
Windows 2008R2 RDS farm - design and security configuration


  • Windows 2008R2 RDS farm - design and security configuration

    Hi all, I have a DC with 2 machines with R2std installed. One of them, called terminal.domain.com, is running all the RDS roles except for the RD Session Host, and terminal01.domain.com has only the RD Session Host role installed. I am planning to add terminal02 etc. later on, as required.

    The questions are:
    1. Is this a correct way of managing this sort of setup - a single gateway and a bunch of session hosts, or am I missing something?
    2. When my test users log in, they get to see all the software installed on the terminal01 host. Where do I define what they can and cannot see? Does this have to be a global GPO definition, or can I do that through some RDS-specific setting?
    3. I have the farm defined as "Terminals". I set up a DNS A record for both the terminal and terminal01 IP addresses to point to "Terminals". Was that the right way to do that, or do I only point to terminal (the RD gateway/broker) or to the terminal01..N set of hosts?

    Thanks

    Update: messed up the tags; mods, please make it comma separated, thanks
    Real stupidity always beats Artificial Intelligence (c) Terry Pratchett

    BA (BM), RHCE, MCSE, DCSE, Linux+, Network+

  • #2
    Re: Windows 2008R2 RDS farm - design and security configuration

    Hi,

    I hope that the DC doesn't also function as a TS

    1. Web Access... To allow users to access the application remotely.
    Also, what about RADIUS server? TS License server? Easy Print?

    http://blogs.technet.com/b/danstolts...r-2008-r2.aspx

    2. There is no official method to control permissions. You can use NTFS permissions for this, but
    this option isn't supported as far as I know.

    3.

    http://www.networkworld.com/community/node/49484

    http://www.networkworld.com/community/node/49566

    http://www.digicomp.ch/misc/document...in7_Zurich.pdf
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



    • #3
      Re: Windows 2008R2 RDS farm - design and security configuration

      I hope that the DC doesn't also function as a TS
      No, I've enough machines to spare (got a 2008r2 datacenter license, and a lot of hypervisors)


      1. Web Access... To allow users to access the application remotely.
      Also, what about RADIUS server? TS License server? Easy Print?
      I need more than web access, there will be full-scale terminal sessions in there. I put the license server as well as everything besides the actual RD session host in the "terminal" machine.

      The entire setup is in a closed-off DC, access is via site-to-site ASA 5500 series VPN concentrators. What would I need the RADIUS server for here?
      Can you also elaborate on Easy Print? Never heard of it before...


      2. There is no official method to control permissions. You can use NTFS permissions for this, but
      this option isn't supported as far as I know.
      By permissions I mean that a simple user logging into the terminal session gets access to administrative MMCs in the start menu. Most of them wouldn't start and some only work in r/o mode, but I'd like to make the terminal session look like a limited PC - no access to anything besides the programs I want the users to have access to.


      Great links btw, rep added of course, but an extra thanks from me for the reply
      Real stupidity always beats Artificial Intelligence (c) Terry Pratchett

      BA (BM), RHCE, MCSE, DCSE, Linux+, Network+



      • #4
        Re: Windows 2008R2 RDS farm - design and security configuration

        Hi,

        a. Easy Print:

        http://trycatch.be/blogs/roggenk/arc...s-it-work.aspx

        http://technet.microsoft.com/en-us/l.../cc732264.aspx

        b. RADIUS:

        Using RADIUS allows you to add another security layer (e.g. OTP, smart card, etc.).

        You can use Microsoft TMG (with or without RADIUS) and drop the need for a VPN.
        The main advantage of TMG is that it builds a shield between the internet and the internal network.

        http://www.isaserver.org/tutorials/M...way-Part1.html

        http://technet.microsoft.com/en-us/l.../cc995085.aspx
        Best Regards,

        Yuval Sinay

        LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14
