Table of Contents
Windows Server 2008 Centralized Application Access
Exercise 1 Implementing Terminal Services Gateway
Exercise 2 Implementing Terminal Services RemoteApp
Exercise 3 Implementing Terminal Services Web Access
Exercise 4 Using Windows System Resource Manager with Terminal Services (Optional)
Windows Server 2008 Centralized Application Access
Page 1 of 15
Exercise 1
Implementing Terminal Services Gateway
Scenario
In this exercise, you will configure a Terminal Services Gateway Server and a Terminal Services Gateway Client.
You will configure the Terminal Services Gateway Server by first obtaining, importing and mapping a security
certificate for the server. You will then configure the server with a Connection Authorization Policy, a Resource
Group and a Resource Authorization Policy.
After configuring the Terminal Services Gateway Server, you will then configure a Terminal Services Gateway
Client and then establish a connection to the Terminal Services Gateway Server.
Note: This exercise uses the following computers: NYC-DC-01 and NYC-CLI-01
Note: Before you begin this exercise, you must start and log on to the computers.
Note: The Terminal Services Gateway Server has already had the Terminal Services Gateway role installed.
Tasks Detailed Steps
2. Create and Map a certificate for the Terminal Services Gateway Server
Note: In this task you will use the Terminal Services Gateway management console snap-in to create
and map a certificate to the Terminal Services Gateway server. In order to be able to use a server
as a Terminal Services Gateway server, you must first install an SSL-compatible X.509 certificate.
This ensures that the Terminal Services Gateway will use this certificate when providing connection
security. This task uses a self-signed certificate. Self-signed certificates are appropriate for use
in environments that do not have an established public key infrastructure, or do not wish to create
one.
Note: The use of a self-signed certificate is recommended in environments that do not have an
established public key infrastructure.
a. On the Start menu, navigate to All Programs/ Administrative Tools/Terminal
Services and then click TS Gateway Manager.
b. In TS Gateway Manager, in the Explorer pane, select NYC-DC-01 (Local).
c. On the Action menu, click Properties.
d. In the NYC-DC-01 Properties dialog box, select the SSL Certificate tab, and
then select Create a self-signed certificate for SSL encryption, and then click
Create Certificate….
e. In the Create Self-Signed Certificate dialog box, in File name, type
C:\Public\NYC-DC-01.cer and then click OK.
f. In the TS Gateway dialog box, click OK.
Note: The Issued to, Issued By and Expiration date fields now have values. This
indicates that you have successfully installed the certificate.
g. Click on OK to close the NYC-DC-01 Properties dialog box.
h. On the Start Menu, in Start Search, type MMC and then press ENTER.
i. In Console1, on the File menu, select Add/Remove Snap-in….
j. In the Add or Remove Snap-ins dialog box, select Certificates, and then click
Add.
k. In the Certificates snap-in dialog box, select Computer account, and then click
Next.
l. In the Select Computer dialog box, ensure Local computer is selected, and then
click Finish.
m. In the Add or Remove Snap-ins dialog box, click OK.
n. In Console1, navigate to Console Root/Certificates (Local Computer)/Trusted
Root Certification Authorities and then select Certificates.
o. In the Action menu, select All Tasks and then Import….
p. In the Certificate Import Wizard, click Next.
q. In the Certificate Import Wizard, on the File to Import Page, in the File name
text box, enter C:\Public\NYC-DC-01.cer, and then click Next.
r. In the Certificate Import Wizard, on the Certificate Store page, ensure Place all
certificates in the following store is selected and then click Next.
s. In the Certificate Import Wizard, on the Completing the Certificate Import
Wizard, click Finish.
t. On the Certificate Import Wizard dialog box, click OK.
u. In Console1, on the File menu, click Exit. Do not save changes.
3. Configure Group Policy to distribute Security Certificate
Note: In this task you will use group policy to ensure that the security certificate for your
company is installed automatically on all client computers. This will ensure that use and
installation of the security certificates are uniform across the business environment.
Note: This task uses the following computer: NYC-DC-01
a. On the Start menu, in Start Search, type GPMC.MSC.
b. In Group Policy Management, in the Explorer pane, navigate to Group Policy
Management/Forest:
Woodgrovebank.com/Domains/Woodgrovebank.com/Group Policy Objects
and then select Default Domain Policy.
c. In Group Policy Management, on the Action menu, click Edit….
d. In Group Policy Management Editor, navigate to Computer
Configuration/Windows Settings/Security Settings/Public Key Policies and
then select Trusted Root Certification Authorities.
e. In Group Policy Management Editor, on the Action menu, click Import….
f. In the Certificate Import Wizard dialog box, click Next.
g. In the Certificate Import Wizard, on the File to Import page, click Browse….
h. In the Open dialog box, in File name, type \\NYC-DC-01\Public\ and then click
Open.
i. In the Open dialog box, select NYC-DC-01 and then click Open.
j. In the Certificate Import Wizard, on the File to Import page, click Next.
k. In the Certificate Import Wizard dialog box, on the Certificate Store page,
ensure Place all certificates in the following store is selected and then click
Next.
l. In the Certificate Import Wizard dialog box, on the Completing the Certificate
Import Wizard page, click Finish.
m. In the Certificate Import Wizard dialog box, click OK.
n. In Group Policy Management Editor, on the File menu, click Exit.
o. Close Group Policy Management.
Complete the following task on: NYC-CLI-02
4. Client Configuration
Note: In this task you will configure the computer that will be hosting the remote applications.
For this purpose configurations will be made that allow other computers to connect via RDP.
Note: This task uses the following computer: NYC-CLI-02
a. Log on to NYC-CLI-02 as Woodgrovebank\Administrator using the password
P@ssw0rd.
b. On NYC-CLI-02, in the Start menu, right-click Computer and select Properties.
c. In the System dialog, select Remote Settings (upper left of dialog).
d. In the System Properties dialog, select the Remote tab.
e. In the Remote Desktop region, select the Allow Connections from computers
running any version of Remote Desktop radio button.
f. In the System Properties dialog, click OK.
g. In the System dialog, click File, Close.
h. Log off from NYC-CLI-02.
Complete the following task on: NYC-CLI-01
5. Force application of the Group Policy settings to client machines
Note: In this task you will force the application of the newly created group policy settings by
using the GPUPDATE command on the client machines. This will ensure that the self-signed certificate
is available for the clients to use in the following exercises.
Note: This task uses the following computers: NYC-CLI-01
a. The NYC-CLI-01 has been prelogged in as Woodgrovebank\DonHall using the
password P@ssw0rd.
b. On NYC-CLI-01, in the Start menu, in Start Search, type CMD and press
ENTER.
c. In the command prompt window, type the following command, and then press
ENTER.
GPUPDATE /FORCE
d. Log off NYC-CLI-01
Complete the following 3 tasks on: NYC-DC-01
6. Create a Connection Authorization Policy (CAP)
Note: In this task you will create a Connection Authorization Policy (CAP) that will allow you to
control who can connect to the Terminal Services Gateway server. A CAP allows you to specify
detailed connection requirements, including requirements such as group membership, domain
membership, and the requirement to use a smart card.
Note: This task uses the following computer: NYC-DC-01
a. In TS Gateway Manager, in the Explorer pane, navigate to NYC-DC-01
(Local)/Policies and then select Connection Authorization Policies.
b. In the Actions pane, click Create New Policy and then click Wizard.
c. In the Authorization Policies dialog box, ensure that Create only a TS CAP is
selected, and then click Next.
d. Complete the Authorization Policies with the following values:
Setting Value
Name for the TS CAP: Remote User Access
Windows authentication method: Password
User group membership (required): Remote Application Users
Client computer group membership (optional): No group selected
TS Gateway device redirection: Enable device redirection for all client devices
e. In the Authorization Policies dialog box, click Finish to complete the policy
creation.
f. Click Close to close the Authorization Policies dialog box.
7. Create a computer group to control access to the Terminal Services Gateway
Note: In this task you will create a group containing computers that can connect remotely through
the Terminal Services Gateway. If a computer that is not part of this group tries to connect to the
Terminal Services Gateway, it will be denied access.
a. In the TS Gateway Manager, in the Explorer pane, expand NYC-DC-01
(Local), Policies and then select Resource Authorization Policies.
b. In the Actions pane, click Manage Local Computer Groups.
c. In the Manage locally stored computer groups dialog box, click Create group….
d. In the New TS Gateway-Managed Computer Group dialog box, on the General
tab, enter the following values, do not click OK.
Setting Value
Name: Remote Access Computers
Description: Computers allowed to connect to TS Gateway
e. In the New TS Gateway-Managed Computer Group dialog box, on the
Network resources tab, in the text box, type NYC-CLI-01 and then click Add.
f. In the New TS Gateway-Managed Computer Group dialog box, on the
Network resources tab, in the text box, enter NYC-CLI-02 and then click Add.
g. In the New TS Gateway-Managed Computer Group dialog box, on the
Network resources tab, in the text box, enter NYC-DC-01 and then click Add.
h. In the New TS Gateway-Managed Computer Group dialog box, click OK.
i. In the Manage locally stored computer groups dialog box, click Close.
Note: You are only adding the computers that will access the Gateway server
remotely. Normally you would not add the Gateway server to the policy. As the
gateway server is NYC-DC-01 and in this lab is used to host the terminal services it is
required to be added.
8. Create a Resource Authorization Policy (RAP)
Note: In this task you will create a Resource Authorization Policy (RAP). The RAP is used to
identify which computers users that connect to a Terminal Services Gateway can connect to. In order
to connect to a computer using the Terminal Services Gateway, the client must meet the conditions of
one CAP and one RAP.
a. In the TS Gateway Manager, in the Explorer pane, navigate to NYC-DC-01
(Local)/Policies and then select Resource Authorization Policies.
b. In the Actions pane, click Create New Policy and then click Wizard.
c. In the Authorization Policies dialog box, ensure that Create only a TS RAP is
selected, and then click Next.
d. Complete the Authorization Policies with the following values:
Setting Value
Name for the TS RAP: Remote Resource Access
User group membership: Remote Application Users
Computer Group: Select an existing TS Gateway-managed computer group or create a new one
Select an existing TS Gateway-managed computer group: Remote Access Computers
Allowed Ports: Allow connections only through TCP port 3389
e. In the Authorization Policies dialog box, click Finish to complete the policy
creation
f. Click Close to close the Authorization Policies dialog box.
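The CAP-then-RAP decision described in tasks 6 to 8, as an added sketch that uses this lab's policy values; it is not TS Gateway's own code. DonHall's membership of Remote Application Users, the host name NYC-FS-01 and the comparison on the first DNS label are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cap:                                  # Connection Authorization Policy: who may use the gateway
    name: str
    user_groups: frozenset
    auth_methods: frozenset                 # "password" and/or "smartcard"
    client_groups: frozenset = frozenset()  # empty = "No group selected"


@dataclass(frozen=True)
class Rap:                                  # Resource Authorization Policy: what they may reach
    name: str
    user_groups: frozenset
    computers: frozenset                    # members of the gateway-managed computer group
    ports: frozenset


def host_label(name: str) -> str:
    # Assumption of this sketch: compare on the first DNS label, case-insensitively.
    return name.split(".")[0].upper()


def authorize(caps, raps, user_groups, auth_method, target, port, client_groups=()):
    """Return (allowed, reason). A connection needs one matching CAP and one matching RAP."""
    user_groups, client_groups = frozenset(user_groups), frozenset(client_groups)
    cap = next((c for c in caps
                if c.user_groups & user_groups
                and auth_method in c.auth_methods
                and (not c.client_groups or c.client_groups & client_groups)), None)
    if cap is None:
        return False, "denied: no CAP matched"
    rap = next((r for r in raps
                if r.user_groups & user_groups
                and host_label(target) in r.computers
                and port in r.ports), None)
    if rap is None:
        return False, f"denied: CAP '{cap.name}' matched but no RAP matched"
    return True, f"allowed: CAP '{cap.name}' and RAP '{rap.name}'"


# Policy values from the tables in tasks 6 to 8.
USERS = frozenset({"Remote Application Users"})
CAPS = [Cap("Remote User Access", USERS, frozenset({"password"}))]
RAPS = [Rap("Remote Resource Access", USERS,
            frozenset({"NYC-CLI-01", "NYC-CLI-02", "NYC-DC-01"}), frozenset({3389}))]

if __name__ == "__main__":
    # Constructed requests: (user's groups, logon method, target, port)
    cases = [
        (USERS, "password", "NYC-CLI-02.Woodgrovebank.com", 3389),
        ({"Domain Users"}, "password", "NYC-CLI-02", 3389),   # fails at the CAP
        (USERS, "password", "NYC-FS-01", 3389),               # hypothetical host, fails at the RAP
        (USERS, "password", "NYC-CLI-02", 445),               # port not allowed by the RAP
    ]
    for groups, method, target, port in cases:
        print(target, port, authorize(CAPS, RAPS, groups, method, target, port))
```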
Complete the following task on: NYC-CLI-01
9. Configure Remote Desktop Connection Settings on the Client Computer
Note: In this task, you will modify the Remote Desktop Connection settings on NYC-CLI-01 to connect
through the Terminal Services Gateway that you have configured. You will first attempt to connect
directly to NYC-CLI-02 using the default settings of Remote Desktop Connection. NYC-CLI-02 has had
the default Windows Firewall settings modified to only accept connections from the IP address of
NYC-DC-01.
Note: In order to connect to NYC-CLI-02 you will need to modify the settings of the Remote Desktop
Connection to use the Terminal Services Gateway to connect through.
Note: This task uses the following computers: NYC-CLI-01, NYC-CLI-02 and NYC-DC-01
a. Log on to the NYC-CLI-01 as DonHall with a password of P@ssw0rd.
b. On the Start menu, navigate to Start/All Programs/ Accessories, and then click
Remote Desktop Connection.
c. In Remote Desktop Connection, in the Computer text box, type
NYC-CLI-02.Woodgrovebank.com and then click Connect.
d. In the Windows Security box, use the following values and then click OK.
Setting Value
User Name: Woodgrovebank\DonHall
Password: P@ssw0rd
Note: There will be a delay and then the connection will fail. This is because the
Windows Firewall on NYC-CLI-02 is configured to only accept Remote Desktop
connections from NYC-DC-01.
e. In the Remote Desktop Disconnected dialog box, click OK.
f. In the Remote Desktop Connection dialog box, click Options, and then click the
Advanced tab.
g. In the Remote Desktop Connection dialog box, in Connect from anywhere,
click Settings….
h. In the Gateway Server Settings dialog box, select Use these TS Gateway server
settings:.
i. In the Gateway Server Settings dialog box, in the Server name, type
NYC-DC-01.Woodgrovebank.com and select Logon method: Ask for password (NTLM).
j. In the Gateway Server Settings dialog box, uncheck Bypass TS Gateway server
for local addresses.
k. Click OK to accept the settings.
l. In Remote Desktop Connection, click on the General tab.
m. In the Computer text box, type NYC-CLI-02.Woodgrovebank.com and then
click Connect.
n. In the Windows Security box, use the following values:
Setting Value
User Name: Woodgrovebank\DonHall
Password: P@ssw0rd
o. Click OK.
Note: There will be a slight delay before the next step appears. When the next box
appears, observe that this is for the Gateway Server Credentials.
p. In the Windows Security box, use the following values:
Setting Value
User Name: DonHall
Password: P@ssw0rd
q. Click OK.
Note: There will be a slight delay before the desktop of NYC-CLI-02 appears. When it
does appear, you can observe in the connection toolbar, the padlock which symbolizes
that the connection is using security.
r. If you are prompted that there is a user RDPed into the NYC-CLI-02 machine, log
off the other user and log on.
s. Log off the NYC-CLI-02 remote session.
Exercise 2
Implementing Terminal Services RemoteApp
Scenario
RemoteApp applications are programs that are accessed remotely through Terminal Services and appear as if they
are running on a user's local computer. Users can run RemoteApp applications side-by-side with their local
programs. If a user is running more than one Remote Program on the same terminal server, RemoteApp will share
the same Terminal Services session. You can use TS Web Access to make RemoteApp applications available
through a Web site.
In this exercise, you will configure NYC-DC-01 to be able to publish remote applications. In addition you will
create packages for deploying remote applications to the client machines and then distribute these packages.
You will also test the connection of the remote program application from a client machine. In order to test these
RemoteApp applications, you will also modify the allow list to allow an application to be accessed remotely.
Note: This exercise uses the following computers: NYC-DC-01, NYC-CLI-01, NYC-DC-01-2, and NYC-CLI-01-2
restart NYC-DC-01.
l. In the Add Role Services dialog box, in the Installation Results screen, click
Close.
m. In the Add Role Services dialog box, click Yes to begin the restart.
n. It takes a couple of minutes to restart the NYC-DC-01. Due to the network
limitation of machine reboot in the Virtual environment, please continue the rest of
the exercises on the NYC-DC-01-2 machine.
Note: The reboot will take several minutes. After completing the log in, the Post-
Reboot Configuration Wizard will appear to confirm that the Terminal Services role
has been installed successfully.
Complete the following 3 tasks on: NYC-DC-01-2
2. Add a program to the Allow list
Note: In this task you will add two existing programs to the Allow list for Terminal Services
RemoteApp. In order for a user to be able to access a program with RemoteApp the application must
be on the Allow List. The Allow List settings also include the ability to change settings for the
remote applications, such as additional command line arguments and changes to the default icons.
You will use a sample program named OnTheServer.exe and in addition will add WordPad to the Allow
List.
a. The NYC-DC-01-2 machine has been prelogged in as Administrator with the
password of P@ssw0rd.
b. In the Post-Reboot Configuration Wizard dialog box, click Close.
c. On the Start menu, navigate to All Programs/Administrative Tools/Terminal
Services/TS RemoteApp Manager.
d. In RemoteApp, in the Action menu, click Add RemoteApps.
e. In the RemoteApp Wizard, click Next.
f. In the Choose RemoteApp to add to the allow list, click Browse.
g. In the Choose a program dialog box, in File name type
C:\Public\OnTheServer.exe, and then click Open.
h. In the RemoteApp Wizard, in the Choose programs to add to the RemoteApps
list page, click Next.
i. In the RemoteApp Wizard, in the Review Settings page, click Finish.
j. In the RemoteApp console, in the Contents pane, select OnTheServer.exe.
k. In the RemoteApp console, in the Actions pane, click Properties.
l. In the RemoteApp Demo Properties, in the RemoteApp name text box, change
OnTheServer.exe to Demo Application and click OK.
m. In RemoteApp, in the Action pane, click Add RemoteApps.
n. In the RemoteApp Wizard, click Next.
o. In the Choose programs to add to the RemoteApps list, check the box next to
WordPad and then click Next.
p. In the RemoteApp Wizard, in the Review Settings page, click Finish.
3. Create a RDP file that publishes a connection to an application
Note: In this task you will create a RDP file that can then be distributed to clients either via
e-mail or USB Flash Disk (UFD). This will then enable users to connect remotely to the remote
program that was added to the allow list. Any settings that have been added to the application in
the allow list will also be added to the RDP file.
a. In TS RemoteApp Manager, select Demo Application in the Contents pane.
b. In TS RemoteApp Manager, in the Actions pane, click Create .rdp File.
c. In the RemoteApp Wizard, click Next.
d. In the RemoteApp Wizard, in the Specify Packages Settings page, modify the
location for saving the package to C:\Public\
e. In the RemoteApp Wizard, in the Specify Packages Settings page, in TS
Gateway Settings, click Change….
f. In the Configure TS Gateway Settings dialog box, select Use these TS Gateway
Server settings: and enter the following settings and then click OK.
Setting Value
Server name: NYC-DC-01.Woodgrovebank.com
Logon method: Ask for password (NTLM)
Use the same user credentials for TS Gateway and TS Server: Checked
Bypass TS Gateway Server for local addresses: Unchecked
g. In the RemoteApp Wizard, in the Specify Packages Settings page, click Next.
h. In the RemoteApp Wizard, in the Review Settings page, click Finish.
Note: Windows Explorer will now appear displaying the created RDP file. The
created file is named OnTheServer.rdp
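An added example (not part of the lab or of any Microsoft tool): because the .rdp file is handed out by e-mail or USB and is plain text, this Python audit parses a copy and reports where its gateway settings differ from the values entered in step f. The sample file contents are constructed, and the mapping of the wizard's options to .rdp property values is an assumption based on Microsoft's documented .rdp properties.

```python
import codecs

# Gateway settings chosen in step f, expressed as .rdp properties (assumed mapping).
EXPECTED = {
    "gatewayhostname": "NYC-DC-01.Woodgrovebank.com",
    "gatewayusagemethod": 1,         # 1 = always use the gateway, no bypass for local addresses
    "gatewayprofileusagemethod": 1,  # 1 = explicit settings rather than the default profile
    "gatewaycredentialssource": 0,   # 0 = ask for password (NTLM)
    "promptcredentialonce": 1,       # 1 = same credentials for gateway and terminal server
    "remoteapplicationmode": 1,      # 1 = RemoteApp session, not a full desktop
}


def decode_rdp(raw: bytes) -> str:
    """.rdp files are often UTF-16 with a BOM; hand-edited copies may not be."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def parse_rdp(raw: bytes) -> dict:
    """Parse 'name:type:value' lines; type i is an integer, s a string."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        parts = line.strip().split(":", 2)    # the value itself may contain ':'
        if len(parts) != 3:
            continue
        name, kind, value = parts[0].strip().lower(), parts[1], parts[2]
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue                      # malformed integer: treat as absent
        settings[name] = value
    return settings


def audit_rdp(raw: bytes, expected=EXPECTED) -> list:
    """Return one finding per expected setting that is missing or different."""
    settings = parse_rdp(raw)
    findings = []
    for name, want in expected.items():
        got = settings.get(name)
        if got is None:
            findings.append(f"{name}: missing, expected {want!r}")
            continue
        # Host names compare case-insensitively; integers compare exactly.
        same = str(got).lower() == want.lower() if isinstance(want, str) else got == want
        if not same:
            findings.append(f"{name}: found {got!r}, expected {want!r}")
    return findings


# Constructed sample, not taken from the lab: a RemoteApp file as published.
SAMPLE_LINES = [
    "remoteapplicationmode:i:1",
    "remoteapplicationname:s:Demo Application",
    "remoteapplicationprogram:s:||OnTheServer",
    "full address:s:NYC-DC-01.Woodgrovebank.com",
    "server port:i:3389",
    "promptcredentialonce:i:1",
    "gatewayhostname:s:NYC-DC-01.Woodgrovebank.com",
    "gatewayusagemethod:i:1",
    "gatewayprofileusagemethod:i:1",
    "gatewaycredentialssource:i:0",
]
AS_PUBLISHED = "\r\n".join(SAMPLE_LINES).encode("utf-16")
# Constructed edited copy: saved without a BOM, gateway made optional, logon method removed.
EDITED_COPY = "\n".join(
    line.replace("gatewayusagemethod:i:1", "gatewayusagemethod:i:2")
    for line in SAMPLE_LINES if not line.startswith("gatewaycredentialssource")
).encode("utf-8")

if __name__ == "__main__":
    for label, raw in (("as published", AS_PUBLISHED), ("edited copy", EDITED_COPY)):
        print(label, audit_rdp(raw) or "OK")
```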
4. Create a MSI file that installs an application
Note: In this task you will create a MSI file that can be distributed as an installation package.
This package could be distributed for users to manually install or installed as part of a Group
Policy Object. As part of the configuration of an MSI package it is possible to define where the
remote program will appear in the User’s environment and also to associate the remote program with
client file associations. An example of using this would be to publish Microsoft Word – to be
integrated into the user’s Start Menu and to be opened when they click on a Word Document. This
gives a seamless integration for the users to the remote program. Any settings that have been added
to the application in the allow list will also be added to the MSI file.
a. In TS RemoteApp Manager, in the Contents pane, select WordPad
b. In the Actions pane, click Create Windows Installer Package.
c. In the RemoteApp Wizard, click Next.
d. In the RemoteApp Wizard, in the Specify Packages Settings page, modify the
location for saving the package to C:\Public\
e. In the RemoteApp Wizard, in the Specify Packages Settings page, in TS
Gateway Settings, click Change….
f. In the Configure TS Gateway Settings dialog box, select Use these TS Gateway
Server settings: and enter the following settings and then click OK. Then click
Next.
Setting Value
Server name: NYC-DC-01.Woodgrovebank.com
Logon method: Ask for password (NTLM)
Use the same user credentials for TS Gateway and TS Server: Checked
Bypass TS Gateway Server for local addresses: Unchecked
g. In the RemoteApp Wizard, in the Configure Distribution Package page, accept
the default settings by clicking Next.
h. In the RemoteApp Wizard, in the Review Settings page, click Finish.
Note: Windows Explorer will now appear displaying the created installation file. The
created file is named wordpad.rap.msi
Complete the following task on: NYC-CLI-01-2
5. Using RemoteApp Access
Note: In this task, you will use the RDP file and the MSI file that you created in the previous
tasks. This will be achieved by accessing the files on the Public share on NYC-DC-01.
Note: This task uses the following computer: NYC-CLI-01-2
Note: Log on to NYC-CLI-01-2 as Woodgrovebank\Administrator with the password
of P@ssw0rd
a. On the Start menu, in Start Search, type \\NYC-DC-01\Public and then press
ENTER.
b. In Windows Explorer, double click OnTheServer.RDP.
c. In the Windows Security dialog box, enter the following values:
Setting Value
User Name: DonHall
Password: P@ssw0rd
d. Check Remember my credentials and then click OK.
e. In the RemoteApp dialog box, check Don’t prompt me again for connections to
this computer, and then click Yes.
Note: The application now launches. When the application launches successfully it
will display on the screen as On The Server. This is the remote application running on
the server.
f. Close the On The Server remote program.
g. In Windows Explorer, double click WordPad.rap.msi.
Note: The remote WordPad application now installs. Observe the name of the
application matches the name that was entered during the creation of the MSI file.
h. After the application has completed installation, on the Start menu, navigate to All
Programs – RemoteApp – WordPad.
Note: The application now launches. When the application launches successfully it
will display on the screen as WordPad.
i. In the remote WordPad application, in the File menu, click Exit to close.
Exercise 3
Implementing Terminal Services Web Access
Scenario
TS Web Access is a feature that makes RemoteApp available to users from a Web browser. With TS Web Access, a
user can visit a Web site—either from the Internet or from an intranet—to access a list of available RemoteApp
applications. When a user starts a RemoteApp application, a Terminal Services session is started on the terminal
server that hosts the Remote Program.
TS Web Access includes a default Web page that you can use to deploy RemoteApp applications over the Web. The
Web page consists of a frame and a customizable Web Part, where the list of RemoteApp applications is displayed.
In this exercise, you will configure the terminal server to support Terminal Services Web Access and then configure
an application to be made unavailable via the web interface.
Note: This exercise uses the following computers: NYC-DC-01-2 and NYC-CLI-02-2
the Demo Application and the WordPad that you published in an earlier task.
d. Click Demo Application in the TS Web Access webpage.
e. In the Trust Warning pop-up, click Yes.
f. In the RemoteApp dialog box, click Yes
g. In the Windows Security dialog box, enter the username
Woodgrovebank\donhall and the password P@ssw0rd, and then press ENTER.
Note: The application now launches. When the application launches successfully it
will display on the screen as On The Server.
Exercise 4
Using Windows System Resource Manager with Terminal Services (Optional)
Scenario
Windows System Resource Manager (WSRM) is a feature of Windows Server 2008. Using WSRM, administrators
can control how CPU resources are allocated to applications, services, and processes. Managing these resources
improves system performance and reduces the chance that these applications, services, or processes will interfere
with the rest of the system. WSRM also creates a more consistent and predictable experience for users. In the
terminal services environment it is even more important as it ensures a consistent experience for all users of the
server.
In this exercise, you will add Windows System Resource Manager to NYC-DC-01-2 and then configure a resource
allocation policy.
Note: This exercise uses the following computer: NYC-DC-01-2