23 Windows Server 2008 Reviewers Guide

2.03 Server Core

In Windows Server 2008, administrators can now choose to install a minimal environment that avoids extra overhead. Although this option limits the roles that can be performed by the server, it can improve security and reduce management. This type of installation is called a Server Core installation option. For more information on the Server Core installation option, please see section 7.05 Server Core under Section 7: Server Management. To learn more, please turn to 7.05 Server Core.

Section 3: Centralized Application Access

Section 3: Centralized Application Access 24
3.01 Centralized Application Access Introduction 25
  Scenario Value Proposition 25
  Special Hardware Requirements 25
3.02 Terminal Services Core Functionality 26
  Remote Desktop Connection 6.1 26
  Plug and Play Device Redirection for Media Players and Digital Cameras 27
  Microsoft Point of Service for .NET Device Redirection 27
  Configuring a Remote Desktop Protocol File 28
  Using Redirected Microsoft POS for .NET Devices 28
  Remote Desktop Connection Display 28
  Custom Display Resolutions 29
  Monitor Spanning 29
  Desktop Experience 29
  Desktop Composition 30
  Adjusting Additional Settings 30
  Client Configuration 30
  Font Smoothing 31
  Display Data Prioritization 31
  Single Sign-On 32
  Prerequisites for Deploying Single Sign-On 32
  Recommended Configuration of a Terminal Server When Using Single Sign-On 33
3.03 Terminal Services Gateway 34
  TS CAPs 37
  Computer Groups Associated With TS RAPs 37
  TS RAPs 38
  Monitoring Capabilities 38
  Group Policy Settings for TS Gateway 39
3.04 Terminal Services RemoteApp 41
  Additional References 42
3.05 Terminal Services Web Access 43
  Lets You Easily Deploy RemoteApps Over the Web 44
  Deployment 44
  List of RemoteApps Is Dynamically Updated 44
  Includes the TS Web Access Web Part 45
3.06 Terminal Services Printing 46
  Group Policy Settings 47
3.07 Terminal Services Session Broker 49
  Group Policy Settings 50
  Additional Information 51
3.08 Terminal Services Licensing 52
3.09 Windows System Resource Manager 54
  Installing Terminal Server 54
  Resource-Allocation Policies 54
  Monitoring Performance 55

can include software requirements, security update requirements, required computer configurations, and other settings. For information about how to configure TS Gateway to use NAP for health policy enforcement for Terminal Services clients that connect to TS Gateway servers, see the TS Gateway Server Step-by-Step Setup Guide (http://go.microsoft.com/fwlink/?linkid=79605).

You can use TS Gateway server with Microsoft Internet Security and Acceleration (ISA) Server to enhance security. In this scenario, you can host TS Gateway servers in a private network rather than a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet), and host ISA Server in the perimeter network. The SSL connection between the Terminal Services client and ISA Server can be terminated at the ISA Server, which is Internet-facing. For information about how to configure ISA Server as an SSL termination device for TS Gateway server scenarios, see the TS Gateway Server Step-by-Step Setup Guide (http://go.microsoft.com/fwlink/?linkid=79605).

The TS Gateway Manager snap-in console provides tools to help you monitor TS Gateway connection status, health, and events. By using TS Gateway Manager, you can specify events (such as unsuccessful connection attempts to the TS Gateway server) that you want to monitor for auditing purposes.

If your organization makes Terminal Services-based applications and computers that run Remote Desktop available to users from outside your network perimeter, TS Gateway can simplify network administration and reduce your exposure to security risks.
TS Gateway can also make it easier for users because they do not have to configure VPN connections and can access terminal servers from sites that can otherwise block outbound RDP or VPN connections.

You should review this section and the additional supporting documentation about TS Gateway if you are in any of the following groups:
IT administrators, planners, and analysts who are evaluating remote access and mobile solution products
Enterprise IT architects and designers for organizations
Early adopters
Security architects who are responsible for implementing trustworthy computing
IT professionals who are responsible for terminal servers or remote access to desktops

For TS Gateway to function correctly, you must meet these prerequisites:
You must have a server with Windows Server 2008 installed.
You must be a member of the Administrators group on the computer that you want to configure as a TS Gateway server.
The following role services and features must be installed and running for TS Gateway to function:
o The remote procedure call (RPC) over HTTP Proxy service
o Web Server (IIS) (Internet Information Services 7.0). IIS 7.0 must be installed and running for the RPC over HTTP Proxy service to function.
o Network Policy Server (NPS) service. If an NPS server, formerly known as a Remote Authentication Dial-In User Service (RADIUS) server, is already deployed for remote access scenarios such as VPN and dial-up networking, you can use the existing NPS server for TS Gateway scenarios as well. By using NPS for TS Gateway, you can centralize the storage, management, and validation of Terminal Services connection authorization policies (TS CAPs).
When you use Server Manager to install the TS Gateway role service, these additional role services and features are automatically installed.
You must obtain an SSL certificate for the TS Gateway server if you do not have one already.
By default, on the TS Gateway server, the RPC/HTTP Load Balancing service and the IIS service use TLS 1.0 to encrypt communications between clients and TS Gateway servers over the Internet. For TLS to function correctly, you must install an SSL certificate on the TS Gateway server. The certificate must meet these requirements:
o The name in the Subject line of the server certificate (certificate name, or CN) must match the name that is configured on the TS Gateway server.
o The certificate is a computer certificate.
o The intended purpose of the certificate is server authentication. The Extended Key Usage (EKU) is Server Authentication (1.3.6.1.5.5.7.3.1).
o The certificate has a corresponding private key.
o The certificate has not expired. We recommend that the certificate be valid one year from the date of installation.
o A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the certificate that you plan to use contains an

Note: TS Gateway can route connections to any Terminal Services–based session, including those on Windows Server 2008, Windows Server 2003, Windows Vista, and Windows XP–based computers.

To access RemoteApp programs that are deployed as .rdp files or as Windows Installer packages, the client computer must be running Remote Desktop Connection (RDC) 6.0 or RDC 6.1. (RDC 6.1 supports Remote Desktop Protocol 6.1.) A supported version of the RDC client is included with Windows Vista and Windows Server 2008.

Note: The RDC version 6.0 software is available for use on Windows XP with SP2 and Windows Server 2003 with SP1. You can download the installer package from article 925876 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79373).

To access RemoteApp programs through TS Web Access, the client computer must be running RDC 6.1. RDC 6.1 is included with Windows Server 2008 and Windows Vista with SP1.
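As an added example, not code from the Reviewers Guide or from Microsoft, the following PowerShell function checks one certificate in the local computer's Personal store against the TS Gateway SSL certificate requirements listed above: the Subject CN matches the name configured on the TS Gateway server, the certificate is a computer certificate, its EKU includes Server Authentication (1.3.6.1.5.5.7.3.1), it has a private key, and it has not expired, with the one-year validity recommendation reported separately. The function name Test-TSGatewayCertificate, its parameters, and the gateway name in the usage line are assumptions; the Key Usage extension (OID 2.5.29.15) is reported only as present or absent, because the guide states it is not required.

```powershell
# Added example, not from the Windows Server 2008 Reviewers Guide or from Microsoft.
# Checks one certificate in the local computer's Personal store against the
# TS Gateway SSL certificate requirements. Function and parameter names are assumed.
function Test-TSGatewayCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,   # SHA-1 thumbprint; spaces allowed
        [Parameter(Mandatory = $true)] [string] $GatewayName   # name configured on the TS Gateway server
    )

    # Requirement: a computer certificate. Look only in the LocalMachine Personal
    # store, so a certificate that exists only in the current user's store does not pass.
    $wanted = ($Thumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $wanted }
    if ($cert -eq $null) {
        throw "Certificate $wanted was not found in Cert:\LocalMachine\My (computer store)."
    }

    # Requirement: the Subject CN must match the configured TS Gateway name.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $cert.GetNameInfo($nameType, $false)

    # Requirement: the EKU must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $serverAuth = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { $serverAuth = $true }
            }
        }
    }

    # Key Usage (OID 2.5.29.15) is not required by the guide; report presence only.
    $keyUsage = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }

    $now = Get-Date
    $result = New-Object PSObject -Property @{
        Thumbprint         = $cert.Thumbprint
        SubjectCN          = $cn
        NameMatchesGateway = ($cn -ieq $GatewayName)
        HasPrivateKey      = $cert.HasPrivateKey          # requirement: corresponding private key
        ServerAuthEku      = $serverAuth
        NotExpired         = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        ValidOneYear       = ($cert.NotAfter -ge $now.AddYears(1))   # recommendation, not a hard requirement
        KeyUsagePresent    = ($keyUsage -ne $null)
        NotAfter           = $cert.NotAfter
    }

    # Overall verdict covers only the hard requirements; ValidOneYear is advisory.
    $meets = $result.NameMatchesGateway -and $result.HasPrivateKey -and
             $result.ServerAuthEku -and $result.NotExpired
    $result | Add-Member -MemberType NoteProperty -Name MeetsRequirements -Value $meets -PassThru
}

# Usage with placeholder values (replace with the real thumbprint and gateway name):
# Test-TSGatewayCertificate -Thumbprint '<thumbprint>' -GatewayName 'tsgateway.example.com' | Format-List
```

Each requirement is returned as its own property rather than collapsed into a single pass/fail, so when MeetsRequirements is false the output shows which item (name mismatch, missing private key, wrong EKU, or expiry) caused it. Run the function in an elevated session on the intended TS Gateway server, since reading the LocalMachine store and the HasPrivateKey flag requires access to the computer's certificate store.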