TS Newbie questions...


  • TS Newbie questions...

    I have a client that needs 1 TS at 1 location and 2 PC's at different remote locations accessing it - they also need SQL running on the TS server too. I have some questions...

    1- does the TS need to be a domain controller OR can it be a workgroup?
    2- does the TS need to have an outside static IP address from the ISP?
    3- the remote PC's will be XP Pro/Home PC's - what client do they use to access the IP?
    4- do I just have to forward 3389 on the DSL routers to the IP of the TS Server?
    5- if there's only 2 PC's accessing the TS server - do I need to purchase TS licenses?
    6- from what I understand - I can't use SBS2003?

    THANKS in advance!!!

  • #2
    Re: TS Newbie questions...

    Only reason I'm responding to this (as I'm not a TS kind of guy) is it appears to me you can do this on the cheap (I'm Dutch so I can smell cheap).

    I use Remote Desktop to admin my servers all the time.

    1- does the TS need to be a domain controller OR can it be a workgroup?

    Restate: Does the TS need to be a member server of a domain or a standalone workgroup server?

    Either.

    2- does the TS need to have an outside static IP address from the ISP?

    Possibly not. Look into a DDNS service like http://www.dyndns.com/

    3- the remote PC's will be XP Pro/Home PC's - what client do they use to access the IP?

    "Remote Desktop Connection". Default security should be sufficient.

    4- do I just have to forward 3389 on the DSL routers to the IP of the TS Server?

    Yes. Although you could pick a different port OR route a different port to 3389 through NAT for "added" security.

    5- if there's only 2 PC's accessing the TS server - do I need to purchase TS licenses?

    Normal W2K3 provides 2 sessions for "Remote Administration". These are full featured sessions. You will need to check the EULA to see if they can be used for general purpose, end user terminal services or just for admin purposes. Based on the terminology, I'm guessing you are in some kind of violation using these admin sessions for general computing but the system will allow it.

    6- from what I understand - I can't use SBS2003?

    Non lo so (I know it not).

    One final issue is when the 2 sessions are "held" and a new connection tries to come on line from the outside. It will be rejected. Inside the LAN, one would run "Terminal Services Manager" from the W2K3 Admin Tools Pack, kick off the oldest session, and connect. Coming in from the outside, I'm guessing Admin Tools Pack won't get through the firewall or, if you relaxed things so it did, you would have a security hole.

    So how do you enable a user to close an old RDP session?

    VNC is a possibility. Search for that in these forums and Stonelaughter's comments on security issues unless you upgrade beyond the free stuff.

    So the ability to dump a stale session and general EULA issues would be my biggest concern in the "Dutch" solution -- no offense intended to the Nederlanders out there.
    Cheers,

    Rick

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    © 2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



    • #3
      Re: TS Newbie questions...

      This time I checked before I posted my map
      My answer is now obsolete
      If there are only two sessions involved, there is no need for Terminal Services, Remote Desktop should be enough. Regarding question #2, is the TS server on a DSL network too? I thought the server has a static IP address and you ask if you need another one from the ISP, so it will be on the same network as the stations... Did I understand wrong? If this is what you asked, then the answer is no, you don't need another address for the server.
      Only thing I can add to Rick's excellent post is that one can login to the console and close from there the idle, unwanted session.
      To login to the console use:
      mstsc /console /v:[server IP address: port]
      For more mstsc parameters (like the geometry of the screen), see mstsc /?
      Last edited by sorinso; 10th February 2007, 21:37.

      Sorin Solomon

      »»»»»
      In order to succeed, your desire for success should be greater than your fear of failure.
      -
      «««««



      • #4
        Re: TS Newbie questions...

        Originally posted by sorinso View Post
        This time I checked before I posted my map
        My answer is now obsolete
        Only reason I posted is because you did not get in there sooner

        Anyone out there know what the EULA issues are on using those 2 admin TS sessions as general purpose clients?

        I'd certainly like to know before I made a decision as ignorance is generally not an accepted excuse.
        Cheers,

        Rick

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        © 2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



        • #5
          Re: TS Newbie questions...

          Just a slight tweak, if I may...
          4- do I just have to forward 3389 on the DSL routers to the IP of the TS Server?
          Doing this, even if you move it to a different port, is a bit of a security risk, because your login username and password are sent down the wire in plain text. I recommend no port forwarding at all.

          First, join the VPN, then, with no port forwarding at all, RDP to the local IP address of the TS.

          Joining a VPN is pretty easy: there are the built in Server 2003 functions, but even easier is a nice ADSL router like the Draytek Vigor 2800 series, which are really nice to setup - you add a teleworker VPN using the visual web interface for the router. Then have your XP remote users join the VPN onto the router's public IP address (preferably fixed, or use the dyndns address) following my step-by-step instructions here http://jcsltd.co.uk/technet/knowledg....php?kbid=5729

          Once they have joined the VPN, use Windows XP's RDP (Start > All Programs > Accessories > Communications > Remote Desktop Connection) and type in the Terminal Server's local IP address. Voila!

          If you need help setting up the Vigor Draytek 2800 router just ask me & I'll help you out. It does dyndns too, in case you haven't got a fixed public IP.

          I've used this technique on SBS2003 as well as Server2003.
          Best wishes,
          PaulH.
          MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



          • #6
            Re: TS Newbie questions...

            PaulH:

            As I understand it, w/ WXP or W2K3 targets of Remote desktop, the security is built in these days (vs. the old W2K days where you needed an encrypting client).

            This is a link for WXP:

            http://www.microsoft.com/technet/pro...c08621675.mspx

            And for W2K3:

            http://technet2.microsoft.com/Window....mspx?mfr=true

            Many more out there. One of the best comes from here:

            http://www.petri.com/securing_rdp_communications.htm

            Default is "Client Compatible" which, per the Petri article:

            Choices are client compatible, high, or FIPS. Client compatible means enforce the highest level of encryption that the connecting client supports. High means enforce the highest level of encryption that the server supports. FIPS means enforce FIPS encryption on both the server and the client. FIPS is government approved level of encryption.
            Here's a fourth link that may be the best yet:

            http://technet2.microsoft.com/Window....mspx?mfr=true

            So if you have WXP clients hitting W2K3 servers via 3389, I'm seeing the connections are sufficiently encrypted.

            Let me know if you find otherwise.
            Cheers,

            Rick

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            © 2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.
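
            Added example, not part of any post in this thread: a PowerShell check of the RDP-Tcp listener values behind the encryption-level and port-forwarding discussion above. `Get-RdpListenerFindings` is a hypothetical helper name, the sample settings are constructed, and treating a missing `SecurityLayer` value as RDP Security Layer is an assumption.

```powershell
# Added example, not from the thread. Get-RdpListenerFindings is a hypothetical helper name.
$RdpTcpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$LevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpListenerFindings {
    param([Parameter(Mandatory = $true)] $Settings)

    $findings = @()

    # MinEncryptionLevel: the "Encryption level" choice quoted from the Petri article.
    $level = [int]$Settings.MinEncryptionLevel
    $name  = $LevelNames[$level]
    if (-not $name) { $name = "unknown ($level)" }
    $findings += "Encryption level: $name"
    switch ($level) {
        1 { $findings += 'REVIEW: Low protects only data sent from client to server' }
        2 { $findings += 'NOTE: strength is whatever each connecting client supports; High enforces the server maximum' }
    }

    # SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS).
    # Assumption: a missing value is treated as 0.
    $layer = 0
    if ($null -ne $Settings.SecurityLayer) { $layer = [int]$Settings.SecurityLayer }
    if ($layer -eq 0) {
        $findings += 'REVIEW: RDP Security Layer encrypts the session but does not authenticate the server to the client'
    }

    # PortNumber: the listener port that the router would forward to.
    $port = [int]$Settings.PortNumber
    if ($port -eq 3389) {
        $findings += 'Port: 3389 (default)'
    } else {
        $findings += "Port: $port (non-default; hides the listener from casual scans, adds no protection to the logon)"
    }
    return $findings
}

# Constructed sample: Client Compatible, default port, RDP Security Layer.
$sample = New-Object PSObject -Property @{ MinEncryptionLevel = 2; PortNumber = 3389; SecurityLayer = 0 }
Get-RdpListenerFindings $sample

# On the server itself, read the live listener settings instead.
if (Test-Path $RdpTcpKey) {
    Get-RdpListenerFindings (Get-ItemProperty -Path $RdpTcpKey)
}
```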



            • #7
              Re: TS Newbie questions...

              One more thing: if you install an Application (e.g. Microsoft Office, SQL Server with a database, etc) and allow the users to access that application via Remote Desktop, you are in effect using a Terminal Server as opposed to Remote Administration. This may have licensing implications and you should consult Microsoft prior to proceeding. Although USUALLY Microsoft products PREVENT you doing things which are not allowed, I think that TS is one of those grey areas where they don't....


              Tom
              For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

              Anything you say will be misquoted and used against you



              • #8
                Re: TS Newbie questions...

                Originally posted by rvalstar View Post
                PaulH:

                As I understand it, w/ WXP or W2K3 targets of Remote desktop, the security is built in these days (vs. the old W2K days where you needed an encrypting client).
                Aha! Then I stand corrected! Rick, you have just saved me a whole lot of time setting these things up - I really thought that port forwarding 3389 was going to result in the login to the TS being sent in plain text. You've shown how that's not the case, and I'm very pleased about that, so thank you.

                Best wishes,
                PaulH.
                MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                • #9
                  Re: TS Newbie questions...

                  Here's my situation....I need to have a Windows 2003 Server w/ SQL on it - and I need to have 2 remote locations that need to update their data with the data on the SQL Server.....the software provider said they need Terminal Server....



                  • #10
                    Re: TS Newbie questions...

                    Originally posted by hfctpl View Post
                    Here's my situation....I need to have a Windows 2003 Server w/ SQL on it - and I need to have 2 remote locations that need to update their data with the data on the SQL Server.....the software provider said they need Terminal Server....
                    It really depends on how much you trust these two locations, these two users will be logging on as admins on to the server, and will have full admin access. There is no way to lock down these users logging on to a server using the administrative TS (i.e. no TS license).
                    Now on the other hand if all these users access is SQL server then I would open those ports and have them access just SQL server and then you would not have to deal with TS at all.
                    But, if you are dealing with the same kinds of crazy software vendors that I deal with you will surely confuse them with a suggestion on how to use their own software. <sigh>

                    oh, and SBS2003 can never be licensed as a real TS
                    "...if I turn out to be particularly clear, you've probably misunderstood what I've said” - Alan Greenspan



                    • #11
                      Re: TS Newbie questions...

                      Originally posted by Lior_S View Post
                      oh, and SBS2003 can never be licensed as a real TS
                      No, it can't, so you're stuck with just 2 remote users for ever, along with those licencing worries. But if all they are doing is accessing the software vendor's SQL products, you may want to avoid installing MS Office or anything else at all. Depends on what else they want to do.
                      Best wishes,
                      PaulH.
                      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                      • #12
                        Re: TS Newbie questions...

                        So is there any issue with installing this 2003 Server in a workgroup - There is no existing server, so I can't make it a member server AND I've been told not to make it a DC.



                        • #13
                          Re: TS Newbie questions...

                          Originally posted by hfctpl View Post
                          So is there any issue with installing this 2003 Server in a workgroup - There is no existing server, so I can't make it a member server AND I've been told not to make it a DC.
                          I'm not an SBS guy but from what I've learned in these forums, SBS must be a DC else stuff starts breaking.

                          No workgroup possibility for SBS.
                          Cheers,

                          Rick

                          ** Remember to give credit where credit is due and leave reputation points where appropriate **

                          © 2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



                          • #14
                            Re: TS Newbie questions...

                            Originally posted by rvalstar View Post
                            I'm not an SBS guy but from what I've learned in these forums, SBS must be a DC else stuff starts breaking.

                            No workgroup possibility for SBS.
                            Yes - correct. SBS by default installs as a DC and basically can be the only SBS DC on that LAN. You can't have 2 SBS servers side-by-side, no trust relationships with any Server 2003 boxes, no stuff like that. Advice is, "Have only one SBS within the building". SBS does not really "do" workgroups.
                            Best wishes,
                            PaulH.
                            MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                            • #15
                              Re: TS Newbie questions...

                              Originally posted by hfctpl View Post
                              So is there any issue with installing this 2003 Server in a workgroup - There is no existing server, so I can't make it a member server AND I've been told not to make it a DC.
                              Just to clarify - because of references in this thread to SBS - this is not an SBS box, right?

                              If so, just install Windows Server 2003, do not install Active Directory, i.e. do not run dcpromo nor use Server Management to make it a domain controller, and all you have is a nice simple fileserver with a workgroup name. Done that plenty of times and it works really well if you do not want it to be a DC or have anything to do with AD. No problem with that. It can, then, be made a Terminal Server and that too is perfectly legitimate. Just install all your applications after making it a Terminal Server, and don't forget to install Terminal Server licencing, which in your case would be on the same box.
                              Best wishes,
                              PaulH.
                              MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008
