then click Save.
   • To proceed with a connection to an internal network resource, click Save, click Connect, and then proceed to Step 5 in the next procedure ("Verify that end-to-end connectivity through TS Gateway is functioning correctly").
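The name rule in step 4 above (the name typed on the client must match the Issued to name of the gateway certificate), together with the server-side rule from creating a self-signed certificate (the CN must match the client-facing DNS name unless a wildcard or SAN entry covers it), as an added Python check that is not part of this guide or of any Microsoft tool; it does not parse real certificates, the CN and SAN names are passed in as strings, and the host names are constructed.

```python
"""Check whether the TS Gateway name a Remote Desktop client will type is
covered by the gateway certificate.  Added illustration of the matching
rule this guide states; it is not Microsoft code and takes the Issued to
(CN) and SAN DNS names as plain strings instead of reading a certificate."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class GatewayCert:
    """The fields the guide tells you to review on the SSL Certificate tab:
    Issued to (subject CN), SAN DNS names, and time left before expiration."""
    subject_cn: str
    san_dns_names: Tuple[str, ...] = ()
    days_until_expiry: int = 365


def _name_matches(pattern: str, name: str) -> bool:
    """Match one certificate name against the name the client uses.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard
    is honoured only as the whole left-most label ("*.contoso.com") and it
    covers exactly one label: "*.contoso.com" covers "tsg.contoso.com" but
    neither "rdp.emea.contoso.com" nor the bare "contoso.com".
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]


def certificate_name_matches(client_name: str, cert: GatewayCert) -> bool:
    """True when either the CN or any SAN DNS name covers client_name,
    which is the "unless wildcard or SAN" rule in the guide."""
    candidates = (cert.subject_cn,) + tuple(cert.san_dns_names)
    return any(_name_matches(c, client_name) for c in candidates)


def check_gateway_certificate(client_name: str, cert: GatewayCert) -> List[str]:
    """Return the findings to clear before mapping the certificate; an empty
    list means the client-facing name and validity period look right."""
    findings = []
    if not certificate_name_matches(client_name, cert):
        covered = (cert.subject_cn,) + tuple(cert.san_dns_names)
        findings.append(f"name mismatch: clients will connect to {client_name!r} "
                        f"but the certificate covers {covered}")
    if cert.days_until_expiry <= 0:
        findings.append("certificate has expired")
    elif cert.days_until_expiry < 30:
        findings.append(f"certificate expires in {cert.days_until_expiry} days")
    return findings


if __name__ == "__main__":
    # Constructed examples: a NetBIOS-named self-signed certificate does not
    # cover the FQDN that clients type, as the guide warns.
    print(check_gateway_certificate("tsg01.contoso.com", GatewayCert("TSG01")))
    print(check_gateway_certificate("tsg01.contoso.com", GatewayCert("tsg01.contoso.com")))
```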

Verify Connectivity Through TS Gateway

Use the following procedure to verify the functionality of the TS Gateway deployment.

To verify the functionality of the TS Gateway deployment

1. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.
3. On the General tab, type the name of the computer (terminal server or computer running Remote Desktop) to which you want to connect remotely through TS Gateway.
4. Click Connect.
5. In the Enter your credentials dialog box, select the user account that you want to use to log on remotely to the computer, enter the required credentials, and then click OK.
6. In the Gateway server credentials dialog box, select the user name that you want to use to log on to the TS Gateway server, enter the required credentials, and then click OK.
7. After a few moments, the connection completes and a connection will be established through the TS Gateway server to the computer.

Limiting the Maximum Number of Simultaneous Connections Through TS Gateway

By default, with the exception of TS Gateway servers that are running the Windows Server 2008 Standard operating system, no limit is set for the number of simultaneous connections that clients can make to internal network resources through a TS Gateway server. To optimize TS Gateway server performance or to ensure compliance with the connection and security policies of your organization, you can set a limit for the number of simultaneous connections that clients can make to network resources through a TS Gateway server.

Note
For TS Gateway servers that are running Windows Server 2008 Standard, a maximum of 250 simultaneous connections is supported.

To limit the maximum number of allowable connections for TS Gateway

1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager.
2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running.
3. In the console tree, expand Monitoring.
4. With the Monitoring folder selected, right-click the Monitoring folder, and then click Edit Connection Limit.
5. On the General tab, under Maximum Connections, do one of the following:
   • To set a limit for the maximum number of simultaneous connections that Terminal Services clients can make to internal network resources through TS Gateway, click Limit maximum allowed simultaneous connections to, and then specify the number of allowable connections.
   • To set no limit on the number of allowable connections between clients and internal network resources through TS Gateway, click Allow the maximum supported simultaneous connections. This is the default option. For TS Gateway servers that are running Windows Server 2008 Standard, a maximum of 250 simultaneous connections is supported.
   • To prevent new connections from being made between clients and internal network resources through TS Gateway, click Disable new connections. If you select this option, only new connection attempts will be rejected. Current connections will not be ended by TS Gateway.
6. Click OK.

Using Group Policy to Manage Client Connections Through TS Gateway

You can use Group Policy and Active Directory Domain Services to centralize and simplify the

administration of TS Gateway Group Policy settings. You use the Local Group Policy Editor to

configure these policy settings, which are contained within Group Policy objects (GPOs). You use

the Group Policy Management Console (GPMC) to link GPOs to sites, domains, or organizational

units (OUs) in Active Directory Domain Services.

The Local Group Policy Editor operates as an extension to the GPMC. When you edit a GPO

from within the GPMC, the Local Group Policy Editor appears, displaying the policy settings for

that particular GPO. You must have editing rights on a GPO to open it in the Local Group Policy

Editor.

The Default Domain Policy GPO and Default Domain Controllers Policy GPO are vital to

the health of any domain. As a best practice, you should not edit the Default Domain

Controllers Policy GPO or the Default Domain Policy GPO, except in the following cases:

If it is required that account policy settings be configured in the Default Domain GPO.

If you install applications on domain controllers that require modifications to the User Rights

or Audit policy settings, you must modify the policy settings in the Default Domain Controllers

Policy GPO.

Group Policy settings for Terminal Services client connections through TS Gateway can be

applied in one of two ways. These policy settings can be suggested (that is, they can be enabled,

but not enforced), or they can be enabled and enforced.

Important

91

Page 92: TEST Terminal Services Deployment Guide

To suggest a policy setting for TS Gateway, enable the policy setting in Group Policy, but do not

clear the Allow users to change this setting check box. Doing this allows users on the client to

enter alternate TS Gateway connection settings. To specify alternate policy settings, users select

the Use these TS Gateway server settings option in the TS Gateway Server Settings dialog

box on the client, and then specify the alternate TS Gateway connection settings.

To enforce a policy setting for TS Gateway, enable the policy setting in Group Policy and clear the

Allow users to change this setting check box. When you do this, users cannot change the

TS Gateway connection setting, even if they select the Use these TS Gateway server settings

option on the client. For information about how to configure Terminal Services client settings, see

Configuring the Terminal Services Client for TS Gateway.

This section provides procedures for using Group Policy to manage Terminal Services client connections to the network through TS Gateway. It includes the following topics:

Set the TS Gateway Server Authentication Method

Enable Connections Through TS Gateway

Set the TS Gateway Server Address

Set the TS Gateway Server Authentication Method

The following procedure describes how to use the Group Policy Management Console (GPMC) to set an authentication method for Terminal Services clients that connect to internal network resources through a TS Gateway server.

Note

To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.

To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy Creator Owners group, or have been delegated the appropriate authority over Group Policy.

To set the TS Gateway server authentication method

1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the left pane, locate the OU that you want to edit.

3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.

4. To create a new GPO, follow these steps:

a. Right-click the OU, and then click Create a GPO in this domain, and link it here.

b. In the Name box, type a name for the GPO, and then click OK.

c. In the left pane, locate and click the new GPO.

5. In the right pane, click the Settings tab.

6. Right-click User Configuration, and then click Edit.

7. In the left pane, under User Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, and then click TS Gateway.

8. In the right pane, in the settings list, right-click Set TS Gateway authentication method, and then click Properties.

9. On the Setting tab, do one of the following:

Click Not Configured. The authentication method that is specified by the user is used. If an authentication method is not specified, the NTLM protocol that is enabled on the client or a smart card can be used for authentication.

Click Enabled, and then select the authentication method. By default, the Allow users to change this setting check box is selected, meaning that the authentication method setting is suggested, and that users on the client can specify an alternate authentication method. To enforce the authentication method, clear this check box. For information about supported Windows authentication methods for TS Gateway, see Understanding Requirements for Connecting to a TS Gateway Server.

Click Disabled. The authentication method that is specified by the user is used. If an authentication method is not specified, the NTLM protocol that is enabled on the client or a smart card can be used for authentication.

10. Click OK.

Note

To configure TS Gateway Group Policy settings by using the local computer policy, use the Local Group Policy Editor. To start the Local Group Policy Editor, click Start, click Run, type gpedit.msc, and then click OK. To configure local Group Policy settings, you must be a member of the Administrators group on the local computer or you must have been delegated the appropriate authority.

Enable Connections Through TS Gateway

The following procedure describes how to use the Group Policy Management Console (GPMC) to enable connections through TS Gateway. When this policy setting is enabled, and when Terminal Services clients cannot connect directly to an internal network resource, the clients will attempt to connect to the computer through the TS Gateway server that is specified in the Set TS Gateway server address policy setting.

Note

To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.

To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy Creator Owners group, or have been delegated the appropriate authority over Group Policy.

To enable connections through TS Gateway

1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the left pane, locate the OU that you want to edit.

3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.

4. To create a new GPO, follow these steps:

a. Right-click the OU, and then click Create a GPO in this domain, and link it here.

b. In the Name box, type a name for the GPO, and then click OK.

c. In the left pane, locate and click the new GPO.

5. In the right pane, click the Settings tab.

6. Right-click User Configuration, and then click Edit.

7. In the left pane, under User Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, and then click TS Gateway.

8. In the right pane, in the settings list, right-click Enable connection through TS Gateway, and then click Properties.

9. On the Settings tab, do one of the following:

Click Not Configured. Terminal Services clients will not use the TS Gateway server address that is specified in the Set TS Gateway server address policy setting. If a TS Gateway server is specified by the user, a client connection attempt will be made through that TS Gateway server.

Click Enabled. When Terminal Services clients cannot connect directly to an internal network resource, the clients will attempt to connect to the internal network resource through the TS Gateway server that is specified in the Set TS Gateway server address policy setting.

Click Disabled. Terminal Services clients will not use the TS Gateway server address that is specified in the Set TS Gateway server address policy setting. If a TS Gateway server is specified by the user, a client connection attempt will be made through that TS Gateway server.

10. Click OK.

Note

To configure TS Gateway Group Policy settings by using the local computer policy, use the Local Group Policy Editor. To start the Local Group Policy Editor, click Start, click Run, type gpedit.msc, and then click OK. To configure local Group Policy settings, you must be a member of the Administrators group on the local computer or you must have been delegated the appropriate authority.

Set the TS Gateway Server Address

The following procedure describes how to use the Group Policy Management Console (GPMC) to specify the TS Gateway server that Terminal Services clients use when connecting to internal network resources through a TS Gateway server.

By default, Terminal Services clients automatically detect when TS Gateway is required.

Note

To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation.

To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy Creator Owners group, or have been delegated the appropriate authority over Group Policy.

To set the TS Gateway server address

1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the left pane, locate the OU that you want to edit.

3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO.

4. To create a new GPO, follow these steps:

a. Right-click the OU, and then click Create a GPO in this domain, and link it here.

b. In the Name box, type a name for the GPO, and then click OK.

c. In the left pane, locate and click the new GPO.

5. In the right pane, click the Settings tab.

6. Right-click User Configuration, and then click Edit.

7. In the left pane, under User Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, and then click TS Gateway.

8. In the right pane, in the list of policy settings, right-click Set TS Gateway server address, and then click Properties.

9. On the Settings tab, do one of the following:

Click Not Configured. Terminal Services clients automatically detect when TS Gateway is required. When a connection through TS Gateway is required, the TS Gateway server or the TS Gateway server farm specified by the user is used.

Click Enabled, and then specify a valid, fully qualified domain name (FQDN) of the TS Gateway server or TS Gateway server farm that clients are to use when connecting to internal network resources. The name must match the name that appears in the Secure Sockets Layer (SSL) certificate for the TS Gateway server. By default, the Allow users to change this setting check box is selected, meaning that this policy setting is suggested, and users can specify an alternate TS Gateway server or TS Gateway server farm. To enforce this policy setting so that users cannot specify an alternate TS Gateway server or TS Gateway server farm, clear this check box.

Click Disabled. Terminal Services clients automatically detect when TS Gateway is required.

Important

If you disable or do not configure this policy setting, but enable the Enable connections through TS Gateway policy setting, client connection attempts to any internal network resource will fail, if the client cannot connect directly to the internal network resource.

10. Click OK.

Note

To configure TS Gateway Group Policy settings by using the local computer policy, use the Local Group Policy Editor. To start the Local Group Policy Editor, click Start, click Run, type gpedit.msc, and then click OK. To configure local Group Policy settings, you must be a member of the Administrators group on the local computer or you must have been delegated the appropriate authority.
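The three policy settings above interact (suggested versus enforced values, the policy address being ignored unless connections through TS Gateway are enabled, and the Important note about enabling connections without a configured address), so here is a small Python model of the client-side behaviour the guide describes. This is an added example, not code from the guide or from Microsoft; the class and function names, the contoso.com host names and the "ntlm"/"smartcard" labels are my own constructions, and the model assumes the client only falls back to TS Gateway when it cannot reach the resource directly.

```python
"""Model of how the TS Gateway client Group Policy settings combine.

Added example; not code from the deployment guide or from Microsoft. It encodes
the behaviour the guide describes for the three policy settings and assumes the
client only falls back to TS Gateway when it cannot reach the resource directly.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    NOT_CONFIGURED = "Not Configured"
    ENABLED = "Enabled"
    DISABLED = "Disabled"


@dataclass
class PolicySetting:
    state: State = State.NOT_CONFIGURED
    value: Optional[str] = None       # gateway FQDN or authentication method name
    allow_user_change: bool = True    # the "Allow users to change this setting" check box

    def mode(self) -> str:
        """Suggested (user may override) or enforced, in the guide's terms."""
        if self.state is not State.ENABLED:
            return "n/a"
        return "suggested" if self.allow_user_change else "enforced"


@dataclass
class ClientSettings:
    """What the user entered under 'Use these TS Gateway server settings'."""
    gateway_host: Optional[str] = None
    auth_method: Optional[str] = None   # constructed labels, e.g. "ntlm" or "smartcard"


@dataclass
class Outcome:
    route: str                          # "direct", "gateway" or "fail"
    gateway_host: Optional[str] = None
    auth_method: Optional[str] = None
    reason: str = ""


def resolve_connection(auth_policy: PolicySetting, enable_policy: PolicySetting,
                       address_policy: PolicySetting, user: ClientSettings,
                       direct_reachable: bool) -> Outcome:
    """Decide how a client reaches an internal resource under the given policies."""
    if direct_reachable:
        return Outcome("direct", reason="resource reachable without TS Gateway")

    # Which TS Gateway server, if any, is used.
    if enable_policy.state is State.ENABLED:
        # The guide's Important note: connections enabled but no configured
        # address policy means the attempt fails when direct access is impossible.
        if address_policy.state is not State.ENABLED:
            return Outcome("fail", reason="Enable connection through TS Gateway is enabled, "
                           "but Set TS Gateway server address is disabled or not configured")
        host = address_policy.value
        if address_policy.allow_user_change and user.gateway_host:
            host = user.gateway_host          # suggested setting: the user's alternate wins
    else:
        # The policy address is not used; only a user-specified gateway is tried.
        host = user.gateway_host
        if not host:
            return Outcome("fail", reason="no TS Gateway server specified by policy or user")

    # Which authentication method is presented to the gateway.
    if auth_policy.state is State.ENABLED:
        method = auth_policy.value
        if auth_policy.allow_user_change and user.auth_method:
            method = user.auth_method
    else:
        method = user.auth_method or "ntlm-or-smartcard (client default)"

    return Outcome("gateway", host, method)


if __name__ == "__main__":
    # Constructed policies: enforced address, suggested authentication method.
    address = PolicySetting(State.ENABLED, "tsg.corp.contoso.com", allow_user_change=False)
    auth = PolicySetting(State.ENABLED, "smartcard", allow_user_change=True)
    enable = PolicySetting(State.ENABLED)
    user = ClientSettings(gateway_host="other.contoso.com", auth_method="ntlm")
    print(address.mode(), auth.mode())
    print(resolve_connection(auth, enable, address, user, direct_reachable=False))
    print(resolve_connection(auth, enable, PolicySetting(), user, direct_reachable=False))
```

The enforced address keeps the user's alternate host out of the decision, while the suggested authentication method lets the user's choice through; the second call reproduces the failure the Important note describes, which is the case to test for before rolling the enable policy out ahead of the address policy.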

Deploying TS RemoteApp

Terminal Services RemoteApp (TS RemoteApp) is a feature that enables you to deploy RemoteApp programs to users. RemoteApp programs are applications that are accessed remotely through Terminal Services and appear as if they are running on the end user's local computer. Instead of being presented to the user on the desktop of the remote terminal server, the RemoteApp program is integrated with the client's desktop, running in its own resizable window with its own entry in the taskbar.

Users can run RemoteApp programs side-by-side with their local programs. If a user is running more than one RemoteApp program on the same terminal server, the RemoteApp programs share the same Terminal Services session.

To install, configure, and manage TS RemoteApp, see the following topics:

Installation Prerequisites for TS RemoteApp

Checklist: Configuring TS RemoteApp

Checklist: Deploying RemoteApp Programs Through a File Share or Other Distribution Mechanism

Checklist: Making RemoteApp Programs Available from the Internet

Configuring the Server That Will Host RemoteApp Programs

Adding RemoteApp Programs and Configuring Global Deployment Settings

Creating an .rdp File from a RemoteApp Program

Creating a Windows Installer Package from a RemoteApp Program

Managing RemoteApp Programs and Settings

Configuring Server Manager and Initial Tasks Not to Run in a RemoteApp Session

Deploying TS Web Access

Installation Prerequisites for TS RemoteApp

To access RemoteApp programs that are deployed as .rdp files or as Windows Installer packages, the client computer must be running Remote Desktop Connection (RDC) 6.0 or RDC 6.1. A supported version of the RDC client is included with Windows Server 2008 and Windows Vista. To download RDC 6.0 for Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), or Windows XP with SP2, see article 925876 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79373).

Note

RDC 6.1 (6.0.6001) supports Remote Desktop Protocol 6.1.

Client requirements

To access RemoteApp programs through TS Web Access, the client computer must be running RDC 6.1. RDC 6.1 is included with the following operating systems:

Windows Server 2008

Windows Vista with Service Pack 1 (SP1)

Windows XP with Service Pack 3 (SP3)

Checklist: Configuring TS RemoteApp

You can make programs on a terminal server available to users through TS RemoteApp. You can deploy RemoteApp programs to users through .rdp files or Windows Installer packages, or you can use TS Web Access to make the programs available through a Web page.

Note

The following checklist applies to an environment where you are using a single terminal server to host RemoteApp programs.

Task: Configure the server that will host RemoteApp programs.
Reference: Configuring the Server That Will Host RemoteApp Programs

Task: Add programs to the RemoteApp Programs list.
Reference: Add Programs to the RemoteApp Programs List

Task: Configure global deployment settings.
Reference: Configure Global Deployment Settings

Task: Configure TS Web Access if you are going to distribute RemoteApp programs through a Web page.
Reference: Checklist: Deploying RemoteApp Programs Through TS Web Access

Task: Configure RemoteApp programs if you are going to distribute them through .rdp files or Windows Installer packages.
Reference: Checklist: Deploying RemoteApp Programs Through a File Share or Other Distribution Mechanism

Task: Manage the RemoteApp Programs list (optional).
Reference: Managing RemoteApp Programs and Settings

Checklist: Deploying RemoteApp Programs Through a File Share or Other Distribution Mechanism

Instead of using TS Web Access, you can deploy RemoteApp programs through .rdp files or Windows Installer packages that are made available through file sharing, or through other distribution mechanisms such as Microsoft System Center Configuration Manager or Active Directory software distribution. These methods enable you to distribute RemoteApp programs to users without using TS Web Access.

Note

If you distribute RemoteApp programs through Windows Installer packages, you can also configure whether the terminal server takes over client file name extensions for the RemoteApp programs. If this is the case, a user can double-click a file where the file name extension is associated with a RemoteApp program.

You must complete the following tasks to configure RemoteApp programs for distribution through a file share or some other distribution mechanism. After you create .rdp files or Windows Installer packages, you can distribute them to users.

Task: Configure the server that will host RemoteApp programs. This includes installing Terminal Server, installing programs, and verifying remote connection settings.
Reference: Configuring the Server That Will Host RemoteApp Programs

Task: Add RemoteApp programs and configure global deployment settings.
Reference: Add Programs to the RemoteApp Programs List; Configure Global Deployment Settings

Task: Create .rdp files or Windows Installer packages from RemoteApp programs.
Reference: Creating an .rdp File from a RemoteApp Program; Creating a Windows Installer Package from a RemoteApp Program

Checklist: Making RemoteApp Programs Available from the Internet

By using TS RemoteApp with TS Gateway, you can enable users to connect from the Internet to individual programs on a terminal server without first establishing a virtual private network (VPN) connection. Depending on the deployment method that you choose, remote users can connect to a program by opening an .rdp file, by clicking a shortcut to a Windows Installer package on their desktop or Start menu, or by accessing a RemoteApp program on a Web page through TS Web Access.

This checklist shows the steps that are required to make RemoteApp programs available from the Internet through TS Gateway. Alternatively, if you do not want to deploy TS Gateway, you can make RemoteApp programs available through a VPN solution.

Task: Ensure that you meet the following prerequisites:
You have deployed RemoteApp programs on the terminal server.
You have successfully deployed TS Web Access in an intranet environment (if you want to make RemoteApp programs available from the Internet through TS Web Access).
Reference: Checklist: Configuring TS RemoteApp; Checklist: Deploying RemoteApp Programs Through TS Web Access

Task: Review information about TS Gateway.
Reference: TS Gateway Server Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85872)

Task: Deploy and configure TS Gateway. When you configure TS Gateway, ensure that you do the following:
Create a Terminal Services connection authorization policy (TS CAP) to define the list of user groups that can connect to the terminal servers that host the RemoteApp programs.
Create a Terminal Services resource authorization policy (TS RAP) that provides access to the terminal servers that host the RemoteApp programs. When you create the TS RAP, add the user groups that you defined in the TS CAP.
Create a new TS Gateway-managed computer group that contains both the NetBIOS names and the fully qualified domain names (FQDNs) of the terminal servers or the terminal server farm that hosts the RemoteApp programs.
Reference: TS Gateway Server Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85872); Overview of TS Gateway (http://go.microsoft.com/fwlink/?LinkId=179869); Checklist: Deploying TS Gateway; Creating a Terminal Services Connection Authorization Policy; Creating a Terminal Services Resource Authorization Policy

Task: Configure TS Gateway settings in TS RemoteApp Manager (either in the global deployment settings or when you create an .rdp file or Windows Installer package).
Reference: Configure TS Gateway Settings

Task: Ensure that existing .rdp files or Windows Installer packages were created with the correct TS Gateway settings if you want to use them to access RemoteApp programs over the Internet. If they were not, you must create new files with the correct settings, and then distribute them to users.
Reference: Creating an .rdp File from a RemoteApp Program; Creating a Windows Installer Package from a RemoteApp Program

Task: Configure firewall and authentication settings if you want to allow Internet access to RemoteApp programs through TS Web Access.
Reference: Configure the TS Web Access Server to Allow Access from the Internet

Configuring the Server That Will Host RemoteApp Programs

Before you can deploy RemoteApp programs to users, you must configure the server to host RemoteApp programs. You must make sure that the Terminal Server role service is installed, install programs on the server, and verify remote connection settings. This process includes the following procedures:

Install the Terminal Server role service

Install programs on the terminal server

Verify remote connection settings

To perform these procedures, you must be a member of the Administrators group on the terminal server.

Install the Terminal Server role service

To use TS RemoteApp, the Terminal Server role service must be installed. The TS RemoteApp feature is automatically installed as part of the Terminal Server role service. For more information, see Install the Terminal Server Role Service.

Install programs on the terminal server

We recommend that you install programs on the terminal server after you install the Terminal Server role service. If you install a program from a Windows Installer package, the program automatically installs in Terminal Server Install mode. If you are installing from another kind of setup package, use either of the following methods to put the server into Install mode:

To install the program, use the Install Application on Terminal Server option in Control Panel.

Before you install a program, run the change user /install command from the command line. After the program is installed, run the change user /execute command to exit from Install mode.

If you have programs that are related or have dependencies, we recommend that you install the programs on the same terminal server. For example, we recommend that you install Microsoft Office as a suite instead of installing individual Office programs on separate terminal servers.

You should consider putting individual programs on separate terminal servers in the following circumstances:

The program has compatibility issues that may affect other programs.

A single program and the number of associated users may fill server capacity.

Verify remote connection settings

By default, remote connections are enabled after you install the Terminal Server role service. You can use the following procedure to add users and groups that need to connect to the terminal server, and to verify or change remote connection settings.

To verify remote connection settings

1. Start the System tool. To do this, click Start, click Run, type control system in the Open box, and then click OK.

2. Under Tasks, click Remote settings.

3. In the System Properties dialog box, on the Remote tab, ensure that the Remote Desktop connection setting is configured correctly, depending on your environment. You can select either of the following options:

Allow connections from computers running any version of Remote Desktop (less secure)

Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)

For more information about the two options, on the Remote tab, click the Help me choose link.

4. To add the users and groups that need to connect to the terminal server by using Remote Desktop, click Select Users, and then click Add.

The users and groups that you add are added to the Remote Desktop Users group.

Note

Members of the local Administrators group can connect even if they are not listed.

5. When you are finished, click OK to close the System Properties dialog box.

Adding RemoteApp Programs and Configuring Global Deployment Settings

After you have prepared the terminal server to host RemoteApp programs, you can use TS RemoteApp Manager to do the following:

Add Programs to the RemoteApp Programs List

Configure Global Deployment Settings

In TS RemoteApp Manager, you can also delete or modify RemoteApp programs, import RemoteApp programs and settings from another terminal server, or export RemoteApp programs and settings to another terminal server. For more information, see Managing RemoteApp Programs and Settings.

Add Programs to the RemoteApp Programs List

To make a RemoteApp program available to users through any distribution mechanism, you must add the program to the RemoteApp Programs list. By default, programs that you add to the list are configured to be available through TS Web Access.

To add a program to the RemoteApp Programs list

1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.

2. In the Actions pane, click Add RemoteApp Programs.

3. On the Welcome to the RemoteApp Wizard page, click Next.

4. On the Choose programs to add to the RemoteApp Programs list page, select the check box next to each program that you want to add to the RemoteApp Programs list. You can select multiple programs.

Note

The programs that are shown on the Choose programs to add to the RemoteApp Programs list page are the programs that are found on the All Users Start menu on the terminal server. If the program that you want to add to the RemoteApp Programs list is not in the list on that page, click Browse, and then specify the location of the program's .exe file.

5. To configure the properties for a RemoteApp program, click the program name, and then click Properties. You can configure the following:

The program name that will appear to users. To change the name, type a new name in the RemoteApp program name box.

The path of the program executable file. To change the path, type the new path in the Location box, or click Browse to locate the .exe file.

Note

You can use system environment variables in the path name. For example, you can substitute %windir% for the explicit path of the Windows folder (such as C:\Windows). You cannot use per-user environment variables.

The alias for the RemoteApp program. The alias is a unique identifier for the program that defaults to the program's file name (without the extension). We recommend that you do not change this name.

Whether the RemoteApp program is available through TS Web Access. By default, the RemoteApp program is available through TS Web Access setting is enabled. To change the setting, select or clear the check box.

Whether command-line arguments are allowed, not allowed, or whether to always use the same command-line arguments.

The program icon that will be used. To change the icon, click Change Icon.

6. When you are finished configuring program properties, click OK, and then click Next.

7. On the Review Settings page, review the settings, and then click Finish.

The programs that you selected should appear in the RemoteApp Programs list.

Configure Global Deployment Settings

You can configure global deployment settings that apply to all RemoteApp programs that appear in the RemoteApp Programs list. These settings apply to any RemoteApp program that you make available through TS Web Access. Additionally, these settings are used as the default settings if you create .rdp files or Windows Installer packages from any of the listed RemoteApp programs.

Note

Any changes to deployment settings that you make when you use TS RemoteApp Manager to create .rdp files or Windows Installer packages override the global settings.

These global deployment settings include:

Configure Terminal Server Settings

Configure TS Gateway Settings

Configure Common RDP Settings (Optional)

Configure Custom RDP Settings (Optional)

Configure Digital Signature Settings (Optional)

Configure Terminal Server Settings

To define how users will connect to the terminal server (or terminal server farm) to access RemoteApp programs, you can configure terminal server deployment settings.

To configure terminal server settings

1. In the Actions pane of TS RemoteApp Manager, click Terminal Server Settings. (Or, in the Overview pane, next to Terminal Server Settings, click Change.)

2. On the Terminal Server tab, under Connection settings, accept or modify the server or farm name, the RDP port number, and server authentication settings.

Important

If the Require server authentication check box is selected, consider the following:

If any client computers are running Windows Server 2003 with SP1 or Windows XP with SP2, you must configure the terminal server to use a Secure Sockets Layer (SSL) certificate. (You cannot use a self-signed certificate.)

If the RemoteApp program is for intranet use, and all client computers are running either Windows Server 2008 or Windows Vista, you do not have to configure the terminal server to use an SSL certificate. In this case, Network Level Authentication is used.

3. To provide a link to the full terminal server desktop through TS Web Access, under Remote desktop access, select the Show a remote desktop connection to this terminal server in TS Web Access check box.

4. Under Access to unlisted programs, choose either of the following:

Do not allow users to start unlisted program on initial connection (recommended)

To help protect against malicious users, or a user unintentionally starting a program from an .rdp file on initial connection, we recommend that you select this setting.

Important

This setting does not prevent users from starting unlisted programs remotely after they connect to the terminal server by using the RemoteApp program. For example, if Microsoft Word is in the RemoteApp Programs list and Microsoft Internet Explorer® is not, if a user starts a remote Word session, and then clicks a hyperlink in a Word document, they can start Internet Explorer.

Allow users to start both listed and unlisted programs on initial connection

Caution

If you choose this option, users can start any program remotely from an .rdp file on initial connection, not just those programs in the RemoteApp Programs list. To help protect against malicious users, or a user unintentionally starting a program from an .rdp file, we recommend that you do not select this setting.

5. When you finish, click OK.

Configure TS Gateway Settings

To define whether users will connect to the terminal server across a firewall through TS Gateway, you can configure TS Gateway deployment settings. For more information about TS Gateway, see the TS Gateway Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85872).

To configure TS Gateway settings

1. In the Actions pane of TS RemoteApp Manager, click TS Gateway Settings. (Or, in the Overview pane, next to TS Gateway Settings, click Change.)

2. On the TS Gateway tab, configure the desired TS Gateway behavior. You can configure whether to automatically detect TS Gateway server settings, to use TS Gateway server settings that you specify, or to not use a TS Gateway server.

If you select Automatically detect TS Gateway server settings, the client tries to use Group Policy settings to determine the behavior of client connections to TS Gateway.

Note

For more information about client Group Policy settings, see Using Group Policy to Manage Client Connections Through TS Gateway.

If you select Use these TS Gateway server settings, do the following:

a. Configure the TS Gateway server name and the logon method.

Important

The server name must match what is specified in the SSL certificate for the TS Gateway server.

b. If you want the connection to try to use the same user credentials to access both the TS Gateway server and the terminal server, select the Use the same user credentials for TS Gateway and terminal server check box. However, users may still receive two prompts for credentials if conflicting credentials exist from any source such as Group Policy settings, and those credentials do not work. They may also receive two prompts for credentials if default credentials are used for the connection and those credentials do not work.

c. If you want the client computer to automatically detect when TS Gateway is required, select the Bypass TS Gateway server for local addresses check box. (Selecting this option optimizes client performance.) To always use a TS Gateway server for client connections, clear the Bypass TS Gateway server for local addresses check box.

3. When you finish, click OK.

Configure Common RDP Settings (Optional)

You can specify common Remote Desktop Protocol (RDP) settings for RemoteApp connections, such as device and resource redirection and some user display settings. These settings apply when a user connects to a RemoteApp program through TS Web Access, or when you create an .rdp file or a Windows Installer package from an existing RemoteApp program.

To configure common RDP settings

1. In the Overview pane of TS RemoteApp Manager, next to RDP Settings, click Change.

2. Under Devices and resources, configure which devices and resources on the client computer you want to make available in the remote session.

3. Under User experience, choose whether to enable font smoothing and the desired color depth.

4. When you are finished, click Apply.

Note

To configure additional RDP settings, such as audio redirection, click the Custom RDP Settings tab. For more information, see Configure Custom RDP Settings (Optional).

5. To close the RemoteApp Deployment Settings dialog box, click OK.

If you do not sign .rdp files with a digital signature, or if you sign .rdp files with a digital signature that clients do not recognize (such as a certificate from a private certification authority), the client computer may override some redirection settings that you specify in TS RemoteApp Manager. For example, if you enable all the redirection settings on the Common RDP Settings tab, and a user connects to an .rdp file that is not signed, disk drives and supported Plug and Play devices are not redirected automatically. These devices and resources are only redirected if the user enables these redirection settings in the RemoteApp warning dialog box that appears when they try to connect. This default behavior helps reduce potential security vulnerabilities. (Note that the same behavior occurs if you enable serial port redirection on the Custom RDP Settings tab.)

Configure Custom RDP Settings (Optional)

You can specify custom RDP settings for RemoteApp connections, such as audio redirection.

These settings apply when a user connects to a RemoteApp program through TS Web Access, or

when you create a Windows Installer package or .rdp file from an existing RemoteApp program.

You can use custom RDP settings to configure the working directory for RemoteApp

programs. By default, the working directory for a RemoteApp program is the same

location as the program executable file. If you configure the working directory as a

custom RDP setting, the setting applies to all RemoteApp programs that are available

through TS Web Access, and to any .rdp files or Windows Installer packages that you

create from a RemoteApp program. If you want to customize the working directory for

RemoteApp programs that you plan to distribute as .rdp files or Windows Installer

packages, you can add the working directory as a custom RDP setting, create the files

from the RemoteApp programs, and then clear the working directory custom RDP setting.

1. In the Overview pane of TS RemoteApp Manager, next to RDP Settings, click Change.

2. On the Custom RDP Settings tab, type or copy the custom RDP settings that you want

to use into the Custom RDP settings box.

To copy settings from an existing .rdp file, open the file in a text editor such as Notepad,

and then copy the desired settings.

Note Note To specify custom RDP settings

107

Page 108: TEST Terminal Services Deployment Guide

Important
You cannot override settings that are available in the global deployment settings in TS RemoteApp Manager. If you do so, you will be prompted to remove those settings when you click Apply.

To create an .rdp file to copy the settings from, follow these steps:

a. Open the RDC client, and then click Options.

b. Configure the settings that you want, such as audio redirection.

c. When you are finished, on the General tab, click Save As, and then save the .rdp file.

d. Open the .rdp file in Notepad, and then copy the desired settings into the Custom RDP settings box on the Custom RDP Settings tab.

3. When you have finished adding the settings that you want, click Apply.

4. If the Error with Custom RDP Settings dialog box appears, do the following:

a. Click Remove to automatically remove the settings that are not valid or cannot be overridden, or click OK to remove the settings manually.

b. After the settings are removed, click Apply again.

5. To close the RemoteApp Deployment Settings dialog box, click OK.

Configure Digital Signature Settings (Optional)

You can use a digital signature to sign .rdp files that are used for RemoteApp connections to the terminal server. This includes the .rdp files that are used for connections through TS Web Access to RemoteApp programs on the terminal server and to the terminal server desktop.

To connect to a RemoteApp program by using a digitally signed .rdp file, the client must be running Remote Desktop Connection (RDC) 6.1. The RDC 6.1 (6.0.6001) client supports Remote Desktop Protocol 6.1.

If you use a digital certificate, the cryptographic signature on the connection file provides verifiable information about your identity as its publisher. This enables clients to recognize your organization as the source of the RemoteApp program or the remote desktop connection, and allows the clients to make more informed trust decisions about whether to start the connection. This helps protect against the use of .rdp files that were altered by a malicious user.

You can sign .rdp files that are used for RemoteApp connections by using a Server Authentication certificate (SSL certificate) or a Code Signing certificate. You can obtain SSL and Code Signing certificates from public certification authorities (CAs) or from an enterprise CA in your public key infrastructure hierarchy.

Important
If you already use an SSL certificate for terminal server or TS Gateway connections, you can use the same certificate to sign .rdp files. However, if users will connect to RemoteApp programs from public or home computers, you must use either of the following:

A certificate from a public certification authority (CA) that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547)

An enterprise CA-issued certificate that is co-signed by a public CA that participates in the Microsoft Root Certificate Program Members program

To configure the digital certificate to use

1. In the Actions pane of TS RemoteApp Manager, click Digital Signature Settings. (Or, in the Overview pane, next to Digital Signature Settings, click Change.)

2. Select the Sign with a digital certificate check box.

3. In the Digital certificate details box, click Change.

4. In the Select Certificate dialog box, select the certificate that you want to use, and then click OK.

Note
The Select Certificate dialog box is populated by certificates that are located in the local computer's certificates store or in your personal certificate store. The certificate that you want to use must be located in one of these stores.

Using Group Policy settings to control client behavior when opening a digitally signed .rdp file

You can use Group Policy settings to configure clients to always trust RemoteApp programs from a particular publisher. You can also configure whether clients will block RemoteApp programs and remote desktop connections from external or unknown sources. By using these policy settings, you can reduce the number and complexity of security decisions that users face. This reduces the chances of inadvertent user actions that may lead to security vulnerabilities.

The relevant Group Policy settings are located in the Local Group Policy Editor at the following location, in the Computer Configuration node and in the User Configuration node:

Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client

The available policy settings include the following:

Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted .rdp file publishers. If you enable this policy setting, any certificate with a SHA1 thumbprint that matches a thumbprint on the list is trusted.

Allow .rdp files from valid publishers and user’s default .rdp settings
This policy setting allows you to specify whether users can run .rdp files from a publisher that signed the file with a valid certificate. This policy setting also controls whether the user can start an RDP session by using default .rdp settings, such as when a user directly opens the RDC client without specifying an .rdp file.

Allow .rdp files from unknown publishers
This policy setting allows you to specify whether users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer.

Important
To use these Group Policy settings, the client computer must be running RDC 6.1.

For more information about these policy settings, view the Group Policy Explain text in the Local Group Policy Editor.
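As an added example (not from the guide or from Microsoft), the following Python audit helper models two of the client-side behaviors described above: the rejection of custom RDP settings that collide with the global deployment settings (Configure Custom RDP Settings), and the publisher decision plus redirection defaults for signed, unsigned and unknown-publisher .rdp files. The .rdp key names are standard RDC settings; which keys the GUI fields map to, and the decision logic itself, are assumptions drawn from the guide's wording rather than from RDC's implementation, and the signature verification that produces the signer's thumbprint is left to the caller.

```python
"""Audit helper for RemoteApp .rdp files (added example, not Microsoft's code).

Models two client-side behaviours the guide describes: custom RDP settings may
not override the global deployment settings (terminal server, TS Gateway,
digital signature), and drive, Plug and Play and serial port redirection are
applied automatically only for a recognized publisher; otherwise the user must
enable them in the RemoteApp warning dialog box. Key names are standard RDC
.rdp settings; the GUI-to-key mapping and the decision logic are assumptions.
"""
import re

# Keys owned by the global deployment settings (assumed GUI-to-key mapping).
GLOBAL_DEPLOYMENT_KEYS = {
    "full address", "server port", "authentication level",              # Terminal Server Settings
    "gatewayhostname", "gatewayusagemethod", "gatewaycredentialssource",  # TS Gateway Settings
    "signature", "signscope",                                             # Digital Signature Settings
}
# Redirections an unsigned or unrecognized file cannot turn on silently.
SENSITIVE_REDIRECTION = ("redirectdrives", "drivestoredirect",
                         "devicestoredirect", "redirectcomports")
_SETTING = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")


def parse_rdp(text):
    """Parse 'key:type:value' lines into {key: (type, value)}; a malformed line
    or a non-integer 'i' value raises ValueError so the file is rejected whole."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = _SETTING.match(line)
        if not match:
            raise ValueError(f"line {lineno}: not a key:type:value setting: {raw!r}")
        key, typ, value = match["key"].strip().lower(), match["type"], match["value"]
        if typ == "i" and not re.fullmatch(r"-?\d+", value.strip()):
            raise ValueError(f"line {lineno}: integer setting {key!r} has value {value!r}")
        settings[key] = (typ, value)
    return settings


def check_custom_settings(custom_text):
    """Split pasted custom settings into (accepted, rejected_keys), as the
    Error with Custom RDP Settings dialog reports keys that cannot be overridden."""
    parsed = parse_rdp(custom_text)
    rejected = sorted(k for k in parsed if k in GLOBAL_DEPLOYMENT_KEYS)
    accepted = {k: v for k, v in parsed.items() if k not in GLOBAL_DEPLOYMENT_KEYS}
    return accepted, rejected


def publisher_decision(signer_thumbprint, signer_valid, policy):
    """Classify the publisher as the three policy settings describe.

    signer_thumbprint: SHA1 thumbprint of the signing certificate, None if the
    file is unsigned. signer_valid: the certificate chains to a trusted root
    (the signature check itself is the caller's job). Returns (kind, allowed).
    """
    trusted = {t.replace(" ", "").upper() for t in policy.get("trusted_thumbprints", ())}
    if signer_thumbprint and signer_thumbprint.replace(" ", "").upper() in trusted:
        return "trusted", True
    if signer_thumbprint and signer_valid:
        return "valid", bool(policy.get("allow_valid_publishers", True))
    return "unknown", bool(policy.get("allow_unknown_publishers", True))


def _enabled(typ, value):
    """An 'i' redirection key is on when it is 1; an 's' key when it lists devices."""
    return value.strip() == "1" if typ == "i" else value.strip() != ""


def effective_redirection(settings, publisher_kind):
    """State of each sensitive redirection: 'off', 'on', or 'prompt' (requested,
    but withheld until the user opts in because the publisher is unrecognized)."""
    state = {}
    for key in SENSITIVE_REDIRECTION:
        if key not in settings or not _enabled(*settings[key]):
            state[key] = "off"
        elif publisher_kind in ("trusted", "valid"):
            state[key] = "on"
        else:
            state[key] = "prompt"
    return state


# Constructed sample: text an administrator pasted into the Custom RDP settings box.
SAMPLE_CUSTOM = """\
audiomode:i:0
redirectcomports:i:1
gatewayhostname:s:gw.example.test
full address:s:ts01.example.test
"""
# Constructed sample: an unsigned RemoteApp .rdp file with every redirection on.
SAMPLE_RDP = """\
remoteapplicationmode:i:1
full address:s:ts01.example.test
server port:i:3389
redirectdrives:i:1
drivestoredirect:s:*
devicestoredirect:s:*
redirectcomports:i:1
"""
```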

Creating an .rdp File from a RemoteApp Program

You can use the RemoteApp Wizard to create an .rdp file from any program in the RemoteApp Programs list.

To create an .rdp file

1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.

2. In the RemoteApp Programs list, click the program that you want to create an .rdp file for. To select multiple programs, press and hold the CTRL key when you click each program name.

3. In the Actions pane for the program or selected programs, click Create .rdp file.

Note
If you selected multiple programs, the settings described in the rest of this procedure apply to all of the selected programs. A separate .rdp file is created for each program.

4. On the Welcome to the RemoteApp Wizard page, click Next.

5. On the Specify Package Settings page, do the following:

a. In the Enter the location to save the packages box, accept the default location or click Browse to specify a new location to save the .rdp file.

b. In the Terminal server settings area, click Change to modify the terminal server or farm name, the RDP port number, and the Require server authentication setting. (For more information about these settings, see Configure Terminal Server Settings.) When you finish, click OK.

c. In the TS Gateway settings area, click Change to modify or to configure whether clients will use a TS Gateway server to connect to the target terminal server across a firewall. (For more information about these settings, see Configure TS Gateway Settings.) When you finish, click OK.

d. To digitally sign the .rdp file, in the Certificate Settings section, click Change to select or to change the certificate to use. Select the certificate that you want to use, and then click OK. (For more information about these settings, see Configure Digital Signature Settings (Optional).)

6. When you finish, click Next.

7. On the Review Settings page, click Finish.

When the wizard is finished, the folder where the .rdp file was saved opens in a new window. You can confirm that the .rdp file was created.

Creating a Windows Installer Package from a RemoteApp Program

You can use the RemoteApp Wizard to create a Windows Installer (.msi) package from any program in the RemoteApp Programs list.

To create a Windows Installer package

1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.

2. In the RemoteApp Programs list, click the program that you want to create a Windows Installer package for. To select multiple programs, press and hold the CTRL key when you click each program name.

3. In the Actions pane for the program or selected programs, click Create Windows Installer package.

Note
If you selected multiple programs, the settings described in the rest of this procedure apply to all of the selected programs. A separate Windows Installer package is created for each program.

4. On the Welcome to the RemoteApp Wizard page, click Next.

5. On the Specify Package Settings page, do the following:

a. In the Enter the location to save the packages box, accept the default location or click Browse to specify a new location to save the Windows Installer package.

b. In the Terminal server settings area, click Change to modify the terminal server or farm name, the RDP port number, and the Require server authentication setting. (For more information about these settings, see Configure Terminal Server Settings.) When you finish, click OK.

c. In the TS Gateway settings area, click Change to modify or to configure whether clients will use a TS Gateway server to connect to the target terminal server across a firewall. (For more information about these settings, see Configure TS Gateway Settings.) When you finish, click OK.

d. To digitally sign the file, in the Certificate Settings section, click Change to select or to change the certificate to use. Select the certificate that you want to use, and then click OK. (For more information about these settings, see Configure Digital Signature Settings (Optional).)

6. When you finish, click Next.

7. On the Configure Distribution Package page, do the following:

a. In the Shortcut icons area, specify where the shortcut icon for the program will appear on client computers.

b. In the Take over client extensions area, configure whether to take over client file name extensions for the program.

If you associate the file name extensions on the client computer with the RemoteApp program, all file name extensions that are handled by the program on the terminal server will also be associated on the client computer with the RemoteApp program. For example, if you add Microsoft Word as a RemoteApp program, and you configure the option to take over client file name extensions, any file name extensions on the client computer that Word takes over will be associated with Remote Word. This means that any existing program on the client computer will no longer handle file name extensions such as .doc and .dot. Note that users are not prompted whether the terminal server should take over file extensions for the program.

To view what file name extensions are associated with a program on the terminal server, click Start, click Control Panel, and then double-click Default Programs. Click Associate a file type or protocol with a program to view the file name extensions and their default associated program.

Caution
Do not install Windows Installer packages that were created with this setting enabled on the terminal server itself. If you do, clients that use the Windows Installer package may not be able to start the associated RemoteApp program.

8. After you have configured the properties of the distribution package, click Next.

9. On the Review Settings page, click Finish.

When the wizard is finished, the folder where the Windows Installer package was saved opens in a new window. You can confirm that the Windows Installer package was created.

Managing RemoteApp Programs and Settings

In TS RemoteApp Manager, you can make changes to an existing RemoteApp program, or you can remove the program from the list. Additionally, you can export or import the RemoteApp Programs list and the global deployment settings to or from another terminal server. This section includes the following topics:

Change or Delete a RemoteApp Program

Export or Import RemoteApp Programs and Settings

Change or Delete a RemoteApp Program

After you have added a program to the RemoteApp Programs list, you can change the deployment settings for all RemoteApp programs, change the properties of a single RemoteApp program, or delete the RemoteApp program from the list.

To change or delete a RemoteApp program

To change deployment settings for all RemoteApp programs, in the Actions pane of TS RemoteApp Manager, click Terminal Server Settings, TS Gateway Settings, or Digital Signature Settings. (Or, click one of the Change options in the Overview pane. You can also change custom RDP settings in the Overview pane.)

Important
If you make any changes, the changes do not affect .rdp files or Windows Installer packages that you already created by using TS RemoteApp Manager.

To change the properties of a single RemoteApp program, click the program in the RemoteApp Programs list, and then in the Actions pane for the program, click Properties.

Note
You cannot change the properties of an existing .rdp file or Windows Installer package by using TS RemoteApp Manager. Instead, you must click Create .rdp File or Create Windows Installer Package in the Actions pane to create a new .rdp file or Windows Installer package that has the desired properties.

To change whether the RemoteApp program is available from TS Web Access, click the program, and then in the Actions pane, click Show in TS Web Access or Hide in TS Web Access.

To delete a program in the RemoteApp Programs list, click the RemoteApp program, and then in the Actions pane for the program, click Remove. Click Yes to confirm the deletion.

Note
When you delete a program in the RemoteApp Programs list, any .rdp files or Windows Installer packages that you created from the RemoteApp program are not deleted.

Export or Import RemoteApp Programs and Settings

You can copy the RemoteApp Programs list and deployment settings from one terminal server to another terminal server. This allows you to configure multiple terminal servers identically to host RemoteApp programs, such as in a terminal server farm.

To export the RemoteApp Programs list and deployment settings

1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.

2. In the Actions pane, click Export RemoteApp Settings.

3. Select either of the following options:

Export the RemoteApp Programs list and settings to another terminal server
If you select this option, in the Terminal server name box, enter the name of the terminal server that you want to export the settings to, and then click OK. (For the export operation to succeed, the source terminal server must have Windows Management Instrumentation (WMI) access to the target terminal server.)

Important
When you click OK, the RemoteApp Programs list and deployment settings will be automatically overwritten on the target terminal server.

Export the RemoteApp Programs list and settings to a file
If you select this option, click OK. In the Save As dialog box, specify a location to save the .tspub file, and then click Save.

To import the RemoteApp Programs list and deployment settings

1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.

2. In the Actions pane, click Import RemoteApp Settings.

3. Select either of the following options:

Import the RemoteApp Programs list and settings from another terminal server
If you select this option, in the Terminal server name box, enter the name of the terminal server that you want to import the settings from, and then click OK. The settings are imported directly into TS RemoteApp Manager. (For the import operation to succeed, the source terminal server must have WMI access to the target terminal server.)

Import the RemoteApp Programs list and settings from a file
If you select this option, click OK. In the Open dialog box, locate and then click the .tspub file that you want to import, and then click Open.

If you import a configuration, and the target terminal server does not have a program in the RemoteApp Programs list installed or the program is installed in a different folder, the program will appear in the RemoteApp Programs list. However, the name will be displayed with strikethrough text.

Note
Only the RemoteApp Programs list and deployment settings are exported or imported. Any .rdp files or Windows Installer packages that were created from the programs are not exported or imported. You must create new .rdp files or Windows Installer packages on each terminal server unless the server is a member of a terminal server farm. If you specified a farm name when you created the .rdp files or Windows Installer packages, and the server where you want to copy the files is a member of the same terminal server farm, you can manually copy the files.

Configuring Server Manager and Initial Tasks Not to Run in a RemoteApp Session

If a user has administrative access to the terminal server where the RemoteApp programs are installed, when the user starts a RemoteApp program, the Server Manager tool and Initial Configuration Tasks also start in the RemoteApp session.

You can control this behavior by using the following Group Policy settings in the Computer Configuration\Administrative Templates\System\Server Manager node of the Local Group Policy Editor on the terminal server:

Do not display Initial Configuration Tasks window automatically at logon
You must enable this policy setting to prevent the Initial Configuration Tasks window from opening when a user with administrative access starts a RemoteApp session.

Do not display Server Manager automatically at logon
You must enable this policy setting to prevent Server Manager from opening when a user with administrative access starts a RemoteApp session.

Deploying TS Web Access

TS Web Access and TS RemoteApp allow you to deploy a single Web site to allow users to run programs, access the full terminal server desktop, or connect remotely to the desktop of any computer in the internal network where they have the appropriate permissions.

To install and configure TS Web Access, see the following topics:

Checklist: Deploying RemoteApp Programs Through TS Web Access

Enable RemoteApp Programs for TS Web Access

Install the TS Web Access Role Service

Populate the TS Web Access Computers Security Group

Specify the Data Source for TS Web Access

Connect to TS Web Access

Configure the TS Web Access Server to Allow Access from the Internet

Configure Remote Desktop Web Connection Behavior

Change the Install Location of the TS Web Access Web Site

Checklist: Deploying RemoteApp Programs Through TS Web Access

If you use TS Web Access, you can deploy RemoteApp programs from a single terminal server or terminal server farm, or from a link to the terminal server desktop, directly through TS Web Access. All RemoteApp programs on the terminal server or terminal server farm that are configured for TS Web Access will appear on the TS Web Access Web site.

Note
TS Web Access includes the Remote Desktop Web Connection feature, which allows users to connect from a Web browser to the remote desktop of any server or client computer where they have Remote Desktop access. You can determine whether you want this feature to be available to users. For more information, see Configure Remote Desktop Web Connection Behavior.

To deploy RemoteApp programs by using TS Web Access, complete the following tasks.

Task: Configure the server that will host RemoteApp programs. This includes installing Terminal Server, installing programs, and verifying remote connection settings.
Reference: Configuring the Server That Will Host RemoteApp Programs

Task: Add RemoteApp programs that are enabled for TS Web Access, and configure global deployment settings.
Reference: Add Programs to the RemoteApp Programs List; Configure Global Deployment Settings

Task: Install TS Web Access on the server that you want users to connect to over the Web to access RemoteApp programs.
Reference: Install the TS Web Access Role Service

Task: Add the computer account of the TS Web Access server to the TS Web Access Computers group on the terminal server.
Reference: Populate the TS Web Access Computers Security Group

Task: Configure the TS Web Access server to populate its list of RemoteApp programs from a single terminal server or single terminal server farm.
Reference: Specify the Data Source for TS Web Access

After you complete this checklist, users can access the TS Web Access site from an intranet. To make the TS Web Access Web site available from the Internet, see Checklist: Making RemoteApp Programs Available from the Internet.

Enable RemoteApp Programs for TS Web Access

By default, a RemoteApp program is enabled for TS Web Access when you add a program to the RemoteApp Programs list on a terminal server.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To determine if a RemoteApp program is enabled for TS Web Access

1. On the terminal server where the RemoteApp programs are configured, start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager.

2. In the RemoteApp Programs list, verify that a Yes value appears in the TS Web Access column next to the program that you want to make available through TS Web Access.

3. To change whether a RemoteApp program is available through TS Web Access, do either of the following:

To enable a RemoteApp program for TS Web Access, click the program name, and then in the Actions pane, click Show in TS Web Access.

To disable a RemoteApp program for TS Web Access, click the program name, and then in the Actions pane, click Hide in TS Web Access.

If TS Web Access is configured to populate its list of RemoteApp programs from the terminal server, RemoteApp programs that are enabled for TS Web Access automatically appear on the TS Web Access Web site. For more information, see Specify the Data Source for TS Web Access.

Install the TS Web Access Role Service

You must install the TS Web Access role service on the server that you want users to connect to over the Web to access RemoteApp programs. When you install the TS Web Access role service, Microsoft Internet Information Services (IIS) 7.0 is also installed.

The server where you install TS Web Access acts as the Web server. The server does not have to be a terminal server.

Note
By default, when you install TS Web Access, the TS Web Access Web site installs to the Default Web Site in IIS. To change the default install location of the site, you can configure a different location in the registry. You must do this before you install the TS Web Access role service. For more information, see Change the Install Location of the TS Web Access Web Site.

Membership in the local Administrators group is the minimum required to complete this procedure.

To install TS Web Access

1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

2. If the Terminal Services role is already installed:

a. Under Roles Summary, click Terminal Services.

b. Under Role Services, click Add Role Services.

c. On the Select Role Services page, select the TS Web Access check box.

If the Terminal Services role is not already installed:

a. Under Roles Summary, click Add Roles.

b. On the Before You Begin page, click Next.

c. On the Select Server Roles page, select the Terminal Services check box, and then click Next.

d. Review the Terminal Services page, and then click Next.

e. On the Select Role Services page, select the TS Web Access check box.

3. Review the information about the required role services, and then click Add Required Role Services.

4. Click Next.

5. Review the Web Server (IIS) page, and then click Next.

6. On the Select Role Services page, where you are prompted to select the role services that you want to install for IIS, click Next.

7. On the Confirm Installation Selections page, click Install.

8. On the Installation Results page, confirm that the installation succeeded, and then click Close.

Populate the TS Web Access Computers Security Group

If the TS Web Access server and the terminal server that hosts the RemoteApp programs are separate servers, you must add the computer account of the TS Web Access server to the TS Web Access Computers security group on the terminal server.

To add the computer account of the TS Web Access server to the security group

1. On the terminal server, click Start, point to Administrative Tools, and then click Computer Management.

2. In the left pane, expand Local Users and Groups, and then click Groups.

3. In the right pane, double-click TS Web Access Computers.

4. In the TS Web Access Computers Properties dialog box, click Add.

5. In the Select Users, Computers, or Groups dialog box, click Object Types.

6. In the Object Types dialog box, select the Computers check box, and then click OK.

7. In the Enter the object names to select box, specify the computer account of the TS Web Access server, and then click OK.

8. Click OK to close the TS Web Access Computers Properties dialog box.

Specify the Data Source for TS Web Access

You can configure TS Web Access to populate the list of RemoteApp programs that appear in the Web Part from a specific terminal server or terminal server farm. By default, TS Web Access populates its list of RemoteApp programs from a single terminal server and points to the local host. The Web Part is populated by all RemoteApp programs that are enabled for TS Web Access on that terminal server's RemoteApp Programs list.

Note
To complete the following procedure, you must log on to the TS Web Access server by using the local Administrator account or an account that is a member of the TS Web Access Administrators group on the TS Web Access server.

To specify which terminal server or terminal server farm to use as the data source

1. Connect to the TS Web Access Web site. To do this, use either of the following methods:

On the TS Web Access server, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Web Access Administration.

Use Internet Explorer to connect to the TS Web Access Web site. By default, the Web site is located at the following address, where server_name is the name of the TS Web Access server:

http://server_name/ts

Note
If you have configured the Web site to use Secure Sockets Layer (SSL), connect to https://server_name/ts.

2. Log on to the site by using either the local Administrator account, or an account that is a member of the local TS Web Access Administrators group. (If you are already logged on to the computer as one of these accounts, you are not prompted for credentials.)

3. On the title bar, click the Configuration tab.

Note
If you access the TS Web Access Web site by using the TS Web Access Administration option, the page automatically opens to the Configuration tab.

4. In the Editor Zone area, in the Terminal server name box, enter the name of the terminal server or terminal server farm that you want to use as the data source.

5. Click Apply to apply the changes.

To test TS Web Access, see Connect to TS Web Access.

Connect to TS Web Access

By default, you can access the TS Web Access Web site at the following location, where server_name is the NetBIOS name or the fully qualified domain name of the Web server where you installed TS Web Access:

http://server_name/ts

If you have configured the Web site to use Secure Sockets Layer (SSL), connect to https://server_name/ts.

If you connect to TS Web Access from a public computer, such as a computer in an "Internet café," you should clear the I am using a private computer that complies with my organization's security policy check box that appears in the lower-right corner of the Web Part. In public mode, you are not provided with the option to save your credentials.

Client requirements and configuration

To connect to TS Web Access, the client computer must be running RDC 6.1 (6.0.6001). RDC 6.1 is included with the following operating systems:

   Windows Server 2008
   Windows Vista with SP1
   Windows XP with SP3

The client computer must be running Internet Explorer 6 or a later version. Additionally, the Terminal Services ActiveX Client control must be enabled. The ActiveX control is included with RDC 6.1.

If you are running Windows Server 2008 or Windows Vista with SP1, and you receive a warning message on the Internet Explorer Information bar about the site being restricted from showing certain content, click the message line, point to Add-on Disabled, and then click Run ActiveX Control. When you do this, you may see a security warning. Before you click Run, make sure that the publisher for the ActiveX control is "Microsoft Corporation."

If the Internet Explorer Information bar does not appear, and you cannot connect to TS Web Access, you can enable the Terminal Services ActiveX control by using the Manage Add-ons tool on the Tools menu of Internet Explorer. The add-on appears as Microsoft Terminal Services Client Control.

If you are running Windows XP with SP3, when you first access the TS Web Access site, the page displays an ActiveX control not installed or not enabled error message. Use the following procedure to enable the ActiveX control.

To enable the ActiveX control in Windows XP with SP3

1. Connect to the TS Web Access site, and then enter your logon credentials.

2. Do either of the following, depending on the version of Internet Explorer that you are running.

   If you are using Internet Explorer 7, on the Tools menu, point to Manage Add-ons, and then click Enable or Disable Add-ons.

   If you are using Internet Explorer 6, on the Tools menu, click Manage Add-ons.

   The Manage Add-ons dialog box appears. Make sure that the Show list is set to Add-ons currently loaded in Internet Explorer.

3. Under Disabled, click either Microsoft Terminal Services Client Control (redist) or Microsoft RDP Client Control (redist), whichever is listed.

4. Under Settings, click Enable. (If you are running Internet Explorer 6, click OK in response to the message saying that you may need to restart Internet Explorer for the changes to take effect.)

   Note
   If the ActiveX control is listed two times, enable both instances.

5. Click OK to close the Manage Add-ons dialog box. (If you are running Internet Explorer 7, click OK in response to the message saying that you may need to restart Internet Explorer for the changes to take effect.)

Any available RemoteApp programs should appear on the TS Web Access Web site.

Configure the TS Web Access Server to Allow Access from the Internet

To allow users to access the TS Web Access server from the Internet through TS Gateway, the recommended configuration is to place both the TS Gateway server and the TS Web Access server in the perimeter network, and to place the terminal servers that host RemoteApp programs behind the internal firewall.

Alternatively, you can deploy TS Web Access on the internal network, and then make the Web site available through Microsoft Internet Security and Acceleration (ISA) Server. For more information about Web publishing through ISA Server 2006, see Publishing Concepts in ISA Server 2006 (http://go.microsoft.com/fwlink/?LinkId=86359).

If you deploy TS Web Access in the perimeter network, you must configure your firewall to allow Windows Management Instrumentation (WMI) traffic from the TS Web Access server to the terminal server. You must ensure that TCP port 135 is open for WMI-related DCOM traffic. To control the other ports that are used for WMI traffic, you can configure a fixed port. For information about how to do this, see Setting Up a Fixed Port for WMI on MSDN® (http://go.microsoft.com/fwlink/?LinkId=109867). To use this procedure on a Windows Server 2008-based server, note the following additional information:

   If you are not logged on by using the local Administrator account, you must run the commands from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

   The procedure shows how to configure TCP port 24158 for WMI traffic. By default, the winmgmt -standalonehost command moves the Windows Management Instrumentation service (Winmgmt) to a standalone Svchost process that has a fixed DCOM endpoint of "ncacn_ip_tcp.0.24158".

To specify a different port number, do not use the winmgmt -standalonehost command. Instead, you must use the following procedure.

To specify a port number that is different from the default

1. Use Component Services to configure the fixed DCOM endpoint for WMI to the port that you want. To do this, follow these steps:

   a. Open Component Services. To do this, click Start, point to Administrative Tools, and then click Component Services.

   b. In the console tree, expand Component Services, expand Computers, expand My Computer, and then click DCOM Config.

   c. In the middle pane, right-click Windows Management and Instrumentation, and then click Properties.

   d. On the Endpoints tab, click either Properties or Add, depending on whether an existing custom entry already exists.

   e. Click Use static endpoint, enter the port number to use, and then click OK two times.

2. Restart the Winmgmt service for the change to take effect. To restart the service, run the commands net stop winmgmt and net start winmgmt from the command line.

3. Run the netsh command with the port parameter set to the same port that you specified in Component Services.

   When you run the netsh command to create a firewall rule, you must include the protocol parameter and specify TCP as the protocol type. The following is an example of the command syntax:

   netsh firewall add portopening protocol=TCP port=24158 profile=domain name=WMIFixedPort

   Note
   The profile parameter indicates whether the firewall rule applies to the Domain, Private, or Public profile. For more information, see "Understanding Windows Firewall with Advanced Security Profiles" in the Windows Firewall with Advanced Security Help.
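The fixed-port procedure above is easy to get half right: the endpoint is changed but the firewall rule is not, or the rule is added but port 135 is still blocked, and in both cases the only visible symptom is an empty RemoteApp list. The following PowerShell script is an added example, not part of the deployment guide; it performs the terminal-server-side configuration and then, from the TS Web Access server, checks that both ports are reachable. It assumes the WMI AppID GUID shown (confirm it under DCOM Config in Component Services) and the "Endpoints" registry value format "ncacn_ip_tcp,0,<port>"; the WMI class name in the last check and the host name are assumptions as well.

```powershell
# Added example; not from the deployment guide. Configures the fixed WMI/DCOM
# port on a terminal server and verifies, from the TS Web Access server, that
# the firewall actually lets the traffic through. Run in an elevated PowerShell
# prompt. Assumptions: the WMI AppID GUID below (check it in Component Services >
# DCOM Config > Windows Management and Instrumentation > Properties) and the
# "Endpoints" REG_MULTI_SZ format "ncacn_ip_tcp,0,<port>".

$WmiAppIdKey = 'HKLM:\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}'  # assumed GUID

# --- terminal server side -------------------------------------------------

function Set-WmiFixedEndpoint([int]$TcpPort) {
    # Equivalent of "Use static endpoint" on the Endpoints tab in Component Services
    $endpoint = "ncacn_ip_tcp,0,$TcpPort"
    New-ItemProperty -Path $WmiAppIdKey -Name 'Endpoints' -PropertyType MultiString `
        -Value @($endpoint) -Force | Out-Null
    # Winmgmt must be restarted before the new endpoint is used (net stop/start winmgmt)
    Restart-Service -Name winmgmt -Force
    return $endpoint
}

function Get-WmiFixedEndpoint {
    # Returns the configured endpoint string, or $null if WMI still uses a dynamic port
    $props = Get-ItemProperty -Path $WmiAppIdKey -ErrorAction SilentlyContinue
    if ($props -and $props.Endpoints) { return [string]$props.Endpoints[0] }
    return $null
}

function Add-WmiFirewallRule([int]$TcpPort, [string]$Name = 'WMIFixedPort') {
    # Same netsh syntax the guide gives: protocol=TCP is mandatory, and
    # profile=domain keeps the opening off the public and private profiles.
    netsh firewall add portopening protocol=TCP port=$TcpPort profile=domain name=$Name | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# --- TS Web Access server side ---------------------------------------------

function Test-WmiPorts([string]$TerminalServer, [int]$TcpPort) {
    # TS Web Access needs the RPC endpoint mapper (TCP 135) *and* the fixed WMI
    # port. If only 135 answers, the RemoteApp list stays empty and the symptom
    # looks like a permissions problem rather than a firewall problem.
    $result = @{}
    foreach ($port in 135, $TcpPort) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($TerminalServer, $port)
            $result[$port] = $client.Connected
        } catch {
            $result[$port] = $false
        } finally {
            $client.Close()
        }
    }
    return $result
}

function Test-RemoteAppQuery([string]$TerminalServer) {
    # End-to-end check over the WMI namespace TS Web Access reads the RemoteApp
    # list from (class name assumed). Requires the TS Web Access computer account
    # to be in the security group described earlier in the guide.
    try {
        $apps = Get-WmiObject -ComputerName $TerminalServer -Namespace 'root\CIMV2\TerminalServices' `
            -Class Win32_TSPublishedApplication -ErrorAction Stop
        return @($apps).Count
    } catch {
        Write-Warning "WMI query to $TerminalServer failed: $($_.Exception.Message)"
        return -1
    }
}

# Usage (first two on the terminal server, the rest on the TS Web Access server):
#   Set-WmiFixedEndpoint -TcpPort 24158; Add-WmiFirewallRule -TcpPort 24158
#   Test-WmiPorts -TerminalServer 'ts1.example.com' -TcpPort 24158   # placeholder host name
#   Test-RemoteAppQuery -TerminalServer 'ts1.example.com'
```

Test-WmiPorts is deliberately a plain TCP connect rather than a WMI call, so it distinguishes a firewall problem (connect fails) from an authorization problem (connect succeeds, Test-RemoteAppQuery fails). Keep the firewall rule scoped to the domain profile as the guide's command does; a perimeter-network host that is not domain-joined would need the rule on the profile it actually uses, and that is a deliberate decision rather than a default.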

Additionally, the TS Web Access Web site must be configured to use Windows authentication. By default, Windows authentication is enabled for the TS Web Access Web site.

To verify that Windows authentication is enabled

1. On the TS Web Access server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In the left pane of Internet Information Services (IIS) Manager, expand the server name, expand Sites, expand Default Web Site, and then click TS.

3. In the middle pane, under IIS, double-click Authentication.

4. Ensure that Windows Authentication is set to Enabled. If it is not, right-click Windows Authentication, and then click Enable.

   Note
   If you placed TS Web Access in a custom Web site, you must ensure that the authentication method that is used for the Web site can map to the user's Windows account. You can do this by using integrated Windows authentication on the custom Web site.

Configure Remote Desktop Web Connection Behavior

Terminal Services Remote Desktop Web Connection enables a user to connect to the desktop of a remote computer from the TS Web Access Web site. To connect to a remote computer, the following conditions must be true:

   The remote computer must be configured to accept Remote Desktop connections.

   The user must be a member of the Remote Desktop Users group on the remote computer.

A user can access Remote Desktop Web Connection by clicking the Remote Desktop tab on the TS Web Access page. As an administrator, you can configure whether the Remote Desktop tab is available to users. Additionally, you can configure settings such as which TS Gateway server to use, and the default device and resource redirection options.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To configure Remote Desktop Web Connection behavior

1. On the TS Web Access server, start Internet Information Services (IIS) Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In the left pane, expand the server name, expand Sites, expand Default Web Site, and then click TS.

3. In the middle pane, under ASP.NET, double-click Application Settings.

4. To change Remote Desktop Web Connection settings, modify the values in the Application Settings pane.

   To configure a default TS Gateway server, double-click DefaultTSGateway, enter the fully qualified domain name of the server in the Value box (for example, server1.contoso.com), and then click OK.

   To specify the TS Gateway authentication method, double-click GatewayCredentialsSource, type the number that corresponds to the desired authentication method in the Value box, and then click OK. The possible values include:

      0 = Ask for password (NTLM)
      1 = Smart card
      4 = Allow user to select later

   To configure whether the Remote Desktop tab appears on the TS Web Access page, double-click ShowDesktops. In the Value box, type true to show the Remote Desktop tab, or type false to hide the Remote Desktop tab. When you are finished, click OK.

   To configure default device and resource redirection settings, double-click the setting that you want to modify (xClipboard, xDriveRedirection, xPnPRedirection, xPortRedirection, or xPrinterRedirection). In the Value box, type true to enable the redirection setting by default, or type false to disable the redirection setting by default, and then click OK.

5. When you finish, close IIS Manager.

Your changes should take effect immediately on the TS Web Access Web site. If the Web page is open, refresh the page to view the changes.

You can also configure these settings by modifying the %windir%\Web\ts\Web.config file directly by using a text editor such as Notepad.
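Editing Web.config by hand, as the previous paragraph allows, has no validation at all: a GatewayCredentialsSource of 2 or a redirection switch spelled "True " is accepted by the editor and only noticed by users. The following PowerShell script is an added example, not part of the deployment guide; it applies the settings listed in the procedure above with those checks in place. The file path and setting names are the ones the guide gives; the sample appSettings XML is constructed only to show the shape of the file, and the gateway name in the commented usage is a placeholder.

```powershell
# Added example; not from the deployment guide. Changes the TS Web Access
# application settings in Web.config with validation that IIS Manager and
# Notepad do not give you: GatewayCredentialsSource must be 0, 1 or 4 and the
# redirection switches must be "true"/"false". Setting names and the file path
# are those the guide lists; the sample XML is constructed for the dry run only.

$TsWebConfigPath = Join-Path $env:windir 'Web\ts\Web.config'

$GatewayCredentialsSources = @{ 0 = 'Ask for password (NTLM)'; 1 = 'Smart card'; 4 = 'Allow user to select later' }
$BooleanSettings = @('ShowDesktops', 'xClipboard', 'xDriveRedirection',
                     'xPnPRedirection', 'xPortRedirection', 'xPrinterRedirection')

function Set-TsWebAppSetting([xml]$Config, [string]$Key, [string]$Value) {
    # Reject bad values before the document is touched; a malformed setting is
    # otherwise only noticed when users report that the Remote Desktop tab misbehaves.
    if ($Key -eq 'GatewayCredentialsSource') {
        if ($Value -notmatch '^\d+$' -or -not $GatewayCredentialsSources.ContainsKey([int]$Value)) {
            $allowed = ($GatewayCredentialsSources.Keys | Sort-Object) -join ', '
            throw "GatewayCredentialsSource must be one of: $allowed"
        }
    } elseif ($BooleanSettings -contains $Key -and $Value -notmatch '^(true|false)$') {
        throw "$Key must be 'true' or 'false' (got '$Value')"
    } elseif ($Key -eq 'DefaultTSGateway' -and $Value -notmatch '^[A-Za-z0-9.-]+$') {
        throw 'DefaultTSGateway must be a fully qualified domain name such as server1.contoso.com'
    }
    $node = $Config.configuration.appSettings.add | Where-Object { $_.key -eq $Key }
    if (-not $node) { throw "appSettings key '$Key' not found" }
    $node.value = $Value
    return $node.value
}

function Update-TsWebConfig([string]$Path, [hashtable]$Settings) {
    # Load, apply every change (validation first), back up, then write once.
    $config = [xml](Get-Content -Path $Path)
    foreach ($key in $Settings.Keys) {
        Set-TsWebAppSetting -Config $config -Key $key -Value ([string]$Settings[$key]) | Out-Null
    }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    $config.Save($Path)
}

# Constructed sample of the appSettings block (the real file has more keys and comments)
$SampleConfig = [xml]@'
<configuration>
  <appSettings>
    <add key="DefaultTSGateway" value="" />
    <add key="GatewayCredentialsSource" value="4" />
    <add key="ShowDesktops" value="true" />
    <add key="xClipboard" value="true" />
    <add key="xDriveRedirection" value="false" />
    <add key="xPnPRedirection" value="false" />
    <add key="xPortRedirection" value="false" />
    <add key="xPrinterRedirection" value="true" />
  </appSettings>
</configuration>
'@

# Dry run against the sample: hide the Remote Desktop tab, pin password prompting
Set-TsWebAppSetting -Config $SampleConfig -Key 'ShowDesktops' -Value 'false'
Set-TsWebAppSetting -Config $SampleConfig -Key 'GatewayCredentialsSource' -Value '0'
try { Set-TsWebAppSetting -Config $SampleConfig -Key 'GatewayCredentialsSource' -Value '2' }
catch { "Rejected as expected: $($_.Exception.Message)" }

# Real change (elevated prompt on the TS Web Access server); refresh the page afterwards
# Update-TsWebConfig -Path $TsWebConfigPath -Settings @{
#     DefaultTSGateway = 'gateway.example.com'   # placeholder FQDN
#     GatewayCredentialsSource = 0
#     ShowDesktops = 'false'
#     xDriveRedirection = 'false'
# }
```

Update-TsWebConfig validates every value before it writes anything and keeps a .bak copy, so a rejected setting leaves the site exactly as it was. Note that the redirection switches only set the defaults the user sees on the Remote Desktop tab; they are not an enforcement control, which is what the per connection and per user settings in the printing chapter below are for.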

Change the Install Location of the TS Web Access Web Site

By default, when you install TS Web Access, the TS Web Access Web site installs to the Default Web Site in IIS (to the /TS virtual path). To specify a different Web site to install TS Web Access, you can configure a different target Web site in the registry. You must do this before you install the TS Web Access role service.

Caution
Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To change the location of the TS Web Access Web site

1. If you do not already have IIS installed, install IIS. To do this, follow these steps:

   a. Start Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
   b. Under Roles Summary, click Add Roles.
   c. On the Before You Begin page, click Next.
   d. On the Select Server Roles page, select the Web Server (IIS) check box, click Add Required Features, and then click Next.
   e. On the Web Server (IIS) page, click Next.
   f. On the Select Role Services page, click Next.
   g. On the Confirm Installation Selections page, click Install.
   h. On the Installation Results page, verify that the installation succeeded, and then click Close.

2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

3. In Internet Information Services (IIS) Manager, expand the server name, right-click Sites, and then click Add Web Site.

4. In the Add Web Site dialog box, add the information for the new Web site, such as the site name. Ensure that you do the following:

   In the Physical path box, specify the path C:\Windows\Web, where "C:" represents the drive where you installed Windows.

   To avoid a conflict with the Default Web Site, you should either specify a different IP address in the IP address list, or specify a port other than port 80 in the Port box. (If you specify another port, ensure that the firewall is configured to permit HTTP or HTTPS traffic on that port, depending on your configuration.)

5. When you finish, click OK.

6. Start Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.

7. Locate the following registry subkey:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft

8. To specify a new install location for the TS Web Access Web site, do the following:

   a. Right-click Microsoft, point to New, and then click Key.
   b. Type Terminal Server Web Access as the subkey name, and then press ENTER.
   c. Right-click Terminal Server Web Access, point to New, and then click String Value.
   d. Type Website as the entry name, and then press ENTER.
   e. Right-click Website, and then click Modify.
   f. In the Value data box, type the name of the Web site where you want to install the TS Web Access Web site (the site name that you specified in step 4 of this procedure), and then click OK.

9. Close Registry Editor.

10. Install TS Web Access. For more information, see Install the TS Web Access Role Service.
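Steps 6 through 9 above write a single string value, and a typo in the site name is only discovered after the role service has installed into the Default Web Site anyway. The following PowerShell script is an added example, not part of the deployment guide; it performs the registry step from an elevated prompt but first confirms that an IIS site of that name exists. The registry key and value name are the guide's; the IIS WMI namespace root\WebAdministration is an assumption (it requires the IIS Management Scripts and Tools role service), and the site name is a placeholder.

```powershell
# Added example; not from the deployment guide. Records the target Web site for
# the TS Web Access installer in the registry (step 8 of the procedure) after
# confirming that a site of that name really exists in IIS. The IIS WMI
# namespace root\WebAdministration is assumed to be available.

$TsWebAccessKey = 'HKLM:\SOFTWARE\Microsoft\Terminal Server Web Access'

function Test-IisSiteExists([string]$SiteName) {
    # WQL string literal: double any embedded single quote
    $escaped = $SiteName -replace "'", "''"
    $site = Get-WmiObject -Namespace 'root\WebAdministration' -Class Site `
        -Filter "Name='$escaped'" -ErrorAction SilentlyContinue
    return ($site -ne $null)
}

function Set-TsWebAccessTargetSite([string]$SiteName) {
    if (-not (Test-IisSiteExists $SiteName)) {
        throw "IIS site '$SiteName' does not exist; create it first (steps 3 and 4 of the procedure)"
    }
    if (-not (Test-Path $TsWebAccessKey)) { New-Item -Path $TsWebAccessKey -Force | Out-Null }
    # "Website" is the String value the TS Web Access installer reads
    New-ItemProperty -Path $TsWebAccessKey -Name 'Website' -PropertyType String `
        -Value $SiteName -Force | Out-Null
    return (Get-ItemProperty -Path $TsWebAccessKey).Website
}

# Placeholder site name; run this before installing the TS Web Access role service
Set-TsWebAccessTargetSite -SiteName 'TS Web Access Site'
```

The function returns the value it read back from the registry, so the caller can compare it with the intended site name before starting the role service installation.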

Deploying Terminal Services Printing

Terminal Services printing has been enhanced in Windows Server 2008 by the addition of the Terminal Services Easy Print printer driver and a Group Policy setting that enables you to redirect only the default client printer. The Terminal Services Easy Print driver enables users to reliably print from a Terminal Services RemoteApp program or from a Terminal Services desktop session to the correct printer on their client computer. It also enables users to have a much more consistent printing experience between local and remote sessions.

To install and configure Terminal Services Printing, see the following topics:

   Using Terminal Services Easy Print Driver
   Installing the Printer Driver on the Server
   Creating a Custom Printer Mapping File
   Configuring Printer Redirection Settings
   Using Terminal Services Printing-Related Group Policy Settings

Using Terminal Services Easy Print Driver

By default, a Windows Server 2008-based terminal server is configured to use the Terminal Services Easy Print printer driver first when a client tries to print, and then it tries to use a matching printer driver on the server if the client does not support Terminal Services Easy Print. To change this default behavior, modify the Use Terminal Services Easy Print printer driver first Group Policy setting. If you set this policy setting to Disabled, the terminal server first tries to find a suitable printer driver to install the client printer. If the terminal server does not have a printer driver that matches the client printer, the server tries to use the Terminal Services Easy Print driver to install the client printer. For more information, see Using Terminal Services Printing-Related Group Policy Settings.

Note
This policy setting is available in the Computer Configuration node and the User Configuration node.

Client requirements

To use the Terminal Services Easy Print driver, clients must be running both of the following:

   Remote Desktop Connection 6.1 [The RDC 6.1 (6.0.6001) client supports Remote Desktop Protocol 6.1.]

   At least Microsoft .NET Framework 3.0 Service Pack 1 (SP1)

The following list provides information about which operating systems support the Terminal Services Easy Print driver, and whether additional configuration is required.

   Windows Vista with SP1 includes both of the required components. By default, Windows Vista with SP1 supports the Terminal Services Easy Print driver with no additional configuration.

   Windows XP with Service Pack 3 (SP3) includes RDC 6.1. However, you must install a supported version of the .NET Framework separately. You can download Microsoft .NET Framework 3.5 (which includes .NET Framework 3.0 SP1) from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=109422).

   Windows Server 2008 includes both of the required components. However, by default, .NET Framework 3.0 SP1 is not installed. Therefore, to use the Terminal Services Easy Print driver on a Windows Server 2008-based server (that is acting as the client), you must add .NET Framework 3.0 SP1 by using Server Manager or by adding the feature from the command line.

To add .NET Framework 3.0 SP1 by using Server Manager

1. Start Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

2. In the left pane of Server Manager, right-click Features, and then click Add Features.

3. On the Select Features page, expand .NET Framework 3.0.

4. Select the .NET Framework 3.0 Features and the XPS Viewer check boxes, and then click Next.

5. Click Install.

To add .NET Framework 3.0 SP1 by using the command line

1. Start the command prompt with elevated privileges. To do this, click Start, right-click Command Prompt, and then click Run as administrator.

2. At the command prompt, type the following, and then press ENTER:

   pkgmgr.exe /iu:NetFx3

   The installation occurs silently, and may take several minutes.

Additional information

When you use the Terminal Services Easy Print driver, users cannot save printing preferences from Printers in Control Panel. Instead, printing preferences can only be applied and saved per application.
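Both client requirement lists in this guide (RDC 6.1 with the ActiveX control for TS Web Access, and RDC 6.1 with .NET Framework 3.0 SP1 for Easy Print) come down to a version check and a registry check that can be scripted for a logon script or an inventory run. The following PowerShell script is an added example, not part of the deployment guide, and covers both passages. The RDC build number 6.0.6001 is the guide's; the .NET Framework 3.0 registry keys used for the service pack check are an assumption from the standard .NET setup keys, and the ActiveX check only tests that the redistributed control file is present, not that it is enabled in Internet Explorer.

```powershell
# Added example; not from the deployment guide. Checks a client for the two
# components both TS Web Access and Easy Print depend on: RDC 6.1 (6.0.6001)
# and .NET Framework 3.0 SP1. Registry locations for the .NET check are assumed
# from the standard .NET setup keys; verify them on a reference machine.

function Get-RdcVersion {
    # mstsc.exe carries the RDC version as a file version
    $mstsc = Join-Path $env:windir 'System32\mstsc.exe'
    if (-not (Test-Path $mstsc)) { return $null }
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($mstsc)
    return New-Object System.Version($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)
}

function Test-RdcRequirement {
    # TS Web Access and Easy Print need at least RDC 6.1, which is build 6.0.6001
    $v = Get-RdcVersion
    return ($v -ne $null) -and ($v -ge [System.Version]'6.0.6001')
}

function Test-ActiveXControlPresent {
    # mstscax.dll is the Terminal Services ActiveX Client control that TS Web Access loads;
    # enabling it in Internet Explorer is a separate per-user step (see the procedure above)
    return Test-Path (Join-Path $env:windir 'System32\mstscax.dll')
}

function Test-NetFx30Sp1 {
    # Assumed keys: NDP\v3.0\Setup\InstallSuccess = 1 marks 3.0; NDP\v3.0\SP >= 1 marks SP1 or later
    $ndp   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0'
    $setup = Get-ItemProperty -Path "$ndp\Setup" -ErrorAction SilentlyContinue
    $base  = Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue
    if (-not $setup -or $setup.InstallSuccess -ne 1) { return $false }
    return ($base -ne $null) -and ([int]$base.SP -ge 1)
}

function Get-TsClientReadiness {
    # One object an administrator can write to a log or collect from a logon script
    $rdc = Get-RdcVersion
    $rdcText = 'not found'
    if ($rdc) { $rdcText = $rdc.ToString() }
    $report = New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        RdcVersion     = $rdcText
        RdcOk          = Test-RdcRequirement
        ActiveXPresent = Test-ActiveXControlPresent
        NetFx30Sp1     = Test-NetFx30Sp1
    }
    $report | Add-Member NoteProperty EasyPrintReady   ($report.RdcOk -and $report.NetFx30Sp1)
    $report | Add-Member NoteProperty TsWebAccessReady ($report.RdcOk -and $report.ActiveXPresent)
    return $report
}

Get-TsClientReadiness | Format-List
```

A client that reports RdcOk but not NetFx30Sp1 will still connect to TS Web Access and RemoteApp programs; it simply falls back to the server-side driver matching described in the next section, which is why the two readiness flags are kept separate.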

Installing the Printer Driver on the Server

If some client computers do not support the Terminal Services Easy Print driver, you can install matching printer drivers on the terminal server.

If the printer driver that is installed on the client computer is an OEM driver, and a driver is available from the printer's manufacturer, replace the OEM driver with the driver that is available from the printer's manufacturer. If you are installing a non-Microsoft driver, make sure that the driver is a Windows Hardware Quality Labs (WHQL)-signed driver.

Note
After you install a printer driver, terminal server clients must log off and then log on to the terminal server before the printer driver change takes effect.

To install the printer driver, use either of the following methods. To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

   Method 1: Run the printer's Setup program to install the printer driver .inf file on the terminal server.

   Method 2: Install the printer driver by using the Add Printer Driver Wizard.

To install the printer driver by using the Add Printer Driver Wizard

1. On the terminal server, click Start.

2. In the Start Search box, type control printers and then press ENTER.

3. On the File menu, click Server Properties.

4. On the Drivers tab, click Add, and then follow the instructions in the Add Printer Driver Wizard to install the printer driver .inf file.

Creating a Custom Printer Mapping File

You can create or modify an existing custom printer mapping file to define mappings from client-side drivers to server-side drivers on the terminal server.

To perform the following procedures on the terminal server, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Step one: Create or modify an .inf file

Using a text editor such as Notepad, create or modify an .inf file to include the user-defined mappings from the client-side driver to the server-side driver. Follow the format used in the following example:

   ;NTPRINTSUBS.INF
   ;Printer mapping file for client-side to server-side drivers
   [Printers]
   "OEM Printer Driver Name" = "Windows Server 2008 Driver Name"

For example:

   "HP DeskJet 720C Series v10.3" = "HP DeskJet 722C"

The left side of the equation is the exact name of the printer driver that is associated with the client-side print queue that is being redirected to the server.

To obtain the exact name of the client-side driver

1. On the client computer, in Control Panel, open Printers.

2. Right-click the printer that you want to use, and then click Properties.

3. The exact name of the printer driver appears on the General tab, next to Model.

   Note
   You can also click the Advanced tab and view the driver name in the Driver list.

The right side of the equation is the exact name of the server-side driver equivalent that is installed on the terminal server.

To obtain the exact name of the server-side driver

1. On the terminal server, in Control Panel, open Printers.

2. On the File menu, click Server Properties.

3. The exact name of the printer driver is listed on the Drivers tab in the Name column.

   Note
   If the server-side printer driver that you want to use is not installed, click Add, and then follow the instructions in the Add Printer Driver Wizard to install the printer driver.

Step two: Configure the registry

After you create the printer mapping file, you must configure the registry to point to the printer mapping .inf file, and to the correct section of the printer mapping file that contains the user-defined mappings.

Caution
Incorrectly editing the registry might severely damage your system. Before you make changes to the registry, you should back up any valued data.

To use a custom printer mapping file

1. On the terminal server, open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

3. Locate the following registry subkey:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd

4. Create a registry entry for the printer mapping file name. To do this, follow these steps:

   a. Right-click the rdpwd subkey, point to New, and then click String Value.
   b. Type PrinterMappingINFName as the entry name, and then press ENTER.
   c. Right-click PrinterMappingINFName, and then in the Value data box, enter the path and name of the .inf file to which you want to redirect lookups. For example, type c:\windows\inf\ntprintsubs.inf.
   d. When you finish, click OK.

5. Create a registry entry for the section of the .inf file to which you want to redirect lookups. To do this, follow these steps:

   a. Right-click the rdpwd subkey, point to New, and then click String Value.
   b. Type PrinterMappingINFSection as the entry name, and then press ENTER.
   c. Right-click PrinterMappingINFSection, and then in the Value data box, enter the name of the section in the .inf file that contains the user-defined mappings. For example, type Printers.
   d. When you finish, click OK.

6. Close Registry Editor.

For the changes to take effect, you must restart the Print Spooler service on the terminal server.
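The two steps above (write the .inf, then point the rdpwd registry values at it) fail quietly when a driver name is misquoted or the section name in the registry does not match the section header in the file: the terminal server simply finds no mapping and the client printer is not installed. The following PowerShell script is an added example, not part of the deployment guide; it generates the mapping file from a hashtable, parses it back the way the server will read it, sets the two registry values the guide names, and restarts the spooler. The file path, section name and registry key are the guide's; the driver names are the guide's sample plus a constructed placeholder.

```powershell
# Added example; not from the deployment guide. Builds the custom printer mapping
# .inf from a hashtable, reads it back to confirm every mapping parses, writes the
# two rdpwd registry values the guide names, and restarts the spooler. File path
# and section name are the guide's examples.

$MappingInfPath = Join-Path $env:windir 'inf\ntprintsubs.inf'
$MappingSection = 'Printers'
$RdpwdKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd'

function New-PrinterMappingInf([hashtable]$Mappings, [string]$Section) {
    # Client-side driver name on the left, server-side driver name on the right,
    # both quoted exactly as shown in the printer's Properties / Server Properties.
    $lines = @(';NTPRINTSUBS.INF', ';Printer mapping file for client-side to server-side drivers', "[$Section]")
    foreach ($client in $Mappings.Keys | Sort-Object) {
        $lines += ('"{0}" = "{1}"' -f $client, $Mappings[$client])
    }
    return ($lines -join "`r`n")
}

function ConvertFrom-PrinterMappingInf([string]$Text, [string]$Section) {
    # Parse only the requested section; a mapping that does not match the
    # quoted "a" = "b" form is reported instead of silently ignored.
    $result = @{}
    $inSection = $false
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $inSection = ($matches[1] -eq $Section); continue }
        if (-not $inSection) { continue }
        if ($line -match '^"([^"]+)"\s*=\s*"([^"]+)"$') { $result[$matches[1]] = $matches[2] }
        else { throw "Unparseable mapping line: $line" }
    }
    return $result
}

function Install-PrinterMappingFile([hashtable]$Mappings, [string]$Path, [string]$Section, [switch]$DryRun) {
    $text   = New-PrinterMappingInf -Mappings $Mappings -Section $Section
    $parsed = ConvertFrom-PrinterMappingInf -Text $text -Section $Section
    if ($parsed.Count -ne $Mappings.Count) { throw 'Round-trip check failed: does a driver name contain a quote?' }
    if ($DryRun) { return $parsed }
    Set-Content -Path $Path -Value $text -Encoding ASCII
    # PrinterMappingINFName / PrinterMappingINFSection: the two String values from the guide
    New-ItemProperty -Path $RdpwdKey -Name 'PrinterMappingINFName' -PropertyType String -Value $Path -Force | Out-Null
    New-ItemProperty -Path $RdpwdKey -Name 'PrinterMappingINFSection' -PropertyType String -Value $Section -Force | Out-Null
    Restart-Service -Name Spooler -Force   # required for the change to take effect
    return $parsed
}

# Constructed sample: the guide's example mapping plus a placeholder second entry
$SampleMappings = @{
    'HP DeskJet 720C Series v10.3' = 'HP DeskJet 722C'
    'Contoso LaserJet OEM 2.1'     = 'HP LaserJet 4'   # placeholder names
}

# Dry run: generate and parse, touch nothing
Install-PrinterMappingFile -Mappings $SampleMappings -Path $MappingInfPath -Section $MappingSection -DryRun

# Real run on the terminal server (elevated prompt):
# Install-PrinterMappingFile -Mappings $SampleMappings -Path $MappingInfPath -Section $MappingSection
```

Because the registry values are written from the same variables that named the file and the section, the two cannot drift apart. The round-trip parse is what catches a driver name with an embedded quote, which Notepad accepts and the server ignores.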

Configuring Printer Redirection Settings

As an administrator, you can configure printer redirection settings for terminal server connections as a whole (per connection) or on a per user basis.

Configure printer redirection settings per connection

By using Group Policy (best practice)

To configure Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy Creator Owners group, or have been delegated the appropriate authority over Group Policy.

To configure Group Policy settings by using the Local Group Policy Editor, membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To configure per connection printer redirection settings on a terminal server by using Group Policy

1. In either the Group Policy Management Console or the Local Group Policy Editor, locate the following node:

   Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection

2. Configure the desired printer redirection settings:

   To disable client printer redirection, enable the Do not allow client printer redirection policy setting.

   To use the default printer of the server as the default printer for all client sessions, enable the Do not set default client printer to be default printer in a session policy setting.

By using Terminal Services Configuration

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To configure per connection printer redirection settings on a terminal server by using Terminal Services Configuration

1. Click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.

2. In the middle pane, under Connections, right-click the connection, and then click Properties.

3. On the Client Settings tab, under Redirection, configure the desired printer redirection settings:

   To disable client printer redirection, select the Windows Printer check box.

   To use the default printer of the server as the default printer for all client sessions, select the Default to main client printer check box. To print to the default printer of the client, clear this check box.

Configure printer redirection settings per user

You can configure per user printer redirection settings by using either Local Users and Groups or Active Directory Users and Computers. These settings override client-specified settings.

To configure per user printer redirection settings by using Active Directory Users and Computers, you must be logged on as a member of the Domain Admins group, or have been delegated the appropriate authority.

To configure per user printer redirection settings by using Local Users and Groups, membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To configure per user printer redirection settings

1. Do either of the following, depending on whether you are configuring settings for a domain user or for a local user on the terminal server.

   To configure settings for a domain user, on a domain controller, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

   To configure settings for a local user, on a terminal server, click Start, point to Administrative Tools, click Computer Management, and then expand Local Users and Groups.

2. In the console tree, locate the user for whom you want to configure printer redirection settings.

3. Right-click the user name, and then click Properties.

4. On the Environment tab, configure the following settings:

   Connect client printers at logon
   If you clear this check box, client printers are not automatically connected. However, a user can still manually map their client printer.

   Default to main client printer
   Select this check box to print to the default printer of the client. If you clear this check box, the default printer of the server is used as the default printer for all client sessions.

   Note
   By default, both of these check boxes are selected.

5. When you finish, click OK.

Use client-specified printer redirection settings

Users can also control printer redirection settings through the Remote Desktop Connection (RDC) client, or when starting a connection to a RemoteApp program.

To control printer redirection through the RDC client

1. Start the Remote Desktop Connection client.

2. Click Options.

3. On the Local Resources tab, under Local devices and resources, select or clear the Printers check box.

Using Terminal Services Printing-Related Group Policy Settings

There are several Group Policy settings that you can configure to help control Terminal Services printing behavior. These settings are located in the following node of the Group Policy Management Console:

   Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection

Note
Some of the policy settings are available in both the Computer Configuration node and the User Configuration node.

Following are the available Group Policy settings for Terminal Services printing.

Name: Do not allow client printer redirection
Requirements: At least Windows XP Professional or Windows Server 2003 family
Description: This policy setting allows you to specify whether to prevent the mapping of client printers in Terminal Services sessions. You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Terminal Services allows this client printer mapping.
If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Terminal Services sessions.
If you disable this policy setting, users can redirect print jobs with client printer mapping.
If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. However, an administrator can still disable client printer mapping by using the Terminal Services Configuration tool.

Name: Do not set default client printer to be default printer in a session
Requirements: At least Windows XP Professional or Windows Server 2003
Description: This policy setting allows you to specify whether the client default printer is automatically set as the default printer in a Terminal Services session. By default, Terminal Services automatically designates the client default printer as the default printer in a Terminal Services session. You can use this policy setting to override this behavior.
If you enable this policy setting, the default printer is the printer specified on the remote computer.
If you disable this policy setting, the terminal server automatically maps the client default printer and sets it as the default printer upon connection.
If you do not configure this policy setting, the default printer is not specified at the Group Policy level. However, an administrator can configure the default printer for client sessions by using the Terminal Services Configuration tool.

Name: Redirect only the default client printer
Requirements: At least Windows Server 2008
Description: This policy setting allows you to specify whether the default client printer is the only printer redirected in Terminal Services sessions.
If you enable this policy setting, only the default client printer is redirected in Terminal Services sessions.
If you disable or do not configure this policy setting, all client printers are redirected in Terminal Services sessions.

Name: Specify terminal server fallback printer driver behavior
Requirements: Windows Server 2003 with Service Pack 1 only
Description: This policy setting allows you to specify the terminal server fallback printer driver behavior. By default, the terminal server fallback printer driver is disabled. If the terminal server does not have a printer driver that matches the client's printer, no printer will be available for the terminal server session.
If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the terminal server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are:
   Do nothing if one is not found: If there is a printer driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer is not available. This is the default behavior.
   Default to PCL if one is not found: If no suitable printer driver can be found, default to the Printer Control Language (PCL) fallback printer driver.
   Default to PS if one is not found: If no suitable printer driver can be found, default to the PostScript (PS) fallback printer driver.
   Show both PCL and PS if one is not found: If no suitable driver can be found, show both PS and PCL-based fallback printer drivers.
If you disable this policy setting, the terminal server fallback driver is disabled and the terminal server will not attempt to use the fallback printer driver.
If you do not configure this policy setting, the fallback printer driver behavior is off by default.
Note
If the Do not allow client printer redirection policy setting is enabled, this policy setting is ignored and the fallback printer driver is

disabled.

Use Terminal Services

Easy Print printer driver

first

This policy setting allows you to

specify whether the Terminal

Services Easy Print printer driver

is used first to install all client

printers.

If you enable or do not configure

this policy setting, the terminal

server first tries to use the

Terminal Services Easy Print

printer driver to install all client

printers. If for any reason the

Terminal Services Easy Print

printer driver cannot be used, a

printer driver on the terminal

server that matches the client

printer is used. If the terminal

server does not have a printer

driver that matches the client

printer, the client printer is not

available for the Terminal

Services session.

If you disable this policy setting,

the terminal server tries to find a

suitable printer driver to install

the client printer. If the terminal

server does not have a printer

driver that matches the client

printer, the server tries to use the

Terminal Services Easy Print

printer driver to install the client

printer. If for any reason the

Terminal Services Easy Print

printer driver cannot be used, the

client printer is not available for

the Terminal Services session.

At least Windows Server 2008

137

Page 138: TEST Terminal Services Deployment Guide

Name Description Requirements

Note

If the Do not allow

client printer

redirection policy setting

is enabled, the Use

Terminal Services Easy

Print printer driver first

policy setting is ignored.

138
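The precedence the table describes, modelled as an added example (not code from the guide or from Windows): given the state of the Do not allow client printer redirection, Use Terminal Services Easy Print printer driver first, and fallback printer driver settings, which driver a client printer ends up with in the session. Function and parameter names are my own; the driver labels are constructed placeholders.

```python
from enum import Enum
from typing import List, Optional


class PolicyState(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    NOT_CONFIGURED = "not configured"


# Drivers offered by each option of "Specify terminal server fallback
# printer driver behavior" when no matching server driver exists.
FALLBACK_OPTIONS = {
    "do nothing": [],
    "pcl": ["PCL fallback driver"],
    "ps": ["PS fallback driver"],
    "both": ["PCL fallback driver", "PS fallback driver"],
}


def resolve_easy_print(redirection_blocked: PolicyState,
                       easy_print_first: PolicyState,
                       easy_print_usable: bool,
                       server_has_matching_driver: bool) -> Optional[str]:
    """Windows Server 2008 path: returns the driver used, or None if the
    client printer is not available in the session."""
    if redirection_blocked is PolicyState.ENABLED:
        return None  # Easy Print setting is ignored; nothing is redirected
    if easy_print_first is PolicyState.DISABLED:
        order = ["matching", "easy_print"]  # matching driver first, then Easy Print
    else:
        order = ["easy_print", "matching"]  # enabled or not configured
    for candidate in order:
        if candidate == "easy_print" and easy_print_usable:
            return "Terminal Services Easy Print"
        if candidate == "matching" and server_has_matching_driver:
            return "matching server driver"
    return None


def resolve_fallback_2003sp1(redirection_blocked: PolicyState,
                             fallback_policy: PolicyState,
                             fallback_option: str,
                             server_has_matching_driver: bool) -> List[str]:
    """Windows Server 2003 SP1 path: returns the drivers offered (empty
    list means the client printer is not available)."""
    if redirection_blocked is PolicyState.ENABLED:
        return []  # fallback setting is ignored and the fallback driver is disabled
    if server_has_matching_driver:
        return ["matching server driver"]
    if fallback_policy is not PolicyState.ENABLED:
        return []  # disabled or not configured: fallback driver is off
    return FALLBACK_OPTIONS[fallback_option]
```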