  1. #1


    Question Terminal Server Gateway deployment best practice

    Hi All,

    I'm about to publish certain servers, available through port 443 (SSL) only, so I need to use the Windows Server 2008 Std. x64 TSG service. In this case, what is the best practice for deploying this infrastructure?

    Do I need to join the TSG to the domain?
    Should I open LDAP port 389 from the DMZ into my local network --> security hole?

    Any help and suggestion would be greatly appreciated.

    Thanks.

  2. #2
    RSoP_Robbers's Avatar
    Hi!
    Have you made any progress on this matter?

    I have currently got a project on the go which works in the sandbox environment. We are simply waiting for clearance / go ahead for the project to go live as well as final tests / preparations.

  3. Thanks to RSoP_Robbers from:

    albertwt (22nd October 2009)

  4. #3


    Cool Final Configuration.

    Hi RSoP

    Finally I was able to access the webserver that I want from the internet using Terminal Server Gateway.

    Here's what I did:

    On the Terminal Server Gateway (open ports 53, 88, 389, 135, 139, 3389; after that only open port 443 to the external and to the webserver):
    1. Join the TSG server to the domain.
    2. Go through the steps in "YouTube - Windows Server 2008 - Installing Terminal Services" (http://www.youtube.com/watch?v=x_0oeiCTTfU).
    3. TS_CAP_01 settings:
       Requirement tab:
         select password for the authentication
         add BUILTIN\Administrators group
       Device Redirection tab:
         Enable device redirection for all devices
    4. TS_RAP_01 settings:
       User groups tab:
         *make the same members as the previous CAP_01 setting*
       Computer group tab:
         select Allow users to connect to any network resources --> because of this I can now secure RDP to the webserver.
       Allowed ports tab:
         select Allow connection through any port --> and this one as well.
    5. Export the certificate as (whatever).cer; this must then be imported into the Trusted Root CA on the client workstation.

    On the DMZ webserver (open only on port 443 after going through these steps):
    1. Join the webserver to the domain.
    2. Go to System Properties | Remote tab and click on Allow connection from computers running....
    3. Click on the Remote users button and add the same user as the previous one in the TSG group (steps 3 and 4).

    On the client:
    1. Import the certificate from TSG.domain.com into the Trusted Root CA location (click on Browse and select the folder).
    2. Run mstsc (remote desktop application).
    3. General tab:
         computer: (webserver IP address) --> due to no DNS being available.
         username: Webserver\Administrator
       Advanced tab:
         select Connect and don't warn me.
         click on Settings:
           select Use these TS Gateway server settings:
           Server name: TSG.domain.com
           Login method: NTLM
         click on OK
       then connect by supplying the local admin password.

  5. Thanks to albertwt from:

    FragglePete (28th October 2009)
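
The client-side steps in post #3 end up as settings in the .rdp file that mstsc saves, so a file can be checked before it is handed out to users. The Python below is an added example, not code from any poster in this thread; the sample file, the 192.0.2.10 address and the finding names are constructed for illustration.

```python
import codecs

# Constructed sample: the client settings from post #3 as mstsc would save them.
# 192.0.2.10 is a placeholder address, not a value from the thread.
SAMPLE_RDP = (
    "full address:s:192.0.2.10\r\n"
    "username:s:Webserver\\Administrator\r\n"
    "authentication level:i:0\r\n"      # "Connect and don't warn me"
    "gatewayhostname:s:TSG.domain.com\r\n"
    "gatewayusagemethod:i:1\r\n"        # "Use these TS Gateway server settings"
    "gatewaycredentialssource:i:0\r\n"  # "Ask for password (NTLM)"
)

def decode_rdp(raw: bytes) -> str:
    """mstsc saves UTF-16 with a BOM; hand-edited files are often UTF-8/ANSI."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines; values of type 'i' become int."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # value may itself contain ':'
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts[0].lower(), parts[1].lower(), parts[2]
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue
        settings[name] = value
    return settings

def audit_rdp(raw: bytes) -> list:
    """Return finding codes for the client settings discussed in the thread."""
    s = parse_rdp(decode_rdp(raw))
    findings = []
    if s.get("authentication level") == 0:
        findings.append("SERVER_AUTH_NOT_ENFORCED")  # certificate errors ignored
    if s.get("gatewayusagemethod", 0) not in (1, 2) or not s.get("gatewayhostname"):
        findings.append("GATEWAY_NOT_USED")  # connection would bypass the TSG
    if str(s.get("username", "")).lower().endswith("\\administrator"):
        findings.append("BUILTIN_ADMIN_LOGON")
    return findings

if __name__ == "__main__":
    print(audit_rdp(SAMPLE_RDP.encode("utf-16")))
```

With the gateway certificate imported on the client as in step 1, `authentication level:i:1` (do not connect if server authentication fails) or `2` (warn) can replace `0` for the gateway leg.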

  6. #4

    Doing a similar setup at the moment for RemoteApps. Have it all working internally, but waiting for the RFC to be actioned with SWGfL to open up Port 443 only to the TSG Server to see if it all works. (Fingers crossed).

    Pete

  7. #5
    RSoP_Robbers's Avatar
    Hiya guys!

    It's my week off and I've still ended up with support calls and couldn't stay away from here!

    What can I say!

    Our provider is YHGFL and to be honest, it has been like pulling teeth!

    We have everything sat waiting to run as a pilot but YHGFL insist that this is a mass security breach. On the flip side, the level of web filtering that we have to go to is ridiculous as everything comes through YHGFL so "security" was not a sensible excuse to use......

    So, still waiting to get this working sadly! :-(

    I've set this up with someone at another site who is sending me hardware performance stats based on usage so I can see what our overall hardware requirements will be on our site according to our user base. Just trying to keep it alive really!

    The current plan running around my head is to try and get some terminals and plonk them around the site for use in classrooms where basic word processing or internet access is required.

    Good work though Albert!

    Good luck Pete! I know how you feel!

  8. #6

    Well, got it working last week. SWGfL sent confirmation of the RFC and can now access the system via RemoteApps. Quite impressed. Made it clear what it was for and they allowed it with no problems.

    Only slight hiccup was the fact that it initially complained that the internal TS Server did not have a certificate and could not be trusted. But the TS Gateway Server has. Small tweak to the RDC file allowed the connection with just the TS Gateway Certificate. Just then had to change one of the options when making the .MSI to allow this to connect.

    We've got a report cycle coming up, which will be within the 120 day grace period for the licencing for Terminal Services to see how the system copes. If it works well then I'll be putting a request in for a new Server to host the TS Server and TS Gate Server on (currently using old servers that I wanted to retire for this initial trial) and getting the licensing sorted out. Writing documentation for the teachers at the moment, and will ensure that those who want access (on a case by case basis) meet certain security criteria.

    Pete

  9. #7
    RSoP_Robbers's Avatar
    That's great news Pete!

    Sadly, I still have a week or so to wait for a chap at our LEA to return to wait a few more weeks for some final decisions to be made....

  10. #8

    Thanks RSoP.

    Now looking at access for people with Macs at home now. It's all theory, but Microsoft doing a Remote Desktop Client for the Mac. Hoping they can just install this and I can give them a .RDP file that should find the way through to the server.

    Pete

  11. #9

    Thought I'd give an update on this little project....

    Report Writing Cycle was opened up last week and staff given instructions to see me to arrange remote access. After supplying them with the .MSI, instructions, moving their account into a specific security group and forcing a password change I'm pleased to say this is looking good.

    We're using the 4C Aim High report writing tool which works quite nicely with RemoteApps. Had to get a bit of assistance getting it installed on 2008 Server as the installer doesn't recognise the OS but their support provided a solution quite quickly.

    Staff who I thought would struggle are getting this up and running with no problems on their home computers. Even got reports from a couple of Mac users that all seems to work nicely. We'll see what comments I get back tomorrow after the weekend.

    Very pleased!

    Pete
    Last edited by FragglePete; 1st December 2009 at 03:11 PM.

  12. #10

    Hi Guys, I hope you can still answer as it's been a few months since the start of this.
    I am looking into implementing remote access through a TS 2003 Server and the only thing that stopped me was the amount of servers. We currently only have one server and thought it wasn't enough. Do I need more than one TS Server in order to cope with a big amount of users connecting?

    Thanks for your advice.

  13. #11

    Sylv3r's Avatar
    Quote Originally Posted by armadillo View Post
    Hi Guys, I hope you can still answer as it's been a few months since the start of this.
    I am looking into implementing remote access through a TS 2003 Server and the only thing that stopped me was the amount of servers. We currently only have one server and thought it wasn't enough. Do I need more than one TS Server in order to cope with a big amount of users connecting?

    Thanks for your advice.
    It all depends on the spec of the software especially the amount of RAM you have installed. I think you're looking at about 30 - 40 users max on standard hardware.

  14. #12

    Quote Originally Posted by Sylv3r View Post
    It all depends on the spec of the software especially the amount of RAM you have installed. I think you're looking at about 30 - 40 users max on standard hardware.

    Thanks for your reply Sylv3r - I just wanted to confirm my belief that it wasn't possible to have more than 30 concurrent users on a TS server. The school I work at hired a consultant who is looking into linking two schools' VLE and ICT support provision. He disagreed with me and said that he had set up remote access to a school for all the students (700 students school) with one TS server only - no Citrix to do the load balancing or anything else. Which I found strange to believe.

  15. #13
    RSoP_Robbers's Avatar
    Quote Originally Posted by armadillo View Post
    Thanks for your reply Sylv3r - I just wanted to confirm my belief that it wasn't possible to have more than 30 concurrent users on a TS server. The school I work at hired a consultant who is looking into linking two schools' VLE and ICT support provision. He disagreed with me and said that he had set up remote access to a school for all the students (700 students school) with one TS server only - no Citrix to do the load balancing or anything else. Which I found strange to believe.
    Hi armadillo,

    I think that the consultant has made quite a bold statement there however, he could be correct if users just logged in and didn't launch any programs or at worst, Calculator / Internet Explorer. (Just don't set Calculator to scientific mode )

    What spec is the TS server?

    I've been testing a TS Farm with Windows 2008 Server on Quad Core classroom machines with 2Gig of RAM and to be honest, with the optimisations and changes to Terminal Services, it's quite nippy!

    I'm making some changes following some of the tests that I've done but I have intentions of getting an ICT class to try it out and put some load on it for the acid test.

    I'm a little on the fence with that statement though......... Is the server 32 or 64bit?

  16. #14

    Quote Originally Posted by RSoP_Robbers View Post
    Hi armadillo,

    I think that the consultant has made quite a bold statement there however, he could be correct if users just logged in and didn't launch any programs or at worst, Calculator / Internet Explorer. (Just don't set Calculator to scientific mode )

    What spec is the TS server?

    I've been testing a TS Farm with Windows 2008 Server on Quad Core classroom machines with 2Gig of RAM and to be honest, with the optimisations and changes to Terminal Services, it's quite nippy!

    I'm making some changes following some of the tests that I've done but I have intentions of getting an ICT class to try it out and put some load on it for the acid test.

    I'm a little on the fence with that statement though......... Is the server 32 or 64bit?
    Hi, thanks for your reply. The TS server is win 2003 R2 32bit and it's currently used for one ICT classroom with 25 clients. Everybody I spoke to in the past said that without more servers and load balancing of some sort the users would struggle. Any more advice is appreciated.

    Thanks
