SDudek

SBS2003 Add Terminal Server or Use Remote Access?

With Microsoft not recommending adding Terminal Server to the SBS2003 Server (instead they recommend adding extra hardware, Server 2003 + Terminal Server), is Remote Access a viable alternative?
I wondered if it would be appropriate to use Remote Access on the server with VPN on the XP Clients to run a server/client based application for a handful of remote users (Part Sage, Part Bespoke).
I have carried out a simple test to install Remote Access Service on the server and start a partial install of the application on the client, having first used the remote connection disk on a user's PC.
Has anyone carried out similar? How secure is the connection? Would it be better to use hardware VPN? Is this the best way to progress given the small number of users who require access to the application – less than 5? Is there a limit on the number of users that can simultaneously connect to the server using Remote Access?
Apologies for the number of questions in advance, but I feel sure that someone must have already implemented a similar setup and am looking for reassurance that Remote Access is a viable alternative.
Rob Williams

The terminal services built into SBS is for administration purposes only. You cannot make SBS a terminal server; that is one of the restrictions. So it is not a case of security. You can, as you suggested, add a separate server to act as a Terminal Server, which is a very nice combination for small businesses. If concerned about security, it is still nice, though not completely necessary, to enable Routing and Remote Access to create a VPN so that your remote users can connect with added security to the new terminal server/network.

Another option, if each of the remote users could have access to a local workstation, would be to access Remote Web Workplace through the SBS and connect to a desktop in what would effectively be a terminal server session on the desktop. You are restricted to one user per desktop, but it works well. There are no additional licenses or hardware required for this scenario.
 
dhoustonie

If you have five mobile users trying to access this application, how many of them are accessing it at any one time?
What is the speed connection into the server?
Are your mobile users going to be using broadband or dial up or internet access with questionable quality?

If you are using a DSL line, your best bet would be to either put in a dedicated Terminal Server if you need more than two constant connections, or, if you only need sporadic connections, set up a Windows XP Pro machine as your Remote Desktop machine.

I would never be keen to install an application like this over a broadband or lesser connection; you really do need a proper network connection to the local network.

The cheapest and simplest method is the Remote Desktop, but the most versatile is the Terminal Service Server.

Regards,

David Houston
SDudek

ASKER

The connection will be by ADSL but experience tells me that once the user has connected they often stay connected for large parts of the day accessing file and data servers even if they only use the application once every half hour/hour for 5 minutes or so.
As they already have computers at remote locations it seems overkill to connect 5 x PCs at head office just so they can use these PCs for remote connection and remote desktop/terminal type session. (Although I suspect that if the link is too slow for the user experience then maybe a couple of PCs is the cheaper of the options.)
As an aside, Outlook Web Access seems to work with no problems, as well as collecting and sending emails through the Exchange whilst connected by the VPN. I guess that the only way to find out is to install the application and see what performance issues are identified. (I was thinking more of an icon on the remote desktop with a network share to the application location, hence my question about how many connections are possible/limited by Microsoft, i.e. RDP Admin, and if I take the VPN route, how secure is the Remote Access using Microsoft software tools (Remote Connection) versus a hardware VPN setup.)
Trust this update gives a clearer picture....but thanks for the comments so far.
Terminal Server the restriction is the number of licences that you own.

Remote Desktop, the number of XP Pro machines that you have to connect to.
Note: RDP can be setup to disconnect a user after a certain period of time of no use, but a single user instance is all that can be done.

VPN is reliant on the bandwidth requirements and the amount of disk writing that the software package will be doing.
Certain programs like Quickbooks require a Full Local Area Network Connection to work and not corrupt databases.

If you will have 5 users connected all the time the best course would be terminal server, if the application supports a terminal service environment.
5 users as you mentioned using RDP will be intensive on the bandwidth and require 5 dedicated machines.
5 users across a VPN connection to access an application that is bandwidth intensive is only going to cause you problems. But if it uses a simple web front end like OWA then or a well designed and thought out like Outlook RPC through HTTP.

I have not dealt with the product that you are wanting to use but, anything like this to me is either RDP or Terminal Server.


Hope this Helps,

David Houston
I agree, if you don't have the workstations in place already, terminal server is the recommended method. Remote Web Workplace is more ideally designed for an office employee who wants to be able to connect to their office desktop, from time to time, when away from the office. Five users for a proper Terminal Server over one DSL connection should be no problem at all, with or without a VPN. My preference for security is to use a VPN, but it is not necessary. If you wish to go that route a hardware VPN solution (VPN router) will slightly improve encryption performance and offload that service from the server. If it is an option, a VPN router at the client site is the best way to go, but budgets do not always allow, especially if it is one user per site. In that case you could use a VPN software client.
ASKER CERTIFIED SOLUTION
dhoustonie

I agree David, I guess there are concerns with any solution. Though the VPN does give you substantial protection from outsiders, the biggest concern is who and what has control of the connecting machine. It is sometimes necessary to lock down within the VPN.

At the risk of sounding very naive I didn't realize you can encrypt the terminal server session, until you pointed that out. I just had a look. Sounds like a good alternative. I have read several articles lately about it being easy to "listen in" on TS sessions. The ability to encrypt, would greatly improve security without having to go the VPN route.
Cheers,
--Rob
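
A check for the session encryption setting discussed in the comment above, as an added example that is not part of the original thread: it reads the standard Terminal Services registry values MinEncryptionLevel and SecurityLayer (policy key first, then the RDP-Tcp listener) and flags anything weaker than High encryption or without enforced TLS. It assumes PowerShell 2.0 or later is installed on the terminal server.

```powershell
# Added example: report the effective RDP encryption settings on this server.
# Assumes PowerShell 2.0+ and read access to HKLM.
$paths = @(
    # A Group Policy value, when present, overrides the listener setting.
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)
$encNames = @{
    1 = 'Low (only client-to-server data encrypted)'
    2 = 'Client Compatible (strongest the client supports)'
    3 = 'High (128-bit, both directions)'
    4 = 'FIPS Compliant'
}
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

function Get-EffectiveValue([string]$Name) {
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($item -ne $null -and $item.$Name -ne $null) {
            return New-Object PSObject -Property @{ Value = [int]$item.$Name; Source = $p }
        }
    }
    return $null
}

$findings = @()
$enc = Get-EffectiveValue 'MinEncryptionLevel'
if ($enc -eq $null) {
    $findings += 'MinEncryptionLevel is not set; confirm the level in the RDP-Tcp listener properties.'
} else {
    "Encryption level: {0} = {1} [{2}]" -f $enc.Value, $encNames[$enc.Value], $enc.Source
    if ($enc.Value -lt 3) { $findings += 'Encryption level is below High.' }
}

$layer = Get-EffectiveValue 'SecurityLayer'
if ($layer -eq $null) {
    $findings += 'SecurityLayer is not set; check the security layer in the listener properties.'
} else {
    "Security layer: {0} = {1} [{2}]" -f $layer.Value, $layerNames[$layer.Value], $layer.Source
    # Without TLS the client cannot authenticate the server, so a session
    # can be intercepted even though its traffic is encrypted.
    if ($layer.Value -ne 2) { $findings += 'TLS is not enforced for server authentication.' }
}

if ($findings.Count -eq 0) { 'No weak settings found.' } else { $findings }
```
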
TS On SBS
TS will only work on SBS in Administrative Mode, which is restricted to no more than 2 users.  Also, Administrative mode won't give you access to certain parts of the system, so if you wanted to use certain programs, like Faxnow! and others, it simply will not work for ANY user.

5 Users on TS
Several of my clients are using 2Ghz machines with a Gig or 2 of memory to support 10 to 15 users, so 5 users isn't a big deal.  However, you may want to upgrade your connection to do at least 512K upload, since each user will require 40K per session, so if anything else is going on in a 256K upload connection, that leaves you VERY little headroom.  (Keep in mind that I'm talking about UPLOAD speed, not download, which is what most people focus on)

5 Users on VPN
I wouldn't recommend it, unless you have something nice like a Cisco or Firebox. You can get the same level of security setting up your SBS server with Remote Workplace, and have your employees connect to the TS via that website (as opposed to directly forwarding port 3389 to your TS).  Most people don't take into account that a VPN gets VERY processor intensive when more than a couple of people log in, and your average Linksys router is barely able to handle it.

An Alternative
If the 5 users in question already have a computer at the office, you may want to simply get Logmein.com for them, which would allow them access to their desktops.  Logmein has 256bit encryption, and is free if you don't need the printing and file sharing features.