Terminal Services, Active Directory, Domains

  • Thread starter Thread starter DiFFeReNT
  • Start date Start date
D

DiFFeReNT

Guest
I have a computer running Windows Server 2003 that I want to setup to
be used exclusively as a Terminal Server.
Basically I need to allow:
a) Macs on the local network to remote desktop into the server (PC-
only apps) and
b) PCs/Macs outside the local network (WAN) to remote desktop into the
server (access same two apps)

It has to allow multiple users to be connected simultaneously. In
addition, all terminal services users need to be "locked down", so
only the two applications can be accessed, and the rest of the system
can't be tampered with.

After a failed Group Policy experiment, I now know that I need to use
Active directory to setup security measures, which brings me to my
first question:
1) Can Active Directory provide the kind of security I'm looking for?
(two apps, nothing else)

Also, I've read that having a Terminal Server and Active Directory on
the same computer is a huge security risk.
2) How severe is this risk?

Again, the server is for terminal services only. Windows workstations
do not need to logon to this domain. Which brings me to my third
question:
3) Since the server has to be on a Domain for Active Directory to be
used, does that mean that all computers (PCs/Macs) on the local
network have to be on that domain to get access to terminal services?


Since this server might not always be reliable, I can't have all local
computer relying on it to boot up with their usual desktops, resources
and access to vital local data on other computers on the network.

Do I need to be looking at a different kind of solution for local Macs
and remote PCs/Macs to access the two applications, or is Terminal
Services + Active Directory + Domains the only way to achieve what I'm
trying to do?

Thanks a lot for your help (I've been trying to figure this out for 6
months, so really, thank you),
DiFFeReNT
 
Re: Terminal Services, Active Directory, Domains

hello,

Terminal Server on a DC is very bad, but you are not using AD for your
workstation, so we don't really care.

I don't understand why you want an AD to make GPO ? You can let it as a
workgroup and apply the same GPO.

You will have to put your terminal server in "application mode" to get more
than 2 simultaneous connection.
You will have to buy Terminal server licence, and activate it on the server.

For this setup, for once, i may recommend not a MS Product (TSE), but
Go-Global.:
http://www.graphon.com/

It's a commercial product, that is between TSE and Citrix. I have tested it
out a long ago, it was really cool.
With this product, you will be able to publish only your application, not
the desktop. You will have to install their client on Windows and Mac (they
have client for it).

So you won't have to buy TSE license. It can even work on a windows XP but I
would not recommend this, or only if your application behave poorly on real
TSE.


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"DiFFeReNT" <ChrisLampson@gmail.com> wrote in message
news:1187451377.171435.315410@22g2000hsm.googlegroups.com...
>I have a computer running Windows Server 2003 that I want to setup to
> be used exclusively as a Terminal Server.
> Basically I need to allow:
> a) Macs on the local network to remote desktop into the server (PC-
> only apps) and
> b) PCs/Macs outside the local network (WAN) to remote desktop into the
> server (access same two apps)
>
> It has to allow multiple users to be connected simultaneously. In
> addition, all terminal services users need to be "locked down", so
> only the two applications can be accessed, and the rest of the system
> can't be tampered with.
>
> After a failed Group Policy experiment, I now know that I need to use
> Active directory to setup security measures, which brings me to my
> first question:
> 1) Can Active Directory provide the kind of security I'm looking for?
> (two apps, nothing else)
>
> Also, I've read that having a Terminal Server and Active Directory on
> the same computer is a huge security risk.
> 2) How severe is this risk?
>
> Again, the server is for terminal services only. Windows workstations
> do not need to logon to this domain. Which brings me to my third
> question:
> 3) Since the server has to be on a Domain for Active Directory to be
> used, does that mean that all computers (PCs/Macs) on the local
> network have to be on that domain to get access to terminal services?
>
>
> Since this server might not always be reliable, I can't have all local
> computer relying on it to boot up with their usual desktops, resources
> and access to vital local data on other computers on the network.
>
> Do I need to be looking at a different kind of solution for local Macs
> and remote PCs/Macs to access the two applications, or is Terminal
> Services + Active Directory + Domains the only way to achieve what I'm
> trying to do?
>
> Thanks a lot for your help (I've been trying to figure this out for 6
> months, so really, thank you),
> DiFFeReNT
>
 
Re: Terminal Services, Active Directory, Domains

> I don't understand why you want an AD to make GPO ? You can let it as a
> workgroup and apply the same GPO.

I will NEVER do that again. You apply the settings, which restrict the
admin user, then you have to log in to every user for it to get
applied to them (which makes adding a new user troublesome), then w
when you get back to admin and undo the settings, it somehoundoes some
settings for other users, and sometimes that happens anyways for
whatever reason.... No. I need to be able control all users from one
location, one user.

> You will have to put your terminal server in "application mode" to get more
> than 2 simultaneous connection.

I don't know what that means, unless your talking about the Advanced
tab in Performance Options.
Regardless, I don't remember ever having to do that when I tried it
without AD before.


> For this setup, for once, i may recommend not a MS Product (TSE), but
> Go-Global.:http://www.graphon.com/

Once I read more about it, and find a price tag, we'll see...

Thanks for your help,
DiFFeReNT
 
Re: Terminal Services, Active Directory, Domains

> > For this setup, for once, i may recommend not a MS Product (TSE), but
> > Go-Global.:http://www.graphon.com/

Go-Global actually does look nice..

A reseller has it for:
$295/each -- 3 User Minimum
$45 -- Annual Maintenance

Ow, that's more than TS 5 user CAL, but I'm gonna contact them direct
about pricing anyways.

Thanks again
 
Back
Top