234 Introducing Windows Server 2008 through TS Gateway—it simply blocks them from accessing your internal terminal servers. In addition, device redirection is blocked for remote clients connecting via TS Gateway (though best practice is actually to block such redirection on your terminal servers and not on your TS Gateway). An alternative to placing your TS Gateway on the perimeter network is to put it on your corp- net—that is, behind your internal firewall. Then place an SSL terminator in your perimeter net- work to forward incoming RDP traffic securely to your TS Gateway. Either way you implement this, however, one advantage of this new feature is that you don’t need to worry about using an SSL VPN any longer and all the headaches associated with getting this working properly. This integration with Network Access Protection (NAP) is an important aspect of TS Gateway because many mid- and large-sized organizations that will deploy Windows Server 2008 will probably do so because of NAP (and also, of course, because of the many enhancements in Terminal Services on the new platform). (We’ll be covering NAP in Chapter 10, “Implementing Network Access Protection.”) Before we go any further, let’s hear from one more of our experts: From the Experts: Better Together: TS Gateway, ISA Server, and NAP Terminal Services–based remote access has long been used as a simpler, lower-risk alternative to classical layer 2 VPN technologies. Whereas the layer 2 VPN has often provided “all ports, all protocols” access to an organization’s internal network, the Terminal Services approach restricts connectivity to a single well-defined port and pro- tocol. However, as more and more capability has ascended the stack into RDP (such as copy/paste and drive redirection), the potential attack vectors have risen as well. For example, a remote drive made available over RDP can present the same kinds of security risks as one mapped over native CIFS/SMB transports. With the advent of TS Gateway, allowing workers to be productive from anywhere has never been easier. TS Gateway also includes several powerful security capabilities to make this access secure. In addition to its default encryption and authentication capa- bilities, TS Gateway can be combined with ISA Server and Network Access Protection to provide a secure, manageable access method all the way from the client, through the perimeter network, to the endpoint terminal server. Combining these technologies allows an organization to reap the benefits of rich RDP-based remote access, while mitigating the potential exposure this access can bring. ISA Server adds two primary security capabilities to the TS Gateway solution. First, because it can act as an SSL terminator, it allows for more secure placement of TS Gateway servers. Because ISA can be the Internet-facing endpoint for SSL traffic, the TS Gateway itself does not need to be placed within the perimeter network. Instead, Chapter 8 Terminal Services Enhancements 235 the TS Gateway can be kept on the internal network and the ISA Server can forward traf- fic to it. However, if ISA were simply performing traffic forwarding, it would be of little real security benefit. Thus, the second main security value ISA brings to the solution is pre-authentication capabilities. Rather than simply terminating SSL traffic and forward- ing frames on to the TS Gateway, ISA authenticates users before they ever contact the TS Gateway, ensuring that only valid users are able to communicate with it. Using ISA as the SSL endpoint and traffic inspection device allows for better placement of TS Gateway resources and ensures that they receive only inspected, clean traffic from the Internet. Although ISA Server provides important network protection abilities to a TS Gateway solution, it does not address client-side threats. For example, users connecting to a TS Gateway session might have malicious software running on their machines or be non- compliant with the organization’s security policy. To mitigate against these threats, TS Gateway can be integrated with Network Access Protection to provide enforcement of security and healthy policies on these remote machines. NAP is included in Windows Server 2008 and can be run on the same machine as TS Gateway, or TS Gateway can be configured to use an existing NAP infrastructure run- ning elsewhere. When combined with TS Gateway, NAP provides the same policy-based approach to client health and enforcement as it does on normal (not RDP-based) net- work connections. Specifically, NAP can control access to a TS Gateway based on a cli- ent’s security update, antivirus, and firewall status. For example, if you choose to enable redirected drives on your terminal servers, you might require that clients have antivirus software running and up to date. NAP allows organizations to ensure that computers connecting to a TS Gateway are healthy and compliant with its security policies. –John Morello Senior Program Manager, Windows Server Division One other thing about ISA is that it does inspect the underlying HTTP stream when being accessed over port 80, and although this is not RDP/HTTP inspection, it does afford addi- tional protection from anything that might try to piggyback on the HTTP connection itself. Implementing TS Gateway Implementing TS Gateway on a server running Windows Server 2008 requires that you add the TS Gateway role service for the Terminal Services role. When you do this using Server Manager, you are prompted to add the following roles and features as well (if they are not already installed): ■ Network Policy and Access Server role (specifically, the Network Policy Server role services) ■ Web Server (IIS) role (plus various role services and components) ■ RPC Over HTTP Proxy feature 236 Introducing Windows Server 2008 Note that for smaller environments, it’s all right to install TS Gateway and the Network Policy Server (NPS) on the same Windows Server 2008 machine. Larger enterprises, however, will probably want to separate these two different role services for greater isolation and manageability. Adding the TS Gateway role service also requires that you specify a server certificate for your server so that it can use SSL to encrypt network traffic with Terminal Services clients. A valid digital certificate is required for TS Gateway to work, and you have the choice during installa- tion of this role to import a certificate (for example, a certificate from VeriSign if you want cli- ents to be able to access terminal servers running on your corpnet from anywhere in the world via the Internet), create a self-signed certificate (good for testing purposes), or delay installing a certificate until later: After importing a certificate for your server, you’re given the option of creating authorization policies now or doing so later using the TS Gateway Management console. There are two kinds of authorization policies you need to create: ■ Connection authorization policies These are policies that enable remote users to access your network based on conditions you have specified. ■ Resource authorization policies These are policies that grant access to your terminal servers only to users whom you have specified. Chapter 8 Terminal Services Enhancements 237 Finally, the Add Role Services Wizard indicates which additional roles and role services will be installed for the Network Policy and Access Server and Web Server (IIS) roles (if these roles and role services are not installed already). And finally you’re done. Once your TS Gateway is set up, you can configure it by creating additional connections and resource authorization policies. For example, you could create a resource authorization policy (RAP) to specify a group of terminal servers on your internal corpnet that you want the TS Gateway to allow access to by authorized remote clients: When you create and configure connection authorization policies, you specify which security groups of users they apply to and, optionally, which groups of computers as well. You also specify whether authorization will use smart cards, passwords, or both. When you create and configure resource groups, you define a collection of resources (for example, terminal servers) that remote users will be allowed to access. You can specify these resources either by selecting a security group that contains the computer accounts of these computers, by specifying indi- vidual computers using their names (hostname or FQDN) or IP addresses, or by allowing remote users to access any computer (client or server) on your internal network that has Remote Desktop enabled on it. You need to create both connection and resource authorization policies for TS Gateway to do its job. Finally, the Monitoring node in the TS Gateway Management console lets you monitor connections happening through your TS Gateway and disconnect them if needed. Benefits of TS Gateway Why is TS Gateway a great feature? It gives your users remote access to fully firewalled termi- nal servers on your corpnet, and it does so without any of the headache of having to configure a VPN connection to those servers. That’s not to say that VPNs aren’t still useful, but if users don’t need a local copy of data, network bandwidth is limited, or the amount of application data that needs to be transferred is large, you’ll likely get better performance out of using TS Gateway than trying to let your users VPN into your corpnet to access your terminal servers. 238 Introducing Windows Server 2008 Best practices for deploying this feature? Use a dedicated TS Gateway (it can coexist with Outlook RPC/HTTP), and consider placing it behind Microsoft Internet and Acceleration Server (ISA) rather than using a simple port-based firewall. Terminal Services Licensing Let’s move on and talk briefly about Terminal Services Licensing (or TS Licensing) and also hear from more of our experts on the Terminal Services team at Microsoft. The job of TS Licensing is to simplify the task of managing Terminal Services Client Access Licenses (TS CALs). In other words, TS Licensing helps you ensure your TS clients are properly licensed and that you aren’t purchasing too many (or too few) licenses. TS Licensing manages clients that are unlicensed, temporarily licensed, and client-access (that is, permanent) licensed clients, and it manages licenses for both devices and users that are connecting to your terminal servers. The TS Licensing role service in Windows Server 2008 supports terminal servers that run both Windows Server 2008 and Windows Server 2003. Device-based TS Licensing basically works like this: When a client tries to connect to a terminal server, the terminal server first determines whether the client requires a license (a TS CAL). If the client requires a license, the terminal server contacts your TS Licensing server (usually a separate machine, but for small environments this could also be the terminal server) and requests a license token, which it then forwards to the client. Meanwhile, the TS Licensing server keeps track of all the license tokens you’ve installed on it to ensure your environment complies with licensing requirements. Note that if a client requires a permanent license token, your TS Licensing server must be activated. (Nonactivated TS Licensing servers can issue only temporary tokens.) A new feature of TS Licensing in Windows Server 2008 is its ability to track issuance of TS Per- User CALs. If your terminal server is configured to use Per-User licensing mode, any user attempting to connect to it must have a TS Per-User CAL. If the user doesn’t, the terminal server will contact the license server to obtain a CAL for her, and administrators can track the issuance of these CALs by using the TS Licensing management tool. Note that TS Per-User CAL tracking and reporting requires an Active Directory infrastructure. To learn more about managing licensing servers, let’s hear now from our experts. First let’s learn how to configure TS Licensing after this role service has been installed: From the Experts: Configuring Terminal Server License Server After Installation TS Licensing Manager, the admin console for Terminal Server License Server, can now find configuration-related issues with a Terminal Server License Server. It displays the License Server configuration status under a new column, Configuration, in the list view. If there are some issues with the License Server configuration, the configuration status will be set to Review. Chapter 8 Terminal Services Enhancements 239 TS Licensing Manager also allows the admin to view the current License Server configuration settings in detail. The admin can choose Review Configuration from the right-click menu for a License Server, which opens the configuration dialog. The License Server configuration dialog displays the following information: ■ TS License Server Database Path ■ Current scope for the license server ■ Membership of the Terminal Server License Server group at the Active Directory Domain Controller. During installation of the TS Licensing role on a domain machine, the setup tries to add the License Server in the Terminal Server License Server group at the Active Directory Domain controller, for which it requires domain administrator privileges. Membership to this group enables the License Server to track Per-User license usage. ■ Status of the global policy License Server Security Group (TSLS). If this policy is enabled and the Terminal Server Computers group is not created, a warning message will be displayed. If the policy is disabled, no message/status will be displayed. Admins can take corrective actions if some License Server configuration issues are found. The License Server configuration dialog allows an administrator to take the following actions: ■ Change the License Server scope. ■ If the License Server scope is set to Forest and the License Server is not published in Active Directory, the License Server configuration dialog shows a warning mes- sage to the administrator and allows the administrator to publish the License Server in Active Directory. ■ Add to the TSLS group in AD. ■ If the License Server Security Group Group Policy is enabled and the Terminal Server Computers local group is not created, the License Server configuration dialog displays the warning message and allows the administrator to create the Terminal Server Computers local group on the License Server. –Ajay Kumar Software Design Engineer, Terminal Services 240 Introducing Windows Server 2008 Next, let’s learn how revocation of TS CALs works in Windows Server 2008. CAL revocation can be done only with Per-Device CALs, not Per-User ones, and there are some things you need to know about how this works before you begin doing it. Here’s what our next expert has to say concerning this: From the Experts: CAL Revocation on Terminal Services License Server CAL Revocation is supported only for Windows Server 2008 TS Per-Device CALs. Terminal Services License Server’s automatic CAL reclamation mentioned later in this sidebar applies only to Per Device CALs. Per-Device CALs are issued to clients for a certain validity period, after which the CAL expires. If the client accesses the terminal server often, the validity of the CAL is renewed accordingly before its expiration. If the client does not access the terminal server for a long time, the CAL eventually expires. The Terminal Services License Server reclaims all the expired CALs periodically with its automatic CAL reclamation mechanism. Occasionally, an administrator might need to transfer a Per-Device CAL from the client back into the free license pool on the License Server (a process referred to as reclaiming or revoking) when the original client has been permanently removed from the environ- ment and one needs to reallocate the CAL to a different client. Historically, there was no way to do it. An administrator would have had to wait until the CAL expired or lost its validity and was automatically reclaimed by its mechanism. So it was desired to have the License Server support a mechanism to reclaim or revoke CALs. Using the new Revoke CAL option in TS Licensing Manager, administrators can now reclaim issued CALs and place them back into a free license pool on the License Server. An administrator has to also select the specific client whose CAL needs to be revoked. But there are certain restrictions on the number of CALs that can be revoked at a given time. This is a restriction imposed by the License Server to prevent misuse. The restric- tion can be stated as follows: At any given point in time, the number of LH PD CALs in a revoked state cannot exceed 20 percent of the total number of LH PD CALs installed on the License Server. A CAL goes into a revoked state right after revocation, and its state is cleared when it goes past its original expiration date. One can see the list of CALs in the revoked state in the TS Licensing Manager tool by observing the Status column in the client list view. When the administrator has exceeded this limit, he is given a date when further revocation is possible. Chapter 8 Terminal Services Enhancements 241 Note that TS CALs should not be revoked to affect concurrent licensing. TS CALs can only be revoked when it is reasonable to assume that the machine they were issued to will no longer participate in the environment, for example, when the machine failed. Client machines, no matter how infrequently they may connect, are required to have a TS CAL at all times. This also applies for per user licensing. –Harish Kumar Poongan Shanmugam Software Design Engineer in Test, Terminal Services Finally, let’s dig into some troubleshooting stuff and learn how we can diagnose licensing problems for terminal servers. Our expert will look at four different troubleshooting scenarios in this next sidebar: From the Experts: Running Licensing Diagnosis on a Terminal Server The Licensing Diagnosis tool is now integrated into the Terminal Services Configuration MMC snap-in (TSConfig.msc). This tool on the terminal server, in conjunction with the TS Licensing Manager’s Review Configuration option on the License Server, can be use- ful in finding problems arising because of a misconfigured TS Licensing setup. The Diagnostic tool does not report all possible problems in all possible scenarios during diagnosis. However, it collates the entire TS Licensing information of Terminal Services and the License Servers at a single place and identifies common licensing configuration errors. Upon launch of the Licensing Diagnosis tool, it first makes up a list of License Servers that the terminal server can discover via auto-discovery and also those that can be dis- covered via manual specification by using either the Use The Specified License Servers option in TSConfig.msc (registry-by-pass) or the Use The Specified Terminal Services License Servers Group Policy. It then contacts each License Server in turn to gather its configuration details, such as the activation state, License Key Pack information, relevant Group Policies, and so on. For this to work properly, we need to make sure that the Licensing Diagnosis tool has been launched with credentials that have administrator privileges on the License Servers. If needed, use the Provide Credentials option to specify appropriate credentials for each License Server individually at run time. Then the termi- nal server’s licensing settings—such as the licensing mode, Group Policies, and so on— are analyzed and compared, together with the License Servers information, to summa- rize common TS Licensing problems. A summary of diagnostic messages, with the possible resolution steps, is provided by this tool at the end of diagnosis. We can understand how the tool can be used by considering some sample scenarios. 242 Introducing Windows Server 2008 Case 1: Basic Diagnosis The terminal server has just been set up, and the licensing mode of the server has remained in Not Yet Configured mode. No other Licensing settings have been done on the TS, and a License Server has not been set up. Within the grace period of 120 days, TS has allowed connection to clients. Past the grace period, the administrator observes that the clients are no longer able to connect. The administrator launches the diagnostic tool and finds that two diagnostic messages are reported. One message is that the TS mode needs to be configured to either Per-User or Per-Device mode, and the other is that no License Servers have been discov- ered on the terminal server. The administrator now sets the TS licensing mode to Per- Device mode using TSConfig.msc. (If the TS licensing mode is set up using the Set The Terminal Services Licensing Mode Group Policy, the Licensing tab in TSConfig.msc is disabled.) A License Server is also set up by the administrator in the domain. When rerunning the tool, it now reports that the License Server needs to be activated and License Key Packs of the required TS mode need to be installed on the License Server. And so on. Case 2: Advanced Diagnosis Cases The Terminal Services License Server Security Group Policy has been enforced on the domain. The administrator has not added the TS computer name into the Terminal Server Computers local group on the License Server. When the Licensing Diagnosis tool is launched, it displays a diagnostic message indicating that licenses cannot be issued to the given terminal server because of the Group Policy setting. This can be corrected by using the Review Configuration option in TS Licensing Manager to create the TSC group, and TS can be added to the group using the Local Users And Groups MMC snap-in. If the License Server computer name is not a member of the Terminal Server License Servers local group in the Active Directory Domain Controller of the TS’s domain, per- user licensing and per-user license reporting will not work. In such case, when the Licensing Diagnosis tool is opened on TS, the Per-User Reporting And Tracking field in the License Server Configuration Details panel indicates that per-user tracking is not available. This can be corrected by using the Review Configuration option in TS Licensing Manager to add the License Server computer name into the Terminal Server License Servers group. Case 3: License Server Discovery Diagnosis on the Terminal Server During License Server setup, the administrator selected to install the License Server in the Forest Discovery Scope. But as the administrator ran the installation without the required Active Directory privileges, the License Server did not get published in the Active Directory licensing object. When the Licensing Diagnosis tool is launched on the TS, it is unable to discover the License Server. For diagnosing discovery problems, the administrator can initially specify the License Server by manually configuring it in the Chapter 8 Terminal Services Enhancements 243 Use The Specified License Servers option in TSConfig.msc so that the License Server shows up in the diagnostic tool. When rerunning the Licensing Diagnosis tool, the administrator notices that the License Server’s discovery scope is visible in the License Server Configuration Details section. The discovery scope shows up as Domain Scope, instead of Forest Scope. This can be corrected by using the Review Configuration option in TS Licensing Manager and exercising the Change Scope option to set the License Server discovery scope to Forest Scope. Case 4: Licensing Mode Mismatch Diagnosis The terminal server is configured in Per-Device licensing mode, but the administrator has installed Per-User licenses on the License Server. On launching the Licensing Diag- nosis tool, a diagnostic message shows that the appropriate type of licenses are not installed on the License Server, indicating a potential mode mismatch problem. –Harish Kumar Poongan Shanmugam Software Design Engineer in Test, Terminal Services For a look at how one can use WMI to manage licensing for terminal servers, see the “Terminal Services WMI Provider” section upcoming. Other Terminal Services Enhancements Finally, let’s briefly talk about three other features of Terminal Services in Windows Server 2008: ■ WMI Provider for scripted management of Terminal Services features ■ Integrating Windows System Resource Manager with Terminal Services ■ Terminal Services Session Broker Terminal Services WMI Provider Windows Server 2008 and Windows Vista have many enhancements to WMI compared with previous versions of Microsoft Windows, and we’ve already covered these enhancements ear- lier in Chapter 4. Let’s hear from our experts on the Terminal Services team concerning these WMI enhancements, including some tips on how to use WMI for managing Terminal Services: [...]... some familiarity with how server clustering works in Windows Server 2003, but if not you can find an overview of this topic on the Microsoft Windows Server TechCenter See the Server Clusters Technical Reference” found at http://technet2 .microsoft. com/WindowsServer/en/library/8ad 362 86- df8d-4c53-9aee7a9a073c95ee1033.mspx?mfr=true Understanding the New Quorum Model For Windows Server 2003 clusters, the... assume that what worked with Windows Server 2003 will work with Windows Server 2008 In other words, there won’t be any grandfathering of storage hardware support for qualified Windows server clustering solutions that are currently listed in the Windows Server Catalog But I’ll get to the topic of qualifying your clustering hardware in a few moments 258 Introducing Windows Server 2008 Now here’s the sidebar... http://www .microsoft. com/windowsserver /2008/ evaluation/overview.mspx By the time you read this chapter, this site will probably redirect you to something with a lot more content If you have access to the Windows Server 2008 beta program on Microsoft Connect (http://connect .microsoft. com), you can get some great Terminal Services documents from there, including: ■ Windows Server 2008 Terminal Services... of the failed node and continue servicing client requests to keep your applications running In Windows NT 4.0, server clusters were known as the Microsoft Cluster Services (MSCS); in Windows 2000 Server, this feature was renamed Server Clusters Now in Windows Server 2008, we call this technology Windows Server Failover Clustering (WSFC) or simply Failover Clustering, which communicates clearly the... Support, Windows Server Core Team 266 Introducing Windows Server 2008 Tips for Validating Clustering Solutions Here are a few tips on getting a successful validation from running this tool: ■ If you’re going to use domain controllers as nodes, use domain controllers If you’re going to use member servers instead, use member servers You can’t do both for the same cluster or validation will fail (Note that Microsoft. .. picked up a copy of the Microsoft Windows Vista Resource Kit (Microsoft Press, 2007), you’ll have already read a lot about the new TCP/IP networking stack in Windows Vista (If you haven’t picked up a copy of this title yet, why haven’t you? How am I supposed to retire if the books I’ve been involved with don’t earn royalties?) Windows Server 2008 is built on the same TCP/IP stack as Windows Vista, so all... although a form of GeoClusters was supported on earlier Windows server platforms, you had to use technologies such as Virtual LANs (VLANs) to ensure that all the nodes in your cluster appeared on the same IP subnet, 260 Introducing Windows Server 2008 which could be a pain sometimes In addition, support for configurable heartbeat time-outs in Windows Server 2008 effectively means that there are no practical... one IP Address resource If the IP address resource failed to come Chapter 9 Clustering Enhancements 261 online or failed to stay online, the Network Name resource also failed Even if a Network Name resource depended on two different IP Address resources, if one of those IP Address resources failed, the Network Name resource also failed In the Windows Server 2008 Failover Cluster feature, this has changed... Terminal Services Windows System Resource Manager Windows System Resource Manager (WSRM) is an optional feature of Windows Server 2008 that can be used to control how CPU and memory resources are allocated to applications, services, and processes running on a computer WSRM is not a feature of Terminal Services, but if you install it on a terminal server you can control allocation of such resources for... terminal servers in your farm) 248 Introducing Windows Server 2008 With Windows Server 2008, there are two key deployment scenarios for Session Broker: ■ Session Broker Load Balancing ■ Third-party Load Balancing (or MS NLB) Session Broker provides a simple-to-deploy load balancing solution for small scale deployments Create a DNS record for the farm that contains the IP address of the terminal servers . connecting to your terminal servers. The TS Licensing role service in Windows Server 2008 supports terminal servers that run both Windows Server 2008 and Windows Server 2003. Device-based TS. running. In Windows NT 4.0, server clusters were known as the Microsoft Cluster Services (MSCS); in Windows 2000 Server, this feature was renamed Server Clusters. Now in Windows Server 2008, we. remaining details (you need to do this on all terminal servers in your farm). 248 Introducing Windows Server 2008 With Windows Server 2008, there are two key deployment scenarios for Session