 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Windows Server Forum / Small Business Server / SBS 2000 / November 2003taking the Term Server plunge
Ok, boys and girls, I finally have some time (and, more importantly, a "reason") to set up a separate term server to one of my SBS networks. I took a look at the Microsoft document 'Using SBS2000 w/ Term Services in App Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SBS200 0_Plus_W2KServer_Running_TS.aspx Is it right for me to feel real stupid about right now? Bottom line, I'm not sure what I have, or how close I am to making it work or not work. So, I thought rather than proceeding any further I'd stop and find out if there's either a simpler set of instructions or documents. Primarily, I want to set up a TS server to allow for Outlook/Exchange access along with using Microsoft WORD for some document support for people connecting in. As to the Microsoft document provided, first off, the details for installing and configuring TS (page 8 of the document) doesn't really match up with what I see on my W2K TS server box - close but not perfect. Page 9 & 10 go thru suggested tweaks for making the TS server run better. But somewhere around having me run the 'cacls' command to configure local rights on the TS server got me feeling nervous. So I did not do that step nor the one about setting the root drive variable. On page 11 I have instructions for creating a TSADmin account on the SBS server. Again, it's close, but the instructions don't exactly match up. On page 13 it has me login to the TS server using the TSAdmin account, but when I try to do anything it tells me I don't have permission to install anything. On page 17 it has me go through more configuration changes. I'm not even sure when or where I enable the licensing on the SBS server side and tell it there's a TS server. Any help? Thanks! kw any TS gurus out there? :-) > Ok, boys and girls, I finally have some time (and, more importantly, a > "reason") to set up a separate term server to one of my SBS networks. I took > a look at the Microsoft document 'Using SBS2000 w/ Term Services in App > Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SBS200 0_Plus_W2KServer_Running_TS.aspx > Is it right for me to feel real stupid about right now? > [quoted text clipped - 29 lines] > Thanks! > kw Hey Kevin, I see you reposted on this same topic, but I don't see answers to the questions you have below as being fully covered. Did you still want to follow-up on these other questions? If so, clarify what you want to know either here or there, and I'll offer additional thoughts if you like. > any TS gurus out there? > :-) [quoted text clipped - 4 lines] > > a look at the Microsoft document 'Using SBS2000 w/ Term Services in App > > Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SB S2000_Plus_W2KServer_Running_TS.aspx > > Is it right for me to feel real stupid about right now? > > [quoted text clipped - 31 lines] > > Thanks! > > kw Thanks, Jeff -- funny, you must of read my mind. OK, I installed W2K TS Server (tserver1), set it up to install Outlook 2002 and joined it to my SBS server. Now, from a locally attached workstation on the network, I can run RDP (mstsc), and simply enter the name of the TS server -- and I get a login prompt, and I can login and run Outlook and get out. That's good so far. Now, what do I do for an external workstation to connect? My particular setup is that the SBS server has two NICs, and the external NIC is connected to a Linksys BEFSR11 box. One option is to VPN to the SBS server, then run RDP to the TS server. But if I don't want to VPN, I assume I have to open up a port on the Linksys box, yes? Port 3389 (by default), yes? When I do, I get the login prompt from the TS (Remote Admn) running on the SBS server. So how do I get it to go to the TS server? Do I have to do anything with ISA? -kw > Hey Kevin, I see you reposted on this same topic, but I don't see answers to > the questions you have below as being fully covered. Did you still want to [quoted text clipped - 9 lines] > > > a look at the Microsoft document 'Using SBS2000 w/ Term Services in App > > > Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SB > S2000_Plus_W2KServer_Running_TS.aspx > > > [quoted text clipped - 39 lines] > > > Thanks! > > > kw Hi Kev - I haven't done this setup myself, but from the sounds it if you need to re-run the ICW and make sure that Terminal Services are not selected on the Configure Packet Filters page. Then open ISA Management and navigate to Servers & Arrays | <servername> | Policy Elements | Protocol Definitions. Create a new Protocol Definition for TS Inbound (TCP / 3389 / Inbound). Next, expand Publishing | Server Publishing Rules. Create a new Server Publishing Rule for TS - you'll specify the internal IP of the TS, the external IP ISA & the protocol you want to use (TS inbound you just created). In theory, that's all you should have to do . . . :^)  SignatureChad A. Gross [SBS-MVP] SBS ROCKS!!! > Thanks, Jeff -- funny, you must of read my mind. > [quoted text clipped - 38 lines] > App > > > > Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SB > > S2000_Plus_W2KServer_Running_TS.aspx > > > > [quoted text clipped - 44 lines] > > > > Thanks! > > > > kw Thanks, Chad - I was waiting for you to joump in! Will "un"selecting TS from ICW interfere or cause me not to be able to connect to the SBS server for remote admin support? --kw > Hi Kev - > [quoted text clipped - 61 lines] > > App > > > > > Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SB > > > S2000_Plus_W2KServer_Running_TS.aspx > > > > > [quoted text clipped - 49 lines] > > > > > Thanks! > > > > > kw Hi Kevin - By de-selecting TS in the ICW, you won't be able to directly TS to your SBS from the outside, but you'll be able to TS into the SBS over a VPN tunnel. If you want to be able to TS directly into both the SBS & TS, you'll either need a 2nd public IP or to hack the registry to change which port TS listens on for one of the servers. If you wanted to change ports, I'd change the TS port that the SBS listens on and leave the TS with the standard 3389 (as this would pose the least impact on end-users). If you change the port on your SBS, you'd need to manually publish TS for your SBS in ISA as I"m pretty sure that the ICW will only create the standard packet filter for 3389. SignatureChad A. Gross [SBS-MVP] SBS ROCKS!!! > Thanks, Chad - I was waiting for you to joump in! > [quoted text clipped - 75 lines] > > > App > > > > > > Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SB > > > > S2000_Plus_W2KServer_Running_TS.aspx > > > > > > [quoted text clipped - 55 lines] > > > > > > Thanks! > > > > > > kw I agree with what Chad outlined as the general idea, you modify the ISA to publish the TS Apps server rather than publishing the SBS itself. That is the easiest way to accomplish this if you want to allow TS connections from the web without using a VPN first, and without using SBS 2003 with Remote Web Workplace. Of all solutions, SBS 2003 RWW is the easiest to implement, probably the most secure other than a VPN, and in some respects, simpler to secure in all respects than the VPN is....but that's another story. As you suspected, and Chad explained, when you are outside the ISA firewall, by launching the TS Client from a workstation and pointing to your public domain/IP, you are connecting to the ISA server's port matching the one you request (3389). By default, if you have a packet filter enabled from the ICW, that passes directly to the SBS itself. By reconfiguring in the manner Chad described, you are telling ISA to forward that port to the other server. In the case that you actually want to manage the SBS itself, it's a trivial matter to establish a TS session to the Apps server, and then from there, do yet another "window in a windows" TS session from the Apps server to the SBS to gain control of it. The idea of a TS window in a windows shouldn't seem that odd, in fact, it's the way I do all my remote management where there are multiple servers or XP desktops. It's a better conservation of bandwidth and, frankly more convenient, to initiate that way because you can even leave multiple windows running on the Apps server if you want to disconnect and come back later. Myself, I still believe in the VPN as the better idea than the TS session running raw over the web. There are issues with both. A simple summary statement is that with your TS session launched directly over the web, you are forced to expose or obfuscate a direct logon option over the web, essentially divesting some of your security perimeter to the web itself. With a VPN, you are establishing a trusted channel over the web first, one that isn't a primary logon, and that is easily used for general purposes of any kind. You expose practically nothing at all to the web other than the authentication port for the VPN. The downside of a VPN is that in a default condition, everything inside the VPN is wide open....somewhat of a benefit actually for somethings, but it means that you are implying that you fully trust any VPN connection. In the case of a home user connecting to the office, that would imply you trust that the home user's computer is safely secured and can be trusted....not always the best bet. With site to site connections you own yourself, it's probably the best idea. With untrusted connections, you have a mixed bag of issues on both situations. > Hi Kev - > [quoted text clipped - 66 lines] > > App > > > > > Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SB > > > S2000_Plus_W2KServer_Running_TS.aspx > > > > > [quoted text clipped - 49 lines] > > > > > Thanks! > > > > > kw thanks! the issue with using VPN is that I have been on some networks where the company has decided to not allow VPN connections to be established, period. -kw > I agree with what Chad outlined as the general idea, you modify the ISA to > publish the TS Apps server rather than publishing the SBS itself. That is [quoted text clipped - 119 lines] > > > App > > > > > > Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SB > > > > S2000_Plus_W2KServer_Running_TS.aspx > > > > > > [quoted text clipped - 55 lines] > > > > > > Thanks! > > > > > > kw I knew you'd get there Kev, also, getting the TS functional on the SBS network was the first step. I do as Jeff suggests and publish the TS via ISA. If I then wish to access the SBS I TS from the TS. One small thing. By default W2K TS binds to all NICs. http://support.microsoft.com/default.aspx?scid=kb;en-us;294720 The article also mentions the TSAC, quite handy to set up as you then just browse to http(s)://fqdn/tsweb and it installs the TSAC. > thanks! > [quoted text clipped - 143 lines] > > > > App > > > > > > > Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SB > > > > > S2000_Plus_W2KServer_Running_TS.aspx > > > > > > > [quoted text clipped - 60 lines] > > > > > > > Thanks! > > > > > > > kw SG-- I happened to stumble across 294720 after reading Jeff's post. I looked at what Chad & Jeff wrote, and compared it to 294720 - and the info there looked straight up - so I went those instructions, and it worked like a champ! More than super cool -- it's a super gumby type of day now!!!! What I hate is when I follow the cookbook, but I'm not sure what I did or why it worked. That's for another day. ONE MORE THING ... if I want to restrict what a user can do when logged into a TS session (for example, disabling Run command, etc) -- do I do it on the TS box, or on SBS?, or what? Keep in mind, some of these users also will log in when in the building locally. -kw > I knew you'd get there Kev, also, getting the TS functional on the SBS > network was the first step. [quoted text clipped - 182 lines] > > > > > App > > > > > > > > Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SB > > > > > > S2000_Plus_W2KServer_Running_TS.aspx > > > > > > > > [quoted text clipped - 64 lines] > > > > > > > > Thanks! > > > > > > > > kw SG: how do I setup the TSAC on the TS server so that users cann access it? -kw > "SuperGumby" <not@your.nellie> wrote in message > > The article also mentions the TSAC, quite handy to set up as you then just > > browse to http(s)://fqdn/tsweb and it installs the TSAC. Well, actually, you don't set up TSAC on the TS, you set it up on a public IP (or something that appears to be a public IP). The TSAC is loaded from a website, normally FQDN/TSWEB, and then asks you which server you wish to connect to. AFAIK you can use the TSAC from my.first.domain.com to connect to a server in your.damned.com, as long as comunications work. > SG: how do I setup the TSAC on the TS server so that users cann access it? > -kw [quoted text clipped - 3 lines] > just > > > browse to http(s)://fqdn/tsweb and it installs the TSAC. You can install either the TSAC or (preferably) the XP RDP Client by just installing it. The XP RDP Client can be downloaded from the MS site for Windows XP, it's in the additional Tools group of downloads. Once either TSAC or RDP Client is installed on the TS, you can launch it with an Icon or from the command line with "mstsc.exe" entered in the Run command. If this is a feature you intend primarily for the Administrator to use, either use NTFS security to prevent general access to the Icon, command, or just use the run blank which you make available only to the Administrator to use. BTW, I didn't mention it in my treatise on Group Policy that you can set permissions on a Group Policy to Deny | Apply Group Policy specfically for a User Group (like Administrators) and that prevents the policy in question from being applied to that group of users. In this way, you can lock down the TS for regular users, but allow the Administrator to not be affected by those rules. > SG: how do I setup the TSAC on the TS server so that users cann access it? > -kw [quoted text clipped - 3 lines] > just > > > browse to http(s)://fqdn/tsweb and it installs the TSAC. thanks,Jeff - as always ... concise and to the point! ;-) -kw > You can install either the TSAC or (preferably) the XP RDP Client by just > installing it. The XP RDP Client can be downloaded from the MS site for [quoted text clipped - 21 lines] > > just > > > > browse to http(s)://fqdn/tsweb and it installs the TSAC. > Once either TSAC or RDP Client is installed on the TS, you can launch it > with an Icon or from the command line with "mstsc.exe" entered in the Run > command. A minor point of issue, but with the very latest RDP client on the website (also the one that comes with Windows Server 2003), for some obscure reason, typing MSTSC at the command line no longer works. I think they have moved it out of the system32 directory into it's own folder, and didnt add a reg entry in the Application Paths section. Restrictions on the TS user sessions would normally be handled by using Group Policy configuration at the DC (SBS), and the most common way of handling that is to use Loopback Mode. Loopback Mode allows you to specify both User and Computer Configuration settings that apply to any user session on the TS, regardless of if you allow different Group Policy based options/features for users/computers other than when using the TS. For instance, I commonly disallow users to have the Shutdown command or to access the Control Panel on the TS, even if I do allow that for them at their local workstations. The loopback mode settings allows you to specify restrictions that override normal user permisssions. This concept can be a little confusing if you are not already doing Group Policy work. Group Policy is a convoluted concept you don't necessarily understand when you start. I think of it as "not being able to recognize answers because you still don't know what questions to ask". There's a whitepaper on using Group Policy with Terminal Server. You can go to the MS site for Windows2000 Server, find the Technology guides for Terminal Server and you will see a fairly brief and sensible paper on using Group Policy with Terminal Server. The only thing about using Group Policy in Loopback Mode that I find is really poorly revealed is that when you choose to use it, you need to decide if you want to use Merge or Replace in the Loopback. What I find to be the most sensible approach for a newbie Group Policy Administrator is to set Replace as the option ~only~ on the first Policy you create in the OU where you place your TS Server object and make that policy the lowest policy in that stack. The effect then is that all policies that normally apply to any user or computer will be replaced entirely...essentially making the Loopback Policy a clean slate at that point including only what is in that policy for both Computer and User settings. You can then add additional policies in the same stack above the first policy and these can include Loopback Mode as Merge meaning that all the rest of the policies in this same OU ~add~ to the first Loopback Mode policy in that OU. This is much easier to understand and troubleshoot. If you have more than one Loopback Policy that applies and both are set to Replace, the second policy to apply effectively overrules the first one making the first one server no purpose. This is because in normal policy accumulation, policy items that have no preference indicated carry forward as not changing a previously set condition in an earlier policy in the stack, but with Loopback Mode set to Replace, this effectively forces "no preference" on all items even if a previous policy had set a policy. Therefore, Replace tell not to just replace items you have a preference for, it's the equivalent to replace all previous items back to "no preference" and then add only the preferences to that which are stated in the current policy. When you first attempt to do policy management, you will be tempted to create a single policy that includes everything about everything....that's a bad idea. Far better is to create a number of concise policies that do specific tasks separately like "IE Settings", "Logon Scripts", "Desktop Settings", and "Computer Security Policy" each in a different policy file. If you do this, you will find that 'modular' policies like this can be used in many locations in your AD tree, not just one specific location. It allows you to use Loopback Mode very conveniently to Replace all previous policies, but then simply apply the little once right about the Loopback|Replace policy so that the User Logon script indeed does apply even though you just use Replace to remove everything the user normally gets because of a policy you configured on the User object elsewhere in the tree. The explanation I've made here may well be confusing if you are a newbie, or it may spark recognition of "oh, I see!" if you have played with policies a bit and become stumped on the need/value/challenge of loopback or replacing� policies without losing things you want to always apply to a user session no matter what computer they use, yet control things uniquely at a special station like a TS in a way that overrides normal settings for a user at any other station. > SG-- > I happened to stumble across 294720 after reading Jeff's post. I looked at [quoted text clipped - 222 lines] > > > > > > App > > > > > > > > > Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SB > > > > > > > S2000_Plus_W2KServer_Running_TS.aspx > > > > > > > > > [quoted text clipped - 73 lines] > > > > > > > > > Thanks! > > > > > > > > > kw You will find this specific issue very neatly resolved with SBS 2003 using the feature of Remote Web Workplace which allows you to do a TS connection even in the condition where an ISP is blocking even the TS ports, as well as VPN ports, because RWW uses a non-default port in a redirected connection for RDP connections. > thanks! > [quoted text clipped - 143 lines] > > > > App > > > > > > > Mode': http://members.microsoft.com/partner/products/Servers/SmallBusinessServer/SB > > > > > S2000_Plus_W2KServer_Running_TS.aspx > > > > > > > [quoted text clipped - 60 lines] > > > > > > > Thanks! > > > > > > > kw |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.