Role Services and Features in a Terminal Services Deployment

Applies To: Windows Server 2008

The following figure shows the network diagram for the Terminal Services role services and features that are covered in this deployment guide. This diagram isolates specific functionality on separate servers, instead of running multiple services on the same server. Your deployment design will vary according to your resources and requirements.

What are the role services and features in a Terminal Services deployment?

Terminal Services is a server role that consists of several sub-components, known as "role services." In Windows Server 2008, Terminal Services consists of the following role services:

  • Terminal Server   The Terminal Server role service enables a server to host Windows-based programs or the full Windows desktop. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server.

  • TS Licensing   Terminal Services Licensing (TS Licensing) manages the Terminal Services client access licenses (TS CALs) that are required for each device or user to connect to a terminal server. You use TS Licensing to install, issue, and monitor the availability of TS CALs on a Terminal Services license server.


You must have a correctly configured license server within 120 days after your terminal server accepts its first connection.

  • TS Session Broker   Terminal Services Session Broker (TS Session Broker) supports session load balancing between terminal servers in a farm, and reconnection to an existing session in a load-balanced terminal server farm.


To use the built-in TS Session Broker Load Balancing feature, terminal servers in the farm must be running Windows Server 2008.

  • TS Web Access   Terminal Services Web Access (TS Web Access) enables users to access RemoteApp programs and a Remote Desktop connection to the terminal server through a Web site. TS Web Access also includes Remote Desktop Web Connection, which enables users to remotely connect to any computer where they have Remote Desktop access.

  • TS Gateway   Terminal Services Gateway (TS Gateway) enables authorized remote users to connect to resources on an internal corporate network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.

Your deployment might also include the following:

  • Remote Desktop Connection (RDC) client   The RDC client must be installed on client computers for users to start Terminal Services sessions. To access most of the new features in Windows Server 2008, the client must be running RDC 6.0 or RDC 6.1.

  • Active Directory Domain Services   If you deploy TS Session Broker, the server where you install the TS Session Broker role service must be a member of an Active Directory domain. If you deploy terminal servers or terminal server farms, the servers must be members of the same Active Directory domain as the license servers, or the license servers must be deployed at the forest level.

  • Network Access Protocol (NAP)   You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement, and remediation technology that is included in Windows Server 2008, Windows Vista®, Windows Vista Service Pack 1 (SP1), and Windows XP Service Pack 3 (SP3). With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings.

  • Network Firewall   The Terminal Services role services are typically deployed within the corporate network behind a firewall. If TS Gateway is deployed, it may be hosted in a perimeter network. TS Gateway enables most remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators (NATs). With TS Gateway, you do not need to perform additional configuration for the TS Gateway server or clients for this scenario.

    In earlier versions of Windows Server, security measures prevented remote users from connecting to internal network resources across firewalls and NATs. This is because port 3389, the port used for RDP connections, is typically blocked for network security purposes. TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.

  • Front-end load balancer   If you deploy TS Session Broker, a front-end load balancer is required. Depending on your requirements, you can use the Domain Name System (DNS) round robin feature, Network Load Balancing (NLB), or a hardware load balancer.