Using Terminal Services as a Remote Access Solution at Microsoft
Published: April 2008


Agenda

● The Terminal Services environment at Microsoft
● The Windows Server® 2008 Terminal Services pilot
● The Terminal Services Gateway (TS Gateway) feature
● Scalability: load-balancing configurations
● User experience enhancements
● Using TS Gateway as a remote access portal
● Best practices
● Conclusion

Prerequisite Knowledge (Level 200)

● Windows® Terminal Services
● Network Load Balancing (NLB)
● SSL
● Domain Name System (DNS) configuration: DNS round robin

Current Environment: Terminal Services at Microsoft IT

● Three Windows Server 2003–based Terminal Services deployments worldwide
● Only a few applications are supported
  ● Seven internal business applications
  ● Microsoft® Office system applications such as Microsoft Office Word and Microsoft Office Excel®
● Experienced little usage: only 30 to 40 users each month

Current Environment: Accessing terminal servers, challenges

● Terminal servers can be accessed only from within the internal corporate network
● Remote users must first establish a virtual private network (VPN) connection to the internal network
  ● A VPN connection requires an appropriately configured computer
  ● Many organizations do not allow outbound VPN connections
  ● VPN connections are less tolerant of network delays

Windows Server 2008: Terminal Services deployment goals

● Test and validate the TS Gateway concept: remove the limitations of a VPN connection
● Test the scalability of a Windows Server 2008–based terminal server farm
● Increase the security of sensitive corporate documents
  ● Reduce the likelihood that users copy internal documents to remote computers

Terminal Services Pilot: Deployment strategy

● Phase 1: Configure a single TS Gateway environment
  ● Perform security tests to verify that the environment meets security requirements
  ● Open TS Gateway to approximately 200 developers to obtain initial feedback
● Phase 2: Extend the environment to multiple sites worldwide
  ● Open TS Gateway to multiple groups at Microsoft
  ● Perform load-balancing and scalability tests

Terminal Services Gateway: Overview of the TS Gateway role

● A Web server component
● Provides the following functionality
  ● Acts as the endpoint of an SSL connection
  ● Performs authentication and authorization of the connecting user
  ● Forwards the user's connection to a resource by using Remote Desktop Protocol (RDP)
● Requires Terminal Services client (TSClient) version 6.0

TS Gateway Design: Connection process

[Diagram: connection process]
● External network: Remote Desktop-enabled personal computers running the Terminal Services client
● Perimeter network: firewall listening for HTTPS traffic (port 443); load-balanced TS Gateway computers; client traffic arrives as RDP encapsulated in RPC over HTTPS
● Internal network: firewall listening for RDP (TCP 3389), LDAP (TCP 389), Kerberos (TCP/UDP 88), DNS (TCP 52), RADIUS (TCP/UDP 1812) and RADIUS accounting (TCP/UDP 1813); RDP traffic from the TS Gateway computers to the terminal servers
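The connection path in the diagram above, written out as an added Python model; this is not code from the presentation or from Windows Server. It models both firewalls as default-deny rule sets, the gateway's three steps (SSL endpoint, authenticate and authorize the connecting user, forward RDP to the resource), and the point of the design: a client on the external network is never permitted to reach a terminal server on TCP 3389 directly, only the gateway is. The zone names, user accounts, resource names and the subset of internal ports included are constructed for the example.

```python
"""Model of the TS Gateway connection process (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow through a firewall: source zone, destination zone, protocol, port."""
    src_zone: str
    dst_zone: str
    proto: str
    port: int


# Constructed policies. Both firewalls are default deny: a flow passes only if
# an identical permit entry exists. The perimeter firewall listens only for
# HTTPS; the internal firewall listens for a subset of the ports on the slide.
PERIMETER_FIREWALL = {Flow("external", "perimeter", "tcp", 443)}
INTERNAL_FIREWALL = {
    Flow("perimeter", "internal", "tcp", 3389),  # RDP to the terminal servers
    Flow("perimeter", "internal", "tcp", 389),   # LDAP
    Flow("perimeter", "internal", "tcp", 88),    # Kerberos
    Flow("perimeter", "internal", "udp", 88),
    Flow("perimeter", "internal", "udp", 1812),  # RADIUS
    Flow("perimeter", "internal", "udp", 1813),  # RADIUS accounting
}


def firewall_permits(policy: set[Flow], flow: Flow) -> bool:
    """Default deny: the flow is allowed only if the policy lists it."""
    return flow in policy


class TSGateway:
    """Terminates the client's SSL connection, checks the user, then forwards RDP."""

    def __init__(self, credentials: dict[str, str], allowed_resources: dict[str, set[str]]):
        self.credentials = credentials                # constructed user store
        self.allowed_resources = allowed_resources    # user -> resources they may reach

    def connect(self, user: str, password: str, resource: str) -> tuple[bool, str]:
        # 1. SSL endpoint: the client reaches the gateway only over HTTPS
        #    through the perimeter firewall.
        if not firewall_permits(PERIMETER_FIREWALL, Flow("external", "perimeter", "tcp", 443)):
            return False, "perimeter firewall blocks HTTPS"
        # 2. Authentication of the connecting user.
        if self.credentials.get(user) != password:
            return False, "authentication failed"
        # 3. Authorization: forward only to resources this user is permitted to use.
        if resource not in self.allowed_resources.get(user, set()):
            return False, f"{user} is not authorized for {resource}"
        # 4. The gateway, not the client, opens RDP through the internal firewall.
        if not firewall_permits(INTERNAL_FIREWALL, Flow("perimeter", "internal", "tcp", 3389)):
            return False, "internal firewall blocks RDP from the gateway"
        return True, f"RDP to {resource} forwarded for {user} (encapsulated in RPC over HTTPS)"


def direct_rdp_from_outside() -> bool:
    """Could an external client reach a terminal server on 3389 without the gateway?"""
    return firewall_permits(PERIMETER_FIREWALL, Flow("external", "internal", "tcp", 3389))


# Constructed sample accounts and authorizations.
GATEWAY = TSGateway(
    credentials={"alice": "correct horse", "bob": "battery staple"},
    allowed_resources={"alice": {"ts-farm", "alice-workstation"}, "bob": {"ts-farm"}},
)

if __name__ == "__main__":
    print(GATEWAY.connect("alice", "correct horse", "alice-workstation"))
    print(GATEWAY.connect("bob", "battery staple", "alice-workstation"))
    print(GATEWAY.connect("bob", "wrong password", "ts-farm"))
    print("direct RDP from the external network permitted:", direct_rdp_from_outside())
```

The authorization step is what keeps a valid account from being a ticket to every internal host: each user is forwarded only to the resources listed for them, and RDP itself is only ever opened from the perimeter zone.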

Terminal Services Pilot: Phase 1, deployment characteristics

● Two TS Gateway computers
● Five Windows Server 2008–based terminal servers
● One Terminal Services Session Broker (TS Session Broker) computer
● All computers based on commodity hardware
  ● Dual 2.2-gigahertz (GHz) CPUs
  ● Four gigabytes (GB) RAM

Deployment Results: Phase 1, initial feedback

● Approximately 200 users: the Terminal Services developers group
● The TS Gateway concept proven
  ● Users could successfully connect from any location worldwide
  ● Connection speed met or exceeded that of a VPN connection
● Extremely popular with developers: easy connections to Remote Desktop–enabled workstations

Extending the Deployment: Phase 2, expanded goals

● Expand the deployment to that of a large enterprise-level deployment
● Test TS Gateway scalability
  ● By using NLB clusters
  ● By using third-party load balancers
● Test terminal server farm scalability
  ● Round-robin DNS
  ● TS Session Broker
● Implement user experience enhancements
  ● TS Portal: based on Terminal Services Web Access (TS Web Access)
  ● TS RemoteApp

Extending the Deployment: Phase 2, deployment characteristics

● Ten TS Gateway computers
● Nine terminal servers
● Three TS Session Broker computers
● Four locations worldwide
  ● Dublin
  ● Hyderabad
  ● Redmond
  ● Singapore

Deployment Characteristics: A worldwide implementation

[Diagram: Terminal Services client computers send HTTPS traffic through firewalls listening for HTTPS traffic to approved internal resources]

Worldwide Deployment: Usage statistics

● Deployment first opened to other developer groups: approximately 2,000 developers
● Deployment next opened to other groups at Microsoft, with a goal of increased usage of typical terminal server resources
● Overall usage of approximately 7,500 people worldwide

Worldwide Deployment: Usage statistics, Dec 1, 2007, through Dec 31, 2007

Usage statistic                                  Redmond   Dublin   Hyderabad   Singapore
Total number of users                              5,470      323         350         354
Users who have more than one logon in a month      4,950      258         313         275
Users who have more than 10 logons in a month      2,790       76         144          78
Total resources accessed                           8,700      301         424         443

Worldwide Deployment: Load statistics, Dec 1, 2007, through Dec 31, 2007

Load statistic               Redmond   Dublin   Hyderabad   Singapore
Total number of sessions     115,787    3,088       4,580       2,750
Total gigabytes sent             242        3           5           3
Total gigabytes received       2,666       37          40          27

TS Gateway Scalability: Network Load Balancing

● NLB clusters are limited by overall traffic and not by the number of nodes
  ● A heavily loaded cluster may experience issues with convergence and with cluster node synchronization
● For Windows Server 2008–based NLB clusters
  ● Single node: supports approximately 700 simultaneous connections, with a maximum of 1,300 connections
  ● Multiple nodes: supports approximately 1,500 simultaneous connections, with a maximum of 2,600 connections
  ● For fault tolerance, it is best to deploy at least three nodes to support 1,500 connections
● For loads greater than 1,500 simultaneous connections, a third-party load balancer is best

TS Gateway Load Balancing: Traffic flow

[Diagram: traffic flow]
● The Terminal Services client on a Remote Desktop-enabled personal computer opens SSL connection 1 and SSL connection 2 through a network load balancer (IP affinity not required) to the TS Gateway computers
● The two SSL connections carry the RPC traffic of one logical Terminal Services session
● The TS Gateway computers forward the Terminal Services session to the destination resources (terminal servers)

TS Gateway Clustering: Benefits

● IP affinity is not required, which improves cluster efficiency
  ● TS Gateway automatically redirects the SSL traffic to the appropriate TS Gateway computer
  ● Enables TS Gateway to efficiently handle multiple connections from an organization that has only one external IP address
● Uses SSL for session encryption
  ● SSL connections are much more tolerant of network delays than VPN connections are
  ● SSL connections do not require specialized configuration

Terminal Server Scalability: Load balancing in a terminal server farm

● Implemented a typical DNS round-robin configuration
● Implemented TS Session Broker
  ● A new feature that builds on the functionality available in Terminal Services Session Directory
  ● Provides load-balancing functionality and user session management
    ● Directs a reconnected session to the appropriate terminal server
    ● Directs new sessions to the least busy terminal server

TS Farm Load Balancing: Connection process

[Diagram: connection process]
● External network: the client connects through the load-balanced TS Gateway computers in the perimeter network to the internal network
● Internal network: DNS request to the DNS server and DNS response (round robin) select Terminal server A or Terminal server B
● The terminal server sends a TS Session Broker query to the TS Session Broker and receives a session redirect response
● The user profile is loaded from the user profiles store on the terminal server that hosts the session
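The round-robin plus Session Broker exchange from the two preceding slides, as an added Python simulation; this is not code from the presentation or from Windows Server. DNS answers each query for the farm name with the next server in turn, the server a client lands on queries the broker, and the broker either sends a reconnecting user back to the server that still holds their session or sends a new user to the least busy server. The farm name, server names and user names are constructed for the example; the tie-break on server name is an assumption of this model, not documented broker behaviour.

```python
"""Simulation of DNS round robin with TS Session Broker redirection (constructed example)."""
from __future__ import annotations

import itertools


class RoundRobinDns:
    """Answers each query for the farm name with the next terminal server in turn."""

    def __init__(self, farm_name: str, addresses: list[str]):
        self.farm_name = farm_name
        self._next = itertools.cycle(addresses)

    def resolve(self, name: str) -> str:
        if name != self.farm_name:
            raise KeyError(name)
        return next(self._next)


class SessionBroker:
    """Tracks which terminal server holds each user's session and how busy each server is."""

    def __init__(self, servers: list[str]):
        self.sessions: dict[str, str] = {}                    # user -> server holding the session
        self.load: dict[str, int] = {s: 0 for s in servers}   # active sessions per server

    def redirect(self, user: str) -> str:
        """The server the client first reached asks the broker where the session belongs."""
        if user in self.sessions:
            # Reconnect: the user goes back to the server that still holds their session.
            return self.sessions[user]
        # New session: least busy server (tie broken by name, an assumption of this model).
        target = min(self.load, key=lambda s: (self.load[s], s))
        self.sessions[user] = target
        self.load[target] += 1
        return target

    def logoff(self, user: str) -> None:
        """Logging off ends the session; merely disconnecting the client does not."""
        server = self.sessions.pop(user)
        self.load[server] -= 1


class TerminalServerFarm:
    """Round-robin DNS in front of a Session Broker-managed farm."""

    def __init__(self, farm_name: str, servers: list[str]):
        self.dns = RoundRobinDns(farm_name, servers)
        self.broker = SessionBroker(servers)

    def connect(self, user: str) -> tuple[str, str]:
        """Return (server named in the DNS response, server that actually hosts the session)."""
        initial = self.dns.resolve(self.dns.farm_name)   # DNS request / DNS response
        final = self.broker.redirect(user)               # TS Session Broker query / redirect response
        return initial, final


def demo() -> list[tuple[str, str]]:
    """Walk through new connections, a reconnect and a load-based redirect."""
    farm = TerminalServerFarm("tsfarm.example", ["ts-a", "ts-b"])
    results = [
        farm.connect("alice"),   # first user, both servers idle -> ts-a
        farm.connect("bob"),     # ts-a busier -> ts-b
        farm.connect("carol"),   # tie -> ts-a
        farm.connect("alice"),   # DNS says ts-b, broker returns her to ts-a
        farm.connect("dave"),    # DNS says ts-a, broker redirects to less busy ts-b
    ]
    return results


if __name__ == "__main__":
    for dns_answer, hosting_server in demo():
        print(f"DNS answered {dns_answer}, session on {hosting_server}")
```

The fourth and fifth entries are the two behaviours the slide lists: DNS alone would have split one user's work across servers and piled new sessions onto whichever server the rotation happened to name, while the broker keeps a reconnect on its existing session and places new sessions by load.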

TS Farm Load Balancing: TS Session Broker benefits

● Easy to implement: no specialized configuration required
● TS Session Broker has low overhead and can be installed on a computer that hosts other roles
● Enables simple and effective load balancing in a terminal server farm
  ● TS Session Broker together with DNS round robin is the only load-balancing solution in three of the four Windows Server 2008–based terminal server farms

User Experience: Enhancing Terminal Services usage

● Used TS Web Access to create an easy-to-use Web-based portal for access to terminal server resources
● Implemented TS RemoteApp to create a seamless terminal server application experience
● Deployed many more Terminal Services applications: approximately 30 applications now available

TS Portal: A customized TS Web Access portal

● Based on TS Web Access
  ● A consistent and intuitive Web application that appears when a user accesses TS Gateway
  ● A single location that enables easy access to terminal server resources

TS Portal: Main page

TS Portal: Applications page

TS RemoteApp: Enhancing the application experience

● A Terminal Services component directed wholly toward the end-user experience
● Enables Terminal Services applications to run seamlessly on the end-user desktop
  ● Enables Terminal Services applications to run in individual windows on the user's desktop
  ● Includes notification icons in the notification area on the client computer
● Does not modify the way in which a terminal server makes the application available, only how the TSClient program displays the application

TS RemoteApp: Deployment results

● Proved popular for opening large documents
  ● Documents opened quickly and appeared the same as if they were opened locally: easier and faster than copying the document to the local computer
● Some users determined that they no longer required locally installed Microsoft Office applications
● Fewer documents were copied to remote locations, which improved security
● Users sometimes experienced issues when trying to drag information from a TS RemoteApp application
  ● Users would forget that the running application was a Terminal Services application and were unable to drag information between a Terminal Services application and a local application

Conclusion

● TS Gateway enables the creation of a scalable SSL-based remote access solution
● TS Session Broker enables the creation of simple and effective load balancing for a terminal server farm
● The Windows Server 2008 Terminal Services pilot was so successful that the project did not end; instead, the environment is being integrated into the production environment at Microsoft IT

Next Steps

1. Obtain the Windows Server 2008 Terminal Services Guide
   http://technet.microsoft.com/en-us/library/cc268349.aspx
2. Visit the Microsoft TechNet Terminal Services Web site
   http://technet2.microsoft.com/windowsserver2008/en/servermanager/terminalservices.mspx
3. Obtain a trial copy of Windows Server 2008
   http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx

For More Information

● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
● Microsoft IT Showcase Webcasts: http://www.microsoft.com/howmicrosoftdoesitwebcasts
● Microsoft TechNet: http://www.microsoft.com/technet/itshowcase