Intrepidity
asked on
Running remoteapp from TS1 inside a terminal server session on TS2
We have two physical locations with terminal servers present in both locations. These locations are not yet joined in AD. Today some users access terminal server on the other location to access needed software. The following would of course be implemented AFTER joining the two locations in the same domain.
Example: Remote users connecting to terminal server on location1 (where home folder and most shared resources they need are present) also need access to, for example, the CRM app on location2. Any problems associated with running CRM from terminal server location2 as remoteapp inside a terminal server session in the terminal server on location1? Credentials would have to be passed on as in the single sign on process so users don't get asked about this a second time when accessing the remoteapp. Can I restrict this by adding the path to the terminal server on location2 in software restriction as allow? I do not want to open up for network access for users accessing the terminal server, but if I have to I have to. I don't even know if this setup will work at all..?
The CRM application in question has the database running on a server in loc2, and the client isn't capable of a connection over VPN due to need of bandwidth to database. The client software for the application can because of this not be installed in the terminal server in location1. Running as a remoteapp from terminal server in loc2 should however not be a problem.
This also means that a single user accesses 2 terminal servers with the same credentials at the same time. Any issues here?
ASKER
Well I'm hoping this won't have any licensing issues - but I'm probably too optimistic here.
Users at loc1 will log onto ts1 and users at loc2 will log onto ts2. Users from loc1 will have to be able to run crm app from loc2. This is where I want to use remoteapp since the application can't be run over a VPN connection.
The CRM application is not integrated with AD and uses its own authentication, so a single account for this purpose is an option.
Haven't decided on using roaming terminal services profiles or not.
I double up on TS occasionally. I don't use roaming profiles.
Login to the TS, then use that for Remote Desktop to workstations or servers.
Login to workstation via SBS2003 Remote Web Workplace. From there, Remote Desktop to server.
The trick: roaming profiles. Turn it off, or you will have terrible login times...sometimes 5-10 minutes if you've never logged in.
Plus, as BobintheNoc stated, profile updates upon logout...but you still have the first logon active. Wreaks havoc with files sitting on the desktop, icons, etc.
On the 2nd terminal server that's serving just the application, you might be able to configure it with either a local policy, or a gpo that only applies to it that restricts the updating of the network location---as if it were a locked down profile.
Question: Does your CRM application have its own authentication within itself, or does it use the existing user's Windows credentials? I'm suspecting that it must be Windows, since it's indicated that the user doesn't have to enter a 2nd set of credentials. If the CRM app WERE using its own security, I'd suggest something like using a 'common' or single user account to make the actual 2nd connection, instead of the user using their own again--this'd avoid any profile corruption/conflicts with the user using their own profile twice.
You might also have to ramp up your licensing, as this may be considered as two TS CALs per user ??
Bob