Solved

Questions on Setting up a Terminal Server?

Posted on 2006-10-23
Last Modified: 2010-04-18
I need some of my users to have access to our network from their home. We have our firewall controlled by a third party. I asked them about how to give access to my users and they said I need to set up a terminal server on our DMZ. They said once I have the terminal server up and running they will be able to set up the rules and users for the firewall. I have been reading the articles about setting up a terminal server. From what I can figure out, I need to set up a Terminal Server then a Terminal Services Licensing Server (TSLS).

It sounds like I am supposed to set up the TSLS on a Domain Controller. How does this work if I am doing this for remote users outside our company? Do I still put it on the Domain Controller on our backbone then the Terminal Server on the DMZ? Will this still work? Not sure what I am supposed to do in this case.
0
Question by:Splunker
11 Comments
 
LVL 19

Expert Comment

by:BLipman
ID: 17790075
Are the terminal servers in question running 2000 or 2003?  
With 2000, a terminal server in a domain will look to a domain controller for its TS Licensing.  With 2003, you can have the TS License server on any 2003 box in your network.  If 2003 but not SP1, you set the License Server preference in the registry.  If 2003 SP1 you point it via Terminal Services Configuration.  

Firewalls need to fwd port 3389-tcp to your server.  The DMZ point is a best practice thing but not a technical necessity.  
0
 

Author Comment

by:Splunker
ID: 17790277
I haven't set anything up yet but the Terminal Server will be running Windows 2003. My internal domain controller is Windows 2003.

You're saying with Windows 2003 I don't need to place TSLS on a Domain Server, any member server will do?

So I do need TSLS on our internal network and then Terminal Server set up on DMZ with port 3389-tcp open. I assume this port is open so that TS can communicate with the TSLS server to get licensing information?
0
 
LVL 19

Expert Comment

by:BLipman
ID: 17790610
Port 3389-tcp is for Client to Server communication so that is the port your clients speak on to establish and maintain their connections.  I don't know what port(s) TSLicensing uses though... never set it up in a DMZ with licensing in a protected network.  To simplify things let's say you have 2 options:

Option A: put the terminal server in your DMZ.  Have the firewall fwd port 3389 from ANY (or from your remote client's block of addresses) to your terminal server on the same port.  Install TS Licensing on the same server (so you don't need to open ports from your DMZ to your internal network).  

Option B: put the terminal server in your LAN.  Same thing with the firewall and ports.  Install TS Licensing on any 2003 machine in your LAN (including the terminal server), just pick one.  
0
 
LVL 1

Expert Comment

by:culturaltrust
ID: 17791365
Just wondering why you would not want to use a VPN solution.  It's free, very little security risk, at least a lot less than TS, and takes nowhere near as much bandwidth.

Just my 2 cents..
0
 

Author Comment

by:Splunker
ID: 17791492
When I asked about remote access here is what my firewall monitors wrote back.

We recommend ssl VPNs up to a total of 15 users, setup a terminal server on your ecom dmz where you have total of each user's access. Then setup the access from the terminal server for the appropriate access, i.e. email, etc.
0
 
LVL 19

Expert Comment

by:BLipman
ID: 17791536
The combination of VPN access and Terminal Services will give you the best mix of security and bandwidth.  You don't want your users to just VPN in and fire up Outlook "fat client mode" (applications residing on client machines).  Doing this with a dozen users and a handful of programs will quickly kill the best WAN connections.  

Combining the VPN with Terminal Server will establish a secure tunnel and then keep your applications running "thin" (on terminal servers sitting on your LAN).  Now you won't need to move your terminal servers to the DMZ, your VPN is putting the users on your LAN already.  
0
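The rule choices in Option A and in the VPN-plus-Terminal-Server design above, expressed as an audit check. This is an added example, not part of the thread; the rule syntax, the addresses, and the names `parse_rule` and `audit` are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing (documentation and private ranges), not from the thread.
DMZ = ipaddress.ip_network("192.0.2.0/24")
LAN = ipaddress.ip_network("10.0.0.0/24")
TRUSTED_SOURCES = [ipaddress.ip_network("198.51.100.0/28"),  # remote clients' block
                   ipaddress.ip_network("10.8.0.0/24")]      # VPN address pool
RDP_PORT = 3389

# Constructed rule sets, one per design discussed above.
OPTION_A_ANY = ["allow tcp any -> 192.0.2.10:3389"]
OPTION_A_BLOCK = ["allow tcp 198.51.100.0/28 -> 192.0.2.10:3389"]
DMZ_WITH_LAN_ACCESS = OPTION_A_BLOCK + ["allow tcp 192.0.2.10 -> 10.0.0.25:25"]
VPN_THEN_TS = ["allow tcp 10.8.0.0/24 -> 10.0.0.20:3389"]

def parse_rule(line):
    """Parse 'allow tcp SRC -> DST:PORT' (hypothetical syntax); SRC may be 'any'."""
    action, proto, src, arrow, dst = line.split()
    if action != "allow" or proto != "tcp" or arrow != "->":
        raise ValueError(f"unsupported rule: {line!r}")
    host, _, port = dst.rpartition(":")
    src_net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src)
    return src_net, ipaddress.ip_address(host), int(port)

def audit(rules):
    """Return (rule, finding) pairs for the exposure cases raised in the thread."""
    findings = []
    for line in rules:
        src, dst, port = parse_rule(line)
        if src.subnet_of(DMZ) and dst in LAN:
            # Every such rule is a path from the exposed segment into the LAN.
            findings.append((line, "dmz-to-lan"))
        elif port == RDP_PORT and src.prefixlen == 0:
            # Forwarding 3389 from ANY: reachable from every address.
            findings.append((line, "rdp-from-any"))
        elif port == RDP_PORT and not any(src.subnet_of(t) for t in TRUSTED_SOURCES):
            findings.append((line, "rdp-unlisted-source"))
    return findings

if __name__ == "__main__":
    for name, rules in [("Option A, ANY", OPTION_A_ANY),
                        ("Option A, client block", OPTION_A_BLOCK),
                        ("DMZ TS with LAN access", DMZ_WITH_LAN_ACCESS),
                        ("VPN then TS on LAN", VPN_THEN_TS)]:
        print(name, audit(rules) or "no findings")
```
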
 

Author Comment

by:Splunker
ID: 17791592
That's what I was confused about. If we are creating a VPN connection between the firewall and the client, the firewall should handle traffic to the terminal server which is on the inside of our network, correct? So I don't need to put any terminal server on the DMZ like they were referencing in the email. I should be able to get the terminal server working here inside our network first then work with the firewall people for setting up VPN and establishing connection to the terminal server.

Is this correct?


0
 
LVL 1

Expert Comment

by:culturaltrust
ID: 17791607
AHH.

It seems they want you to set up a VPN into your network and have your users connect to a Terminal Services Server over the VPN.  They recommend this because you really don't want users connecting and just running apps off the network.  This also secures you from viruses that could be residing on home computers outside your control.

I would now say it is your call, depending on how many remote users you expect to have.  If it is only one or two people, and they are running laptops that you have control over, I say forget TS.  If you expect it to be heavily utilized then go with the TS.

Personally I have a T1, 50+ people with the ability to VPN in, and all Outlook clients on the laptops are set to use cached mode.  With 15 people on (right now) I am only using a little over 60% of my bandwidth.  Now, granted it depends on how you have it configured (e.g., split tunnels, IPSEC, PPTP, etc.), but if there is a cost involved in buying, configuring, and licensing your TS, I would suggest researching a VPN only solution before spending.

Just my 2 cents....
0
 
LVL 19

Expert Comment

by:BLipman
ID: 17791965
You should be fine doing that, putting the terminal server(s) in the DMZ is just an extra precaution if you are doing the VPN setup anyway.  You would be fine just VPN'ing them into the LAN and hitting the server's IP directly.  
0
 

Author Comment

by:Splunker
ID: 17795935
If I put the TS inside our network, am I better off putting TSLS on the domain controller or can I put it on the TS server? Will it work fine? I will be loading Windows 2003.
0
 
LVL 19

Accepted Solution

by:
BLipman earned 250 total points
ID: 17796888
You can put it anywhere you want at that point.  On one hand, you could put it on the DC and have it intact if you ever rebuild your Terminal Server.  On the other hand, if you rebuild your DC it would affect your Terminal Server.  6 one way, half a dozen the other.  
0
