Terminal Services Overview
Applies To: Windows Server 2008
What is Terminal Services?
The Terminal Services server role in Windows Server® 2008 provides technologies that enable users to access Windows-based programs that are installed on a terminal server, or to access the full Windows desktop. With Terminal Services, users can access a terminal server from within a corporate network or from the Internet.
Terminal Services lets you efficiently deploy and maintain software in an enterprise environment. You can easily deploy programs from a central location. Because you install the programs on the terminal server and not on the client computer, programs are easier to upgrade and to maintain.
When a user accesses a program on a terminal server, the program execution occurs on the server. Only keyboard, mouse, and display information is transmitted over the network. Each user sees only their individual session. The session is managed transparently by the server operating system and is independent of any other client session.
For more information about Terminal Services, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=48555).
Why use Terminal Services?
If you deploy a program on a terminal server instead of on each device, there are many benefits. These include the following:
You can quickly deploy Windows-based programs to computing devices across an enterprise. Terminal Services is especially useful when you have programs that are frequently updated, infrequently used, or difficult to manage.
Terminal Services can considerably reduce the amount of network bandwidth that is required to access remote applications.
Terminal Services helps user productivity. Users can access programs that are running on a terminal server from devices such as home computers, kiosks, low-powered hardware, and operating systems other than Windows.
Terminal Services provides better program performance for branch office workers who need access to centralized data stores. Data-intensive programs sometimes do not have client/server protocols that are optimized for low-speed connections. Programs of this kind frequently perform better over a Terminal Services connection than over a typical wide area network.
Terminal Services role services
Terminal Services is a server role that consists of several sub-components, referred to as "role services." In Windows Server 2008, Terminal Services consists of the following role services:
Terminal Server: The Terminal Server role service enables a server to host Windows-based programs or the full Windows desktop. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server.
TS Web Access: Terminal Services Web Access (TS Web Access) enables users to access RemoteApp™ programs and a remote desktop connection to the terminal server through a Web site.
TS Licensing: Terminal Services Licensing (TS Licensing) manages the Terminal Services client access licenses (TS CALs) that are required for each device or user to connect to a terminal server. You use TS Licensing to install, issue, and monitor the availability of TS CALs on a Terminal Services license server.
TS Gateway: Terminal Services Gateway (TS Gateway) enables authorized remote users to connect to resources on an internal corporate network, from any Internet-connected device.
TS Session Broker: Terminal Services Session Broker (TS Session Broker) supports session load balancing between terminal servers in a farm, and reconnection to an existing session in a load-balanced terminal server farm.
What is a terminal server?
A terminal server is the server that hosts Windows-based programs or the full Windows desktop for Terminal Services clients. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server. Users can access a terminal server by using Remote Desktop Connection or by using RemoteApp programs.
For more information about deploying terminal servers, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).
Terminal Services RemoteApp (TS RemoteApp)
RemoteApp programs are programs that are accessed remotely through Terminal Services and behave as if they are running on the end user's local computer. Users can run RemoteApp programs side-by-side with their local programs. If a user is running more than one RemoteApp program from the same terminal server, the RemoteApp programs will share the same Terminal Services session. This functionality conserves user sessions, and enables faster connection to each additional RemoteApp program that is on the same server.
By using TS RemoteApp Manager, you can create Windows Installer packages (.msi packages) or .rdp files and then distribute the packages throughout your organization. Or, if you want users to access RemoteApp programs over the Web, you can deploy RemoteApp programs to a Web site by using TS Web Access.
Why use TS RemoteApp?
TS RemoteApp can reduce complexity and reduce administrative overhead in many situations, including:
Branch offices, where there may be limited local IT support and limited network bandwidth.
Situations where users need to access applications remotely.
Deployment of line-of-business (LOB) applications, especially custom LOB applications.
Environments, such as "hot desk" or "hoteling" workspaces, where users do not have assigned computers.
Deployment of multiple versions of an application, particularly if installing multiple versions locally would cause conflicts.
For more information about TS RemoteApp, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).
What is TS Web Access?
TS Web Access lets you make RemoteApp programs and a remote desktop connection to the terminal server available to users from a Web browser. With TS Web Access, users can visit a Web site (either from the Internet or from an intranet) to access a list of available RemoteApp programs. When they start a RemoteApp program, a Terminal Services session is started on the terminal server that hosts the RemoteApp program.
When you deploy TS Web Access, you can specify which terminal server to use as the data source to populate the list of RemoteApp programs that appears on the Web page.
For more information about TS Web Access, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).
What is TS Licensing?
TS Licensing manages the TS CALs that are required for each user or device to connect to a terminal server. You use TS Licensing to install, issue, and monitor the availability of TS CALs on a Terminal Services license server.
To use Terminal Services, you must have at least one license server. For small deployments, you can install both the Terminal Server role service and the TS Licensing role service on the same computer. For larger deployments, it is recommended that the TS Licensing role service be installed on a separate computer from the Terminal Server role service.
You must configure TS Licensing correctly in order for your terminal server to continue to accept connections from clients.
For more information about TS Licensing, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).
What is TS Gateway?
TS Gateway enables authorized remote users to connect to resources on an internal corporate network, from any Internet-connected device. The network resources can be either terminal servers running RemoteApp programs [hosting line-of-business (LOB) applications] or computers with Remote Desktop enabled. TS Gateway encapsulates RDP over HTTPS to help form a secure, encrypted connection between users on the Internet and the internal network resources on which their productivity applications run.
Why use TS Gateway?
TS Gateway provides these benefits:
TS Gateway enables remote users to connect to internal network resources over the Internet by using an encrypted connection, without needing to configure virtual private network (VPN) connections.
TS Gateway provides a comprehensive security configuration model that enables you to control access to specific internal network resources. TS Gateway provides a point-to-point RDP connection, rather than allowing remote users access to all internal network resources.
TS Gateway enables remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators (NATs). With TS Gateway, you do not need to perform additional configuration for the TS Gateway server or clients for this scenario.
Prior to this release of Windows Server, security measures prevented remote users from connecting to internal network resources across firewalls and NATs. This is because port 3389, the port used for RDP connections, is typically blocked for network security purposes. TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer Transport Layer Security (TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.
TS Gateway Manager enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources. For example, you can specify:
Who can connect to network resources (in other words, the user groups who can connect).
What internal network resources (computer groups) users can connect to.
Whether client computers must be members of specific Active Directory security groups.
Whether device and disk redirection is allowed.
Whether clients need to use smart card authentication or password authentication, or whether they can use either method.
You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement, and remediation technology that is included in Windows XP Service Pack 2, Windows Vista®, and Windows Server 2008. With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings.
For information about how to configure TS Gateway to use NAP for health policy enforcement for Terminal Services clients that connect to TS Gateway servers, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).
You can use a TS Gateway server with Microsoft Internet Security and Acceleration (ISA) Server to enhance security. In this scenario, you can host TS Gateway servers in a private network rather than a perimeter network (also known as a DMZ, demilitarized zone, and screened subnet), and host ISA Server in the perimeter network. The Secure Sockets Layer (SSL) connection between the Terminal Services client and ISA Server can be terminated at the ISA Server, which is Internet-facing.
For information about how to configure ISA Server as an SSL termination device for TS Gateway server scenarios, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?linkid=73931).
TS Gateway Manager provides tools to help you monitor TS Gateway connection status, health, and events. By using TS Gateway Manager, you can specify events (such as unsuccessful connection attempts to the TS Gateway server) that you want to monitor for auditing purposes.
What is TS Session Broker?
TS Session Broker keeps track of user sessions in a load-balanced terminal server farm. The TS Session Broker database stores session state information that includes session IDs, their associated user names, and the name of the server where each session resides. When a user with an existing session connects to a terminal server in the load-balanced farm, TS Session Broker redirects the user to the terminal server where their session exists. This prevents the user from being connected to a different server in the farm and starting a new session.
If the TS Session Broker Load Balancing feature is enabled, TS Session Broker also tracks the number of user sessions on each terminal server in the farm, and redirects users who do not have an existing session to the server with the fewest sessions. This functionality enables you to evenly distribute the session load between servers in a load-balanced terminal server farm.
For more information about TS Session Broker, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkId=73931).