Terminal Services Deployment Guide

Microsoft Corporation Published: December 2009

Abstract
The Terminal Services server role in Windows Server 2008 provides technologies that enable users to access Windows-based programs that are installed on a terminal server, or to access the full Windows desktop. With Terminal Services, users can access a terminal server from within a corporate network or from the Internet.

This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2009 Microsoft Corporation. All rights reserved. Active Directory, ActiveX, Internet Explorer, ClearType, MSDN, Microsoft, RemoteApp, Windows, Windows Media, Windows NT, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Contents
Terminal Services Deployment Guide.............................................................................................1 Abstract....................................................................................................................................1 Contents..........................................................................................................................................3 Terminal Services Deployment Guide.............................................................................................9 About this guide...........................................................................................................................9 In this guide.................................................................................................................................9 Role Services and Features in a Terminal Services Deployment....................................................9 What are the role services and features in a Terminal Services deployment?........................10 Deploying Terminal Server............................................................................................................12 Installation Prerequisites for Terminal Server................................................................................12 Using Remote Desktop.................................................................................................................14 Installing Terminal Server on a Domain Controller........................................................................15 Terminal Services and Windows Firewall......................................................................................16 Checklist: Configuring Terminal Server.........................................................................................17 Configuring Terminal Server..........................................................................................................18 Install the Terminal Server Role Service.......................................................................................18 Install the Terminal Server role service (when Terminal Services is already installed)...............20 Configure License Settings for a Terminal Server.........................................................................21 Specify the Terminal Services Licensing Mode.............................................................................22 Specify the License Server Discovery Mode.................................................................................23 Configure the Network Level Authentication Setting for a Terminal Server...................................24 Install Programs on a Terminal Server..........................................................................................25 Additional considerations....................................................................................................26 Configure the Remote Desktop Users Group................................................................................26 Managing Terminal Server............................................................................................................27 Change Remote Connection Settings...........................................................................................27

Enable Single Sign-On for Terminal Services...............................................................................28 Manage User Profiles for Terminal Services.................................................................................29 Install Desktop Experience on a Terminal Server..........................................................................30 Install Desktop Experience........................................................................................................30 Uninstall Desktop Experience....................................................................................................31 Configure Font Smoothing for Remote Sessions..........................................................................32 Monitor a Terminal Server with Windows System Resource Manager..........................................33 Resource-Allocation Policies.....................................................................................................33 Resource Monitor......................................................................................................................34 Uninstall the Terminal Server Role Service...................................................................................34 Deny Logon Requests to a Terminal Server..................................................................................35 Deploying TS Licensing................................................................................................................36 Installation Prerequisites for TS Licensing....................................................................................36 Terminal Services Client Access Licenses (TS CALs)..................................................................37 Terminal Services License Server Discovery................................................................................38 Checklist: Deploying TS Licensing................................................................................................39 Installing TS Licensing..................................................................................................................40 Installation prerequisites............................................................................................................40 Install the TS Licensing role service..........................................................................................40 Connecting to a Terminal Services License Server.......................................................................42 Install TS Licensing Manager........................................................................................................42 Activating a Terminal Services License Server.............................................................................43 Activate a Terminal Services License Server Automatically..........................................................44 Activate a Terminal Services License Server by Using a Web Browser........................................45 Activate a Terminal Services License Server by Using the Telephone..........................................46 Installing Terminal Services Client Access Licenses.....................................................................47 Install Terminal Services Client Access Licenses Automatically....................................................47 Install Terminal Services Client Access Licenses by Using a Web Browser..................................48 Install Terminal Services Client Access Licenses by Using the Telephone....................................50

Configuring License Settings on a Terminal Server.......................................................................51 Specify the Terminal Services licensing mode...........................................................................51 Specify the license server discovery mode................................................................................52 Tracking the Issuance of Terminal Services Per User Client Access Licenses.............................53 Troubleshooting TS Licensing Installation.....................................................................................56 Review the configuration of your license server........................................................................56 Diagnose licensing problems on your terminal server...............................................................58 Deploying TS Session Broker.......................................................................................................59 Installation Prerequisites for TS Session Broker...........................................................................60 TS Session Broker components................................................................................................60 Checklist: Creating a Load-Balanced Terminal Server Farm by Using TS Session Broker...........61 Installing TS Session Broker.........................................................................................................61 Installation prerequisites............................................................................................................62 Install the TS Session Broker role service.................................................................................62 Adding Each Terminal Server in the Farm to the Session Directory Computers Local Group.......63 Configuring a Terminal Server to Join a Farm in TS Session Broker............................................64 Configure TS Session Broker Settings by Using Group Policy.....................................................64 Configure TS Session Broker Settings by Using Terminal Services Configuration........................66 Configuring DNS for TS Session Broker Load Balancing..............................................................67 Configuring Dedicated Redirectors (optional)...............................................................................69 Deploying TS Gateway.................................................................................................................69 Installation Prerequisites for TS Gateway.....................................................................................70 Role, role service, and feature dependencies........................................................................70 Administrative credentials......................................................................................................71 Understanding Requirements for Connecting to a TS Gateway Server........................................71 Supported Windows authentication methods.............................................................................72 Checklist: Deploying TS Gateway.................................................................................................73 Installing TS Gateway...................................................................................................................73 Install the TS Gateway role service...........................................................................................73 Verify successful role service installation and TS Gateway service status.............................76 Configuring a Certificate for the TS Gateway Server....................................................................76 Obtain a Certificate for the TS Gateway Server............................................................................77

Certificate requirements for TS Gateway...................................................................................78 Using existing certificates..........................................................................................................78 Certificate installation and configuration process overview........................................................79 1. Obtain a certificate.............................................................................................................79 2. Install the certificate............................................................................................................81 3. Map the certificate..............................................................................................................81 Create a Self-Signed Certificate for the TS Gateway Server........................................................81 Install a Certificate on the TS Gateway Server.............................................................................82 Map the TS Gateway Certificate...................................................................................................84 View or Modify Certificate Properties............................................................................................84 Creating a Terminal Services Connection Authorization Policy.....................................................85 Creating a Terminal Services Resource Authorization Policy........................................................87 Configuring the Terminal Services Client for TS Gateway.............................................................89 Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional)..........89 Configure Remote Desktop Connection Settings..........................................................................91 Verify Connectivity Through TS Gateway......................................................................................93 Limiting the Maximum Number of Simultaneous Connections Through TS Gateway...................93 Using Group Policy to Manage Client Connections Through TS Gateway....................................94 Set the TS Gateway Server Authentication Method......................................................................95 Enable Connections Through TS Gateway...................................................................................97 Set the TS Gateway Server Address.............................................................................................98 Deploying TS RemoteApp...........................................................................................................101 Installation Prerequisites for TS RemoteApp..............................................................................101 Client requirements..................................................................................................................102 Checklist: Configuring TS RemoteApp........................................................................................102 Checklist: Deploying RemoteApp Programs Through a File Share or Other Distribution Mechanism..............................................................................................................................103 Checklist: Making RemoteApp Programs Available from the Internet.........................................103 Configuring the Server That Will Host RemoteApp Programs.....................................................105 Install the Terminal Server role service....................................................................................105

Install programs on the terminal server....................................................................................105 Verify remote connection settings............................................................................................106 Adding RemoteApp Programs and Configuring Global Deployment Settings.............................107 Add Programs to the RemoteApp Programs List........................................................................107 Configure Global Deployment Settings.......................................................................................108 Configure Terminal Server Settings.............................................................................................109 Configure TS Gateway Settings..................................................................................................110 Configure Common RDP Settings (Optional)..............................................................................111 Configure Custom RDP Settings (Optional)................................................................................112 Configure Digital Signature Settings (Optional)...........................................................................113 Using Group Policy settings to control client behavior when opening a digitally signed .rdp file .............................................................................................................................................114 Creating an .rdp File from a RemoteApp Program......................................................................115 Creating a Windows Installer Package from a RemoteApp Program..........................................116 Managing RemoteApp Programs and Settings...........................................................................117 Change or Delete a RemoteApp Program...................................................................................118 Export or Import RemoteApp Programs and Settings.................................................................119 Configuring Server Manager and Initial Tasks Not to Run in a RemoteApp Session..................120 Deploying TS Web Access..........................................................................................................120 Checklist: Deploying RemoteApp Programs Through TS Web Access.......................................121 Enable RemoteApp Programs for TS Web Access.....................................................................122 Install the TS Web Access Role Service.....................................................................................123 Populate the TS Web Access Computers Security Group..........................................................124 Specify the Data Source for TS Web Access..............................................................................124 Connect to TS Web Access.........................................................................................................125 Client requirements and configuration.....................................................................................126 Configure the TS Web Access Server to Allow Access from the Internet....................................127 Configure Remote Desktop Web Connection Behavior..............................................................129

Change the Install Location of the TS Web Access Web Site.....................................................130 Deploying Terminal Services Printing..........................................................................................132 Using Terminal Services Easy Print Driver..................................................................................132 Client requirements..................................................................................................................132 Additional information..............................................................................................................133 Installing the Printer Driver on the Server...................................................................................134 Creating a Custom Printer Mapping File.....................................................................................134 Step one: Create or modify an .inf file......................................................................................134 Step two: Configure the registry..............................................................................................135 Configuring Printer Redirection Settings.....................................................................................136 Configure printer redirection settings per connection...............................................................137 By using Group Policy (best practice)..................................................................................137 By using Terminal Services Configuration............................................................................137 Configure printer redirection settings per user.........................................................................138 Use client-specified printer redirection settings.......................................................................138 Using Terminal Services Printing-Related Group Policy Settings................................................139

Terminal Services Deployment Guide

Deploying Terminal Services in your Windows Server 2008 environment provides technologies that enable users to access Windows-based programs that are installed on a terminal server, or to access the full Windows desktop. By using Terminal Services, users can access a terminal server from within a corporate network or from the Internet. Terminal Services enables you to efficiently deploy and maintain software in an enterprise environment from a central location. Because you install the programs on the terminal server and not on the client computer, programs are easier to upgrade and to maintain.

About this guide

This guide is intended for use by system administrators and system engineers who are responsible for deploying the Terminal Services role services and features. It provides detailed guidance for deploying a Terminal Services design that is preselected by you, an infrastructure specialist, or a system architect in your organization. For related information about Terminal Services, visit the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).

In this guide
Role Services and Features in a Terminal Services Deployment Deploying Terminal Server Deploying TS Licensing Deploying TS Session Broker Deploying TS Gateway Deploying TS RemoteApp Deploying TS Web Access Deploying Terminal Services Printing

Role Services and Features in a Terminal Services Deployment

The following figure shows the network diagram for the Terminal Services role services and features that are covered in this deployment guide. This diagram isolates specific functionality on separate servers, instead of running multiple services on the same server. Your deployment design will vary according to your resources and requirements.

What are the role services and features in a Terminal Services deployment?
Terminal Services is a server role that consists of several sub-components, known as "role services." In Windows Server 2008, Terminal Services consists of the following role services: Terminal Server The Terminal Server role service enables a server to host Windowsbased programs or the full Windows desktop. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server. TS Licensing Terminal Services Licensing (TS Licensing) manages the Terminal Services client access licenses (TS CALs) that are required for each device or user to connect to a terminal server. You use TS Licensing to install, issue, and monitor the availability of TS CALs on a Terminal Services license server. Important You must have a correctly configured license server within 120 days after your terminal server accepts its first connection. TS Session Broker Terminal Services Session Broker (TS Session Broker) supports session load balancing between terminal servers in a farm, and reconnection to an existing session in a load-balanced terminal server farm. To use the built-in TS Session Broker Load Balancing feature, terminal servers in the Important farm must be running Windows Server 2008. 10

 TS Web Access Terminal Services Web Access (TS Web Access) enables users to access RemoteApp programs and a Remote Desktop connection to the terminal server through a Web site. TS Web Access also includes Remote Desktop Web Connection, which enables users to remotely connect to any computer where they have Remote Desktop access. TS Gateway Terminal Services Gateway (TS Gateway) enables authorized remote users to connect to resources on an internal corporate network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. Your deployment might also include the following: Remote Desktop Connection (RDC) client The RDC client must be installed on client computers for users to start Terminal Services sessions. To access most of the new features in Windows Server 2008, the client must be running RDC 6.0 or RDC 6.1. Active Directory Domain Services If you deploy TS Session Broker, the server where you install the TS Session Broker role service must be a member of an Active Directory domain. If you deploy terminal servers or terminal server farms, the servers must be members of the same Active Directory domain as the license servers, or the license servers must be deployed at the forest level. Network Access Protocol (NAP) You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement, and remediation technology that is included in Windows Server 2008, Windows Vista, Windows Vista Service Pack 1 (SP1), and Windows XP Service Pack 3 (SP3). With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings. Network Firewall The Terminal Services role services are typically deployed within the corporate network behind a firewall. If TS Gateway is deployed, it may be hosted in a perimeter network. TS Gateway enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators (NATs). With TS Gateway, you do not need to perform additional configuration for the TS Gateway server or clients for this scenario. In earlier versions of Windows Server, security measures prevented remote users from connecting to internal network resources across firewalls and NATs. This is because port 3389, the port used for RDP connections, is typically blocked for network security purposes. TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls. Front-end load balancer If you deploy TS Session Broker, a front-end load balancer is required. Depending on your requirements, you can use the Domain Name System (DNS) round robin feature, Network Load Balancing (NLB), or a hardware load balancer.

11

Deploying Terminal Server

Terminal Server is one of the role services provided by the Terminal Services server role. You install Terminal Server on a server to host Windows-based programs or the full Windows desktop. Users can connect to a terminal server to run programs (including RemoteApp programs), save files, and use network resources if they have appropriate permissions. To install, configure, and manage a terminal server, see the following topics: Installation Prerequisites for Terminal Server Checklist: Configuring Terminal Server Configuring Terminal Server Managing Terminal Server

Installation Prerequisites for Terminal Server

A terminal server is the server that hosts Windows-based programs or the full Windows desktop for Terminal Services client computers. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server. Users can access a terminal server by using Remote Desktop Connection or by using TS RemoteApp. The following checklist provides tasks that an administrator should perform before installing and configuring a terminal server. Note Installing a terminal server on an Active Directory domain controller is not recommended. For more information, see Installing Terminal Server on a Domain Controller.
Task Reference

Determine if you need a terminal server.

To allow remote connections for administrative purposes only, you do not need to install a terminal server. For more information about remote connections for administrative purposes, see Using Remote Desktop.

Review licensing requirements for a terminal server.

Each user or computing device that connects to a terminal server must have a valid Terminal Services client access license (TS CAL). A terminal server running Windows Server 2008 can only communicate with a Terminal Services license server running Windows Server 2008, and the license server must have Windows 12

Task

Reference

Server 2008 TS CALs installed. For more information about licensing requirements for Terminal Services, see the TS Licensing Step-by-Step Guide on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=85873). Decide which programs you want to host on the You should install the Terminal Server role terminal server. service on the computer before you install any programs that you want to make available to users. If you install the Terminal Server role service on a computer that already has programs installed, some of the existing programs may not work correctly in a multiple user environment. Uninstalling and then reinstalling the affected programs may resolve these issues. For more information, see Install Programs on a Terminal Server. Review information about: Hardware requirements Capacity and scaling See the Checklist: Terminal Server Installation Prerequisites on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/? LinkId=101636). See the TS Session Broker Load Balancing Step-by-Step Guide on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=92670). The Terminal Services licensing mode that is configured on a terminal server must match the type of TS CALs that are available on the Terminal Services license server. See Specify the Terminal Services Licensing Mode on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/? LinkId=101638 ). Determine how the terminal server will discover A terminal server must be able to contact a a license server. Terminal Services license server to request TS CALs for users or computing devices that are connecting to the terminal server. For more information about license server 13

Determine if you need to deploy a loadbalanced terminal server farm.

Determine the Terminal Services licensing mode that the terminal server will use.

Task

Reference

discovery, see the TS Licensing Step-by-Step Guide on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=85873). Determine which users will be able to remotely connect to the terminal server. The Remote Desktop Users group on a terminal server is used to give users and groups permission to log on remotely to a terminal server. For more information, see Configure the Remote Desktop Users Group. Determine if the terminal server will require Network Level Authentication. You can enhance terminal server security by providing user authentication early in the connection process when a client connects to a terminal server. This early user authentication method is referred to as Network Level Authentication. For more information, see Configure the Network Level Authentication Setting for a Terminal Server. Review information about Windows Firewall. The installation of the Terminal Server role service changes the configuration of Windows Firewall. For more information, see Terminal Services and Windows Firewall.

Using Remote Desktop

To allow remote connections for administrative purposes only, you do not have to install a terminal server. Instead, you can enable Remote Desktop on the computer that you want to remotely administer. Note Remote Desktop supports only two concurrent remote connections to the computer. You do not need Terminal Services client access licenses (TS CALs) for these connections. You can use the following procedure to enable Remote Desktop on a computer running Windows Server 2008. Membership in the local Administrators group, or equivalent, on the computer that you plan to configure, is the minimum required to complete this procedure. Review details about using the 14

appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). To enable Remote Desktop 1. Start the System tool. To start the System tool, click Start, click Run, type control system and then click OK. 2. Under Tasks, click Remote settings. 3. In the System Properties dialog box, on the Remote tab, click either of the following, depending on your environment: Allow connections from computers running any version of Remote Desktop (less secure) Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure) For more information about the two options, click the Help me choose link on the Remote tab. 4. Click Select Users to add the users and groups that need to connect to the computer by using Remote Desktop. The users and groups that you add are added to the Remote Desktop Users group. Note Members of the local Administrators group can connect even if they are not listed.

Installing Terminal Server on a Domain Controller

Installing a terminal server on an Active Directory domain controller is not recommended. Allowing users to run programs on a domain controller could create security risks and performance issues. If the Terminal Server role service is installed on a domain controller, the security settings of the domain controller need to be adjusted to allow users remote access to the server. This remote access is controlled by the "Allow log on through Terminal Services" user rights assignment, which can be configured by using the Group Policy Management Console (GPMC). On a domain controller, by default, only the Administrators group is granted the "Allow log on through Terminal Services" user right. To allow remote access to the terminal server for users who are not members of the Administrators group, you should grant the Remote Desktop Users group the "Allow log on through Terminal Services" user right. For more information about using GPMC to configure user rights assignments, see the Windows Server 2008 Group Policy Management Console Help. 15

Note Installing the TS Licensing role service on a domain controller is recommended in certain circumstances. If a Terminal Services license server is installed on a domain controller, terminal servers in the same domain as the license server will automatically be able to discover the license server. Because users are not connecting directly to the license server to run programs on the license server, the security risks and performance issues can be mitigated. For more information about license server discovery and configuring TS Licensing, see the TS Licensing documentation on the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=73931).

Terminal Services and Windows Firewall

Windows Firewall is on by default in Windows Server 2008. Windows Firewall helps control which programs or ports can be used to communicate between the server running Windows Server 2008 and other computers on the network or the Internet. To allow a program or port to communicate through Windows Firewall, you need to enable an exception. If you enable Remote Desktop, Windows Firewall automatically enables the Remote Desktop exception. When the Terminal Server role service is installed, Windows Firewall automatically enables the following exceptions: Remote Desktop Terminal Services

If you install other Terminal Services role services, Windows Firewall automatically enables other exceptions. For example, when you install the TS Licensing role service, Windows Firewall enables the Terminal Services Licensing Server exception. When you uninstall a role service from the computer, Windows Firewall automatically removes the exception for that role service. Important When the Terminal Server role service is uninstalled, only the Terminal Services exception is removed. The Remote Desktop exception is not removed. Use the following procedure to view Windows Firewall exceptions. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/? LinkId=83477).

16

To view Windows Firewall exceptions 1. Click Start, and then click Control Panel. 2. Click Security, and then click Windows Firewall. 3. Click Change Settings, and then, in the Windows Firewall Settings dialog box, click the Exceptions tab. 4. If the check box associated with the program or port listed is selected, the Windows Firewall exception for that program or port is enabled. Some programs only appear in the list when the role service is installed. For example, the Terminal Services Licensing Server program only appears in the list when the TS Licensing role service is installed on the computer. To view more detailed information about Windows Firewall settings, use the Windows Firewall with Advanced Security snap-in. Use the following procedure to use Windows Firewall with Advanced Security. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/? LinkId=83477). To use the Windows Firewall with Advanced Security snap-in 1. Click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security. 2. To view detailed information about Windows Firewall settings, click either of the following nodes in the left pane: Inbound rules Outbound rules

For more information about configuring Windows Firewall, see the Windows Server 2008 Windows Firewall with Advanced Security Help. For more information about Terminal Services-specific Windows Firewall exceptions, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).

Checklist: Configuring Terminal Server

A terminal server is the server that hosts Windows-based programs or the full Windows desktop for Terminal Services clients. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server. Users can access a terminal server by using Remote Desktop Connection or by using TS RemoteApp. This checklist provides tasks that an administrator needs to complete to install and configure a terminal server. 17

Please note the following: Installing the Terminal Server role service requires the computer to be restarted. Installing a terminal server on an Active Directory domain controller is not recommended. For more information, see Installing Terminal Server on a Domain Controller. Installing the Terminal Server role service on the computer before you install any programs that you want to make available to users is recommended. For more information, see Install Programs on a Terminal Server.
Task Reference

Review prerequisites for installing a terminal server. Install the Terminal Server role service. Configure the license settings on the terminal server. Configure the Network Level Authentication setting for the terminal server. Install programs on the terminal server. Configure which users can remotely connect to the terminal server.

Installation Prerequisites for Terminal Server Install the Terminal Server Role Service Configure License Settings for a Terminal Server Configure the Network Level Authentication Setting for a Terminal Server Install Programs on a Terminal Server Configure the Remote Desktop Users Group

Configuring Terminal Server

This section provides procedures for configuring a terminal server. It includes the following topics: Install the Terminal Server Role Service Configure License Settings for a Terminal Server Configure the Network Level Authentication Setting for a Terminal Server Install Programs on a Terminal Server Configure the Remote Desktop Users Group

Install the Terminal Server Role Service

In Windows Server 2008, you can use Server Manager to install the Terminal Server role service. For more information about other ways to install the Terminal Server role service, including by using servermanagercmd.exe, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).

18

Use the following procedure to install the Terminal Server role service by using Server Manager if Terminal Services is not already installed on the server. If Terminal Services is already installed on the server, see Install the Terminal Server role service (when Terminal Services is already installed). To install the Terminal Server role service 1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager. 2. In the left pane, right-click Roles, and then click Add Roles. 3. In the Add Roles Wizard, on the Before You Begin page, click Next. 4. On the Select Server Roles page, under Roles, select the Terminal Services check box. Note If Terminal Services is already installed on the server, the Terminal Services check box will be selected and dimmed. 5. Click Next. 6. On the Terminal Services page, click Next. 7. On the Select Role Services page, select the Terminal Server check box, and then click Next. Note If you are installing the Terminal Server role service on a domain controller, you will receive a warning message because installing the Terminal Server role service on a domain controller is not recommended. For more information, see Installing Terminal Server on a Domain Controller. 8. On the Uninstall and Reinstall Applications for Compatibility page, click Next. 9. On the Specify Authentication Method for Terminal Server page, select the appropriate authentication method for the terminal server, and then click Next. For more information about authentication methods, see Configure the Network Level Authentication Setting for a Terminal Server. 10. On the Specify Licensing Mode, select the appropriate licensing mode for the terminal server, and then click Next. For more information about licensing modes, see Specify the Terminal Services Licensing Mode. 11. On the Select User Groups Allowed Access To This Terminal Server page, add the users or user groups that you want to be able to remotely connect to this terminal server, and then click Next. For more information, see Configure the Remote Desktop Users Group. 12. On the Confirm Installation Selections page, verify that the Terminal Server role service will be installed, and then click Install. 13. On the Installation Progress page, installation progress will be noted. 19

14. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close, and then click Yes to restart the server. 15. If you are prompted that other programs are still running, do either of the following: To close the programs manually and restart the server later, click Cancel. To automatically close the programs and restart the server, click Restart now.

16. After the server restarts and you log on to the computer, the remaining steps of the installation will finish. When the Installation Results page appears, confirm that the installation of Terminal Server succeeded. You can also confirm that Terminal Server is installed by following these steps: a. Start Server Manager. b. Under Roles Summary, click Terminal Services. c. Under System Services, confirm that Terminal Services has a status of Running. d. Under Role Services, confirm that Terminal Server has a status of Installed.

Install the Terminal Server role service (when Terminal Services is already installed)
Use the following procedure to install the Terminal Server role service when Terminal Services is already installed on the server. Membership in the local Administrators group, or equivalent, on the terminal server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). Important The installation of the Terminal Server role service requires the computer to be restarted. To install the Terminal Server role service when Terminal Services is already installed 1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager. 2. In the left pane, expand Roles. 3. Right-click Terminal Services, and then click Add Role Services. 4. On the Select Role Services page, select the Terminal Server check box, and then click Next. Note If you are installing the Terminal Server role service on a domain controller, you will receive a warning message because installing the Terminal Server role service on a domain controller is not recommended. For more information, see 20

Installing Terminal Server on a Domain Controller. 5. On the Uninstall and Reinstall Applications for Compatibility page, click Next. 6. On the Specify Authentication Method for Terminal Server page, select the appropriate authentication method for the terminal server, and then click Next. For more information about authentication methods, see Configure the Network Level Authentication Setting for a Terminal Server. 7. On the Specify Licensing Mode, select the appropriate licensing mode for the terminal server, and then click Next. For more information about licensing modes, see Specify the Terminal Services Licensing Mode. 8. On the Select User Groups Allowed Access To This Terminal Server page, add the users or user groups that you want to be able to remotely connect to this terminal server, and then click Next. For more information, see Configure the Remote Desktop Users Group. 9. On the Confirm Installation Selections page, verify that the Terminal Server role service will be installed, and then click Install. 10. On the Installation Progress page, installation progress will be noted. 11. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close, and then click Yes to restart the server. 12. If you are prompted that other programs are still running, do either of the following: To close the programs manually and restart the server later, click Cancel. To automatically close the programs and restart the server, click Restart now.

13. After the server restarts and you log on to the computer, the remaining steps of the installation will finish. When the Installation Results page appears, confirm that the installation of Terminal Server succeeded. You can also confirm that Terminal Server is installed by following these steps: a. Start Server Manager. b. Under Roles Summary, click Terminal Services. c. Under System Services, confirm that Terminal Services has a status of Running. d. Under Role Services, confirm that Terminal Server has a status of Installed.

Configure License Settings for a Terminal Server

Each user or computing device that connects to a terminal server must have a valid Terminal Services client access license (TS CAL) issued by a Terminal Services license server.

21

To ensure that a terminal server can contact (discover) a Terminal Services license server to request TS CALs for client computers, you need to do the following on the terminal server: Specify the Terminal Services Licensing Mode Specify the License Server Discovery Mode

Specify the Terminal Services Licensing Mode

The Terminal Services licensing mode determines the type of Terminal Services client access licenses (TS CALs) that a terminal server will request from a license server on behalf of a client that is connecting to the terminal server. Important The Terminal Services licensing mode that is configured on a terminal server must match the type of TS CALs that are available on the license server. There are two types of TS CALs: TS Per Device CAL, which permits one device (used by any user) to connect to a terminal server. TS Per User CAL, which gives one user the right to access terminal servers from an unlimited number of client computers or devices. The Terminal Services licensing mode for the terminal server can be set in the following ways: During the installation of the Terminal Server role service in Server Manager, on the Specify Licensing Mode page in the Add Roles Wizard. On the Specify Licensing Mode page, you can select Configure later if you are unsure during the installation whether to select Per Device or Per User. If you select Configure later, each time that you log on to the terminal server, a message appears in the lower-right corner of the desktop reminding you that you need to configure the licensing mode for the terminal server. By using the Terminal Services Configuration tool to configure the Terminal Services licensing mode for the terminal server. If the Specify the Terminal Services licensing mode choices are dimmed and you cannot make a selection, the Set Terminal Services licensing mode Group Policy setting has been enabled and applied to the terminal server. By applying the Set Terminal Services licensing mode Group Policy setting. This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Licensing and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that this Group Policy setting takes precedence over the setting configured in Terminal Services Configuration. 22

For more information about TS CALs and configuring TS Licensing, see the TS Licensing documentation on the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=73931). For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).

Specify the License Server Discovery Mode

A terminal server must be able to contact (discover) a Terminal Services license server to request Terminal Services client access licenses (TS CALs) for users or computing devices that are connecting to the terminal server. You can set the license server discovery mode for the terminal server in the following ways: By configuring License Server discovery mode for the terminal server in the Terminal Services Configuration tool. If the Specify the license server discovery mode choices are dimmed and you cannot make a selection, the Use the specified Terminal Services license servers Group Policy setting has been enabled and has been applied to the terminal server. By applying the Use the specified Terminal Services license servers Group Policy setting. This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Licensing and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that this Group Policy setting takes precedence over the setting configured in Terminal Services Configuration. In the license server discovery process, a terminal server in a Windows Server-based domain attempts to contact a license server in the following order: License servers that are specified in Terminal Services Configuration A license server that is installed on the same computer as the terminal server License servers that are published in Active Directory Domain Services

License servers that are installed on domain controllers in the same domain as the terminal server Important To see which license servers the terminal server discovers and to be alerted to possible licensing discovery and configuration issues, use Licensing Diagnosis in Terminal Services Configuration. For information about Licensing Diagnosis, see the topic "Identify Possible Licensing Problems for the Terminal Server" in the Windows Server 2008 Terminal Services Configuration Help (http://go.microsoft.com/fwlink/? Linkid=118659).

23

For more information about license server discovery and configuring TS Licensing, see the TS Licensing documentation on the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=73931). For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).

Configure the Network Level Authentication Setting for a Terminal Server

You can enhance terminal server security by providing user authentication early in the connection process when a client connects to a terminal server. This early user authentication method is referred to as Network Level Authentication. Network Level Authentication completes user authentication before you establish a Remote Desktop connection and the logon screen appears. This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software. The advantages of using Network Level Authentication are: It requires fewer remote computer resources initially. The remote computer uses a limited number of resources before authenticating the user, rather than starting a full Remote Desktop connection as in previous versions. It reduces the risk of denial-of-service attacks. On the client computer, use at least Remote Desktop Connection 6.0. To use Network Level Authentication, you need to meet all of the following requirements: On the client computer, use an operating system, such as Windows Vista, that supports the Credential Security Support Provider (CredSSP) protocol. On the terminal server, use Windows Server 2008. You can configure a terminal server to only support connections from client computers running Network Level Authentication. The Network Level Authentication setting for a terminal server can be set in the following ways: During the installation of the Terminal Server role service in Server Manager, on the Specify Authentication Method for Terminal Server page in the Add Roles Wizard. On the Remote tab in the System Properties dialog box on a terminal server. For more information, see Change Remote Connection Settings. If the Allow connections from computers running any version of Remote Desktop (less secure) is not selected and is dimmed, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled and has been applied to the terminal server. On the General tab of the Properties dialog box for a connection in the Terminal Services Configuration tool by selecting the Allow connections only from computers running Remote Desktop with Network Level Authentication check box. 24

If the Allow connections only from computers running Remote Desktop with Network Level Authentication check box is selected and is dimmed, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled and has been applied to the terminal server. By applying the Require user authentication for remote connections by using Network Level Authentication Group Policy setting. This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that this Group Policy setting takes precedence over the setting configured in Terminal Services Configuration or on the Remote tab. To determine whether a computer is running a version of Remote Desktop Connection that supports Network Level Authentication, start Remote Desktop Connection, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase "Network Level Authentication supported." For more information about security and Terminal Services, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkID=73931). For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).

Install Programs on a Terminal Server

You should install the Terminal Server role service on the computer before you install any programs that you want to make available to users. If you install the Terminal Server role service on a computer that already has programs installed, some of the existing programs may not work correctly in a multiple user environment. Uninstalling and then reinstalling the affected programs may resolve these issues. To ensure that an application is installed correctly to work in a multiple user environment, you must put the terminal server into a special installation mode before you install the application on the terminal server. This special installation mode ensures that the correct registry entries and .ini files that are needed to support running the application in a multiple user environment are created during the installation process. You can put a terminal server into this special installation mode by using either of the following: Install Application on Terminal Server tool under Programs in Control Panel. This tool runs a wizard to help install the application. Change user /install command at a command prompt. You will have to start the installation of the application manually. After the application is installed, you must put the terminal server into execution mode before remote users begin using the application. The Install Application on Terminal Server tool will automatically put the terminal server into execution mode when it is finished running. To put the 25

terminal server into execution mode from a command prompt, use the change user /execute command.

Additional considerations
Some programs may require minor setup modifications to run correctly on a terminal server. If you have programs that are related to each other or have dependencies on each other, you should install the programs on the same terminal server. For example, you should install Microsoft Office as a suite on the same terminal server instead of installing individual Office programs on separate terminal servers. You should consider installing individual programs on separate terminal servers in the following circumstances: The program has compatibility issues that may affect other programs. A single program and the number of associated users may fill server capacity.

For more information about the change user command-line tool, see the Terminal Services Command Reference (http://go.microsoft.com/fwlink/?LinkId=89674). For more information about deploying programs on a terminal server, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/? LinkId=79608).

Configure the Remote Desktop Users Group

The Remote Desktop Users group on a terminal server is used to give users and groups permission to remotely connect to a terminal server. You can add users and groups to the Remote Desktop Users group by using one of the following: Local Users and Groups snap-in Active Directory Users and Computers snap-in, if the terminal server is installed on a domain controller The Remote tab in the System Properties dialog box on a terminal server You can use the following procedure to add users and groups to the Remote Desktop Users group by using the Remote tab in the System Properties dialog box on a terminal server. Membership in the local Administrators group, or equivalent, on the terminal server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). To add users and groups to the Remote Desktop Users group by using the Remote tab 1. Start the System tool. To start the System tool, click Start, click Run, type control system and then click OK. 26

2. Under Tasks, click Remote settings. 3. In the System Properties dialog box, on the Remote tab, click Select Users. Add the users or groups that need to connect to the terminal server by using Remote Desktop. The users and groups that you add are added to the Remote Desktop Users group. Note Members of the local Administrators group can connect even if they are not listed. If you select Don't allow connections to this computer on the Remote tab, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group.

Managing Terminal Server

This section provides procedures for managing a terminal server. It includes the following topics: Change Remote Connection Settings Enable Single Sign-On for Terminal Services Manage User Profiles for Terminal Services Install Desktop Experience on a Terminal Server Configure Font Smoothing for Remote Sessions Monitor a Terminal Server with Windows System Resource Manager Uninstall the Terminal Server Role Service Deny Logon Requests to a Terminal Server

Change Remote Connection Settings

On the terminal server, on the Remote tab in the System Properties dialog box, you can change the following remote connection settings: Network Level Authentication requirement for Remote Desktop connections Membership of the Remote Desktop Users group

Membership in the local Administrators group, or equivalent, on the terminal server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

27

To change remote connections settings 1. Start the System tool. To start the System tool, click Start, click Run, type control system and then click OK. 2. Under Tasks, click Remote settings. 3. In the System Properties dialog box, on the Remote tab, click either of the following, depending on your environment: Allow connections from computers running any version of Remote Desktop (less secure) Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure) For more information about the two options, click the Help me choose link on the Remote tab. On the Remote tab, if you select Don't allow connections to this computer, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group. 4. Click Select Users to add the users and groups that need to connect to the computer by using Remote Desktop. The users and groups that you add are added to the Remote Desktop Users group. Note Members of the local Administrators group can connect even if they are not listed.

Enable Single Sign-On for Terminal Services

Single sign-on (SSO) is an authentication method that allows users with a domain account to log on once, by using a password or smart card, and then gain access to remote servers without being asked for their credentials again. To implement single sign-on functionality in Terminal Services, ensure that you meet the following requirements: You can only use single sign-on for remote connections from a computer running Windows Vista to a terminal server running Windows Server 2008. You can also use single sign-on for remote connections from one server running Windows Server 2008 to another server running Windows Server 2008. The user accounts that are used for logging on have appropriate rights to log on to both the terminal server and the Windows Vista client computer. Your client computer and terminal server must be joined to a domain. To configure the recommended settings for your terminal server, complete the following steps: 28

Configure authentication on the terminal server.

Configure the computer running Windows Vista to allow default credentials to be used for logging on to the specified terminal servers. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/? LinkId=83477). To configure authentication on the terminal server 1. Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration. 2. Under Connections, right-click the appropriate connection (for example, RDP-Tcp), and then click Properties. 3. In the Properties dialog box, on the General tab, verify that the Security Layer value is set to either Negotiate or SSL (TLS 1.0). 4. On the Log on Settings tab, ensure that the Always prompt for password check box is not selected, and then click OK. To allow default credential usage for single sign-on 1. On the Windows Vista-based computer, open the Local Group Policy Editor. To open the Local Group Policy Editor, click Start, and in the Start Search box, type gpedit.msc and then press ENTER. 2. In the left pane, expand the following: Computer Configuration, Administrative Templates, System, and then click Credentials Delegation. 3. Double-click Allow Delegating Default Credentials. 4. In the Properties dialog box, on the Setting tab, click Enabled, and then click Show. 5. In the Show Contents dialog box, click Add to add servers to the list. 6. In the Add Item dialog box, in the Enter the item to be added box, type the prefix termsrv/ followed by the name of the terminal server; for example, termsrv/Server1, and then click OK. 7. Click OK to close the Properties dialog box. For more information about security and Terminal Services, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkID=73931).

Manage User Profiles for Terminal Services

A user profile describes the configuration for a specific user, including the users environment and preference settings. Unless you carefully plan and manage user profiles in a terminal server 29

environment, user profiles can become large in size and can cause problems, such as slow logon times, when a user connects to a terminal server. User profile management is also important when users connect to several terminal servers or connect to terminal servers in remote locations. You can specify a Terminal Services-specific profile path and home folder for a user connecting to a terminal server. This profile and home folder will only be used for Terminal Services sessions. You should assign a separate profile for Terminal Services sessions because many of the common options that are stored in profiles, such as screen savers and animated menu affects, are not desirable when using Terminal Services. You can manually configure these settings on the Terminal Services Profile tab on the Properties sheet of a user account in the Local Users and Groups snap-in or the Active Directory Users and Computers snap-in. You can also use the following Group Policy settings to configure these settings: Set TS User Home Directory Set path for TS Roaming Profiles Use mandatory profiles on the terminal server

These Group Policy settings are located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Profiles, and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). For more information about implementing user profiles for users connecting to a terminal server, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=73931). For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673).

Install Desktop Experience on a Terminal Server

When a user uses Remote Desktop Connection to connect to a terminal server, the desktop that exists on the terminal server is reproduced by default in the remote session. To make the remote session look and feel more like the user's local Windows Vista desktop experience, install the Desktop Experience feature on a terminal server running Windows Server 2008. Desktop Experience installs applications and features of Windows Vista, such as Windows Media Player, Windows Defender, and Windows Calendar.

Install Desktop Experience

Use the following procedure to install Desktop Experience on the server.

30

Membership in the local Administrators group, or equivalent, on the terminal server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). Important After installing Desktop Experience, you need to restart the computer. To install Desktop Experience 1. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager. 2. Under Features Summary, click Add Features. 3. On the Select Features page, select the Desktop Experience check box, and then click Next. 4. On the Confirm Installation Selections page, verify that the Desktop Experience feature will be installed, and then click Install. 5. On the Installation Progress page, installation progress will be noted. 6. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close, and then click Yes to restart the server. 7. After the server restarts and you log on to the computer, the remaining steps of the installation will finish. When the Installation Results page appears, confirm that the installation of Desktop Experience succeeded. You can also confirm that Desktop Experience is installed by following these steps: a. Start Server Manager. b. Under Features Summary, confirm that Desktop Experience is listed as installed. After you install Desktop Experience, the Windows Vista applications, such as Windows Calendar, will appear under All Programs on the Start menu. For more information about configuring the look and feel of remote sessions, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/? linkid=73931).

Uninstall Desktop Experience

Use the following procedure to uninstall Desktop Experience from the server. Membership in the local Administrators group, or equivalent, on the terminal server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). After uninstalling Desktop Experience, you need to restart the computer. Important 31

To uninstall Desktop Experience 1. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager. 2. Under Features Summary, click Remove Features. 3. On the Select Features page, clear the Desktop Experience check box, and then click Next. 4. On the Confirm Removal Selections page, click Remove. 5. On the Removal Progress page, removal progress will be noted. 6. On the Removal Results page, you are prompted to restart the server to finish the removal process. Click Close, and then click Yes to restart the server. 7. After the server restarts and you log on to the computer, the remaining steps of the removal process will finish. When the Removal Results page appears, confirm that the removal of Desktop Experience succeeded. You can also confirm that Desktop Experience is removed by following these steps: a. Start Server Manager. b. Under Features Summary, confirm that Desktop Experience is no longer listed as installed.

Configure Font Smoothing for Remote Sessions

Windows Server 2008 supports ClearType, which is a technology for displaying computer fonts so that they appear clear and smooth, especially when you are using an LCD monitor. A terminal server running Windows Server 2008 can provide ClearType functionality in a remote session when a client computer connects to the terminal server by using Remote Desktop Connection. Note ClearType functionality is referred to as font smoothing in Remote Desktop Connection. Font smoothing is available if the client computer is running any of the following: Windows Vista Windows Server 2003 with SP1 and at least Remote Desktop Connection 6.0 Windows XP with SP2 and at least Remote Desktop Connection 6.0

Using font smoothing in a remote session will increase the amount of bandwidth used Important

32

Use the following procedure on the client computer to make font smoothing available for a remote session. To make font smoothing available in a remote session 1. Open Remote Desktop Connection. To open Remote Desktop Connection on Windows Vista, click Start, point to All Programs, click Accessories, and then click Remote Desktop Connection. 2. In the Remote Desktop Connection dialog box, click Options. 3. On the Experience tab, select the Font smoothing check box. 4. Configure any remaining connection settings, and then click Connect.

Monitor a Terminal Server with Windows System Resource Manager

Windows System Resource Manager (WSRM) on Windows Server 2008 allows you to control how CPU and memory resources are allocated to applications, services, and processes on the computer. Managing resources in this way improves system performance and reduces the chance that applications, services, or processes will take CPU or memory resources away from one another and slow down the performance of the computer. Managing resources also creates a more consistent and predictable experience for users of applications and services that are running on the computer. You can use WSRM to manage multiple applications on a single computer or to manage users on a computer on which Terminal Services is installed. Install the Terminal Server role service on your computer before you install and configure WSRM. To install WSRM, go to Features in Server Manager. For more information about installing, configuring, and using WSRM, see the Windows Server 2008 Windows System Resource Manager Help. There are two features of WSRM that are of particular interest to terminal server administrators: Resource-Allocation Policies Resource Monitor

Resource-Allocation Policies
WSRM uses resource-allocation policies to determine how computer resources, such as CPU and memory, are allocated to processes running on the computer. Two resource-allocation policies that are specifically designed for computers running Terminal Services are: Equal_Per_User Equal_Per_Session 33

Note The Equal_Per_Session resource-allocation policy is new for Windows Server 2008. If you implement the Equal_Per_Session resource-allocation policy, each user session (and its associated processes) gets an equal share of the CPU resources on the computer.

Resource Monitor
You should collect data about the performance of your terminal server before and after implementing the Equal_Per_Session resource-allocation policy (or making any other WSRMrelated configuration changes). You can use Resource Monitor in the Windows System Resource Manager snap-in to collect and view data about the usage of hardware resources and the activity of system services on the computer.

Uninstall the Terminal Server Role Service

Use the following procedure to uninstall the Terminal Server role service from the server. Membership in the local Administrators group, or equivalent, on the terminal server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). Important The removal of the Terminal Server role service from the server requires the computer to be restarted. To uninstall the Terminal Server role service 1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager. 2. In the left pane, expand Roles. 3. Right-click Terminal Services, and then click Remove Role Services. 4. On the Select Role Services page, clear the Terminal Server check box, and then click Next. 5. On the Confirm Removal Selections page, click Remove. 6. On the Removal Progress page, removal progress will be noted. 7. On the Removal Results page, you are prompted to restart the server to finish the removal process. Click Close, and then click Yes to restart the server. 8. If you are prompted that other programs are still running, do either of the following: To close the programs manually and restart the server later, click Cancel. 34

To automatically close the programs and restart the server, click Restart now.

9. After the server restarts and you log on to the computer, the remaining steps of the removal process will finish. When the Removal Results page appears, confirm that the removal of Terminal Server succeeded. You can also confirm that Terminal Server is removed by following these steps: a. Start Server Manager. b. Under Roles Summary, click Terminal Services. c. Under Role Services, confirm that Terminal Server has a status of Not Installed.

Deny Logon Requests to a Terminal Server

In Windows Server 2008, you can configure a terminal server to deny logon requests from new users. With the ability to deny logon requests from new users to specific servers in a farm, you can maintain your terminal server environment without disrupting end-user service. If you configure a terminal server to deny new logon requests, the following behavior occurs: Users with existing sessions can still reconnect to the server. Only new logon requests to that server are denied. However, an administrator can still log on to the server locally to perform maintenance on the server. Note An administrator can also connect remotely by starting the RDC client from the command line with the /admin option (mstsc /admin). If you are using TS Session Broker Load Balancing, TS Session Broker will redirect new users to other servers in the farm, where new user logon requests are enabled. Before you take a server down for maintenance, you can notify users with existing sessions to log off from the server by using Terminal Services Manager to send a message. To deny new user logon requests 1. Click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration. 2. In the Edit settings area, double-click User logon mode under General. 3. On the General tab, click either of the following: Allow reconnections, but prevent new logons Allow reconnections, but prevent new logons until the server is restarted

4. Click OK. When you are finished doing maintenance, ensure that Allow all connections is 35

selected.

Deploying TS Licensing
The Terminal Services Licensing (TS Licensing) role service is part of the core Terminal Services environment. You use TS Licensing to install, issue, and track Terminal Services client access licenses (TS CALs) for your deployment. To install TS Licensing and configure a license server, see the following topics: Installation Prerequisites for TS Licensing Checklist: Deploying TS Licensing Installing TS Licensing Connecting to a Terminal Services License Server Activating a Terminal Services License Server Installing Terminal Services Client Access Licenses Configuring License Settings on a Terminal Server Tracking the Issuance of Terminal Services Per User Client Access Licenses Troubleshooting TS Licensing Installation

Installation Prerequisites for TS Licensing

TS Licensing manages the Terminal Services client access licenses (TS CALs) that are required for each device or user to connect to a terminal server. You use TS Licensing to install, issue, and track the availability of TS CALs on a Terminal Services license server. This checklist provides tasks that an administrator should perform before installing and configuring TS Licensing.
Task Reference

Determine if a Terminal Services license server is needed.

Remote Desktop supports two concurrent connections to remotely administer a computer. You do not need a license server for these connections. TS Licensing in Windows Server 2008 supports terminal servers that run: Windows Server 2008 Windows Server 2003 R2 Windows Server 2003 36

Verify that the license server supports the operating system of the terminal servers.

Task

Reference

Windows 2000

A terminal server running Windows Server 2008 can only communicate with a license server running Windows Server 2008. Determine which type of TS CALs to use. Purchase the appropriate type and number of TS CALs. Determine the method of the Terminal Services license server discovery. Terminal Services Client Access Licenses (TS CALs) Purchase Client Access Licenses (http://go.microsoft.com/fwlink/?LinkID=81077) Terminal Services License Server Discovery

Terminal Services Client Access Licenses (TS CALs)

There are two types of Terminal Services client access licenses (TS CALs): TS Per Device CALs TS Per User CALs

Important The Terminal Services licensing mode configured on a terminal server must match the type of TS CALs that are available on the license server. For more information, see Configuring License Settings on a Terminal Server. When Per Device licensing mode is used, and a client computer or device connects to a terminal server for the first time, the client computer or device is issued a temporary license by default. When a client computer or device connects to a terminal server for the second time, if the license server is activated and enough TS Per Device CALs are available, the license server issues the client computer or device a permanent TS Per Device CAL. A TS Per User CAL gives one user the right to access a terminal server from an unlimited number of client computers or devices. TS Per User CALs are not enforced by TS Licensing. As a result, client connections can occur regardless of the number of TS Per User CALs that are installed on the license server. This does not absolve administrators from the Microsoft Software License Terms requirements to have a valid TS Per User CAL for each user. Failure to have a TS Per User CAL for each user, if Per User licensing mode is being used, is a violation of the license terms. To ensure that you are in compliance with the license terms, make sure that you track the number of TS Per User CALs that are being used in your organization, and ensure that you have a 37

sufficient number of TS Per User CALs installed on the license server to provide a TS Per User CAL for each user that needs to connect to the terminal server. In Windows Server 2008, you can use the TS Licensing Manager tool to track and generate reports on the issuance of TS Per User CALs. For more information, see Tracking the Issuance of Terminal Services Per User Client Access Licenses.

Terminal Services License Server Discovery

When you install the TS Licensing role service, you need to specify a discovery scope, which determines how the Terminal Services license server will be automatically discoverable by terminal servers. The three discovery scopes are: Workgroup Domain Forest

The recommended discovery scope for a license server is Forest. Note In Windows Server 2003, "forest discovery scope" was known as "enterprise scope." Workgroup discovery scope is only available when the computer on which you are installing the TS Licensing role service is not a member of a domain. If you configure workgroup discovery scope, terminal servers, without additional configuration, can automatically discover a license server in the same workgroup. Domain discovery scope and forest discovery scope are only available when the computer on which you are installing the TS Licensing role service is a member of a domain. Note If the license server is a member of a workgroup, and then you join the license server to an Active Directory domain, the discovery scope for the license server is automatically changed from Workgroup to Domain. If you configure domain discovery scope, terminal servers, without additional configuration, can automatically discover a license server in the same domain only if the license server is installed on a domain controller. You can install the TS Licensing role service on a non-domain controller, but the license server will not be automatically discoverable by terminal servers in the domain. To configure domain discovery scope, you must be logged on as a domain administrator to the domain in which the license server is a member. If you configure forest discovery scope, terminal servers, without additional configuration, can automatically discover a license server in the same forest, because the license server is published in Active Directory Domain Services. To configure forest discovery scope, you must be logged on as an enterprise administrator to the forest in which the license server is a member. 38

Important To issue TS Per User CALs to users in other domains, the license server must be a member of the Terminal Server License Servers group in those domains, regardless of whether the discovery scope for the license server is Domain or Forest. In the license server discovery process, a terminal server in a Windows Server-based domain attempts to contact a license server in the following order: License servers that are specified in the Terminal Services Configuration tool or by using Group Policy A license server that is installed on the same computer as the terminal server License servers that are published in Active Directory Domain Services

License servers that are installed on domain controllers in the same domain as the terminal server Important To see which license servers the terminal server discovers and to be alerted to possible licensing discovery and configuration issues, use Licensing Diagnosis in Terminal Services Configuration. For more information, see Troubleshooting TS Licensing Installation. You can change the discovery scope of the license server by using Review Configuration in the TS Licensing Manager tool. For more information, see Troubleshooting TS Licensing Installation.

Checklist: Deploying TS Licensing

TS Licensing manages the Terminal Services client access licenses (TS CALs) that are required for each device or user to connect to a terminal server. You use TS Licensing to install, issue, and track the availability of TS CALs on a Terminal Services license server. This checklist provides the tasks that an administrator needs to complete to install and configure TS Licensing.
Task Reference

Review prerequisites for installing TS Licensing. Install the TS Licensing role service. Activate the Terminal Services license server. Install Terminal Services client access licenses (TS CALs) on the Terminal Services license server.

Installation Prerequisites for TS Licensing Installing TS Licensing Activating a Terminal Services License Server Installing Terminal Services Client Access Licenses

39

Task

Reference

Configure the terminal server to support TS Licensing.

Configuring License Settings on a Terminal Server

For more information, see TS Licensing Configuration Guidelines in the TS Licensing Manager Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/? LinkId=107352).

Installing TS Licensing
Use the following procedure to install the TS Licensing role service by using Server Manager. Note The installation of the TS Licensing role service does not require the computer to be restarted.

Installation prerequisites
1. Before you install the TS Licensing role service, join your computer to Active Directory Domain Services (AD DS). If you want your license server to be available to terminal servers within a domain, you can join it to that domain. If you want your license server to be available across domains, you must join your computer to the top node in the forest. 2. Before you install your license server, arrange for the credentials that are required to configure license server discovery scope: For the license server to be accessible to terminal servers within the domain, you need to have domain administrator permissions. For the license server to be accessible to terminal servers within the forest, you need to have enterprise administrator permissions. Note If you install the TS Licensing role service without the appropriate credentials, an error appears that describes the level of access necessary to complete the installation.

Install the TS Licensing role service

Following are the recommended configurations for a new TS Licensing deployment. If you are configuring a license server for an existing deployment, your choices may be different. Verify that the settings are correct before you install the new license server.

40

To install the TS Licensing role service 1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager. 2. In the left pane, right-click Roles, and then click Add Roles. 3. In the Add Roles Wizard, on the Before You Begin page, click Next. 4. On the Select Server Roles page, under Roles, select the Terminal Services check box, and then click Next. Note If Terminal Services is already installed on the server, the Terminal Services check box will be selected and dimmed. 5. On the Terminal Services page, click Next. 6. On the Select Role Services page, select the TS Licensing check box. 7. On the Configure Discovery Scope for TS Licensing page, select This Domain or This Forest, verify that the location of the TS Licensing database is correct, and then click Next. Note If your account does not have sufficient permissions for the selected discovery scope, you will see an alert at the bottom of the page describing the level needed. If you continue, the TS Licensing role service will install. You can configure discovery scope by using Review Configuration in the TS Licensing Manager tool. 8. On the Confirm Installation Selections page, verify that the TS Licensing role service will be installed, and then click Install. On the Installation Progress page, installation progress will be noted. 9. On the Installation Results page, confirm that the installation succeeded, and then click Close. To install the TS Licensing role service (when Terminal Services is already installed) 1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager. 2. In the left pane, expand Roles. 3. Right-click Terminal Services, and then click Add Role Services. 4. On the Select Role Services page, select the TS Licensing check box, and then click Next. 5. On the Configure Discovery Scope for TS Licensing page, select This Domain or This Forest, verify that the location of the TS Licensing database is correct, and then click Next.

41

Note If your account does not have sufficient permissions for the selected discovery scope, you will see an alert at the bottom of the page describing the level needed. If you continue, the TS Licensing role service will install. You can configure discovery scope by using Review Configuration in the TS Licensing Manager tool. 6. On the Confirm Installation Selections page, verify that the TS Licensing role service will be installed, and then click Install. On the Installation Progress page, installation progress will be noted. 7. On the Installation Results page, confirm that installation for the TS Licensing role service succeeded, and then click Close.

Connecting to a Terminal Services License Server

After installing TS Licensing, you can use the TS Licensing Manager tool to connect to and manage Terminal Services license servers. If you want to use TS Licensing Manager from another computer running Windows Server 2008, see Installing TS Licensing Manager. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. To connect to a Terminal Services license server 1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager. 2. On the Action menu, click Connect. 3. In the Server box, type the name of the license server to which you want to connect, and then click Connect. When TS Licensing Manager opens, it tries to find all the license servers in the workgroup or domain that are automatically discoverable and to which the user has the appropriate administrative permissions.

Install TS Licensing Manager

The TS Licensing Manager tool in Windows Server 2008 is automatically installed on any computer on which the TS Licensing role service is installed. If you want to manage your license 42

servers from a remote computer running Windows Server 2008, you can install TS Licensing Manager on that computer by using the following procedure. Membership in the local Administrators group, or equivalent, on the computer that you plan to configure, is the minimum required to complete this procedure. To install TS Licensing Manager by using Server Manager 1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager. 2. In the left pane, right-click Features, and then click Add Features. 3. On the Select Features page, expand Remote Server Administration Tools, expand Role Administration Tools, and then expand Terminal Services Tools. 4. Select the TS Licensing Tools check box, and then click Next. 5. On the Confirm Installation Selections page, click Install. 6. On the Installation Progress page, installation progress will be noted. 7. On the Installation Results page, confirm that installation of TS Licensing Manager succeeded, and then click Close. 8. To run TS Licensing Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager.

Activating a Terminal Services License Server

A Terminal Services license server must be activated to certify the server and to allow the license server to issue Terminal Services client access licenses (TS CALs). You can activate a license server by using the Activate Server Wizard in the TS Licensing Manager tool. Use one of the following methods to activate your license server: Activate a Terminal Services License Server Automatically This method requires Internet connectivity from the computer running TS Licensing Manager. Internet connectivity is not required from the license server itself. This method uses TCP/IP (TCP port 443) to connect directly to the Microsoft Clearinghouse. Activate a Terminal Services License Server by Using a Web Browser You can use the Web method when the computer running TS Licensing Manager does not have Internet connectivity, but you have access to the Web by means of a Web browser from another computer. The URL for the Web method is displayed in the Activate Server Wizard. Activate a Terminal Services License Server by Using the Telephone The telephone method allows you to talk to a Microsoft customer service representative to complete the activation process. The appropriate telephone number is determined by the country/region that you choose in the Activate Server Wizard and is displayed by the wizard. 43

When you activate the license server, Microsoft provides the server with a limited-use digital certificate that validates server ownership and identity. Microsoft uses an X.509 industry standard certificate for this purpose. By using this certificate, a license server can make subsequent transactions with Microsoft. If a license server is not activated, the license server can only issue temporary TS Per Device CALs that are valid for 90 days, or TS Per User CALs.

Activate a Terminal Services License Server Automatically

The automatic activation method requires Internet connectivity from the computer running the TS Licensing Manager tool. Internet connectivity is not required from the license server itself. This method uses TCP/IP (TCP port 443) to connect directly to the Microsoft Clearinghouse. Membership in the local Administrators group, or equivalent, on the license server, is the minimum required to complete this procedure. To activate a Terminal Services license server automatically 1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager. 2. Right-click the license server that you want to activate, and then click Activate Server. The Activate Server Wizard starts. 3. Click Next. 4. On the Connection Method page, in the Connection method list, select Automatic connection (recommended), and then click Next. 5. On the Company Information page, type your name, company, and country/region information, and then click Next. 6. Specify any other information that you want, such as e-mail and company address. This information is optional. 7. Click Next. Your license server is activated. 8. On the Completing the Activate Server Wizard page, do one of the following: To install Terminal Services client access licenses (TS CALs) onto your license server, ensure that the Start Install Licenses Wizard now check box is selected, click Next, and then follow the instructions. To install TS CALs later, clear the Start Install Licenses Wizard now check box, and then click Finish.

44

Activate a Terminal Services License Server by Using a Web Browser

The Web activation method can be used when the computer running the TS Licensing Manager tool does not have Internet connectivity, but you have access to the Web by means of a Web browser from another computer. The URL for the Web method is displayed in the Activate Server Wizard. Membership in the local Administrators group, or equivalent, on the license server, is the minimum required to complete this procedure. To activate a Terminal Services license server by using a Web browser 1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager. 2. Right-click the license server that you want to activate, and then click Activate Server. The Activate Server Wizard starts. 3. Click Next. 4. On the Connection Method page, in the Connection method list, select Web Browser, and then click Next. 5. On the License Server Activation page, click the hyperlink to connect to the Terminal Server Licensing Web site. If you are running TS Licensing Manager on a computer that does not have Internet connectivity, note the address for the Terminal Server Licensing Web site, and then connect to the Web site from a computer that has Internet connectivity. 6. Under Select Option, click Activate a license server, and then click Next. 7. In the Product ID boxes, type your Product ID. Your Product ID is displayed on the License Server Activation page of the Activate Server Wizard. You must also complete the name, company, and country/region fields. Specify any other information that you want to provide, such as e-mail and company address, and then click Next. 8. Confirm your entries, and then click Next. Your license server ID is displayed. Write down the license server ID or print the Web page. 9. On the License Server Activation page of the Activate Server Wizard, type the license server ID that you received in the previous step, and then click Next. Your license server is activated. 10. On the Completing the Activate Server Wizard page, do one of the following: To install Terminal Services client access licenses (TS CALs) onto your license server, ensure that the Start Install Licenses Wizard now check box is selected, click Next, and then follow the instructions. To install TS CALs later, clear the Start Install Licenses Wizard now check box, and then click Finish. 45

Activate a Terminal Services License Server by Using the Telephone

The telephone activation method allows you to talk to a Microsoft customer service representative to complete the activation process. The appropriate telephone number is determined by the country/region that you choose in the Activate Server Wizard and is displayed by the wizard. Membership in the local Administrators group, or equivalent, on the license server, is the minimum required to complete this procedure. To activate a Terminal Services license server by telephone 1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager. 2. Right-click the license server that you want to activate, and then click Activate Server. The Activate Server Wizard starts. 3. Click Next. 4. On the Connection Method page, in the Connection method list, select Telephone, and then click Next. 5. On the Country or Region Selection page, click your country/region, and then click Next to display the appropriate telephone number to call. 6. Call Microsoft by using the telephone number that is displayed on the License Server Activation page, and then provide the Microsoft customer support representative with the Product ID that is displayed on your screen. The representative will also ask you to provide your name and the name of your company. The representative processes your request to activate the license server, and creates a unique ID for your license server. 7. On the License Server Activation page, type the license server ID that the representative provides, and then click Next. Your license server is activated. 8. On the Completing the Terminal Server License Server Activation Wizard page, do one of the following: To install Terminal Services client access licenses (TS CALs) onto your license server, ensure that the Start Install Licenses Wizard now check box is selected, click Next, and then follow the instructions. To install TS CALs later, clear the Start Install Licenses Wizard now check box, and then click Finish.

46

Installing Terminal Services Client Access Licenses

Using the Install Licenses Wizard in the TS Licensing Manager tool, you can use one of three methods to install Terminal Services client access licenses (TS CALs) onto your license server: Install Terminal Services Client Access Licenses Automatically This method requires Internet connectivity from the computer running TS Licensing Manager. Internet connectivity is not required from the license server itself. This method uses TCP/IP (TCP port 443) to connect directly to the Microsoft Clearinghouse. Install Terminal Services Client Access Licenses by Using a Web Browser You can use the Web method when the computer running TS Licensing Manager does not have Internet connectivity, but you have access to the Web by means of a Web browser from another computer. The URL for the Web installation method is displayed in the Install Licenses Wizard. Install Terminal Services Client Access Licenses by Using the Telephone The telephone method allows you to talk to a Microsoft customer service representative to complete the installation process. The appropriate telephone number is determined by the country/region that you chose in the Activate Server Wizard and is displayed by the wizard. Before you install TS CALs onto your license server, note the following: You must activate your Terminal Services license server before you can install TS CALs onto your license server. For more information, see Activating a Terminal Services License Server. You need a license code to install TS CALs onto your license server. A license code is provided when you purchase your TS CALs. For more information, see Purchase Client Access Licenses (http://go.microsoft.com/fwlink/?LinkID=81077).

Install Terminal Services Client Access Licenses Automatically

The automatic installation method requires Internet connectivity from the computer running TS Licensing Manager to complete the Terminal Services client access license (TS CAL) installation process. Internet connectivity is not required from the license server itself. This method uses TCP/IP (TCP port 443) to connect directly to the Microsoft Clearinghouse. Membership in the local Administrators group, or equivalent, on the license server, is the minimum required to complete this procedure. To install Terminal Services client access licenses automatically 1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager. 47

2. Verify that the connection method for the Terminal Services license server is set to Automatic connection (recommended) by right-clicking the license server on which you want to install TS CALs, and then clicking Properties. On the Connection Method tab, change the connection method if necessary, and then click OK. 3. In the console tree, right-click the Terminal Services license server on which you want to install the TS CALs, click Install Licenses to open the Install Licenses Wizard, and then click Next. 4. On the License Program page, select the appropriate program through which you purchased your TS CALs, and then click Next. 5. The License Program that you selected on the previous page in the wizard will determine what information you will need to provide on this page. In most cases, you will have to provide either a license code or an agreement number. Consult the documentation provided when you purchased your TS CALs. 6. After you have entered the required information, click Next. 7. On the Product Version and License Type page, select the appropriate product version, license type, and quantity of TS CALs for your environment based on your TS CAL purchase agreement, and then click Next. 8. The Microsoft Clearinghouse is automatically contacted and processes your request. The TS CALs are then automatically installed onto the license server. 9. On the Completing the Install Licenses Wizard page, click Finish. The Terminal Services license server can now issue TS CALs to clients that connect to a terminal server.

Install Terminal Services Client Access Licenses by Using a Web Browser

The Web method can be used to complete the Terminal Services client access license (TS CAL) installation process when the computer running the TS Licensing Manager tool does not have Internet connectivity, but you have access to the Web by means of a Web browser from another computer. The URL for the Web installation method is displayed in the Install Licenses Wizard. Membership in the local Administrators group, or equivalent, on the license server, is the minimum required to complete this procedure. To install Terminal Services client access licenses by using a Web browser 1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager. 2. Verify that the connection method for the Terminal Services license server is set to Web Browser by right-clicking the license server on which you want to install TS CALs, 48

and then clicking Properties. On the Connection Method tab, change the connection method if necessary, and then click OK. 3. In the console tree, right-click the Terminal Services license server on which you want to install the TS CALs, click Install Licenses to open the Install Licenses Wizard, and then click Next. 4. On the Obtain Client License Key Pack page, click the hyperlink to connect to the Terminal Server Licensing Web site. If you are running TS Licensing Manager on a computer that does not have Internet connectivity, note the address for the Terminal Server Licensing Web site, and then connect to the Web site from a computer that has Internet connectivity. 5. On the Windows Terminal Services Web page, under Select Option, click Install Client Access License tokens, and then click Next. 6. Provide the following required information: License Server ID A 35-digit number, in groups of 5 numerals, which is displayed on the Obtain Client License Key Pack page in the Install Licenses Wizard. License Program Select the appropriate program through which you purchased your TS CALs. Last name or surname First name or given name Company name Country/region

You can also provide the optional information requested, such as company address, email address, and phone number. In the organizational unit field, you can describe the unit within your organization that this license server will serve. 7. Click Next. 8. The License Program that you selected on the previous page will determine what information you will need to provide on this page. In most cases, you will have to provide either a license code or an agreement number. Consult the documentation provided when you purchased your TS CALs. In addition, you will need to specify which type of TS CAL (for example, Windows Server 2008 TS Per Device CAL) and the quantity that you want to install on the license server. 9. After you have entered the required information, click Next. 10. Verify that all of the information that you have entered is correct. To submit your request to the Microsoft Clearinghouse, click Next. The Web page then displays a license key pack ID generated by the Microsoft Clearinghouse. Important Retain a copy of the license key pack ID. Having this information with you will facilitate communications with the Microsoft Clearinghouse should you need assistance with recovering TS CALs. 49

11. In the Install Licenses Wizard, on the Obtain Client License Key Pack page, enter the license key pack ID that you received in the previous step in the boxes provided, and then click Next. The TS CALs are installed on your Terminal Services license server. 12. On the Completing the Install Licenses Wizard page, click Finish. The Terminal Services license server can now issue TS CALs to clients that connect to a terminal server.

Install Terminal Services Client Access Licenses by Using the Telephone

The telephone installation method allows you to talk to a Microsoft customer service representative to complete the Terminal Services client access license (TS CAL) installation process. The appropriate telephone number is displayed in the Install Licenses Wizard and is determined by the country/region that you have specified. Membership in the local Administrators group, or equivalent, on the license server, is the minimum required to complete this procedure. To install client access licenses by using the telephone 1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager. 2. Verify that the connection method for the Terminal Services license server is set to Telephone by right-clicking the license server on which you want to install TS CALs, and then clicking Properties. On the Connection Method tab, change the connection method if necessary. On the Required Information tab, change the country/region if necessary, and then click OK. 3. In the console tree, right-click the Terminal Services license server on which you want to install the TS CALs, click Install Licenses to open the Install Licenses Wizard, and then click Next. 4. On the Obtain client license key pack page, use the telephone number that is displayed to call the Microsoft Clearinghouse, and give the representative your Terminal Services license server ID and the required information for the licensing program through which you purchased your TS CALs. The representative then processes your request to install TS CALs, and gives you a unique ID for the TS CALs. This unique ID is referred to as the license key pack ID. Important Retain a copy of the license key pack ID. Having this information with you will facilitate communications with the Microsoft Clearinghouse should you need assistance with recovering TS CALs. 50

5. In the Install Licenses Wizard, on the Obtain client license key pack page, enter the license key pack ID provided by the representative into the boxes provided, and then click Next. The TS CALs are installed on your Terminal Services license server. 6. On the Completing the Install Licenses Wizard page, click Finish. The Terminal Services license server can now issue TS CALs to clients that connect to a terminal server.

Configuring License Settings on a Terminal Server

After you install and configure the Terminal Services license server, you need to configure your terminal server by doing the following: Specify the Terminal Services licensing mode Specify the license server discovery mode

Specify the Terminal Services licensing mode

The Terminal Services licensing mode determines the type of Terminal Services client access licenses (TS CALs) that a terminal server requests from a license server on behalf of a client computer that is connecting to the terminal server. Important The Terminal Services licensing mode that is configured on a terminal server must match the type of TS CALs that are available on the license server. For more information about TS CALs, see Terminal Services Client Access Licenses (TS CALs). The Terminal Services licensing mode for the terminal server can be set in the following ways: During the installation of the Terminal Server role service in Server Manager, on the Specify Licensing Mode page in the Add Roles Wizard. On the Specify Licensing Mode page, you can select Configure later if you are unsure during the installation whether to select Per Device or Per User. If you select Configure later, each time you log on as an administrator to the terminal server, a message will appear in the lower-right corner of the desktop reminding you that you need to configure the licensing mode for the terminal server. By configuring the Terminal Services licensing mode for the terminal server by using the Terminal Services Configuration tool. If the Specify the Terminal Services licensing mode choices are dimmed and you cannot make a selection, the Set Terminal Services licensing mode Group Policy setting has been enabled and has been applied to the terminal server. 51

By applying the Set Terminal Services licensing mode Group Policy setting.

This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Licensing and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that the Group Policy setting takes precedence over the setting that is configured in Terminal Services Configuration. For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673). Use the following procedure to specify the Terminal Services licensing mode on a terminal server by using Terminal Services Configuration. Membership in the local Administrators group, or equivalent, on the computer that you plan to configure, is the minimum required to complete this procedure. To specify the Terminal Services licensing mode on a terminal server by using Terminal Services Configuration 1. On the terminal server, open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration. 2. Under Licensing, double-click Terminal Services licensing mode. 3. Select either Per Device or Per User, depending on which is appropriate for your environment, and then click OK.

Specify the license server discovery mode

A terminal server must be able to contact (discover) a Terminal Services license server to request Terminal Services client access licenses (TS CALs) for users or computing devices that are connecting to the terminal server. The license server discovery mode for the terminal server can be set in the following ways: By configuring License Server discovery mode for the terminal server in the Terminal Services Configuration tool. If the Specify the license server discovery mode choices are dimmed and you cannot make a selection, the Use the specified Terminal Services license servers Group Policy setting has been enabled and has been applied to the terminal server. By applying the Use the specified Terminal Services license servers Group Policy setting. This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Licensing and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that the Group Policy setting takes precedence over the setting that is configured in Terminal Services Configuration.

52

For more information about the license server discovery process, see Terminal Services License Server Discovery. Important To see which license servers the terminal server discovers, and to be alerted to possible licensing discovery and configuration issues, use Licensing Diagnosis in Terminal Services Configuration. For more information about Licensing Diagnosis, see Troubleshooting TS Licensing Installation. For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?Linkid=89673). Use the following procedure to specify the license server discovery mode on a terminal server by using Terminal Services Configuration. Membership in the local Administrators group, or equivalent, on the computer that you plan to configure, is the minimum required to complete this procedure. To specify the license server discovery mode on a terminal server by using Terminal Services Configuration 1. On the terminal server, open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration. 2. Under Licensing, double-click License server discovery mode. 3. Select either of the following, depending on which is appropriate for your environment: Automatically discover a license server Use the specified license servers

For more information about the license server discovery process, see Terminal Services License Server Discovery. 4. After you have made a selection, click OK.

Tracking the Issuance of Terminal Services Per User Client Access Licenses
In Windows Server 2008, you can use the TS Licensing Manager tool to generate reports to track the TS Per User CALs that have been issued by a Terminal Services license server. Consider the following when using TS Per User CAL tracking and reporting in Windows Server 2008:

53

 TS Per User CAL tracking and reporting can only be used for TS Per User CALs in Windows Server 2008. You cannot track and report on TS Per User CALs in Windows Server 2003. TS Per User CAL tracking and reporting is supported only in domain-joined scenarios; that is, the terminal server and the license server must be members of a domain. TS Per User CAL tracking and reporting is not supported in workgroup mode. Active Directory Domain Services (AD DS) is used for TS Per User CAL tracking. The information about the TS Per User CAL that has been issued to a user is stored as part of the user account in AD DS. AD DS can be Windows Server 2008-based or Windows Server 2003-based. The computer account for the license server must be a member of the Terminal Server License Servers group in the domain. If the license server is installed on a domain controller, the Network Service account must also be a member of the Terminal Server License Servers group. Important To issue TS Per User CALs to users in other domains, there must be a two-way trust between the domains, and the license server must be a member of the Terminal Server License Servers group in those domains. To determine if the license server is correctly configured for TS Per User CAL tracking and reporting, you can use Review Configuration. For more information about Review Configuration, see Troubleshooting TS Licensing Installation. Because the information about the TS Per User CALs that have been issued to users is stored in AD DS, the only way to get the most current information about the TS Per User CALs that have been issued by the license server is to create a report by using TS Licensing Manager. When you create a report, the necessary information is pulled from AD DS and is compiled together into a report. Note Because TS Licensing Manager cannot dynamically update the number of TS Per User CALs that are currently issued and available, those columns are left blank in some areas of TS Licensing Manager. Instead there is a Generate Report hyperlink that takes you to this topic. In the Report node, you can view information from reports that have been created, but that information is specific to the date and time when the report was created. Use the following procedure to create a report about the TS Per User CALs that have been issued by a license server. Membership in the local Administrators group, or equivalent, on the license server, is the minimum required to complete this procedure. To create a report about the TS Per User CALs that have been issued by a license server 1. Click Start, point to Administrative Tools, point to Terminal Services, and then 54

click TS Licensing Manager. 2. Select the license server for which you want to generate a report. 3. On the Action menu, point to Create Report, and then click Per User CAL Usage. 4. In the Create Per User CAL Usage Report dialog box, select one of the following: Entire domain This is the domain in which the license server is a member. Organizational Unit This is any OU within the domain in which the license server is a member. Entire domain and all trusted domains This can include domains in other forests. Selecting this option can increase the time that it takes to create the report. The selection that you make determines which user accounts in AD DS will be searched for TS Per User CAL information to generate the report. 5. Click Create Report. The report will be created and a message will appear to confirm that the report was successfully created. Click OK to close the message. 6. The report that you created will appear in the Reports section under the node for the license server. The report provides the following information: Date and time the report was created The scope of the report (for example, Domain, OU=Sales, or All trusted domains) The number of TS Per User CALs that are installed on the license server

The number of TS Per User CALs that have been issued by the license server specific to the scope of the report 7. You can also save the report as a CSV file to a folder location on the computer. To save the report, right-click the report that you want to save, click Save As, and then specify the file name and location to save the report. Reports that you create are listed in the Reports node under the node for the license server in TS Licensing Manager. If you no longer need a report, you can delete the report. Use the following procedure to delete a report in TS Licensing Manager. Membership in the local Administrators group, or equivalent, on the license server, is the minimum required to complete this procedure.

55

To delete a report in TS Licensing Manager 1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager. 2. Expand the All Servers node, expand the node for the license server for which the report was created, and then click Reports. 3. If there is a specific report that you want to delete, right-click the report, and then click Delete Report. To confirm that you want to delete the report, click Yes. 4. If you want to delete all the reports or only reports older than a certain number of days, on the Action menu, click Delete Reports. 5. In the Delete Reports dialog box, select either to delete all reports or only reports older than the number of days that you specify, and then click OK. The reports will be deleted immediately, and you will not be prompted to confirm the deletion.

Troubleshooting TS Licensing Installation

You can check the configuration of your Terminal Services license server and identify common licensing problems for a terminal server by using the following: Review Configuration in the TS Licensing Manager tool Licensing Diagnosis in the Terminal Services Configuration tool

Review the configuration of your license server

After you install and configure the TS Licensing role service on a computer running Windows Server 2008, you can use Review Configuration in the TS Licensing Manager tool to review the configuration of the license server and to help identify possible TS Licensing configuration problems that would prevent the license server from doing the following: Being discovered by terminal servers Issuing Terminal Services client access licenses (TS CALs) to users or devices that are connecting to a terminal server Tracking and reporting the issuance of TS Per User CALs

Note Review Configuration is used to identify possible TS Licensing configuration problems on a license server, not configuration problems on a terminal server. To be alerted to possible licensing discovery and configuration issues on a terminal server, use Licensing Diagnosis in the Terminal Services Configuration tool. For information about Licensing Diagnosis, see Diagnose licensing problems on your terminal server. 56

Important To use Review Configuration, the license server must be a member of an Active Directory domain. You can use Review Configuration to do the following: Check discovery scope settings: If the discovery scope for a license server is set to Domain, Review Configuration checks if the license server is installed on a domain controller. If the discovery scope for a license server is set to Forest, Review Configuration checks if the license server is published in Active Directory Domain Services (AD DS). If the discovery scope for a license server is set to Domain or Forest, Review Configuration checks if the license server is a member of the Terminal Server License Servers group in AD DS. Change the discovery scope of the license server by clicking Change Scope. For more information, see Change the Discovery Scope of a Terminal Services License Server in the TS Licensing Manager Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=107404). Find the location of the TS Licensing database. Check if the License server security group Group Policy setting is enabled and applied to the license server. For more information about the License server security group Group Policy setting, see Control the Issuance of Terminal Services Client Access Licenses (TS CALs) in the TS Licensing Manager Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=107405). Use the following procedure to review the configuration of a license server by using TS Licensing Manager. Membership in the local Administrators group, or equivalent, on the license server, is the minimum required to complete this procedure. To review the configuration of a license server by using TS Licensing Manager 1. Click Start, point to Administrative Tools, point to Terminal Services, and then click TS Licensing Manager. 2. In the left pane, click All servers. In the right pane, in the Configuration column, you see either OK or Review. Review indicates that there is a possible configuration issue with the license server. 3. To review the configuration details of a license server, do one of the following: Select the license server that you want to review, and then on the Action menu, click Review Configuration. Right-click the license server that you want to review, and then click Review Configuration. If Review is displayed in the Configuration column for a license server, click 57

Review. 4. In the Configuration dialog box, a list of messages provides you with information about the configuration of the license server and identifies possible configuration issues. For certain configuration issues, you can correct the problem from within the Configuration dialog box if you have the appropriate administrative privileges. For example, if the license server is not published in AD DS and you have Enterprise Admins privileges in AD DS, you can click Publish in AD DS to correct the problem.

Diagnose licensing problems on your terminal server

Each user or computing device that connects to a terminal server must have a valid Terminal Services client access license (TS CAL) issued by a Terminal Services license server. A terminal server must be able to discover a Terminal Services license server to request TS CALs for users or computing devices that are connecting to the terminal server. Terminal Services Configuration for Windows Server 2008 includes the Licensing Diagnosis tool, which provides information to help identify possible licensing problems for the terminal server, including the following: Determines which license servers the terminal server can discover Determines whether those license servers have TS CALs available to issue to users or computing devices that are connecting to the terminal server Tries to identify possible licensing problems and provide resolutions to those problems Use the following procedure to run the Licensing Diagnosis tool. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. To run the Licensing Diagnosis tool 1. Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration. 2. In the left pane, click Licensing Diagnosis. Licensing Diagnosis automatically runs and tries to discover license servers and identify licensing configuration problems, and then displays the results. The Licensing Diagnosis results include the following: Terminal Server Configuration Details, which displays configuration information about the terminal server, including the licensing mode and discovery mode that have been specified for the terminal server. Licensing Diagnosis Information, which displays any licensing problems that were identified along with suggested resolutions to the problems.

58

 Terminal Services License Server Information, which displays the license servers that were discovered by the terminal server. License Server Configuration Details, which displays configuration information about a license server, including the type and version of TS CALs installed and available on that license server. To view the configuration details of a selected license server, the account that you are logged on as needs administrator privileges on the license server. If your account does not have administrator privileges on the license server, you can use Provide Credentials in the Licensing Diagnosis tool to provide credentials that have administrative privileges on the license server. Important To view the configuration details of a Windows 2000 or a Windows Server 2003 license server, you must provide the credentials of the built-in local Administrator account on the license server. The credentials of any other account, even if that account has administrator privileges on the license server, will not allow you to view the configuration details.

Deploying TS Session Broker

Terminal Services Session Broker (TS Session Broker) is a role service that keeps track of user sessions in a load-balanced terminal server farm. The TS Session Broker database stores session state information that includes session IDs, their associated user names, and the name of the server where each session resides. TS Session Broker uses this information to redirect users who have an existing session to the terminal server where their session exists. If the TS Session Broker Load Balancing feature is enabled, TS Session Broker also tracks the number of user sessions on each terminal server in the farm, and directs new sessions to the terminal server with the fewest sessions. To install and configure a TS Session Broker server, see the following topics: Installation Prerequisites for TS Session Broker Checklist: Creating a Load-Balanced Terminal Server Farm by Using TS Session Broker Installing TS Session Broker

Adding Each Terminal Server in the Farm to the Session Directory Computers Local Group Configuring a Terminal Server to Join a Farm in TS Session Broker Configuring DNS for TS Session Broker Load Balancing Configuring Dedicated Redirectors (optional)

59

Installation Prerequisites for TS Session Broker

To participate in TS Session Broker Load Balancing, the following system requirements apply: The TS Session Broker server and the terminal servers in the farm must be running Windows Server 2008. TS Session Broker is available in the following operating systems: Windows Server 2008 Standard, Windows Server 2008 Enterprise, and Windows Server 2008 Datacenter. Note Windows Server 2003-based terminal servers cannot use the TS Session Broker Load Balancing feature. All terminal servers in the load-balanced farm must be configured identically, with the same available programs. Client computers must be running Remote Desktop Connection (RDC) version 5.2 or later. In addition, we recommend that you configure all terminal servers in the farm to restrict each user to a single session. To do this, use either of the following methods: Configure the Restrict Terminal Services users to a single remote session Group Policy setting. This policy setting is available in the Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections node of the Group Policy Management Console (GPMC) on a Windows Server 2008-based domain controller. It is a best practice to group the terminal servers that are in the same terminal server farm into a single organizational unit (OU), and then configure this policy setting in a Group Policy object (GPO) that applies to the OU. Note If you are using the Local Group Policy Editor, Policies is not part of the node path. Configure the Restrict each user to a single session setting on each terminal server by using Terminal Services Configuration. This setting appears under Edit settings, in the General section.

TS Session Broker components

The following are two TS Session Broker components to consider: TS Session Broker server, which is the server that runs the Terminal Services Session Broker service and tracks user sessions for one or more load-balanced terminal server farms. TS Session Broker uses a farm name to determine which servers are in the same terminal server farm. 60

 Terminal servers that use TS Session Broker, which are load-balanced terminal servers that are members of a farm in TS Session Broker.

Checklist: Creating a Load-Balanced Terminal Server Farm by Using TS Session Broker

With a load-balanced terminal server farm, you can scale the performance of a single terminal server by distributing Terminal Services sessions across multiple servers. You can configure a load-balanced farm by using the TS Session Broker Load Balancing feature, Network Load Balancing (NLB), or a non-Microsoft solution. TS Session Broker also enables a user to reconnect to their existing session in a load-balanced terminal server farm. This checklist shows the steps that are required to create and configure a load-balanced terminal server farm by using TS Session Broker Load Balancing. Important The TS Session Broker Load Balancing feature is only supported on terminal servers that are running Windows Server 2008.
Task Reference

Install the TS Session Broker role service on the server that you want to use to track user sessions for a farm. Add the terminal servers in the farm to the Session Directory Computers local group on the TS Session Broker server. Configure the terminal servers in the farm to join a farm in TS Session Broker, and to participate in TS Session Broker Load Balancing. Configure DNS round robin entries for terminal servers in the farm.

Installing TS Session Broker

Adding Each Terminal Server in the Farm to the Session Directory Computers Local Group Configuring a Terminal Server to Join a Farm in TS Session Broker

Configuring DNS for TS Session Broker Load Balancing

Installing TS Session Broker

You must install the TS Session Broker role service on a server (running Windows Server 2008) that you want to use to track user session information for a load-balanced terminal server farm. 61

The server where you install the TS Session Broker role service does not have to be a terminal server or have Remote Desktop enabled. You can use a single TS Session Broker server to track user sessions across multiple farms because there is minimal performance overhead. When you install the TS Session Broker role service, the following changes occur on the local computer: The Terminal Services Session Broker service is installed. By default, the service is set to Started and to Automatic. The Session Directory Computers local group is created.

Installation prerequisites
The server where you install TS Session Broker must be a member of a domain. Note If you install the TS Session Broker role service on a domain controller, the Session Directory Computers group will be a domain local group and available on all domain controllers.

Install the TS Session Broker role service

Membership in the local Administrators group is the minimum required to complete this procedure. To install the TS Session Broker role service 1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager. 2. If the Terminal Services role is already installed: a. Under Roles Summary, click Terminal Services. b. Under Role Services, click Add Role Services. c. On the Select Role Services page, select the TS Session Broker check box, and then click Next. If the Terminal Services role is not already installed: a. Under Roles Summary, click Add Roles. b. On the Before You Begin page of the Add Roles Wizard, click Next. c. On the Select Server Roles page, select the Terminal Services check box, and then click Next. d. On the Terminal Services page, click Next. e. On the Select Role Services page, select the TS Session Broker check box, and then click Next. 62

3. On the Confirm Installation Selections page, confirm that TS Session Broker is listed, and then click Install. 4. On the Installation Results page, click Close.

Adding Each Terminal Server in the Farm to the Session Directory Computers Local Group
For terminal servers to use TS Session Broker, you must add the computer account for each terminal server in the farm to the Session Directory Computers local group on the TS Session Broker server. Membership in the local Administrators group is the minimum required to complete this procedure. Important You must perform this procedure on the server where you installed the TS Session Broker role service. To add terminal servers to the Session Directory Computers local group 1. On the TS Session Broker server, click Start, point to Administrative Tools, and then click Computer Management. 2. In the left pane, expand Local Users and Groups, and then click Groups. 3. In the right pane, right-click the Session Directory Computers group, and then click Properties. 4. Click Add. 5. In the Select Users, Computers or Groups dialog box, click Object Types. 6. Select the Computers check box, and then click OK. 7. Locate and then add the computer account for each terminal server that you want to add. 8. When you finish, click OK.

63

Configuring a Terminal Server to Join a Farm in TS Session Broker

You can configure a terminal server to join a farm in TS Session Broker and to participate in TS Session Broker Load Balancing by using Group Policy or the Terminal Services Configuration tool. However, you must use Terminal Services Configuration to configure the following settings: The IP addresses to be used for reconnection The relative weight of the server when using TS Session Broker Load Balancing

For information about how to configure the settings by using Group Policy, see Configure TS Session Broker Settings by Using Group Policy. Configuring the settings by using Group Policy is a recommended best practice. For information about how to configure the settings by using Terminal Services Configuration, see Configure TS Session Broker Settings by Using Terminal Services Configuration. Important Group Policy settings take precedence over configuration settings in the Terminal Services Configuration snap-in and settings that are made by using the Terminal Services WMI provider.

Configure TS Session Broker Settings by Using Group Policy

You can use Group Policy to configure TS Session Broker settings. However, to configure the IP addresses to be used for reconnection, or to configure the relative server weight when using TS Session Broker Load Balancing, you must use Terminal Services Configuration. To assign TS Session Broker settings through Group Policy, it is a best practice to group the terminal servers that are in the same terminal server farm into a single organizational unit (OU) in Active Directory Domain Services (AD DS). Then, configure the TS Session Broker settings in a Group Policy object (GPO) that applies to the OU. Note For the TS Session Broker settings to be effective on a server, the server must have the Terminal Server role service installed. The following procedure describes how to configure TS Session Broker Group Policy settings by using the Group Policy Management Console (GPMC). To change Group Policy settings for a domain or an OU, you must be logged on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy Creator Owners

64

group, or have been delegated the appropriate authority over Group Policy to complete this procedure. To apply TS Session Broker settings to an Active Directory OU 1. To start the GPMC, click Start, point to Administrative Tools, and then click Group Policy Management. 2. In the left pane, locate the OU that contains the terminal servers. 3. To modify an existing GPO for the OU, expand the OU, and then click the GPO. To create a new GPO, follow these steps: a. Right-click the OU, and then click Create a GPO in this domain, and link it here. b. In the Name box, type a name for the GPO, and then click OK. c. In the left pane, locate and then click the new GPO. 4. In the right pane, click the Settings tab. 5. Right-click Computer Configuration, and then click Edit. 6. In the left pane, under Computer Configuration, expand Policies, Administrative Templates, Windows Components, Terminal Services, Terminal Server, and then click TS Session Broker. 7. In the right pane, double-click the Join TS Session Broker policy setting, click Enabled, and then click OK. 8. Double-click the Configure TS Session Broker farm name policy setting, and then do the following: a. Click Enabled. b. In the TS Session Broker farm name box, type the name of the farm in TS Session Broker that you want to join, and then click OK. Important TS Session Broker uses a farm name to determine which servers are in the same terminal server farm. You must use the same farm name for all servers that are in the same load-balanced terminal server farm. Although the farm name in TS Session Broker does not have to be registered in AD DS, it is recommended that you use the same name that you will use in DNS for the terminal server farm. (The terminal server farm name in DNS represents the virtual name that clients will use to connect to the terminal server farm.) If you type a new farm name, a new farm is created in TS Session Broker and the server is joined to the farm. If you type an existing farm name, the server joins the existing farm in TS Session Broker. 9. Double-click the Configure TS Session Broker server name policy setting, and then do the following: a. Click Enabled. 65

b. In the TS Session Broker server name box, type the name of the server where you installed the TS Session Broker role service, and then click OK. 10. To use TS Session Broker Load Balancing, double-click the Use TS Session Broker load balancing policy setting, click Enabled, and then click OK. 11. Optionally, if you have a hardware load balancer that supports TS Session Broker token redirection, double-click Use IP Address Redirection and configure the setting. For more information, see the Group Policy Explain text and Configuring Dedicated Redirectors (optional). Note To configure TS Session Broker settings by using local Group Policy, use the Local Group Policy Editor. To start the Local Group Policy Editor, click Start, click Run, type gpedit.msc, and then click OK. To configure local Group Policy settings, you must be a member of the Administrators group on the local computer or you must have been delegated the appropriate authority.

Configure TS Session Broker Settings by Using Terminal Services Configuration

You can configure a terminal server to join a farm in TS Session Broker and to participate in TS Session Broker Load Balancing by using Terminal Services Configuration. Note The following steps are only applicable if the Terminal Server role service is installed. Membership in the local Administrators group is the minimum required to complete this procedure. To configure TS Session Broker settings by using Terminal Services Configuration 1. Start Terminal Services Configuration. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration. 2. In the Edit settings area, under TS Session Broker, double-click Member of farm in TS Session Broker. 3. On the TS Session Broker tab, click to select the Join a farm in TS Session Broker check box. 4. In the TS Session Broker server name or IP address box, type the name or the IP address of the TS Session Broker server. Note The TS Session Broker server is the server where you installed the TS Session 66

Broker role service. 5. In the Farm name in TS Session Broker box, type the name of the farm that you want to join in TS Session Broker. Important TS Session Broker uses a farm name to determine which servers are in the same terminal server farm. You must use the same farm name for all servers that are in the same load-balanced terminal server farm. Although the farm name in TS Session Broker does not have to be registered in AD DS, it is recommended that you use the same name that you will use in DNS for the terminal server farm. (The terminal server farm name in DNS represents the virtual name that clients will use to connect to the terminal server farm.) If you type a new farm name, a new farm is created in TS Session Broker and the server is joined to the farm. If you type an existing farm name, the server joins the existing farm in TS Session Broker. 6. To participate in TS Session Broker Load Balancing, select the Participate in Session Broker Load-Balancing check box. 7. Optionally, in the Relative weight of this server in the farm box, modify the server weight. By default, the value is 100. The server weight is relative. Therefore, if you assign one server a value of 100, and one a value of 200, the server with a relative weight of 200 will receive twice the number of sessions. 8. Verify that you want to use IP address redirection. By default, the Use IP address redirection (recommended) setting is enabled. If you clear the check box, the server switches to token redirection mode. 9. In the Select IP addresses to be used for reconnection box, click to select the check box next to each IP address that you want to use. When you select the IP addresses to use, consider the following: Only the first selected IPv4 address will be used by clients that are running RDC 5.2 and earlier. Using IPv6 addresses is not recommended if the terminal server farm contains servers that are running Windows Server 2003. 10. When you finish, click OK.

Configuring DNS for TS Session Broker Load Balancing

To configure DNS round robin entries for TS Session Broker Load Balancing, you must map the IP address of each terminal server in the farm to the terminal server farm name in DNS.

67

The following procedure provides the steps to configure DNS on a Windows Server 2008-based domain controller. You must be a member of the Domain Admins, Enterprise Admins, or the DnsAdmins group to complete this procedure. To add DNS entries for each terminal server in the farm 1. Click Start, point to Administrative Tools, and then click DNS. 2. Expand the server name, expand Forward Lookup Zones, expand the domain name, and then click the appropriate zone. 3. Right-click the zone, and then click New Host (A or AAAA). 4. In the Name (uses parent domain name if blank) box, type the terminal server farm name. The farm name is the virtual name that clients will use to connect to the terminal server farm. For management purposes, it is recommended that you use the same farm name that you specified when you configured the terminal servers to join a farm in TS Session Broker. Important Do not use the name of an existing server for the farm name. 5. In the IP address box, type the IP address of a terminal server in the farm. 6. Click Add Host, and then click OK when you receive the message that the host record was successfully created. 7. Repeat steps three through six for each terminal server in the farm. Important You must specify the same farm name in the Name (uses parent domain name if blank) box for each DNS entry. For example, if you have three terminal servers in a farm named FARM1, with IP addresses of 192.168.1.20, 192.168.1.21, and 192.168.1.22, the entries would look similar to the following: Farm1 Farm1 Farm1 Host(A) Host(A) Host(A) 192.168.1.20 192.168.1.21 192.168.1.22

8. When you finish, click Done. Note By default, a DNS round robin entry is enabled when using DNS on a Windows Server 2008-based domain controller. The Enable round robin setting is available on the Advanced tab when you view the properties of the server in DNS.

68

Configuring Dedicated Redirectors (optional)

If you use Domain Name System (DNS) round robin as the front-end load balancer, when you register the IP address of each terminal server in the farm to a single terminal server farm name in DNS, incoming Terminal Services clients try to connect to the first IP address for the farm name that is returned by DNS. The terminal server that receives this initial connection request acts as the redirector. To increase session redirection performance in a large terminal server farm, you can configure terminal servers to be dedicated redirectors. These servers process incoming requests, but they do not accept user sessions. To configure dedicated redirectors, you must do the following: 1. Create DNS round robin entries for the terminal servers that you want to use as dedicated redirectors. When you do so, you must map the IP address of each terminal server that you want to use as a dedicated redirector to the terminal server farm name in DNS. (The farm name is the virtual name that clients use to connect to the terminal server farm.) The farm name must not match an existing server name in Active Directory Domain Services (AD DS). Note Only the dedicated redirectors should have host resource records in DNS that map to the terminal server farm name. 2. Configure the terminal servers that you want to use as dedicated redirectors to deny new user logon requests. For more information about how to deny new user logon requests, see Deny Logon Requests to a Terminal Server.

Deploying TS Gateway
Terminal Services Gateway (TS Gateway) is a role service that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be terminal servers, terminal servers running RemoteApp programs, or computers with Remote Desktop enabled. TS Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection. In this way, TS Gateway helps improve security by establishing an encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run. To install, configure, and manage a TS Gateway server, see the following topics: Installation Prerequisites for TS Gateway Understanding Requirements for Connecting to a TS Gateway Server Checklist: Deploying TS Gateway 69

Installing TS Gateway Configuring a Certificate for the TS Gateway Server Creating a Terminal Services Connection Authorization Policy Creating a Terminal Services Resource Authorization Policy Configuring the Terminal Services Client for TS Gateway Limiting the Maximum Number of Simultaneous Connections Through TS Gateway Using Group Policy to Manage Client Connections Through TS Gateway

Installation Prerequisites for TS Gateway

For TS Gateway to function correctly, you must meet these prerequisites: You must have a server running Windows Server 2008. You must obtain an SSL certificate for the TS Gateway server if you do not have one already. By default, on the TS Gateway server, the RPC/HTTP Load Balancing service and the IIS service use Transport Layer Security (TLS) 1.0 to encrypt communications between clients and TS Gateway servers over the Internet. For TLS to function correctly, you must install an SSL certificate on the TS Gateway server. Note You do not need a certification authority (CA) infrastructure within your organization if you can use another method to obtain an externally trusted certificate that meets the requirements for TS Gateway. If your company does not maintain a stand-alone CA or an enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes. For information about certificate requirements for TS Gateway and how to obtain and install a certificate, see "Obtain a certificate for the TS Gateway server" in Configuring the TS Gateway Core Scenario. TS Gateway servers must be joined to an Active Directory domain in the following cases: If you configure a TS Gateway authorization policy that requires that users be domain members to connect to the TS Gateway server. If you configure a TS Gateway authorization policy that requires that client computers be domain members to connect to the TS Gateway server. If you are deploying a load-balanced TS Gateway server farm.

Role, role service, and feature dependencies

To function correctly, TS Gateway requires several role services and features to be installed and running. When you use Server Manager to install the TS Gateway role service, the following

70

additional roles, role services, and features are automatically installed and started, if they are not already installed: Remote Procedure Call (RPC) over HTTP Proxy Web Server (IIS) [Internet Information Services 7.0] Network Policy and Access Services

IIS 7.0 must be installed and running for the RPC over HTTP Proxy feature to function. You can also configure TS Gateway to use Terminal Services connection authorization policies (TS CAPs) that are stored on another server that runs the Network Policy Server (NPS) service. By doing this, you are using the server that is running Network Policy Server (NPS)formerly known as a Remote Authentication Dial-In User Service (RADIUS) server to centralize the storage, management, and validation of TS CAPs. If you have already deployed a server running NPS for remote access scenarios such as VPN and dial-up networking, using the existing server running NPS for TS Gateway scenarios as well can enhance your deployment.

Administrative credentials
You must be a member of the Administrators group on the computer that you want to configure as a TS Gateway server.

Understanding Requirements for Connecting to a TS Gateway Server

Users on Terminal Services client computers must meet specific requirements before they can connect to TS Gateway. These requirements include the following: Supported Windows authentication method (required). You can configure the authentication methods that the TS Gateway server allows by using TS Gateway Manager. On clients, you can configure the authentication method to be used to connect to the TS Gateway server by using Group Policy. Important A client and the TS Gateway server to which the client connects must have at least one common authentication method, or the clients attempt to connect to the TS Gateway server will fail. Note If you configure the authentication method on the client by using Group Policy, the Group Policy settings for Terminal Services client connections can be applied in one of two ways. These policy settings can either be suggested (that is, they can be enabled, but not enforced) or they can be enabled and enforced. For more 71

information, see Using Group Policy to Manage Client Connections Through TS Gateway. User group membership (required). You configure the user group membership requirement by using TS Gateway Manager. Client computer group membership (optional). You configure the client computer group membership requirement by using TS Gateway Manager. In TS Gateway Manager, you configure these requirements on the Requirements tab of a Terminal Services connection authorization policy (TS CAP). For more information, see Creating a Terminal Services Connection Authorization Policy.

Supported Windows authentication methods

If you configure the supported Windows authentication method by using TS Gateway Manager, you can specify that a user must use a password or a smart card, or both. If you select both methods, either can be used to connect. If you configure the supported Windows authentication method by using Group Policy, the following options are available: Ask for credentials, use NTLM protocol (a Windows NT challenge/response protocol). For information about the NTLM protocol, see Logon and Authentication Technologies (http://go.microsoft.com/fwlink/?LinkId=94215) and Microsoft NTLM (http://go.microsoft.com/fwlink/?LinkId=94216). Ask for credentials, use Basic protocol. The Basic authentication method is a widely used industry-standard method for collecting user name and password information. It is less secure, however, because the passwords are transmitted in Base64-encoded form, not encrypted. For more information, see Basic Authentication (http://go.microsoft.com/fwlink/? LinkId=94217). Use locally logged-on credentials. In this case, the same credentials that users provide to log on to their local computer are used to connect to the TS Gateway server. If you select this option, but users have previously connected to the same TS Gateway server and they have selected the Remember my credentials check box in the TS Gateway Server Settings dialog box on their client computer, their saved credentials are used to connect to the TS Gateway server. Use smart card. Smart cards contain a microcomputer and a small amount of memory, and they provide secure, tamper-proof storage for private keys and X.509 security certificates. A smart card is a form of two-factor authentication that requires the user to have a smart card and know the PIN to gain access to network resources. For more information, see The Secure Access Using Smart Cards Planning Guide (http://go.microsoft.com/fwlink/? LinkId=94218). If all these credentials are available to users, and if users have specified to save their credentials when connecting to the TS Gateway server, their credentials are used in the following order: 1. Saved credentials 2. Locally logged-on credentials 72

3. Other password or smart card credentials supplied by the user

Checklist: Deploying TS Gateway

The following steps are required to successfully set up and demonstrate the TS Gateway core scenario. This scenario enables you to configure a TS Gateway server so that a remote user can access an internal network resource over the Internet through the TS Gateway server. In this scenario, the internal network resource can be a terminal server, a terminal server running RemoteApp programs, or a computer with Remote Desktop enabled. To configure the TS Gateway server, complete the following tasks.
Task Reference/Step-by-step instructions

Install the TS Gateway role service. Configure a certificate for the TS Gateway server. Create a Terminal Services connection authorization policy (TS CAP). Create a Terminal Services resource authorization policy (TS RAP). Configure the Terminal Services client for TS Gateway.

Installing TS Gateway Configuring a Certificate for the TS Gateway Server Creating a Terminal Services Connection Authorization Policy Creating a Terminal Services Resource Authorization Policy Configuring the Terminal Services Client for TS Gateway

Installing TS Gateway
Follow these steps to install the TS Gateway role service. Optionally, during the role service installation process, you can select an existing certificate (or create a new self-signed certificate), and you can create a Terminal Services connection authorization policy (TS CAP) and a Terminal Services resource authorization policy (TS RAP).

Install the TS Gateway role service

Use the following procedure to install the TS Gateway role service. To install the TS Gateway role service 1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager. 2. If the Terminal Services role is not already installed: 73

a. In Server Manager, under Roles Summary, click Add roles. b. In the Add Roles Wizard, if the Before You Begin page appears, click Next. This page will not appear if you have already installed other roles and you have selected the Skip this page by default check box. c. On the Select Server Roles page, under Roles, select the Terminal Services check box, and then click Next. d. On the Terminal Services page, click Next. e. On the Select Role Services page, in the Role services list, select the TS Gateway check box. f. If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services. g. On the Select Role Services page, confirm that TS Gateway is selected, and then click Next. If the Terminal Services role is already installed: a. Under Roles Summary, click Terminal Services. b. Under Role Services, click Add Role Services. c. On the Select Role Services page, select the TS Gateway check box, and then click Next. d. If prompted to specify whether you want to install the additional role services required for TS Gateway, click Add Required Role Services. e. On the Select Role Services page, click Next. 3. On the Choose a Server Authentication Certificate for SSL Encryption page, specify whether to choose an existing certificate for SSL encryption (recommended), create a self-signed certificate for SSL encryption, or choose a certificate for SSL encryption later. If you are completing an installation for a new server that does not yet have certificates, see Obtain a Certificate for the TS Gateway Server for certificate requirements and information about how to obtain and install a certificate. Under the Choose an existing certificate for SSL encryption (recommended) option, only certificates that have the intended purpose (server authentication) and Enhanced Key Usage (EKU) [Server Authentication (1.3.6.1.5.5.7.3.1)] that are appropriate for the TS Gateway role service will appear in the list of certificates. If you select this option, click Import, and then import a new certificate that does not meet these requirements, the imported certificate will not appear in the list. 4. On the Create Authorization Policies for TS Gateway page, specify whether you want to create authorization policies (a TS CAP and a TS RAP) during the TS Gateway role service installation process or later. If you select Later, follow the procedures in Creating a Terminal Services Connection Authorization Policy to create this policy. If you select Now, do the following: a. On the Select User Groups That Can Connect Through TS Gateway page, click Add to specify additional user groups. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name 74

and to close the Select Groups dialog box. b. To specify more than one user group, do either of the following: Type the name of each user group, separating the name of each group with a semi-colon; or add additional groups from different domains by repeating the first part of this step for each group. c. After you finish specifying additional user groups, on the Select User Groups that Can Connect Through TS Gateway page, click Next. d. On the Create a TS CAP for TS Gateway page, accept the default name for the TS CAP (TS_CAP_01) or specify a new name, select one or more supported Windows authentication methods, and then click Next. e. On the Create a TS RAP for TS Gateway page, accept the default name for the TS RAP (TS_RAP_01) or specify a new name, and then do one of the following: Specify whether to allow users to connect only to computers in one or more computer groups, and then specify the computer groups; or specify that users can connect to any computer on the network. Click Next. 5. On the Network Policy and Access Services page (which appears if this role service is not already installed), review the summary information, and then click Next. 6. On the Select Role Services page, verify that Network Policy Server is selected, and then click Next. 7. On the Web Server (IIS) page (which appears if this role service is not already installed), review the summary information, and then click Next. 8. On the Select Role Services page, accept the default selections for Web Server (IIS), and then click Next. 9. On the Confirm Installation Options page, verify that the following roles, role services, and features will be installed: Terminal Services\TS Gateway Network Policy and Access Services\Network Policy Server Web Server (IIS)\Web Server\Management Tools RPC over HTTP Proxy Windows Process Activation Service\Process Model\Configuration APIs

10. Click Install. 11. On the Installation Progress page, installation progress will be noted. If any of these roles, role services, or features has already been installed, installation progress will be noted only for the new roles, role services, or features that are being installed. 12. On the Installation Results page, confirm that installation was successful, and then click Close.

75

Verify successful role service installation and TS Gateway service status

Use the following procedure to verify that the TS Gateway role service and dependent roles, role services, and features are installed correctly and running. To verify that installation was successful 1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager. 2. In the console tree, expand Roles, and then double-click Terminal Services. 3. On the Terminal Services summary page, in the System Services area, verify that the status of Terminal Services Gateway is Running and that the startup type is set to Auto. 4. Close Server Manager. 5. Open Internet Information Services (IIS) Manager. To open IIS Manager, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 6. In the console tree, expand <TS Gateway_Server_Name>\Sites\Default Web Site, and then click Default Web Site. 7. Right-click Default Web Site, point to Manage Web Site, and then click Advanced Settings. 8. In the Advanced Settings dialog box, under (General), verify that Start Automatically is set to True. If it is not set to True, click the drop-down arrow to display the list, and then click True. 9. Click OK. 10. Close IIS Manager.

Configuring a Certificate for the TS Gateway Server

By default, Transport Layer Security (TLS) 1.0 is used to encrypt communications between Terminal Services clients and TS Gateway servers over the Internet. For TLS to function correctly, you must install a Secure Sockets Layer-compatible X.509 certificate on the TS Gateway server. You can obtain this certificate in one of the following ways: You can generate and submit a certificate request to obtain a certificate from a standalone or an enterprise certification authority (CA). You can purchase a certificate (or obtain one at no cost on a trial basis) from one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members 76

program, as listed in article 931125 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547). You can use the Add Roles Wizard to create a self-signed certificate when you install the TS Gateway role service, or you can use TS Gateway Manager to do this after TS Gateway is installed. Note We recommend that you use a self-signed certificate only for testing and evaluation purposes. This section describes certificate requirements for the TS Gateway server and provides more information about the methods that you can use to obtain a certificate. The following topics are included: Obtain a Certificate for the TS Gateway Server Create a Self-Signed Certificate for the TS Gateway Server Install a Certificate on the TS Gateway Server Map the TS Gateway Certificate View or Modify Certificate Properties

Obtain a Certificate for the TS Gateway Server

This section assumes an understanding of certificate trust chaining, certificate signing, and general certificate configuration principles. For information about public key infrastructure (PKI) configuration in Windows Server 2008, see ITPROADD-204: PKI Enhancement in Windows Vista and Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=93995). For information about PKI configuration in Windows Server 2003, see Public Key Infrastructure (http://go.microsoft.com/fwlink/?LinkID=54917). By default TLS 1.0 is used to encrypt communications between Terminal Services clients and TS Gateway servers over the Internet. TLS is a standard protocol that helps to secure Web communications on the Internet or intranets. TLS is the latest and most secure version of the SSL protocol. For more information about TLS, see: SSL/TLS in Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkID=19646) RFC 2246: The TLS Protocol Version 1.0 (http://go.microsoft.com/fwlink/?LinkID=40979)

For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the TS Gateway server.

77

Certificate requirements for TS Gateway

Certificates for TS Gateway must meet the following requirements: The name in the Subject line of the server certificate (certificate name, or CN) must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. If your organization issues certificates from an enterprise certification authority (CA), a certificate template must be configured so that the appropriate name is supplied in the certificate request. If your organization issues certificates from a stand-alone CA, you do not need to do this. Note If you are using the SAN attributes of certificates, clients that connect to the TS Gateway server must be running Remote Desktop Connection (RDC) 6.1. (RDC 6.1 [6.0.6001] supports Remote Desktop Protocol 6.1.). RDC 6.1 is included with Windows Server 2008, Windows Vista SP1, and Windows XP SP3. The certificate is a computer certificate. The intended purpose of the certificate is server authentication. The enhanced key usage is Server Authentication (1.3.6.1.5.5.7.3.1). The certificate has a corresponding private key. The certificate has not expired. We recommend that the certificate be valid one year from the date of installation. A certificate object identifier (also known as OID) of 2.5.29.15 is not required. However, if the certificate that you plan to use contains an object identifier of 2.5.29.15, you can only use the certificate if at least one of the following key usage values is also set: CERT_KEY_ENCIPHERMENT_KEY_USAGE, CERT_KEY_AGREEMENT_KEY_USAGE, and CERT_DATA_ENCIPHERMENT_KEY_USAGE. For more information about these values, see Advanced Certificate Enrollment and Management (http://go.microsoft.com/fwlink/?LinkID=74577). The certificate must be trusted on clients. That is, the public certificate of the CA that signed the TS Gateway server certificate must be located in the Trusted Root Certification Authorities store on the client computer.

Using existing certificates

If you already have a certificate, you can reuse it for the TS Gateway server if the certificate: Is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program, as listed in article 931125 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547); and Meets the certificate requirements for TS Gateway server. If the certificate is not trusted by the Microsoft Root Certificate Program Members program (for example, if you create and install a self-signed certificate on the TS Gateway server and you do not manually configure the certificate to trust the Terminal Services client computer), a warning 78

appears when the client attempts to connect through the TS Gateway server, stating that you do not have a trusted certificate and the connection will not succeed. To prevent this error from occurring, install the certificate onto the computer certificate store on the client computer before the client attempts to connect through the TS Gateway server.

Certificate installation and configuration process overview

The process of obtaining, installing, and configuring a certificate for the TS Gateway server involves the following steps.

1. Obtain a certificate
Obtain a certificate for the TS Gateway server by doing one of the following: If your company maintains a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates that meet TS Gateway requirements, you can generate and submit a certificate request in several ways, depending on the policies and configuration of your organization's CA. Methods for obtaining a certificate include: Initiating auto-enrollment from the Certificates snap-in. Requesting certificates by using the Certificate Request Wizard. Requesting a certificate over the Web. Notes If you have a Windows Server 2003 CA, be aware that the Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll. This ActiveX control is available in Microsoft Windows 2000, Windows Server 2003, and Windows XP. However, Xenroll has been deprecated in Windows Server 2008 and Windows Vista. The sample certificate enrollment Web pages that are included with the original release version of Windows Server 2003, Windows Server 2003 Service Pack 1 (SP1), and Windows Server 2003 Service Pack 2 (SP2) are not designed to handle the change in how Windows Server 2008 and Windows Vista perform Web-based certificate enrollment operations. For information about the steps that you can take to address this issue, see article 922706 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/? LinkId=94472). Using the Certreq command-line tool. For more information about using any of these methods to obtain certificates for Windows Server 2008, see the "Obtain a Certificate" topic in the Certificates snap-in Help and the "Certreq" topic in the Windows Server 2008 Command Reference. To review the Certificates snap-in Help topics, click Start, click Run, type hh certmgr.chm, and then click OK. For 79

information about how to request certificates for Windows Server 2003, see Requesting Certificates (http://go.microsoft.com/fwlink/?LinkID=19638). A stand-alone or enterprise CA-issued certificate must be co-signed by a trusted public CA that participates in the Microsoft Root Certification Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547). Otherwise, users connecting from home computers or kiosks might not be able to connect to TS Gateway servers. These connections might fail because the enterprise CA-issued root might not be trusted by computers that are not members of domains, such as home computers or kiosks. If your company does not maintain a stand-alone or enterprise CA that is configured to issue SSL-compatible X.509 certificates, you can purchase a certificate from a trusted public CA that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547). Some of these vendors might offer certificates at no cost on a trial basis. Alternatively, if your company does not maintain a stand-alone or enterprise CA and you do not have a compatible certificate from a trusted public CA, you can create and import a self-signed certificate for your TS Gateway server for technical evaluation and testing purposes. For step-by-step instructions, see Create a Self-Signed Certificate for the TS Gateway Server. In the example configurations described in this guide, a self-signed certificate is used. Important If you use either of the first two methods to obtain a certificate (that is, if you obtain a certificate from a stand-alone or enterprise CA or a trusted public CA), you must also install the certificate on the TS Gateway server and map the certificate. However, if you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation (as described in Create a Self-Signed Certificate for the TS Gateway Server), you do not need to install or map the certificate to the TS Gateway server. In this case, the certificate is automatically created, installed in the correct location on the TS Gateway server, and mapped to the TS Gateway server. Note Terminal Services clients must have the certificate of the CA that issued the server certificate in their Trusted Root Certification Authorities store. Therefore, if you create a self-signed certificate by following the procedure in this guide, you must copy the certificate to the client computer (or to a network share that can be accessed from the client computer) and then install the certificate in the Trusted Root Certification Authorities store on the client computer. For step-by-step instructions, see Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional). If you use one of the first two methods to obtain a certificate and the Terminal Services client computer trusts the issuing CA, you do not need to install the certificate of the CA that issued the server certificate in the client computer certificate store. For example, you do not need to install 80

the certificate of the issuing CA in the client computer certificate store if a VeriSign or other public, trusted CA certificate is installed on the TS Gateway server. If you use the third method to obtain a certificate (that is, if you create a self-signed certificate), you do need to copy the certificate of the CA that issued the server certificate to the client computer. Then, you must install that certificate in the Trusted Root Certification Authorities store on the client computer. For more information, see Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional).

2. Install the certificate

Install a Certificate on the TS Gateway Server. Use this procedure, described later in this guide, to install the certificate on your TS Gateway server.

3. Map the certificate

Map the TS Gateway Certificate. This procedure, described later in this guide, allows you to specify that the existing certificate be used by the TS Gateway server.

Create a Self-Signed Certificate for the TS Gateway Server

This procedure describes how to use TS Gateway Manager to create a self-signed certificate for technical evaluation and testing purposes, if you did not already create one by using the Add Roles Wizard when you installed the TS Gateway role service. Important We recommend that you use self-signed certificates only for testing and evaluation purposes. After you create the self-signed certificate, you must copy it to the client computer (or to a network share that can be accessed from the client computer), and then install it in the Trusted Root Certification Authorities store on the client computer. If you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation (as described in this procedure), you do not need to install or map the certificate to the TS Gateway server. Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). To create a self-signed certificate for the TS Gateway server 1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway 81

Manager. 2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running. 3. In the results pane, under Configuration Status, click View or modify certificate properties. 4. On the SSL Certificate tab, click Create a self-signed certificate for SSL encryption, and then click Create Certificate. 5. In the Create Self-Signed Certificate dialog box, do the following: a. Under Certificate name, verify that the correct common name (CN) is specified for the self-signed certificate, or specify a new name. The CN must match the DNS name that the client uses to connect to the TS Gateway server, unless you are using wildcard certificates or the SAN attributes of certificates. b. Under Certificate location, to store the root certificate in a specified location so that you can manually distribute the root certificate to clients, verify that the Store the root certificate check box is selected, and then specify where to store the certificate. By default, this check box is selected and the certificate is stored under the %Windir %\Users\<Username>\Documents folder. c. Click OK. 6. If you selected the Store the root certificate check box and specified a location for the certificate, a message will appear stating that TS Gateway has successfully created the self-signed certificate, and confirming the location of the stored certificate. Click OK to close the message. 7. Click OK again to close the TS Gateway server Properties dialog box.

Install a Certificate on the TS Gateway Server

After you obtain a certificate, use this procedure to install the certificate in the correct location on the TS Gateway server, if the certificate is not already installed. After you complete this procedure, you must Map the TS Gateway Certificate. Note This procedure is not required if you created a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation, as described in Create a Self-Signed Certificate for the TS Gateway Server. In either case, a certificate is automatically created, installed in the correct location on the TS Gateway server, and mapped to the TS Gateway server. Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using 82

the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). To install a certificate on the TS Gateway server 1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following: a. Click Start, click Run, type mmc, and then click OK. b. On the File menu, click Add/Remove Snap-in. c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add. d. In the Certificates snap-in dialog box, click Computer account, and then click Next. e. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish. f. In the Add or Remove snap-ins dialog box, click OK. 2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), and then click Personal. 3. Right-click the Personal folder, point to All Tasks, and then click Import. 4. On the Welcome to the Certificate Import Wizard page, click Next. 5. On the File to Import page, in the File name box, specify the name of the certificate that you want to import, and then click Next. 6. On the Password page, do the following: a. If you specified a password for the private key associated with the certificate earlier, type the password. b. If you want to mark the private key for the certificate as exportable, ensure that Mark this key as exportable is selected. c. If you want to include all extended properties for the certificate, ensure that Include all extended properties is selected. d. Click Next. 7. On the Certificate Store page, accept the default option, and then click Next. 8. On the Completing the Certificate Import Wizard page, confirm that the correct certificate has been selected. 9. Click Finish. 10. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK. 11. With Certificates selected in the console tree, in the details pane, verify that the correct certificate appears in the list of certificates on the TS Gateway server. The certificate must be under the Personal store of the local computer.

83

Map the TS Gateway Certificate

You must use TS Gateway Manager to map the TS Gateway server certificate. If you map a TS Gateway server certificate by using any other method, TS Gateway will not function correctly. Note This procedure is not required if you created a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service, or by using TS Gateway Manager after installation, as described in Create a Self-Signed Certificate for the TS Gateway Server. Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). To map a certificate to the local TS Gateway server 1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager. 2. In the TS Gateway Manager console tree, right-click the local TS Gateway server, and then click Properties. 3. On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), and then click Browse Certificates. 4. In the Install Certificate dialog box, click the certificate that you want to use, and then click Install. 5. Click OK to close the Properties dialog box for the TS Gateway server. 6. If this is the first time that you have mapped the TS Gateway certificate, after the certificate mapping is completed, you can verify that the mapping was successful by viewing the TS Gateway Server Status area in TS Gateway Manager. Under Configuration Status and Configuration Tasks, the warning stating that a server certificate is not yet installed or selected and the View or modify certificate properties hyperlink are no longer displayed.

View or Modify Certificate Properties

Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). 84

To view or modify certificate properties 1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager. 2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running. 3. Right-click the local TS Gateway server, and then click Properties. 4. On the SSL Certificate tab, click Select an existing certificate for SSL encryption (recommended), click Browse Certificates, and then do one of the following in the Install Certificate dialog box: To map a different certificate to the TS Gateway server, select the certificate that you want this TS Gateway server to use, and then click Install. On the SSL Certificates tab, review the Issued to, Issued by, and Expiration date fields to verify that the correct certificate is mapped to the TS Gateway server. To view the properties for a certificate that is installed on the TS Gateway server, select the certificate that you want to view, and then click View Certificate. In the Certificate dialog box, review the certificate properties, click OK to close the Certificate dialog box, and then click Cancel to close the Install Certificate dialog box. 5. Click OK to close the TS Gateway server Properties dialog box.

Creating a Terminal Services Connection Authorization Policy

This procedure describes how to use TS Gateway Manager to create a custom Terminal Services connection authorization policy (TS CAP) for TS Gateway. Alternatively, you can use the Authorization Policies Wizard to create a TS CAP. Important If you configure more than one TS CAP, TS Gateway uses the following policy lookup behavior: Policies are applied in the numerical order that appears in the TS Gateway Manager results pane, and access to the TS Gateway server is granted by the first matching policy. That is, if a client does not meet the requirements of the first TS CAP in the list, TS Gateway evaluates the second policy in the list, and so on, until it locates a TS CAP whose requirements are met. If a client does not meet the requirements of any TS CAP in the list, TS Gateway denies access to the client.

85

To create a TS CAP for the TS Gateway server 1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Gateway Manager. 2. In the console tree, click to select the node that represents the TS Gateway server, which is named for the computer on which the TS Gateway server is running. 3. In the console tree, expand Policies, and then click Connection Authorization Policies. 4. Right-click the Connection Authorization Policies folder, click Create New Policy, and then click Custom. 5. On the General tab, type a name for the policy, and then verify that the Enable this policy check box is selected. 6. On the Requirements tab, under Supported Windows authentication methods, select one or both of the following check boxes: Password Smart card

When both of these options are selected, clients that use either authentication method are allowed to connect. 7. Under User group membership (required), click Add Group, and then specify a user group whose members can connect to the TS Gateway server. You must specify at least one user group. 8. In the Select Groups dialog box, specify the user group location and name, and then click OK as needed to check the name and to close the Select Groups dialog box. To specify more than one user group, do either of the following: Type the name of each user group, separating the name of each group with a semi-colon. Add additional groups from different domains by repeating this step for each group. 9. To specify computer domain membership criteria that client computers should meet (optional), on the Requirements tab, under Client computer group membership (optional), click Add Group, and then specify the computer groups. In the example configurations, no computer group is specified. To specify computer groups, you can use the same steps that you used to specify user groups. 10. On the Device Redirection tab, select one of the following options to enable or disable redirection for remote client devices: To permit all client devices to be redirected when connecting through the TS Gateway server, click Enable device redirection for all client devices. By default, this option is selected. 86

 To disable device redirection for all client devices except for smart cards when connecting through the TS Gateway server, click Disable device redirection for all client devices except for smart card. To disable device redirection for only certain device types when connecting through the TS Gateway server, click Disable device redirection for the following client device types, and then select the check boxes that correspond to the client device types for which device redirection should be disabled. Important Device redirection settings can be enforced only for Microsoft Remote Desktop Connection (RDC) clients. 11. Click OK. 12. The new TS CAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS CAP, the policy details appear in the lower pane.

Creating a Terminal Services Resource Authorization Policy

This procedure describes how to use TS Gateway Manager to create a custom Terminal Services resource authorization policy (TS RAP) for TS Gateway, and to specify computers that users can connect to through the TS Gateway server. Alternatively, you can use the Authorization Policies Wizard to complete these tasks. Important If users are connecting to members of a terminal server farm, you must configure a TS RAP that explicitly specifies the name of the terminal server farm. To do so, when you create the TS RAP, on the Computer Group tab, click the Select existing TS Gatewaymanaged computer group or create a new one option, and then specify the name of the terminal server farm. If the name of the terminal server farm is not specified, users will not be able to connect to members of the farm. For optimal security and ease of administration, to specify the terminal servers that are members of the farm, create a second TS RAP. On the Computer Group tab, click the Select an Active Directory security group option, and then specify the security group that contains the terminal servers in the farm. Doing this optimizes security by ensuring that the members of the farm are trusted members of an Active Directory security group. To create a TS RAP and specify computers that users can connect to through the TS Gateway server 1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to 87

Administrative Tools, point to Terminal Services, and then click TS Gateway Manager. 2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running. 3. In the console tree, expand Policies, and then click Resource Authorization Policies. 4. Right-click the Resource Authorization Policies folder, click Create New Policy, and then click Custom. 5. On the General tab, in the Policy name box, enter a name that is no longer than 64 characters. 6. In the Description box, enter a description for the new TS RAP. 7. On the User Groups tab, click Add to select the user groups to which you want this TS RAP to apply. 8. In the Select Groups dialog box, specify the user group location and name, and then click OK. To specify more than one user group, do either of the following: Type the name of each user group, separating the name of each group with a semi-colon. Add additional groups from different domains by repeating Step 7 for each group. 9. On the Computer Group tab, specify the computer group that users can connect to through TS Gateway by doing one of the following: To specify an existing security group, click Select an existing Active Directory security group, and then click Browse. In the Select Group dialog box, specify the user group location and name, and then click OK. Note that you can select a security group in Local Users and Groups rather than in Active Directory Domain Services. To specify a TS Gateway-managed computer group, click Select an existing TS Gateway-managed computer group or create a new one, and then click Browse. In the Select a TS Gateway-managed Computer Group dialog box, do one of the following: Select an existing TS Gateway-managed computer group by clicking the name of the computer group that you want to use, and then click OK to close the dialog box. Create a new TS Gateway-managed computer group by clicking Create New Group. On the General tab, type a name and description for the new group. On the Network Resources tab, type the name or IP address of the computer or Terminal Services farm that you want to add, and then click Add. Repeat this step as needed to specify additional computers, and then click OK to close the New TS Gateway-Managed Computer Group dialog box. In the Select a TS Gateway-managed Computer Group dialog box, click the name of the new computer group, and then click OK to close the dialog box. Important When you add an internal network computer to the list of TS Gateway88

managed computers, if you want to allow remote users to connect to the computer by specifying either its computer name or its IP address, you must add the computer to the computer group twice (by specifying the computer name of the computer and adding it to the computer group, and then specifying the IP address of the computer and adding it to the computer group again). If you specify only an IP address for a computer when you add it to a computer group, users must also specify the IP address of that computer when they connect to that computer through TS Gateway. To ensure that remote users connect to the internal network computers that you intend, we recommend that you do not specify IP addresses for the computers if the computers are not configured to use static IP addresses. For example, you should not specify IP addresses if your organization uses DHCP to dynamically reconfigure IP addresses for the computers. To specify any network resource, click Allow users to connect to any network resource, and then click OK. 10. After you specify a computer group, the new TS RAP that you created appears in the TS Gateway Manager results pane. When you click the name of the TS RAP, the policy details appear in the lower pane.

Configuring the Terminal Services Client for TS Gateway

This section provides procedures for configuring your Terminal Services client computers to connect to internal network resources through TS Gateway. It includes the following topics: Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional) Configure Remote Desktop Connection Settings Verify Connectivity Through TS Gateway

Install the TS Gateway Server Root Certificate on the Terminal Services Client (Optional)
The client computer must verify and trust the identity of the TS Gateway server before the client can send the user's password and logon credentials securely and complete the authentication process. To establish this trust, the clients must trust the root certificate of the server. That is, clients must have the certificate of the certification authority (CA) that issued the server certificate 89

in their Trusted Root Certification Authorities store. You can view this store by using the Certificates snap-in. This procedure is not required if: A certificate that is issued by one of the trusted public CAs that participate in the Microsoft Root Certificate Program Members program is installed on the TS Gateway server; for a list of trusted public CAs, see article 931125 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=59547); and The Terminal Services client computer already trusts the CA that issued the certificate. If the TS Gateway server is using a certificate that is issued by one of the trusted public CAs, and the certificate is recognized and trusted by your client computer, proceed to complete the steps in the Configure remote desktop connection settings section. Important Do not install certificates from any untrusted sources or individuals. Note If you are configuring the Terminal Services client for use with Network Access Protection (NAP), you must install the TS Gateway server root certificate by using the computer account. If not, you can install the TS Gateway server root certificate by using the user account. Before you complete the steps in the following procedure, you must have already copied the certificate to the client computer. For example, if you created a self-signed certificate for the TS Gateway server by using TS Gateway Manager, you must have already copied that certificate from the TS Gateway server to the client computer. To install the TS Gateway server root certificate in the Trusted Root Certification Authorities store on the Terminal Services client 1. Open the Certificates snap-in console. If you have not already added the Certificates snap-in console, you can do so by doing the following: a. Click Start, click Run, type mmc, and then click OK. b. On the File menu, click Add/Remove Snap-in. c. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Certificates, and then click Add. d. In the Certificates snap-in dialog box, to open the snap-in for a computer account, click Computer account, and then click Next. To open the snap-in for a user account, click My user account, and then click Finish. e. If you opened the Certificates snap-in for a computer account, in the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish. f. In the Add or Remove snap-ins dialog box, click OK. 90

2. In the Certificates snap-in console, in the console tree, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, right-click Certificates, point to All Tasks, and then click Import. 3. On the Welcome to the Certificate Import Wizard page, click Next. 4. On the File to Import page, in the File name box, browse to the TS Gateway server root certificate, click Open, and then click Next. 5. On the Certificate Store page, accept the default option (Place all certificates in the following store - Trusted Root Certification Authorities), and then click Next. 6. On the Completing the Certificate Import Wizard page, confirm that the following certificate settings appear: Certificate Store Selected by User: Trusted Root Certification Authorities Content: Certificate

File Name: FilePath\<Root_Certificate_Name.cer>, where <Root_Certificate_Name> is the name of the TS Gateway server root certificate. 7. Click Finish. 8. After the certificate import has successfully completed, a message appears confirming that the import was successful. Click OK. 9. With Certificates selected in the console tree, in the details pane, verify that the root certificate of the TS Gateway server appears in the list of certificates on the client. Ensure that the certificate appears under the Trusted Root Certification Authorities store.

Configure Remote Desktop Connection Settings

Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). To configure Remote Desktop Connection settings for TS Gateway 1. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection. 2. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings. 3. On the Advanced tab, in the Connect from anywhere area, click Settings. 4. In the TS Gateway Server Settings dialog box, select the appropriate options: 91

 Automatically detect TS Gateway server settings (default). If you select this option, the Terminal Services client attempts to use Group Policy settings that determine the behavior of client connections to TS Gateway servers or TS Gateway server farms, if these settings have been configured and enabled. For more information, see the "Using Group Policy to Manage Client Connections Through TS Gateway" topic in the TS Gateway Help. Use these TS Gateway server settings. If a TS Gateway server name or TS Gateway server farm name and a logon method are not already enabled and enforced by Group Policy, you can select this option and specify the name of the TS Gateway server or TS Gateway server farm that you want to connect to and the logon method to use for the connection. The name that you specify for the server must match the name in the Issued to field of the TS Gateway server certificate. If you create a self-signed certificate by using the Add Roles Wizard during installation of the TS Gateway role service or by using TS Gateway Manager after installation, specify the fully qualified domain name (FQDN) of the TS Gateway server. Bypass TS Gateway server for local addresses. This option is selected by default. If you want the Terminal Services client to automatically detect when TS Gateway is required, select this check box. If you use a mobile computer, selecting this option will optimize client connectivity performance and minimize latency because TS Gateway will only be used when it is required. If your computer is always connected to the local area network (LAN) or if it is hosted inside the internal network firewall, TS Gateway will not be used. If you are outside the internal network and connecting to the internal network over the Internet, TS Gateway will be used.If you are in a LAN, but want to test connectivity through a TS Gateway server or TS Gateway server farm, clear this check box. Otherwise, the client will not connect through the TS Gateway server or TS Gateway server farm in this case. Do not use a TS Gateway server. Select this option if your computer is always connected to the LAN or if it is hosted inside the internal network firewall. This option is appropriate if you know that you do not need to use TS Gateway to traverse a firewall. 5. Do one of the following: To save the settings and close the Remote Desktop Connection dialog box, click Save, and then click Cancel. The settings will be saved as an RDP file to a default location (by default, the file is saved to Drive:\<Username>\Documents). To save the RDP file to a specified location (you can customize and distribute the file later to multiple clients as needed), click Save As. In the Save as dialog box, in the File name box, specify the file name and location, and then click Save. To proceed with a connection to an internal network resource, click Save, click Connect, and then proceed to Step 5 in the next procedure ("Verify that end-to-end connectivity through TS Gateway is functioning correctly").

92

Verify Connectivity Through TS Gateway

Use the following procedure to verify the functionality of the TS Gateway deployment. To verify the functionality of the TS Gateway deployment 1. Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection. 2. In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings. 3. On the General tab, type the name of the computer (terminal server or computer running Remote Desktop) to which you want to connect remotely through TS Gateway. 4. Click Connect. 5. In the Enter your credentials dialog box, select the user account that you want to use to log on remotely to the computer, enter the required credentials, and then click OK. 6. In the Gateway server credentials dialog box, select the user name that you want to use to log on to the TS Gateway server, enter the required credentials, and then click OK. 7. After a few moments, the connection completes and a connection will be established through the TS Gateway server to the computer.

Limiting the Maximum Number of Simultaneous Connections Through TS Gateway

By default, with the exception of TS Gateway servers that are running the Windows Server 2008 Standard operating system, no limit is set for the number of simultaneous connections that clients can make to internal network resources through a TS Gateway server. To optimize TS Gateway server performance or to ensure compliance with the connection and security policies of your organization, you can set a limit for the number of simultaneous connections that clients can make to network resources through a TS Gateway server. Note For TS Gateway servers that are running Windows Server 2008 Standard, a maximum of 250 simultaneous connections is supported. To limit the maximum number of allowable connections for TS Gateway 1. Open TS Gateway Manager. To open TS Gateway Manager, click Start, point to 93

Administrative Tools, point to Terminal Services, and then click TS Gateway Manager. 2. In the console tree, click to select the node that represents your TS Gateway server, which is named for the computer on which the TS Gateway server is running. 3. In the console tree, expand Monitoring. 4. With the Monitoring folder selected, right-click the Monitoring folder, and then click Edit Connection Limit. 5. On the General tab, under Maximum Connections, do one of the following: To set a limit for the maximum number of simultaneous connections that Terminal Services clients can make to internal network resources through TS Gateway, click Limit maximum allowed simultaneous connections to, and then specify the number of allowable connections. To set no limit on the number of allowable connections between clients and internal network resources through TS Gateway, click Allow the maximum supported simultaneous connections. This is the default option. For TS Gateway servers that are running Windows Server 2008 Standard, a maximum of 250 simultaneous connections is supported. To prevent new connections from being made between clients and internal network resources through TS Gateway, click Disable new connections. If you select this option, only new connection attempts will be rejected. Current connections will not be ended by TS Gateway. 6. Click OK.

Using Group Policy to Manage Client Connections Through TS Gateway

You can use Group Policy and Active Directory Domain Services to centralize and simplify the administration of TS Gateway Group Policy settings. You use the Local Group Policy Editor to configure these policy settings, which are contained within Group Policy objects (GPOs). You use the Group Policy Management Console (GPMC) to link GPOs to sites, domains, or organizational units (OUs) in Active Directory Domain Services. The Local Group Policy Editor operates as an extension to the GPMC. When you edit a GPO from within the GPMC, the Local Group Policy Editor appears, displaying the policy settings for that particular GPO. You must have editing rights on a GPO to open it in the Local Group Policy Editor. The Default Domain Policy GPO and Default Domain Controllers Policy GPO are vital to Important the health of any domain. As a best practice, you should not edit the Default Domain Controllers Policy GPO or the Default Domain Policy GPO, except in the following cases: 94

If it is required that account policy settings be configured in the Default Domain GPO.

If you install applications on domain controllers that require modifications to the User Rights or Audit policy settings, you must modify the policy settings in the Default Domain Controllers Policy GPO. Group Policy settings for Terminal Services client connections through TS Gateway can be applied in one of two ways. These policy settings can be suggested (that is, they can be enabled, but not enforced), or they can be enabled and enforced. To suggest a policy setting for TS Gateway, enable the policy setting in Group Policy, but do not clear the Allow users to change this setting check box. Doing this allows users on the client to enter alternate TS Gateway connection settings. To specify alternate policy settings, users select the Use these TS Gateway server settings option in the TS Gateway Server Settings dialog box on the client, and then specify the alternate TS Gateway connection settings. To enforce a policy setting for TS Gateway, enable the policy setting in Group Policy and clear the Allow users to change this setting check box. When you do this, users cannot change the TS Gateway connection setting, even if they select the Use these TS Gateway server settings option on the client. For information about how to configure Terminal Services client settings, see Configuring the Terminal Services Client for TS Gateway. This section provides procedures for using Group Policy to manage Terminal Services client connections to the network through TS Gateway. It includes the following topics: Set the TS Gateway Server Authentication Method Enable Connections Through TS Gateway Set the TS Gateway Server Address

Set the TS Gateway Server Authentication Method

The following procedure describes how to use the Group Policy Management Console (GPMC) to set an authentication method for Terminal Services clients that connect to internal network resources through a TS Gateway server. Note To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation. To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy Creator Owners group, or have been delegated the appropriate authority over Group Policy. 95

To set the TS Gateway server authentication method 1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management. 2. In the left pane, locate the OU that you want to edit. 3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO. 4. To create a new GPO, follow these steps: a. Right-click the OU, and then click Create a GPO in this domain, and link it here. b. In the Name box, type a name for the GPO, and then click OK. c. In the left pane, locate and click the new GPO. 5. In the right pane, click the Settings tab. 6. Right-click User Configuration, and then click Edit. 7. In the left pane, under User Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, and then click TS Gateway. 8. In the right pane, in the settings list, right-click Set TS Gateway authentication method, and then click Properties. 9. On the Setting tab, do one of the following: Click Not Configured. The authentication method that is specified by the user is used. If an authentication method is not specified, the NTLM protocol that is enabled on the client or a smart card can be used for authentication. Click Enabled, and then select the authentication method. By default, the Allow users to change this setting check box is selected, meaning that the authentication method setting is suggested, and that users on the client can specify an alternate authentication method. To enforce the authentication method, clear this check box. For information about supported Windows authentication methods for TS Gateway, see Understanding Requirements for Connecting to a TS Gateway Server. Click Disabled. The authentication method that is specified by the user is used. If an authentication method is not specified, the NTLM protocol that is enabled on the client or a smart card can be used for authentication. 10. Click OK. Note To configure TS Gateway Group Policy settings by using the local computer policy, use the Local Group Policy Editor. To start the Local Group Policy Editor, click Start, click Run, type gpedit.msc, and then click OK. To configure local Group Policy settings, you must be a member of the Administrators group on the local computer or you must have been delegated the appropriate authority. 96

Enable Connections Through TS Gateway

The following procedure describes how to use the Group Policy Management Console (GPMC) to enable connections through TS Gateway. When this policy setting is enabled, and when Terminal Services clients cannot connect directly to an internal network resource, the clients will attempt to connect to the computer through the TS Gateway server that is specified in the Set TS Gateway server address policy setting. Note To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation. To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy Creator Owners group, or have been delegated the appropriate authority over Group Policy. To enable connections through TS Gateway 1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management. 2. In the left pane, locate the OU that you want to edit. 3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and then click the GPO. 4. To create a new GPO, follow these steps: a. Right-click the OU, and then click Create a GPO in this domain, and link it here. b. In the Name box, type a name for the GPO, and then click OK. c. In the left pane, locate and click the new GPO. 5. In the right pane, click the Settings tab. 6. Right-click User Configuration, and then click Edit. 7. In the left pane, under User Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, and then click TS Gateway. 8. In the right pane, in the settings list, right-click Enable connection through TS Gateway, and then click Properties. 9. On the Settings tab, do one of the following: Click Not Configured. Terminal Services clients will not use the TS Gateway server address that is specified in the Set TS Gateway server address policy setting. If a TS Gateway server is specified by the user, a client connection attempt 97

will be made through that TS Gateway server. Click Enabled. When Terminal Services clients cannot connect directly to an internal network resource, the clients will attempt to connect to the internal network resource through the TS Gateway server that is specified in the Set TS Gateway server address policy setting. Click Disabled. Terminal Services clients will not use the TS Gateway server address that is specified in the Set TS Gateway server address policy setting. If a TS Gateway server is specified by the user, a client connection attempt will be made through that TS Gateway server. 10. Click OK. Note To configure TS Gateway Group Policy settings by using the local computer policy, use the Local Group Policy Editor. To start the Local Group Policy Editor, click Start, click Run, type gpedit.msc, and then click OK. To configure local Group Policy settings, you must be a member of the Administrators group on the local computer or you must have been delegated the appropriate authority.

Set the TS Gateway Server Address

The following procedure describes how to use the Group Policy Management Console (GPMC) to specify the TS Gateway server that Terminal Services clients use when connecting to internal network resources through a TS Gateway server. By default, Terminal Services clients automatically detect when TS Gateway is required. Note To manage Group Policy on a Windows Server 2008-based domain controller, you must first add the Group Policy Management Console feature. To do this, start Server Manager, and then under Feature Summary, click Add Features. On the Select Features page, select the Group Policy Management check box. Follow the on-screen instructions to complete the installation. To change Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy Creator Owners group, or have been delegated the appropriate authority over Group Policy. To set the TS Gateway server address 1. Start the GPMC. To do so, click Start, point to Administrative Tools, and then click Group Policy Management. 2. In the left pane, locate the OU that you want to edit. 3. To modify an existing Group Policy object (GPO) for the OU, expand the OU, and 98

then click the GPO. 4. To create a new GPO, follow these steps: a. Right-click the OU, and then click Create a GPO in this domain, and link it here. b. In the Name box, type a name for the GPO, and then click OK.

99

c.

In the left pane, locate and click the new GPO.

5. In the right pane, click the Settings tab. 6. Right-click User Configuration, and then click Edit. 7. In the left pane, under User Configuration, expand Administrative Templates, expand Windows Components, expand Terminal Services, and then click TS Gateway. 8. In the right pane, in the list of policy settings, right-click Set TS Gateway server address, and then click Properties. 9. On the Settings tab, do one of the following: Click Not Configured. Terminal Services clients automatically detect when TS Gateway is required. When a connection through TS Gateway is required, the TS Gateway server or the TS Gateway server farm specified by the user is used. Click Enabled, and then specify a valid, fully qualified domain name (FQDN) of the TS Gateway server or TS Gateway server farm that clients are to use when connecting to internal network resources. The name must match the name that appears in the Secure Sockets Layer (SSL) certificate for the TS Gateway server. By default, the Allow users to change this setting check box is selected, meaning that this policy setting is suggested, and users can specify an alternate TS Gateway server or TS Gateway server farm. To enforce this policy setting so that users cannot specify an alternate TS Gateway server or TS Gateway server farm, clear this check box. Click Disabled. Terminal Services clients automatically detect when TS Gateway is required. Important If you disable or do not configure this policy setting, but enable the Enable connections through TS Gateway policy setting, client connection attempts to any internal network resource will fail, if the client cannot connect directly to the internal network resource. 10. Click OK. Note To configure TS Gateway Group Policy settings by using the local computer policy, use the Local Group Policy Editor. To start the Local Group Policy Editor, click Start, click Run, type gpedit.msc, and then click OK. To configure local Group Policy settings, you must be a member of the Administrators group on the local computer or you must have been delegated the appropriate authority.

100

Deploying TS RemoteApp
Terminal Services RemoteApp (TS RemoteApp) is a feature that enables you to deploy RemoteApp programs to users. RemoteApp programs are applications that are accessed remotely through Terminal Services and appear as if they are running on the end user's local computer. Instead of being presented to the user on the desktop of the remote terminal server, the RemoteApp program is integrated with the client's desktop, running in its own resizable window with its own entry in the taskbar. Users can run RemoteApp programs side-by-side with their local programs. If a user is running more than one RemoteApp program on the same terminal server, the RemoteApp programs share the same Terminal Services session. To install, configure, and manage TS RemoteApp, see the following topics: Installation Prerequisites for TS RemoteApp Checklist: Configuring TS RemoteApp

Checklist: Deploying RemoteApp Programs Through a File Share or Other Distribution Mechanism Checklist: Making RemoteApp Programs Available from the Internet Configuring the Server That Will Host RemoteApp Programs Adding RemoteApp Programs and Configuring Global Deployment Settings Creating an .rdp File from a RemoteApp Program Creating a Windows Installer Package from a RemoteApp Program Managing RemoteApp Programs and Settings Configuring Server Manager and Initial Tasks Not to Run in a RemoteApp Session Deploying TS Web Access

Installation Prerequisites for TS RemoteApp

To access RemoteApp programs that are deployed as .rdp files or as Windows Installer packages, the client computer must be running Remote Desktop Connection (RDC) 6.0 or RDC 6.1. A supported version of the RDC client is included with Windows Server 2008 and Windows Vista. To download RDC 6.0 for Windows Server 2003 with Service Pack 1 (SP1), Windows Server 2003 with Service Pack 2 (SP2), or Windows XP with SP2, see article 925876 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79373). Note RDC 6.1 (6.0.6001) supports Remote Desktop Protocol 6.1.

101

Client requirements
To access RemoteApp programs through TS Web Access, the client computer must be running RDC 6.1. RDC 6.1 is included with the following operating systems: Windows Server 2008 Windows Vista with Service Pack 1 (SP1) Windows XP with Service Pack 3 (SP3)

Checklist: Configuring TS RemoteApp

You can make programs on a terminal server available to users through TS RemoteApp. You can deploy RemoteApp programs to users through .rdp files or Windows Installer packages, or you can use TS Web Access to make the programs available through a Web page. Note The following checklist applies to an environment where you are using a single terminal server to host RemoteApp programs.
Task Reference

Configure the server that will host RemoteApp programs. Add programs to the RemoteApp Programs list. Configure global deployment settings. Configure TS Web Access if you are going to distribute RemoteApp programs through a Web page. Configure RemoteApp programs if you are going to distribute them through .rdp files or Windows Installer packages. Manage the RemoteApp Programs list (optional).

Configuring the Server That Will Host RemoteApp Programs Add Programs to the RemoteApp Programs List Configure Global Deployment Settings Checklist: Deploying RemoteApp Programs Through TS Web Access Checklist: Deploying RemoteApp Programs Through a File Share or Other Distribution Mechanism Managing RemoteApp Programs and Settings

102

Checklist: Deploying RemoteApp Programs Through a File Share or Other Distribution Mechanism
Instead of using TS Web Access, you can deploy RemoteApp programs through .rdp files or Windows Installer packages that are made available through file sharing, or through other distribution mechanisms such as Microsoft System Center Configuration Manager or Active Directory software distribution. These methods enable you to distribute RemoteApp programs to users without using TS Web Access. Note If you distribute RemoteApp programs through Windows Installer packages, you can also configure whether the terminal server takes over client file name extensions for the RemoteApp programs. If this is the case, a user can double-click a file where the file name extension is associated with a RemoteApp program. You must complete the following tasks to configure RemoteApp programs for distribution through a file share or some other distribution mechanism. After you create .rdp files or Windows Installer packages, you can distribute them to users.
Task Reference

Configure the server that will host RemoteApp programs. This includes installing Terminal Server, installing programs, and verifying remote connection settings. Add RemoteApp programs and configure global deployment settings.

Configuring the Server That Will Host RemoteApp Programs

Add Programs to the RemoteApp Programs List Configure Global Deployment Settings

Create .rdp files or Windows Installer packages from RemoteApp programs.

Creating an .rdp File from a RemoteApp Program Creating a Windows Installer Package from a RemoteApp Program

Checklist: Making RemoteApp Programs Available from the Internet

By using TS RemoteApp with TS Gateway, you can enable users to connect from the Internet to individual programs on a terminal server without first establishing a virtual private network (VPN) 103

connection. Depending on the deployment method that you choose, remote users can connect to a program by opening an .rdp file, by clicking a shortcut to a Windows Installer package on their desktop or Start menu, or by accessing a RemoteApp program on a Web page through TS Web Access. This checklist shows the steps that are required to make RemoteApp programs available from the Internet through TS Gateway. Alternatively, if you do not want to deploy TS Gateway, you can make RemoteApp programs available through a VPN solution.
Task Reference

Ensure that you meet the following prerequisites: You have deployed RemoteApp programs on the terminal server. You have successfully deployed TS Web Access in an intranet environment (if you want to make RemoteApp programs available from the Internet through TS Web Access). Review information about TS Gateway. Deploy and configure TS Gateway. When you configure TS Gateway, ensure that you do the following: Create a Terminal Services connection authorization policy (TS CAP) to define the list of user groups that can connect to the terminal servers that host the RemoteApp programs. Create a Terminal Services resource authorization policy (TS RAP) that provides access to the terminal servers that host the RemoteApp programs. When you create the TS RAP, add the user groups that you defined in the TS CAP. Create a new TS Gateway-managed computer group that contains both the NetBIOS names and the fully qualified domain names (FQDNs) of the terminal servers or the terminal server farm that hosts the RemoteApp programs. Configure TS Gateway settings in

Checklist: Configuring TS RemoteApp

Checklist: Deploying RemoteApp Programs Through TS Web Access

TS Gateway Server Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85872) TS Gateway Server Step-by-Step Guide (http://go.microsoft.com/fwlink/? LinkId=85872) Overview of TS Gateway (http://go.microsoft.com/fwlink/? LinkId=179869) Checklist: Deploying TS Gateway Creating a Terminal Services Connection Authorization Policy Creating a Terminal Services Resource Authorization Policy

Configure TS Gateway Settings 104

Task

Reference

TS RemoteApp Manager (either in the global deployment settings or when you create an .rdp file or Windows Installer package). Ensure that existing .rdp files or Windows Installer packages were created with the correct TS Gateway settings if you want to use them to access RemoteApp programs over the Internet. If they were not, you must create new files with the correct settings, and then distribute them to users. Creating an .rdp File from a RemoteApp Program Creating a Windows Installer Package from a RemoteApp Program

Configure firewall and authentication settings if Configure the TS Web Access Server to Allow you want to allow Internet access to Access from the Internet RemoteApp programs through TS Web Access.

Configuring the Server That Will Host RemoteApp Programs

Before you can deploy RemoteApp programs to users, you must configure the server to host RemoteApp programs. You must make sure that the Terminal Server role service is installed, install programs on the server, and verify remote connection settings. This process includes the following procedures: Install the Terminal Server role service Install programs on the terminal server Verify remote connection settings

To perform these procedures, you must be a member of the Administrators group on the terminal server.

Install the Terminal Server role service

To use TS RemoteApp, the Terminal Server role service must be installed. The TS RemoteApp feature is automatically installed as part of the Terminal Server role service. For more information, see Install the Terminal Server Role Service.

Install programs on the terminal server

We recommend that you install programs on the terminal server after you install the Terminal Server role service. If you install a program from a Windows Installer package, the program 105

automatically installs in Terminal Server Install mode. If you are installing from another kind of setup package, use either of the following methods to put the server into Install mode: To install the program, use the Install Application on Terminal Server option in Control Panel. Before you install a program, run the change user /install command from the command line. After the program is installed, run the change user /execute command to exit from Install mode. If you have programs that are related or have dependencies, we recommend that you install the programs on the same terminal server. For example, we recommend that you install Microsoft Office as a suite instead of installing individual Office programs on separate terminal servers. You should consider putting individual programs on separate terminal servers in the following circumstances: The program has compatibility issues that may affect other programs. A single program and the number of associated users may fill server capacity.

Verify remote connection settings

By default, remote connections are enabled after you install the Terminal Server role service. You can use the following procedure to add users and groups that need to connect to the terminal server, and to verify or change remote connection settings. To verify remote connection settings 1. Start the System tool. To do this, click Start, click Run, type control system in the Open box, and then click OK. 2. Under Tasks, click Remote settings. 3. In the System Properties dialog box, on the Remote tab, ensure that the Remote Desktop connection setting is configured correctly, depending on your environment. You can select either of the following options: Allow connections from computers running any version of Remote Desktop (less secure) Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure) For more information about the two options, on the Remote tab, click the Help me choose link. 4. To add the users and groups that need to connect to the terminal server by using Remote Desktop, click Select Users, and then click Add. The users and groups that you add are added to the Remote Desktop Users group. Note Members of the local Administrators group can connect even if they are not listed. 106

5. When you are finished, click OK to close the System Properties dialog box.

Adding RemoteApp Programs and Configuring Global Deployment Settings

After you have prepared the terminal server to host RemoteApp programs, you can use TS RemoteApp Manager to do the following: Add Programs to the RemoteApp Programs List Configure Global Deployment Settings

In TS RemoteApp Manager, you can also delete or modify RemoteApp programs, import RemoteApp programs and settings from another terminal server, or export RemoteApp programs and settings to another terminal server. For more information, see Managing RemoteApp Programs and Settings.

Add Programs to the RemoteApp Programs List

To make a RemoteApp program available to users through any distribution mechanism, you must add the program to the RemoteApp Programs list. By default, programs that you add to the list are configured to be available through TS Web Access. To add a program to the RemoteApp Programs list 1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager. 2. In the Actions pane, click Add RemoteApp Programs. 3. On the Welcome to the RemoteApp Wizard page, click Next. 4. On the Choose programs to add to the RemoteApp Programs list page, select the check box next to each program that you want to add to the RemoteApp Programs list. You can select multiple programs. Note The programs that are shown on the Choose programs to add to the RemoteApp Programs list page are the programs that are found on the All Users Start menu on the terminal server. If the program that you want to add to the RemoteApp Programs list is not in the list on that page, click Browse, and then specify the location of the program's .exe file. 5. To configure the properties for a RemoteApp program, click the program name, and 107

then click Properties. You can configure the following: The program name that will appear to users. To change the name, type a new name in the RemoteApp program name box. The path of the program executable file. To change the path, type the new path in the Location box, or click Browse to locate the .exe file. Note You can use system environment variables in the path name. For example, you can substitute %windir% for the explicit path of the Windows folder (such as C:\Windows). You cannot use per user environment variables. The alias for the RemoteApp program. The alias is a unique identifier for the program that defaults to the program's file name (without the extension). We recommend that you do not change this name. Whether the RemoteApp program is available through TS Web Access. By default, the RemoteApp program is available through TS Web Access setting is enabled. To change the setting, select or clear the check box. Whether command-line arguments are allowed, not allowed, or whether to always use the same command-line arguments. The program icon that will be used. To change the icon, click Change Icon. 6. When you are finished configuring program properties, click OK, and then click Next. 7. On the Review Settings page, review the settings, and then click Finish. The programs that you selected should appear in the RemoteApp Programs list.

Configure Global Deployment Settings

You can configure global deployment settings that apply to all RemoteApp programs that appear in the RemoteApp Programs list. These settings apply to any RemoteApp program that you make available through TS Web Access. Additionally, these settings are used as the default settings if you create .rdp files or Windows Installer packages from any of the listed RemoteApp programs. Note Any changes to deployment settings that you make when you use TS RemoteApp Manager to create .rdp files or Windows Installer packages override the global settings. These global deployment settings include: Configure Terminal Server Settings Configure TS Gateway Settings Configure Common RDP Settings (Optional) Configure Custom RDP Settings (Optional) 108

Configure Digital Signature Settings (Optional)

Configure Terminal Server Settings

To define how users will connect to the terminal server (or terminal server farm) to access RemoteApp programs, you can configure terminal server deployment settings. To configure terminal server settings 1. In the Actions pane of TS RemoteApp Manager, click Terminal Server Settings. (Or, in the Overview pane, next to Terminal Server Settings, click Change.) 2. On the Terminal Server tab, under Connection settings, accept or modify the server or farm name, the RDP port number, and server authentication settings. Important If the Require server authentication check box is selected, consider the following: If any client computers are running Windows Server 2003 with SP1 or Windows XP with SP2, you must configure the terminal server to use a Secure Sockets Layer (SSL) certificate. (You cannot use a self-signed certificate.) If the RemoteApp program is for intranet use, and all client computers are running either Windows Server 2008 or Windows Vista, you do not have to configure the terminal server to use an SSL certificate. In this case, Network Level Authentication is used. 3. To provide a link to the full terminal server desktop through TS Web Access, under Remote desktop access, select the Show a remote desktop connection to this terminal server in TS Web Access check box. 4. Under Access to unlisted programs, choose either of the following: Do not allow users to start unlisted program on initial connection (recommended) To help protect against malicious users, or a user unintentionally starting a program from an .rdp file on initial connection, we recommend that you select this setting. Important This setting does not prevent users from starting unlisted programs remotely after they connect to the terminal server by using the RemoteApp program. For example, if Microsoft Word is in the RemoteApp Programs list and Microsoft Internet Explorer is not, if a user starts a remote Word session, and then clicks a hyperlink in a Word document, they can start Internet Explorer. Allow users to start both listed and unlisted programs on initial connection

109

Caution If you choose this option, users can start any program remotely from an .rdp file on initial connection, not just those programs in the RemoteApp Programs list. To help protect against malicious users, or a user unintentionally starting a program from an .rdp file, we recommend that you do not select this setting. 5. When you finish, click OK.

Configure TS Gateway Settings

To define whether users will connect to the terminal server across a firewall through TS Gateway, you can configure TS Gateway deployment settings. For more information about TS Gateway, see the TS Gateway Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85872). To configure TS Gateway settings 1. In the Actions pane of TS RemoteApp Manager, click TS Gateway Settings. (Or, in the Overview pane, next to TS Gateway Settings, click Change.) 2. On the TS Gateway tab, configure the desired TS Gateway behavior. You can configure whether to automatically detect TS Gateway server settings, to use TS Gateway server settings that you specify, or to not use a TS Gateway server. If you select Automatically detect TS Gateway server settings, the client tries to use Group Policy settings to determine the behavior of client connections to TS Gateway. Note For more information about client Group Policy settings, see Using Group Policy to Manage Client Connections Through TS Gateway. If you select Use these TS Gateway server settings, do the following: a. Configure the TS Gateway server name and the logon method. Important The server name must match what is specified in the SSL certificate for the TS Gateway server. b. If you want the connection to try to use the same user credentials to access both the TS Gateway server and the terminal server, select the Use the same user credentials for TS Gateway and terminal server check box. However, users may still receive two prompts for credentials if conflicting credentials exist from any source such as Group Policy settings, and those credentials do not work. They may also receive two prompts for credentials if default credentials are used for the connection and those credentials do not work. 110

c. If you want the client computer to automatically detect when TS Gateway is required, select the Bypass TS Gateway server for local addresses check box. (Selecting this option optimizes client performance.) To always use a TS Gateway server for client connections, clear the Bypass TS Gateway server for local addresses check box. 3. When you finish, click OK.

Configure Common RDP Settings (Optional)

You can specify common Remote Desktop Protocol (RDP) settings for RemoteApp connections, such as device and resource redirection and some user display settings. These settings apply when a user connects to a RemoteApp program through TS Web Access, or when you create an .rdp file or a Windows Installer package from an existing RemoteApp program. To configure common RDP settings 1. In the Overview pane of TS RemoteApp Manager, next to RDP Settings, click Change. 2. Under Devices and resources, configure which devices and resources on the client computer you want to make available in the remote session. 3. Under User experience, choose whether to enable font smoothing and the desired color depth. 4. When you are finished, click Apply. Note To configure additional RDP settings, such as audio redirection, click the Custom RDP Settings tab. For more information, see Configure Custom RDP Settings (Optional). 5. To close the RemoteApp Deployment Settings dialog box, click OK. If you do not sign .rdp files with a digital signature, or if you sign .rdp files with a digital Note signature that clients do not recognize (such as a certificate from a private certification authority), the client computer may override some redirection settings that you specify in TS RemoteApp Manager. For example, if you enable all the redirection settings on the Common RDP Settings tab, and a user connects to an .rdp file that is not signed, disk drives and supported Plug and Play devices are not redirected automatically. These devices and resources are only redirected if the user enables these redirection settings in the RemoteApp warning dialog box that appears when they try to connect. This default behavior helps reduce potential security vulnerabilities. (Note that the same behavior occurs if you enable serial port redirection on the Custom RDP Settings tab.)

111

Configure Custom RDP Settings (Optional)

You can specify custom RDP settings for RemoteApp connections, such as audio redirection. These settings apply when a user connects to a RemoteApp program through TS Web Access, or when you create a Windows Installer package or .rdp file from an existing RemoteApp program. Note You can use custom RDP settings to configure the working directory for RemoteApp programs. By default, the working directory for a RemoteApp program is the same location as the program executable file. If you configure the working directory as a custom RDP setting, the setting applies to all RemoteApp programs that are available through TS Web Access, and to any .rdp files or Windows Installer packages that you create from a RemoteApp program. If you want to customize the working directory for RemoteApp programs that you plan to distribute as .rdp files or Windows Installer packages, you can add the working directory as a custom RDP setting, create the files from the RemoteApp programs, and then clear the working directory custom RDP setting. To specify custom RDP settings 1. In the Overview pane of TS RemoteApp Manager, next to RDP Settings, click Change. 2. On the Custom RDP Settings tab, type or copy the custom RDP settings that you want to use into the Custom RDP settings box. To copy settings from an existing .rdp file, open the file in a text editor such as Notepad, and then copy the desired settings. Important You cannot override settings that are available in the global deployment settings in TS RemoteApp Manager. If you do so, you will be prompted to remove those settings when you click Apply. To create an .rdp file to copy the settings from, follow these steps: a. Open the RDC client, and then click Options. b. Configure the settings that you want, such as audio redirection. c. When you are finished, on the General tab, click Save As, and then save the .rdp file. d. Open the .rdp file in Notepad, and then copy the desired settings into the Custom RDP settings box on the Custom RDP Settings tab. 3. When you have finished adding the settings that you want, click Apply. 4. If the Error with Custom RDP Settings dialog box appears, do the following: a. Click Remove to automatically remove the settings that are not valid or cannot be overridden, or click OK to remove the settings manually. 112

b. After the settings are removed, click Apply again. 5. To close the RemoteApp Deployment Settings dialog box, click OK.

Configure Digital Signature Settings (Optional)

You can use a digital signature to sign .rdp files that are used for RemoteApp connections to the terminal server. This includes the .rdp files that are used for connections through TS Web Access to RemoteApp programs on the terminal server and to the terminal server desktop. Important To connect to a RemoteApp program by using a digitally signed .rdp file, the client must be running Remote Desktop Connection (RDC) 6.1. The RDC 6.1 (6.0.6001) client supports Remote Desktop Protocol 6.1. If you use a digital certificate, the cryptographic signature on the connection file provides verifiable information about your identity as its publisher. This enables clients to recognize your organization as the source of the RemoteApp program or the remote desktop connection, and allows the clients to make more informed trust decisions about whether to start the connection. This helps protect against the use of .rdp files that were altered by a malicious user. You can sign .rdp files that are used for RemoteApp connections by using a Server Authentication certificate (SSL certificate) or a Code Signing certificate. You can obtain SSL and Code Signing certificates from public certification authorities (CAs) or from an enterprise CA in your public key infrastructure hierarchy. If you already use an SSL certificate for terminal server or TS Gateway connections, you can use the same certificate to sign .rdp files. However, if users will connect to RemoteApp programs from public or home computers, you must use either of the following: A certificate from a public certification authority (CA) that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547) An enterprise CA-issued certificate that is co-signed by a public CA that participates in the Microsoft Root Certification Program Members program To configure the digital certificate to use 1. In the Actions pane of TS RemoteApp Manager, click Digital Signature Settings. (Or, in the Overview pane, next to Digital Signature Settings, click Change.) 2. Select the Sign with a digital certificate check box. 3. In the Digital certificate details box, click Change. 4. In the Select Certificate dialog box, select the certificate that you want to use, and 113

then click OK. Note The Select Certificate dialog box is populated by certificates that are located in the local computer's certificates store or in your personal certificate store. The certificate that you want to use must be located in one of these stores.

Using Group Policy settings to control client behavior when opening a digitally signed .rdp file
You can use Group Policy settings to configure clients to always trust RemoteApp programs from a particular publisher. You can also configure whether clients will block RemoteApp programs and remote desktop connections from external or unknown sources. By using these policy settings, you can reduce the number and complexity of security decisions that users face. This reduces the chances of inadvertent user actions that may lead to security vulnerabilities. The relevant Group Policy settings are located in the Local Group Policy Editor at the following location, in the Computer Configuration node and in the User Configuration node: Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client The available policy settings include the following: Specify SHA1 thumbprints of certificates representing trusted .rdp publishers This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted .rdp file publishers. If you enable this policy setting, any certificate with a SHA1 thumbprint that matches a thumbprint on the list is trusted. Allow .rdp files from valid publishers and users default .rdp settings This policy setting allows you to specify whether users can run .rdp files from a publisher that signed the file with a valid certificate. This policy setting also controls whether the user can start an RDP session by using default .rdp settings, such as when a user directly opens the RDC client without specifying an .rdp file. Allow .rdp files from unknown publishers This policy setting allows you to specify whether users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Important To use these Group Policy settings, the client computer must be running RDC 6.1. For more information about these policy settings, view the Group Policy Explain text in the Local Group Policy Editor.

114

Creating an .rdp File from a RemoteApp Program

You can use the RemoteApp Wizard to create an .rdp file from any program in the RemoteApp Programs list. To create an .rdp file 1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager. 2. In the RemoteApp Programs list, click the program that you want to create an .rdp file for. To select multiple programs, press and hold the CTRL key when you click each program name. 3. In the Actions pane for the program or selected programs, click Create .rdp file. Note If you selected multiple programs, the settings described in the rest of this procedure apply to all of the selected programs. A separate .rdp file is created for each program. 4. On the Welcome to the Remote App Wizard page, click Next. 5. On the Specify Package Settings page, do the following: a. In the Enter the location to save the packages box, accept the default location or click Browse to specify a new location to save the .rdp file. b. In the Terminal server settings area, click Change to modify the terminal server or farm name, the RDP port number, and the Require server authentication setting. (For more information about these settings, see Configure Terminal Server Settings.) When you finish, click OK. c. In the TS Gateway settings area, click Change to modify or to configure whether clients will use a TS Gateway server to connect to the target terminal server across a firewall. (For more information about these settings, see Configure TS Gateway Settings.) When you finish, click OK. d. To digitally sign the .rdp file, in the Certificate Settings section, click Change to select or to change the certificate to use. Select the certificate that you want to use, and then click OK. (For more information about these settings, see Configure Digital Signature Settings (Optional).) 6. When you finish, click Next. 7. On the Review Settings page, click Finish. When the wizard is finished, the folder where the .rdp file was saved opens in a new window. You can confirm that the .rdp file was created.

115

Creating a Windows Installer Package from a RemoteApp Program

You can use the RemoteApp Wizard to create a Windows Installer (.msi) package from any program in the RemoteApp Programs list. To create a Windows Installer package 1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager. 2. In the RemoteApp Programs list, click the program that you want to create a Windows Installer package for. To select multiple programs, press and hold the CTRL key when you click each program name. 3. In the Actions pane for the program or selected programs, click Create Windows Installer package. Note If you selected multiple programs, the settings described in the rest of this procedure apply to all of the selected programs. A separate Windows Installer package is created for each program. 4. On the Welcome to the RemoteApp Wizard page, click Next. 5. On the Specify Package Settings page, do the following: a. In the Enter the location to save the packages box, accept the default location or click Browse to specify a new location to save the Windows Installer package. b. In the Terminal server settings area, click Change to modify the terminal server or farm name, the RDP port number, and the Require server authentication setting. (For more information about these settings, see Configure Terminal Server Settings.) When you finish, click OK. c. In the TS Gateway settings area, click Change to modify or to configure whether clients will use a TS Gateway server to connect to the target terminal server across a firewall. (For more information about these settings, see Configure TS Gateway Settings.) When you finish, click OK. d. To digitally sign the file, in the Certificate Settings section, click Change to select or to change the certificate to use. Select the certificate that you want to use, and then click OK. (For more information about these settings, see Configure Digital Signature Settings (Optional).) 6. When you finish, click Next. 7. On the Configure Distribution Package page, do the following: a. In the Shortcut icons area, specify where the shortcut icon for the program will appear on client computers. b. In the Take over client extensions area, configure whether to take over client 116

file name extensions for the program. If you associate the file name extensions on the client computer with the RemoteApp program, all file name extensions that are handled by the program on the terminal server will also be associated on the client computer with the RemoteApp program. For example, if you add Microsoft Word as a RemoteApp program, and you configure the option to take over client file name extensions, any file name extensions on the client computer that Word takes over will be associated with Remote Word. This means that any existing program on the client computer will no longer handle file name extensions such as .doc and .dot. Note that users are not prompted whether the terminal server should take over file extensions for the program. To view what file name extensions are associated with a program on the terminal server, click Start, click Control Panel, and then double-click Default Programs. Click Associate a file type or protocol with a program to view the file name extensions and their default associated program. Caution Do not install Windows Installer packages that were created with this setting enabled on the terminal server itself. If you do, clients that use the Windows Installer package may not be able to start the associated RemoteApp program. 8. After you have configured the properties of the distribution package, click Next. 9. On the Review Settings page, click Finish. When the wizard is finished, the folder where the Windows Installer package was saved opens in a new window. You can confirm that the Windows Installer package was created.

Managing RemoteApp Programs and Settings

In TS RemoteApp Manager, you can make changes to an existing RemoteApp program, or you can remove the program from the list. Additionally, you can export or import the RemoteApp Programs list and the global deployment settings to or from another terminal server. This section includes the following topics: Change or Delete a RemoteApp Program Export or Import RemoteApp Programs and Settings

117

Change or Delete a RemoteApp Program

After you have added a program to the RemoteApp Programs list, you can change the deployment settings for all RemoteApp programs, change the properties of a single RemoteApp program, or delete the RemoteApp program from the list. To change or delete a RemoteApp program To change deployment settings for all RemoteApp programs, in the Actions pane of TS RemoteApp Manager, click Terminal Server Settings, TS Gateway Settings, or Digital Signature Settings. (Or, click one of the Change options in the Overview pane. You can also change custom RDP settings in the Overview pane.) Important If you make any changes, the changes do not affect .rdp files or Windows Installer packages that you already created by using TS RemoteApp Manager. To change the properties of a single RemoteApp program, click the program in the RemoteApp Programs list, and then in the Actions pane for the program, click Properties. Note You cannot change the properties of an existing .rdp file or Windows Installer package by using TS RemoteApp Manager. Instead, you must click Create .rdp File or Create Windows Installer Package in the Actions pane to create a new .rdp file or Windows Installer package that has the desired properties. To change whether the RemoteApp program is available from TS Web Access, click the program, and then in the Actions pane, click Show in TS Web Access or Hide in TS Web Access. To delete a program in the RemoteApp Programs list, click the RemoteApp program, and then in the Actions pane for the program, click Remove. Click Yes to confirm the deletion. Note When you delete a program in the RemoteApp Programs list, any .rdp files or Windows Installer packages that you created from the RemoteApp program are not deleted.

118

Export or Import RemoteApp Programs and Settings

You can copy the RemoteApp Programs list and deployment settings from one terminal server to another terminal server. This allows you to configure multiple terminal servers identically to host RemoteApp programs, such as in a terminal server farm. To export the RemoteApp Programs list and deployment settings 1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager. 2. In the Actions pane, click Export RemoteApp Settings. 3. Select either of the following options: Export the RemoteApp Programs list and settings to another terminal server If you select this option, in the Terminal server name box, enter the name of the terminal server that you want to export the settings to, and then click OK. (For the export operation to succeed, the source terminal server must have Windows Management Instrumentation (WMI) access to the target terminal server.) Important When you click OK, the RemoteApp Programs list and deployment settings will be automatically overwritten on the target terminal server. Export the RemoteApp Programs list and settings to a file If you select this option, click OK. In the Save As dialog box, specify a location to save the .tspub file, and then click Save. To import the RemoteApp Programs list and deployment settings 1. Start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager. 2. In the Actions pane, click Import RemoteApp Settings. 3. Select either of the following options: Import the RemoteApp Programs list and settings from another terminal server If you select this option, in the Terminal server name box, enter the name of the terminal server that you want to import the settings from, and then click OK. The settings are imported directly into TS RemoteApp Manager. (For the import operation to succeed, the source terminal server must have WMI access to the target terminal server.) Import the RemoteApp Programs list and settings from a file 119

If you select this option, click OK. In the Open dialog box, locate and then click the .tspub file that you want to import, and then click Open. If you import a configuration, and the target terminal server does not have a program in the RemoteApp Programs list installed or the program is installed in a different folder, the program will appear in the RemoteApp Programs list. However, the name will be displayed with strikethrough text. Note Only the RemoteApp Programs list and deployment settings are exported or imported. Any .rdp files or Windows Installer packages that were created from the programs are not exported or imported. You must create new .rdp files or Windows Installer packages on each terminal server unless the server is a member of a terminal server farm. If you specified a farm name when you created the .rdp files or Windows Installer packages, and the server where you want to copy the files is a member of the same terminal server farm, you can manually copy the files.

Configuring Server Manager and Initial Tasks Not to Run in a RemoteApp Session
If a user has administrative access to the terminal server where the RemoteApp programs are installed, when the user starts a RemoteApp program, the Server Manager tool and Initial Configuration Tasks also start in the RemoteApp session. You can control this behavior by using the following Group Policy settings in the Computer Configuration\Administrative Templates\System\Server Manager node of the Local Group Policy Editor on the terminal server: Do not display Initial Configuration Tasks window automatically at logon You must enable this policy setting to prevent the Initial Configuration Tasks window from opening when a user with administrative access starts a RemoteApp session. Do not display Server Manager automatically at logon You must enable this policy setting to prevent Server Manager from opening when a user with administrative access starts a RemoteApp session.

Deploying TS Web Access

TS Web Access and TS RemoteApp allow you to deploy a single Web site to allow users to run programs, access the full terminal server desktop, or connect remotely to the desktop of any computer in the internal network where they have the appropriate permissions. To install and configure TS Web Access, see the following topics: 120

Checklist: Deploying RemoteApp Programs Through TS Web Access Enable RemoteApp Programs for TS Web Access Install the TS Web Access Role Service Populate the TS Web Access Computers Security Group Specify the Data Source for TS Web Access Connect to TS Web Access Configure the TS Web Access Server to Allow Access from the Internet Configure Remote Desktop Web Connection Behavior Change the Install Location of the TS Web Access Web Site

Checklist: Deploying RemoteApp Programs Through TS Web Access

If you use TS Web Access, you can deploy RemoteApp programs from a single terminal server or terminal server farm, or from a link to the terminal server desktop, directly through TS Web Access. All RemoteApp programs on the terminal server or terminal server farm that are configured for TS Web Access will appear on the TS Web Access Web site. Note TS Web Access includes the Remote Desktop Web Connection feature, which allows users to connect from a Web browser to the remote desktop of any server or client computer where they have Remote Desktop access. You can determine whether you want this feature to be available to users. For more information, see Configure Remote Desktop Web Connection Behavior. To deploy RemoteApp programs by using TS Web Access, complete the following tasks.
Task Reference

Configure the server that will host RemoteApp programs. This includes installing Terminal Server, installing programs, and verifying remote connection settings. Add RemoteApp programs that are enabled for TS Web Access, and configure global deployment settings. Install TS Web Access on the server that you want users to connect to over the Web to access RemoteApp programs.

Configuring the Server That Will Host RemoteApp Programs

Add Programs to the RemoteApp Programs List Configure Global Deployment Settings

Install the TS Web Access Role Service

121

Task

Reference

Add the computer account of the TS Web Access server to the TS Web Access Computers group on the terminal server. Configure the TS Web Access server to populate its list of RemoteApp programs from a single terminal server or single terminal server farm.

Populate the TS Web Access Computers Security Group Specify the Data Source for TS Web Access

After you complete this checklist, users can access the TS Web Access site from an intranet. To make the TS Web Access Web site available from the Internet, see Checklist: Making RemoteApp Programs Available from the Internet.

Enable RemoteApp Programs for TS Web Access

By default, a RemoteApp program is enabled for TS Web Access when you add a program to the RemoteApp Programs list on a terminal server. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/? LinkId=83477). To determine if a RemoteApp program is enabled for TS Web Access 1. On the terminal server where the RemoteApp programs are configured, start TS RemoteApp Manager. To do this, click Start, point to Administrative Tools, point to Terminal Services, and then click TS RemoteApp Manager. 2. In the RemoteApp Programs list, verify that a Yes value appears in the TS Web Access column next to the program that you want to make available through TS Web Access. 3. To change whether a RemoteApp program is available through TS Web Access, do either of the following: To enable a RemoteApp program for TS Web Access, click the program name, and then in the Actions pane, click Show in TS Web Access. To disable a RemoteApp program for TS Web Access, click the program name, and then in the Actions pane, click Hide in TS Web Access. If TS Web Access is configured to populate its list of RemoteApp programs from the terminal server, RemoteApp programs that are enabled for TS Web Access automatically appear on the 122

TS Web Access Web site. For more information, see Specify the Data Source for TS Web Access.

Install the TS Web Access Role Service

You must install the TS Web Access role service on the server that you want users to connect to over the Web to access RemoteApp programs. When you install the TS Web Access role service, Microsoft Internet Information Services (IIS) 7.0 is also installed. The server where you install TS Web Access acts as the Web server. The server does not have to be a terminal server. Note By default, when you install TS Web Access, the TS Web Access Web site installs to the Default Web Site in IIS. To change the default install location of the site, you can configure a different location in the registry. You must do this before you install the TS Web Access role service. For more information, see Change the Install Location of the TS Web Access Web Site. Membership in the local Administrators group is the minimum required to complete this procedure. To install TS Web Access 1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager. 2. If the Terminal Services role is already installed: a. Under Roles Summary, click Terminal Services. b. Under Role Services, click Add Role Services. c. On the Select Role Services page, select the TS Web Access check box. If the Terminal Services role is not already installed: a. Under Roles Summary, click Add Roles. b. On the Before You Begin page, click Next. c. On the Select Server Roles page, select the Terminal Services check box, and then click Next. d. Review the Terminal Services page, and then click Next. e. On the Select Role Services page, select the TS Web Access check box. 3. Review the information about the required role services, and then click Add Required Role Services. 4. Click Next. 5. Review the Web Server (IIS) page, and then click Next. 123

6. On the Select Role Services page, where you are prompted to select the role services that you want to install for IIS, click Next. 7. On the Confirm Installation Selections page, click Install. 8. On the Installation Results page, confirm that the installation succeeded, and then click Close.

Populate the TS Web Access Computers Security Group

If the TS Web Access server and the terminal server that hosts the RemoteApp programs are separate servers, you must add the computer account of the TS Web Access server to the TS Web Access Computers security group on the terminal server. To add the computer account of the TS Web Access server to the security group 1. On the terminal server, click Start, point to Administrative Tools, and then click Computer Management. 2. In the left pane, expand Local Users and Groups, and then click Groups. 3. In the right pane, double-click TS Web Access Computers. 4. In the TS Web Access Computers Properties dialog box, click Add. 5. In the Select Users, Computers, or Groups dialog box, click Object Types. 6. In the Object Types dialog box, select the Computers check box, and then click OK. 7. In the Enter the object names to select box, specify the computer account of the TS Web Access server, and then click OK. 8. Click OK to close the TS Web Access Computers Properties dialog box.

Specify the Data Source for TS Web Access

You can configure TS Web Access to populate the list of RemoteApp programs that appear in the Web Part from a specific terminal server or terminal server farm. By default, TS Web Access populates its list of RemoteApp programs from a single terminal server and points to the local host. The Web Part is populated by all RemoteApp programs that are enabled for TS Web Access on that terminal server's RemoteApp Programs list. To complete the following procedure, you must log on to the TS Web Access server by using the local Administrator account or an account that is a member of the TS Web Access Administrators group on the TS Web Access server. 124

To specify which terminal server or terminal server farm to use as the data source 1. Connect to the TS Web Access Web site. To do this, use either of the following methods: On the TS Web Access server, click Start, point to Administrative Tools, point to Terminal Services, and then click TS Web Access Administration. Use Internet Explorer to connect to the TS Web Access Web site. By default, the Web site is located at the following address, where server_name is the name of the TS Web Access server: http://server_name/ts Note If you have configured the Web site to use Secure Sockets Layer (SSL), connect to https://server_name/ts. 2. Log on to the site by using either the local Administrator account, or an account that is a member of the local TS Web Access Administrators group. (If you are already logged on to the computer as one of these accounts, you are not prompted for credentials.) 3. On the title bar, click the Configuration tab. Note If you access the TS Web Access Web site by using the TS Web Access Administration option, the page automatically opens to the Configuration tab. 4. In the Editor Zone area, in the Terminal server name box, enter the name of the terminal server or terminal server farm that you want to use as the data source. 5. Click Apply to apply the changes. To test TS Web Access, see Connect to TS Web Access.

Connect to TS Web Access

By default, you can access the TS Web Access Web site at the following location, where server_name is the NetBIOS name or the fully qualified domain name of the Web server where you installed TS Web Access: http://server_name/ts If you have configured the Web site to use Secure Sockets Layer (SSL), connect to Note https://server_name/ts. If you connect to TS Web Access from a public computer, such as a computer in an "Internet caf," you should clear the I am using a private computer that complies with my organization's security policy check box that appears in the lower-right corner of the Web Part. In public mode, you are not provided with the option to save your credentials.

125

Client requirements and configuration

To connect to TS Web Access, the client computer must be running RDC 6.1 (6.0.6001). RDC 6.1 is included with the following operating systems: Windows Server 2008 Windows Vista with SP1 Windows XP with SP3

The client computer must be running Internet Explorer 6 or a later version. Additionally, the Terminal Services ActiveX Client control must be enabled. The ActiveX control is included with RDC 6.1. If you are running Windows Server 2008 or Windows Vista with SP1, and you receive a warning message on the Internet Explorer Information bar about the site being restricted from showing certain content, click the message line, point to Add-on Disabled, and then click Run ActiveX Control. When you do this, you may see a security warning. Before you click Run, make sure that the publisher for the ActiveX control is "Microsoft Corporation." Note If the Internet Explorer Information bar does not appear, and you cannot connect to TS Web Access, you can enable the Terminal Services ActiveX control by using the Manage Add-ons tool on the Tools menu of Internet Explorer. The add-on appears as Microsoft Terminal Services Client Control. If you are running Windows XP with SP3, when you first access the TS Web Access site, the page displays an ActiveX control not installed or not enabled error message. Use the following procedure to enable the ActiveX control. To enable the ActiveX control in Windows XP with SP3 1. Connect to the TS Web Access site, and then enter your logon credentials. 2. Do either of the following, depending on the version of Internet Explorer that you are running. If you are using Internet Explorer 7, on the Tools menu, point to Manage Addons, and then click Enable or Disable Add-ons. If you are using Internet Explorer 6, on the Tools menu, click Manage Add-ons. The Manage Add-ons dialog box appears. Make sure that the Show list is set to Addons currently loaded in Internet Explorer. 3. Under Disabled, click either Microsoft Terminal Services Client Control (redist) or Microsoft RDP Client Control (redist)whichever is listed. 4. Under Settings, click Enable. (If you are running Internet Explorer 6, click OK in response to the message saying that you may need to restart Internet Explorer for the changes to take effect.) Note 126

If the ActiveX control is listed two times, enable both instances. 5. Click OK to close the Manage Add-ons dialog box. (If you are running Internet Explorer 7, click OK in response to the message saying that you may need to restart Internet Explorer for the changes to take effect.) Any available RemoteApp programs should appear on the TS Web Access Web site.

Configure the TS Web Access Server to Allow Access from the Internet
To allow users to access the TS Web Access server from the Internet through TS Gateway, the recommended configuration is to place both the TS Gateway server and the TS Web Access server in the perimeter network, and to place the terminal servers that host RemoteApp programs behind the internal firewall. Alternatively, you can deploy TS Web Access on the internal network, and then make the Web site available through Microsoft Internet Security and Acceleration (ISA) Server. For more information about Web publishing through ISA Server 2006, see Publishing Concepts in ISA Server 2006 (http://go.microsoft.com/fwlink/?LinkId=86359). If you deploy TS Web Access in the perimeter network, you must configure your firewall to allow Windows Management Instrumentation (WMI) traffic from the TS Web Access server to the terminal server. You must ensure that TCP port 135 is open for WMI-related DCOM traffic. To control the other ports that are used for WMI traffic, you can configure a fixed port. For information about how to do this, see Setting Up a Fixed Port for WMI on MSDN (http://go.microsoft.com/fwlink/?LinkId=109867). To use this procedure on a Windows Server 2008-based server, note the following additional information: If you are not logged on by using the local Administrator account, you must run the commands from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. The procedure shows how to configure TCP port 24158 for WMI traffic. By default, the winmgmt -standalonehost command moves the Windows Management Instrumentation service (Winmgmt) to a standalone Svchost process that has a fixed DCOM endpoint of "ncacn_ip_tcp.0.24158". To specify a different port number, do not use the winmgmt -standalonehost command. Instead, you must use the following procedure. To specify a port number that is different from the default 1. Use Component Services to configure the fixed DCOM endpoint for WMI to the port that you want. To do this, follow these steps: a. Open Component Services. To do this, click Start, point to Administrative 127

Tools, and then click Component Services. b. In the console tree, expand Component Services, expand Computers, expand My Computer, and then click DCOM Config. c. In the middle pane, right-click Windows Management and Instrumentation, and then click Properties. d. On the Endpoints tab, click either Properties or Add, depending on whether an existing custom entry already exists. e. Click Use static endpoint, enter the port number to use, and then click OK two times. 2. Restart the Winmgmt service for the change to take effect. To restart the service, run the commands net stop winmgmt and net start winmgmt from the command line. 3. Run the netsh command with the port parameter set to the same port that you specified in Component Services. When you run the netsh command to create a firewall rule, you must include the protocol parameter and specify TCP as the protocol type. The following is an example of the command syntax: netsh firewall add portopening protocol=TCP port=24158 profile=domain name=WMIFixedPort Note The profile parameter indicates whether the firewall rule applies to the Domain, Private, or Public profile. For more information, see "Understanding Windows Firewall with Advanced Security Profiles" in the Windows Firewall with Advanced Security Help. Additionally, the TS Web Access Web site must be configured to use Windows authentication. By default, Windows authentication is enabled for the TS Web Access Web site. To verify that Windows authentication is enabled 1. On the TS Web Access server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. In the left pane of Internet Information Services (IIS) Manager, expand the server name, expand Sites, expand Default Web Site, and then click TS. 3. In the middle pane, under IIS, double-click Authentication. 4. Ensure that Windows Authentication is set to Enabled. If it is not, right-click Windows Authentication, and then click Enable. Note If you placed TS Web Access in a custom Web site, you must ensure that the authentication method that is used for the Web site can map to the user's Windows account. You can do this by using integrated Windows authentication on the custom Web site.

128

Configure Remote Desktop Web Connection Behavior

Terminal Services Remote Desktop Web Connection enables a user to connect to the desktop of a remote computer from the TS Web Access Web site. To connect to a remote computer, the following conditions must be true: The remote computer must be configured to accept Remote Desktop connections. The user must be a member of the Remote Desktop Users group on the remote computer. A user can access Remote Desktop Web Connection by clicking the Remote Desktop tab on the TS Web Access page. As an administrator, you can configure whether the Remote Desktop tab is available to users. Additionally, you can configure settings such as which TS Gateway server to use, and the default device and resource redirection options. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. To configure Remote Desktop Web Connection behavior 1. On the TS Web Access server, start Internet Information Services (IIS) Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. In the left pane, expand the server name, expand Sites, expand Default Web Site, and then click TS. 3. In the middle pane, under ASP.NET, double-click Application Settings. 4. To change Remote Desktop Web Connection settings, modify the values in the Application Settings pane. To configure a default TS Gateway server, double-click DefaultTSGateway, enter the fully qualified domain name of the server in the Value box (for example, server1.contoso.com), and then click OK. To specify the TS Gateway authentication method, double-click GatewayCredentialsSource, type the number that corresponds to the desired authentication method in the Value box, and then click OK. The possible values include: 0 = Ask for password (NTLM) 1 = Smart card 4 = Allow user to select later To configure whether the Remote Desktop tab appears on the TS Web Access page, double-click ShowDesktops. In the Value box, type true to show the Remote Desktop tab, or type false to hide the Remote Desktop tab. When you are finished, click OK. 129

 To configure default device and resource redirection settings, double-click the setting that you want to modify (xClipboard, xDriveRedirection, xPnPRedirection, xPortRedirection, or xPrinterRedirection). In the Value box, type true to enable the redirection setting by default, or type false to disable the redirection setting by default, and then click OK. 5. When you finish, close IIS Manager. Your changes should take effect immediately on the TS Web Access Web site. If the Web page is open, refresh the page to view the changes. Note You can also configure these settings by modifying the %windir%\Web\ts\Web.config file directly by using a text editor such as Notepad.

Change the Install Location of the TS Web Access Web Site

By default, when you install TS Web Access, the TS Web Access Web site installs to the Default Web Site in IIS (to the /TS virtual path). To specify a different Web site to install TS Web Access, you can configure a different target Web site in the registry. You must do this before you install the TS Web Access role service. Caution Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. To change the location of the TS Web Access Web site 1. If you do not already have IIS installed, install IIS. To do this, follow these steps: a. Start Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager. b. Under Roles Summary, click Add Roles. c. On the Before You Begin page, click Next. d. On the Select Server Roles page, select the Web Server (IIS) check box, click Add Required Features, and then click Next. e. On the Web Server (IIS) page, click Next. f. On the Select Role Services page, click Next. g. On the Confirm Installation Selections page, click Install. 130

h. On the Installation Results page, verify that the installation succeeded, and then click Close. 2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 3. In Internet Information Services (IIS) Manager, expand the server name, right-click Sites, and then click Add Web Site. 4. In the Add Web Site dialog box, add the information for the new Web site, such as the site name. Ensure that you do the following: In the Physical path box, specify the path C:\Windows\Web, where "C:" represents the drive where you installed Windows. To not conflict with the Default Web Site, you should either specify a different IP address in the IP address list, or specify a port other than port 80 in the Port box. (If you specify another port, ensure that the firewall is configured to permit HTTP or HTTPS traffic on that port, depending on your configuration.) 5. When you finish, click OK. 6. Start Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER. 7. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft 8. To specify a new install location for the TS Web Access Web site, do the following: a. Right-click Microsoft, point to New, and then click Key. b. Type Terminal Server Web Access as the subkey name, and then press ENTER. c. Right-click Terminal Server Web Access, point to New, and then click String Value. d. Type Website as the entry name, and then press ENTER. e. Right-click Website, and then click Modify. f. In the Value data box, type the name of the Web site where you want to install the TS Web Access Web site (the site name that you specified in step 4 of this procedure), and then click OK. 9. Close Registry Editor. 10. Install TS Web Access. For more information, see Install the TS Web Access Role Service.

131

Deploying Terminal Services Printing

Terminal Services printing has been enhanced in Windows Server 2008 by the addition of the Terminal Services Easy Print printer driver and a Group Policy setting that enables you to redirect only the default client printer. The Terminal Services Easy Print driver enables users to reliably print from a Terminal Services RemoteApp program or from a Terminal Services desktop session to the correct printer on their client computer. It also enables users to have a much more consistent printing experience between local and remote sessions. To install and configure Terminal Services Printing, see the following topics: Using Terminal Services Easy Print Driver Installing the Printer Driver on the Server Creating a Custom Printer Mapping File Configuring Printer Redirection Settings Using Terminal Services Printing-Related Group Policy Settings

Using Terminal Services Easy Print Driver

By default, a Windows Server 2008-based terminal server is configured to use the Terminal Services Easy Print printer driver first when a client tries to print, and then it tries to use a matching printer driver on the server if the client does not support Terminal Services Easy Print. To change this default behavior, modify the Use Terminal Services Easy Print printer driver first Group Policy setting. If you set this policy setting to Disabled, the terminal server first tries to find a suitable printer driver to install the client printer. If the terminal server does not have a printer driver that matches the client printer, the server tries to use the Terminal Services Easy Print driver to install the client printer. For more information, see Using Terminal Services Printing-Related Group Policy Settings. Note This policy setting is available in the Computer Configuration node and the User Configuration node.

Client requirements
To use the Terminal Services Easy Print driver, clients must be running both of the following: Remote Desktop Connection 6.1 [The RDC 6.1 (6.0.6001) client supports Remote Desktop Protocol 6.1.] At least Microsoft .NET Framework 3.0 Service Pack 1 (SP1) The following list provides information about which operating systems support the Terminal Services Easy Print driver, and whether additional configuration is required. 132

 Windows Vista with SP1 includes both of the required components. By default, Windows Vista with SP1 supports the Terminal Services Easy Print driver with no additional configuration. Windows XP with Service Pack 3 (SP3) includes RDC 6.1. However, you must install a supported version of the .NET Framework separately. You can download Microsoft .NET Framework 3.5 (which includes .NET Framework 3.0 SP1) from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=109422). Windows Server 2008 includes both of the required components. However, by default, NET Framework 3.0 SP1 is not installed. Therefore, to use the Terminal Services Easy Print driver on a Windows Server 2008-based server (that is acting as the client), you must add .NET Framework 3.0 SP1 by using Server Manager or by adding the feature from the command line. To add .NET Framework 3.0 SP1 by using Server Manager 1. Start Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager. 2. In the left pane of Server Manager, right-click Features, and then click Add Features. 3. On the Select Features page, expand .NET Framework 3.0. 4. Select the .NET Framework 3.0 Features and the XPS Viewer check boxes, and then click Next. 5. Click Install.

To add .NET Framework 3.0 SP1 by using the command line 1. Start the command prompt with elevated privileges. To do this, click Start, rightclick Command Prompt, and then click Run as administrator. 2. At the command prompt, type the following, and then press ENTER: pkgmgr.exe /iu:NetFx3 The installation occurs silently, and may take several minutes.

Additional information
When you use the Terminal Services Easy Print driver, users cannot save printing preferences from Printers in Control Panel. Instead, printing preferences can only be applied and saved per application.

133

Installing the Printer Driver on the Server

If some client computers do not support the Terminal Services Easy Print driver, you can install matching printer drivers on the terminal server. If the printer driver that is installed on the client computer is an OEM driver, and a driver is available from the printer's manufacturer, replace the OEM driver with the driver that is available from the printers manufacturer. If you are installing a non-Microsoft driver, make sure that the driver is a Windows Hardware Quality Labs (WHQL)-signed driver. Note After you install a printer driver, terminal server clients must log off and then log on to the terminal server before the printer driver change takes effect. To install the printer driver, use either of the following methods. To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority. Method 1: Run the printer's Setup program to install the printer driver .inf file on the terminal server. Method 2: Install the printer driver by using the Add Printer Driver Wizard.

To install the printer driver by using the Add Printer Driver Wizard 1. On the terminal server, click Start. 2. In the Start Search box, type control printers and then press ENTER. 3. On the File menu, click Server Properties. 4. On the Drivers tab, click Add, and then follow the instructions in the Add Printer Driver Wizard to install the printer driver .inf file.

Creating a Custom Printer Mapping File

You can create or modify an existing custom printer mapping file to define mappings from clientside drivers to server-side drivers on the terminal server. To perform the following procedures on the terminal server, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Step one: Create or modify an .inf file

Using a text editor such as Notepad, create or modify an .inf file to include the user-defined mappings from the client-side driver to the server-side driver. Follow the format used in the following example: 134

;NTPRINTSUBS.INF ;Printer mapping file for client-side to server-side drivers [Printers] "OEM Printer Driver Name" = "Windows Server 2008 Driver Name"

For example:
"HP DeskJet 720C Series v10.3" = "HP DeskJet 722C"

The left side of the equation is the exact name of the printer driver that is associated with the client-side print queue that is being redirected to the server. To obtain the exact name of the client-side driver 1. On the client computer, in Control Panel, open Printers. 2. Right-click the printer that you want to use, and then click Properties. The exact name of the printer driver appears on the General tab, next to Model. Note You can also click the Advanced tab and view the driver name in the Driver list. The right side of the equation is the exact name of the server-side driver equivalent that is installed on the terminal server. To obtain the exact name of the server-side driver 1. On the terminal server, in Control Panel, open Printers. 2. On the File menu, click Server Properties. 3. The exact name of the printer driver is listed on the Drivers tab in the Name column. Note If the server-side printer driver that you want to use is not installed, click Add, and then follow the instructions in the Add Printer Driver Wizard to install the printer driver.

Step two: Configure the registry

After you create the printer mapping file, you must configure the registry to point to the printer mapping .inf file, and to the correct section of the printer mapping file that contains the userdefined mappings. Caution Incorrectly editing the registry might severely damage your system. Before you make changes to the registry, you should back up any valued data.

135

To use a custom printer mapping file 1. On the terminal server, open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER. 2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 3. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd 4. Create a registry entry for the printer mapping file name. To do this, follow these steps: a. Right-click the rdpwd subkey, point to New, and then click String Value. b. Type PrinterMappingINFName as the entry name, and then press ENTER. c. Right-click PrinterMappingINFName, and then in the Value data box, enter the path and name of the .inf file to which you want to redirect lookups. For example, type c:\windows\inf\ntprintsubs.inf. d. When you finish, click OK. 5. Create a registry entry for the section of the .inf file to which you want to redirect lookups. To do this, follow these steps: a. Right-click the rdpwd subkey, point to New, and then click String Value. b. Type PrinterMappingINFSection as the entry name, and then press ENTER. c. Right-click PrinterMappingINFSection, and then in the Value data box, enter the name of the section in the .inf file that contains the user-defined mappings. For example, type Printers. d. When you finish, click OK. 6. Close Registry Editor. Important For the changes to take effect, you must restart the Print Spooler service on the terminal server.

Configuring Printer Redirection Settings

As an administrator, you can configure printer redirection settings for terminal server connections as a whole (per connection) or on a per user basis.

136

Configure printer redirection settings per connection

By using Group Policy (best practice)
To configure Group Policy settings for a domain or an organizational unit (OU), you must be logged on as a member of the Domain Admins group, Enterprise Admins group, or the Group Policy Creator Owners group, or have been delegated the appropriate authority over Group Policy. To configure Group Policy settings by using the Local Group Policy Editor, membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. To configure per connection printer redirection settings on a terminal server by using Group Policy 1. In either the Group Policy Management Console or the Local Group Policy Editor, locate the following node: Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection 2. Configure the desired printer redirection settings: To disable client printer redirection, enable the Do not allow client printer redirection policy setting. To use the default printer of the server as the default printer for all client sessions, enable the Do not set default client printer to be default printer in a session policy setting.

By using Terminal Services Configuration

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. To configure per connection printer redirection settings on a terminal server by using Terminal Services Configuration 1. Click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration. 2. In the middle pane, under Connections, right-click the connection, and then click Properties. 3. On the Client Settings tab, under Redirection, configure the desired printer redirection settings: To disable client printer redirection, select the Windows Printer check box. To use the default printer of the server as the default printer for all client sessions, select the Default to main client printer check box. To print to the default 137

printer of the client, clear this check box.

Configure printer redirection settings per user

You can configure per user printer redirection settings by using either Local Users and Groups or Active Directory Users and Computers. These settings override client-specified settings. To configure per user printer redirection settings by using Active Directory Users and Computers, you must be logged on as a member of the Domain Admins group, or have been delegated the appropriate authority. To configure per user printer redirection settings by using Local Users and Groups, membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. To configure per user printer redirection settings 1. Do either of the following, depending on whether you are configuring settings for a domain user or for a local user on the terminal server. To configure settings for a domain user, on a domain controller, click Start, point to Administrative Tools, and then click Active Directory Users and Computers. To configure settings for a local user, on a terminal server, click Start, point to Administrative Tools, click Computer Management, and then expand Local Users and Groups. 2. In the console tree, locate the user for whom you want to configure printer redirection settings. 3. Right-click the user name, and then click Properties. 4. On the Environment tab, configure the following settings: Connect client printers at logon If you clear this check box, client printers are not automatically connected. However, a user can still manually map their client printer. Default to main client printer Select this check box to print to the default printer of the client. If you clear this check box, the default printer of the server is used as the default printer for all client sessions. Note By default, both of these check boxes are selected. 5. When you finish, click OK.

Use client-specified printer redirection settings

Users can also control printer redirection settings through the Remote Desktop Connection (RDC) client, or when starting a connection to a RemoteApp program. 138

To control printer redirection through the RDC client 1. Start the Remote Desktop Connection client. 2. Click Options. 3. On the Local Resources tab, under Local devices and resources, select or clear the Printers check box.

Using Terminal Services Printing-Related Group Policy Settings

There are several Group Policy settings that you can configure to help control Terminal Services printing behavior. These settings are located in the following node of the Group Policy Management Console: Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection Note Some of the policy settings are available in both the Computer Configuration node and the User Configuration node. Following are the available Group Policy settings for Terminal Services printing.
Name Description Requirements

Do not allow client printer redirection

This policy setting allows you to specify whether to prevent the mapping of client printers in Terminal Services sessions. You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Terminal Services allows this client printer mapping. If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Terminal Services sessions.

At least Windows XP Professional or Windows Server 2003 family

139

Name

Description

Requirements

If you disable this policy setting, users can redirect print jobs with client printer mapping. If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. However, an administrator can still disable client printer mapping by using the Terminal Services Configuration tool. Do not set default client printer to be default printer in a session This policy setting allows you to specify whether the client default printer is automatically set as the default printer in a Terminal Services session. By default, Terminal Services automatically designates the client default printer as the default printer in a Terminal Services session. You can use this policy setting to override this behavior. If you enable this policy setting, the default printer is the printer specified on the remote computer. If you disable this policy setting, the terminal server automatically maps the client default printer and sets it as the default printer upon connection. If you do not configure this policy setting, the default printer is not specified at the Group Policy level. However, an administrator can configure the default printer for client sessions by using the Terminal Services Configuration tool. Redirect only the default This policy setting allows you to At least Windows Server 2008 140 At least Windows XP Professional or Windows Server 2003

Name

Description

Requirements

client printer

specify whether the default client printer is the only printer redirected in Terminal Services sessions. If you enable this policy setting, only the default client printer is redirected in Terminal Services sessions. If you disable or do not configure this policy setting, all client printers are redirected in Terminal Services sessions.

Specify terminal server fallback printer driver behavior

This policy setting allows you to specify the terminal server fallback printer driver behavior. By default, the terminal server fallback printer driver is disabled. If the terminal server does not have a printer driver that matches the client's printer, no printer will be available for the terminal server session. If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the terminal server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are: Do nothing if one is not found If there is a printer driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer is not available. This is the default behavior. Default to PCL if one is not found If no suitable printer driver can be found, default to the

Windows Server 2003 with Service Pack 1 only

141

Name

Description

Requirements

Printer Control Language (PCL) fallback printer driver. Default to PS if one is not found If no suitable printer driver can be found, default to the PostScript (PS) fallback printer driver. Show both PCL and PS if one is not found If no suitable driver can be found, show both PS and PCL-based fallback printer drivers. If you disable this policy setting, the terminal server fallback driver is disabled and the terminal server will not attempt to use the fallback printer driver. If you do not configure this policy setting, the fallback printer driver behavior is off by default. Note If the Do not allow client printer redirection policy setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. Use Terminal Services Easy Print printer driver first This policy setting allows you to specify whether the Terminal Services Easy Print printer driver is used first to install all client printers. If you enable or do not configure this policy setting, the terminal server first tries to use the Terminal Services Easy Print printer driver to install all client printers. If for any reason the Terminal Services Easy Print 142 At least Windows Server 2008

Name

Description

Requirements

printer driver cannot be used, a printer driver on the terminal server that matches the client printer is used. If the terminal server does not have a printer driver that matches the client printer, the client printer is not available for the Terminal Services session. If you disable this policy setting, the terminal server tries to find a suitable printer driver to install the client printer. If the terminal server does not have a printer driver that matches the client printer, the server tries to use the Terminal Services Easy Print printer driver to install the client printer. If for any reason the Terminal Services Easy Print printer driver cannot be used, the client printer is not available for the Terminal Services session. Note If the Do not allow client printer redirection policy setting is enabled, the Use Terminal Services Easy Print printer driver first policy setting is ignored.

143