Windows 2008 Terminal Services
- Published: Thursday, 17 April 2008
In February 2008 Microsoft launched the long-awaited Windows Server 2008. From the start it was known that the Terminal Services functionality would be extended, and over time the new functions were introduced in the several beta versions that were released; some of them even disappeared again. In the final version the following new features are available:
Terminal Services RemoteApp
Terminal Services Web Access
Terminal Services Gateway
Terminal Services User Based Session Broker
Terminal Services Easy Print
Plug and Play redirection for media players and digital cameras
Single Sign-On for Terminal Services
In this review of Windows 2008 Terminal Services I will first show you the installation process of these components, followed by a brief overview of the new features and of the changes to components that were already available in Windows 2003 Terminal Services.
First of all I must admit that Microsoft did a good job with the complete installation of Windows 2008. It is really easy to install the operating system, with just a few questions. The new approach of adding the product key after the installation is also a good thing: this way you can evaluate the product without the need for a special test version or something similar. When the installation of Windows 2008 is finished, the Server Manager is started. This Server Manager is a kind of entrance point for administering and maintaining your Windows 2008. Windows 2008 introduces roles, role services and features. Within this hierarchy Terminal Services is a role under which most options are available as role services: Terminal Services, Terminal Services Licensing, TS Session Broker, TS Gateway and TS Web Access. What I like are the checks Microsoft built in with these services. For example, the TS Session Broker cannot be selected if the computer is not a member of a domain, and if you select for example TS Web Access, a window is displayed that lists which other services are required; with a single click those are added as well.
The installation is again wizard-driven: you configure the basic Terminal Server settings like the use of Network Level Authentication (a new feature in Vista and Windows 2008), the licensing mode (per user, which is now really enforced; per device; or to be specified later), the users allowed to connect to the server using RDP, and other questions depending on which services you checked for installation on this server. After the wizard the components are added to the operating system, and after a restart you are ready for the configuration of the services.
Within the Server Manager the new role with its corresponding services is embedded; in other words, the corresponding MMCs are incorporated into the Server Manager view. Of course they are also available in the Administrative Tools folder, within a dedicated folder named Terminal Services.
First let's take a look at the configuration options within the Terminal Services Configuration. The first thing you will notice is that this part has been graphically redesigned. Centrally there is still the option to configure the settings for the RDP protocol. Not many new things will be found within these configuration windows, and the display of the settings is pretty similar to 2003 Terminal Services. You will find one of the new features on the tab called Client Settings: there you can disable or enable the virtual channel for mapping Plug and Play devices like photo cameras and media players. Also, on the General tab you can choose whether only the latest RDP client (with Network Level Authentication) can connect or whether older clients are also allowed to set up a connection.
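The settings described above (NLA required, security layer, encryption level) end up as values under the RDP-Tcp listener key in the registry, which makes them easy to audit across a farm. The script below is an added example, not code from the original article or from Microsoft; it assumes PowerShell 2.0 or later, that the Remote Registry service is reachable on each target, and that the server names are a constructed sample.

```powershell
# Added example, not code from the original article or from Microsoft.
# Reads the RDP-Tcp listener values that the Terminal Services Configuration
# MMC writes and flags the ones that weaken a Terminal Server.
# Assumptions: PowerShell 2.0 or later; Remote Registry enabled on the targets;
# the server names are a constructed sample.
$servers = @('TS01', 'TS02')   # constructed sample, replace with your own hosts

$rdpTcpPath = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerSettings {
    param([string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $hklm.OpenSubKey($rdpTcpPath)
    if ($key -eq $null) { throw "RDP-Tcp listener key not found on $ComputerName" }
    $settings = New-Object PSObject -Property @{
        ComputerName       = $ComputerName
        # 1 = only clients that support Network Level Authentication may connect
        UserAuthentication = $key.GetValue('UserAuthentication')
        # 0 = RDP security layer, 1 = Negotiate, 2 = SSL (TLS)
        SecurityLayer      = $key.GetValue('SecurityLayer')
        # 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
        MinEncryptionLevel = $key.GetValue('MinEncryptionLevel')
    }
    $key.Close()
    $hklm.Close()
    return $settings
}

function Test-RdpListenerHardening {
    param($Settings)
    $findings = @()
    if ($Settings.UserAuthentication -ne 1) {
        $findings += 'NLA not required: any client reaches the logon screen before authenticating'
    }
    if ($Settings.SecurityLayer -eq 0) {
        $findings += 'Security layer is RDP: the server is not authenticated to the client'
    }
    if ($Settings.MinEncryptionLevel -lt 3) {
        $findings += 'Encryption level below High: 128-bit encryption is not enforced'
    }
    return $findings
}

foreach ($server in $servers) {
    try {
        $s = Get-RdpListenerSettings -ComputerName $server
        $findings = Test-RdpListenerHardening -Settings $s
        if ($findings.Count -eq 0) {
            Write-Host "$server : OK (NLA required, SecurityLayer=$($s.SecurityLayer), MinEncryptionLevel=$($s.MinEncryptionLevel))"
        } else {
            Write-Host "$server :"
            $findings | ForEach-Object { Write-Host "  - $_" }
        }
    } catch {
        Write-Host "$server : $($_.Exception.Message)"
    }
}
```

Run it from an administrative workstation with an account that is a local administrator on the Terminal Servers. The same three values are what the Single Sign-On requirement later in this article depends on: SSO only works when SecurityLayer is Negotiate (1) or SSL (2).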
Within the Terminal Services Configuration you will also find the option to enable the enhanced Session Broker. Session Broker is a separate role service that needs to be installed on a server (preferably not a Terminal Server). Within the Terminal Services Configuration you can make the specific Terminal Server join a TS Session Broker. You need to specify the server name or IP address hosting the Session Broker service and the name of the "farm" (the collection of servers). You can also give a relative weight to the server if you have servers with different specifications: the higher the weight, the more users it can handle in comparison with the other servers. Do not forget to add the servers to DNS, so that the initial connection set-up is divided over the servers and as a fail-over if the Session Broker stops functioning. On the server hosting the Session Broker you need to add the Terminal Servers to the local group Session Directory Computers. It is pretty basic, but finally there is a user-based solution. You can set a maximum number of users per server via a registry key on a per-server basis. Unfortunately there is no way to create a fault-tolerant Session Broker at this moment. The Session Broker is described in detail in this article by Michel Roth. The last new part in this MMC is the user logon mode. There is a new option available that everyone was asking for: besides the default options to enable or disable user logons, there are two new options, "Allow reconnections, but prevent new logons" and "Allow reconnections, but prevent new logons until the server is restarted". With these options you can take your server out of production without hurting any user with a disconnected session.
A completely new MMC is the TS RemoteApp Manager. This is Microsoft's equivalent of Published Applications. Besides creating new images this MMC also gives an overview of the other available services and the current status of their configuration. In the lower pane the Remote Applications can be defined; via the right mouse button the small wizard can be started. The wizard will show the installed applications on this server, or you can browse to the executable. There are just a few settings that can be configured: whether the application is available in TS Web Access, the start-up parameters behind the executable, the location of the executable and the icon. Yes, you read that correctly: there is no possibility to assign a group or user to a Remote Application, so the application can be started by everyone who is a member of the Remote Desktop Users group. A Remote Application needs to be defined on every Terminal Server individually (there is no option to select which servers host the application), but it is possible to export the Remote Application configuration to another server via the Export function. Here you can create the Remote Application directly on a server or save it as a file to import later. I'm waiting for the first freeware tool that can do this import/export part for multiple servers at once.
Furthermore, in the main pane you see the most important settings of the other Terminal Server services, with a link to the configuration part if it is available on the server. If you want to display the applications of this server in TS Web Access, you need to add the server hosting the TS Web Access service to the local group TS Web Access Computers (on every Terminal Server).
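Both the Session Broker paragraph and the paragraph above come down to local group membership: the broker only redirects sessions for computers in its Session Directory Computers group, and a Terminal Server only lets TS Web Access enumerate its RemoteApps when the web server is in the TS Web Access Computers group. The script below, an added example that is not part of the original article and not a Microsoft tool, does both memberships for a whole farm and adds the farm's DNS records. It assumes constructed names for the domain, zone, DNS server, broker, web access server and Terminal Servers, that the WinNT ADSI provider accepts a computer account as `WinNT://DOMAIN/NAME$`, and that the account running it is a local administrator on every target.

```powershell
# Added example, not code from the original article or from Microsoft.
# Assumptions: all names and addresses below are constructed; dnscmd is run
# against a DNS server the account may administer; round robin is enabled on
# that DNS server (the default).
$domain          = 'CORP'                                   # constructed
$dnsServer       = 'DNS01'                                  # constructed
$dnsZone         = 'corp.example'                           # constructed zone
$farmName        = 'tsfarm'                                 # farm name users connect to
$brokerServer    = 'BROKER01'                               # hosts TS Session Broker
$webAccess       = 'TSWEB01'                                # hosts TS Web Access
$terminalServers = @{ 'TS01' = '10.0.0.11'; 'TS02' = '10.0.0.12' }   # constructed

function Add-ComputerToLocalGroup {
    param([string]$ComputerName, [string]$GroupName, [string]$MemberComputer)
    # WinNT ADSI provider: works against a remote machine without PowerShell remoting.
    $group   = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $account = $MemberComputer + '$'          # computer accounts end in $
    $member  = "WinNT://$domain/" + $account  # assumed path form for a computer account
    $existing = @($group.psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    if ($existing -contains $account) {
        Write-Host "$ComputerName\$GroupName already contains $account"
        return
    }
    $group.Add($member)
    Write-Host "Added $account to $ComputerName\$GroupName"
}

# 1. The Session Broker only accepts redirection requests from members of
#    'Session Directory Computers' on the broker itself.
foreach ($ts in $terminalServers.Keys) {
    Add-ComputerToLocalGroup -ComputerName $brokerServer `
        -GroupName 'Session Directory Computers' -MemberComputer $ts
}

# 2. TS Web Access may only list RemoteApps from a Terminal Server that has the
#    web server in its local 'TS Web Access Computers' group.
foreach ($ts in $terminalServers.Keys) {
    Add-ComputerToLocalGroup -ComputerName $ts `
        -GroupName 'TS Web Access Computers' -MemberComputer $webAccess
}

# 3. One A record per farm member under the farm name: the initial connection
#    is spread round-robin and still lands somewhere if the broker is down.
foreach ($ts in $terminalServers.Keys) {
    & dnscmd $dnsServer /RecordAdd $dnsZone $farmName A $terminalServers[$ts]
}
```

Because these two groups are what authorizes redirection and enumeration, the same membership enumeration in Add-ComputerToLocalGroup is worth running periodically in read-only mode: any computer in Session Directory Computers or TS Web Access Computers that is not one of your own servers deserves a look.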
This takes us to the next new component, TS Web Access. TS Web Access is the component that displays the available Remote Applications via a website so your end users can access them. TS Web Access is a very simple component: you configure which servers hosting applications are available to be started from TS Web Access, and within the TS RemoteApp Manager you specify per application whether it may be displayed on the TS Web Access web page. On TS Web Access there is also an option to start a full desktop session via the Remote Desktop tab. Because you cannot assign groups to the Remote Applications, all applications allowed to be visible in TS Web Access will appear on the web page. Comparable configuration options are available as within the RDP client; the RDP client is started with these settings after pushing the Connect button.
TS Web Access can be extended with the TS Gateway role service. With the TS Gateway the RDP protocol is encapsulated in SSL traffic; Microsoft calls it RDP over HTTPS, just like Outlook can be used over the Internet via RPC over HTTPS. The TS Gateway carries out the same function as the (software-based) Citrix Secure Gateway, in a kind of light version. Logically a certificate is necessary for the HTTPS connection. Besides the certificate you need to define at least one TS CAP (Terminal Server Connection Authorization Policy) and one TS RAP (Terminal Server Resource Authorization Policy). Within a TS CAP you define which users (based on user group membership), from which clients (via computer group membership in AD or a local group on the TS Gateway server), with which authentication method (password and/or smart card) and with which device redirections are allowed through the TS Gateway. Secondly, a TS RAP must also be in place before a connection can be started via the TS Gateway: within a TS RAP you specify, based on user group membership, which Terminal Servers these users are allowed to create a remote session with (based on an AD security group or a local group on the TS Gateway server). Multiple TS CAP and TS RAP policies can be defined to create different access and authorization sets for different users. Do not forget to add the Terminal Servers to the TS Gateway configuration via the TS Gateway Manager MMC. Some settings can be stored in a central location to be used by several TS Gateway servers at the same time.
Besides TS Web Access there are also two other options to give users access to the Remote Applications. You can distribute the configuration of the Remote Applications via the RemoteApp Manager: within this MMC you can create an RDP file or an MSI file per Remote Application. The RDP file can logically be started directly, and you should define your own method to distribute those files. The MSI file can be used to distribute the connections using an electronic software deployment product. During the creation of the MSI you can also specify where shortcuts (Desktop and Start Menu) should be placed when the MSI file is installed.
Besides the above-mentioned role services there are also several other enhancements available within the Terminal Server space. Two other important enhancements are Single Sign-On and Easy Print. Neither enhancement has an MMC to configure its settings; basically these enhancements are integrated into Windows 2008 Terminal Services.
For Easy Print you do not need to configure anything. The only requirement is that RDP 6.1 and .NET Framework 3 SP1 are available on the client, and Easy Print can be used. With Easy Print the need to install printer drivers on the Terminal Server is eliminated. The Easy Print driver on the Terminal Server renders the job in the XPS format and transfers it to the client; the client translates the XPS into the format of the printer device. This can be used for both local and network printers connected via device redirection. It is similar to the EMF-based method of Citrix Presentation Server / XenApp. Via Group Policies the Easy Print behavior can be adjusted.
To use Single Sign-On (SSO), the Terminal Server needs to be configured with Negotiate or SSL as the security layer, and on the client the Terminal Servers need to be added to the Credentials Delegation policy. Servers added to this policy will use the logon information of the client, so the user does not need to specify his username and password again. This is only supported with Windows Vista or Windows Server 2008 as the client.
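The client side of SSO is the list of TERMSRV/ service principal names under the Credentials Delegation policy; every host matching an entry receives the user's default (domain) credentials, so the list should name the Terminal Servers explicitly rather than use a wildcard. The script below is an added example, not code from the original article or from Microsoft. It assumes PowerShell 2.0 or later run as an administrator on the Vista or Windows 2008 client, that the registry layout is the one the "Allow Delegating Default Credentials" policy writes, and that the server names are a constructed sample.

```powershell
# Added example, not code from the original article or from Microsoft.
# Audits, and optionally sets, the client-side Credentials Delegation list that
# Single Sign-On to a Terminal Server relies on.
# Assumptions: PowerShell 2.0 or later, run elevated on the client; the server
# names below are constructed.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$listKey   = "$policyKey\AllowDefaultCredentials"
$allowedServers = @('TERMSRV/ts01.corp.example', 'TERMSRV/ts02.corp.example')   # constructed

function Get-DelegationTargets {
    # Returns the SPNs currently allowed to receive the user's default credentials.
    # The policy stores them as string values named 1, 2, 3, ... under $listKey.
    if (-not (Test-Path $listKey)) { return @() }
    $props = Get-ItemProperty -Path $listKey
    return @($props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value })
}

function Test-DelegationTargets {
    param([string[]]$Targets)
    # A wildcard such as TERMSRV/* hands the domain password to any host that
    # can get the client to connect to it; report every such entry.
    return @($Targets | Where-Object { $_.Contains('*') })
}

function Set-DelegationTargets {
    param([string[]]$Targets)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'AllowDefaultCredentials' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    # Rewrite the numbered list so it contains exactly the explicit SPNs given.
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null
    $i = 1
    foreach ($spn in $Targets) {
        New-ItemProperty -Path $listKey -Name "$i" -Value $spn -PropertyType String -Force | Out-Null
        $i++
    }
}

$current = Get-DelegationTargets
Write-Host "Current delegation targets: $($current -join ', ')"
$wild = Test-DelegationTargets -Targets $current
if ($wild.Count -gt 0) {
    Write-Host "Wildcard entries found (credentials go to any matching host): $($wild -join ', ')"
}
# Uncomment to replace the list with the explicit per-server entries above:
# Set-DelegationTargets -Targets $allowedServers
```

In a domain you would normally set this through Group Policy rather than on each client; the audit part is still useful there, because a locally written list and a policy-applied list end up in the same key and the wildcard check applies to both.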
For some more interesting smaller enhancements like monitor spanning, the remote administrative session and other RDP enhancements, I recommend reading this article.
As already mentioned, Windows 2008 TS does not provide you with a console in which all settings can be centrally managed. There are some enhancements to import and export configuration settings to another Terminal Server, but there is no possibility to view the settings of all Terminal Servers from one console.
If we look at the possibilities to monitor and maintain the Terminal Server environment, no big changes can be found. The Terminal Services Manager has an updated GUI, but the functionality is almost the same. New is that you can group the Terminal Servers into groups for a logical separation.
The connections via the TS Gateway can be monitored via the TS Gateway Manager MMC. You can also configure which events on the TS Gateway need to be logged in the Event Viewer.
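The TS Gateway Manager MMC shows live connections; for anything historical you are reading the gateway's event log, where CAP and RAP decisions and connection failures are recorded. The script below is an added example, not code from the original article or from Microsoft; it uses wevtutil so it also works without Get-WinEvent, and assumes that the operational channel is named as shown and that the script runs as an administrator on the gateway (the -split operator needs PowerShell 2.0 or later).

```powershell
# Added example, not code from the original article or from Microsoft.
# Summarizes the TS Gateway operational log: events per ID, then the most
# recent warnings and errors, which is where policy denials and failed
# connections surface.
# Assumptions: the channel name below; run elevated on the gateway server.
$logName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$maxEvents = 500

function Get-GatewayEvents {
    param([string]$LogName, [int]$Count)
    # RenderedXml includes the formatted message; wevtutil prints one <Event>
    # element per line with no root element, so wrap the output before parsing.
    $raw = & wevtutil qe $LogName /c:$Count /rd:true /f:RenderedXml 2>$null
    if (-not $raw) { return @() }
    $doc = [xml]('<Events>' + ($raw -join '') + '</Events>')
    $events = @()
    foreach ($e in $doc.Events.Event) {
        $id = $e.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry attributes
        $events += New-Object PSObject -Property @{
            Time    = [datetime]$e.System.TimeCreated.SystemTime
            EventId = [int]$id
            Level   = [int]$e.System.Level     # 2 = Error, 3 = Warning, 4 = Information
            Message = ($e.RenderingInfo.Message -split "`n")[0].Trim()
        }
    }
    return $events
}

$events = Get-GatewayEvents -LogName $logName -Count $maxEvents
Write-Host "Events per ID in the last $($events.Count) entries:"
$events | Group-Object EventId | Sort-Object Count -Descending | ForEach-Object {
    Write-Host ("  {0,5}  {1,4}  {2}" -f $_.Name, $_.Count, $_.Group[0].Message)
}

Write-Host "Recent warnings and errors:"
$events | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } | Select-Object -First 20 | ForEach-Object {
    Write-Host ("  {0:u}  {1}  {2}" -f $_.Time, $_.EventId, $_.Message)
}
```

The per-ID table tells you which event IDs your gateway actually emits for successful and denied connections; once you know them, the Where-Object filter can be narrowed to those IDs and the script scheduled to forward a daily summary.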
In Microsoft Terminal Server 2008 lots of enhancements and new features are introduced, like Remote Applications, TS Web Access, TS Gateway, Easy Print, SSO and many other RDP enhancements, which make the product much more valuable for small business implementations. For larger organizations most features are not mature enough to use Windows 2008 Terminal Services on its own. The lack of central management, the impossibility to assign users (or groups) to Remote Applications and the very limited Web Access feature are a couple of reasons why such infrastructures still need an add-on product. There are already some companies developing additional tooling to extend the platform; examples are the visionapp WorkSpace Management portal and the option in RES PowerFuse to centrally create Remote Applications. But I'm pleased to see that Microsoft puts such effort into the development of Terminal Services and mentions and shows these enhancements in many presentations.