Understanding Terminal Services
Terminal Services enables remote users to establish interactive desktops or application sessions on a computer running Windows Server 2008. During a Terminal Services session, Terminal Services clients offload virtually the entire processing load for that session to the terminal server. This functionality offered by Terminal Services thus enables an organization to distribute the resources of a central server among many users or clients. For example, Terminal Services is often used to offer a single installation of an application to many users throughout an organization. This option can be especially useful for companies deploying line-of-business (LOB) applications and other programs responsible for tracking inventory. Figure 1 illustrates how a terminal server can make a central application available to remote clients.
Comparing Terminal Services and Remote Desktop
Microsoft Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008 all include a feature called Remote Desktop, which, like Terminal Services, enables users to establish an interactive desktop session on a remote computer. Remote Desktop and Terminal Services are in fact closely related. First, both technologies use the same client software, named Remote Desktop Connection (also called Terminal Services Client or Mstsc.exe). This client software is built into all versions of Windows since Windows XP and can be installed on virtually any Windows-based or non-Windows-based computer. From the remote user’s perspective, then, the procedure of connecting to a terminal server is identical to connecting to a remote desktop. Second, the server component of both features is also essentially the same. Both Terminal Services and Remote Desktop rely on the same service, called the Terminal Services service. Finally, both Remote Desktop and Terminal Services establish sessions by means of the same protocol, called Remote Desktop Protocol (RDP), and through the same TCP port, 3389.
Despite these similarities, the differences between Remote Desktop and Terminal Services are significant in that Terminal Services offers much greater scalability and a number of important additional features. For example, on a computer running Windows Server 2008 on which Remote Desktop is enabled, only two users can be connected concurrently to an active desktop session (including any active local user console session). However, no such limitation exists for a server on which Terminal Services has been installed and configured.
Note: Connections vs. sessions
Strictly speaking, what is the difference between a Terminal Services connection and session? A Terminal Services connection is merely an open Remote Desktop Connection window displaying a desktop on a remote computer. A Terminal Services session, however, is a continuous period during which a user is logged on to a remote computer. If you closed a Remote Desktop Connection window without logging off from a remote computer, the connection would end, but (provided that the server settings allow it) the session would continue. If you then reconnected to the remote server, you would find the same session in progress with the open programs and files exactly as you had left them. The console session, as you might guess from its name, is not a Terminal Services session at all. It is instead the particular desktop session that is active at the physical computer.
Terminal Services in Windows Server 2008 also includes the following additional features beyond those available in Remote Desktop:
Multiuser capability
Terminal Services includes two modes: Execute mode (for the normal running of applications) and Install mode (for installing programs). When you install an application on a terminal server in Install mode, settings are written to the Registry or to .ini files in a way that supports multiple users. Unlike Terminal Services, the Remote Desktop feature in Windows does not include an Install mode or provide multiuser support for applications.
RemoteApp
In Windows Server 2008, the RemoteApp component of Terminal Services enables you to deploy an application remotely to users as if the application were running on the end user’s local computer. Instead of providing the entire desktop of the remote terminal server within a resizable window, RemoteApp enables a remote application to be integrated with the user’s own desktop. The application deployed through Terminal Services thus runs in its own resizable window with its own entry in the taskbar.
TS Web Access
TS Web Access enables you to make applications hosted on a remote terminal server available to users through a Web browser. When TS Web Access is configured, users visit a Web site (either from the Internet or from the organization’s intranet) and view a list of all the applications available through RemoteApp. To start one of the listed applications, users simply click the program icon on the Web page.
TS Session Broker
By using Network Load Balancing (NLB) or DNS round-robin distribution, you can deploy a number of terminal servers in a farm that, from the perspective of remote users, emulates a single server. A terminal server farm is the best way to support many users, and to enhance the functionality of such a farm, you can use the Terminal Services Session Broker (TS Session Broker) role service. The TS Session Broker component ensures that clients connecting to a terminal server farm can reconnect to disconnected sessions.
TS Gateway
TS Gateway enables authorized users on the Internet to connect to remote desktops and terminal servers located on a private corporate network. TS Gateway provides security for these connections by tunneling each RDP session inside an encrypted Hypertext Transfer Protocol Secure (HTTPS) session. By providing authorized users broad access to internal computers over an encrypted connection, TS Gateway can eliminate the need for a VPN in many cases.
Advantages of Remote Desktop
The main advantage of Remote Desktop, compared to Terminal Services, is that its functionality is built into Windows Server 2008 and does not require the purchase of any Terminal Services client access licenses (TS CALs). If you don’t purchase any TS CALs for Terminal Services, the feature will stop working after 120 days. After this period, Terminal Services functionality will revert to that of Remote Desktop.
Another advantage of Remote Desktop, compared to Terminal Services, is that the feature is very easy to implement. Whereas enabling Terminal Services requires installing and configuring a new server role, enabling Remote Desktop requires you to select only a single option in the System Properties dialog box.
Note: Remote Desktop vs. Remote Desktop for Administration
In Windows Server 2003 and Windows Server 2008, the built-in Remote Desktop feature is often referred to as Remote Desktop for Administration (RDA). The difference between RDA and the Remote Desktop feature in Windows XP and Windows Vista is that RDA in Windows Server 2008 enables two active desktop sessions to the RDA-enabled server: either two remote sessions, or one remote session and one console session. Windows XP and Windows Vista, however, do not allow concurrent desktop sessions. Only one Remote Desktop user can connect at a time and, when a remote user does connect, any locally logged-on user must first be logged off.
Tip
In Windows Server 2008, the Remote Desktop feature typically is used for remote administration, and Terminal Services is used to host applications. However, the main difference between these two features is scale, and the purposes of their implementations do overlap. You can use the Remote Desktop feature to connect to a seldom-used application, just as you can remotely administer a server on which Terminal Services has been installed. Remember also that the core client and server components of these technologies are shared, so do not be surprised if you hear the terms used interchangeably.
Enabling Remote Desktop
By default, Windows Server 2008 does not accept connections from any Remote Desktop clients. To enable the Remote Desktop feature in Windows Server 2008, use the Remote tab of the System Properties dialog box. To access this tab, you can open System located in Control Panel and then click the Remote Settings link, or you can type control sysdm.cpl in the Run box and then, after the System Properties dialog box opens, click the Remote tab.
On the Remote tab, if you want to require a high standard of security from RDP connections, select the option to require Network Level Authentication (NLA), as shown in Figure 2. This selection will enable connections only from Remote Desktop Connection clients running Windows Vista or later. Alternatively, you can select the option to allow connections from computers running any version of Remote Desktop.
In Windows Server 2008, when you use the System Properties dialog box to allow Remote Desktop connections, a Windows Firewall exception for RDP traffic is created automatically. Therefore, you do not have to create the exception manually to allow connections from Remote Desktop clients.
Note: What is Network Level Authentication?
NLA is a feature of Remote Desktop Protocol 6.0 that ensures that user authentication occurs before a Remote Desktop connection is fully established between two computers. With earlier versions of RDP, a user could enter a username and password for authentication only after a Log On To Windows screen from the remote computer appeared in the Remote Desktop session. Because every attempt to authenticate a session demanded relatively significant resources from the server, this behavior in earlier versions of RDP made Remote Desktop-enabled and Terminal Services-enabled computers susceptible to denial-of-service attacks.
Also important to know is that, by default, Remote Desktop Connection 6.0 (also known as Terminal Services Client 6.0 or mstsc.exe) does not support NLA on computers running Windows XP. However, this version of the Remote Desktop client can be made to support NLA on Windows XP SP2 if you download and install the Terminal Services Client 6.0 update for Windows XP (KB925876), available on the Microsoft Web site.
Enabling Remote Desktop on a Server Core Installation
A Server Core installation of Windows Server 2008 does not support the full Terminal Services role. However, you can enable the Remote Desktop feature on a Server Core installation by using the Server Core Registry Editor script, Scregedit.wsf. Scregedit.wsf provides a simplified way of configuring the most commonly used features in a Server Core installation of Windows Server 2008.
Important: Where can you find Scregedit.wsf?
Scregedit.wsf is located in the %SystemRoot%\System32 folder of every Server Core installation.
To use the Scregedit.wsf script to enable Remote Desktop, use Cscript.exe to invoke the script, and then pass the /AR switch a value of 0, which allows Remote Desktop connections. (By default, the /AR value is set to 1, which disables Remote Desktop connections.) The full command to enable Remote Desktop is shown here:
Cscript.exe C:\Windows\System32\Scregedit.wsf /AR 0
By default, enabling Remote Desktop on the Server Core installation in this way configures the server to accept Remote Desktop connections only from clients running Windows Vista or later. To enable the server to accept Remote Desktop connections from earlier versions of RDP, you need to relax the security requirements of the server by using the Scregedit.wsf script with the /CS switch and a value of 0, as shown:
Cscript.exe C:\Windows\System32\Scregedit.wsf /CS 0
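To confirm what these steps (and the Remote tab described under "Enabling Remote Desktop") actually leave configured, here is an added PowerShell audit that is not part of the original text. It assumes, as the page does not state, that /AR maps to the fDenyTSConnections registry value and /CS to UserAuthentication under the RDP-Tcp listener key, and that it is run from a management host with PowerShell, administrative rights, and remote-registry access to the server.

```powershell
# Added example (not from the original text): audit the Remote Desktop settings
# that the Remote tab and Scregedit.wsf change, so an administrator can confirm
# that RDP is enabled only where intended and that NLA is still required.
# Assumption: /AR maps to fDenyTSConnections and /CS to UserAuthentication.
param([string]$ComputerName = $env:COMPUTERNAME)

$tsPath  = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpPath = "$tsPath\WinStations\RDP-Tcp"

$hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
$ts  = $hive.OpenSubKey($tsPath)
$rdp = $hive.OpenSubKey($rdpPath)
if (-not $ts -or -not $rdp) {
    throw "Terminal Server registry keys not found on $ComputerName"
}

# fDenyTSConnections: 1 = connections refused (the default, like /AR 1),
# 0 = Remote Desktop connections accepted (like /AR 0).
$deny = [int]$ts.GetValue('fDenyTSConnections', 1)

# UserAuthentication: 1 = NLA required, so the user authenticates before the
# session is built; 0 = any RDP client version accepted (like /CS 0).
$nla  = [int]$rdp.GetValue('UserAuthentication', 0)
$port = [int]$rdp.GetValue('PortNumber', 3389)

$ts.Close(); $rdp.Close(); $hive.Close()

$finding = if ($deny -ne 0) {
    'Remote Desktop disabled'
} elseif ($nla -eq 1) {
    'Remote Desktop enabled, NLA required'
} else {
    'Remote Desktop enabled WITHOUT NLA: logon screen reachable before authentication'
}

# One row per audited server; pipe several into Format-Table for a farm overview.
New-Object PSObject -Property @{
    ComputerName  = $ComputerName
    RdpEnabled    = ($deny -eq 0)
    NlaRequired   = ($nla -eq 1)
    ListeningPort = $port
    Finding       = $finding
}
```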
Note: Connecting to a Server Core through Remote Desktop
When you connect to a Server Core installation by means of Remote Desktop, you receive the same interface that you would receive as if you were seated locally at the server. A Remote Desktop connection to a computer running Windows Server 2008 Server Core, in other words, does not provide you with access to any additional graphical tools to manage the server.
Installing Terminal Services
Unlike Remote Desktop, the full implementation of Terminal Services requires you to add the Terminal Services server role. As with any server role, the simplest way to install Terminal Services on a full installation of Windows Server 2008 is to click Add Roles in Server Manager.
Clicking Add Roles launches the Add Roles Wizard. On the Select Server Roles page, select the Terminal Services check box, as shown in Figure 3.
Click Next on the Add Roles Wizard page to open the Terminal Services page. This page provides a brief explanation of the Terminal Services role. Then, click Next on the Terminal Services page to open the Select Role Services page.
Selecting Role Services
On the Select Role Services page of the Add Roles Wizard, you can select any of the following five role services associated with the Terminal Services role:
Terminal Server
This role service provides the basic functionality of Terminal Services, including the RemoteApp feature.
TS Licensing
You need to install this role service only if you have purchased Terminal Services client access licenses (TS CALs) and can activate a license server. Terminal Services has a 120-day grace period: if you have not purchased any TS CALs and installed them on a Terminal Services license server, Terminal Services will stop functioning when the grace period expires. (For information about how to install and configure Terminal Services Licensing (TS Licensing), see the “Configuring Terminal Services” lesson of this chapter.)
TS Session Broker
Install and configure this role service when you plan to implement Terminal Services in a server farm. As mentioned in the “Comparing Terminal Services and Remote Desktop” section earlier in this lesson, this role service enhances the functionality of the server farm by ensuring that clients are able to reconnect to disconnected sessions.
TS Gateway
Install this role service if you want to make a number of terminal servers accessible to authorized external clients beyond a firewall or Network Address Translation (NAT) device.
TS Web Access
Install this role service if you want to make applications deployed through Terminal Services available to clients through a Web page.
The Select Role Services page is shown in Figure 4.
The following sections describe the process of installing the Terminal Services role services.
Uninstalling Applications
After you select the Terminal Services role service, the Add Roles Wizard reminds you that any applications that you want to deploy to users through Terminal Services should be installed after you add the Terminal Services role. If you have already installed any applications you want to deploy, you should uninstall and reinstall them later (in Terminal Services Install mode) if you want them to be available to multiple users. This reminder is shown in Figure 5.