Microsoft Press MCTS training kit 70-643 applications platform configuring, part 4 ppt


Chapter 4 Configuring and Managing a Terminal Services Infrastructure

This chapter moves beyond the topic of deploying a terminal server and discusses how to configure the components that comprise an entire Terminal Services infrastructure—clients, servers, gateways, and applications. Even more than other Microsoft Windows Server technologies, Terminal Services components are best understood by working with them directly. With this idea in mind, be sure to perform the extensive practices at the end of each lesson to develop the skills you need for both the exam and the real world.

Exam objectives in this chapter:
- Configuring Terminal Services
  - Configure Terminal Services client connections.
  - Configure Terminal Services Gateway.
  - Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp).
  - Configure and monitor Terminal Services resources.

Lessons in this chapter:
- Lesson 1: Configuring and Managing Terminal Services Clients
- Lesson 2: Deploying Terminal Services Gateway
- Lesson 3: Publishing Applications with TS RemoteApp

Before You Begin

To complete the lessons in this chapter, you must have:
- A computer running Windows Server 2008 named Server1 that is a domain controller in a domain named Contoso.com.
- A computer running Windows Server 2008 named Server2 that is a member server in the Contoso.com domain. On Server2, the Terminal Server role service is installed, but no other role services in the Terminal Services role are installed.
- Three domain administrator accounts, named ContosoAdmin1, ContosoAdmin2, and ContosoAdmin3.

Real World
JC Mackin

Virtualization is a big IT trend these days, and Terminal Services represents a part of this trend by offering what has been called presentation virtualization.
Anything related to virtualization sounds like a cool thing today, but what’s the actual purpose of this technology? What problem is it trying to fix? Beyond the hype, a real-world benefit of presentation virtualization is its ability to assist in server consolidation. Recently, many IT departments have started to consolidate their application servers with a view to improving efficiency and lowering costs. Server consolidation is essentially the process of centralizing the resources of many servers onto as few physical servers as possible. Terminal Services is a key component of such an application consolidation strategy because it enables many users to access many applications on a single server.

Lesson 1: Configuring and Managing Terminal Services Clients

A Terminal Services (TS) infrastructure includes many areas for client configuration, such as user profiles, client session options, resource allocation, and the TS client program (Mstsc) itself. This lesson introduces you to tools you can use to administer these and other aspects of TS client connections.

After this lesson, you will be able to:
- Understand the configuration options available in Remote Desktop Connection.
- Manage connections to Terminal Services.

Estimated lesson time: 50 minutes

Configuring Terminal Services Client Settings

The Terminal Services client, Remote Desktop Connection (RDC), is highly configurable. For example, you can configure the client to display remote desktops with a certain screen resolution or to make certain local drives available in the session. These features can be configured in the client application itself or at the domain level by using a Group Policy Object (GPO).

Configuring Remote Desktop Connection Options

RDC, also known as Mstsc.exe, is the primary client program used to connect to Terminal Services.
The other client program is Remote Desktops, which is available as a snap-in through Microsoft Management Console (MMC). Through its options tabs, RDC enables you to customize a Terminal Services connection within the limitations set at the server or in Group Policy. To explore the configuration options available through RDC, open RDC, and then click the Options button, as shown in Figure 4-1.

Figure 4-1 Accessing RDC options tabs

This step reveals the six RDC options tabs. The following section describes the features you can configure on these RDC options tabs.

- General: The General tab, shown in Figure 4-2, enables you to define a target computer and a set of authentication credentials for the connection. It also enables you to save the options defined for the connection in an RDP (Remote Desktop) file.

  Figure 4-2 RDC General tab

- Display: The Display tab, shown in Figure 4-3, enables you to define the screen resolution and color bit depth for the TS client window.

  Figure 4-3 RDC Display tab

- Local Resources: The Local Resources tab enables you to choose which local resources (such as the Clipboard, any locally defined printers, and any local drives) should be made available within the TS session. This tab also enables you to determine the behavior of features such as sounds and keystrokes in the TS session. The Local Resources tab is shown in Figure 4-4.

  Figure 4-4 RDC Local Resources tab

- Programs: This tab enables you to define any program you want to start automatically when the TS connection begins. The Programs tab is shown in Figure 4-5.

  Figure 4-5 RDC Programs tab

- Experience: The Experience tab, shown in Figure 4-6, enables you to choose which optional graphical user interface (GUI) effects you want to display from the terminal server.
  For example, the Desktop background and font smoothing features visually enhance the TS session but can also strain network resources and slow TS client performance. Performance settings will be selected automatically, as a suggestion, when you choose a connection type.

  Figure 4-6 RDC Experience tab

- Advanced: The Advanced tab, shown in Figure 4-7, enables you to configure client behavior for the Server Authentication and Terminal Services Gateway (TS Gateway) features. Server Authentication is a feature, native to Windows Vista and Windows Server 2008, through which a terminal server can confirm that its identity is the computer specified by the TS client. On the Advanced tab, you can configure a TS client to warn, block, or enable a connection to a server on which Server Authentication has failed. The Terminal Services Gateway feature enables a TS client to traverse a corporate firewall and connect to any number of terminal servers in an organization. This feature and its configuration are described in detail in Lesson 2, “Deploying Terminal Services Gateway.”

  Figure 4-7 RDC Advanced tab

Saving RDP Files

After you have defined the desired options for a TS client in RDC, these settings are saved automatically in the Documents folder to a hidden file named Default.rdp. This file contains the settings used for RDC when you open the program from the Start menu. However, you can also save TS client configuration settings in custom .rdp files by clicking the Save As button on the General tab. These .rdp files can then be used to initiate TS sessions with specific client options (such as server name and authentication information).

Exam Tip
On the 70-643 exam, expect to see a question about saving RDC settings in an .rdp file. Be sure to review the settings on all the RDC options tabs so that you understand the kind of configuration details that can be saved in such a file.
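
An added example, not from the original book: a small auditor for saved .rdp files that flags the client options described above (Server Authentication behavior, local resource redirection, saved credentials). The setting names follow the .rdp file format as commonly written by Mstsc and are not listed on this page; the sample file contents are constructed.

```python
import codecs
import re

# name:type:value, where type is i (integer), s (string) or b (binary blob)
LINE_RE = re.compile(r"^([^:]+):([isb]):(.*)$")

# (setting, risky value or None meaning "present at all", finding text)
RULES = [
    ("authentication level", 0, "connects without warning if Server Authentication fails"),
    ("redirectdrives", 1, "local drives are made available in the TS session"),
    ("redirectclipboard", 1, "the local Clipboard is shared with the TS session"),
    ("password 51", None, "a saved password blob is stored in the file"),
]

# Constructed sample file contents; host and account reuse this chapter's lab names.
SAMPLE_RDP = """\
full address:s:Server2.contoso.com
username:s:CONTOSO\\ContosoAdmin1
authentication level:i:0
redirectdrives:i:1
redirectclipboard:i:1
redirectprinters:i:0
password 51:b:0123456789ABCDEF
"""


def decode_rdp(raw: bytes) -> str:
    """Files saved by the client are commonly UTF-16 with a BOM; accept UTF-8 too."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_rdp(text: str) -> dict:
    """Return {setting name: value}; integer settings are converted to int."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines
        name, kind, value = match.group(1).lower(), match.group(2), match.group(3)
        if kind == "i" and not re.fullmatch(r"-?[0-9]+", value):
            continue  # integer setting with a non-numeric value
        settings[name] = int(value) if kind == "i" else value
    return settings


def audit(settings: dict) -> list:
    """List (setting, finding) pairs; only values set in the file are judged."""
    findings = []
    for name, risky, message in RULES:
        if name in settings and (risky is None or settings[name] == risky):
            findings.append((name, message))
    return findings


if __name__ == "__main__":
    for name, message in audit(parse_rdp(SAMPLE_RDP)):
        print(f"{name}: {message}")
```

Settings that are absent from a file fall back to client defaults, which this check does not model; enforcing the values through Group Policy, as the next section describes, removes that ambiguity.
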

Configuring Terminal Services Clients Through Group Policy

Group Policy enables you to enforce settings centrally on users or computers in an Active Directory environment. As a way to manage many TS clients, you can use a GPO to ensure that Remote Desktop Connection is always configured with the settings you choose. In many cases, this is the most efficient and effective way to manage TS clients.

In the Computer Configuration section of a GPO, you can specify client settings such as whether the passwords should be saved in RDC, whether the client should always be prompted for credentials, how server authentication should be performed, and which resources should be redirected to the TS session. You can explore these settings in a GPO by browsing to Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services.

In the User Configuration section of a GPO, you can configure settings related to session time limits, remote control, and the remote session environment. You can explore these settings in a GPO by browsing to User Configuration\Policies\Administrative Templates\Windows Components\Terminal Services.

Single Sign-on

A particularly useful Terminal Services client feature that you can configure in Group Policy is Single Sign-on (SSO). In an Active Directory domain environment, you can use SSO to eliminate the need to enter user credentials when you use RDC to connect to a terminal server. With SSO, instead of prompting for your credentials, RDC automatically uses the credentials of the user currently logged on to the local computer running Microsoft Windows. To configure SSO, enable the Allow Delegating Saved Credentials policy setting, which you can find in Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation.
After enabling the policy, you then need to create in the same policy a server list that specifies the terminal servers that will accept SSO credentials. Add each server name in the form TERMSRV/<Your server name>. To enable all terminal servers within the scope of the policy to accept SSO credentials, you can add the entry TERMSRV/*.

Exam Tip
For the 70-643 exam, you need to understand only that Group Policy provides the best method to enforce a TS or RDC configuration for many users and computers. You do not need to memorize all the configurable options or where to find them. However, it is still a good idea to browse through these options to get a sense of the ones that are enforceable in an Active Directory environment.

Configuring User Profiles for Terminal Services

In general terms, a user profile simply refers to the collection of data that comprises a user’s individual environment—data including a user’s individual files, application settings, and desktop configuration. In more specific terms, a user profile also refers to the contents of the personal folder, automatically created by Windows, that bears the name of an individual user. By default, this personal folder is created in the C:\Users folder when a user logs on for the first time to a computer running Windows Vista or Windows Server 2008. It contains subfolders such as Documents, Desktop, and Downloads as well as a personal data file named Ntuser.dat. For example, by default, a user named StefanR will store the data that makes up his personal environment in a folder named C:\Users\StefanR.

In a Terminal Services environment, user profiles are stored on the terminal server by default. This point is important because when many users access the terminal server, profiles are centralized and can consume a large amount of server disk space.
If storage space on the terminal server is insufficient, plan to store user data and profiles on a disk that is separate from the operating system installation disk drive. Also consider using disk quotas to limit the amount of space available to each user. (You can configure disk quotas through the properties of the drive on the terminal server where the profiles are stored.)

Exam Tip
For the 70-643 exam, you need to know you can use disk quotas to limit the size of user profiles in Terminal Services.

Another way to manage TS user profiles is to configure users with a Terminal Services–specific roaming user profile that is stored on a central network share. Such a profile is downloaded to the user’s TS session whenever and wherever such a session is initiated. This TS-specific roaming user profile can be defined on the Terminal Services Profile tab of a user account’s properties, as shown in Figure 4-8. Alternatively, you can use Group Policy to define these TS roaming user profiles. (You can find Terminal Services profile settings in a GPO in Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Profiles. The specific policy setting used to configure TS-specific roaming user profiles is named Set Path For TS Roaming User Profile.)

Figure 4-8 Configuring a TS-specific roaming user profile

CAUTION Roaming user profiles and Terminal Services
Ordinary roaming user profiles are those that follow a user as he or she logs on and off from various computers in a Windows domain. Ordinary roaming user profiles should not be used for Terminal Services sessions because they can lead to unexpected data loss or corruption. If you have configured roaming user profiles in your organization, be sure to implement TS-specific user profiles as well.

Configuring Home Folders

When a user chooses to save a file, the default path points to a location known as the home folder. For Terminal Services, the home folder by default is located on the terminal server. However, it is usually helpful to configure the home folder either on the local disk drive or on a network share. Configuring the home folder in this way ensures that users can locate their saved files easily. As with TS-specific roaming user profiles, you can define home folder locations for Terminal Services either in the properties of the user account or in Group Policy. (Home folder settings for Terminal Services can be found in a Group Policy object in Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Profiles. The policy setting used to configure home folders is named Set TS User Home Directory.)

[...]

... tab, click the Settings button in the Connect From Anywhere section, as shown in Figure 4-20.

Figure 4-20 Configuring RDC to use TS Gateway, step 1

This procedure opens the Gateway Server Settings dialog box, as shown in Figure 4-21.

Figure 4-21 Configuring RDC to use TS Gateway, step 2

In the Gateway Server Settings dialog box, select...

... the RDP connection to the appropriate internal resource (point 4). This method provides the advantage of protecting Active Directory information within the corporate network.

Diagram labels: Terminal servers; Internal firewall, optional (ports 443 and 80 open); External firewall (port 443 open); ISA Server used for SSL termination; RDP; TS Gateway...

... an alternative to the basic scenario illustrated in Figure 4-13, you can use Internet Security and Acceleration (ISA) Server instead of a TS Gateway server to serve as the SSL/HTTPS endpoint for the incoming TS client connection. In this scenario, illustrated in Figure 4-14, ISA Server (point 2) serves as either an HTTPS-to-HTTPS or an HTTPS-to-HTTP bridge to the TS Gateway server (point 3), and the TS...

... application is hanging in a user session and is causing a screen freeze. To end a process for this reason or any other, simply right-click the process in question, and then click End, as shown in Figure 4-12.

Figure 4-12 Ending a process in a TS user session

To end a process within a terminal services user session, you can also use the...

... TCP port 443, which is normally open for SSL traffic. (By default, RDP traffic communicates over TCP port 3389.) In a basic TS Gateway deployment, shown in Figure 4-13, a user on a home computer (point 1) connects over the Internet to TS Gateway (point 2) located behind an external corporate firewall.

Diagram labels: Terminal servers; External firewall (port 443 open)...

Diagram labels: RDP; TS Gateway; Home laptop; RDP over SSL; RDP over SSL or RDP over HTTP; Computers with Remote Desktop enabled; Active Directory Domain Services; Internet; Perimeter network; Corporate/private network

Figure 4-14 TS Gateway with ISA Server used for SSL termination

Exam Tip
When you use ISA Server as an HTTPS-to-HTTPS bridge to TS Gateway, remember to export the server certificate used for SSL...

... end of this lesson. Figure 4-15 shows the page in the wizard on which you can specify or create a server certificate for SSL encryption.

Figure 4-15 Choosing a server certificate for SSL encryption

TS CAP

A TS CAP essentially is a policy that specifies which external users or computers can connect to TS Gateway. The Add Role Services Wizard enables you only to create...

... Groups That Can Connect Through TS Gateway page should be granted access to all terminal servers on the network or merely a subset, defined by an Active Directory security group. The Create A TS RAP For TS Gateway page of the Add Role Services Wizard is shown in Figure 4-18.

Figure 4-18 Creating a TS RAP in the Add Role Services...

Managing User Sessions

To manage user sessions in TSM, simply right-click a user shown on the Users tab, and then select any of the seven command options available on the shortcut menu. Alternatively, you can select a user, and then click an action available on the Actions menu. Both of these options are shown in Figure 4-10.

Figure 4-10 The...

... of the Start menu, type mmc, and then press Enter.
3. From the File menu, click Add/Remove Snap-In.
4. In the Add Or Remove Snap-Ins window, click Certificates from the list of available snap-ins, and then click Add.
5. On the Certificates Snap-In page, select Computer Account, and then click Next.
6. On the Select Computer page, click Finish.
7. In the Add Or Remove Snap-Ins window, click OK.
8. Use the File menu...

Date posted: 09/08/2014, 11:21
