Terminal Services Overview
Updated: April 28, 2008
Applies To: Windows Server 2008
The Terminal Services server role in Windows Server® 2008 provides technologies that enable users to access Windows-based programs that are installed on a terminal server, or to access the full Windows desktop. With Terminal Services, users can access a terminal server from within a corporate network or from the Internet.
Terminal Services lets you efficiently deploy and maintain software in an enterprise environment. You can easily deploy programs from a central location. Because you install the programs on the terminal server and not on the client computer, programs are easier to upgrade and to maintain.
When a user accesses a program on a terminal server, the program execution occurs on the server. Only keyboard, mouse, and display information is transmitted over the network. Each user sees only their individual session. The session is managed transparently by the server operating system and is independent of any other client session.
For more information about Terminal Services, see the Terminal Services page on the Windows Server 2008 TechCenter.
Note: In Windows Server 2008 R2, Terminal Services was renamed Remote Desktop Services. To find out what's new in that version and to find the most up-to-date resources, visit the Remote Desktop Services page on the Windows Server TechCenter.
If you deploy a program on a terminal server instead of on each device, there are many benefits. These include the following:
You can quickly deploy Windows-based programs to computing devices across an enterprise. Terminal Services is especially useful when you have programs that are frequently updated, infrequently used, or difficult to manage.
Terminal Services can significantly reduce the network bandwidth that is required to access remote applications.
Terminal Services improves user productivity. Users can access programs that are running on a terminal server from devices such as home computers, kiosks, low-powered hardware, and operating systems other than Windows.
Terminal Services provides better program performance for branch office workers who need access to centralized data stores. Data-intensive programs sometimes do not have client/server protocols that are optimized for low-speed connections. Programs of this kind frequently perform better over a Terminal Services connection than over a typical wide area network.
Terminal Services is a server role that consists of several sub-components, known as "role services." In Windows Server 2008, Terminal Services consists of the following role services:
Terminal Server: The Terminal Server role service enables a server to host Windows-based programs or the full Windows desktop. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server.
TS Web Access: Terminal Services Web Access (TS Web Access) enables users to access RemoteApp™ programs and a Remote Desktop connection to the terminal server through a Web site. TS Web Access also includes Remote Desktop Web Connection, which enables users to remotely connect to any computer where they have Remote Desktop access.
TS Licensing: Terminal Services Licensing (TS Licensing) manages the Terminal Services client access licenses (TS CALs) that are required for each device or user to connect to a terminal server. You use TS Licensing to install, issue, and monitor the availability of TS CALs on a Terminal Services license server.
TS Gateway: Terminal Services Gateway (TS Gateway) enables authorized remote users to connect to resources on an internal corporate network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.
TS Session Broker: Terminal Services Session Broker (TS Session Broker) supports session load balancing between terminal servers in a farm, and reconnection to an existing session in a load-balanced terminal server farm.
A terminal server is the server that hosts Windows-based programs or the full Windows desktop for Terminal Services clients. Users can connect to a terminal server to run programs, to save files, and to use network resources on that server. Users can access a terminal server by using RDC or by using RemoteApp programs.
For more information about deploying terminal servers, see "Checklist: Terminal Server Installation Prerequisites" in the Terminal Server Help in the Windows Server 2008 Technical Library.
RemoteApp programs are programs that are accessed remotely through Terminal Services and behave as if they are running on the end user's local computer. Users can run RemoteApp programs side-by-side with their local programs. If a user is running more than one RemoteApp program from the same terminal server, the RemoteApp programs will share the same Terminal Services session. This functionality conserves user sessions, and enables faster connection to each additional RemoteApp program that is located on the same server.
By using TS RemoteApp Manager, you can create Windows Installer packages (.msi packages) or .rdp files and then distribute the packages throughout your organization. Or, if you want users to access RemoteApp programs over the Web, you can deploy RemoteApp programs to a Web site by using TS Web Access.
TS RemoteApp can reduce complexity and reduce administrative overhead in many situations, including the following:
Branch offices, where there may be limited local IT support and limited network bandwidth.
Situations where users have to access applications remotely.
Deployment of line-of-business (LOB) applications, especially custom LOB applications.
Environments, such as "hot desk" or "hoteling" workspaces, where users do not have assigned computers.
Deployment of multiple versions of an application, especially if installing multiple versions locally would cause conflicts.
For more information about TS RemoteApp, see the TS RemoteApp Step-by-Step Guide.
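The .rdp files that TS RemoteApp Manager produces are plain text, and the settings they carry decide how much trust the client extends to the server before a single keystroke is sent. The following Python script is an added example (not part of this page and not Microsoft tooling): it parses a .rdp file, flags the settings a reviewer should question before distributing the file, and writes a hardened copy. The sample file, its host names and the thresholds that count as findings are constructed for illustration. Note that a TS Gateway authorization policy can still refuse device redirection that a file requests; the file only asks.

```python
"""Audit and harden a Remote Desktop / RemoteApp .rdp file.

Constructed example. The key names are the ones Remote Desktop Connection
reads from .rdp files; which values count as findings is this script's own
review policy, not anything the Terminal Services documentation prescribes.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample of a RemoteApp file published through a TS Gateway.
# Host names are placeholders.
SAMPLE_RDP = """\
remoteapplicationmode:i:1
remoteapplicationprogram:s:||calc
remoteapplicationname:s:Calculator
full address:s:ts01.corp.example
gatewayhostname:s:gw.corp.example
gatewayusagemethod:i:1
authentication level:i:0
redirectclipboard:i:1
redirectprinters:i:1
drivestoredirect:s:*
"""

# (original key, type code, raw value); type is i (int), s (string), b (binary)
Setting = Tuple[str, str, str]
REDIRECT_FLAGS = ("redirectclipboard", "redirectprinters",
                  "redirectcomports", "redirectsmartcards")


def parse_rdp(text: str) -> Dict[str, Setting]:
    """Parse 'key:type:value' lines, keyed by lower-cased name. Values may
    contain ':' (remoteapplicationprogram:s:||calc does), so only the first
    two colons are separators."""
    settings: Dict[str, Setting] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            raise ValueError(f"malformed .rdp line: {raw!r}")
        key, typ, val = parts
        settings[key.strip().lower()] = (key.strip(), typ, val)
    return settings


def _int(settings: Dict[str, Setting], key: str) -> Optional[int]:
    item = settings.get(key)
    return int(item[2]) if item and item[1] == "i" else None


def _str(settings: Dict[str, Setting], key: str) -> str:
    item = settings.get(key)
    return item[2].strip() if item and item[1] == "s" else ""


def audit_rdp(text: str) -> List[Tuple[str, str]]:
    """Return (key, finding) pairs for settings a reviewer should question."""
    s = parse_rdp(text)
    findings: List[Tuple[str, str]] = []
    # authentication level 1 refuses the connection when the server's
    # certificate fails validation; 0 connects silently, 2 asks the user,
    # 3/absent defers to client policy. Only 1 keeps a user off a spoofed
    # terminal server or gateway.
    level = _int(s, "authentication level")
    if level != 1:
        findings.append(("authentication level",
                         f"value {level}; set authentication level:i:1"))
    # A gateway should be named and mandatory (gatewayusagemethod 1).
    gateway = _str(s, "gatewayhostname")
    if not gateway:
        findings.append(("gatewayhostname",
                         "no TS Gateway; client connects directly over RDP"))
    elif _int(s, "gatewayusagemethod") != 1:
        findings.append(("gatewayusagemethod",
                         f"gateway {gateway} configured but not mandatory"))
    # Client resources offered to the session (server-side code reads them).
    drives = _str(s, "drivestoredirect")
    if drives:
        findings.append(("drivestoredirect",
                         f"client drives {drives!r} redirected into the session"))
    for flag in REDIRECT_FLAGS:
        if _int(s, flag) == 1:
            findings.append((flag, "redirection requested; set to 0 unless needed"))
    # TS RemoteApp Manager can sign .rdp files; an unsigned file can be
    # edited (e.g. 'full address' pointed elsewhere) without detection.
    if "signature" not in s:
        findings.append(("signature", "file is unsigned; sign before distribution"))
    return findings


def harden_rdp(text: str) -> str:
    """Rewrite the file with the findings above corrected. Editing a signed
    file invalidates its signature, so re-sign the result."""
    s = parse_rdp(text)
    s["authentication level"] = ("authentication level", "i", "1")
    if _str(s, "gatewayhostname"):
        s["gatewayusagemethod"] = ("gatewayusagemethod", "i", "1")
    s.pop("drivestoredirect", None)
    for flag in REDIRECT_FLAGS:
        if flag in s:
            s[flag] = (flag, "i", "0")
    return "".join(f"{key}:{typ}:{val}\n" for key, typ, val in s.values())


if __name__ == "__main__":
    for key, msg in audit_rdp(SAMPLE_RDP):
        print(f"{key}: {msg}")
    print("--- hardened ---")
    print(harden_rdp(SAMPLE_RDP), end="")
```

Run against the constructed sample, the audit reports the silent-failure authentication level, the wholesale drive redirection, clipboard and printer redirection, and the missing signature; the hardened copy clears everything except the signature, which has to come from TS RemoteApp Manager's signing step rather than from a script.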
TS Web Access lets you make RemoteApp programs and a Remote Desktop connection to the terminal server available to users from a Web browser. With TS Web Access, users can visit a Web site (either from the Internet or from an intranet) to access a list of available RemoteApp programs. When they start a RemoteApp program, a Terminal Services session is started on the terminal server that hosts the RemoteApp program. When you deploy TS Web Access, you can specify which terminal server to use as the data source to populate the list of RemoteApp programs that appears on the Web page.
The Remote Desktop Web Connection feature is also included with TS Web Access. With Remote Desktop Web Connection, a user can specify which computer they want to connect to, and then start a full Remote Desktop session to that computer. To successfully connect, the user must have Remote Desktop access on the destination computer.
For more information about TS Web Access, see the TS RemoteApp Step-by-Step Guide.
TS Licensing manages the TS CALs that are required for each user or device to connect to a terminal server. You use TS Licensing to install, issue, and monitor the availability of TS CALs on a Terminal Services license server.
To use Terminal Services, you must have at least one license server. For small deployments, you can install both the Terminal Server role service and the TS Licensing role service on the same computer. For larger deployments, we recommend that the TS Licensing role service be installed on a separate computer from the Terminal Server role service.
You must configure TS Licensing correctly for your terminal server to continue to accept connections from clients after the initial 120-day licensing grace period expires.
For more information about TS Licensing, see the TS Licensing Step-by-Step Guide.
TS Gateway enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the RDC client. The network resources can be terminal servers, terminal servers that are running RemoteApp programs, or computers that have Remote Desktop enabled. TS Gateway encapsulates Remote Desktop Protocol (RDP) traffic in RPC, and carries the RPC traffic over HTTP on a Secure Sockets Layer (SSL) connection. In this manner, TS Gateway helps improve security by establishing an encrypted connection between remote users on the Internet and the internal network resources on which their productivity applications run.
TS Gateway provides these benefits:
TS Gateway enables remote users to connect to internal network resources over the Internet by using an encrypted connection, without having to configure virtual private network (VPN) connections.
TS Gateway provides a comprehensive security configuration model that enables you to control access to specific internal network resources. TS Gateway provides a point-to-point RDP connection, instead of allowing remote users access to all internal network resources.
TS Gateway enables remote users to connect to internal network resources that are hosted behind firewalls in private networks and across network address translators (NATs). With TS Gateway, you do not have to perform additional configuration for the TS Gateway server or clients for this scenario.
In earlier versions of Windows Server, security measures typically prevented remote users from connecting to internal network resources across firewalls and NATs via RDP, because port 3389, the port that is used for RDP connections, is usually blocked at the perimeter for network security purposes. TS Gateway transmits RDP traffic to port 443 instead, inside an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations already open port 443 for Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls. Note that the SSL/TLS tunnel ends at the TS Gateway server: from the gateway to the internal terminal server or desktop the connection is ordinary RDP (port 3389 by default), so the gateway's authorization policies, not the perimeter firewall, decide which internal computers a remote user can reach.
TS Gateway Manager enables you to configure authorization policies to define conditions that must be met for remote users to connect to internal network resources. For example, you can specify:
Who can connect to network resources (in other words, the user groups that can connect).
What internal network resources (computer groups) users can connect to.
Whether client computers must be members of specific Active Directory® security groups.
Whether device and disk redirection is allowed.
Whether clients have to use smart card authentication or password authentication, or whether they can use either method.
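In TS Gateway Manager these conditions are split between two policy types: a connection authorization policy (TS CAP) governs who may connect, from which client computers, with which authentication method, and whether device redirection is allowed, and a resource authorization policy (TS RAP) governs which internal computers, on which port, that user may then reach. The Python model below is an added example, not TS Gateway's own code or data model: group names, host names and the policy fields are constructed placeholders. It shows how the two layers combine, and why the result is a point-to-point connection: a user admitted by a TS CAP still gets nothing unless some TS RAP covers the exact host and port requested.

```python
"""Two-layer authorization model for TS Gateway (TS CAP then TS RAP).

Constructed example: a simplified stand-in for TS Gateway's policy model,
with placeholder group and host names.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Sequence


@dataclass(frozen=True)
class Request:
    user: str
    user_groups: FrozenSet[str]
    client_groups: FrozenSet[str]      # AD security groups of the client computer
    auth_method: str                   # "password" or "smartcard"
    wants_redirection: bool
    target_host: str
    target_port: int


@dataclass(frozen=True)
class ConnectionPolicy:                # TS CAP
    name: str
    user_groups: FrozenSet[str]
    client_groups: FrozenSet[str] = frozenset()   # empty = any client computer
    auth_methods: FrozenSet[str] = frozenset({"password", "smartcard"})
    allow_redirection: bool = False


@dataclass(frozen=True)
class ResourcePolicy:                  # TS RAP
    name: str
    user_groups: FrozenSet[str]
    computers: FrozenSet[str]          # computer group; empty = any computer
    ports: FrozenSet[int] = frozenset({3389})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    redirection: bool = False


def _cap_matches(p: ConnectionPolicy, r: Request) -> bool:
    return (bool(p.user_groups & r.user_groups)
            and (not p.client_groups or bool(p.client_groups & r.client_groups))
            and r.auth_method in p.auth_methods)


def _rap_matches(p: ResourcePolicy, r: Request) -> bool:
    return (bool(p.user_groups & r.user_groups)
            and (not p.computers or r.target_host in p.computers)
            and r.target_port in p.ports)


def authorize(r: Request, caps: Iterable[ConnectionPolicy],
              raps: Iterable[ResourcePolicy]) -> Decision:
    """The first matching CAP governs the connection; then some RAP must
    cover the requested host and port. Without both, the gateway refuses.
    Redirection is granted only if the client asked AND the CAP allows it."""
    cap = next((p for p in caps if _cap_matches(p, r)), None)
    if cap is None:
        return Decision(False, f"no connection policy admits {r.user} "
                               f"({r.auth_method}, client {sorted(r.client_groups)})")
    rap = next((p for p in raps if _rap_matches(p, r)), None)
    if rap is None:
        return Decision(False, f"no resource policy lets {r.user} reach "
                               f"{r.target_host}:{r.target_port}")
    return Decision(True, f"{cap.name} + {rap.name}",
                    redirection=r.wants_redirection and cap.allow_redirection)


# Constructed policies: smart-card logon from managed workstations only, no
# device redirection, and only the terminal server farm on the RDP port.
CAPS = [ConnectionPolicy("Staff-CAP", frozenset({"TSG-Users"}),
                         client_groups=frozenset({"Managed-Workstations"}),
                         auth_methods=frozenset({"smartcard"}))]
RAPS = [ResourcePolicy("Farm-RAP", frozenset({"TSG-Users"}),
                       frozenset({"ts01.corp.example", "ts02.corp.example"}))]


def make_request(user: str, groups: Sequence[str], client: Sequence[str],
                 method: str, host: str, port: int = 3389,
                 redir: bool = True) -> Request:
    return Request(user, frozenset(groups), frozenset(client), method,
                   redir, host, port)


if __name__ == "__main__":
    for r in (
        make_request("alice", ["TSG-Users"], ["Managed-Workstations"], "smartcard", "ts01.corp.example"),
        make_request("alice", ["TSG-Users"], ["Managed-Workstations"], "smartcard", "fs01.corp.example"),
        make_request("alice", ["TSG-Users"], ["Managed-Workstations"], "smartcard", "ts01.corp.example", 445),
        make_request("bob", ["TSG-Users"], ["Managed-Workstations"], "password", "ts01.corp.example"),
        make_request("carol", ["TSG-Users"], ["Home-PCs"], "smartcard", "ts01.corp.example"),
    ):
        print(r.user, f"{r.target_host}:{r.target_port}", authorize(r, CAPS, RAPS))
```

In the constructed run, only the first request succeeds, and it succeeds without device redirection because the CAP denies it even though the client asked. The other four fail for the reasons the list above enumerates: wrong target computer, wrong port (445 is not in the RAP, so the gateway is not a generic TCP tunnel), password instead of smart card, and a client computer outside the required group.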
You can configure TS Gateway servers and Terminal Services clients to use Network Access Protection (NAP) to further enhance security. NAP is a health policy creation, enforcement, and remediation technology that is included in Windows Server 2008, Windows Vista®, and Windows XP with Service Pack 3 (SP3). With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings.
Note: Computers that are running Windows Server 2008 cannot be used as NAP clients when TS Gateway enforces NAP. Only computers that are running Windows Vista or Windows XP with SP3 can be used as NAP clients when TS Gateway enforces NAP.
You can use a TS Gateway server together with Microsoft Internet Security and Acceleration (ISA) Server to enhance security. In this scenario, you can host TS Gateway servers in a private network instead of a perimeter network (also known as DMZ, demilitarized zone, and screened subnet), and host ISA Server in the perimeter network. Or, ISA Server can serve as an isolation point for either or both ends of the perimeter network. The SSL connection between the Terminal Services client and ISA Server can be terminated at the ISA Server, which is Internet-facing (SSL bridging), so that ISA Server can inspect the HTTP traffic before forwarding it to the TS Gateway server.
TS Gateway Manager provides tools to help you monitor TS Gateway connection status, health, and events. By using TS Gateway Manager, you can specify events (such as unsuccessful connection attempts to the TS Gateway server) that you want to monitor for auditing purposes.
For more information about TS Gateway, see the TS Gateway Step-by-Step Guide.
TS Session Broker keeps track of user sessions in a load-balanced terminal server farm. The TS Session Broker database stores session state information that includes session IDs, their associated user names, and the name of the server where each session resides. When a user who has an existing session connects to a terminal server in the load-balanced farm, TS Session Broker redirects the user to the terminal server where their session exists. This prevents the user from being connected to a different server in the farm and starting a new session.
If the TS Session Broker Load Balancing feature is enabled, TS Session Broker also tracks the number of user sessions on each terminal server in the farm, and redirects users who do not have an existing session to the server that has the fewest sessions. This functionality enables you to evenly distribute the session load between servers in a load-balanced terminal server farm.
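The two rules above (reconnect to an existing session wherever it lives; otherwise go to the least loaded server) are small enough to model end to end. The Python below is an added example and not TS Session Broker's own code: server names are placeholders, and the alphabetical tie-break between equally loaded servers is an assumption. The model also shows why the broker keys sessions on the user name, which is the same identity the terminal server authenticated: a reconnecting client gets back exactly the session that account owns, and nothing else.

```python
"""Model of the TS Session Broker redirection decision.

Constructed example, not TS Session Broker's own code. Server names are
placeholders; the alphabetical tie-break is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class SessionRecord:
    session_id: int
    user: str                  # the authenticated name reconnection is keyed on
    server: str
    state: str = "active"      # "active" or "disconnected"


class SessionBroker:
    def __init__(self, servers: Iterable[str]) -> None:
        self.servers: List[str] = list(servers)
        self.sessions: Dict[int, SessionRecord] = {}
        self._next_id = 1

    def load(self, server: str) -> int:
        """Sessions (active or disconnected) currently hosted on a server."""
        return sum(1 for s in self.sessions.values() if s.server == server)

    def find_session(self, user: str) -> Optional[SessionRecord]:
        return next((s for s in self.sessions.values() if s.user == user), None)

    def route(self, user: str) -> str:
        """Return the farm member the connecting client is redirected to."""
        # Reconnection wins over load balancing: a user with a session
        # anywhere in the farm goes back to it, so no second session is
        # started on a less loaded server and no work is orphaned.
        existing = self.find_session(user)
        if existing is not None:
            existing.state = "active"
            return existing.server
        # New user: least loaded server; ties broken by name (assumption).
        target = min(self.servers, key=lambda srv: (self.load(srv), srv))
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = SessionRecord(sid, user, target)
        return target

    def disconnect(self, user: str) -> None:
        """Client dropped; the session stays on its server."""
        s = self.find_session(user)
        if s is not None:
            s.state = "disconnected"

    def logoff(self, user: str) -> None:
        """Session ended; the broker forgets it."""
        s = self.find_session(user)
        if s is not None:
            del self.sessions[s.session_id]


def demo() -> Dict[str, str]:
    """Six users into a three-server farm, then a logoff, a drop and a reconnect."""
    broker = SessionBroker(["ts01", "ts02", "ts03"])
    result = {u: broker.route(u)
              for u in ("alice", "bob", "carol", "dave", "erin", "frank")}
    broker.logoff("bob")                 # ts02 now holds one session, ts01 two
    broker.disconnect("alice")
    # Without a broker alice would land on ts02 (least loaded); with one she
    # returns to her disconnected session on ts01.
    result["alice-reconnect"] = broker.route("alice")
    result["grace"] = broker.route("grace")   # new user: least loaded, ts02
    return result


if __name__ == "__main__":
    for who, where in demo().items():
        print(f"{who:16} -> {where}")
```

The constructed walk-through fills the farm round-robin (because every new user goes to the emptiest server), then demonstrates the reconnection rule overriding the load rule: after bob logs off, ts02 is the least loaded server, yet alice is sent back to ts01 where her disconnected session waits, while the genuinely new user grace goes to ts02.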
For more information about TS Session Broker, see the TS Session Broker Load Balancing Step-by-Step Guide.