

Questions on Setting up a Terminal Server?

Splunker asked
Medium Priority
Last Modified: 2010-04-18
I need some of my users to have access to our network from their homes. Our firewall is managed by a third party. I asked them how to give my users access and they said I need to set up a terminal server in our DMZ. They said once I have the terminal server up and running they will be able to set up the rules and users for the firewall.  I have been reading the articles about setting up a terminal server. From what I can figure out, I need to set up a Terminal Server and then a Terminal Services Licensing Server (TSLS).

 It sounds like I am supposed to set up the TSLS on a Domain Controller.  How does this work if I am doing this for remote users outside our company? Do I still put it on the Domain Controller on our backbone and the Terminal Server in the DMZ? Will this still work?  Not sure what I am supposed to do in this case.

Are the terminal servers in question running 2000 or 2003?  
With 2000, a terminal server in a domain will look to a domain controller for its TS Licensing.  With 2003, you can have the TS License server on any 2003 box in your network.  If 2003 but not SP1, you set the License Server preference in the registry.  If 2003 SP1, you point it via Terminal Services Configuration.  

Firewalls need to forward port 3389-tcp to your server.  The DMZ point is a best practice thing but not a technical necessity.  


I haven't set anything up yet, but the Terminal Server will be running Windows 2003. My internal domain controller is Windows 2003.

You're saying that with Windows 2003 I don't need to place the TSLS on a Domain Server, any member server will do?

So I do need the TSLS on our internal network and then the Terminal Server set up in the DMZ with port 3389-tcp open. I assume this port is open so that the TS can communicate with the TSLS server to get licensing information?

Port 3389-tcp is for client-to-server communication, so that is the port your clients speak on to establish and maintain their connections.  I don't know what port(s) TS Licensing uses though...never set it up in a DMZ with licensing in a protected network.  To simplify things, let's say you have 2 options:

Option A: put the terminal server in your DMZ.  Have the firewall forward port 3389 from ANY (or from your remote clients' block of addresses) to your terminal server on the same port.  Install TS Licensing on the same server (so you don't need to open ports from your DMZ to your internal network).  

Option B: put the terminal server in your LAN.  Same thing with the firewall and ports.  Install TS Licensing on any 2003 machine in your LAN (including the terminal server), just pick one.  
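
As an added illustration of the two options above (this is not code from the original thread or from any of its posters): a small audit that reads a firewall rule set and reports how tcp/3389 is exposed. It distinguishes a forward from ANY, a forward restricted to a known remote client block, RDP reachable only from a VPN address pool, and the DMZ-to-LAN holes that Option A avoids by keeping TS Licensing on the terminal server itself. The rule format, the address blocks (DMZ, LAN, VPN pool, remote staff block) and the sample rules are all constructed assumptions for the example, not a real firewall export.

```python
# Audit a firewall rule set for how RDP (tcp/3389) is exposed.
# Constructed example: rule format, address plan and sample rules are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

RDP_PORT = 3389

# Assumed address plan (constructed). Adjust to your own ranges.
INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")              # "Option A": terminal server here
LAN = ipaddress.ip_network("10.0.0.0/8")                # "Option B": terminal server, DC, TS Licensing
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")        # addresses the VPN hands to remote clients
REMOTE_STAFF = ipaddress.ip_network("198.51.100.0/24")  # "your remote clients' block of addresses"


@dataclass
class Rule:
    name: str
    src: str               # CIDR, or "any" for 0.0.0.0/0
    dst: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means every port
    action: str            # "allow" or "deny"


def _net(spec: str) -> ipaddress.IPv4Network:
    return INTERNET if spec.lower() == "any" else ipaddress.ip_network(spec, strict=False)


def _zone(net: ipaddress.IPv4Network) -> str:
    """Name the zone a source or destination block belongs to (VPN pool checked before LAN)."""
    if net.prefixlen == 0:
        return "internet"
    if net.subnet_of(VPN_POOL):
        return "vpn"
    if net.subnet_of(REMOTE_STAFF):
        return "remote-block"
    if net.subnet_of(DMZ):
        return "dmz"
    if net.subnet_of(LAN):
        return "lan"
    return "other"


def allows_rdp(rule: Rule) -> bool:
    """True if the rule lets tcp/3389 through, explicitly or via an all-ports allow."""
    return (rule.action == "allow"
            and rule.proto.lower() in ("tcp", "any")
            and rule.dport in (None, RDP_PORT))


def classify_rdp_rule(rule: Rule) -> Tuple[str, str]:
    """Rate one RDP-permitting rule by who can reach the terminal server and where it sits."""
    src, dst = _zone(_net(rule.src)), _zone(_net(rule.dst))
    if src == "internet":
        if dst == "lan":
            return "HIGH", "RDP on an internal host is reachable from any address"
        return "MEDIUM", "RDP on the DMZ host is reachable from any address; restrict the source or front it with a VPN"
    if src == "vpn" and dst == "lan":
        return "OK", "RDP only reachable over the VPN tunnel"
    if src == "remote-block":
        return "LOW", "RDP restricted to the known remote client block"
    if src == "dmz" and dst == "lan":
        return "MEDIUM", "a DMZ host can open RDP into the LAN; a compromised terminal server gets a foothold inside"
    return "INFO", f"RDP allowed from {src} to {dst}"


def dmz_to_lan_rules(rules: List[Rule]) -> List[Rule]:
    """Rules letting DMZ hosts initiate traffic into the LAN (what Option A tries to avoid)."""
    return [r for r in rules
            if r.action == "allow"
            and _zone(_net(r.src)) == "dmz"
            and _zone(_net(r.dst)) == "lan"]


def audit(rules: List[Rule]) -> List[dict]:
    findings = []
    for r in rules:
        if allows_rdp(r):
            sev, detail = classify_rdp_rule(r)
            findings.append({"rule": r.name, "check": "rdp-exposure", "severity": sev, "detail": detail})
    for r in dmz_to_lan_rules(rules):
        findings.append({"rule": r.name, "check": "dmz-to-lan", "severity": "MEDIUM",
                         "detail": f"DMZ -> LAN allowed on {r.proto}/{r.dport or 'all'}"})
    return findings


# Constructed sample rule set mirroring the options discussed in the thread.
SAMPLE_RULES = [
    Rule("rdp-any-to-dmz-ts", "any", "192.0.2.10/32", "tcp", RDP_PORT, "allow"),               # Option A, from ANY
    Rule("rdp-staff-to-dmz-ts", "198.51.100.0/24", "192.0.2.10/32", "tcp", RDP_PORT, "allow"),  # Option A, restricted
    Rule("rdp-any-to-lan-ts", "any", "10.0.0.50/32", "tcp", RDP_PORT, "allow"),                # Option B, from ANY
    Rule("rdp-vpn-to-lan-ts", "10.200.0.0/24", "10.0.0.50/32", "tcp", RDP_PORT, "allow"),       # VPN + TS on the LAN
    Rule("dmz-ts-to-lan-any", "192.0.2.10/32", "10.0.0.0/8", "any", None, "allow"),             # DMZ TS reaching the LAN
    Rule("smtp-any-to-dmz", "any", "192.0.2.20/32", "tcp", 25, "allow"),                        # unrelated, ignored
    Rule("deny-rdp-default", "any", "any", "tcp", RDP_PORT, "deny"),                            # deny, ignored
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f['severity']:<6} {f['check']:<13} {f['rule']:<22} {f['detail']}")
```

The all-ports rule from the DMZ terminal server into the LAN is flagged twice on purpose: once because it also carries RDP, and once as a generic DMZ-to-LAN hole, which is exactly the kind of rule you would otherwise be asked to open if TS Licensing lived on the internal network instead of on the terminal server.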

Just wondering why you would not want to use a VPN solution. It's free, very little security risk, at least a lot less than TS, and takes nowhere near as much bandwidth..

Just my 2 cents..


When I asked about remote access, here is what my firewall monitors wrote back.

We recommend SSL VPNs up to a total of 15 users; set up a terminal server on your ecom DMZ where you have total of each user's access. Then set up the access from the terminal server for the appropriate access, i.e. email, etc.

The combination of VPN access and Terminal Services will give you the best mix of security and bandwidth.  You don't want your users to just VPN in and fire up Outlook in "fat client mode" (applications residing on client machines).  Doing this with a dozen users and a handful of programs will quickly kill the best WAN connections.  

Combining the VPN with Terminal Server will establish a secure tunnel and then keep your applications running "thin" (on terminal servers sitting on your LAN).  Now you won't need to move your terminal servers to the DMZ; your VPN is putting the users on your LAN already.  


That's what I was confused about. If we are creating a VPN connection between the firewall and the client, the firewall should handle traffic to the terminal server, which is on the inside of our network, correct? So I don't need to put any terminal server in the DMZ like they were referencing in the email. I should be able to get the terminal server working here inside our network first, then work with the firewall people on setting up the VPN and establishing the connection to the terminal server.

Is this correct?


It seems they want you to set up a VPN into your network and have your users connect to a Terminal Services server over the VPN.  They recommend this because you really don't want users connecting and just running apps off the network.  This also secures you from viruses that could be residing on home computers outside your control.

I would now say it is your call, depending on how many remote users you expect to have.  If it is only one or two people, and they are running laptops that you have control over, I say forget TS.  If you expect it to be heavily utilized, then go with the TS.

Personally I have a T1, 50+ people with the ability to VPN in, and all Outlook clients on the laptops are set to use cached mode.  With 15 people on (right now) I am only using a little over 60% of my bandwidth.  Now, granted, it depends on how you have it configured (e.g., split tunnels, IPSec, PPTP, etc.), but if there is a cost involved in buying, configuring, and licensing your TS, I would suggest researching a VPN-only solution before spending.

Just my 2 cents....

You should be fine doing that; putting the terminal server(s) in the DMZ is just an extra precaution if you are doing the VPN setup anyway.  You would be fine just VPNing them into the LAN and hitting the server's IP directly.  


If I put the TS inside our network, am I better off putting the TSLS on the domain controller, or can I put it on the TS server? Will it work fine? I will be loading Windows 2003.

You can put it anywhere you want at that point.  On one hand, you could put it on the DC and have it intact if you ever rebuild your Terminal Server.  On the other hand, if you rebuild your DC it would affect your Terminal Server.  Six of one, half a dozen of the other.  
