Windows Server 2008 Thread, Terminal Server Gateway deployment best practice in Technical
26th August 2009, 04:02 AM #1
Terminal Server Gateway deployment best practice
I'm about to publish certain servers available through port 443 (SSL) only, therefore I need to use the Windows Server 2008 Std. x64 TSG service. In this case, what is the best practice for deploying this infrastructure?
Do I need to join the TSG into the domain?
Should I need to open LDAP port 389 from the DMZ into my local network --> security hole?
Any help and suggestions would be greatly appreciated.
22nd October 2009, 12:45 AM #2
Have you made any progress on this matter?
I have currently got a project on the go which works in the sandbox environment. We are simply waiting for clearance / go-ahead for the project to go live, as well as final tests / preparations.
22nd October 2009, 06:20 AM #3
Finally I was able to access the web server that I want from the internet using Terminal Server Gateway.
Here's what I did:
On the Terminal Server Gateway (open ports 53, 88, 389, 135, 139, 3389; after that, only open port 443 to the external side and to the web server):
1. Join the TSG server into the domain.
2. Go through the steps in the YouTube video "Windows Server 2008 - Installing Terminal Services" (http://www.youtube.com/watch?v=x_0oeiCTTfU).
3. TS_CAP_01 settings:
   - Select password for the authentication.
   - Add the BUILTIN\Administrators group.
   - Device Redirection tab: enable device redirection for all devices.
4. TS_RAP_01 settings:
   - User groups tab: make the members the same as in the previous CAP_01 setting.
   - Computer group tab: select "Allow users to connect to any network resources" --> because of this I can now securely RDP to the web server.
   - Allowed ports tab: select "Allow connection through any port" --> and this one as well.
5. Export the certificate as (whatever).cer; this must then be imported into the Trusted Root CA store on the client workstation.
On the DMZ web server (open only port 443 after going through these steps):
1. Join the web server to the domain.
2. Go to System Properties | Remote tab and click "Allow connections from computers running....".
3. Click the "Remote users" button and add the same user as in the TSG group (steps 3 and 4).
On the client:
1. Import the certificate from TSG.domain.com into the Trusted Root CA location (click Browse and select the folder).
2. Run mstsc (the Remote Desktop application).
3. General tab:
   - Computer: (web server IP address) --> because no DNS is available.
   - Select "Connect and don't warn me".
   - Click Settings and select "Use these TS Gateway server settings":
     Server name: TSG.domain.com
     Login method: NTLM
   - Click OK, then connect by supplying the local admin password.
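The client settings in the post above end up in an .rdp file (or the RemoteApp .MSI built from one). As an added example that is not part of the thread, this parses the .rdp format and audits the TS Gateway related keys so a distributed file cannot quietly bypass the 443-only gateway design; the sample file and its host names are constructed, the key names are the standard RDP-file settings.

```python
# Added example (not from the thread): parse an .rdp file and audit its
# TS Gateway settings. Key names are the standard RDP-file settings;
# the sample below is constructed to mirror the thread's client steps.

# Constructed sample: gateway TSG.domain.com, NTLM (password) logon,
# "connect and don't warn", device redirection left on (assumed values).
SAMPLE_RDP = """\
full address:s:192.0.2.10
gatewayhostname:s:TSG.domain.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
authentication level:i:0
redirectdrives:i:1
redirectclipboard:i:1
"""


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict; 'i' values become int."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)  # value itself may contain ':'
        if len(parts) != 3:
            continue  # blank line or malformed entry
        name, kind, value = parts
        settings[name] = int(value) if kind == "i" else value
    return settings


def audit_rdp(settings):
    """Return findings that weaken the 443-only gateway design."""
    findings = []
    # gatewayusagemethod 1 = always use the gateway; other values can
    # let the client try a direct 3389 connection first
    if settings.get("gatewayusagemethod") != 1 or not settings.get("gatewayhostname"):
        findings.append("gateway not enforced: client may try direct 3389")
    # authentication level 0 = "connect and don't warn" on certificate errors
    if settings.get("authentication level", 2) == 0:
        findings.append("authentication level 0: server certificate errors are ignored")
    # 0 = password (NTLM) as in the thread, 1 = smart card; 4 lets the
    # user pick a credential source later
    if settings.get("gatewaycredentialssource") not in (0, 1):
        findings.append("gateway credential source not pinned to password or smart card")
    if settings.get("redirectdrives") == 1:
        findings.append("drive redirection enabled: home-PC drives exposed to the server")
    return findings


if __name__ == "__main__":
    for finding in audit_rdp(parse_rdp(SAMPLE_RDP)):
        print("finding:", finding)
```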
28th October 2009, 02:11 PM #4
Doing a similar setup at the moment for RemoteApps. Have it all working internally, but waiting for the RFC to be actioned with SWGfL to open up Port 443 only to the TSG Server to see if it all works. (Fingers crossed).
29th October 2009, 01:47 AM #5
It's my week off and I've still ended up with support calls and couldn't stay away from here!
What can I say!
Our provider is YHGFL and to be honest, it has been like pulling teeth!
We have everything sat waiting to run as a pilot but YHGFL insist that this is a mass security breach. On the flip side, the level of web filtering that we have to go to is ridiculous as everything comes through YHGFL so "security" was not a sensible excuse to use......
So, still waiting to get this working sadly! :-(
I've set this up with someone at another site who is sending me hardware performance stats based on usage so I can see what our overall hardware requirements will be on our site according to our user base. Just trying to keep it alive really!
The current plan running around my head is try and get some terminals and plonk them around the site for use in classrooms where basic word processing or internet access is required.
Good work though Albert!
Good luck Pete! I know how you feel!
7th November 2009, 10:59 AM #6
Well, got it working last week. SWGfL sent confirmation of the RFC and we can now access the system via RemoteApps. Quite impressed. Made it clear what it was for and they allowed it with no problems.
The only slight hiccup was that it initially complained that the internal TS Server did not have a certificate and could not be trusted, but the TS Gateway Server has one. A small tweak to the RDC file allowed the connection with just the TS Gateway certificate. Then I just had to change one of the options when making the .MSI to allow this to connect.
We've got a report cycle coming up, which will be within the 120-day grace period for the Terminal Services licensing, to see how the system copes. If it works well then I'll be putting a request in for a new server to host the TS Server and TS Gateway Server on (currently using old servers that I wanted to retire for this initial trial) and getting the licensing sorted out. Writing documentation for the teachers at the moment, and will ensure that those who want access (on a case-by-case basis) meet certain security criteria.
8th November 2009, 09:11 PM #7
That's great news Pete!
Sadly, I still have a week or so to wait for a chap at our LEA to return, and then a few more weeks for some final decisions to be made....
9th November 2009, 04:03 PM #8
Now looking at access for people with Macs at home. It's all theory, but Microsoft do a Remote Desktop Client for the Mac. Hoping they can just install this and I can give them a .RDP file that should find its way through to the server.
29th November 2009, 11:27 PM #9
Thought I'd give an update on this little project....
The report writing cycle was opened up last week and staff were given instructions to see me to arrange remote access. After supplying them with the .MSI and instructions, moving their account into a specific security group and forcing a password change, I'm pleased to say this is looking good.
We're using the 4C Aim High report writing tool, which works quite nicely with RemoteApps. Had to get a bit of assistance getting it installed on 2008 Server as the installer doesn't recognise the OS, but their support provided a solution quite quickly.
Staff who I thought would struggle are getting this up and running with no problems on their home computers. Even got reports from a couple of Mac users that all seems to work nicely. We'll see what comments I get back tomorrow after the weekend.
Last edited by FragglePete; 1st December 2009 at 04:11 PM.
22nd January 2010, 12:54 AM #10
Hi Guys, I hope you can still answer as it's been a few months since the start of this.
I am looking into implementing remote access through a TS 2003 server and the only thing that stopped me was the number of servers. We currently only have one server and thought it wasn't enough. Do I need more than one TS server in order to cope with a large number of users connecting?
Thanks for your advice.
22nd January 2010, 10:06 PM #11
It all depends on the spec of the software, especially the amount of RAM you have installed. I think you're looking at about 30 - 40 users max on standard hardware.
23rd January 2010, 12:20 AM #12
Thanks for your reply Sylv3r - I just wanted to confirm my belief that it wasn't possible to have more than 30 concurrent users on a TS server. The school I work at hired a consultant who is looking into linking two schools' VLE and ICT support provision. He disagreed with me and said that he had set up remote access to a school for all the students (a 700-student school) with one TS server only - no Citrix to do the load balancing or anything else. Which I found strange to believe.
31st January 2010, 02:37 PM #13
I think that the consultant has made quite a bold statement there; however, he could be correct if users just logged in and didn't launch any programs or, at worst, Calculator / Internet Explorer. (Just don't set Calculator to scientific mode.)
What spec is the TS server?
I've been testing a TS Farm with Windows 2008 Server on Quad Core classroom machines with 2Gig of RAM and to be honest, with the optimisations and changes to Terminal Services, it's quite nippy!
I'm making some changes following some of the tests that I've done but I have intentions of getting an ICT class to try it out and put some load on it for the acid test.
I'm a little on the fence with that statement though... Is the server 32 or 64-bit?
2nd February 2010, 04:25 PM #14
Hi, thanks for your reply. The TS server is Windows 2003 R2 32-bit and it's currently used for one ICT classroom with 25 clients. Everybody I spoke to in the past said that without more servers and load balancing of some sort the users would struggle. Any more advice is appreciated.