Terminal Services, Active Directory, Domains

[Guest DiFFeReNT]

I have a computer running Windows Server 2003 that I want to setup to

be used exclusively as a Terminal Server.

Basically I need to allow:

a) Macs on the local network to remote desktop into the server (PC-

only apps) and

b) PCs/Macs outside the local network (WAN) to remote desktop into the

server (access same two apps)

 

It has to allow multiple users to be connected simultaneously. In

addition, all terminal services users need to be "locked down", so

only the two applications can be accessed, and the rest of the system

can't be tampered with.

 

After a failed Group Policy experiment, I now know that I need to use

Active directory to setup security measures, which brings me to my

first question:

1) Can Active Directory provide the kind of security I'm looking for?

(two apps, nothing else)

 

Also, I've read that having a Terminal Server and Active Directory on

the same computer is a huge security risk.

2) How severe is this risk?

 

Again, the server is for terminal services only. Windows workstations

do not need to logon to this domain. Which brings me to my third

question:

3) Since the server has to be on a Domain for Active Directory to be

used, does that mean that all computers (PCs/Macs) on the local

network have to be on that domain to get access to terminal services?

 

 

Since this server might not always be reliable, I can't have all local

computer relying on it to boot up with their usual desktops, resources

and access to vital local data on other computers on the network.

 

Do I need to be looking at a different kind of solution for local Macs

and remote PCs/Macs to access the two applications, or is Terminal

Services + Active Directory + Domains the only way to achieve what I'm

trying to do?

 

Thanks a lot for your help (I've been trying to figure this out for 6

months, so really, thank you),

DiFFeReNT

[Guest Mathieu CHATEAU]

Re: Terminal Services, Active Directory, Domains

 

hello,

 

Terminal Server on a DC is very bad, but you are not using AD for your

workstation, so we don't really care.

 

I don't understand why you want an AD to make GPO ? You can let it as a

workgroup and apply the same GPO.

 

You will have to put your terminal server in "application mode" to get more

than 2 simultaneous connection.

You will have to buy Terminal server licence, and activate it on the server.

 

For this setup, for once, i may recommend not a MS Product (TSE), but

Go-Global.:

http://www.graphon.com/

 

It's a commercial product, that is between TSE and Citrix. I have tested it

out a long ago, it was really cool.

With this product, you will be able to publish only your application, not

the desktop. You will have to install their client on Windows and Mac (they

have client for it).

 

So you won't have to buy TSE license. It can even work on a windows XP but I

would not recommend this, or only if your application behave poorly on real

TSE.

 

 

--

Cordialement,

Mathieu CHATEAU

http://lordoftheping.blogspot.com

 

 

"DiFFeReNT" <ChrisLampson@gmail.com> wrote in message

news:1187451377.171435.315410@22g2000hsm.googlegroups.com...

>I have a computer running Windows Server 2003 that I want to setup to

> be used exclusively as a Terminal Server.

> Basically I need to allow:

> a) Macs on the local network to remote desktop into the server (PC-

> only apps) and

> b) PCs/Macs outside the local network (WAN) to remote desktop into the

> server (access same two apps)

>

> It has to allow multiple users to be connected simultaneously. In

> addition, all terminal services users need to be "locked down", so

> only the two applications can be accessed, and the rest of the system

> can't be tampered with.

>

> After a failed Group Policy experiment, I now know that I need to use

> Active directory to setup security measures, which brings me to my

> first question:

> 1) Can Active Directory provide the kind of security I'm looking for?

> (two apps, nothing else)

>

> Also, I've read that having a Terminal Server and Active Directory on

> the same computer is a huge security risk.

> 2) How severe is this risk?

>

> Again, the server is for terminal services only. Windows workstations

> do not need to logon to this domain. Which brings me to my third

> question:

> 3) Since the server has to be on a Domain for Active Directory to be

> used, does that mean that all computers (PCs/Macs) on the local

> network have to be on that domain to get access to terminal services?

>

>

> Since this server might not always be reliable, I can't have all local

> computer relying on it to boot up with their usual desktops, resources

> and access to vital local data on other computers on the network.

>

> Do I need to be looking at a different kind of solution for local Macs

> and remote PCs/Macs to access the two applications, or is Terminal

> Services + Active Directory + Domains the only way to achieve what I'm

> trying to do?

>

> Thanks a lot for your help (I've been trying to figure this out for 6

> months, so really, thank you),

> DiFFeReNT

>

[Guest DiFFeReNT]

Re: Terminal Services, Active Directory, Domains

 

> I don't understand why you want an AD to make GPO ? You can let it as a

> workgroup and apply the same GPO.

 

I will NEVER do that again. You apply the settings, which restrict the

admin user, then you have to log in to every user for it to get

applied to them (which makes adding a new user troublesome), then w

when you get back to admin and undo the settings, it somehoundoes some

settings for other users, and sometimes that happens anyways for

whatever reason.... No. I need to be able control all users from one

location, one user.

> You will have to put your terminal server in "application mode" to get more

> than 2 simultaneous connection.

 

I don't know what that means, unless your talking about the Advanced

tab in Performance Options.

Regardless, I don't remember ever having to do that when I tried it

without AD before.

 

> For this setup, for once, i may recommend not a MS Product (TSE), but

> Go-Global.:http://www.graphon.com/

 

Once I read more about it, and find a price tag, we'll see...

 

Thanks for your help,

DiFFeReNT

[Guest DiFFeReNT]

Re: Terminal Services, Active Directory, Domains

 

> > For this setup, for once, i may recommend not a MS Product (TSE), but

> > Go-Global.:http://www.graphon.com/

 

Go-Global actually does look nice..

 

A reseller has it for:

$295/each -- 3 User Minimum

$45 -- Annual Maintenance

 

Ow, that's more than TS 5 user CAL, but I'm gonna contact them direct

about pricing anyways.

 

Thanks again