Build Your Skills: Managing Terminal Services Advanced Client

Run and manage TSAC in a production environment

Windows 2000’s Terminal Services Advanced Client (TSAC) is a Web server module that allows clients to connect to Terminal Services via a Web browser. And like a lot of enterprise software, it requires some specialized know-how to run it optimally in a production environment. My article “Web-enable Win2K Terminal Services with TSAC” showed you how to set up TSAC for use in a Windows network. This article will provide a roundup of information that will help you successfully operate and manage TSAC.

TSAC protocols
Despite the fact that the Terminal Services session runs from within your Web browser, the protocol used between the client and the terminal server is RDP (the same protocol used by the full version of the Terminal Services client). The only non-RDP traffic occurs when the client first connects to the logon page and receives the ActiveX control of the Web server running the TSAC module. The client will use standard HTTP (or HTTPS if you make the site secure by requiring SSL) until the connection to the terminal server is attempted.

TSAC and firewalls
If you are connecting over the Internet, you will need to open port TCP 3389 for the RDP traffic in addition to your Web traffic. Although you can change this port number for the standard terminal services client (see the Microsoft Knowledge Base article Q187623, ”How to Change Terminal Server’s Listening Port”), this port cannot be changed with TSAC.

Using IE4
TSAC can be downloaded and used with Internet Explorer version 4.0 upward on 32-bit Windows clients. However, note that Microsoft is no longer supporting IE4.

IE settings
The TSAC control will silently download rather than prompt if you configure IE to always trust signed controls from Microsoft or if the Web server from which you download TSAC is a trusted site. These are settings within IE—for example, trusted publishers can be found under Internet Options | Content | Publishers. Or you can simply select Always Trust Content From Microsoft Corporation. Trusted sites are configured under Internet Options | Security | Trusted Sites | Sites. The TSAC control will fail to download if the Web server is configured within IE as a Restricted Site (Internet Options | Security | Restricted Sites | Sites). Similarly, if you are using a Customized Level security zone with IE, and TSAC doesn’t work, check the settings for signed ActiveX controls.

TSAC on Windows CE
You cannot use TSAC on Windows CE—for example, on handheld devices. Instead, you need to use the special version of the terminal services client, which is on the Windows 2000 Server or Professional CD in the \VALUEADD\MSFT\MGMT\MSTSC_HPC folder. Alternatively, you can download it from the Microsoft site.

Web servers that run TSAC
You can install TSAC on IIS5 and IIS4. Because it uses Active Server Pages (ASP), it cannot be used with IIS2 or IIS3. Although Microsoft does not officially support TSAC on other Web servers, TSAC can be used with ChiliSoft (which supports ASP) and, with a couple of simple modifications, can be converted to run on Tomcat as well.

Differences between NT4 and Win2K
You can use the same version of TSAC for both Windows 2000 Terminal Services and Windows NT 4.0 Terminal Server Edition (TSE). When connecting to Windows NT 4.0 Terminal Server, it will support only the RDPv4 feature set, rather than the new features in RDPv5 found with Windows 2000. Also, when connecting to a Windows 2000 server, it can be used in either remote administration mode or application mode, while NT4’s TSE essentially uses only application mode.

TSAC supports 128-bit encryption, even if the browser supports only 56-bit cipher strength. This is because the encryption is using RDP and not HTTPS. For 128-bit encryption to be used, however, the terminal server needs to be able to support 128-bit encryption (e.g., running Service Pack 2), and Terminal Services must be configured for high encryption. Even when using high encryption, some information will pass between client and server that is not encrypted (some initial connection information and printing announcements and acknowledgements). For more information, see the Microsoft Knowledge Base articleQ275727, “High Encryption on a Terminal Services Session Does Not Encrypt All Information.” If this is a concern, you should use alternative means of securing the client/server data, such as IPSec (if using Windows 2000 or Windows XP) or PPTP over a VPN if using a legacy Windows client.

TSAC supports compression and persistent bitmap caching by default, which minimizes bandwidth requirements.

TSWeb permissions
Make sure you use standard IIS authentication methods as well as NTFS permissions on the TSWeb virtual directory to determine who can download TSAC. If you want to audit which users have downloaded the ActiveX control, enable object auditing and audit success on the file Mstscax.cab in the TSWeb directory.

Downloading the ActiveX control
The ActiveX control is just under 330 KB, which doesn’t take too long to download even on a slow WAN link (about a minute on a 28.8-Kbps link). However, if users with laptops will be using this from home, get them to download the control when they are local to the Web server. This will also ensure that it’s installed and working correctly before they use it remotely.

Removing TSAC
To remove TSAC from a client PC, navigate to \%systemroot%\Downloaded Program Files. Right-click on Microsoft Terminal Services Control and select Remove. To remove TSAC from the Web server, use Add/Remove Programs, select Terminal Services Web Client, click on Change/Remove, and follow to the prompts.

Customize the connection page
If you understand a little about HTML programming with ActiveX controls, the connection page (Connect.asp) is simple and completely customizable. For example, you can modify it so that users don’t have to type in the name of the terminal server. Or you could list a number of available terminal servers that users can choose from. You could also change the initial connection page so that your company logo appears on it. Alternatively, you could build your own pages and embed the control within it. For more information, see section 1.1, Embedding the Control, as well as 2.0 Sample Web pages within the document Webclient.doc (Microsoft Terminal Services ActiveX Client Control Deployment Guide), which is installed in the TSWeb directory.

Connecting multiple sessions
The Manyservers.htm sample Web page shows how the control can be loaded multiple times within the same browser session. Out of the box, this will enable you to connect to the same server four times. With a little HTML tweaking, you can change this so it connects to four different servers by editing the page to display four edit boxes that pass the connection details to each instance of the control.

TSAC as diagnostic tool
TSAC can be used as a diagnostic tool to help determine why a terminal server is unexpectedly disconnecting clients. For more details, refer to the Microsoft Knowledge Base articleQ284439,“Using the Terminal Services Advanced Client to Troubleshoot Terminal Services Disconnection Issues.”

Securing the ActiveX control
The Resource Kit tools Drive Share and File Copy will not work with TSAC because an ActiveX control, for security reasons, should not have access to local PC resources. To adhere to this rule, you should also disable printer and clipboard redirection by adding DWORD keys with a value of 1 under HKLM\Software\Microsoft\Terminal Server. The keys are DisableClipRedirection and DisablePrinterRedirection.

Summing up
This little package offers a number of significant advantages for admins who want to streamline client administration. Armed with these tips, you should be ready to successfully deploy TSAC in a Windows network and sidestep common problems.

What kind of TSAC tips do you have?
We look forward to getting your input and hearing about your experiences regarding this topic. Post a comment or a question about this article.


Editor's Picks