Presentation Virtualization through Enhanced Terminal Services


Virtualization is a hot topic nowadays, but most people associate it only with virtual machines and operating system virtualization. Terminal Services, however, have provided presentation virtualization, abstracting the presentation layer of remote applications and desktops, since Windows NT 4.0 Terminal Server Edition. Terminal Services have come a long way since then, and Windows Server 2008 delivers a mature and reliable presentation virtualization platform. This article focuses on the key areas of improvement in Terminal Services.

New functions in Terminal Services

Terminal Services in Windows Server 2008 include many new features:

Terminal Services RemoteApp. One of the most significant changes in Windows Server 2008 is the ability to run a single remote application. In earlier versions of Terminal Services, the entire remote desktop was transmitted even if the user only wanted one application. This is often confusing, because some applications appear on the remote desktop (delivered through Terminal Services) and others on the local desktop, and it can be hard to remember which desktop holds which application. Now applications accessed through Terminal Services look and behave the same way as applications running on the user's local computer.

Terminal Services Web Access. Everyone wants a simple way for end users to launch applications. TS Web Access meets this need by letting the administrator publish individual applications to a Web page. TS Web Access includes a default Web page for immediate deployment, and the page can be customized and integrated into a SharePoint site. To launch a TS RemoteApp program through TS Web Access, the user opens the page (from the Internet or the internal network), views the list of available applications, and clicks the one to start.

In Windows Server 2003, connecting from a browser required an ActiveX control called Remote Desktop Web Connection (RDWC). That control is now built into the main Remote Desktop Connection (RDC) client, so nothing needs to be downloaded or installed on the client. In addition, the full Remote Desktop Protocol (RDP) feature set is supported, which the older RDWC client did not.

Terminal Services Gateway is one of the most important new features of Windows Server 2008. RDP traffic runs on TCP port 3389. When administrators deploy terminal servers to users outside the firewall, the major problems are that opening port 3389 on the firewall is not recommended and that alternative VPN solutions are costly. With TS Gateway, RDP traffic is tunneled over HTTPS (port 443), establishing an encrypted connection between remote users on the Internet and terminal servers or remote computers. Even better, this works even when the user or the terminal server sits behind a Network Address Translation (NAT) router, since the HTTPS tunnel traverses NAT.

TS Gateway can be combined with the Network Access Protection (NAP) feature of Windows Server 2008 to help verify the health state of the client computer before granting access to Terminal Services resources.

Terminal Services Session Broker. Windows 2000 Server introduced Network Load Balancing (NLB). Although NLB works well for Web servers, it is not well suited to load balancing Terminal Services. The new TS Session Broker is a better alternative: it extends the Session Directory feature of Windows Server 2003 with session-based load balancing.

With TS Session Broker, new sessions are distributed to the least-loaded server in the farm, and users can reconnect to their existing sessions without knowing which server holds them. The administrator can map the IP addresses of all terminal servers to a single DNS entry. This configuration also provides fault tolerance: if one farm server is unavailable, the connection goes to a less loaded server in the farm.

Terminal Services Easy Print. Printing has long been a nightmare for administrators of Terminal Services environments. Because the server and the client computer had to have matching print drivers, end users had little choice in which printers they could install, and administrators had to worry about managing print drivers on the server. With TS Easy Print, users can reliably print from a TS RemoteApp program or a full desktop session to local print devices, whether directly attached or on the network. Best of all, printers are now supported without installing their drivers on the terminal server.

When you print from a TS RemoteApp program or a desktop session, you see the full printer Properties dialog box on the local client, with access to all printer features (such as watermarks, collation, and binding). The print job is rendered on the server in the Microsoft XPS document format and transmitted to the client. In addition, with TS Easy Print the administrator can use Group Policy to redirect only the default printer rather than all printers, which reduces overhead and improves scalability.

These are the headline features of Windows Server 2008 Terminal Services; TS RemoteApp, TS Web Access, TS Gateway and TS Session Broker are covered in more detail below. First, let's look at other features that are equally valuable but less obvious in this release.


 

Security Features

Security has been enhanced in this version of Terminal Services.

Network Level Authentication (NLA) and Server Authentication. In earlier versions of TS, clicking Connect in the RDC client immediately brought up the server's logon screen, which exposed the terminal server to denial-of-service and interception attacks against that logon screen. NLA now authenticates the user, the client computer and the server before a TS session is created on the server and the logon screen is shown to the user. NLA relies on CredSSP, so the client must support it (Windows Vista, or Windows XP SP3 with CredSSP enabled). Server Authentication uses Transport Layer Security (TLS) to help ensure that the client connects to a legitimate terminal server rather than a malicious computer.

Single sign-on. Users want to authenticate once (with a user name and password, or a smart card and PIN) instead of being prompted again each time they open a new resource. In this version, if your computer runs Windows Vista or Windows Server 2008, is joined to a domain, and connects to a Windows Server 2008 terminal server or TS Gateway, you can use single sign-on.

System-level hardening. Both Windows Vista and Windows Server 2008 include system-level changes that modularize operating system components and run them with fewer privileges. In Terminal Services, this is done by splitting the core TS engine (termsrv.dll) into two parts: lsm.exe, the Local Session Manager, and termsrv.dll, which handles remote connections.

Previously, all of termsrv.dll ran with full system privileges. Now only about a third of the original termsrv.dll code runs at that level, in the new lsm.exe, and the remaining two thirds run under the far less privileged Network Service account. Compared with Windows Server 2003, this considerably reduces the attack surface.


 

User Experience

There are many improvements to help users:

Custom display resolution. With large monitors and a growing variety of aspect ratios, Terminal Services in Windows Server 2008 has been updated to keep up.

Users can set custom resolutions up to 4096x2048, or use a widescreen aspect ratio. New monitor configurations such as 1680x1050 and 1920x1200 are supported. This is a major improvement over Windows Server 2003, which supported at most 1600x1200 and a single aspect ratio. You can set a custom resolution through the RDC client dialog box, an .rdp file, or the command prompt.

To set a custom display resolution in an .rdp file, open the file in a text editor and add or modify the following settings (<value> is the width or height in pixels, such as 1680 or 1050):

desktopwidth:i:<value>
desktopheight:i:<value>

To set a custom display resolution from a command prompt, run mstsc.exe with the following syntax, where <width> and <height> are the resolution in pixels:

mstsc.exe /w:<width> /h:<height>

Monitor spanning. Remote Desktop sessions can now span multiple monitors. For this to work, several prerequisites apply:

  • All monitors must use the same resolution. For example, you can span two monitors at 1024x768, but not one at 1024x768 and one at 800x600.

  • All monitors must be aligned horizontally (side by side). Spanning across vertically stacked monitors on the client is not currently supported.

  • The combined resolution of all monitors must not exceed 4096x2048.

To enable monitor spanning in an .rdp file, open the file in a text editor and add or change the following setting (a <value> of 0 disables spanning, 1 enables it):

span:i:<value>

To enable monitor spanning from a command prompt, run mstsc.exe with the following syntax:

mstsc.exe /span
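As an added example (not part of the original article), the following PowerShell function writes an .rdp file that applies the resolution and monitor spanning settings above, enforces the stated limits before writing, and also sets the client-side Server Authentication and NLA options from the Security Features section. The authentication level and enablecredsspsupport settings are the standard RDC settings for those features and are not listed in the article; the server and gateway names are placeholders.

```powershell
# Added example, not code from the original article. Builds an .rdp file for a
# Windows Server 2008 terminal server with a custom resolution, optional
# multi-monitor spanning, and server-authentication/NLA settings.
# Host names used below are placeholders.

function New-TsRdpFile {
    param(
        [Parameter(Mandatory=$true)] [string] $Server,   # e.g. ts1.corp.example (placeholder)
        [Parameter(Mandatory=$true)] [string] $Path,     # where to write the .rdp file
        [int]    $Width  = 1680,
        [int]    $Height = 1050,
        [switch] $Span,                                  # stretch across side-by-side monitors
        [int[]]  $MonitorWidths = @(),                   # width of each monitor when -Span is used
        [string] $Gateway                                # optional TS Gateway FQDN (placeholder)
    )

    # Limits stated in the article: at most 4096x2048 in total, and when spanning
    # all monitors must have the same resolution and sit side by side.
    if ($Span) {
        if ($MonitorWidths.Count -lt 2) { throw "Spanning needs at least two monitor widths." }
        if (($MonitorWidths | Select-Object -Unique).Count -ne 1) {
            throw "All spanned monitors must use the same resolution."
        }
        $Width = ($MonitorWidths | Measure-Object -Sum).Sum   # horizontal layout only
    }
    if ($Width -gt 4096 -or $Height -gt 2048) {
        throw "Total resolution ${Width}x${Height} exceeds the 4096x2048 limit."
    }

    $lines = @(
        "full address:s:$Server",
        "desktopwidth:i:$Width",
        "desktopheight:i:$Height",
        "screen mode id:i:2",                  # 2 = full screen
        "span:i:$([int][bool]$Span)",          # 1 = span monitors, 0 = single monitor
        # Server Authentication: 2 = do not connect if the server cannot be authenticated
        "authentication level:i:2",
        # Network Level Authentication (CredSSP): authenticate before the session is created
        "enablecredsspsupport:i:1",
        "allow font smoothing:i:1"
    )
    if ($Gateway) {
        $lines += "gatewayhostname:s:$Gateway"
        $lines += "gatewayusagemethod:i:1"     # 1 = always connect through the gateway
    }

    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $lines
}

# Usage: two 1680x1050 monitors side by side (placeholder server name).
$rdp = New-TsRdpFile -Server 'ts1.corp.example' -Path "$env:TEMP\farm.rdp" `
                     -Height 1050 -Span -MonitorWidths 1680,1680
$rdp | Write-Output
# Launch with:  mstsc.exe "$env:TEMP\farm.rdp"
# Single-monitor equivalent from the command line:  mstsc.exe /w:1680 /h:1050
```

Setting "authentication level" to 2 is the client-side half of Server Authentication: the client refuses to connect when the TLS certificate does not validate, rather than merely warning, which is the setting you want on any .rdp file you hand to users.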

Desktop Experience. The Desktop Experience feature makes a Terminal Services desktop look and feel more like a Windows Vista desktop. It adds several components to the remote desktop, including Windows Media Player 11, desktop themes, and photo management. It is enabled by installing the Desktop Experience feature on the terminal server; after the server restarts, confirm that the feature is installed.

Font smoothing. Font smoothing means that Terminal Services now supports ClearType, which renders text more clearly, especially on LCD monitors. Font smoothing is enabled by default in Windows Server 2008 and is requested for a connection through the check box in Remote Desktop Connection on the client computer, as shown in Figure 1.

Figure 1: Enable font smoothing

Note that font smoothing increases the bandwidth used between the client computer and the terminal server by 4 to 10 times, depending on the situation. The reason is that ClearType text is sent to the client as bitmaps rather than as fonts, and sending fonts over RDP is far more efficient.

Display data prioritization. In Windows Server 2003, large print jobs often degraded the screen experience. Display data prioritization automatically controls virtual channel traffic so that display, keyboard and mouse data get higher priority than other traffic such as printing or file transfers. The goal is to keep screen, keyboard and mouse responsiveness unaffected by bandwidth-heavy operations such as large print jobs.

The default ratio is 70:30, meaning display and input data get 70% of the bandwidth and all other traffic, such as file transfers or print jobs, gets 30%.

You can change this ratio in the registry of the terminal server by editing the following values under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD subkey:

FlowControlDisable
FlowControlDisplayBandwidth
FlowControlChannelBandwidth
FlowControlChargePostCompression

If these values are not present, right-click TermDD, point to New, and click DWORD (32-bit) Value to create them.

Setting FlowControlDisable = 1 turns display data prioritization off; all requests are then handled first-in, first-out. The default is FlowControlDisable = 0.

FlowControlDisplayBandwidth sets the relative bandwidth priority for display and input data; the default is 70 and the maximum allowed value is 255. Similarly, FlowControlChannelBandwidth sets the relative bandwidth priority for the other virtual channels, such as clipboard, file transfer or print jobs; the default is 30 and the maximum allowed value is 255.

The share of bandwidth reserved for display data is the ratio of FlowControlDisplayBandwidth to FlowControlChannelBandwidth. For example, with FlowControlDisplayBandwidth set to 150 and FlowControlChannelBandwidth set to 50, the ratio is 150:50, so display and input data get 75% of the bandwidth.

FlowControlChargePostCompression determines whether flow control calculates the bandwidth allocation from the byte counts before or after compression. The default is 0, meaning the calculation uses pre-compression byte counts.

After changing any of these registry values, restart the terminal server for the change to take effect.
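The following PowerShell script is an added example (not from the original article) that creates or updates the four TermDD values above as REG_DWORDs and reports the resulting display/channel split, with the same defaults the text describes when a value is absent. Run it elevated on the terminal server and restart afterwards.

```powershell
# Added example, not code from the original article. Sets the TermDD flow
# control values and reports the resulting display/channel bandwidth split.
# Run elevated on the terminal server; the change applies after a restart.

$TermDD = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD'

function Get-TsDisplayPriority {
    $p = Get-ItemProperty -Path $TermDD
    # Missing values mean the defaults: 70:30, prioritization on, pre-compression bytes
    $display  = if ($null -ne $p.FlowControlDisplayBandwidth) { [int]$p.FlowControlDisplayBandwidth } else { 70 }
    $channel  = if ($null -ne $p.FlowControlChannelBandwidth) { [int]$p.FlowControlChannelBandwidth } else { 30 }
    $disabled = [bool]$p.FlowControlDisable
    $total    = $display + $channel
    $displayPct = if ($disabled -or $total -eq 0) { $null } else { [math]::Round(100 * $display / $total, 1) }
    $channelPct = if ($disabled -or $total -eq 0) { $null } else { [math]::Round(100 * $channel / $total, 1) }
    [pscustomobject]@{
        PrioritizationDisabled = $disabled          # $true = plain first-in, first-out
        DisplayBandwidth       = $display
        ChannelBandwidth       = $channel
        DisplayPercent         = $displayPct
        ChannelPercent         = $channelPct
        ChargePostCompression  = [bool]$p.FlowControlChargePostCompression
    }
}

function Set-TsDisplayPriority {
    param(
        [ValidateRange(0,255)] [int] $DisplayBandwidth = 70,   # display + keyboard/mouse share
        [ValidateRange(0,255)] [int] $ChannelBandwidth = 30,   # clipboard, printing, file transfer
        [switch] $Disable,                                     # FlowControlDisable = 1
        [switch] $ChargePostCompression                        # count bytes after compression
    )
    if (-not (Test-Path $TermDD)) { throw "TermDD key not found; is this a terminal server?" }
    $values = @{
        FlowControlDisable               = [int][bool]$Disable
        FlowControlDisplayBandwidth      = $DisplayBandwidth
        FlowControlChannelBandwidth      = $ChannelBandwidth
        FlowControlChargePostCompression = [int][bool]$ChargePostCompression
    }
    foreach ($name in $values.Keys) {
        # -Force creates the DWORD if it is missing and overwrites it if present
        New-ItemProperty -Path $TermDD -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
    Get-TsDisplayPriority
}

# Usage: the 150:50 example from the text gives display/input 75% of the bandwidth
Set-TsDisplayPriority -DisplayBandwidth 150 -ChannelBandwidth 50 | Format-List
# Restart-Computer   # required before the new ratio takes effect
```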

Plug and Play device redirection. Device redirection has been enhanced and extended in Windows Server 2008 Terminal Services. You can now redirect Windows Portable Devices, specifically media players based on the Media Transfer Protocol (MTP) and digital cameras based on the Picture Transfer Protocol (PTP).

This feature is enabled from the Options button in Remote Desktop Connection. When it is enabled, the list of currently attached devices that support Plug and Play is shown; unsupported devices are not listed. You can also choose to redirect devices that are plugged in later. Figure 2 shows how to enable these options in the RDC client.

Figure 2: Enable redirection of devices that are plugged in later

Once a session with the remote computer starts, the redirected Plug and Play device is installed automatically on the remote computer, and the Plug and Play notification appears in the taskbar. After it is installed, the device can be used within the remote session. For example, if you redirect a Windows Portable Device such as a digital camera, you can access it directly from applications such as the Scanner and Camera Wizard on the remote computer.

You can control Plug and Play device redirection with either of the following policy settings:

  • The "Do not allow supported Plug and Play device redirection" setting under Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection.

  • The policy settings under Computer Configuration\Administrative Templates\System\Device Installation.

You can also control Plug and Play device redirection with the "Supported Plug and Play Devices" check box on the Client Settings tab of the Terminal Services Configuration tool (tsconfig.msc).


 

Easier Remote Access

As mentioned above, TS RemoteApp lets users run a single remote application, and TS Web Access lets them easily launch applications from a Web page. Let's take a closer look at these features and some configuration details.

TS RemoteApp. RemoteApp programs can be deployed to the user's desktop in several ways. In addition to TS Web Access, you can:

  • Create a Remote Desktop Protocol (.rdp) file.

  • Use a Windows Installer (.msi) package, distributed in advance, to create a program icon on the desktop or the Start menu.

  • Associate file extensions with the RemoteApp program. An administrator configures this through the Windows Installer package.

For more information about how users access RemoteApp programs, see "How do I deploy RemoteApp?" at go.microsoft.com/fwlink/?

TS Web Access. TS Web Access lets you deploy RemoteApp programs from a single terminal server or a terminal server farm. TS RemoteApp Manager provides a fast, effective process for publishing an application to TS Web Access: first install Terminal Services, then install the application to be hosted.

Use TS RemoteApp Manager to add a RemoteApp program and enable it for TS Web Access. Next, install TS Web Access on the server users will connect to through the Web. Add the computer account of the TS Web Access server to the TS Web Access Computers group on the terminal server. Finally, configure the TS Web Access server to populate its RemoteApp list from a single terminal server or a single farm.

Once an application is on the terminal server, installed conventionally or virtualized with Microsoft Application Virtualization (formerly SoftGrid), publishing it to TS Web Access is easy. The RemoteApp Wizard walks the administrator through a few simple steps, after which the application appears in the list of published RemoteApp programs.

Applications are published to TS Web Access by default. RemoteApp Manager then shows the published applications and the list of all applications available to users through TS Web Access.

Now let's look briefly at the default end user experience. The first tab of TS Web Access shows the icons of all published applications (see Figure 3); the second tab lets the user connect to a specific desktop computer through the Web front end. As mentioned above, this Web interface is fully customizable. The TS Web Access Step-by-Step Guide: Customizing TS Web Access by Using Windows SharePoint Services (go.microsoft.com/fwlink/?LinkID=111241) walks you through the SharePoint customization step by step.

Figure 3: Enter settings for the .rdp file

Other deployment methods. In addition to TS Web Access, you can deploy RemoteApp programs through .rdp files or Windows Installer packages. These can be distributed through file shares, Microsoft System Center Operations Manager, or Active Directory software distribution. The next section walks through the main steps for creating a package suitable for distribution.

To prepare a RemoteApp program for distribution through a file share or another mechanism, install Terminal Services and the application to be published, and verify the remote connection settings. The TS RemoteApp Wizard helps you add RemoteApp programs and configure global deployment settings, and it can create either an .rdp file or a Windows Installer package.

Let's walk quickly through the RemoteApp Wizard. In step 1, configure the terminal server, TS Gateway and certificate settings for the .rdp file (see Figure 4).

Figure 4: Set package options

In step 2, specify where shortcut icons should appear (desktop or Start menu) and/or which client file extensions should be associated with the program, so that local files open with the RemoteApp program (see Figure 5).

Figure 5: View RemoteApp programs in TS Web Access

In the last step, the RemoteApp Wizard opens the Packaged Programs folder, from which you can deploy the packaged applications to client computers with your chosen distribution software (see Figure 6).

Figure 6: Programs packaged for deployment


 

Terminal Service Gateway

Now let's look at how TS Gateway helps remote users reach applications, data or desktops from outside the firewall. Figure 7 gives a high-level view of a typical scenario in which TS Gateway is deployed to give users access over the Internet.

Figure 7: Employees connect to the corporate network from laptops at home

The TS Gateway sits at the network perimeter and carries RDP over HTTPS. Alternatively, you can place an SSL terminator such as Microsoft Internet Security and Acceleration (ISA) Server at the perimeter and have it forward the incoming RDP traffic to a TS Gateway behind it.

Figure 7 shows the steps of this connection flow.

For large installations you can build a TS Gateway server farm, but you need a separate solution (such as NLB or a third-party load balancer) to balance load across the farm; TS Session Broker does not load balance TS Gateway servers.

Now let's look briefly at how to deploy this feature. In short, you must obtain and configure a certificate for the TS Gateway server and create the two authorization policies described below: a TS connection authorization policy (TS CAP) and a TS resource authorization policy (TS RAP).

Obtain a certificate. You can use an existing certificate or request a new one. TS Gateway needs a valid certificate to operate. During installation you can choose to import a certificate or create a self-signed certificate.

The self-signed option is suitable for internal testing, but a production deployment requires a certificate issued by a certification authority that the clients trust, such as VeriSign. Whichever you use, the certificate's subject name must match the fully qualified name that clients use to reach the gateway, or server authentication fails. After installing the certificate, you can move on to the authorization policies.
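As an added example (not from the original article), this PowerShell function checks the certificates in the local machine store against what a TS Gateway needs before you bind one: the subject or subject alternative name must match the gateway FQDN clients use, the certificate must be within its validity period, it must carry the Server Authentication EKU, the private key must be present, and self-signed certificates are flagged as test-only. The gateway name is a placeholder.

```powershell
# Added example, not code from the original article. Pre-flight checks for
# the certificate a TS Gateway will present on TCP 443. Run on the gateway
# server; the FQDN passed in is a placeholder.

function Test-TsGatewayCertificate {
    param(
        [Parameter(Mandatory=$true)] [string] $GatewayFqdn,   # name clients type, e.g. tsg.example.com
        [int] $MinDaysRemaining = 30                          # warn before the certificate expires
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey }       # the gateway must be able to use the key

    foreach ($cert in $candidates) {
        $problems = @()

        # 1. Subject CN or SAN DNS names must include the name remote clients connect to
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) { $names += ($san.Format($false) -split ', ') -replace '^DNS Name=', '' }
        if (-not ($names -contains $GatewayFqdn)) { $problems += "name mismatch ($($names -join ','))" }

        # 2. Validity window
        if ($cert.NotBefore -gt (Get-Date)) { $problems += 'not yet valid' }
        if ($cert.NotAfter -lt (Get-Date).AddDays($MinDaysRemaining)) { $problems += "expires $($cert.NotAfter)" }

        # 3. Enhanced Key Usage must include Server Authentication (or be absent, i.e. unrestricted)
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
            $problems += 'no Server Authentication EKU'
        }

        # 4. Self-signed certificates are only acceptable for testing
        if ($cert.Subject -eq $cert.Issuer) { $problems += 'self-signed (test use only)' }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Usage (placeholder name): list every candidate with its problems, if any
Test-TsGatewayCertificate -GatewayFqdn 'tsg.example.com' | Format-Table -AutoSize
```

A certificate that passes these checks on the server can still fail on the client if the issuing CA is not in the client's trusted root store, so verify trust from a client outside the domain as well.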

Authorization policies. The TS CAP determines which users can connect to the TS Gateway and under what conditions. For example, you can specify a user group on the local TS Gateway server or in Active Directory that is allowed to connect, and require that its members use a smart card.

The TS RAP, on the other hand, determines which internal resources users can reach through the TS Gateway. For example, you can create a computer group, such as a terminal server farm, and associate it with your TS RAP.

You must create both a TS CAP and a TS RAP to allow remote users to reach internal resources, because a user must match at least one TS CAP and one TS RAP to gain access. The administrator creates both in TS Gateway Manager, as shown in Figure 8 and Figure 9.

Figure 8: Create a connection authorization policy

Figure 9: Create a resource authorization policy

Together, the TS CAP and TS RAP provide two separate layers of authorization, giving you finer-grained access control over computers on the internal network. For more information, see the Terminal Services Gateway Step-by-Step Guide at go.microsoft.com/fwlink/?LinkID=85872.


 

TS Session Broker

The last topic is TS Session Broker, which provides an easy-to-deploy, session-based load balancing solution. It builds on the Session Directory feature of Windows Server 2003 (reconnecting users to their existing sessions) and adds the ability to create new sessions on the least-loaded server.

Consider the typical scenario in which every terminal server in the farm has a DNS host (A) resource record mapped to the farm name, say Farm1. Any terminal server in the farm can then act as a redirector and handle the initial connection request.

Suppose a user starts the RDC client and specifies the farm name Farm1. The client asks the DNS server to resolve Farm1 to an IP address, and the DNS server, configured to use round robin to spread the initial connection requests, returns the list of IP addresses registered for Farm1.

The client sends its connection request to the first IP address in the list returned by DNS. The terminal server at that address acts as a redirector and queries the TS Session Broker server to find out which terminal server the client should log on to. TS Session Broker checks its database: if the user already has a session, it returns the IP address of the terminal server hosting that session; if not, it determines which terminal server in the farm has the least load (based on session count and relative server weight) and returns that server's IP address.

The redirector passes the IP address to the client, which sends its connection request to that server. The server processes the logon and notifies TS Session Broker that the logon succeeded.

Although any load balancing mechanism can be used for the initial connection, DNS round robin is the easiest to deploy. Note, however, that DNS round robin has limitations: client-side DNS caching may cause a client to use the same IP address for every initial connection request, and a client directed to a terminal server that is offline but still listed in DNS may wait out a timeout of about 30 seconds.

TS Session Broker load balancing can be combined with a network-level load balancing solution such as NLB or a hardware load balancer to avoid the DNS limitations while still using the TS Session Broker features. TS Session Broker load balancing also lets you assign a relative weight to each server, which helps distribute load across servers of different capacity in the farm. For example, if one server can handle twice as many sessions as another, give it a weight of 200 and the other a weight of 100.

TS Session Broker load balancing limits a given terminal server to a maximum of 16 pending logon requests. This helps prevent a server from being overwhelmed by new logons in situations such as adding a new server to the farm or re-enabling logons on a server that previously refused them.

In addition, a new server drain mechanism prevents new users from logging on to a terminal server that is being taken down for maintenance. When new logons are disabled on a terminal server, TS Session Broker still lets users with existing sessions reconnect to it, but redirects new users to the terminal servers configured to accept new logons.
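As an added example (not part of the original article, and not TS Session Broker's own code), the following PowerShell models the placement rules described above: a reconnect goes to the server holding the session even when that server is draining, a new logon skips drained servers and servers at the 16 pending-logon cap, and the remaining servers are compared by sessions per unit of weight. The farm, weights, counters and zone name are constructed; the dnscmd line in the comment shows how the matching round robin A records for Farm1 are registered on the DNS server.

```powershell
# Added example, not code from the original article or from TS Session Broker.
# A model of the broker's placement rules over a constructed farm.
#
# DNS round robin for the initial connection is one A record per farm member
# on the zone's DNS server (constructed zone name), e.g.:
#   dnscmd . /RecordAdd corp.example Farm1 A 10.0.0.11

$Farm1 = @(
    [pscustomobject]@{ Name='TS1'; Ip='10.0.0.11'; Weight=200; Sessions=40; Pending=0;  Drain=$false }
    [pscustomobject]@{ Name='TS2'; Ip='10.0.0.12'; Weight=100; Sessions=15; Pending=0;  Drain=$false }
    [pscustomobject]@{ Name='TS3'; Ip='10.0.0.13'; Weight=100; Sessions=5;  Pending=16; Drain=$false }  # at the pending-logon cap
    [pscustomobject]@{ Name='TS4'; Ip='10.0.0.14'; Weight=100; Sessions=2;  Pending=0;  Drain=$true  }  # drained for maintenance
)
# Existing sessions the broker knows about: user -> server name (constructed)
$SessionDb = @{ 'alice' = 'TS4' }

function Get-TsBrokerTarget {
    param([string]$User, [object[]]$Farm, [hashtable]$Sessions, [int]$MaxPending = 16)

    # 1. A user with an existing session is always sent back to it, even on a draining server
    if ($Sessions.ContainsKey($User)) {
        return ($Farm | Where-Object { $_.Name -eq $Sessions[$User] })
    }

    # 2. New logon: exclude drained servers and servers already at the pending-logon cap
    $eligible = $Farm | Where-Object { -not $_.Drain -and $_.Pending -lt $MaxPending }
    if (-not $eligible) { throw "No terminal server in the farm accepts new logons." }

    # 3. Least load relative to weight: (sessions + in-flight logons) per unit of weight
    $target = $eligible |
        Sort-Object -Property @{ Expression = { ($_.Sessions + $_.Pending) / $_.Weight } } |
        Select-Object -First 1
    $target.Pending++      # counts against the cap until the server reports the logon
    return $target
}

Get-TsBrokerTarget -User 'alice' -Farm $Farm1 -Sessions $SessionDb   # TS4: reconnect despite drain mode
Get-TsBrokerTarget -User 'bob'   -Farm $Farm1 -Sessions $SessionDb   # TS2: 15/100 beats TS1's 40/200; TS3 and TS4 excluded
```

The weighting shows why raw session counts mislead: TS1 has the most sessions but, at weight 200, is less loaded per unit of capacity than TS2 would be after one more logon, so a second new user after bob lands on TS1.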

For more information, see the TS Session Broker Load Balancing Step-by-Step Guide at go.microsoft.com/fwlink/?LinkID=92670. This article does not cover every new feature of Windows Server 2008 Terminal Services; the Terminal Services website has more, including in-depth webcasts. See technet.microsoft.com/ts.

Joshua Schnoll has more than 15 years of marketing and technical experience and has focused on server-based computing for the past six years. He is currently a global senior product manager for Windows Server Terminal Services. Before joining Microsoft, he held several positions at Sun Microsystems, including marketing manager for the Sun Ray thin client products.


Source: TechNet
