In Windows Server 2008, Terminal Services has expanded its support for knowledge workers who need multiple desktops, for telecommuters and for people working from remote offices.
Where earlier versions assumed that people would use one or two terminal servers in the office to support users -- at least if they were using the in-the-box solution -- Terminal Services in Windows Server 2008 supports a wider array of business situations. It also assumes a larger number of servers in the farm for improved redundancy, which means the connections to those servers must be managed.
Windows Server 2003's display looked pretty good when it was launched. At a maximum display size of 1,600 by 1,200 pixels and support for 32-bit color, it was a big improvement over Windows 2000. But ever since Microsoft released Windows Server 2003, many end users have become accustomed to using multiple monitors.
Remote connections using Microsoft Remote Desktop Protocol 6.1, known as RDP 6.1, can connect to a Windows Server 2008 terminal server and get a display much like the one they can get locally. End users can use several monitors so long as they're set to the same resolution and oriented side by side, can use custom display resolutions, and can get a maximum total display of 4,096 by 2,048 pixels.
Terminal Services in Windows Server 2008 supports client-side devices
Just as the expectations about monitor displays have changed in five years, so have the expectations about client-side device support. Two important consumer devices are media players and digital cameras.
If you're working in a completely remote environment, you need to be able to control these devices from the remote session and copy data to and from them. Using Windows Server 2008 Terminal Services with RDP 6.1, you can map media players that use the Media Transfer Protocol and digital cameras that use the Picture Transfer Protocol, or PTP. Terminal Services also supports client-side point-of-service devices to support retailers.
Printing with Terminal Services has long been difficult because of the way the print job was split between client and server. In addition, the need existed to support printers that the administrator might not have been able to test easily. Terminal Services in Windows Server 2008 addresses these problems in a couple of ways.
First -- and simplest -- a Group Policy allows administrators to map only the client's default printer to a terminal session. Second, EasyPrint technology avoids driver problems for Windows Vista clients running Remote Desktop Connection 6.1.
Basically, EasyPrint allows end users to print from a remote session without having to install any drivers on the terminal server at all. The remote session gets printer settings from the client's computer and even makes calls to the client-side user interface to show the driver configuration panes for the drivers.
It's a good practice to have more than one terminal server hosting your remote application set and to load balance those servers. That spreads out the user load and eliminates the possibility that one server could go down and take out your ability to serve centralized applications. The trouble is that connections are fundamentally made to terminal servers, not to groups of them.
Users connect to the terminal server named TS01 or whatever original name you've given it. But if your RDP files include the names of specific terminal servers, they won't support load balancing. Nor will they be flexible enough to redirect a new connection request to a server where the user already has a session.
The Session Broker role determines which terminal server an incoming connection should be connected to when a user connects to a farm. It bases this decision on several criteria, including the farm the user wants to connect to, whether that user already has a session, and, if not, which terminal server has the lowest number of sessions. Although the Session Broker includes only one form of load balancing, it can be integrated with third-party load balancers that support additional criteria, such as CPU or memory load, time of day or the application requested.
Terminal Server Gateway expands connectivity
If you wanted to connect a terminal server to the outside world prior to Windows Server 2008 using only the tools in the box, you might have considered opening port 3389 -- the port that the Remote Desktop Protocol listens on -- so that the terminal server could accept incoming connections. Most people didn't do this because of the security hole it opened up -- i.e., more open ports mean more exposure to attack.
Terminal Services Gateway is one of the sub-roles of Terminal Services in Windows Server 2008. TS Gateway enables authorized remote users to connect via RDP over HTTPS to resources on an internal corporate or private network from any authorized Internet-connected device, whether originally part of the domain or a public kiosk. The network resources can be terminal servers supporting full desktops, terminal servers running RemoteApp programs or computers with Remote Desktop enabled.
In other words, people accessing the corporate network from the Internet can use full desktops, individual applications or even their own desktop computers -- it all depends on what the administrator has set up. Best of all, it can do this via the standard port already open for secure Internet connectivity.
Also, users don't need a VPN, and administrators can provide more granularly secured access than is possible with a VPN. TS Gateway can be used with Microsoft Internet Security and Acceleration Server or on its own.
Using the TS Gateway Microsoft Management Console snap-in, you can monitor connection-related events and specify the following options:
- Which user groups can connect to network resources
- What network resources users can connect to
- Whether client computers must be members of Active Directory security groups
- Whether device and disk redirection is allowed
- Whether clients need to use smart card authentication or password authentication, or whether they can use either method
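As an added example that is not part of the original article, the following Python script audits the .rdp files handed out to users against the points made above: it flags a file that names a single terminal server instead of the farm (which defeats the Session Broker), a file that does not route through TS Gateway (RDP over HTTPS rather than an exposed port 3389), and a file that requests drive or plug-and-play device redirection. The farm and gateway names and both sample files are constructed for the example, and the setting names used are the documented .rdp keys.

```python
"""Audit .rdp files against the deployment points made above (added example, not
from the article or Microsoft). Assumes the standard .rdp text format, one
"name:type:value" per line (s = string, i = integer), and the documented settings
'full address', 'gatewayhostname', 'gatewayusagemethod', 'redirectdrives',
'devicestoredirect'. Farm and gateway names and both sample files are constructed."""
import re

FARM_NAME = "tsfarm.corp.example"   # constructed: name the Session Broker farm is published under
GATEWAY_NAME = "tsgw.corp.example"  # constructed: name of the TS Gateway server
LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[si]):(?P<value>.*)$")

# Constructed sample: a file handed out before the farm and gateway existed.
RDP_DIRECT_TO_TS01 = """full address:s:TS01:3389
redirectdrives:i:1
devicestoredirect:s:*
gatewayusagemethod:i:0
"""
# Constructed sample: the same connection rewritten to use the farm and TS Gateway.
RDP_VIA_GATEWAY = """full address:s:tsfarm.corp.example
gatewayhostname:s:tsgw.corp.example
gatewayusagemethod:i:1
redirectdrives:i:0
span monitors:i:1
"""

def parse_rdp(text):
    """Parse .rdp text into a dict; 'i' values become ints, 's' values stay strings."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # anything that is not name:type:value is ignored
            settings[m["key"].lower()] = int(m["value"]) if m["type"] == "i" else m["value"]
    return settings

def audit_rdp(text, farm=FARM_NAME, gateway=GATEWAY_NAME):
    """Return findings; an empty list means the file follows the guidance above."""
    s = parse_rdp(text)
    findings = []
    # Naming one server (TS01) bypasses the Session Broker, so the file cannot be load balanced.
    host = s.get("full address", "").split(":")[0].lower()
    if host != farm.lower():
        findings.append(f"full address points at '{host}', not the farm name")
    # Internet clients should arrive via TS Gateway (RDP over HTTPS), not an exposed port 3389;
    # gatewayusagemethod 1 = always use the gateway, 2 = use it unless the client is on the LAN.
    if s.get("gatewayusagemethod", 0) not in (1, 2) or s.get("gatewayhostname", "").lower() != gateway.lower():
        findings.append("connection does not traverse the TS Gateway")
    # Drive and plug-and-play device redirection move data in and out of the session; flag requests.
    if s.get("redirectdrives", 0) == 1:
        findings.append("client drive redirection requested")
    if s.get("devicestoredirect", ""):
        findings.append("plug-and-play device redirection requested")
    return findings
```

Run `audit_rdp()` over each .rdp file before it is published through TS Web Access or copied to client computers; the gateway-side policies still decide what is actually allowed, this only catches files that contradict them.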
TS Gateway servers and Terminal Services clients can be configured to use Network Access Protection, or NAP, to further enhance security for XP SP2 and Windows Vista clients. With NAP, Windows administrators can enforce health requirements, such as software requirements, security update requirements and required computer configurations.
TS Gateway can be used with just a terminal server farm and RDP files stored on client computers, or with Terminal Services Web Access. With TS Web Access, you can set up a remote workspace that presents a website with the application icons and then makes sure that the person connecting or the computer they're connecting from meets the TS Gateway rules. Because TS Gateway uses few resources and can support hundreds of incoming users, it can be safely combined with other roles that can be in the DMZ.
Christa Anderson is a program manager on the Terminal Services team at Microsoft. She is the author of Windows Terminal Services and The Definitive Guide to MetaFrame XP, and co-author of Mastering Windows 2003 Server. She is also the author of the forthcoming Terminal Services Resource Kit from Microsoft Press.
This was first published in March 2008