
1 70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Twelve Implementing Terminal Services and Remote Access

2 Guide to MCSE 70-270, 70-290
Objectives
Install and configure Terminal Services
Describe remote access features and protocols
Configure security features for remote access

3 Implementing Terminal Services
Terminal Services: Provides remote access to a server desktop
–Through “thin client” software
–Transmits only program’s user interface to client
–Centralized control of applications
Remote Desktop for Administration: Enables administrators to connect to a server for administrative purposes
–Disabled by default

4 Enabling Remote Desktop for Administration
Only need to change a single setting in System Properties dialog box
–By default, Administrators group members can connect via Remote Desktop for Administration
  Can grant other users access
Activity 12-1: Enabling and Testing Remote Desktop for Administration
–Objective: Enable and test Remote Desktop for Administration

5 Enabling Remote Desktop for Administration (continued)
Figure 12-1: The Remote tab of the System Properties dialog box

6 Enabling Remote Desktop for Administration (continued)
Figure 12-2: Entering a user name, password, and domain name for Remote Desktop Connection

7 Implementing Terminal Services
Table 12-1: Benefits of Terminal Services

8 Implementing Terminal Services (continued)
Terminal Services has 2 major components:
–Terminal server: Computer on which Terminal Services installed
  Enables users to remotely run Windows applications
–License server: Computer on which Terminal Services Licensing service installed
  Stores client access license (CAL) tokens for group of terminal servers
  Tracks license tokens that have been issued
Implementing Terminal Services Licensing consists of installation and activation

9 Implementing Terminal Services (continued)
Installing Terminal Services on a Terminal Server: Installed from Control Panel’s Add or Remove Programs applet
Activity 12-2: Installing Terminal Services
–Objective: Install Windows Server 2003 Terminal Services
Licensing Service Installation: Must be at least one license server on network for Terminal Services to obtain license information
–Installing terminal server and Licensing service on same computer is acceptable, but possibly costly

10 Implementing Terminal Services (continued)
Figure 12-4: The Terminal Services Licensing model

11 Implementing Terminal Services (continued)
Licensing Service Installation (continued):
–Microsoft maintains Microsoft Certificate Authority and Licensing Clearinghouse to activate license servers and issue client license key packs
–License servers support many types of licenses
  Terminal Server Device Client Access Licenses
  Terminal Server User Client Access Licenses
–Can be installed on workgroup-based server, member server, or domain controller
  Choice determines how and when terminal servers find a license server

12 Implementing Terminal Services (continued)
Licensing Service Activation: Use Activation Wizard in Terminal Services Licensing tool
–Three connection methods:
  Automatic connection (recommended)
  Web Browser
  Telephone
–When license server activated, Microsoft supplies limited-use digital certificate to validate server ownership and identity
  X.509 industry-standard certificate

13 Configuring and Managing Terminal Services
Three tools for Terminal Services administration:
–Terminal Services Manager: Monitors and controls client access to terminal servers
–Terminal Services Configuration: Configures terminal server settings and connections
–Terminal Services Licensing: Stores and tracks Terminal Services client access licenses
Configuring Remote Connection Settings: Configure security and connection-related settings with Terminal Services Configuration tool

14 Configuring and Managing Terminal Services (continued)
Figure 12-6: The Terminal Services Configuration window

15 Configuring and Managing Terminal Services (continued)
Each network interface in Terminal Services server can be configured with only one Remote Desktop Protocol (RDP) connection
Most important settings to be checked when configuring a Terminal Services connection are encryption and authentication
–Available encryption options include:
  Low
  Client Compatible
  High
  FIPS Compliant
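
The encryption level listed on slide 15 is stored per RDP connection in the `MinEncryptionLevel` registry value (1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant), so it can be checked across several terminal servers from saved `reg query` output. The script below is an added example, not part of the original presentation; the function names, the `# host:` marker lines, the sample capture and the choice of High as the minimum acceptable level are assumptions of this example.

```python
import re

# MinEncryptionLevel values for an RDP connection, named as on the slide.
ENCRYPTION_LEVELS = {1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS Compliant"}
DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

# Constructed sample: `reg query` output saved from two hypothetical servers,
# each capture preceded by a "# host:" marker line added by the collector.
SAMPLE = r"""
# host: TS01
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    MinEncryptionLevel    REG_DWORD    0x2
    PortNumber    REG_DWORD    0xd3d

# host: TS02
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    MinEncryptionLevel    REG_DWORD    0x4
"""


def parse_capture(text):
    """Return a list of (host, key_path, {value_name: int}) records."""
    records, host, values = [], "unknown", None
    for line in text.splitlines():
        if line.startswith("# host:"):
            host = line.split(":", 1)[1].strip()
        elif line.startswith("HKEY_"):
            values = {}
            records.append((host, line.strip(), values))
        elif values is not None:
            match = DWORD_LINE.match(line)
            if match:
                values[match.group(1)] = int(match.group(2), 16)
    return records


def audit_encryption(text, minimum=3):
    """Flag RDP connections whose encryption level is below `minimum`."""
    findings = []
    for host, path, values in parse_capture(text):
        if not path.lower().endswith("\\winstations\\rdp-tcp"):
            continue  # only the RDP-Tcp connection key is of interest here
        level = values.get("MinEncryptionLevel")
        if level is None:
            findings.append((host, "MinEncryptionLevel missing from capture"))
        elif level < minimum:
            name = ENCRYPTION_LEVELS.get(level, "unknown value %d" % level)
            findings.append((host, "%s (below %s)" % (name, ENCRYPTION_LEVELS[minimum])))
    return findings


if __name__ == "__main__":
    for host, problem in audit_encryption(SAMPLE):
        print(host, problem)
```

A connection left at Client Compatible negotiates down to whatever the client supports, which is why the example treats anything below High as a finding.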

16 Configuring and Managing Terminal Services (continued)
Table 12-3: Property settings for a Terminal Services connection

17 Configuring and Managing Terminal Services (continued)
Activity 12-3: Exploring Terminal Services Settings
–Objective: Explore Terminal Services settings
Using Terminal Services Manager: View and manage terminal servers in Active Directory forest
–Monitor users, sessions, and applications
–Carry out administrative tasks
–Three tabs in Terminal Services Manager Window: Users, Sessions, and Processes

18 Configuring and Managing Terminal Services (continued)
Using Terminal Services Manager (continued):
–Users tab: Name, connection time, state of user connection
–Sessions tab: Displays user session information
–Processes tab: Information about applications running in user’s session
–Session types:
  User
  Console
  Listener
  Idle

19 Configuring and Managing Terminal Services (continued)
Table 12-4: Terminal Services Manager actions

20 Configuring and Managing Terminal Services (continued)
Table 12-4 (continued): Terminal Services Manager actions

21 Terminal Services Client Software
After Terminal Services installed, client software packages automatically added to %systemroot%\System32\Clients\Tsclient\Win32
–Contains files for installing RDC software
–Client software provided as both MSI file and Win32 executable
–Recommended installation method is to share %systemroot%\System32\Clients\Tsclient\Win32 folder
  Initiate installation over network manually or via group policies for software deployment

22 Installing Applications
Applications must be installed in compatible mode for multiple users to access them simultaneously
–Might need to reinstall some applications
On terminal server, software applications should be installed only in install mode

23 Configuring Terminal Services User Properties
Terminal Services adds four tabs to Properties dialog boxes of user accounts:
–Terminal Services Profile: Enable user as Terminal Services client
–Remote control: Configure remote control properties for user account
–Sessions: Set max session time and disconnect options
–Environment: Configure programs to run automatically when user connects

24 Troubleshooting Terminal Services
Tips/Guidelines for troubleshooting:
–If user unable to log on, ensure client software settings correct and Allow logon to terminal server option set
–If connection refused, ensure client meets server’s RDP encryption requirements
–If all users unable to log on, ensure connection enabled
–Each network interface can be configured with only one RDP connection to the network

25 Troubleshooting Terminal Services (continued)
Tips/Guidelines for troubleshooting (continued):
–If several users require sessions on RDP connection, might need to increase number of sessions available
–If applications don’t run, might need to relax application security settings
–Must have administrative rights on terminal server to manage and troubleshoot Terminal Services

26 Implementing Remote Access
Remote access: Connecting to another computer or network using a public carrier
–Useful when used with Terminal Services
Accomplished in two ways:
–Direct dial-up
–Virtual private network (VPN) over Internet

27 Dial-up Remote Access
Computers connect and transfer information using modems and a phone line
–When connection created between dial-up client and server, modems act like NICs
  Allowing client to access resources on network
–Easy availability
–Example: Accessing Internet by dialing into an ISP
IP Address Management: When clients connect to Windows Server 2003 remote access server, assigned an IP address
–DHCP or static pool of IP addresses

28 Dial-up Remote Access (continued)
Figure 12-16: Using DHCP for the IP address configuration of a remote access client

29 Dial-up Remote Access (continued)
Enabling and Configuring a Dial-up Server: Use Routing and Remote Access Service (RRAS) to enable and configure dial-up servers and clients
–Must enable RRAS
–Must configure Telephony Application Programming Interface (TAPI)
–Must ensure modem(s) installed and properly configured
–Enable RRAS for dial-up connections
  Using the Routing and Remote Access snap-in in Windows Server 2003

30 Dial-up Remote Access (continued)
Activity 12-4: Installing a Modem
–Objective: Perform the steps necessary to install a modem on a Windows Server 2003 or XP system
Activity 12-5: Enabling RRAS as a Dial-up Server
–Objective: Configure RRAS on your server to act as a dial-up server
Dial-up Security: User name and password are basis for remote access security
–Only designated users allowed to connect

31 Dial-up Remote Access (continued)
Figure 12-20: Dial-up security options

32 Dial-up Remote Access (continued)
Dial-up Protocols: Dial-up connections require different protocols than LAN connections
–Serial Line Internet Protocol (SLIP): Rarely used
–Point-to-Point Protocol (PPP): Used by default
  Can automatically configure clients with IP address information
  Can support multiple LAN protocols
  Can provide for scripting logon processes
PPP Multilink Protocol (PPP-MP): Enables combination of multiple remote access links into one logical connection

33 Dial-up Remote Access (continued)
Dial-up Protocols (continued):
–Both LAN and dial-up network protocols need to be considered when configuring Windows Server 2003 as a remote access server
Activity 12-6: Creating a Dial-up Connection
–Objective: Configure your client to make a dial-up connection to an RRAS server

34 VPN Remote Access
Virtual private network (VPN): Creates private connection between two entities across Internet
–Advantages over dial-up:
  Ease of setup
  Speed
  Encryption
Requires protocol to create secure “tunnel” for delivering TCP/IP packets across Internet
–Point-to-Point Tunneling Protocol (PPTP)
–Layer Two Tunneling Protocol (L2TP)

35 VPN Remote Access (continued)
Figure 12-22: Initiating a VPN connection across the Internet

36 VPN Remote Access (continued)
PPTP: Uses Microsoft Point-to-Point Encryption (MPPE)
–Easy to configure
–Works across NAT routers
–Does not authenticate
L2TP: More secure than PPTP
–Harder to configure
–Works in conjunction with IPSec
–Performs authentication
–Limited support for traversing NAT routers

37 VPN Remote Access (continued)
IP Security (IPSec): Negotiates secure encrypted communications link between client and server
–Through public and private encryption keys
–Two modes:
  Transport: Links between any two systems on network
  Tunneling: Only links between two specific systems
–IPSec policies govern how system communicates through TCP/IP
–Three sample IPSec policies given by Windows XP: Client (Respond Only), Server (Request Security), and Secure Server (Require Security)

38 VPN Remote Access (continued)
IP Security (continued):
–Supports three types of authentication methods:
  Kerberos version 5 (default and preferred)
  Public key certificate
  Preshared key (least secure)
Configuring a VPN Remote Access Server: Remote access server automatically configured for five PPTP ports and five L2TP ports
Activity 12-7: Configuring a Remote Access Server
–Objective: Configure remote access server settings

39 VPN Remote Access (continued)
Figure 12-23: Default VPN ports

40 VPN Remote Access (continued)
Table 12-5: RRAS authentication methods

41 Remote Access Security
Allowing Remote Access to Windows XP: Via dial-in or VPN connection
–User’s name must be added to Remote Desktop Users list
Remote Access Policies: Stored on each remote access server
–Policies applied to users can vary depending on server to which user connects
Activity 12-8: Creating a Remote Access Policy
–Objective: Create a new remote access policy on your remote access server

42 Remote Access Security (continued)
Activity 12-9: Creating a Client VPN Connection
–Objective: Create a client VPN connection and then test it
Windows XP Internet Connection Firewall (ICF): Protect network connections from unwanted traffic
–Stateful firewall
–Configured by default to block most incoming traffic
–Can configure to allow specific types of traffic without internal request

43 Remote Access Security (continued)
Figure 12-32: The Services tab of the Advanced Settings dialog box

44 Remote Access Security (continued)
ICF (continued):
–Can log dropped traffic
Activity 12-10: Configuring ICF
–Objective: Configure a dial-up network connection (Internet) as a firewall

45 Sharing Internet Connections
Internet Proxy Service: Proxy server acts as intermediary between internal network and Internet
Windows XP Internet Connection Sharing (ICS): Used to share a single network connection with small group of networked computers
–Computer essentially becomes a limited DHCP server
Activity 12-11: Configuring ICS
–Objective: Configure Windows XP Professional to share an Internet connection with other computers on a network

46 Sharing Internet Connections (continued)
Figure 12-36: Using a proxy server

47 Sharing Internet Connections (continued)
Configuring ICS:
–On-demand dialing
–Define internal services accessible to external users
–By default, allows access to L2TP, PPTP, and IKE (IPSec) resources
  Can enable access to other resources
–Do not use on networks with domain controllers, DNS servers, gateway systems, DHCP servers, or with clients that must have static IP addresses

48 Sharing Internet Connections (continued)
Configuring ICS (continued):
–ICS Troubleshooting Tasks:
  Verify connection is active and functioning
  Verify communication from other clients can access your system over the network
  Make sure computer hosting ICS has IP address of 192.168.1.1 with mask of 255.255.255.0
  Ensure ICS client computers set to automatically obtain IP address information

49 Windows Server 2003 Network Address Translation (NAT)
Figure 12-38: NAT routing

50 Summary
Terminal Services is a Windows Server 2003 feature that allows users to connect to and run applications on a Windows Server 2003 system from their desktops as though they were sitting at the server console
Remote Desktop for Administration is a Windows Server 2003 feature that allows an administrator to connect to servers remotely for administrative purposes
Terminal Services requires that the Licensing service be installed and activated

51 Summary (continued)
Terminal Services Manager can be used to monitor user connection information and the status of the terminal server
Remote access dial-in protocols include PPP and SLIP
Remote access security includes enabling user accounts through group policies and setting callback security options
VPN tunneling protocols include PPTP and L2TP

52 Summary (continued)
Internet Connection Firewall is used to protect systems against unwanted traffic from the Internet or untrusted network connections
Proxy servers work directly with Web browsers to share Internet access through the proxy service
Internet Connection Sharing can be used in Windows XP to share a single ISP link with a small network
Network Address Translation (NAT) can be used on a Windows Server 2003 system to provide Internet access to clients

