
Terminal Services, Active Directory, Domains



Guest DiFFeReNT
Posted

I have a computer running Windows Server 2003 that I want to set up to be used exclusively as a Terminal Server.

Basically I need to allow:

a) Macs on the local network to remote desktop into the server (PC-only apps) and

b) PCs/Macs outside the local network (WAN) to remote desktop into the server (access same two apps)

It has to allow multiple users to be connected simultaneously. In addition, all terminal services users need to be "locked down", so only the two applications can be accessed, and the rest of the system can't be tampered with.

After a failed Group Policy experiment, I now know that I need to use Active Directory to set up security measures, which brings me to my first question:

1) Can Active Directory provide the kind of security I'm looking for? (two apps, nothing else)

Also, I've read that having a Terminal Server and Active Directory on the same computer is a huge security risk.

2) How severe is this risk?

Again, the server is for terminal services only. Windows workstations do not need to log on to this domain. Which brings me to my third question:

3) Since the server has to be on a Domain for Active Directory to be used, does that mean that all computers (PCs/Macs) on the local network have to be on that domain to get access to terminal services?

Since this server might not always be reliable, I can't have all local computers relying on it to boot up with their usual desktops, resources and access to vital local data on other computers on the network.

Do I need to be looking at a different kind of solution for local Macs and remote PCs/Macs to access the two applications, or is Terminal Services + Active Directory + Domains the only way to achieve what I'm trying to do?

Thanks a lot for your help (I've been trying to figure this out for 6 months, so really, thank you),

DiFFeReNT


Guest Mathieu CHATEAU
Posted

Re: Terminal Services, Active Directory, Domains

 

Hello,

Terminal Server on a DC is very bad, but you are not using AD for your workstations, so we don't really care.

I don't understand why you want an AD to make GPO? You can leave it as a workgroup and apply the same GPO.

You will have to put your terminal server in "application mode" to get more than 2 simultaneous connections.

You will have to buy a Terminal Server license, and activate it on the server.

For this setup, for once, I may recommend not an MS product (TSE), but Go-Global:

http://www.graphon.com/

It's a commercial product that sits between TSE and Citrix. I tested it out a long time ago, and it was really cool.

With this product, you will be able to publish only your application, not the desktop. You will have to install their client on Windows and Mac (they have a client for it).

So you won't have to buy a TSE license. It can even work on Windows XP, but I would not recommend this, or only if your application behaves poorly on real TSE.

--

Regards,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

"DiFFeReNT" <ChrisLampson@gmail.com> wrote in message news:1187451377.171435.315410@22g2000hsm.googlegroups.com...


Guest DiFFeReNT
Posted

Re: Terminal Services, Active Directory, Domains

 

> I don't understand why you want an AD to make GPO? You can leave it as a workgroup and apply the same GPO.

I will NEVER do that again. You apply the settings, which restrict the admin user, then you have to log in to every user for it to get applied to them (which makes adding a new user troublesome), then when you get back to admin and undo the settings, it somehow undoes some settings for other users, and sometimes that happens anyways for whatever reason.... No. I need to be able to control all users from one location, one user.

> You will have to put your terminal server in "application mode" to get more than 2 simultaneous connections.

I don't know what that means, unless you're talking about the Advanced tab in Performance Options.

Regardless, I don't remember ever having to do that when I tried it without AD before.

> For this setup, for once, I may recommend not an MS product (TSE), but Go-Global: http://www.graphon.com/

Once I read more about it, and find a price tag, we'll see...

Thanks for your help,

DiFFeReNT

Guest DiFFeReNT
Posted

Re: Terminal Services, Active Directory, Domains

 

> > For this setup, for once, I may recommend not an MS product (TSE), but Go-Global: http://www.graphon.com/

Go-Global actually does look nice..

A reseller has it for:

$295/each -- 3 User Minimum

$45 -- Annual Maintenance

Ow, that's more than TS 5 user CAL, but I'm gonna contact them directly about pricing anyways.

Thanks again

