SBS2003 Add Terminal Server or Use Remote Access?

Posted on 2006-03-20
Last Modified: 2010-04-19
With Microsoft not recommending adding Terminal Server to the SBS2003 Server - instead they recommend adding extra hardware, Server 2003 + Terminal Server. Is Remote Access a viable alternative???
I wondered if it would be appropriate to use Remote Access on the server with VPN on the XP Clients to run a server/client based application for a handful of remote users (Part Sage, Part Bespoke).
I have carried out a simple test to install Remote Access Service on the server and start a partial install of the application on the client having first used the remote connection disk on a user's PC.
Anyone carried out similar? How secure is the connection? Would it be better to use hardware VPN? Is this the best way to progress given the small amount of users who require access to the application – less than 5? Is there a limit on the number of users that can simultaneously connect to the server using Remote Access?
Apologies for the number of questions in advance but feel sure that someone must have already implemented a similar setup and am looking for reassurance that Remote Access is a viable alternative.
Question by:SDudek
    LVL 77

    Expert Comment

    by:Rob Williams
    The terminal services built into SBS is for administration purposes only. You cannot make SBS a terminal server, that is one of the restrictions. So it is not a case of security. You can, as you suggested, add a separate server to act as a Terminal Server which is a very nice combination for small businesses. If concerned about security, it is still nice, though not completely necessary, to enable Routing and Remote Access to create a VPN so that your remote users can connect with added security to the new terminal server/network.

    Another option, if each of the remote users could have access to a local workstation, would be to access Remote Web Workplace through the SBS and connect to a desktop in what would effectively be a terminal server session on the desktop. You are restricted to one user per desktop, but it works well. There are no additional licenses or hardware required for this scenario.
    LVL 8

    Expert Comment

    If you have five mobile users trying to access this application, how many of them are accessing it at any one time?
    What is the speed connection into the server?
    Are your mobile users going to be using broadband or dial up or internet access with questionable quality?

    If you are using a dsl line, your best bet would be to either put in a dedicated Terminal server if you need more than two constant connections, if you only need a sporadic then set up a Windows XP Pro machine as your Remote Desktop machine.

    I would never be keen to install an application like this over a broadband or less connection; you do really need a proper network connection to the local network.

    The cheapest and simplest method is the Remote Desktop, but the most versatile is the Terminal Service Server.


    David Houston

    Author Comment

    The connection will be by ADSL but experience tells me that once the user has connected they often stay connected for large parts of the day accessing file and data servers even if they only use the application once every half hour/hour for 5 minutes or so.
    As they already have computers at remote locations it seems overkill to connect 5 x PCs at head office just so they can use these PCs for remote connection and remote desktop/terminal type session. (Although I suspect that if the link is too slow for the user experience then maybe a couple of PCs is the cheaper of the options).
    As an aside Outlook Web Access seems to work with no problems as well as collecting and sending emails through the exchange whilst connected by the VPN.  I guess that the only way to find out is to install the application and see what performance issues are identified. (I was thinking more of Icon on remote desktop with network share to the application location, hence my question about how many connections are possible/limited by Microsoft i.e. RDP Admin, and if I take the VPN route how secure is the Remote Access using Microsoft software tools (Remote Connection versus a hardware VPN setup).)
    Trust this update gives a clearer picture....but thanks for the comments so far.
    LVL 8

    Expert Comment

    Terminal Server: the restriction is the number of licences that you own.

    Remote Desktop: the number of XP Pro machines that you have to connect to.
    Note: RDP can be set up to disconnect a user after a certain period of time of no use, but a single user instance is all that can be done.

    VPN is reliant on the bandwidth requirements and the amount of disk writing that the software package will be doing.
    Certain programs like Quickbooks require a Full Local Area Network Connection to work and not corrupt databases.

    If you will have 5 users connected all the time the best course would be terminal server if the application supports a terminal service environment.
    5 users as you mentioned using RDP will be intensive on the bandwidth and require 5 dedicated machines.
    5 users across a vpn connection to access an application that is bandwidth intensive is only going to cause you problems. But if it uses a simple web front end like OWA then or a well designed and thought out like Outlook RPC through HTTP.

    I have not dealt with the product that you are wanting to use but, anything like this to me is either RDP or Terminal Server.

    Hope this Helps,

    David Houston
    LVL 77

    Expert Comment

    by:Rob Williams
    I agree, if you don't have the workstations in place already, terminal server is the recommended method. Remote Web Workplace is more ideally designed for an office employee who wants to be able to connect to their office desktop, from time to time, when away from the office. Five users for a proper Terminal Server over one DSL connection should be no problem at all, with or without a VPN. My preference for security is to use a VPN, but it is not necessary. If you wish to go that route a hardware VPN solution (VPN router) will slightly improve encryption performance and offload that service from the server. If it is an option, a VPN router at the client site is the best way to go, but budgets do not always allow, especially if it is one user per site. In that case you could use a VPN software client.
    LVL 8

    Accepted Solution


    I agree that vpn is a secure method and security is always the prime key of success, but you can encrypt the terminal server session.

    One question I do have is are the mobile users' systems managed? I.e. are they patched, have their antivirus up to date. If they are not or are home machines with no restricted access, a vpn connection would give them open access to your network.

    One thing that I have seen people miss or don't understand is that having a firewall on your sites is great, but when you let a vpn connection in you have to trust it completely and know exactly what is coming into your network.
    A terminal session although has its own security risks, if you cannot guarantee the system connecting to your network this is a better solution in my opinion.


    David Houston
    LVL 77

    Expert Comment

    by:Rob Williams
    I agree David, I guess there are concerns with any solution. Though the VPN does give you substantial protection from outsiders, the biggest concern is who and what has control of the connecting machine. It is sometimes necessary to lock down within the VPN.

    At the risk of sounding very naive I didn't realize you can encrypt the terminal server session, until you pointed that out. I just had a look. Sounds like a good alternative. I have read several articles lately about it being easy to "listen in" on TS sessions. The ability to encrypt, would greatly improve security without having to go the VPN route.
    LVL 5

    Expert Comment

    TS On SBS
    TS will only work on SBS in Administrative Mode, which is restricted to no more than 2 users.  Also, Administrative mode won't give you access to certain parts of the system, so if you wanted to use certain programs, like Faxnow! and others, it simply will not work for ANY user.

    5 Users on TS
    Several of my clients are using 2Ghz machines with a Gig or 2 of memory to support 10 to 15 users, so 5 users isn't a big deal.  However, you may want to upgrade your connection to do at least 512K upload, since each user will require 40K per session, so if anything else is going on in a 256K upload connection, that leaves you VERY little headroom.  (Keep in mind that I'm talking about UPLOAD speed, not download, which is what most people focus on)

    5 Users on VPN
    I wouldn't recommend it, unless you have something nice like a Cisco or Firebox, you can get the same level of security setting up your SBS server with Remote Workplace, and have your employees connect to the TS via that website (as opposed to directly forwarding port 3389 to your TS).  Most people don't take into account that a VPN gets VERY processor intensive when more than a couple of people log in and your average Linksys router is barely able to handle it.

    An Alternative
    If the 5 users in question already have a computer at the office, you may want to simply get for them, which would allow them access to their desktops.  Logmein has 256bit encryption, and is free if you don't need the printing and file sharing features.
