Windows Server 2008 Terminal Services: Configuration Walkthrough

Jeff Alexander, IT Pro Evangelist, Microsoft Australia

Session SVR309

Session Objectives and Key Takeaways

Session objectives:
• Learn about Terminal Services RemoteApp™
• Learn about TS Gateway
• Learn about TS Web Access
• Learn about TS Easy Print
• Learn about the TS Session Broker
• Understand the importance of x64 for TS

Key takeaways:
• Terminal Services is a rich client technology
• Terminal Services can reduce application deployment and management overhead
• TS isn't just about WAN links

Terminal Services

Scenarios:
• Centralized application access
• Application deployment
• Branch office
• Secure anywhere access
• Compliance and security

Enabling technologies:
• TS Gateway
• TS Remote Programs (RemoteApp)
• SSO for managed clients

TS in Windows Server 2008 is designed for low-complexity scenarios.

(Diagram: a central location serving a mobile worker in an airport, a branch office and a home office.)

Terminal Services RemoteApp™

(Diagram: Remote Desktop client → Terminal Services Gateway server → terminal server.)

• Remote programs are integrated with the local computer
• Centrally configure a terminal server with the Terminal Services Configuration console
• The RemoteApp console is used to make an application available; it is also used to make programs available via TS Web Access
• Programs look like they are running locally
• Supported only by the Remote Desktop Connection client 6.0 or newer (a Remote Desktop client is required)

Remote Rogue Execution?!

Remote programs:
• look and feel like local apps
• get access to local resources through redirection (drives, clipboard, printers)
• are therefore a vector of attack against the client: a crafted .rdp file can point the user at an attacker's server and redirect local resources to it

Solution: RDPSign
• Cryptographically signs the .rdp file
• A publisher certificate identifies the origin
• New security UI helps the user decide whether to trust the file
• Group Policy controls which trust decisions are left to users

Who will get your password?

RDPSign Policies

Default client behaviour (no publisher is trusted):
• Signed .rdp file: green prompt
• .rdp file created by the interactive user on the TS client: green prompt
• Unsigned .rdp file: yellow warning
• Expired, invalid or corrupt signature: red, blocked

Group Policy options:
• Define trusted publishers
• Block unsigned .rdp files
• Block user-created and signed .rdp files

RDPSign Deployments

Admin steps per deployment level:
• Zero Deployment: none
• Basic Signing: obtain a signing certificate; sign RDPs with the TS admin tools
• Known RDPs Only (recommended): as Basic, plus push the certificate out to clients using a GP list and set a GP flag to block unsigned files
• Lockdown (no user decisions): as Known RDPs Only, plus set a GP flag to block user-created files

Resulting client behaviour:

File source             Zero        Basic      Known RDPs Only   Lockdown
RDPs from admin         Warning     Prompt     No prompt         No prompt
Interactive user        Prompt      Prompt     Prompt            Blocked
Third-party (signed)    Prompt      Prompt     Prompt            Blocked
Legacy RDPs             Warning     Warning    Blocked           Blocked
Unknown RDPs            Warning     Warning    Blocked           Blocked
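As an added example (not code from the session), the signing and trust-policy steps from the table above in PowerShell, plus a check the deck does not mention: which settings in a signed .rdp file the signature actually covers. rdpsign.exe is the Windows Server 2008 command-line tool behind the "sign RDPs with TS admin tools" step. The certificate thumbprint and file names are placeholders; the registry value names for the trust policies are assumed from the Terminal Services client .rdp publisher Group Policy settings (set them through a GPO in production, they are written directly here only to show what the policy changes); the sample .rdp lines at the end are constructed.

```powershell
# Added example, not code from the session. Windows PowerShell 2.0 era syntax.
# Assumptions (placeholders, not from the deck): certificate thumbprint, file
# names, and that rdpsign.exe is on the PATH (it ships with Windows Server 2008).

function Invoke-RdpSign {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,   # SHA-1 thumbprint of the signing cert
        [Parameter(Mandatory=$true)][string[]]$RdpFile     # .rdp files to sign in place
    )
    # /sha1 selects the certificate from the local certificate store by thumbprint.
    & rdpsign.exe /sha1 $Thumbprint $RdpFile
    if ($LASTEXITCODE -ne 0) { throw "rdpsign.exe failed with exit code $LASTEXITCODE" }
}

function Set-RdpPublisherTrust {
    # "Known RDPs Only": trust our publisher and block unsigned files.
    # Add -BlockUserCreated for the "Lockdown" column (block user-created files too).
    param(
        [Parameter(Mandatory=$true)][string[]]$TrustedThumbprint,
        [switch]$BlockUserCreated
    )
    # Same key the client-side Terminal Services GPO settings write (assumption:
    # value names as in TerminalServer.admx); prefer a GPO over editing this directly.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name TrustedCertThumbprints -Value ($TrustedThumbprint -join ',')
    Set-ItemProperty -Path $key -Name AllowUnsignedFiles -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name AllowSignedFiles -Value $(if ($BlockUserCreated) { 0 } else { 1 }) -Type DWord
}

function Get-RdpSettings {
    # Parse "name:type:value" lines; continuation lines of a base64 signature do not match.
    param([string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^([^:]+):([sib]):(.*)$') {
            $settings[$matches[1].Trim().ToLower()] = $matches[3]
        }
    }
    return $settings
}

function Test-RdpSignScope {
    # Report whether the file is signed and which security-relevant settings fall
    # outside 'signscope'. Settings outside the scope are not protected by the
    # signature, so a green prompt says nothing about them. This does not verify
    # the signature itself; the RDC client does that against the trusted publishers.
    param([string[]]$Lines)
    $s = Get-RdpSettings $Lines
    if (-not ($s.ContainsKey('signscope') -and $s.ContainsKey('signature'))) {
        return New-Object PSObject -Property @{ Signed = $false; Uncovered = @() }
    }
    $scope = $s['signscope'].Split(',') | ForEach-Object { ($_ -replace '\s', '').ToLower() }
    # Settings an attacker would change to redirect the session, run a different
    # program, or pull local resources across to the remote side.
    $sensitive = 'full address', 'alternate full address', 'gatewayhostname',
                 'remoteapplicationprogram', 'remoteapplicationcmdline', 'alternate shell',
                 'drivestoredirect', 'redirectdrives', 'redirectclipboard', 'redirectprinters'
    $uncovered = @()
    foreach ($name in $sensitive) {
        $present = $s.ContainsKey($name)
        $covered = $scope -contains ($name -replace '\s', '')
        if ($present -and -not $covered) { $uncovered += $name }
    }
    return New-Object PSObject -Property @{ Signed = $true; Uncovered = $uncovered }
}

# Constructed sample: a signed RemoteApp file whose signscope omits 'drivestoredirect'.
$sample = @(
    'full address:s:ts1.corp.example',
    'remoteapplicationmode:i:1',
    'remoteapplicationprogram:s:||WordPad',
    'drivestoredirect:s:*',
    'signscope:s:Full Address,RemoteApplicationMode,RemoteApplicationProgram',
    'signature:s:AQABAAEAAAD...constructed-placeholder...'
)
Test-RdpSignScope $sample   # Signed = True, Uncovered = drivestoredirect
```

Run Test-RdpSignScope over every .rdp file you publish before handing it to users: the client's green prompt only attests to the fields listed in signscope, so a redirection setting left outside the scope can be edited in transit without invalidating the signature.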

Demo: Terminal Services RemoteApp™
• Configuring TS Remote Programs
• Using the RDP and MSI file creation tool
• Setting 32-bit colour

TS Remote Programs Deployment Best Practices
• Put common applications on the same server (e.g. the Microsoft Office system)
• Consider putting individual applications on separate servers when:
  - the application has compatibility issues
  - a single application and its associated users may fill server capacity; create a load-balanced farm for single applications that exceed one server
• Use Microsoft SoftGrid to improve server usage and application compatibility

TS Web Access

Goal: provide a simple solution and infrastructure.

Solution:
• Provides a simple web interface for launching applications
• TS Gateway provides the HTTPS transport, not TS Web Access
• Two modes of configuration: single terminal server mode, and AD mode (queries Group Policy for published MSI packages)
• Ideal for low-complexity scenarios

Infrastructure:
• Visual Studio web part
• ActiveX control
• Samples

Demo: TS Web Access
• Enabling an application for Web Access
• Using the Web Access default web site

TS Web Access Deployment Best Practices
• The TS Web Access default is good for single-server deployments
• Use AD mode for multi-server deployments when the customer is used to AD MSI deployment
• When the customer has no AD MSI experience, use custom ASP scripting or third-party solutions

TS Gateway

Allows a secure, seamless connection without a VPN:
• Tunnels RDP over HTTPS
• Lets you place terminal servers behind multiple firewalls without opening any port other than 443
• Uses the same infrastructure as Outlook over RPC/HTTPS

Allows access to:
• Terminal server remote desktops and programs
• Client remote desktop
• Server remote desktop

When should TS Gateway be used in place of a VPN?
• When no local copy of the data is required
• When a quicker connection time is required
• When bandwidth or application data size makes the VPN experience poor

Requirements and Policy Control

Requirements:
• SSL certificate for the TS Gateway
• IIS 7.0
• Network Policy Server

TS CAP (Connection Authorization Policy): states which users, and from which client machines, may connect through the gateway.

TS RAP (Resource Authorization Policy): states which internal resources (computers) those users may connect to. A connection must satisfy both a CAP and a RAP.

TS Gateway Remote Access

(Diagram: Internet | perimeter network | corp LAN. Remote clients at a hotel, at home and at a business partner/client site reach the Terminal Services Gateway Server in the perimeter network through the external firewall; the gateway passes traffic through the internal firewall to terminal servers and other RDP hosts on the corp LAN, consulting the Network Policy Server and an Active Directory DC.)

• The client tunnels RDP over RPC/HTTPS to the gateway
• The gateway strips off RPC/HTTPS and passes the RDP/SSL traffic to the terminal server

Demo: Terminal Services Gateway
• Configuring the server
• Configuring the client

TS Gateway Best Practices
• Use an SSL certificate that chains to a root the clients already trust
• Don't rely on TS Gateway to block devices
• Use a dedicated TS Gateway server (it can co-exist with Outlook RPC/HTTP)
• Consider placing it behind ISA Server: better than a purely port-based firewall
• Use an SSL terminator in the DMZ and put the TS Gateway on the main network: great if the network admin is nervous about domain-joined Windows servers in the DMZ
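As an added example (not code from the session), a check for the first and last practices above: whatever terminates SSL on port 443, whether the gateway itself or a terminator in the DMZ, must present a certificate that chains to a root the clients trust and whose name matches the gateway name users type into the RDC client. That is exactly what the client validates before it will tunnel RDP, so the script performs the same handshake and reports the policy errors instead of hiding them. The gateway FQDN is a placeholder; the code uses the .NET SslStream class available with PowerShell 2.0.

```powershell
# Added example, not code from the session. Performs the TLS handshake the RDC
# client performs against a TS Gateway (or the SSL terminator in front of it)
# and reports what the client's certificate validation would say.
# Assumption: the gateway FQDN is a placeholder; requires .NET 2.0+ (PowerShell 2.0).

function Test-TsGatewayCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$GatewayFqdn,
        [int]$Port = 443
    )
    $result = @{ PolicyErrors = $null }
    # Record the validation outcome rather than accept blindly; we connect only to inspect.
    # GetNewClosure() binds $result so the callback can update it when .NET invokes it.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] ({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $result.PolicyErrors = $sslPolicyErrors
        return $true
    }.GetNewClosure())
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($GatewayFqdn, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # The name passed here is what the certificate name check runs against,
        # so use the name users will put in the RDC gateway settings.
        $ssl.AuthenticateAsClient($GatewayFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $errors = $result.PolicyErrors
        New-Object PSObject -Property @{
            Gateway          = "$GatewayFqdn`:$Port"
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            SelfSigned       = ($cert.Subject -eq $cert.Issuer)   # not root-signed: every client warns
            Protocol         = $ssl.SslProtocol
            PolicyErrors     = $errors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
            ClientWouldTrust = ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $client.Close()
    }
}

# Run from a machine that is NOT domain-joined (the hotel/home case in the diagram)
# so the chain is evaluated against an external client's certificate store.
Test-TsGatewayCertificate -GatewayFqdn 'tsg.corp.example' | Format-List
```

A result of ClientWouldTrust = False with RemoteCertificateChainErrors means an internal CA issued the certificate and external clients will warn or fail; RemoteCertificateNameMismatch means the certificate was issued for a different name than the one users connect to, which is a common outcome when an SSL terminator in the DMZ is given the gateway's internal name.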

TS Easy Print

Problem: printing has been a recurring TS issue. Matching printer drivers had to be installed on the terminal server, or problems would arise.

Solution: enhanced device redirection does not require a driver on the TS server.
• Printer configuration follows the user into the TS session
• The same printers appear as they do locally
• TS Easy Print is installed by default
• Leverages the Microsoft XPS document format: a high-quality printer rendering system that is agnostic to the printer it is sent to

TS Session Broker
• Used to be Terminal Services Session Directory
• Indexes previously disconnected sessions, so it does not matter if you reconnect from a different client
• Great for TS farms; provides load balancing capability
• Included in Windows Server 2008 Standard
• Allows an uninterrupted user experience

Windows Platform Investments
• Big investments across Windows to eliminate security vulnerabilities
• Re-write of the Windows multi-user core
• Re-engineering of WINLOGON
• Faster logon and logoff
• Profile corruption scenarios addressed
• Application compatibility: improve compatibility, leverage UAC

Other New Experience Features
• Large display support / custom resolutions; span multiple monitors
• PnP device redirection framework: POS device redirection, Windows Portable Device redirection
• Windows Server 2008 audio mixer support
• Windows Presentation Foundation (WPF) remoting (Remote Desktop only)
• 32-bit colour and new RDP compression
• Display data prioritization

Other New Security Features
• Terminal Services Gateway
• NAP support
• Device redirection hints
• Connection monitoring
• Network Level Authentication
• Single sign-on (SSO) for domain-joined clients
• CredUI / CredMan / CredSSP integration
• Ability to block pre-RDP 6.0 clients
• Per-session and direct-attached device isolation
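As an added example (not code from the session), an audit of the RDP-Tcp listener settings behind three of the items above: Network Level Authentication, blocking pre-RDP 6.0 clients (which is what requiring NLA does, since only the 6.0+ client speaks CredSSP), and the security layer. The registry values are assumed to be the ones the Terminal Services Configuration console writes for the listener; the -Remediate switch applies the hardened values.

```powershell
# Added example, not code from the session. Audits (and optionally fixes) the
# RDP-Tcp listener on a Windows Server 2008 terminal server.
# Assumption: these are the registry values Terminal Services Configuration writes.

function Get-RdpListenerSecurity {
    param([switch]$Remediate)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $p = Get-ItemProperty -Path $key
    # UserAuthentication 1 = NLA required: the client authenticates over CredSSP before
    # a session (and the logon screen) exists, which also refuses pre-6.0 clients.
    # SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS only.
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS.
    $findings = @()
    if ($p.UserAuthentication -ne 1) {
        $findings += 'NLA not required: pre-RDP 6.0 clients accepted and the logon screen is reachable before authentication'
    }
    if ($p.SecurityLayer -eq 0) {
        $findings += 'SecurityLayer=0: RDP Security Layer, no server authentication, client cannot detect a man-in-the-middle'
    }
    if ($p.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($p.MinEncryptionLevel): expected High (3) or FIPS (4)"
    }
    if ($Remediate -and $findings.Count -gt 0) {
        Set-ItemProperty -Path $key -Name UserAuthentication -Value 1 -Type DWord
        # Negotiate (1) picks TLS with any client that supports it; with NLA required
        # every accepted client does. Use 2 only once the listener certificate is trusted.
        if ($p.SecurityLayer -eq 0)      { Set-ItemProperty -Path $key -Name SecurityLayer -Value 1 -Type DWord }
        if ($p.MinEncryptionLevel -lt 3) { Set-ItemProperty -Path $key -Name MinEncryptionLevel -Value 3 -Type DWord }
        # Listener settings apply to new connections; existing sessions keep what they negotiated.
    }
    New-Object PSObject -Property @{
        NlaRequired        = ($p.UserAuthentication -eq 1)
        SecurityLayer      = $p.SecurityLayer
        MinEncryptionLevel = $p.MinEncryptionLevel
        Findings           = $findings
    }
}

Get-RdpListenerSecurity | Format-List
```

Requiring NLA is the single setting that matters most here: without it, any client that can reach port 3389 gets a Windows logon screen, and the credential-harvesting concern raised on the RDPSign slides applies to the listener as well.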

Other New Manageability & Scalability Features
• Role management tool
• Display data prioritization
• New compression improvements
• Spooler scalability improvements
• Improved performance counters
• Debug logging available in all builds
• Full IPv6 support
• Per-user license tracking
• Single unified Win32 and ActiveX client, integrated into the platform and Windows Update

Custom Display Resolutions

Today, in Windows Server 2003, TS display resolutions are constrained:
• 4:3 resolutions only, 1600 (w) × 1200 (h) maximum
• The constraint was imposed because of virtual memory limitations

New 16:9 and 16:10 displays are entering the market now: 1680×1050, 1920×1200.

Customers have clients with multiple monitors; most common is 2 or 3 monitors in a horizontal layout. Use mstsc.exe /span, or /w:<width> /h:<height>, plus the new RDP file parameters.

RDP 6.1: Getting Even Richer
• DWM and desktop composition for Remote Desktop scenarios (Vista client to Vista client or Longhorn server, single session)
• ClearType remoting (a.k.a. font smoothing)
• Colour depth: from 16 and 24* to 32 bpp

Measurements per profile by colour depth (values as on the slide; the quantity and units are not stated there):

Profile    32 bpp         24 bpp          16 bpp
PPT1       73,052,365     112,359,183.7   73,320,620.3
PPT2       1,182,144      2,060,018.667   1,225,201
WORD       4,871,323.3    4,258,341.333   3,299,331
WORD3      3,603,849.7    11,238,595.67   7,438,361
IE-Word    11,609,604     20,830,233.67   12,773,213.3
Explorer   1,716,492      2,249,739       978,692

Display Data Prioritization
• Automatically controls virtual channel (VC) traffic so that display, keyboard and mouse data are prioritized over other VC data
• VCs are used for printing, copy and paste, and file transfers
• The prioritization ensures the user can keep working while bulk transfers proceed
• This feature only affects client RDP-mapped resources

Citrix and Microsoft
• Citrix is a two-time Gold Certified ISV Partner
• Citrix Presentation Server: value-add to TS and Microsoft, extends TS functionality; a Citrix MOM pack is available
• Signed a 5-year Joint Technology Agreement in 2004
• "Constellation Technologies" will add new value in the Windows Server 2008 timeframe

x86 and x64 performance tip (based on initial internal testing): registry setting to reduce Microsoft® Outlook® 2003 periodic polling:
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\RPC, [DWORD] ConnManagerPoll = 0x600

Why Is x64 so Important for TS?

x86 and x64 TS user capacity scaling, knowledge worker workload (chart, based on initial internal testing). Relative users per server against the Windows 2000 x86, 4-core baseline:
• Windows Server 2003 x86, 4 cores: ~2x
• Windows Server 2003 x64, 4 cores: ~4x
• Windows Server 2003 x64, 8 cores: ~6x

Up to 4x improvement in users/server on comparable hardware and price point. Performance comparisons are entirely dependent on scenario: your mileage WILL vary. Whitepaper at http://www.microsoft.com/ts

Benefits of x64 Architecture
• Runs 32-bit software without recompilation
• Runs 64-bit Windows, drivers and software specifically compiled for the x64 instruction set
• Can act like an x86 processor when an x64 system is booted into a 32-bit operating system, and as such runs all 32-bit versions of Windows commercially available today
• Runs 32-bit apps at high performance, with 4 GB of user virtual address space for large-address-aware processes
• Runs 64-bit applications with an 8 terabyte virtual address space
• Reduction in mapping and soft page faults in most cases
• Eases migration to a 64-bit infrastructure

Features Not Supported in 64-bit Windows
• 32-bit device drivers: printer drivers, software kernel driver components
• Subsystems: Microsoft DOS (NTVDM / Command.com; the CMD processor is still present), 16-bit WOW, Portable Operating System Interface for UNIX (POSIX)
  - Services for UNIX (SFU) for x64 available H2 '05
• Legacy transport protocols: AppleTalk, Services for Macintosh, DLC, NetBEUI, IrDA, OSPF

x64 and Terminal Server Recommendations
• x64 is ideal for current deployments that are kernel VA-limited
• x64 provides opportunities to significantly scale up with new multi-core processors and increase user density on Terminal Services-based systems
• The expected sweet spot for TS moves to 4 cores or more
• When driver compatibility is an issue, consolidate onto Windows Server 2003 x86 SP1 and Citrix Presentation Server 4.0 with 2 to 4 cores
• Consider x64-based hardware for all deployments
• Remember: x64 needs more resources for the same workload set

Preparing for Windows Server 2008 Terminal Services
• Understand your applications and current scalability limitations
• Re-evaluate hardware purchasing choices:
  - 4 to 8 cores are compelling price/performance for TS
  - Ensure the hardware has potential for the memory and CPU upgrades you might need
  - You can use 32-bit Windows until moving to x64 is possible
• Start deprecating 16-bit applications
• Test application compatibility on the Beta 2 release
• Consider using SoftGrid on Windows Server 2003

Summary
• Centralized application access using TS is about more than just remote access
• New Terminal Services features bring TS to new customers and scenarios
• TS Remote Programs and TS Gateway provide a complete solution for low-complexity scenarios
• Expect third-party value to still be required for many scenarios in Windows Server 2008 and beyond
• Consolidation on Windows Server 2003 and x64 represents significant current opportunities

TS Resources
• TS Blog: http://blogs.msdn.com/ts
• TS Newsgroup: microsoft.public.windows.terminal_services
• TS x64 Scalability Whitepaper: http://www.microsoft.com/downloads/details.aspx?familyid=9B1A8518-D693-4BBB-9AF8-B91BBC0D2D55&displaylang=en
• TS Windows Server 2008 Web Forum: http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=580&SiteID=17
• Windows System Resource Manager: http://www.microsoft.com/windowsserver2003/technologies/management/wsrm/default.mspx
• Application Compatibility Toolkit: http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx
• MSDN: http://msdn.microsoft.com/library/default.asp?url=/library/enus/dnanchor/html/anch_terminalservices.asp?frame=true
• TS Main Page: http://www.microsoft.com/ts

Resources
• Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
• Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn, http://microsoft.com/technet
• Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx


Questions?

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.