70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Twelve Implementing Terminal Services and Remote Access
Guide to MCSE
Objectives
– Install and configure Terminal Services
– Describe remote access features and protocols
– Configure security features for remote access

Implementing Terminal Services
Terminal Services: Provides remote access to a server desktop
– Through "thin client" software
– Transmits only the program's user interface (screen updates, keystrokes and mouse input) to the client; the application itself runs on the server
– Centralized control of applications
Remote Desktop for Administration: Enables administrators to connect to a server for administrative purposes
– Disabled by default; no RDP connection is accepted until it is switched on
– Limited to two concurrent remote sessions plus the console, and needs no license server

Enabling Remote Desktop for Administration
Only need to change a single setting on the Remote tab of the System Properties dialog box
– By default, members of the Administrators group can connect via Remote Desktop for Administration
– Other users can be granted access by adding them to the Remote Desktop Users group
– The account must have a password: by default, local accounts with blank passwords are restricted to console logon and are refused over Remote Desktop
Activity 12-1: Enabling and Testing Remote Desktop for Administration
– Objective: Enable and test Remote Desktop for Administration
Figure 12-1: The Remote tab of the System Properties dialog box

Figure 12-2: Entering a user name, password, and domain name for Remote Desktop Connection
Table 12-1: Benefits of Terminal Services
Implementing Terminal Services (continued)
Terminal Services has two major components:
– Terminal server: Computer on which Terminal Services is installed; enables users to run Windows applications remotely
– License server: Computer on which the Terminal Services Licensing service is installed; stores client access license (CAL) tokens for a group of terminal servers and tracks the tokens that have been issued
Implementing Terminal Services Licensing consists of installation and activation

Installing Terminal Services on a terminal server: Installed from the Control Panel's Add or Remove Programs applet (Add/Remove Windows Components)
Activity 12-2: Installing Terminal Services
– Objective: Install Windows Server 2003 Terminal Services
Licensing Service installation: There must be at least one license server on the network for terminal servers to obtain license information
– A terminal server that cannot reach an activated license server issues temporary licenses only, and stops accepting client connections once its 120-day grace period ends
– Installing the terminal server and the Licensing service on the same computer is acceptable, but possibly costly
Figure 12-4: The Terminal Services Licensing model
Licensing Service installation (continued):
– Microsoft maintains the Microsoft Clearinghouse (a certificate authority and licensing clearinghouse) to activate license servers and issue client license key packs
– License servers support several license types, chiefly Terminal Server Device Client Access Licenses (one per connecting device) and Terminal Server User Client Access Licenses (one per user, whatever device is used)
– Can be installed on a workgroup-based server, member server, or domain controller; the choice determines how and when terminal servers discover a license server (a terminal server can also be pointed at a specific license server explicitly)

Licensing Service activation: Use the Activation Wizard in the Terminal Services Licensing tool
– Three connection methods: Automatic connection (recommended), Web browser, Telephone
– When the license server is activated, Microsoft supplies a limited-use digital certificate (an industry-standard X.509 certificate) that validates the server's ownership and identity
– Until it is activated, a license server can issue only temporary licenses
Configuring and Managing Terminal Services
Three tools for Terminal Services administration:
– Terminal Services Manager: Monitors and controls client access to terminal servers
– Terminal Services Configuration: Configures terminal server settings and connections
– Terminal Services Licensing: Stores and tracks Terminal Services client access licenses
Configuring remote connection settings: Configure security and connection-related settings with the Terminal Services Configuration tool (tscc.msc)

Figure 12-6: The Terminal Services Configuration window
Each network interface in a Terminal Services server can be configured with only one Remote Desktop Protocol (RDP) connection (listener)
The most important settings to check when configuring a Terminal Services connection are encryption and authentication
– Available encryption levels:
  Low: 56-bit encryption of client-to-server data only; data sent from the server to the client is not encrypted
  Client Compatible: Strongest level the client supports (40-, 56- or 128-bit RC4); the default, so an old client can negotiate the session down
  High: 128-bit encryption in both directions; clients that cannot do 128-bit are refused
  FIPS Compliant: Only FIPS 140-1 validated algorithms (Triple DES for encryption, SHA-1 for integrity); the strictest choice and the one most likely to refuse older clients
– Encryption protects the session from eavesdropping but, in the standard RDP security of Windows Server 2003, does not authenticate the server to the client; Service Pack 1 added an SSL/TLS security layer with a server certificate for that purpose
– Authentication options on the same connection include Use standard Windows authentication and Always prompt for password, which ignores any password saved in the client

Table 12-3: Property settings for a Terminal Services connection
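The following PowerShell script is an added example, not code from the textbook, that performs the checks these two slides describe against a Windows Server 2003 host: whether Remote Desktop is enabled (the Remote tab setting from Activity 12-1), who is in Remote Desktop Users, and the RDP-Tcp listener's minimum encryption level, which it raises to High when it finds Low or Client Compatible. It assumes Windows PowerShell is installed and runs with administrative rights on the host. The fDenyTSConnections value and the Win32_TSGeneralSetting WMI class are the real settings behind the dialogs; the level-name table and the messages are the example's own. Steps 3 and 4 apply to Windows Server 2003 only, since Windows XP has no Terminal Services WMI provider.

```powershell
# Added example (not from the textbook): audit and harden the RDP-Tcp listener on a
# Windows Server 2003 host. Run elevated on the host itself.

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Remote Desktop for Administration: fDenyTSConnections = 1 means disabled (the default).
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) {
    Write-Host 'Remote Desktop is disabled; enabling it (same effect as the Remote tab check box).'
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0
} else {
    Write-Host 'Remote Desktop is already enabled.'
}

# 2. Who may connect: Administrators always can; everyone else needs Remote Desktop Users.
#    Review this list, because every member is a candidate for remote control of the server.
Write-Host 'Members of Remote Desktop Users:'
net localgroup "Remote Desktop Users"

# 3. Minimum encryption level of the RDP-Tcp listener, read through the Terminal Services
#    WMI provider. 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant.
$levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting |
            Where-Object { $_.TerminalName -eq 'RDP-Tcp' }
$current = [int]$listener.MinEncryptionLevel
Write-Host ('RDP-Tcp MinEncryptionLevel = {0} ({1})' -f $current, $levelNames[$current])

# 4. Low leaves server-to-client data unencrypted and Client Compatible lets a 40-bit client
#    negotiate down, so raise anything below High. FIPS (4) is stricter still but refuses
#    clients that cannot do 3DES/SHA-1, so it is left as a deliberate choice.
if ($current -lt 3) {
    # PolicySourceMinEncryptionLevel = 1 means Group Policy owns the setting; change the GPO instead.
    if ($listener.PolicySourceMinEncryptionLevel -eq 1) {
        Write-Warning 'Encryption level is set by Group Policy; edit the policy rather than the listener.'
    } else {
        $result = $listener.SetEncryptionLevel(3)
        if ($result.ReturnValue -eq 0) { Write-Host 'Raised RDP-Tcp encryption to High.' }
        else { Write-Warning ('SetEncryptionLevel failed, return code {0}' -f $result.ReturnValue) }
    }
}
```

The change takes effect for new connections only; sessions already open keep the level they negotiated. The same four values can be set per connection in the Terminal Services Configuration tool (General tab, Encryption level) for servers without PowerShell.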
Activity 12-3: Exploring Terminal Services Settings
– Objective: Explore Terminal Services settings
Using Terminal Services Manager: View and manage terminal servers in the Active Directory forest
– Monitor users, sessions, and applications
– Carry out administrative tasks (send a message, remote control, disconnect, log off, reset a session, end a process)
– Three tabs in the Terminal Services Manager window: Users, Sessions, and Processes

Using Terminal Services Manager (continued):
– Users tab: User name, session, state of the connection, idle time and logon (connection) time
– Sessions tab: Displays user session information
– Processes tab: Information about applications running in a user's session
– Session types: User (an RDP client session), Console (the physical console), Listener (the RDP-Tcp listener waiting for new connections), Idle (sessions created in advance so the next connections start quickly)
– The same actions are available from the command line (query session, query user, msg, tsdiscon, logoff, reset session, tskill), which matters when you must cut off a session quickly from another session or a script

Table 12-4: Terminal Services Manager actions
Terminal Services Client Software
After Terminal Services is installed, the client software packages are automatically added to %systemroot%\System32\Clients\Tsclient\Win32
– Contains the files for installing the Remote Desktop Connection (RDC) software
– Client software is provided as both an MSI file and a Win32 executable
– Recommended installation method is to share the %systemroot%\System32\Clients\Tsclient\Win32 folder and initiate installation over the network manually or via Group Policy software deployment (the MSI is the package Group Policy deploys)
– Windows XP already includes Remote Desktop Connection (mstsc.exe); the package is for earlier Windows clients

Installing Applications
Applications must be installed so that they run correctly for multiple users who access them simultaneously
– Might need to reinstall applications that were installed before Terminal Services was enabled
– On a terminal server, applications should be installed only in install mode (change user /install, or Add or Remove Programs, which switches modes for you), then switch back with change user /execute; install mode records per-user registry and .ini changes so that each user later gets a private copy instead of sharing the installer's

Configuring Terminal Services User Properties
Terminal Services adds four tabs to the Properties dialog boxes of user accounts:
– Terminal Services Profile: Allow logon to terminal server, plus a Terminal Services-specific profile path and home folder
– Remote Control: Configure whether the user's session can be viewed or controlled, and whether the user must consent first
– Sessions: Set maximum session time, idle limits, and disconnect or end-session options
– Environment: Configure a program to run automatically when the user connects (the user gets that program only, not a desktop) and whether client drives and printers are connected
Troubleshooting Terminal Services
Tips/guidelines for troubleshooting:
– If a user is unable to log on, ensure the client software settings are correct and the Allow logon to terminal server option is set for the account (and that the user is in Remote Desktop Users or otherwise holds the Allow log on through Terminal Services user right)
– If a connection is refused, ensure the client meets the server's RDP encryption requirements (a High or FIPS Compliant listener rejects clients that cannot negotiate that level)
– If all users are unable to log on, ensure the RDP-Tcp connection is enabled, and that a license server is reachable and activated
– Each network interface can be configured with only one RDP connection to the network

Tips/guidelines for troubleshooting (continued):
– If several users require sessions on an RDP connection, might need to increase the number of sessions available (Maximum connections on the connection's Network Adapter tab)
– If applications don't run, might need to relax application security settings (Permission Compatibility in Server Settings: Full Security vs Relaxed Security); prefer granting the application's own folders and keys the permissions it needs, because Relaxed Security gives every user write access to system locations
– Must have administrative rights on the terminal server to manage and troubleshoot Terminal Services
Implementing Remote Access
Remote access: Connecting to another computer or network using a public carrier (the telephone network or the Internet)
– Useful when used with Terminal Services: a slow link carries only screen updates and keystrokes, not file-sharing traffic
– Accomplished in two ways: direct dial-up, or a virtual private network (VPN) over the Internet

Dial-up Remote Access
Computers connect and transfer information using modems and a phone line
– When a connection is created between a dial-up client and server, the modems act like NICs, allowing the client to access resources on the network
– Easy availability (any phone line will do)
– Example: Accessing the Internet by dialing in to an ISP
IP address management: When clients connect to a Windows Server 2003 remote access server, they are assigned an IP address
– From DHCP (the RRAS server obtains addresses from the DHCP server in blocks of ten and hands them to clients) or from a static pool of IP addresses configured on the RRAS server

Figure 12-16: Using DHCP for the IP address configuration of a remote access client
Enabling and configuring a dial-up server: Use the Routing and Remote Access Service (RRAS) to enable and configure dial-up servers and clients
– Must enable RRAS (it is installed with Windows Server 2003 but disabled until configured)
– Must configure the Telephony Application Programming Interface (TAPI)
– Must ensure the modem(s) are installed and properly configured
– Enable RRAS for dial-up connections using the Routing and Remote Access snap-in in Windows Server 2003

Activity 12-4: Installing a Modem
– Objective: Perform the steps necessary to install a modem on a Windows Server 2003 or XP system
Activity 12-5: Enabling RRAS as a Dial-up Server
– Objective: Configure RRAS on your server to act as a dial-up server
Dial-up security: User name and password are the basis for remote access security
– Only designated users are allowed to connect (the account's dial-in permission together with remote access policies)
– Callback: the server hangs up and dials the user back; when the administrator sets the callback number, a stolen password alone is useless from any other phone line (callback to a number set by the caller gives no such protection)
– Prefer MS-CHAP v2 or EAP over PAP and CHAP: PAP sends the password in clear text, and MPPE data encryption is only available with MS-CHAP, MS-CHAP v2 or EAP-TLS

Figure 12-20: Dial-up security options
Dial-up protocols: Dial-up connections require different protocols than LAN connections
– Serial Line Internet Protocol (SLIP): Rarely used; carries IP only, has no authentication or encryption of its own, and is supported by Windows Server 2003 only as a client, not as a server
– Point-to-Point Protocol (PPP): Used by default; can automatically configure clients with IP address information, supports multiple LAN protocols (TCP/IP, IPX, AppleTalk), supports scripted logon processes, and negotiates the authentication method (PAP, CHAP, MS-CHAP, MS-CHAP v2 or EAP)
– PPP Multilink Protocol (PPP-MP): Enables combination of multiple remote access links into one logical connection; Bandwidth Allocation Protocol (BAP) adds and drops links on demand
– Both LAN and dial-up network protocols need to be considered when configuring Windows Server 2003 as a remote access server
Activity 12-6: Creating a Dial-up Connection
– Objective: Configure your client to make a dial-up connection to an RRAS server
VPN Remote Access
Virtual private network (VPN): Creates a private connection between two entities across the Internet
– Advantages over dial-up: ease of setup, speed, encryption; the client needs only Internet access, so no modem pool or long-distance calls
– Requires a protocol to create a secure "tunnel" for delivering TCP/IP packets across the Internet:
  Point-to-Point Tunneling Protocol (PPTP)
  Layer Two Tunneling Protocol (L2TP)
– Both carry PPP frames inside the tunnel, so the PPP authentication methods and IP address assignment described for dial-up apply unchanged

Figure 12-22: Initiating a VPN connection across the Internet
PPTP: Uses Microsoft Point-to-Point Encryption (MPPE), RC4 with 40-, 56- or 128-bit keys derived from the PPP authentication exchange
– Easy to configure (no certificates required)
– Works across NAT routers, provided the NAT passes GRE (IP protocol 47), which carries the tunneled data; TCP port 1723 carries the control channel
– Does not authenticate the tunnel endpoints or individual packets: security rests entirely on the PPP user authentication, so PPTP is only as strong as MS-CHAP v2 or EAP-TLS and there is no per-packet integrity check
L2TP: More secure than PPTP
– Harder to configure (computer certificates or a preshared key on both ends)
– Works in conjunction with IPSec (L2TP over IPSec: UDP port 1701 carried inside ESP); L2TP itself provides no encryption
– Performs computer-level authentication of both endpoints and per-packet integrity checking, in addition to PPP user authentication
– Limited support for traversing NAT routers: ESP does not survive address translation unless both ends support IPSec NAT Traversal (NAT-T, UDP port 4500)

IP Security (IPSec): Negotiates a secure, encrypted communications link between client and server
– Internet Key Exchange (IKE) authenticates the two peers and derives the symmetric session keys; public and private keys are used only when the peers authenticate with certificates, never for the bulk encryption itself
– Two modes: Transport mode protects the payload between the two communicating hosts and keeps the original IP header (this is the mode L2TP/IPSec uses); Tunnel mode wraps the whole original IP packet inside a new IP packet, typically between two gateways for site-to-site links
– IPSec policies govern how the system communicates through TCP/IP (which traffic must, may, or must not be protected)
– Three sample IPSec policies ship with Windows XP and Windows Server 2003: Client (Respond Only), Server (Request Security), and Secure Server (Require Security); only one policy can be assigned to a computer at a time

IP Security (continued):
– Supports three authentication methods: Kerberos version 5 (default and preferred; requires both peers to be domain members), public key certificate (needed for L2TP/IPSec clients outside the domain), and preshared key (least secure: a shared secret stored in plain text in the policy, suitable for testing only)
Configuring a VPN remote access server: The remote access server is configured with five PPTP ports and five L2TP ports by default; the number is changed in the Ports properties of the RRAS console and sets the maximum number of simultaneous VPN connections of each type
Activity 12-7: Configuring a Remote Access Server
– Objective: Configure remote access server settings

Figure 12-23: Default VPN ports

Table 12-5: RRAS authentication methods
Remote Access Security
Allowing remote access to Windows XP via a dial-in or VPN (incoming) connection:
– The user's account must be selected on the Users tab of the Incoming Connections properties; this list is separate from Remote Desktop Users, which governs RDP logon only
– Windows XP accepts only one incoming VPN connection at a time
Remote access policies: Stored on each remote access server
– Policies applied to users can vary depending on which server the user connects to, unless the servers are RADIUS clients of a central Internet Authentication Service (IAS) server, which then holds one policy set for all of them
– Evaluation order matters: the first policy whose conditions all match decides; the account's Dial-in permission (Allow or Deny) overrides that policy's own permission, and Control access through Remote Access Policy defers to it; the profile of the matching policy is then enforced, and a connection that does not meet it is rejected rather than passed to the next policy
Activity 12-8: Creating a Remote Access Policy
– Objective: Create a new remote access policy on your remote access server
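The PowerShell script below is an added example, not part of the textbook, that models how an RRAS server walks its remote access policies for an incoming call, so that the ordering and override rules described above can be tried against sample accounts. The policies, user accounts and connection attempts are constructed for the example; real policy conditions (Windows-Groups, Tunnel-Type, NAS-Port-Type and so on) and profile settings are richer than the two or three attributes modeled here, but the evaluation order shown is the one RRAS follows.

```powershell
# Added example (not from the textbook): a model of RRAS remote access policy evaluation.
# Policies are listed in console order. All Conditions must match; Permission is the
# policy's own Grant/Deny; Profile holds constraints enforced after access is granted.
$policies = @(
    @{ Name = 'VPN admins'
       Conditions = @{ Group = 'VPN-Admins'; Tunnel = 'L2TP' }
       Permission = 'Grant'
       Profile = @{ Auth = @('MS-CHAPv2', 'EAP-TLS'); Encryption = 'Strongest' } },
    @{ Name = 'Staff dial-in'
       Conditions = @{ Group = 'Staff'; Tunnel = 'Dialup' }
       Permission = 'Grant'
       Profile = @{ Auth = @('MS-CHAPv2'); Encryption = 'Basic' } },
    @{ Name = 'Deny everyone else'       # catch-all: no conditions, so it always matches
       Conditions = @{}
       Permission = 'Deny'
       Profile = @{} }
)

function Test-RemoteAccess {
    param($User, $Connection)
    foreach ($policy in $policies) {
        # Step 1: do all of the policy's conditions match this user and connection?
        $allMatch = $true
        foreach ($key in $policy.Conditions.Keys) {
            $want = $policy.Conditions[$key]
            if ($key -eq 'Group') { $ok = $User.Groups -contains $want }
            else                  { $ok = $Connection[$key] -eq $want }
            if (-not $ok) { $allMatch = $false; break }
        }
        if (-not $allMatch) { continue }       # try the next policy in order

        # Step 2: the first matching policy decides. The account's Dial-in tab wins when it
        # says Allow or Deny; 'Policy' (Control access through Remote Access Policy) defers
        # to the policy's own permission.
        if ($User.DialIn -eq 'Allow')    { $decision = 'Grant' }
        elseif ($User.DialIn -eq 'Deny') { $decision = 'Deny' }
        else                             { $decision = $policy.Permission }
        if ($decision -eq 'Deny') { return "Rejected by policy '$($policy.Name)'" }

        # Step 3: profile constraints are enforced here; a mismatch rejects the call
        # outright, it does not fall through to a later policy.
        $allowed = $policy.Profile.Auth
        if ($allowed -and ($allowed -notcontains $Connection.Auth)) {
            return "Rejected: '$($policy.Name)' requires $($allowed -join '/'), client offered $($Connection.Auth)"
        }
        return "Accepted by '$($policy.Name)' (encryption: $($policy.Profile.Encryption))"
    }
    return 'Rejected: no policy matched'
}

# Constructed accounts: Groups is group membership, DialIn is the account's Dial-in tab.
$alice = @{ Name = 'alice'; Groups = @('Staff', 'VPN-Admins'); DialIn = 'Policy' }
$bob   = @{ Name = 'bob';   Groups = @('Staff');               DialIn = 'Deny' }
$carol = @{ Name = 'carol'; Groups = @('Contractors');         DialIn = 'Allow' }

Test-RemoteAccess $alice @{ Tunnel = 'L2TP';   Auth = 'MS-CHAPv2' }  # matches the first policy
Test-RemoteAccess $alice @{ Tunnel = 'PPTP';   Auth = 'MS-CHAPv2' }  # no PPTP policy: lands on the catch-all
Test-RemoteAccess $bob   @{ Tunnel = 'Dialup'; Auth = 'MS-CHAPv2' }  # account Deny overrides the Grant policy
Test-RemoteAccess $alice @{ Tunnel = 'Dialup'; Auth = 'PAP' }        # policy matches, its profile refuses PAP
Test-RemoteAccess $carol @{ Tunnel = 'L2TP';   Auth = 'MS-CHAPv2' }  # account Allow passes even the Deny catch-all
```

The last call is the case worth remembering: an account whose Dial-in tab says Allow gets in through a Deny catch-all policy, because the account setting overrides the policy permission and the catch-all's empty profile imposes nothing. Setting accounts to Control access through Remote Access Policy keeps the decision in the policies, where it can be audited in one place.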
Activity 12-9: Creating a Client VPN Connection
– Objective: Create a client VPN connection and then test it
Windows XP Internet Connection Firewall (ICF): Protects network connections from unwanted traffic
– Stateful firewall: it records outbound connections and admits only inbound packets that answer them
– Configured by default to block most incoming traffic; it does not filter outbound traffic at all
– Can be configured to allow specific types of inbound traffic (services) without an internal request, by port, optionally forwarded to another host on the LAN
– Enabled per connection and off by default before Windows XP SP2, so it must be turned on explicitly for every interface exposed to the Internet, dial-up and VPN connections included

Figure 12-32: The Services tab of the Advanced Settings dialog box

ICF (continued):
– Can log dropped packets and successful outbound connections to %systemroot%\pfirewall.log (Security Logging tab); logging is off by default, so enable it before you need the evidence
Activity 12-10: Configuring ICF
– Objective: Configure a dial-up network connection (Internet) as a firewall
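The following PowerShell script is an added example, not from the textbook, showing what the dropped-packet log is good for: it pulls the DROP entries out of an ICF log and groups them by source address so that a port scan stands out from background noise. The log text is constructed for the example in the W3C layout ICF writes to %systemroot%\pfirewall.log, using documentation addresses; the parser takes the column names from the #Fields header rather than hard-coding them, so it also copes with a file whose field list differs. It assumes Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the textbook): summarize dropped inbound packets from an ICF log.
# The lines below are constructed sample data in the pfirewall.log format.
$sampleLog = @'
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-03-01 10:15:22 DROP TCP 203.0.113.5 192.0.2.10 4455 135 48 S 1234567 0 65535 - - -
2004-03-01 10:15:23 DROP TCP 203.0.113.5 192.0.2.10 4456 139 48 S 1234568 0 65535 - - -
2004-03-01 10:15:24 DROP TCP 203.0.113.5 192.0.2.10 4457 445 48 S 1234569 0 65535 - - -
2004-03-01 10:15:30 DROP UDP 198.51.100.7 192.0.2.10 1026 1434 404 - - - - - - -
2004-03-01 10:16:01 OPEN TCP 192.0.2.10 198.51.100.20 1071 80 0 - - - - - - -
2004-03-01 10:16:05 DROP TCP 203.0.113.5 192.0.2.10 4458 3389 48 S 1234570 0 65535 - - -
'@

function Get-FirewallDrops {
    param([string]$LogText)
    $fields = $null
    foreach ($raw in $LogText.Split("`n")) {
        $line = $raw.Trim()
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim().Split(' ')   # column names come from the log itself
            continue
        }
        if ($line -eq '' -or $line.StartsWith('#') -or $null -eq $fields) { continue }
        $cols = $line.Split(' ')
        $rec = @{}
        for ($i = 0; $i -lt $fields.Length -and $i -lt $cols.Length; $i++) {
            $rec[$fields[$i]] = $cols[$i]
        }
        if ($rec['action'] -eq 'DROP') { New-Object PSObject -Property $rec }
    }
}

$drops = Get-FirewallDrops $sampleLog

# One source probing 135, 139, 445 and 3389 within seconds is a scan for Windows services;
# the single UDP 1434 (SQL Server resolution) probe from another host is a separate event.
$drops | Group-Object 'src-ip' | Sort-Object Count -Descending | ForEach-Object {
    $ports = ($_.Group | ForEach-Object { $_.'dst-port' }) -join ', '
    '{0,-15} {1,2} dropped  dst ports: {2}' -f $_.Name, $_.Count, $ports
}
```

Against a real file, replace $sampleLog with Get-Content "$env:SystemRoot\pfirewall.log" -Raw (or join the lines) and run it on a schedule; because ICF does not log anything until Log dropped packets is ticked, an empty result on an Internet-facing host usually means logging is off rather than that nothing was blocked.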
Sharing Internet Connections
Internet proxy service: A proxy server acts as an intermediary between the internal network and the Internet
– Clients send their requests to the proxy, which fetches the content on their behalf, so internal addresses are never exposed; the proxy can also cache content and filter destinations
Windows XP Internet Connection Sharing (ICS): Used to share a single network connection with a small group of networked computers
– The computer essentially becomes a limited DHCP server (a DHCP allocator), together with a DNS proxy and a NAT router for the private side
Activity 12-11: Configuring ICS
– Objective: Configure Windows XP Professional to share an Internet connection with other computers on a network

Figure 12-36: Using a proxy server

Configuring ICS:
– On-demand dialing (the shared connection is dialed automatically when a client sends Internet-bound traffic)
– Define internal services accessible to external users (inbound port mappings forwarded to a host on the LAN)
– By default, allows access to L2TP, PPTP, and IKE (IPSec) resources; access to other resources can be enabled
– Every service exposed this way is a hole through the NAT, so enable only what is needed and run ICF on the shared (public) interface
– Do not use on networks with domain controllers, DNS servers, gateway systems, DHCP servers, or with clients that must have static IP addresses (ICS takes over address assignment and routing for the whole subnet)

Configuring ICS (continued):
– ICS troubleshooting tasks:
  Verify the shared connection is active and functioning
  Verify that other clients can reach your system over the network
  Make sure the computer hosting ICS has the IP address 192.168.0.1 with a mask of 255.255.255.0 on its LAN interface (the fixed address ICS assigns to its private side; changing it breaks the DHCP allocator)
  Ensure ICS client computers are set to obtain IP address information automatically

Windows Server 2003 Network Address Translation (NAT)
Figure 12-38: NAT routing
Summary
– Terminal Services is a Windows Server 2003 feature that allows users to connect to and run applications on a Windows Server 2003 system from their desktops as though they were sitting at the server console
– Remote Desktop for Administration is a Windows Server 2003 feature that allows an administrator to connect to servers remotely for administrative purposes
– Terminal Services (in application server mode) requires that the Licensing service be installed and activated
– Terminal Services Manager can be used to monitor user connection information and the status of the terminal server
– Remote access dial-in protocols include PPP and SLIP
– Remote access security includes granting dial-in permission on user accounts and through remote access policies, choosing a strong authentication protocol, and setting callback security options
– VPN tunneling protocols include PPTP and L2TP (the latter secured by IPSec)
– Internet Connection Firewall is used to protect systems against unwanted traffic from the Internet or untrusted network connections
– Proxy servers work directly with Web browsers to share Internet access through the proxy service
– Internet Connection Sharing can be used in Windows XP to share a single ISP link with a small network
– Network Address Translation (NAT), configured through RRAS, can be used on a Windows Server 2003 system to provide Internet access to clients