Terminal Services Web Access and Resulting Internet Communication in Windows Server 2008
Applies To: Windows Server 2008
In This Section
It is beyond the scope of this white paper to describe all aspects of maintaining appropriate levels of security in an organization running servers that use Terminal Services Web Access (TS Web Access) to offer applications across the Internet. This section, however, provides overview information as well as suggestions for other sources of information about balancing your organization’s requirements for communication across the Internet with your organization’s requirements for protection of networked assets.
TS Web Access is a role service in the Terminal Services role that enables you to make RemoteApp™ programs, and a link to the terminal server desktop, available to users from a Web browser. Additionally, TS Web Access enables users to connect from a Web browser to the remote desktop of any server or client computer where they have the appropriate access.
With TS Web Access, users can visit a Web site (either from the Internet or from an intranet) to access a list of available RemoteApp programs. When they start a RemoteApp program, a Terminal Services session is started on the Windows Server 2008-based terminal server that hosts the RemoteApp program.
If you want to use TS Web Access to make RemoteApp programs available to users, the Web Server (IIS 7) role is also needed. The Web Server (IIS 7) role is installed as a required component when you install TS Web Access. For information about some of the security-related features in IIS 7.0, and links to additional information, see Internet Information Services and Resulting Internet Communication in Windows Server 2008, earlier in this white paper.
In addition, you can deploy TS Web Access with the Terminal Services Gateway (TS Gateway) role service to enable users to connect from the Internet to individual programs on a terminal server without having to first establish a virtual private network (VPN) connection. (Alternatively, if you do not want to deploy TS Gateway, you can make RemoteApp programs available through a VPN solution.) TS Gateway helps you secure remote connections to terminal servers on your corporate network. For information about some of the security-related features in TS Gateway, and links to additional information, see Terminal Services Gateway and Resulting Internet Communication in Windows Server 2008, earlier in this white paper.
When you install TS Web Access, the following default settings apply:
The TS Web Access Web site uses Windows Authentication.
The TS Web Access Web site opens TCP port 80 for HTTP traffic to enable client connections to the Web site.
If you configure the site to use HTTPS, the default port that is used for Secure Sockets Layer (SSL) connections is TCP port 443.
When you install TS Web Access, Windows Firewall is automatically configured to allow Windows Management Instrumentation (WMI) traffic. The TS Web Access server must be able to communicate through WMI to the source terminal server that hosts the RemoteApp programs. Therefore, if the TS Web Access server is located in the perimeter network to allow access from the Internet, you must ensure that the firewall rules allow WMI traffic from the TS Web Access server to the source terminal server in the internal network.
|To view the firewall rules that are created for WMI when you install TS Web Access, open Windows Firewall with Advanced Security (available in the Administrative Tools folder).|
Windows Server 2008 RemoteApp Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=84895)
Web page for Terminal Services in Windows Server 2008 on the TechNet Web site at:
Terminal Services Gateway and Resulting Internet Communication in Windows Server 2008
Terminal Services Licensing and Resulting Internet Communication in Windows Server 2008