Terminal Server 2008 R2 Deployment and Improvements

We have two 2003 TS servers which are getting "old".

On those two TS we have Citrix running so we can log on to customers' environments.
The idea is to displace those with a newer, more secure and reliable solution.

The discussion went for TS 2008 R2, although I'm not sure what the improvements and advantages are. Our customers are i.e. banks and do require high security.

If somebody could please list me the pros/cons? In which ways is TS 2008 better than 2003?


The detailed article from Microsoft here... go through it... you will understand the differences and pros/cons..

Tony Johncock (Lead Technical Architect) commented:
I don't think that gives you all the detail you really want.

To highlight some of the improvements:

Session Host Load Balancing: You can now load balance RD Session Host servers (previously Terminal Servers in Application Mode) and if a user is disconnected they can usually be reconnected to their existing session as in Citrix. Whilst this was available in 2003 it is significantly improved in 2008 R2;

Application Publishing: RemoteApp allows you to publish applications to users;

RDWeb Gateway: Akin to Citrix Secure Gateway/lower end CAG devices, these allow you to securely publish the RemoteApp applications and desktops via a web browser over 443, secured with certificates and end-to-end encrypted;

Greater user capacity: 2008 R2, being 64-bit, means in some cases you have better user scalability (this is always dependent on apps of course, as well as what users are doing, so your mileage may vary). One flip side is, R2 is 64-bit only so you may not be able to use some legacy applications;

More secure RDS client: The RDS Client (RDP) can now use certificate authentication and you can determine whether to allow connections from earlier versions of client or not.

2008 R2 is actively patched and supported and in theory should maintain a lower attack profile.

Depending on what you're doing, you may not require Citrix so there can be significant cost savings.

Of course there are other benefits such as greater control via the enhanced group policies.
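The "more secure RDS client" point above (certificate-based security and refusing older clients) maps onto three settings on the RD Session Host listener. The following is an added example, not code from the thread or from Microsoft: it audits those settings through the Win32_TSGeneralSetting WMI class and applies the stricter values if they are missing. It assumes a single default listener named RDP-Tcp and an elevated PowerShell prompt on the 2008 R2 host.

```powershell
# Added example (not from the thread): audit and harden the RDP listener
# on a Windows Server 2008 R2 RD Session Host via Win32_TSGeneralSetting.
# Assumptions: one listener named 'RDP-Tcp'; run elevated on the host.

$ns  = 'root\cimv2\TerminalServices'
$rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
           -Filter "TerminalName='RDP-Tcp'"

# Current state. SecurityLayer: 0 = RDP security, 1 = Negotiate, 2 = SSL/TLS.
# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS.
# UserAuthenticationRequired: 1 = Network Level Authentication required,
# which is what rejects the pre-NLA (older) clients mentioned above.
$rdp | Select-Object TerminalName, SecurityLayer, MinEncryptionLevel,
                     UserAuthenticationRequired, SSLCertificateSHA1Hash |
       Format-List

$findings = @()
if ($rdp.SecurityLayer -lt 2) {
    $findings += 'SecurityLayer permits legacy RDP security; TLS (2) preferred.'
}
if ($rdp.UserAuthenticationRequired -ne 1) {
    $findings += 'NLA is off; clients reach the logon screen before authenticating.'
}
if ($rdp.MinEncryptionLevel -lt 3) {
    $findings += 'MinEncryptionLevel is below High (3).'
}

if ($findings.Count -eq 0) {
    'Listener already meets the baseline.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }

    # Remediate. Each Set* method returns ReturnValue 0 on success.
    # Apply only once the host holds a certificate the clients trust,
    # otherwise users get certificate warnings and very old clients
    # (pre-NLA) will no longer connect, which is the intended effect.
    $r1 = $rdp.SetSecurityLayer(2)
    $r2 = $rdp.SetUserAuthenticationRequired(1)
    $r3 = $rdp.SetEncryptionLevel(3)
    if (($r1.ReturnValue + $r2.ReturnValue + $r3.ReturnValue) -eq 0) {
        'Settings applied; new connections require TLS with NLA.'
    } else {
        'One or more settings failed; check the ReturnValue codes.'
    }
}
```

Existing sessions are not touched; the change applies to new connections. The SSLCertificateSHA1Hash shown in the audit is the thumbprint of the certificate the listener presents, so an empty or self-signed value is the first thing to fix before enabling the TLS layer for bank-facing use.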
quickslvr (Author) commented:

Thanks a lot, that is more specific and what I'm looking for. However, it's still not quite complete.

I need to present this to our CEOs to have a negotiating base. What does TS 2008 R2 offer that Citrix/VDI can't, and vice versa? And of course, cost is always a topic, but as long as something functions the way we need it, it shall have its price.

We use TS and Citrix to log in to our customers' servers and provide support, etc.
Our customers are i.e. banks/insurances and have very strict policies and we have to obey them.

The idea is to have one single application which allows SSO and fulfills all the security needs.

So, if you could please give me more info, that would be great.

Tony Johncock (Lead Technical Architect) commented:
Ok - in a nutshell, RDS 2008 doesn't offer anything Citrix doesn't but some would argue that Citrix is just a bit better at its management and deployment and in some cases is a bit easier to get working.

Citrix on the other hand, will do everything that I mentioned in RDS above but also more. Important to some folks is the connect from anywhere mentality of Citrix - whereas with RDS you are basically limited to using an RDP client (so pretty much Windows, OS X and Linux), Citrix have a receiver (client) for all of those, plus iDevice, BlackBerry, Android etc.

Citrix offer a physical appliance (Citrix Access Gateway - CAG*) that can offload the SSL transactions away from the web gateway, so increased capacity and arguably a lower attack profile than dropping IIS into a DMZ.

You can also get Edgesight with Citrix which gives much better monitoring and reporting than anything native to RDS which may tip the balance with your customers.

VDI - I don't think this is a suitable solution in this case, but in a nutshell it's about delivering a virtualised desktop, but unlike the case of XenApp or RDS, it's a workstation-based OS. VDI tends to have much greater complexity of management. Plus you still need some kind of gateway in, so you'd be building the RDS or Citrix environment for this anyway. Plus, where it's just in as a support tool, I've found it much simpler and more cost-effective to use RDS/XenApp and have a workstation OS in a virtual PC type of platform (it works surprisingly well). This can often negate the x64/2008 R2 OS problems with older/non-compatible software.

RDS does support SSO, but can be a real pain to configure the way you want. Certificates are always the friend there. Citrix's SSO is much simpler and if you are authenticating at a CAG then tends to "just work" in a much more streamlined fashion.

The one thing that goes against Citrix is generally cost, but in my honest opinion, it tends to be a better end-to-end solution when you need the multiple access methods, SSO, reporting etc.

*Citrix also offer one variant of the CAG as a virtual appliance - it's basically the same Linux-based OS but you can run it virtually.

quickslvr (Author) commented:

Thanks for all that info. See, cost is not really a concern as long as that solution fulfills all our needs.

We use Citrix in three different ways:

1. direct internet access (no proxy)
2. customer support (with proxy)
3. with Office and company-internal reporting tools

I'm not really experienced in that technology, that's why I need detailed info about it.

Would you recommend migrating internally from TS 2003 to TS 2008 R2 first? Our technicians complain about TS sessions that crash or remain idle, and that's something we need to get fixed ASAP before any Citrix upgrade.
Tony is spot-on.. RDS/TS has always been the core of XenApp (Citrix wrote that multi-win core and sold it back to Microsoft; they both have permanent engineers on each others campuses to support this).

Microsoft can do most of the raw mechanics of what Citrix does, but they do so in a much more complicated and antiquated way compared to Citrix.  As long as you have maintained your Citrix Subscription Advantage, you are entitled to the current products, so that is really not an issue either.  If you have allowed it to lapse then chances are you will have to completely re-buy the licensing if it has been too long.

Define in more detail your 3 scenarios?  Not sure what you mean by proxy/no proxy?  

In the existing 2k3 environment, what version of Citrix are you running?  You can certainly set timers in the connectors for ICA (and RDP) to handle the idle time.  

Basically, you can set sessions to have a certain amount of "active" time - I virtually always recommend *against* this.  You can set an option for what happens if a session connection 'breaks': it is disconnected or reset.  Disconnected sessions remain "alive" on the server, and reset sessions are just that -- reset.  You can then set other timers: idle time - how long can a session go without any keyboard or mouse input, and at the end of that idle timer, their session will be disconnected or reset depending on the option you chose, and once they are disconnected, how long can they remain in that disconnected state before the session is reset.  It is important to note that a reset session is *not* logged off, it is simply terminated.

Citrix offers SSO as part of its licensing at the Platinum level.  (Platinum gets you XenApp, SSO, a CAG or Netscaler Virtual Appliance, and a whole host of related products).  

It would help if you defined more of what you are looking for from the upgrade.  There are a lot of things that Citrix does that Microsoft does not (like SmartAuditor - recording the ICA sessions for later replay, EdgeSight for massively detailed logging, Single Sign-On, clients for every graphical platform in existence etc.).  
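The timer model described above (active limit, idle limit, broken-connection action, disconnected limit) exists on the Windows side too, as the "Session Time Limits" policy of Terminal Services / RDS. This is an added example, not from the thread or from Citrix, that writes those limits on a single RD Session Host through the machine-policy registry values the group policy uses, following the advice above to leave the active-session limit off. It assumes an elevated prompt on a 2003 or 2008 R2 host and that no domain GPO overrides these values.

```powershell
# Added example (not from the thread): configure RDS session time limits
# on one host using the policy registry values written by the
# "Session Time Limits" group policy. Timers are in milliseconds; 0 = never.
# Assumption: no domain GPO sets these keys (a GPO would win on refresh).

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

function Set-SessionLimit {
    param([string]$Name, [int]$Minutes)
    New-ItemProperty -Path $policy -Name $Name -PropertyType DWord `
                     -Value ($Minutes * 60 * 1000) -Force | Out-Null
}

# Idle timer: 30 minutes without keyboard/mouse input triggers the
# broken-connection action below.
Set-SessionLimit -Name 'MaxIdleTime'          -Minutes 30
# Disconnected timer: a disconnected session stays alive 2 hours, then is reset.
Set-SessionLimit -Name 'MaxDisconnectionTime' -Minutes 120
# Active-session limit left at 0 (never), as recommended above.
Set-SessionLimit -Name 'MaxConnectionTime'    -Minutes 0
# Action when the idle timer fires or the connection breaks:
# 0 = disconnect (session survives, user can reconnect), 1 = reset.
New-ItemProperty -Path $policy -Name 'fResetBroken' -PropertyType DWord `
                 -Value 0 -Force | Out-Null

# Read back what is configured, converted to minutes for review.
$cfg = Get-ItemProperty -Path $policy
[pscustomobject]@{
    IdleMinutes         = $cfg.MaxIdleTime / 60000
    DisconnectedMinutes = $cfg.MaxDisconnectionTime / 60000
    ActiveMinutes       = $cfg.MaxConnectionTime / 60000
    ResetOnBreak        = [bool]$cfg.fResetBroken
}

# Built-in tool: list logged-on users with their session state and idle time,
# so sessions already stuck idle are visible before the new limits apply.
query user
```

Because a reset session is terminated rather than logged off (as the post notes), the disconnected timer is the one that actually reclaims memory from the "hanging" sessions complained about earlier; the idle timer alone only moves a session from Active to Disconnected.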

quickslvr (Author) commented:
OK, I will discuss this with our team before we proceed.
quickslvr (Author) commented:
OK, I have migrated to TS 2008 R2 by now and all MS CALs and Citrix licenses are migrated to the new LS. The TS servers are still 2003.

The basic idea is to replace hardware computers with a virtualized solution. Which one it will be in the end doesn't matter.

Right now, there's a portal where they log on with Citrix ICA 10.150.

There are two configs on it, one very basic, naked, and one with standard software (Office, etc.) and some tools like SAP, etc.

1. Users in-house log in to a TS where Office, SAP, Acrobat, etc. and printers are installed and all the work can be done from there.

2. Technicians are not allowed to bring their own computers to a customer, so they need to access their tools through Citrix/RDP. They need tools like Wireshark, PuTTY, Check Point, TFTP, etc. They need instant access to ISOs and other images.

From there, two more configs are required:
1. a "naked" config without any proxy settings for the purpose of connectivity testing,
2. a config where we can access our customer support DB and password tool.

So, what could be a solution which fulfills all this?

Tony Johncock (Lead Technical Architect) commented:
Citrix Web Interface may be your friend here.

You get the same concept of a web portal that a user logs into securely.

You would configure it to communicate with the Citrix server(s) and it will take published applications and display them to the user. The user will only see those applications that they have rights to, so you can make the web interface as granular as you wish.

One point - wireshark - you might be struggling with that in a virtualised environment due to the OS being abstracted from the hardware. It may be you need to have a physical machine somewhere on the network that you can RDP into - again, you can publish the RDP client from within the Web Interface page.
quickslvr (Author) commented:
We have Citrix Presentation Server 4.5.

Could you please provide me with detailed info on how I could proceed?

How and what do I have to upgrade? What about VDI?
I don't think you are going to accomplish what you want, if I am understanding this.  

Your engineers are going to customer sites, and want to utilize their tools at the customer site correct? If that is the case, then none of these scenarios will work for you, because the tools will be running from your site, not from the customer's site.

You can potentially get around that by packaging and streaming the applications, which will let them work locally, and wireshark should work also (an educated guess).

I use wireshark on my VM's and it works just fine capturing the VM data (does not capture the local system data as far as I can tell).

Tony Johncock (Lead Technical Architect) commented:
If Wireshark installs drivers (and I recall it installs a PCAP driver?) then it most certainly won't work streamed via Citrix offline streaming or App-V.
Tony Johncock (Lead Technical Architect) commented:
Quickslvr: My understanding of your question is that these Citrix servers sit on the customers' sites. If they sit at your own site, then is there a connection into the customers via something such as a VPN?

Again, although I am assuming, it would appear that you've had a terminal server solution in place that was working fine for some time, but is ageing and will fall out of the required levels of security for your customers?

So - assuming they are in the customers location or you have a link: you would need a CAG device or secure gateway - I am unsure of the supported lifecycle of CSG so it might be worth checking this.

This would sit in a DMZ either in the customers site or your own. It then proxies connections to the XenApp servers (I would not stick with 4.5 - even if you require 32bit, I'd consider at least XenApp 5.0 so you can run 2008 RTM). All communication between the client and the Citrix servers is SSL encrypted.

You can then use the usual tools and applications.

You keep asking about VDI - this, as I am sure you are aware, delivers a virtual client desktop (Win 7 etc.) as opposed to a virtual server desktop (2008/2008 R2). The only real advantage you would get is where you have applications that can't/won't run under 2008. However, bear in mind that it's still a virtual machine and as such the hardware is abstracted from the operating system.

A less complex and more cost effective solution, I think, would be to have a workstation installed in the customer site that you can RDP to and use tools such as Wireshark from there. You can control who can RDP to it in the same way as 2008/2008R2 - by group membership.
quickslvr (Author) commented:

The Citrix server (Presentation Server 4.5) is here in-house at our place and has worked fine for a long time. We simply connect to our portal and choose which config we need. Yes, they run on Server 2003 TS and need a replacement with the newest technologies. Since we experience some issues with TS 2003 like "hanging" etc., we have to do something about it other than just workarounds like constantly rebooting them.

So, if I'm at a customer's place, I would use a computer they handed to me and connect to our portal from there and do the testing.

For in-house, we want to limit the HW costs and are considering a virtual solution (what it will be in the end doesn't matter). Since our techs are out of office so often, they don't need a full-fledged PC standing around here. It is enough when they can log in, check their mails, write down their working hours and that's it.
Tony Johncock (Lead Technical Architect) commented:
Dropping a Citrix server with an Access Gateway will provide you with the connectivity back to your office for sure - for people to use the apps you suggested for time management/email etc (no Outlook Web Access/Outlook Anywhere available? Might be an easier way than publishing Outlook).

I'm missing something here, sorry (my lack of understanding of something, not your explanations): you need to connect back to your office FROM customers to test...got that...but what is it you'll be testing? Do you need to run tools that reside on the customer site from the connection on the Citrix server?

Bear in mind that for anything like a normal user experience, VDI requires high speed storage as it is very IOP intensive. Depending on how many users connect to it and how many concurrently, that may limit your choices.
quickslvr (Author) commented:
OK, I have to clear all these details with our techs first before we can proceed.

As said, we have Citrix Presentation Server 4.5 running now. That one needs to be migrated to a version where we can use VDI.

Or Citrix licences will probably be changed to the XenDesktop model. From what I heard, XenApp and XenServer are included there, almost for free.

Well, XenApp pricing is about 2x the cost of XenDesktop licensing.  *BUT* there is a catch.  You go from concurrent user licensing in XA to per-user/per-device licensing in XD.  XD includes XA, but only using the per-user/per-device licensing.  

Tony Johncock (Lead Technical Architect) commented:
You might want also to look at the XenApp/XenDesktop Trade-up program for 2012:

I confess I haven't read it all in detail, but this bit might interest you:

2012 Trade-up to XenDesktop Program Overview

Citrix will continue to offer three permanent Trade-up to XenDesktop programs that give XenApp customers the ability to add desktop virtualization to XenApp and expand their desktop virtualization footprint. These programs include:

• Trade-up: Customers can choose to trade-up a subset of their XenApp licenses to receive one XenDesktop license for each XenApp license, or trade-up all of their XenApp licenses to receive two XenDesktop licenses for each XenApp license. This program allows customers to save more than 70% on XenDesktop.

• Trade-up PLUS: Customers who trade-up all of their XenApp licenses can also expand to reach MORE users with XenDesktop for 10% off the standard product SRP.

• Trade-up MAX: Customers who trade-up all of their XenApp licenses can also expand to reach ALL of their users with XenDesktop for 35% off the standard product SRP.

You might want to ask a Citrix reseller to clarify if you lose the XenApp license or not - reading those bullet points, it could be either way.