Setting up Remote Access in Windows 2003 Server

Posted on 2007-10-17
Medium Priority
Last Modified: 2013-11-21
Hi all,

I want to set up Remote Access for staff and students to access their documents from home, however I am not sure which server I need to put it on! I have 2 servers for students' data and profiles, 1 main server for staff data and profiles and also 1 other server that contains both staff and student data, which is like an archive / video server. Would I need to set up remote access on all of these servers or just my Domain Controller, or a new server altogether? Sorry to sound so primitive in my question, but all the documentation states how to do it, it just doesn't state which server to put it on!

Thanks in advance

Question by:brookesm

Expert Comment

ID: 20093270
All of this can be accomplished by having your remote users connect back to the main office via a VPN connection.
Your firewall should have that ability and if not, Windows 2003 has that ability.

Once the user connects the VPN he/she should be able to use all the same network functions that are available to them while physically at the main office location.

Here is an article on configuring RAS for Windows 2003.

Author Comment

ID: 20093433
If I do it using Windows Server 2003, which server do I have to set it up on?

Accepted Solution

Cláudio Rodrigues earned 2000 total points
ID: 20108397
VPN is a double-edged sword. When the connection is established the computer becomes a node on the network and if you have no control over this computer (meaning if you do not know/guarantee they have antivirus, are patched, worm-free, etc.) it may end up attacking/infecting your network.
In this case it is much better to set up a terminal server for your users that need remote access to applications.
The basics are very simple:
1. Install a new server with Windows 2003.
2. After the install go to Control Panel | Add/Remove Programs | Windows Components and select 'Terminal Services'. Do not worry at this stage about 'Terminal Services Licensing'. You will have 120 days to install this and another 90 days after it is installed to purchase/install Terminal Services Client Access Licenses (TSCALs as we call them). Note that you can install the Terminal Services Licensing on the TS itself or on your domain controller. Just keep this in the back of your mind that you will need to have that installed and with licenses within 210 days.
3. Once Terminal Services get installed it will ask for a reboot. Reboot.
4. Make the TS part of your domain.
5. On the TS, log on to it and go to Computer Management. Under Local Users and Groups find the 'Remote Desktop Users' group. Add the users you want to access the TS to that group. I would go to the domain controller and create a group called 'TS Users' and add all the users you need there. Then just add the 'TS Users' group to the local TS group mentioned above.
6. Now log on to the TS and install applications on it always using Control Panel | Add/Remove Programs.
7. Configure your firewall to do a port mapping on the external IP address, port TCP 3389 to go to the TS internal IP, port 3389.
8. Give the external IP address to your users and tell them to use the Remote Desktop Client software (from Microsoft, part of Windows XP). They can run it by simply typing MSTSC on their Windows XP PCs. Once they launch it they just type the external IP and they will see the logon screen!

Optional steps:
1. Create an OU on your domain called Terminal Servers.
2. Move the TS you just created to that OU.
3. Create a group policy at that OU level to lock down/restrict what your users do. Make sure you DENY the policy to administrators, REMOVE 'Authenticated Users' from it and ADD 'TS Users' (the group you created above) and the TS computer object itself.
4. Enable 'Loopback Processing Mode' in the policy itself (check Google).
5. Configure the policy to lock down all you want (so users cannot screw up the TS).

Hope this helps.

Cláudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
