Upload
majid-hussain-buledi
View
219
Download
0
Embed Size (px)
Citation preview
8/8/2019 Windows Server 2008 Centralized Application Access
1/17
Windows Server 2008 CentralizedApplication Access
Microsoft Virtual Labs
8/8/2019 Windows Server 2008 Centralized Application Access
2/17
Windows Server 2008 Centralized Application Access
Table of Contents
Windows Server 2008 Centralized Application Access ............................................................. 1Exercise 1 Implementing Terminal Services Gateway ........... .......... ........... .......... ........... ........... .......... ........... .......... ... 2Exercise 2 Implementing Terminal Services RemoteApp ............................................................................................. 9Exercise 3 Implementing Terminal Services Web Access .......... ........... .......... ........... .......... ........... .......... ........... ...... 13Exercise 4 Using Windows System Resource Manager with Terminal Services (Optional) .......... ........... .......... ........ 15
8/8/2019 Windows Server 2008 Centralized Application Access
3/17
Windows Server 2008 Centralized Application Access
Page 1 of 15
Windows Server 2008 Centralized
Application Access
ObjectivesAfter completing this lab, you will be better able to: Implement a Terminal Services Gateway
Implement Terminal Services RemoteApp
Utilize Windows System Resources Manager on a Terminal Services Server
ScenarioIn this lab, you perform the function of an administrator for a company that has
users who work both within the corporate network and remotely. Some of the
users who work remotely, access the internet via shared computers. These users
only require access to specific applications. You need to allow authorized users
on an Internet-connected computer running Microsoft Windows Vista to easily
and securely connect to remote computers on the corporate network through a
Terminal Services Gateway. In addition, you need to provide access to standard
Microsoft Windows programs from virtually any location to any Windows
device with Internet access.As a Terminal Server administrator you will also configure policies on the server
to ensure that all users connecting to the server have an equal share of the
servers resources and ensure a consistent and predictable experience for users of
applications and services. To achieve this goal you will implement a resource
management policy on the server using Windows Server Resource Manager.
PrerequisitesBefore working on this lab, you must have:
Experience (level 200+) with Windows Server 2000 and/or Windows
Server 2003
A MCSA/MCSA Certification or equivalent knowledge. You should be
familiar with basic networking concepts and Active Directory concepts.
Estimated Time toComplete This Lab
90 Minutes
Computer used in this LabNYC-DC-01
NYC-CLI-01
NYC-CLI-02
NYC-DC-01-2
NYC-CLI-01-2
NYC-CLI-02-2
8/8/2019 Windows Server 2008 Centralized Application Access
4/17
Windows Server 2008 Centralized Application Access
Page 2 of 15
Exercise 1Implementing Terminal Services Gateway
ScenarioIn this exercise, you will configure a Terminal Services Gateway Server and a Terminal Services Gateway Client.You will configure the Terminal Services Gateway Server by first obtaining, importing and mapping a security
certificate for the server. You will then configure the server with a Connection Authorization Policy, a Resource
Group and a Resource Authorization Policy.
After configuring the Terminal Services Gateway Server, you will then configure a Terminal Services Gateway
Client and then establish a connection to the Terminal Services Gateway Server.
Note: This exercise uses the following computers:NYC-DC-01 andNYC-CLI-01
Note:Before you begin this exercise, you must start and log on to the computers.
Note: The Terminal Services Gateway Server has already had the Terminal Services Gateway role installed.
Tasks Detailed StepsComplete the following 3
tasks on:
NYC-DC-01
1. Confirm the
Terminal Server
Gateway Server
services have started
Note:In this task you will confirm that the required services to run Terminal Services
Gateway Server have been installed and have started correctly. In the case that you
have been given a pre-configured server this should always be your first action to
ensure that the relevant services have successfully started. These services are required
for clients to connect via the Terminal Services Gateway. You will also confirm that
the default Web Site is configured to start automatically. The web site on the Terminal
Services Gateway server is used by clients to establish the connection to the Terminal
Server. The gateway enables users to connect using a secure web connection port
(port 443) rather than using the standard Terminal Services port (port 3389).
Note: This task uses the following computer: NYC-DC-01 and NYC-CLI-01
a. Log on to NYC-DC-01 as Administrator with the password ofP@ssw0rd.
b. On the Start menu, navigate to All Programs/Administrative Tools and thenclickServer Manager.
c. In Server Manager, in the Explorer pane, expand Roles and then selectTerminalServices.
d. In the Contents pane, examine the contents of the SystemServices area.
Note: The services required for terminal services should all be shown as running. This
is confirmed by the heading of System Services: All Running
e. In the Explorer pane, expand Roles/Web Server (IIS) and then select InternetInformation Services (IIS) Manager.
f. In the Connections pane, navigate to NYC-DC-01(WOODGROVEBANK\administrator)/Sitesand then select Default Web Site.
g. In the Action pane, clickAdvanced Settings.
h. In the Advanced Settings window, confirm that Start Automatically is set toTrue and then clickOK.
i. In Server Manager, in the File menu, clickExit to close the Server Managerwindow.
j. A dialog box may occur during this step. IfServer Manager Error Dialog popsup clickCancel to close the dialog box.
Note: The reason for ensuring that the web services are set to start automatically is
that connections to the Gateway server are managed by Internet Information Services.
8/8/2019 Windows Server 2008 Centralized Application Access
5/17
Windows Server 2008 Centralized Application Access
Page 3 of 15
Tasks Detailed Steps
2. Create and Map a
certificate for the
Terminal Services
Gateway Server
Note:In this task you will use the Terminal Services Gateway management console
snap-in to create and map a certificate to the Terminal Services Gateway server. In
order to be able to use a server as a Terminal Services Gateway server, you must first
install a SSL Compatible X.509 certificate. This ensures that the Terminal Services
Gateway will use this certificate when providing connection security. This task uses a
self-signed certificate. Self signed certificates are appropriate for use in environments
that do not have an established public key infrastructure, or do not wish to create one.Note: The use of a self signed certificate is recommended in environments that do not
have an established public key infrastructure.
a. On the Start menu, navigate to All Programs/ Administrative Tools/Terminal
Services and then clickTS Gateway Manager.
b. In TS Gateway Manager, in the Explorer pane, select NYC-DC-01 (Local).
c. On the Action menu, clickProperties.
d. In the NYC-DC-01 Properties dialog box, select the SSL Certificate tab, andthen select Create a self-signed certificate for SSL encryption, and then click
Create Certificate.
e. In the Create Self-Signed Certificate dialog box, in File name, type
C:\Public\NYC-DC-01.cer and then and then clickOK.
f. In the TS Gateway dialog box, clickOK.
Note: The Issued to, Issued By and Expiration date fields now have values. This
indicates that you have successfully installed the certificate.
g. Click on OK to close the NYC-DC-01 Properties dialog box.
h. On the Start Menu, in Start Search, type MMC and then press ENTER.
i. In Console1, on the File menu, select Add/Remove Snap-in.
j. In the Add or Remove Snap-ins dialog box, select Certificates, and then click
Add.
k. In the Certificates snap-in dialog box, select Computer account, and then click
Next.
l. In the Select Computer dialog box, ensure Local computer is selected, and thenclickFinish.
m.In the Add or Remove Snap-ins dialog box, clickOK.
n. In Console1, navigate to Console Root/Certificates (Local Computer)/Trusted
Root Certification Authorities and then select Certificates.
o. In the Action menu, select All Tasks and then Import.
p. In the Certificate Import Wizard, clickNext.
q. In the Certificate Import Wizard, on the File to Import Page, in the File nametext box, enter C:\Public\NYC-DC-01.cer, and then clickNext.
r. In the Certificate Import Wizard, on the Certificate Store page, ensure Place all
certificates in the following store is selected and then clickNext.
s. In the Certificate Import Wizard, on the Completing the Certificate ImportWizard, clickFinish.
t. On the Certificate Import Wizard dialog box, clickOK.
u. In Console1, on the File menu, clickExit, Do not save changes.
3. Configure Group
Policy to distribute
Security Certificate
Note:In this task you will use group policy to ensure that the security certificate for
your company is installed automatically on all client computers. This will ensure that
use and installation of the security certificates are uniform across the business
environment.
8/8/2019 Windows Server 2008 Centralized Application Access
6/17
Windows Server 2008 Centralized Application Access
Page 4 of 15
Tasks Detailed Steps
Note: This task uses the following computer:NYC-DC-01
a. On the Start navigate to Start Search, and type GPMC.MSC.
b. In Group Policy Management, in the Explorer pane, navigate to Group Policy
Management/Forest:
Woodgrovebank.com/Domains/Woodgrovebank.com/Group Policy Objects
and then select Default Domain Policy.
c. In Group Policy Management, on the Action menu, clickEdit.
d. In Group Policy Management Editor, navigate to ComputerConfiguration/Windows Settings/Security Settings/Public Key Policies and
then select Trusted Root Certification Authorities.
e. In Group Policy Management Editor, on the Action menu, clickImport.
f. In the Certificate Import Wizard dialog box, clickNext.
g. In the Certificate Import Wizard, on the File to Import page, clickBrowse.
h. In the Open dialog box, in File Name type, \\NYC-DC-01\Public\and then click
Open.
i. In the Open dialog box, select NYC-DC-01 and then clickOpen.
j. In the Certificate Import Wizard, on the File to Import page, clickNext.
k. In the Certificate Import Wizard dialog box, on the Certificate Store page,
ensure Place all certificates in the following store is selected and then click
Next.
l. In the Certificate Import Wizard dialog box, on the Completing the CertificateImport Wizard page, clickFinish.
m.In the Certification Import Wizard dialog box, clickOK.
n. In Group Policy Management Editor, on the File menu, clickExit.
o. Close Group Policy Management.
Complete the following
task on:
NYC-CLI-02
4. Client Configuration
Note:In this task you will configure the computer that will be hosting the remote
applications. For this purpose configurations will be made that allow other
computers to connect via RDP.
Note: This task uses the following computer:NYC-CLI-02
a. Log on to NYC-CLI-02 as Woodgrovebank\Administrator using the password
P@ssw0rd.
b. On NYC-CLI-02, in the Start menu, right clickComputer and select properties
c. On the System dialog select Remote Settings (upper left of dialog)
d. On the System Properties Dialog select the Remote Tab.
e. In the Remote Desktop Region select Allow Connections from computersrunning any version of Remote Desktop radio button.
f. System Properties Dialog, ClickOK.
g. System Dialog, ClickFile, Close
h. Log Off from NYC-CLI-02
Complete the following
task on:
NYC-CLI-01
5. Force application of
the Group Policy
settings to client
Note:In this task you will force the application of the newly created group policy
settings by using the GPUPDATE command on the client machines. This will ensure
that the self-signed certificate is available for the clients to use in the following
exercises.
Note: This task uses the following computers:NYC-CLI-01
a. The NYC-CLI-01 has been prelogged in as Woodgrovebank\DonHall using the
password P@ssw0rd.
8/8/2019 Windows Server 2008 Centralized Application Access
7/17
Windows Server 2008 Centralized Application Access
Page 5 of 15
Tasks Detailed Steps
machines b. On NYC-CLI-01, in the Start menu, in Start Search, type CMD and press
ENTER.
c. In the command prompt window, typethe following command, and then press
ENTER.
GPUPDATE /FORCE
d. Log off NYC-CLI-01
Complete the following 3
tasks on:
NYC-DC-01
6. Create a Connection
Authorization Policy
(CAP)
Note:In this task you will create a Connection Authorization Policy (CAP) that will
allow you to control who can connect to the Terminal Services Gateway server. A
CAP allows you to specify detailed connection requirements, including requirements
such as group membership, domain membership, and the requirement to use a smart
card.
Note: This task use the following computer:NYC-DC-01
a. In TS Gateway Manager, in the Explorer pane, navigate to NYC-DC-01
(Local)/Polices and then select Connection Authorization Policies.
b. In the Actions pane, clickCreate New Policy and then clickWizard.
c. In the AuthorizationPolicies dialog box, ensure that Create only a TS CAP is
selected, and then clickNext.
d. Complete the Authorization Policies with the following values:
Setting Value
Name for the TS CAP: Remote User Access
Windows authenticationmethod:
Password
User groupmembership(required):
Remote Application Users
Client computer group
membership (optional):
No group selected
TS Gateway device redirection Enable device redirection for all clientdevices
e. In the Authorization Policies dialog box, clickFinish to complete the policycreation.
f. ClickClose to close the AuthorizationPolicies dialog box.
7. Create a computer
group to control
access to the
Terminal Services
Gateway
Note:In this task you will create a group containing computers that can connect
remotely through the Terminal Services Gateway. If a computer tries to connect to the
Terminal Services Gateway that is not part of this group they will be denied access.
a. In the TS Gateway Manager, In the Explorer pane, expand NYC-DC-01(Local), Polices and then select Resource Authorization Policies.
b. In the Actions pane, clickManage Local Computer Groups.c. In the Manage locally stored computer groups dialog box, clickCreate group.
d. In the New TS Gateway-Managed Computer Group dialog box, on the Generaltab, enter the following values, do not clickOK.
Setting Value
Name: Remote Access Computers
8/8/2019 Windows Server 2008 Centralized Application Access
8/17
Windows Server 2008 Centralized Application Access
Page 6 of 15
Tasks Detailed Steps
Description: Computers allowed to connect to TSGateway
e. In the New TS Gateway-Managed Computer Group dialog box, on the
Network resources tab, in the text box, type NYC-CLI-01 and then clickAdd.
f. In the New TS Gateway-Managed Computer Group dialog box, on the
Network resources tab, in the text box, enter NYC-CLI-02 and then clickAdd.
g. In the New TS Gateway-Managed Computer Group dialog box, on the
Network resources tab, in the text box, enter NYC-DC-01 and then clickAdd.
h. In the New TS Gateway-Managed Computer Group dialog box, clickOK.
i. In the Managelocallystoredcomputergroups dialog box, clickClose.
Note: You are only adding the computers that will access the Gateway server
remotely. Normally you would not add the Gateway server to the policy. As the
gateway server is NYC-DC-01 and in this lab is used to host the terminal servicesit is
requiredto be added.
8. Create a Resource
Authorization Policy
(RAP)
Note:In this task you will create Resource Authorization Policy (RAP). The RAP is
used to identify which computers users that connect to a Terminal Services Gateway
can connect to. In order to connect to a computer using the Terminal Services
Gateway, the client must meet the conditions of one CAP and one RAP.a. In the TS Gateway Manager, in the Explorer pane, navigate to NYC-DC-01
(Local)/Polices and then select Resource Authorization Policies.
b. In the Actions pane, clickCreate New Policy and then clickWizard.
c. In the Authorization Policies dialog box, ensure that Create only a TS RAP is
selected, and then clickNext.
d. Complete the Authorization Policies with the following values:
Setting Value
Name for the TS RAP: Remote Resource Access
User group membership: Remote Application UsersComputer Group: Select an existing TS Gateway-managed
computer group or create a new one
Select an existing TSGateway-managed computergroup
Remote Access Computers
Allowed Ports Allow connections only through TCPport 3389
e. In the Authorization Policies dialog box, clickFinish to complete the policy
creation
f. ClickClose to close the Authorization Policies dialog box.
Complete the followingtask on:
NYC-CLI-01
9. Configure Remote
Desktop Connection
Settings on the Client
Computer
Note:In this task, you will modify the Remote Desktop Connection settings on NYC-CLI-01 to connect through the Terminal Services Gateway that you have configured.
You will first attempt to connect directly to NYC-CLI-02 using the default settings of
Remote Desktop Connection. NYC-CLI-02 has had the default Windows Firewall
settings modified to only accept connections from the IP address of NYC-DC-01.
Note:In order to connect to NYC-CLI-02 you will need to modify the settings of the
Remote Desktop Connection to use the Terminal Services Gateway to connect
through.
Note: This task uses the following computers:NYC-CLI-01, NYC-CLI-02 and NYC-
8/8/2019 Windows Server 2008 Centralized Application Access
9/17
Windows Server 2008 Centralized Application Access
Page 7 of 15
Tasks Detailed Steps
DC-01
a. Log on to the NYC-CLI-01 as DonHall with a password ofP@ssw0rd.
b. On the Start menu, navigate to Start/All Programs/Accessories, and then click
Remote Desktop Connection.
c. In Remote Desktop Connection, in the Computer text box, type NYC-CLI-
02.Woodgrovebank.com and then clickConnect.
d. In the Windows Security box, use the following values and then clickOK.
Setting Value
User Name: Woodgrovebank\DonHall
Password: P@ssw0rd
Note: There will be a delay and then the connection will fail. This is because the
Windows Firewall on NYC-CLI-02 is configured to only accept Remote Desktop
connections from NYC-DC-01.
e. In the Remote Desktop Disconnected dialog box, clickOK.
f. In the Remote Desktop Connection dialog box, clickOptions, and then click theAdvanced tab.
g. In the Remote Desktop Connection dialog box, in Connect from anywhere,clickSettings.
h. In the Gateway Server Settings dialog box, select Use these TS Gateway serversettings:.
i. In the Gateway Server Settings dialog box, in the Server name, type NYC-DC-01.Woodgrovebank.com and select Logon method: Ask for password (NTLM).
j. In the Gateway Server Settings dialog box, uncheckBypass TS Gateway serverfor local addresses.
k. ClickOK to accept the settings.
l. In Remote Desktop Connection, click on the General tab.
m.In the Computer text box, type NYC-CLI-02.Woodgrovebank.com and thenclickConnect.
n. In the Windows Security box, use the following values:
Setting Value
User Name: Woodgrovebank\DonHall
Password: P@ssw0rd
o. ClickOK.
Note: There will be a slight delay before the next step appears. When the next box
appears, observe that this is for the Gateway Server Credentials.
p. In the Windows Security box, use the following values:
Setting Value
User Name: DonHall
Password: P@ssw0rd
q. ClickOK.
Note: There will be a slight delay before the desktop of NYC-CLI-02 appears. When it
8/8/2019 Windows Server 2008 Centralized Application Access
10/17
Windows Server 2008 Centralized Application Access
Page 8 of 15
Tasks Detailed Steps
does appear, you can observe in the connection toolbar, the padlock which symbolizes
that the connection is using security.
r. If you are prompted that there is a user RDPed into the NYC-CLI-02 machine, log
off the other user and log on.
s. Log off the NYC-CLI-02 remote session.
8/8/2019 Windows Server 2008 Centralized Application Access
11/17
Windows Server 2008 Centralized Application Access
Page 9 of 15
Exercise 2Implementing Terminal Services RemoteApp
ScenarioRemoteApp applications are programs that are accessed remotely through Terminal Services and appear as if theyare running on a user's local computer. Users can run RemoteApp applications side-by-side with their local
programs. If a user is running more than one Remote Program on the same terminal server, RemoteApp will share
the same Terminal Services session. You can use TS Web Access to make RemoteApp applications available
through a Web site.
In this exercise, you will configure NYC-DC-01 to be able to publish remote applications. In addition you will
create packages for deploying remote applications to the client machines and then distribute these packages.
You will also test the connection of the remote program application from a client machine. In order to test these
RemoteApp, you will also modify the allow list to allow an application to be accessed remotely.
Note: This exercise uses the following computers:NYC-DC-01, NYC-CLI-01, NYC-DC-01-2, and NYC-CLI-01-2
Tasks Detailed Steps
Complete the following 4
tasks on:
NYC-DC-01
1. Install Terminal
Server Role Service
Note:In this task you will add the Terminal Server role to NYC-DC-01.
Note: This task uses the following computer:NYC-DC-01
a. On the Start menu, navigate to All Programs/Administrative Tools/ServerManager.
b. In Server Manager, in the Explorer pane, navigate to Roles/Terminal Services.
c. In Server Manager, in the Contents pane, under Role Services, clickAdd RolesServices.
d. In the Add Role Services dialog box, in the Select Role Services page, select
Terminal Server.
e. In the Add Role Services dialog box, clickInstall Terminal Services anyway(not recommended).
f. In the Add Role Services dialog box, clickNext.
g. In the Add Role Services dialog box, in the Uninstall and Reinstall Applicationsfor Compatibility page, clickNext.
h. In the Add Role Services dialog box, in the Select RDP Version page, selectRequire Network Level Authentication then clickNext.
i. In the Add Role Services dialog box, in the Specify the Terminal ServicesLicensing Mode page, select Configure later then clickNext.
j. In the Add Role Services dialog box, in the Select User Groups Allowed Accessto This Terminal Server page, clickNext.
k. In the Add Role Services dialog box, in the Confirm Installation Selections screen,clickInstall.
Note: On the Confirm Installation Selections screen, there is one warning. The
warning is advising that you may need to reinstall applications. In the lab it is safe to
ignore, however in a production environment it is important to remember that
applications may need to be reinstalled. The reason for the need to reinstall the
applications is that on a Terminal Server applications are installed into a different
section of the registry. This is so that the applications can be safely accessed by
multiple users simultaneously.
The installation process will take approximately 5 minutes. After this you will need to
8/8/2019 Windows Server 2008 Centralized Application Access
12/17
Windows Server 2008 Centralized Application Access
Page 10 of 15
Tasks Detailed Steps
restart NYC-DC-01.
l. In the Add Role Services dialog box, in the Installation Results screen, click
Close.
m.In the Add Role Services dialog box, clickYes to begin the restart.
n. It takes a couple of minutes to restart the NYC-DC-01. Due to the networklimitation of machine reboot in the Virtual environment, please continue the rest of
the exercises on the NYC-DC-01-2 machine.
Note: The reboot will take several minutes. After completing the log in the Post-
Reboot Configuration Wizard will appear to confirm that the Terminal Services role
has been installed successfully.
Complete the following 3
tasks on:
NYC-DC-01-2
2. Add a program to the
Allow list
Note:In this task you will add two existing program to the Allow list for Terminal
Services RemoteApp. In order for a user to be able to access a program with
RemoteApp the application must be on the Allow List. The Allow List settings also
includes the ability to change settings for the remote applications, such as additional
command line arguments and changes to the default icons. You will use a sample
program named OnTheServer.exe and in addition will add WordPad to the Allow List.
a. The NYC-DC-01-2 machine has been prelogged in as Administrator with the
password ofP@ssw0rd.
b. In the Post-Reboot Configuration Wizard dialog box, clickClose.
c. On the Start menu, navigate to All Programs/Administrative Tools/Terminal
Services/TS RemoteApp Manager.
d. In RemoteApp, in the Action menu, clickAddRemoteApps.
e. In the RemoteApp Wizard, clickNext.
f. In the Choose RemoteApp to add to the allow list, clickBrowse.
g. In the Choose a program dialog box, in File name type
C:\Public\OnTheServer.exe, and then clickOpen.
h. In the RemoteApp Wizard, in the Choose programs to add to the RemoteAppslist page, clickNext.
i. In the RemoteApp Wizard, in the Review Settings page, clickFinish.j. In the RemoteApp console, in the Contents pane, select OnTheServer.exe.
k. In the RemoteApp console, in the Actions pane, clickProperties.
l. In the RemoteApp Demo Properties, in the RemoteApp name text box, change
OnTheServer.exe to Demo Application and clickOK.
m.In RemoteApp, in the Action pane, clickAddRemoteApps.
n. In the RemoteApp Wizard, clickNext.
o. In the Choose programs to add to the RemoteApps list, check the box next to
WordPad and then clickNext.
p. In the RemoteApp Wizard, in the Review Settings page, clickFinish.
3. Create a RDP file
that publishes aconnection to an
application
Note:In this task you will create a RDP file that can then be distributed to clients
either via e-email or USB Flash Disk (UFD). This will then enable users to connectremotely to the remote program that was added to the allow list. Any settings that
have been added to the application in the allow list will also be added to the RDP file.
a. In TS RemoteApp Manager, select Demo Application in the Contents pane,
b. In TS RemoteApp Manager, in the Actions pane, clickCreate .rdp File.
c. In the RemoteApp Wizard, clickNext.
d. In the RemoteApp Wizard, in the Specify Packages Settings page, modify thelocation for saving the package to C:\Public\
8/8/2019 Windows Server 2008 Centralized Application Access
13/17
Windows Server 2008 Centralized Application Access
Page 11 of 15
Tasks Detailed Steps
e. In the RemoteApp Wizard, in the Specify Packages Settings page, in TSGateway Settings, clickChange.
f. In the Configure TS Gateway Settings dialog box, select Use these TS GatewayServer settings: and enter the following settings and then clickOK.
Setting ValueServer name: NYC-DC-01.Woodgrovebank.com
Logon method: Ask for password (NTLM)
Use the same usercredentials for TS Gatewayand TS Server
Checked
Bypass TS Gateway Serverfor local addresses
Unchecked
g. In the RemoteApp Wizard, in the Specify Packages Settings page, clickNext.
h. In the RemoteApp Wizard, in the Review Settings page, clickFinish.
Note: Windows Explorer will now appear displaying the created RDP file. The
created file is named OnTheServer.rdp
4. Create a MSI file that
installs an
application
Note:In this task you will create a MSI file that can be distributed as an installation
package. This package could be distributed for users to manually install or installed
as part of a Group Policy Object. As part of the configuration of an MSI package it is
possible to define where the remote program will appear in the Users environment
and also to associate the remote program with client file associations. An example of
using this would be to publish Microsoft Word to be intergrated into the users Start
Menu and to be opened when they click on a Word Document. This gives a seamless
integration for the users to the remote program. Any settings that have been added to
the application in the allow list will also be added to the MSI file.
a. In TS RemoteApp Manager, in the Contents pane, select WordPad
b. In the Actions pane, clickCreate Windows Installer Package.
c. In the RemoteApp Wizard, clickNext.
d. In the RemoteApp Wizard, in the SpecifyPackagesSettings page, modify the
location for saving the package to C:\Public\
e. In the RemoteApp Wizard, in the Specify Packages Settings page, in TS
Gateway Settings, clickChange.
f. In the Configure TS Gateway Settings dialog box, select Use these TS Gateway
Server settings: and enter the following settings and then clickOK. Then click
Next.
Setting Value
Server name: NYC-DC-01.Woodgrovebank.com
Logon method: Ask for password (NTLM)
Use the same user
credentials for TS
Gateway and TS
Server
Checked
8/8/2019 Windows Server 2008 Centralized Application Access
14/17
Windows Server 2008 Centralized Application Access
Page 12 of 15
Tasks Detailed Steps
Bypass TS Gateway
Server for local
addresses
Unchecked
g. In the RemoteApp Wizard, in the Configure Distribution Package page, accept
the default settings by clicking Next.
h. In the RemoteApp Wizard, in the Review Settings page, clickFinish.Note: Windows Explorer will now appear displaying the created installation file. The
created file is named wordpad.rap.msi
Complete the following
task on:
NYC-CLI-01-2
5. Using RemoteApp
Access
Note:In this task, you will use the RDP file and the MSI file that you created in the
previous tasks. This will be achieved by accessing the files on the Public share on
NYC-DC-01.
Note: This task uses the following computer: NYC-CLI-01-2
Note:Log on toNYC-CLI-01-2 as Woodgrovebank\Administrator with the password
ofP@ssw0rd
a. On the Start menu, in StartSearch, type \\NYC-DC-01\Public and then press
ENTER.
b. In Windows Explorer, double clickOnTheServer.RDP.
c. In the Windows Security dialog box, enter the following values:
Setting Value
User Name: DonHall
Password: P@ssw0rd
d. CheckRemember my credentials and then clickOK.
e. In the RemoteApp dialog box, checkDont prompt me again for connections tothis computer, and then clickYes.
Note: The application now launches. When the application launches successfully it
will display on the screen as On The Server. This is the remote application running on
the server.
f. Close the On The Server remote program.
g. In Windows Explorer, double clickWordPad.rap.msi.
Note: The remote WordPad application now installs. Observe the name of the
application matches the name that was entered during the creation of the MSI file.
h. After the application has completed installation, on the Start menu, navigate to AllPrograms RemoteApp WordPad.
Note: The application now launches. When the application launches successfully it
will display on the screen as WordPad.
i. In the remote WordPad application, in the File menu, clickExit to close.
8/8/2019 Windows Server 2008 Centralized Application Access
15/17
Windows Server 2008 Centralized Application Access
Page 13 of 15
Exercise 3Implementing Terminal Services Web Access
ScenarioTS Web Access is a feature that makes RemoteApp available to users from a Web browser. With TS Web Access, auser can visit a Web siteeither from the Internet or from an intranetto access a list of available RemoteApp
applications. When a user starts a RemoteApp applicaion, a Terminal Services session is started on the terminal
server that hosts the Remote Program.
TS Web Access includes a default Web page that you can use to deploy RemoteApp applications over the Web. The
Web page consists of a frame and a customizable Web Part, where the list of RemoteApp application is displayed.
In this exercise, you will configure the terminal server to support Terminal Services Web Access and then configure
an application to be made unavailable via the web interface.
Note: This exercise uses the following computers:NYC-DC-01-2 andNYC-CLI-02-2
Tasks Detailed Steps
Complete the following
task on:
NYC-DC-01-2
1. Install Terminal
Server Web Access
Role Service
Note:In this task you will modify NYC-DC-01-2 to include the Terminal Server Web
Access role. This will then extend our Terminal Server to now be able to provide
Remote Applications via a web interface.
Note: This task uses the following computer: NYC-DC-01-2
Note:Log on toNYC-DC-01-2 using the usernameAdministrator and the password
P@ssw0rd.
a. On the Start menu, navigate to All Programs/Administrative Tools/ServerManager.
b. In the Explorer pane, navigate to Roles/TerminalServices.
c. In the Contents pane, in Role Services, clickAdd Roles Services.
d. In the Select Role Services dialog box, checkTS Web Access.
e. In the Add Role Services dialog box, select Add Required Role Services.
f. In the Add Role Services dialog box, in the Select Role Services page, clickNext.
g. In the Add Role Services dialog box, in the Web Server (IIS) page, clickNext.
h. In the Add Role Services dialog box, in the Select Role Services page, clickNext.
i. In the Add Role Services dialog box, in the Confirm Installation Selections
page, clickInstall.
Note: The installation process will take approximately 5 minutes. Wait until the
installation has completed before continuing to the next task.
Complete the following
task on:
NYC-CLI-02-2
2. Connect to Terminal
Server Web Access
and launch
application
Note:In this task, use the Terminal Server Web Access to access to the applications
that you have previously published.
Note: This task uses the following computer: NYC-CLI-02-2a. On the Start menu, clickInternetExplorer.
b. In the address bar, enter the address http://NYC-DC-01/ts and then press
ENTER. (The TS site may not be created . If this fails, continue with next
exercise.)
c. In the Connect to nyc-dc-01 dialog box, enter the User nameWoodgrovebank\Administrator and the password P@ssw0rd.
Note: The TS Web Access page is now displayed. There is two programs displayed
8/8/2019 Windows Server 2008 Centralized Application Access
16/17
Windows Server 2008 Centralized Application Access
Page 14 of 15
Tasks Detailed Steps
the Demo Application and the WordPad that you published in an earlier task.
d. ClickDemo Application in the TS Web Access webpage.
e. In the Trust Warning pop-up, clickYes.
f. In the RemoteApp dialog box, clickYes
g. In the Windows Security dialog box, enter the username
Woodgrovebank\donhall and the password P@ssw0rd, and then press ENTER.Note: The application now launches. When the application launches successfully it
will display on the screen as On The Server.
8/8/2019 Windows Server 2008 Centralized Application Access
17/17
Windows Server 2008 Centralized Application Access
Page 15 of 15
Exercise 4Using Windows System Resource Manager with TerminalServices (Optional)
ScenarioWindows System Resource Manager (WSRM) is a feature of Windows Server 2008. Using WSRM, administrators
can control how CPU resources are allocated to applications, services, and processes. Managing these resources
improves system performance and reduces the chance that these applications, services, or processes will interfere
with the rest of the system. WSRM also creates a more consistent and predictable experience for users. In the
terminal services environment it is even more important as it ensures a consistent experience for all users of the
server.
In this exercise, you will add Windows System Resource Manager to NYC-DC-01-2 and then configure a resource
allocation policy.
Note: This exercise uses the following computer:NYC-DC-01-2
Tasks Detailed Steps
Complete the following
task on:
NYC-DC-01-2
1. Implement a
Windows System
Resource Manager
Policy
Note:In this task, you will implement a Windows System Resource Manager Policy
that will ensure that all sessions will share equal processor time. This will ensure that
the access to the terminal server by all users is not affected by a single user running
an application that may attempt to take more server resources.
Note:Log on toNYC-DC-01-2 using the usernameAdministrator and the password
P@ssw0rd.
a. On the Start menu, navigate to All Programs\Administrative Tools and then
clickServices.
b. In the Contents pane, double clickWindows System Resource Manager.
c. In the Windows System Resource Manager Properties (Local Computer) dialogbox, in Startup type, select Manual, clickApply, and then clickStart.
d. ClickOK to close the Windows System Resource Manager (Local Computer)dialog box.
e. In the Start menu, navigate to All Programs\Administrative Tools\WindowsSystem Resource Manager.
f. In the Connect to computer dialog box, select Connect.
g. In Windows System Resource Manager, expand Resources Allocation Policies.
h. In the Contents pane, select Equal_Per_Session {Manage}
i. In the Action pane, select Set as Managing Policy.
j. In the Warning dialog box, clickOK.
k. In Windows System Resource Manager, in the Explorer pane, select ResourceMonitor.
Note:In the Resource Monitor, there is a counter that has been added, System
Managed CPU% with an instance of Equal_Per_Session. This is the display of WSRM
monitoring that all sessions are obtaining equal access to the CPU.