Solved

Questions on Setting up a Terminal Server?

Posted on 2006-10-23
Last Modified: 2010-04-18
I need some of my users to have access to our network from their homes. Our firewall is controlled by a third party. I asked them how to give access to my users and they said I need to set up a terminal server on our DMZ. They said once I have the terminal server up and running they will be able to set up the rules and users for the firewall. I have been reading the articles about setting up a terminal server. From what I can figure out, I need to set up a Terminal Server and then a Terminal Services Licensing Server (TSLS).

It sounds like I am supposed to set up the TSLS on a Domain Controller. How does this work if I am doing this for remote users outside our company? Do I still put it on the Domain Controller on our backbone and then the Terminal Server on the DMZ? Will this still work? I am not sure what I am supposed to do in this case.
Question by:Splunker
11 Comments
 
LVL 19

Expert Comment

by:BLipman
ID: 17790075
Are the terminal servers in question running 2000 or 2003?  
With 2000, a terminal server in a domain will look to a domain controller for its TS Licensing.  With 2003, you can have the TS License server on any 2003 box in your network.  If 2003 but not SP1, you set the License Server preference in the registry.  If 2003 SP1 you point it via Terminal Services Configuration.  

Firewalls need to fwd port 3389-tcp to your server.  The DMZ point is a best practice thing but not a technical necessity.  
 

Author Comment

by:Splunker
ID: 17790277
I haven't set anything up yet, but the Terminal Server will be running Windows 2003. My internal domain controller is Windows 2003.

You're saying that with Windows 2003 I don't need to place TSLS on a Domain Server, any member server will do?

So I do need TSLS on our internal network and then the Terminal Server set up on the DMZ with port 3389-tcp open. I assume this port is open so that TS can communicate with the TSLS server to get licensing information?
 
LVL 19

Expert Comment

by:BLipman
ID: 17790610
Port 3389-tcp is for Client to Server communication, so that is the port your clients speak on to establish and maintain their connections. I don't know what port(s) TS Licensing uses though... never set it up in a DMZ with licensing in a protected network. To simplify things, let's say you have 2 options:

Option A: put the terminal server in your DMZ.  Have the firewall fwd port 3389 from ANY (or from your remote client's block of addresses) to your terminal server on the same port.  Install TS Licensing on the same server (so you don't need to open ports from your DMZ to your internal network).  

Option B: put the terminal server in your LAN.  Same thing with the firewall and ports.  Install TS Licensing on any 2003 machine in your LAN (including the terminal server), just pick one.  
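A check for the two exposures raised in the options above (3389 forwarded from ANY rather than from the remote clients' address blocks, and ports opened from the DMZ to the internal network), as an added example that is not part of the original post. The rule format, rule names, zones and addresses are constructed for illustration and do not correspond to any firewall vendor's syntax.

```python
import ipaddress

RDP_PORT = 3389  # client-to-server port named in the thread

# Constructed sample rules in a hypothetical format (not any vendor's syntax).
# Addresses are documentation ranges; 49200 is a made-up port, not the
# TS Licensing port, which the thread leaves unidentified.
SAMPLE_RULES = [
    {"name": "rdp-from-any", "src_zone": "wan", "src": "any",
     "dst_zone": "dmz", "port": 3389, "proto": "tcp"},
    {"name": "rdp-from-homes", "src_zone": "wan", "src": "203.0.113.0/28",
     "dst_zone": "dmz", "port": 3389, "proto": "tcp"},
    {"name": "rdp-wide-block", "src_zone": "wan", "src": "203.0.113.0/24",
     "dst_zone": "dmz", "port": 3389, "proto": "tcp"},
    {"name": "ts-to-lan", "src_zone": "dmz", "src": "192.0.2.10/32",
     "dst_zone": "lan", "port": 49200, "proto": "tcp"},
    {"name": "web-from-any", "src_zone": "wan", "src": "any",
     "dst_zone": "dmz", "port": 443, "proto": "tcp"},
]


def parse_source(src):
    """Turn 'any' or a CIDR string into an IPv4 network object."""
    if src.strip().lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(src, strict=False)


def audit(rules, client_blocks):
    """Return (rule name, finding) pairs for the two exposures above."""
    allowed = [ipaddress.ip_network(b) for b in client_blocks]
    findings = []
    for r in rules:
        src = parse_source(r["src"])
        inbound_rdp = (r["src_zone"] == "wan" and r["proto"] == "tcp"
                       and r["port"] == RDP_PORT)
        # The rule's whole source range must sit inside a known client block.
        if inbound_rdp and not any(src.subnet_of(a) for a in allowed):
            findings.append((r["name"], "3389/tcp open beyond client blocks"))
        if r["src_zone"] == "dmz" and r["dst_zone"] == "lan":
            findings.append((r["name"], "opens DMZ to internal network"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES, ["203.0.113.0/28"]):
        print(f"{name}: {finding}")
```

The containment test flags a rule whose source range is wider than the listed client block even when it overlaps it, which is why the /24 rule is reported alongside the ANY rule.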
 
LVL 1

Expert Comment

by:culturaltrust
ID: 17791365
Just wondering why you would not want to use a VPN solution. It's free, very little security risk, at least a lot less than TS, and takes nowhere near as much bandwidth.

Just my 2 cents..
 

Author Comment

by:Splunker
ID: 17791492
When I asked about remote access, here is what my firewall monitors wrote back.

We recommend ssl VPNs up to a total of 15 users, setup a terminal server on your ecom dmz where you have total of each user's access. Then setup the access from the terminal server for the appropriate access, i.e. email, etc.

 
LVL 19

Expert Comment

by:BLipman
ID: 17791536
The combination of VPN access and Terminal Services will give you the best mix of security and bandwidth. You don't want your users to just VPN in and fire up Outlook "fat client mode" (applications residing on client machines). Doing this with a dozen users and a handful of programs will quickly kill the best WAN connections.

Combining the VPN with Terminal Server will establish a secure tunnel and then keep your applications running "thin" (on terminal servers sitting on your LAN).  Now you won't need to move your terminal servers to the DMZ, your VPN is putting the users on your LAN already.  
 

Author Comment

by:Splunker
ID: 17791592
That's what I was confused about. If we are creating a VPN connection between the firewall and the client, the firewall should handle traffic to the terminal server which is on the inside of our network, correct? So I don't need to put any terminal server on the DMZ like they were referencing in the email. I should be able to get the terminal server working here inside our network first, then work with the firewall people on setting up the VPN and establishing the connection to the terminal server.

Is this correct?


 
LVL 1

Expert Comment

by:culturaltrust
ID: 17791607
AHH.

It seems they want you to set up a VPN into your network and have your users connect to a Terminal Services Server over the VPN. They recommend this because you really don't want users connecting and just running apps off the network. This also secures you from viruses that could be residing on home computers outside your control.

I would now say it is your call, depending on how many remote users you expect to have. If it is only one or two people, and they are running laptops that you have control over, I say forget TS. If you expect it to be heavily utilized then go with the TS.

Personally I have a T1, 50+ people with the ability to VPN in, and all Outlook clients on the laptops are set to use cached mode. With 15 people on (right now) I am only using a little over 60% of my bandwidth. Now, granted it depends on how you have it configured (e.g., split tunnels, IPSEC, PPTP, etc.), but if there is a cost involved in buying, configuring, and licensing your TS, I would suggest researching a VPN-only solution before spending.

Just my 2 cents....
 
LVL 19

Expert Comment

by:BLipman
ID: 17791965
You should be fine doing that, putting the terminal server(s) in the DMZ is just an extra precaution if you are doing the VPN setup anyway.  You would be fine just VPN'ing them into the LAN and hitting the server's IP directly.  
 

Author Comment

by:Splunker
ID: 17795935
If I put the TS inside our network, am I better off putting TSLS on the domain controller or can I put it on the TS server? Will it work fine? I will be loading Windows 2003.
 
LVL 19

Accepted Solution

by:
BLipman earned 250 total points
ID: 17796888
You can put it anywhere you want at that point. On one hand, you could put it on the DC and have it intact if you ever rebuild your Terminal Server. On the other hand, if you rebuild your DC it would affect your Terminal Server. 6 one way, half a dozen the other.