Getting back SBS TS access

[Bill M.]

I made the choice due to the numbers of workstations to move from SBS 2003
R2 to full dedicated servers with roles on many servers. After weeks of
fighting. Four calls to Microsoft at hundreds of dollars and we are up and
running on the new gear.. What a month. So now I have two items that I am
lost to fix. ( Well with out a further expensive call to Microsoft) So lets
see if I can solve it with the wisdom on line here. Both are related to
Termnal Service.

a) On the server that has the Terminal Server running .. If I log onto the
TS I of course need to be approved for access . If I go to the Domain Active
Directory there is no Remote Desktop Group to assign for that user. But
there is on the server that has the TS on it. So I need to approve the user
local and it works.. How do I get this up to the Domain level of control
rather then local...

b) So on SBS there is the great web based interface that allows you to
connect to the Server or a Workstation attached to the LAN.. No one told me
that I was going to loose this when I did the Transition Pack but my users
love to remind me about the lack of remote access to the Workstation.. So
not being a web developer .. Any suggestions on getting back the ability to
access the workstation.

Many thanks to those who respond

Bill

 

[Lanwench [MVP - Exchange]]

Re: Getting back SBS TS access

Bill M. <BillM@discussions.microsoft.com> wrote:
> I made the choice due to the numbers of workstations to move from
> SBS 2003 R2 to full dedicated servers with roles on many servers.
> After weeks of fighting. Four calls to Microsoft at hundreds of
> dollars and we are up and running on the new gear.. What a month.

Congratulations on your survival....

> So now I have two items that I am lost to fix. ( Well with out a
> further expensive call to Microsoft) So lets see if I can solve it
> with the wisdom on line here. Both are related to Termnal Service.
>
> a) On the server that has the Terminal Server running ..

Which is a member server, right?

> If I log
> onto the TS I of course need to be approved for access . If I go to
> the Domain Active Directory there is no Remote Desktop Group to
> assign for that user. But there is on the server that has the TS on
> it. So I need to approve the user local and it works.. How do I get
> this up to the Domain level of control rather then local...

Create an AD security group called "TS Users". Add it to the server's local
Remote Desktop Users group.
Add the domain users you wish to TS Users.

>
> b) So on SBS there is the great web based interface that allows you to
> connect to the Server or a Workstation attached to the LAN.. No one
> told me that I was going to loose this when I did the Transition Pack
> but my users love to remind me about the lack of remote access to the
> Workstation.. So not being a web developer .. Any suggestions on
> getting back the ability to access the workstation.

There's no Remote Web Workplace in non-SBS environments (and yes, I agree
that it'd be nice to have). Since you've got TS, the users can't
legitimately need RD access to their desktops any longer, can they? You can
just have them use the RD client to get to server.domain.com - or install
TSWeb.
>
> Many thanks to those who respond
>
> Bill

 

[AnchorDave]

Re: Getting back SBS TS access

I agree the SBS remote web workplace is a nice feature but this is easy to
duplicate in a non sbs environment.

on your firewall create a range of open ports , for example 10,000-10,100

for each internal machine that a user wants external access to create a
custom firewall rule that redirect the external port to the internal RDP
port( default of 3389)

eg. a user with internal ip address of 10.1.1.50 and the assigned firewall
port of 10,001 and an external domain name of domain.com could connect to
their workstation from any computer using.

mstsc /v:domain.com:10001

there are other ways of doing this also but this for me is the best and most
secure

"Lanwench [MVP - Exchange]" wrote:

> Bill M. <BillM@discussions.microsoft.com> wrote:
> > I made the choice due to the numbers of workstations to move from
> > SBS 2003 R2 to full dedicated servers with roles on many servers.
> > After weeks of fighting. Four calls to Microsoft at hundreds of
> > dollars and we are up and running on the new gear.. What a month.
>
> Congratulations on your survival....
>
> > So now I have two items that I am lost to fix. ( Well with out a
> > further expensive call to Microsoft) So lets see if I can solve it
> > with the wisdom on line here. Both are related to Termnal Service.
> >
> > a) On the server that has the Terminal Server running ..
>
> Which is a member server, right?
>
> > If I log
> > onto the TS I of course need to be approved for access . If I go to
> > the Domain Active Directory there is no Remote Desktop Group to
> > assign for that user. But there is on the server that has the TS on
> > it. So I need to approve the user local and it works.. How do I get
> > this up to the Domain level of control rather then local...
>
> Create an AD security group called "TS Users". Add it to the server's local
> Remote Desktop Users group.
> Add the domain users you wish to TS Users.
>
> >
> > b) So on SBS there is the great web based interface that allows you to
> > connect to the Server or a Workstation attached to the LAN.. No one
> > told me that I was going to loose this when I did the Transition Pack
> > but my users love to remind me about the lack of remote access to the
> > Workstation.. So not being a web developer .. Any suggestions on
> > getting back the ability to access the workstation.
>
> There's no Remote Web Workplace in non-SBS environments (and yes, I agree
> that it'd be nice to have). Since you've got TS, the users can't
> legitimately need RD access to their desktops any longer, can they? You can
> just have them use the RD client to get to server.domain.com - or install
> TSWeb.
> >
> > Many thanks to those who respond
> >
> > Bill
>
>
>
>

 

[Lanwench [MVP - Exchange]]

Re: Getting back SBS TS access

AnchorDave <AnchorDave@discussions.microsoft.com> wrote:
> I agree the SBS remote web workplace is a nice feature but this is
> easy to duplicate in a non sbs environment.
>
> on your firewall create a range of open ports , for example
> 10,000-10,100
>
> for each internal machine that a user wants external access to create
> a custom firewall rule that redirect the external port to the
> internal RDP port( default of 3389)
>
> eg. a user with internal ip address of 10.1.1.50 and the assigned
> firewall port of 10,001 and an external domain name of domain.com
> could connect to their workstation from any computer using.
>
> mstsc /v:domain.com:10001
>
> there are other ways of doing this also but this for me is the best
> and most secure

Oy. I've had to deal with this before. It's a complete nightmare to manage,
doesn't scale well, and you have to have non-changing LAN IPs on the
workstations. Not worth it!

Better option would be something like an SSL VPN appliance....Sonicwall or
other.
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> Bill M. <BillM@discussions.microsoft.com> wrote:
>>> I made the choice due to the numbers of workstations to move from
>>> SBS 2003 R2 to full dedicated servers with roles on many servers.
>>> After weeks of fighting. Four calls to Microsoft at hundreds of
>>> dollars and we are up and running on the new gear.. What a month.
>>
>> Congratulations on your survival....
>>
>>> So now I have two items that I am lost to fix. ( Well with out a
>>> further expensive call to Microsoft) So lets see if I can solve it
>>> with the wisdom on line here. Both are related to Termnal Service.
>>>
>>> a) On the server that has the Terminal Server running ..
>>
>> Which is a member server, right?
>>
>>> If I log
>>> onto the TS I of course need to be approved for access . If I go to
>>> the Domain Active Directory there is no Remote Desktop Group to
>>> assign for that user. But there is on the server that has the TS on
>>> it. So I need to approve the user local and it works.. How do I
>>> get this up to the Domain level of control rather then local...
>>
>> Create an AD security group called "TS Users". Add it to the
>> server's local Remote Desktop Users group.
>> Add the domain users you wish to TS Users.
>>
>>>
>>> b) So on SBS there is the great web based interface that allows you
>>> to connect to the Server or a Workstation attached to the LAN..
>>> No one told me that I was going to loose this when I did the
>>> Transition Pack but my users love to remind me about the lack of
>>> remote access to the Workstation.. So not being a web developer
>>> .. Any suggestions on getting back the ability to access the
>>> workstation.
>>
>> There's no Remote Web Workplace in non-SBS environments (and yes, I
>> agree that it'd be nice to have). Since you've got TS, the users
>> can't legitimately need RD access to their desktops any longer, can
>> they? You can just have them use the RD client to get to
>> server.domain.com - or install TSWeb.
>>>
>>> Many thanks to those who respond
>>>
>>> Bill

 

[AnchorDave]

Re: Getting back SBS TS access

Totally agree, nightmare to manage and requires static ip's but for 1 or 2
users a valid and easy quick solution that requires no additional hardware or
software.

the functionality of the sbs desktop gateway is hard to duplicate at any
price really, i would love to see it available for non SBS server
environments.

a ssl vpn is the best solution, fortinet have a ssl remote desktop client
built in to their firewalls



"Lanwench [MVP - Exchange]" wrote:

> AnchorDave <AnchorDave@discussions.microsoft.com> wrote:
> > I agree the SBS remote web workplace is a nice feature but this is
> > easy to duplicate in a non sbs environment.
> >
> > on your firewall create a range of open ports , for example
> > 10,000-10,100
> >
> > for each internal machine that a user wants external access to create
> > a custom firewall rule that redirect the external port to the
> > internal RDP port( default of 3389)
> >
> > eg. a user with internal ip address of 10.1.1.50 and the assigned
> > firewall port of 10,001 and an external domain name of domain.com
> > could connect to their workstation from any computer using.
> >
> > mstsc /v:domain.com:10001
> >
> > there are other ways of doing this also but this for me is the best
> > and most secure
>
> Oy. I've had to deal with this before. It's a complete nightmare to manage,
> doesn't scale well, and you have to have non-changing LAN IPs on the
> workstations. Not worth it!
>
> Better option would be something like an SSL VPN appliance....Sonicwall or
> other.
> >
> > "Lanwench [MVP - Exchange]" wrote:
> >
> >> Bill M. <BillM@discussions.microsoft.com> wrote:
> >>> I made the choice due to the numbers of workstations to move from
> >>> SBS 2003 R2 to full dedicated servers with roles on many servers.
> >>> After weeks of fighting. Four calls to Microsoft at hundreds of
> >>> dollars and we are up and running on the new gear.. What a month.
> >>
> >> Congratulations on your survival....
> >>
> >>> So now I have two items that I am lost to fix. ( Well with out a
> >>> further expensive call to Microsoft) So lets see if I can solve it
> >>> with the wisdom on line here. Both are related to Termnal Service.
> >>>
> >>> a) On the server that has the Terminal Server running ..
> >>
> >> Which is a member server, right?
> >>
> >>> If I log
> >>> onto the TS I of course need to be approved for access . If I go to
> >>> the Domain Active Directory there is no Remote Desktop Group to
> >>> assign for that user. But there is on the server that has the TS on
> >>> it. So I need to approve the user local and it works.. How do I
> >>> get this up to the Domain level of control rather then local...
> >>
> >> Create an AD security group called "TS Users". Add it to the
> >> server's local Remote Desktop Users group.
> >> Add the domain users you wish to TS Users.
> >>
> >>>
> >>> b) So on SBS there is the great web based interface that allows you
> >>> to connect to the Server or a Workstation attached to the LAN..
> >>> No one told me that I was going to loose this when I did the
> >>> Transition Pack but my users love to remind me about the lack of
> >>> remote access to the Workstation.. So not being a web developer
> >>> .. Any suggestions on getting back the ability to access the
> >>> workstation.
> >>
> >> There's no Remote Web Workplace in non-SBS environments (and yes, I
> >> agree that it'd be nice to have). Since you've got TS, the users
> >> can't legitimately need RD access to their desktops any longer, can
> >> they? You can just have them use the RD client to get to
> >> server.domain.com - or install TSWeb.
> >>>
> >>> Many thanks to those who respond
> >>>
> >>> Bill
>
>
>
>