Solved

Questions on Setting up a Terminal Server?

Posted on 2006-10-23
Last Modified: 2010-04-18
I need some of my users to have access to our network from their homes. Our firewall is controlled by a third party. I asked them how to give access to my users and they said I need to set up a terminal server on our DMZ. They said once I have the terminal server up and running they will be able to set up the rules and users for the firewall. I have been reading the articles about setting up a terminal server. From what I can figure out, I need to set up a Terminal Server and then a Terminal Services Licensing Server (TSLS).

It sounds like I am supposed to set up the TSLS on a Domain Controller. How does this work if I am doing this for remote users outside our company? Do I still put it on the Domain Controller on our backbone and then the Terminal Server on the DMZ? Will this still work? I am not sure what I am supposed to do in this case.

Question by: Splunker

11 Comments

Expert Comment by BLipman (LVL 19), ID: 17790075
Are the terminal servers in question running 2000 or 2003?  
With 2000, a terminal server in a domain will look to a domain controller for its TS Licensing.  With 2003, you can have the TS License server on any 2003 box in your network.  If 2003 but not SP1, you set the License Server preference in the registry.  If 2003 SP1 you point it via Terminal Services Configuration.  

Firewalls need to fwd port 3389-tcp to your server.  The DMZ point is a best practice thing but not a technical necessity.  

Author Comment by Splunker, ID: 17790277
I haven't set anything up yet, but the Terminal Server will be running Windows 2003. My internal domain controller is Windows 2003.

You're saying that with Windows 2003 I don't need to place TSLS on a Domain Server, any member server will do?

So I do need TSLS on our internal network and then the Terminal Server set up on the DMZ with port 3389-tcp open. I assume this port is open so that TS can communicate with the TSLS server to get licensing information?

Expert Comment by BLipman (LVL 19), ID: 17790610
Port 3389-tcp is for Client to Server communication, so that is the port your clients speak on to establish and maintain their connections. I don't know what port(s) TS Licensing uses though... never set it up in a DMZ with licensing in a protected network. To simplify things, let's say you have 2 options:

Option A: put the terminal server in your DMZ.  Have the firewall fwd port 3389 from ANY (or from your remote client's block of addresses) to your terminal server on the same port.  Install TS Licensing on the same server (so you don't need to open ports from your DMZ to your internal network).  

Option B: put the terminal server in your LAN.  Same thing with the firewall and ports.  Install TS Licensing on any 2003 machine in your LAN (including the terminal server), just pick one.  

Expert Comment by culturaltrust (LVL 1), ID: 17791365
Just wondering why you would not want to use a VPN solution. It's free, very little security risk, at least a lot less than TS, and takes nowhere near as much bandwidth.

Just my 2 cents.

Author Comment by Splunker, ID: 17791492
When I asked about remote access, here is what my firewall monitors wrote back:

"We recommend SSL VPNs up to a total of 15 users, set up a terminal server on your ecom DMZ where you have total control of each user's access. Then set up the access from the terminal server for the appropriate access, i.e. email, etc."

Expert Comment by BLipman (LVL 19), ID: 17791536
The combination of VPN access and Terminal Services will give you the best mix of security and bandwidth. You don't want your users to just VPN in and fire up Outlook in "fat client mode" (applications residing on client machines). Doing this with a dozen users and a handful of programs will quickly kill the best WAN connections.

Combining the VPN with Terminal Server will establish a secure tunnel and then keep your applications running "thin" (on terminal servers sitting on your LAN).  Now you won't need to move your terminal servers to the DMZ, your VPN is putting the users on your LAN already.  

Author Comment by Splunker, ID: 17791592
That's what I was confused about. If we are creating a VPN connection between the firewall and the client, the firewall should handle traffic to the terminal server which is on the inside of our network, correct? So I don't need to put any terminal server on the DMZ like they were referencing in the email. I should be able to get the terminal server working here inside our network first, then work with the firewall people on setting up the VPN and establishing the connection to the terminal server.

Is this correct?

Expert Comment by culturaltrust (LVL 1), ID: 17791607
AHH.

It seems they want you to set up a VPN into your network and have your users connect to a Terminal Services Server over the VPN. They recommend this because you really don't want users connecting and just running apps off the network. This also secures you from viruses that could be residing on home computers outside your control.

I would now say it is your call, depending on how many remote users you expect to have. If it is only one or two people, and they are running laptops that you have control over, I say forget TS. If you expect it to be heavily utilized, then go with the TS.

Personally I have a T1, 50+ people with the ability to VPN in, and all Outlook clients on the laptops are set to use cached mode. With 15 people on (right now) I am only using a little over 60% of my bandwidth. Now, granted, it depends on how you have it configured (e.g. split tunnels, IPSec, PPTP, etc.), but if there is a cost involved in buying, configuring, and licensing your TS, I would suggest researching a VPN-only solution before spending.

Just my 2 cents.

Expert Comment by BLipman (LVL 19), ID: 17791965
You should be fine doing that, putting the terminal server(s) in the DMZ is just an extra precaution if you are doing the VPN setup anyway.  You would be fine just VPN'ing them into the LAN and hitting the server's IP directly.  
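The firewall-policy side of Option A (terminal server in the DMZ, tcp/3389 forwarded only from the remote users' address block, nothing opened from the DMZ into the LAN) and Option B (terminal server in the LAN, reached only over the VPN) from the posts above, as an added example that is not from any poster here: a small Python checker run over a constructed rule set. The DMZ, LAN, VPN pool and remote users' blocks are assumed sample values, not the poster's real networks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing; none of these are the poster's real networks.
DMZ = ipaddress.ip_network("192.0.2.0/24")             # e-commerce DMZ
LAN = ipaddress.ip_network("10.0.0.0/8")               # internal network (VPN pool lives inside it)
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")       # addresses handed out to VPN clients
REMOTE_USERS = ipaddress.ip_network("203.0.113.0/24")  # home users' ISP block
RDP_PORT = 3389                                        # tcp/3389, RDP client-to-server


@dataclass(frozen=True)
class Rule:
    """One permit rule: source CIDR, destination CIDR, destination port (0 = any)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def review_rules(rules):
    """Return one finding per rule that contradicts Option A or Option B."""
    findings = []
    for r in rules:
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        opens_rdp = r.proto == "tcp" and r.dport in (RDP_PORT, 0)
        if src.subnet_of(DMZ) and dst.subnet_of(LAN):
            # Option A: TS Licensing sits on the terminal server itself, so no
            # port has to be opened from the DMZ into the LAN.
            findings.append(f"{r.src} -> {r.dst}: DMZ-to-LAN opening; keep TS Licensing on the terminal server")
        elif opens_rdp and dst.subnet_of(DMZ) and not src.subnet_of(REMOTE_USERS):
            # Option A: forward 3389 from the remote users' block, not from ANY.
            findings.append(f"{r.src} -> {r.dst}: RDP into the DMZ should be limited to {REMOTE_USERS}")
        elif opens_rdp and dst.subnet_of(LAN) and not src.subnet_of(LAN):
            # Option B: RDP to a LAN terminal server arrives only via the VPN pool.
            findings.append(f"{r.src} -> {r.dst}: inbound RDP to the LAN must come through the VPN ({VPN_POOL})")
    return findings


# Constructed rule set mixing acceptable and problematic entries.
SAMPLE_RULES = [
    Rule("203.0.113.0/24", "192.0.2.10/32", RDP_PORT),  # Option A, source-restricted: fine
    Rule("0.0.0.0/0", "192.0.2.10/32", RDP_PORT),       # Option A, open from ANY: flagged
    Rule("192.0.2.10/32", "10.0.0.5/32", 0),            # DMZ TS reaching a LAN license server: flagged
    Rule("10.200.0.0/24", "10.0.0.20/32", RDP_PORT),    # Option B, VPN clients to LAN TS: fine
    Rule("0.0.0.0/0", "10.0.0.20/32", RDP_PORT),        # Option B bypassed by a direct forward: flagged
]

if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(finding)
```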

Author Comment by Splunker, ID: 17795935
If I put the TS inside our network, am I better off putting TSLS on the domain controller, or can I put it on the TS server? Will it work fine? I will be loading Windows 2003.

Accepted Solution by BLipman (LVL 19), earned 250 total points, ID: 17796888
You can put it anywhere you want at that point. On one hand, you could put it on the DC and have it intact if you ever rebuild your Terminal Server. On the other hand, if you rebuild your DC it would affect your Terminal Server. Six of one, half a dozen of the other.