Using Terminal Services as a Remote Access Solution at Microsoft Published: April 2008

Agenda
● The Terminal Services environment at Microsoft
● The Windows Server® 2008 Terminal Services pilot
  ● The Terminal Services Gateway (TS Gateway) feature
  ● Scalability—load-balancing configurations
  ● User experience enhancements
  ● Using TS Gateway as a remote access portal
  ● Best practices
  ● Conclusion

Prerequisite Knowledge
● Windows® Terminal Services
● Network Load Balancing (NLB)
● SSL
● Domain Name System (DNS) configuration—DNS round robin
Level 200

Current Environment
Terminal Services at Microsoft IT
● Three Windows Server 2003–based Terminal Services deployments worldwide
● Only a few applications are supported
  ● Seven internal business applications
  ● Microsoft® Office system applications such as Microsoft Office Word and Microsoft Office Excel®
  ● Experienced little usage—only 30 to 40 users each month

Current Environment
Accessing terminal servers—challenges
● Terminal servers can be accessed only from within the internal corporate network
● Remote users must first establish a virtual private network (VPN) connection to the internal network
  ● VPN connection requires an appropriately configured computer
  ● Many organizations do not allow for outbound VPN connections
  ● VPN connections are less tolerant to network delays

Windows Server 2008
Terminal Services deployment goals
● Test and validate the TS Gateway concept—remove the limitations of a VPN connection
● Test the scalability of a Windows Server 2008–based terminal server farm
● Increase the security of sensitive corporate documents
  ● Reduce the likelihood that users copy internal documents to remote computers

Terminal Services Pilot
Deployment strategy
● Phase 1: Configure a single TS Gateway environment
  ● Perform security tests to verify that the environment meets security requirements
  ● Open TS Gateway to approximately 200 developers to obtain initial feedback
● Phase 2: Extend the environment to multiple sites worldwide
  ● Open TS Gateway to multiple groups at Microsoft
  ● Perform load-balancing and scalability tests

Terminal Services Gateway
Overview of the TS Gateway role
● A Web server component
● Provides the following functionalities
  ● Acts as the endpoint of an SSL connection
  ● Performs authentication and authorization of the connecting user
  ● Forwards the user’s connection to a resource by using Remote Desktop Protocol (RDP)
  ● Requires Terminal Services client (TSClient) version 6.0

TS Gateway Design
Connection process
[Diagram: connection process]
  External network: RDP encapsulated in RPC over HTTPS arrives at a firewall listening for HTTPS traffic (port 443)
  Perimeter network: load-balanced TS Gateway computers forward RDP traffic through a firewall listening for RDP (TCP 3389), LDAP (TCP 389), Kerberos (TCP/UDP 88), DNS (TCP 52), RADIUS (TCP/UDP 1812), and RADIUS accounting (TCP/UDP 1813)
  Internal network: terminal servers and Remote Desktop–enabled personal computers receive the RDP traffic

Terminal Services Pilot
Phase 1—deployment characteristics
● Two TS Gateway computers
● Five Windows Server 2008–based terminal servers
● One Terminal Services Session Broker (TS Session Broker) computer
● All computers based on commodity hardware
  ● Dual 2.2-gigahertz (GHz) CPUs
  ● Four gigabytes (GB) RAM

Deployment Results
Phase 1—initial feedback
● Approximately 200 users—Terminal Services developers group
● The TS Gateway concept proven
  ● Users could successfully connect from any location worldwide
  ● Connection speed met or exceeded that of a VPN connection
  ● Extremely popular with developers—easy connections to Remote Desktop–enabled workstations

Extending the Deployment
Phase 2—expanded goals
● Expand the deployment to that of a large enterprise-level deployment
  ● Test TS Gateway scalability
    ● By using NLB clusters
    ● By using third-party load balancers
  ● Test terminal server farm scalability
    ● Round-robin DNS
    ● TS Session Broker
  ● Implement user experience enhancements
    ● TS Portal—based on Terminal Services Web Access (TS Web Access)
    ● TS RemoteApp

Extending the Deployment
Phase 2—deployment characteristics
● Ten TS Gateway computers
● Nine terminal servers
● Three TS Session Broker computers
● Four locations worldwide
  ● Dublin
  ● Hyderabad
  ● Redmond
  ● Singapore

Deployment Characteristics
A worldwide implementation
[Diagram: Terminal Services client computers send HTTPS traffic through firewalls listening for HTTPS traffic to approved internal resources]

Worldwide Deployment
Usage statistics
● Deployment first opened to other developer groups—approximately 2,000 developers
● Deployment next opened to other groups at Microsoft—a goal of increased usage of typical terminal server resources
● Overall usage of approximately 7,500 people worldwide

Worldwide Deployment
Usage statistics—Dec 1, 2007, through Dec 31, 2007

Usage statistic                                 Redmond   Dublin  Hyderabad  Singapore
Total number of users                             5,470      323        350        354
Users who have more than one logon in a month     4,950      258        313        275
Users who have more than 10 logons in a month     2,790       76        144         78
Total resources accessed                          8,700      301        424        443

Worldwide Deployment
Load statistics—Dec 1, 2007, through Dec 31, 2007

Load statistic              Redmond   Dublin  Hyderabad  Singapore
Total number of sessions    115,787    3,088      4,580      2,750
Total gigabytes sent            242        3          5          3
Total gigabytes received      2,666       37         40         27

TS Gateway Scalability
Network Load Balancing
● NLB clusters are limited by overall traffic and not by the number of nodes
  ● A heavily loaded cluster may experience issues with convergence and with cluster node synchronization
● For Windows Server 2008–based NLB clusters
  ● Single node—supports approximately 700 simultaneous connections with a maximum of 1,300 connections
  ● Multiple nodes—supports approximately 1,500 simultaneous connections with a maximum of 2,600 connections
  ● For fault tolerance, it is best to deploy at least three nodes to support 1,500 connections
● For loads greater than 1,500 simultaneous connections, a third-party load balancer is best

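A capacity check built from the figures on this slide, as an added example (not code from the deck or from Microsoft IT). The thresholds are the slide's numbers; the N+1 sizing rule is an assumption, chosen because it reproduces the slide's "at least three nodes for 1,500 connections".

```python
"""Capacity check for a TS Gateway NLB cluster (added example, not from the deck).
Thresholds are the slide's figures; the N+1 sizing rule is an assumption that
reproduces the slide's 'at least three nodes for 1,500 connections'."""
import math

NODE_TYPICAL = 700       # comfortable simultaneous connections on one node
NODE_MAX = 1_300         # hard maximum on one node
CLUSTER_TYPICAL = 1_500  # comfortable total for a multi-node NLB cluster
CLUSTER_MAX = 2_600      # hard maximum for the whole NLB cluster


def recommend(expected: int) -> tuple[str, int]:
    """Return (load balancer type, node count) for `expected` simultaneous connections.

    NLB capacity is bounded by total traffic, not by node count, so above the
    1,500 comfortable total the answer is a third-party balancer, not more nodes.
    Node count is N+1: enough nodes that losing one leaves every survivor within
    its hard maximum (assumed reading of the slide's fault-tolerance rule).
    """
    if expected > CLUSTER_TYPICAL:
        return "third-party", 0
    return "NLB", math.ceil(expected / NODE_MAX) + 1


def assess(expected: int, nodes: int) -> list[str]:
    """Findings for running `expected` connections on an NLB cluster of `nodes` gateways."""
    if nodes < 1:
        raise ValueError("a cluster needs at least one node")
    findings = []
    if expected > CLUSTER_MAX:
        findings.append("cluster-over-max")
    elif expected > CLUSTER_TYPICAL:
        findings.append("cluster-over-typical")    # convergence and node sync issues likely
    checks = [("normal", nodes)]
    if nodes >= 2:
        checks.append(("degraded", nodes - 1))     # the cluster after losing one node
    else:
        findings.append("no-fault-tolerance")
    for label, n in checks:
        per_node = expected / n
        if per_node > NODE_MAX:
            findings.append(f"{label}-node-over-max")
        elif per_node > NODE_TYPICAL:
            findings.append(f"{label}-node-over-typical")
    return findings
```

With three nodes at 1,500 connections the only finding is that survivors of a node loss run above the 700 comfortable figure, which matches the slide's recommendation; with two nodes a node loss would exceed the 1,300 hard maximum.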
TS Gateway Load Balancing
Traffic flow
[Diagram: traffic flow]
  The Terminal Services client opens SSL connection 1 and SSL connection 2 through a network load balancer (IP affinity not required) to the TS Gateway computers
  Within the TS Gateway computers the two SSL connections carry the RPC traffic of one logical Terminal Services session
  The destination resources (terminal servers and Remote Desktop–enabled personal computers) see a single Terminal Services session

TS Gateway Clustering
Benefits
● IP affinity is not required—improves cluster efficiency
  ● TS Gateway automatically redirects the SSL traffic to the appropriate TS Gateway computer
  ● Enables TS Gateway to efficiently handle multiple connections from an organization that has only one external IP address
● Uses SSL for session encryption
  ● SSL connections are much more tolerant to network delays than are VPN connections
  ● SSL connections do not require specialized configuration

Terminal Server Scalability
Load balancing in a terminal server farm
● Implemented a typical DNS round-robin configuration
● Implemented TS Session Broker
  ● A new feature—builds on the functionality that is available in Terminal Services Session Directory
  ● Provides a load-balancing functionality and user session management
    ● Directs a reconnected session to the appropriate terminal server
    ● Directs new sessions to the least busy terminal server

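The two placement rules above, simulated end to end with DNS round robin in front of the farm, as an added example (illustration only, not Microsoft's TS Session Broker code). The server names and the in-memory DNS cycle are constructed for the example.

```python
"""TS Session Broker placement, simulated (added example, not Microsoft's code).
The farm name resolves through DNS round robin to any terminal server; that
server asks the broker, which redirects the client: a reconnect goes back to
the server holding the user's session, a new session goes to the least busy server."""
import itertools
from dataclasses import dataclass


@dataclass
class Redirect:
    entry: str    # server that DNS round robin handed to the client
    target: str   # server the broker sent the client to
    reason: str   # "reconnect" or "new"


class Farm:
    def __init__(self, servers: list[str]):
        self.load = {s: 0 for s in servers}        # active sessions per server
        self.sessions: dict[str, str] = {}         # user -> server holding the session
        self._dns = itertools.cycle(servers)       # constructed stand-in for DNS round robin

    def resolve(self) -> str:
        """DNS round robin: each lookup of the farm name returns the next server."""
        return next(self._dns)

    def broker(self, user: str) -> tuple[str, str]:
        """Session Broker decision for `user`: (target server, reason)."""
        if user in self.sessions:                  # a disconnected session still exists
            return self.sessions[user], "reconnect"
        target = min(self.load, key=lambda s: (self.load[s], s))  # least busy; name breaks ties
        self.sessions[user] = target
        self.load[target] += 1
        return target, "new"

    def connect(self, user: str) -> Redirect:
        """One logon: DNS picks an entry server, which queries the broker."""
        entry = self.resolve()
        target, reason = self.broker(user)
        return Redirect(entry, target, reason)     # client is redirected when entry != target

    def logoff(self, user: str) -> None:
        """Logoff ends the session; a plain disconnect leaves it in place for reconnect."""
        self.load[self.sessions.pop(user)] -= 1
```

The point the simulation makes is that the entry server chosen by DNS is not where the user ends up: a reconnecting user lands on the server that still holds the session even when DNS handed out a different one.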
TS Farm Load Balancing
Connection process
[Diagram: connection process]
  External network: the client reaches the load-balanced TS Gateway computers in the perimeter network
  Internal network: DNS request and DNS response to the DNS server; TS Session Broker query and session redirect response from the TS Session Broker; terminal server A and terminal server B; user profiles

TS Farm Load Balancing
TS Session Broker benefits
● Easy to implement—no specialized configuration required
● TS Session Broker has low overhead—can be installed on a computer that hosts other roles
● Enables simple and effective load balancing in a terminal server farm
  ● TS Session Broker together with DNS round robin is the only load-balancing solution in three of the four Windows Server 2008–based terminal server farms

User Experience
Enhancing Terminal Services usage
● Used TS Web Access to create an easy-to-use Web-based portal to access terminal server resources
● Implemented TS RemoteApp to create a seamless terminal server application experience
● Deployed many more Terminal Services applications—approximately 30 applications now available

TS Portal
A customized TS Web Access portal
● Based on TS Web Access
● A consistent and intuitive Web application that appears when a user accesses TS Gateway
● A single location—enables easy access to terminal server resources

TS Portal
Main page
[Screenshot]

TS Portal
Applications page
[Screenshot]

TS RemoteApp
Enhancing the application experience
● A Terminal Services component—wholly directed toward the end-user experience
● Enables Terminal Services applications to run seamlessly on the end-user desktop
  ● Enables Terminal Services applications to run in individual windows on the user’s desktop
  ● Includes notification icons in the notification area on the client computer
  ● Does not modify the way in which a terminal server makes the application available—only how the TSClient program displays the application

TS RemoteApp
Deployment results
● Proved popular for opening large documents
  ● Documents opened quickly and appeared the same as if they were opened locally—easier and faster than copying the document to the local computer
  ● Some users determined that they no longer required locally installed Microsoft Office applications
  ● Fewer documents were copied to remote locations—improved security
● Users sometimes experienced issues with trying to drag information from a TS RemoteApp application
  ● Users would forget that the running application was a Terminal Services application—unable to drag information between a Terminal Services application and a local application

Conclusion
● TS Gateway enables the creation of a scalable SSL-based remote access solution
● TS Session Broker enables the creation of simple and effective load balancing for a terminal server farm
● The Windows Server 2008 Terminal Services pilot was so successful that the project did not end—instead, the environment is being integrated into the production environment at Microsoft IT

Next Steps
1. Obtain the Windows Server 2008 Terminal Services Guide
   http://technet.microsoft.com/enus/library/cc268349.aspx
2. Visit the Microsoft TechNet Terminal Services Web site
   http://technet2.microsoft.com/windowsserver2008/en/servermanager/terminalservices.mspx
3. Obtain a trial copy of Windows Server 2008
   http://www.microsoft.com/windowsserver2008/en/us/trial-software.aspx

For More Information
● Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
  ● Microsoft IT Showcase Webcasts
    http://www.microsoft.com/howmicrosoftdoesitwebcasts
  ● Microsoft TechNet
    http://www.microsoft.com/technet/itshowcase