Windows Server 2008 Terminal Services Web Access (Part 2)
If you missed the first part in this article series please read Windows Server 2008 Terminal Services Web Access (Part 1).
In part one of this two-part article, we reviewed the capabilities and use cases of TS Web Access and installed the related Roles and Services. In part two, we will configure TS Web Access and examine other aspects including farm coordination and SharePoint Services integration.
Once the appropriate roles have been installed, the following is a high-level list of tasks that must be performed to complete the configuration of TS Web Access for use by clients.
- Configure the TS Web Access web part data source
- Configure the TS Web Access Computers security group membership
- Enable TS Web Access on RemoteApp applications
- Ensure clients meet the prerequisites for use
The TS Web Access Data Source
The TS Web Access component can display RemoteApp programs from any terminal server; however, it can only display the applications from one terminal server at a time. If TS Web Access is installed on a terminal server, the default configuration will display the RemoteApp applications from itself, requiring no further action. However, if the TS Web Access role is being installed on its own, the web part must be configured.
To configure the web part, you must be either a member of the local TS Web Access Admins group or logged on as the local Administrator account.
- Open the TS Web Access Administration web site. You can do this by either using the TS Web Access Administration shortcut on the Administrative Tools start menu or by connecting to the TS Web Access web site using Internet Explorer and selecting the Configuration button (see Figure 1).
- In the Editor Zone of the Configuration web page, enter the name of the terminal server from which to populate the web part. Click Apply.
The change takes effect immediately and any RemoteApp programs configured for TS Web Access will immediately populate the RemoteApp Programs screen in the web part.
The TS Web Access Computers Security Group
As stated previously, TS Web Access does not need to be installed on a Terminal Server. If the TS Web Access server and the terminal server that hosts the RemoteApp programs are separate servers, the computer account of the TS Web Access server must be added to the TS Web Access Computers security group on the terminal server to enable the web part to display applications from that terminal server.
Because the TS Web Access server’s computer account must be added to a security group on the terminal server, the TS Web Access server must be a member of an accessible security context – either the same Active Directory domain or a trusted Active Directory domain.
The TS Web Access Computers group will be even more important when we get to the SharePoint Integration section later.
Enabling RemoteApp applications for TS Web Access
Once TS Web Access has been installed and configured, the applications that are published on the selected terminal server must be enabled to use TS Web Access. By default, all applications are enabled for this functionality; however, those that are not yet enabled can be configured using the TS RemoteApp Manager MMC.
Open the TS RemoteApp Manager. The TS Web Access column indicates whether web access is enabled for each application (see Figure 2).
You can enable applications that are labeled “No” one of two ways:
- Right click on the application in the RemoteApp Programs list and select Show in TS Web Access.
- Right click on the application in the RemoteApp Programs list, select Properties, and check the box labeled RemoteApp program is available through TS Web Access.
Once the applications have been enabled for TS Web Access, the TS Web Access web part must be configured to communicate with the Terminal Server.
In addition to RemoteApp programs, TS Web Access can also display a remote desktop connection icon for the terminal server configured as the web part Data Source. To enable the remote desktop icon in TS Web Access, perform the following:
- Open the TS RemoteApp Manager on the terminal server configured as the data source for the web part.
- Under the Actions pane on the right side, click Terminal Server Settings.
- On the Terminal Server tab, check the box labeled “Show a remote desktop connection to this terminal server in TS Web Access”.
- Click OK to accept the changes. The changes take effect immediately; no reboot or restart of services is necessary.
Client Requirements for TS Web Access-Enabled Applications
Now that the role has been installed and configured and our RemoteApp programs are set up, we must turn our attention to the client. To connect to RemoteApp applications deployed on Windows Server 2008 terminal servers, the client must be running Remote Desktop Connection (RDC) software version 6.0 (6.0.6000.x) or later. Version 6.0 comes with Windows Vista and is available as a download for Windows Server 2003 and Windows XP from Microsoft’s web site (see KB925876).
However, to connect to RemoteApp applications using TS Web Access, version 6.1 (6.0.6001.x) of the RDC client is required. RDC 6.1 is included in the following operating systems:
- Windows Server 2008
- Windows Vista SP1
- Windows XP SP3
With Windows Server 2008 and Vista SP1, no further action is necessary and those systems can access and run TS Web-enabled applications. On Windows XP SP3, the ActiveX control must be enabled in the registry. To do so, follow these steps:
- Open Regedit and find the following key:
- Within the Settings sub-key, delete the following sub-keys:
Once these sub-keys have been removed, the TS Web Access page should display correctly. No reboot is necessary to enable the above changes.
On any of the above client operating systems, you may receive a security warning message about the ActiveX control. To enable it, simply click on the Internet Explorer message bar and select Run ActiveX Control. The page should display normally afterwards.
Connecting to TS Web Access
By default, TS Web Access installs into the default web site in the following location:
All applications that are TS Web Access-enabled are displayed in the web page. The checkbox at the bottom of the screen labeled “I am using a private computer…” enables saving of logon credentials for future seamless login to the application on subsequent occasions. Un-checking the box will disable this feature and prevent credentials from being cached. This is useful if the client from which you are connecting is an unsecure endpoint, such as an internet café or public workstation.
To run a published application, you just click on it in the TS Web interface. As each RemoteApp application is launched, you will be required to enter credentials.
Configuring TS Web Access Settings
You can configure several settings in TS Web Access. This can be done either in the IIS Manager MMC or by editing the web.config file in C:\Windows\Web\TS. For this article, we’ll stick with the MMC:
- Open the IIS Manager MMC.
- Under Connections in the left pane, drill down to the TS folder under the Default Web Site.
- In the Details pane (center), double-click on Application Settings. This will display the settings in Figure 3.
Each one can be edited by double-clicking on the name in the first column. Each one is listed below:
- DefaultTSGateway – Identifies the default TS Gateway Server to use for connections. This setting defines the TS Gateway for remote desktop connections as well. This can also be set at the individual RemoteApp program configuration in TS RemoteApp Manager.
- GatewayCredentialsSource – Identifies the credential source to use for connections.
- ShowDesktops – Enables or disables the Remote Desktop tab in the TS Web Access web page.
- xClipboard – Enables or disables clipboard mapping.
- xDriveRedirection – Enables or disables client drive mapping.
- xPnPRedirection – Enables or disables Plug-n-Play device mapping.
- xPortRedirection – Enables or disables COM/LPT port mapping.
- xPrinterRedirection – Enables or disables client printer mapping.
Changes made to these settings, either in the IIS Manager MMC or the web.config file, take effect immediately. No services need to be restarted.
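The redirection settings listed above decide which client devices are mapped into sessions launched from the web page, so they are worth checking against a written baseline. The following is an added example, not taken from the original article: the XML sample is constructed, the true/false value format and the baseline policy are assumptions, and only the key names come from the list above.

```powershell
# Added example. Constructed sample of the appSettings section; for a live check use:
#   [xml]$config = Get-Content 'C:\Windows\Web\TS\web.config'
[xml]$config = @'
<configuration>
  <appSettings>
    <add key="DefaultTSGateway" value="" />
    <add key="ShowDesktops" value="true" />
    <add key="xClipboard" value="true" />
    <add key="xDriveRedirection" value="true" />
    <add key="xPortRedirection" value="false" />
    <add key="xPrinterRedirection" value="true" />
  </appSettings>
</configuration>
'@

# Hypothetical baseline: only printer mapping is allowed from web-launched sessions.
$baseline = @{
    xClipboard          = 'false'
    xDriveRedirection   = 'false'
    xPnPRedirection     = 'false'
    xPortRedirection    = 'false'
    xPrinterRedirection = 'true'
}

function Get-TSWebSettingDrift($Config, $Baseline) {
    # Index the <add key="..." value="..."/> entries by key name.
    $current = @{}
    foreach ($node in $Config.configuration.appSettings.add) {
        $current[$node.key] = $node.value
    }
    foreach ($key in ($Baseline.Keys | Sort-Object)) {
        if (-not $current.ContainsKey($key)) {
            # A missing key means the effective value is whatever the page defaults to.
            "{0}: not present in web.config (baseline '{1}')" -f $key, $Baseline[$key]
        }
        elseif ($current[$key] -ne $Baseline[$key]) {
            "{0}: is '{1}', baseline '{2}'" -f $key, $current[$key], $Baseline[$key]
        }
    }
}

Get-TSWebSettingDrift $config $baseline
```

With the constructed sample this reports xClipboard and xDriveRedirection as differing from the baseline and xPnPRedirection as not present.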
Using TS Web Access for Farm Access
As stated previously, TS Web Access, by default, will display RemoteApp programs hosted on a single terminal server. However, there are ways to leverage TS Web Access to access an entire farm of terminal servers. The catch is that all terminal servers must have the same RemoteApp programs published since TS Web Access has no way to identify multiple terminal server targets for the web part.
In most cases, a terminal server farm will also involve leveraging the TS Session Broker role of Windows Server 2008. This feature is beyond the scope of this article so I won’t go into much detail on the role; however, TS Session Broker acts as a front-end coordination mechanism for incoming connections and manages the connections to a collection of terminal servers. Again, all of these terminal servers would have the exact same set of RemoteApp programs published.
The TS Web Access web part still points to a single name; however the web part would point to a DNS alias of the farm, rather than an individual terminal server. Since all terminal servers publish the same list of RemoteApp programs, it really doesn’t matter which one it is communicating with at the time.
The key to creating a Terminal Server “Farm” in Windows Server 2008 is DNS resolution using DNS Round Robin, Windows Network Load Balancing (NLB) or a hardware load balancer such as an F5, RadWare or other such device. DNS Round Robin is inexpensive and the simplest to set up, but it has some drawbacks: DNS caching, and the inability to stop DNS from handing out the IP address of a server that is no longer available. NLB is a cost-effective intermediate solution if hardware load balancers are not available in your environment.
One key thing to remember is the TS Web Access Computers security group. If the TS Web Access service will be using a DNS alias to a farm name, then the TS Web Access computer account must be a member of the local group on each terminal server tied to the DNS alias, since the web part could communicate with any of them.
SharePoint Services Integration
The last item of interest is SharePoint Services integration. As I’ve stated before, the web part can front end a group of terminal servers that share a common set of RemoteApp programs. But what do you do if you have terminal servers with different published applications?
Windows SharePoint Services can integrate multiple web parts into a single “mostly seamless” interface. If there are several groups of terminal servers that host different applications, all RemoteApp programs from all of the terminal server farms can be accessed from one web page. Figure 4 shows how the integration of two web parts appears using Windows SharePoint Services.
For detailed information on setting up Windows SharePoint Services for TS Web Access, check out the Microsoft whitepaper “Step-by-Step Guide to Customizing TS Web Access by Using Windows SharePoint Services”. The paper will step you through the simple process of setting this up.
One final note – again, I bring up the TS Web Access Computers security group; remember that the SharePoint Services server will need to be added to this group on all terminal servers in the farm.
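Because the farm and SharePoint scenarios both depend on the same computer account being in the TS Web Access Computers group on every terminal server, a membership check across the farm catches both a server that was missed and an account that should no longer be there. This is an added example, not part of the original article: the server and account names are placeholders, the sample membership is constructed, and it assumes PowerShell 2.0 or later.

```powershell
# Added example. Server and account names are placeholders.
$GroupName = 'TS Web Access Computers'
$Expected  = @('TSWEB01$')   # computer account(s) of the TS Web Access / SharePoint server

# Live query: member names of a local group on a server (ADSI WinNT provider).
# Names come back without the domain prefix, e.g. 'TSWEB01$'.
function Get-LocalGroupMemberName([string]$Computer, [string]$Group) {
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Compare one server's membership with the expected list.
function Test-WebAccessGroup([string]$Server, [string[]]$Members, [string[]]$Expected) {
    $missing    = @($Expected | Where-Object { $Members -notcontains $_ })
    $unexpected = @($Members  | Where-Object { $Expected -notcontains $_ })
    New-Object PSObject -Property @{
        Server     = $Server
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
        Missing    = $missing -join ', '
        Unexpected = $unexpected -join ', '
    } | Select-Object Server, Compliant, Missing, Unexpected
}

# Constructed sample membership for three farm members behind one DNS alias.
$sample = @{
    'TS01' = @('TSWEB01$')
    'TS02' = @()
    'TS03' = @('TSWEB01$', 'OLDWEB$')
}

foreach ($server in ($sample.Keys | Sort-Object)) {
    # Live use: $members = @(Get-LocalGroupMemberName $server $GroupName)
    $members = $sample[$server]
    Test-WebAccessGroup $server $members $Expected
}
```

With the constructed sample, TS01 is compliant, TS02 is missing TSWEB01$, and TS03 carries an extra account to review.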
Now that you’ve seen how to install and configure TS Web Access, what’s missing from its capabilities? Well, the fact that you can only access a single terminal server or common group of terminal servers with the same applications is pretty limiting. However, it is a great feature that’s included in Windows Server 2008. This feature is probably on the top 5 list of anyone looking to leverage terminal servers in their environment, and TS Web Access does provide a decent alternative to spending money on an add-on product to perform the same basic functionality. Provided the terminal server farm is architected effectively, it is a viable alternative.