mkouloumoundras

SBS 2008 and Remote Desktop Services

I'm currently attempting to configure a second server running Server 2008 Enterprise R2 as an RDS server (formerly Terminal Services). I have searched the Microsoft TechNet website looking for a step-by-step guide but have only found an SBS 2008 with Terminal Services installation guide, which does not follow the same steps as the installation I'm attempting. http://technet.microsoft.com/en-us/library/dd262139(WS.10).aspx

While a lot of the steps are similar, they are out of sequence and the terminology has changed in the installation process so much that it is confusing.

Does anyone know where I might find a good installation guide for configuring RDS in an SBS 2008 environment on Server 2008 Enterprise R2?

Thanks in advance for any replies.
ThorinO

mkouloumoundras

ASKER

The only problem is that this guide is not specific to integration on an SBS 2008 domain.
ASKER CERTIFIED SOLUTION
itcok
This solution is only available to members.
The roles have been installed on the RDS server. Most of the configuration was done as part of the installation, and I'm not so confident the configuration is correct.

What I'm trying to achieve here is very basic, I want to assign the RDS server as the default computer for a particular group of users in AD so that when they access RWW on the SBS Server, they have the option to connect to the RDS.

This is my first attempt at RDS ever so I don't fully understand all of the roles that have been installed, such as the connection broker etc.

Item 3 on your list is already a group on my SBS 2008 server, can those be linked through AD and GP?
RWW by default will only let "User" accounts connect to computers, not servers. Your users would need to be "SBS Administrators" in order to connect to servers.

Ultimately, I think you'll need to set up an OU in Active Directory for your Terminal Server so that you can apply specific GPOs w/ loopback processing in order to lock down the desktop.

If you want to provide a web-based connection for your end users you could use the TS RemoteApp Manager and TS Web Access. Of course you'll need to set up a subdomain (https://rds.mydomain.com) and do the usual port forwarding/etc. to pass the traffic through the firewall.

 > TS RemoteApp Manager (used for configuration of the web portal)
 > TS Web Access (web portal for end users)

itcok, your comments helped me out tremendously and I now have the server configured (I used a guide I found on Petri after reading your comments), but the guide fails to indicate the proper configuration of the firewall to forward requests to the RDS server. I know RDS uses 3389 but my SBS server uses the same port already and my firewall is set up to forward requests to the SBS server. So the new question is, what is the best method for my firewall configuration and what port number should I change the RD Session Host to?
If you're going the standard route (using the RDP client) you could use a port in the 40000 to 50000 range... and port forward it to 3389. So your RDP client would connect to something like:

rds.mydomain.com:46565 = myrdsserver.mydomain.local:3389


Are you passing 3389 on your firewall to SBS for remote administration? If so I recommend using port forwarding and using a random port (like mentioned above) so that it's not quite so obvious to lazy port scanners that are scanning the well-known ports. You could use this to connect to SBS:

rds.mydomain.com:46566  =  mysbsserver.mydomain.local:3389

I'd rather leave port 3389 as forwarded to my SBS. Would you recommend changing the port number on the RDS server to 40xxx and setting up a rule on the firewall to point all TCP requests to forward to my RDS server's internal IP?

rds.mydomain.com  forwards to LAN 192.168.xxx.xxx:40xxxx
What happens is, you leave the servers configured to listen on 3389. You then use port forwarding on the firewall to control which external port gets routed to your servers.

Let's say your SBS server is 192.168.1.10 and it's listening on 3389 for TS. You create a port forward on your firewall that will route incoming traffic on port 46566 to your server, which is listening on 3389. When the firewall sees traffic coming in on port 46566 it will redirect it to your SBS server and connect.

PF >  rds.mydomain.com:46566 to 192.168.1.20:3389

Now for your RDS server we'll say its at 192.168.1.20 and it's listening on 3389. You create a port forward on your firewall that will route incoming traffic on port 46565 to your server which is listening on 3389.

PF >  rds.mydomain.com:46565 to 192.168.1.20:3389

If you had 30 servers, you could just keep incrementing the external port number (40xxx) and adding port forwards as needed.

It really isn't good to have port 3389 open on your firewall, and it will expose you to brute force attacks. Not that using a high port 40xxx will protect you, but it's more likely to go undetected unless someone runs a full port scan against your firewall.
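
An audit of a port-forward plan like the one described in the posts above, added here as an example and not taken from the thread or from any firewall product: it reads rules in the thread's `PF >` notation and flags a directly exposed 3389, a reused external port, and an internal server left with no forward or with more than one. The host inventory uses the addresses from the post's prose (SBS at 192.168.1.10, RDS at 192.168.1.20), the third sample rule is constructed, and `parse_rules` and `audit` are hypothetical names.

```python
import re

# Constructed input in the thread's "PF >" notation: the two forwards as posted,
# plus the asker's existing direct 3389 forward to SBS (assumed to be 192.168.1.10).
SAMPLE_RULES = """\
PF > rds.mydomain.com:46566 to 192.168.1.20:3389
PF > rds.mydomain.com:46565 to 192.168.1.20:3389
PF > rds.mydomain.com:3389 to 192.168.1.10:3389
"""

# Assumed inventory, using the addresses from the post's prose.
EXPECTED_HOSTS = {"192.168.1.10": "SBS", "192.168.1.20": "RDS"}

RULE_RE = re.compile(r"^PF\s*>\s*(\S+):(\d+)\s+to\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")

def parse_rules(text):
    """Return (external_name, external_port, internal_ip, internal_port) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = RULE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"line {lineno}: not a port-forward rule: {raw!r}")
        rules.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return rules

def audit(rules, expected_hosts, rdp_port=3389):
    """Return (finding, subject) pairs for a planned set of port forwards."""
    findings, seen_ports, targets = [], set(), {}
    for _name, ext_port, ip, _int_port in rules:
        if ext_port in seen_ports:       # same external port used by two rules
            findings.append(("duplicate-external-port", str(ext_port)))
        seen_ports.add(ext_port)
        if ext_port == rdp_port:         # well-known RDP port open to the internet
            findings.append(("rdp-port-exposed", ip))
        if ip not in expected_hosts:     # forward to a machine not in the inventory
            findings.append(("unknown-target", ip))
        targets.setdefault(ip, []).append(ext_port)
    for ip in expected_hosts:
        if ip not in targets:            # server the plan never publishes
            findings.append(("host-without-forward", ip))
        elif len(targets[ip]) > 1:       # often a copy/paste slip in the target IP
            findings.append(("multiple-forwards-to-host", ip))
    return findings

if __name__ == "__main__":
    print(audit(parse_rules(SAMPLE_RULES), EXPECTED_HOSTS))
```

Running the same check against an export of the firewall's real rule table, after converting it to this one-line-per-rule form, shows whether each server has exactly one high-port forward before the plan goes live.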
Alex Appleton
See this site for adding the TS to the computer list in RWW.  I do this frequently and it works fine:

http://msmvps.com/blogs/steveb/archive/2009/08/17/terminal-server-access-through-rww-in-ebs-amp-sbs.aspx
SOLUTION
This solution is only available to members.
For access:

Create a user group that you will use to assign users access rights to the terminal server.  Add this group to the local Remote Desktop Users group on the terminal server.  Next, create a user role, and make sure this user group that you created is a group in your newly created user role.  Finally, you can assign this new user role to users that you wish to have remote access.  Make sure you do all of this within the SBS console for best results.  

Other than this, you can simply use the standard setup guides for terminal servers.
AAppleton - that's just great! Learn something new every day.

Thanks
AAppleton, this is perfect, thanks for the post.