• Creator
  • #2150284

    Terminal Services – can’t get users to log on


    by rich j ·

    Hi all. I’m a proper newbie and have just set up 2 servers:
    1x W2K3 SBS Standard as the main server
    1x W2K3 Standard as a terminal server
    (This is a configuration advised to us by the developers of the database package we are using.)

    I seem to have both servers talking to each other quite happily. I’ve set up all my users and given them the necessary permissions (as far as I can see).
    We are operating from two offices and I need 3 people in the satellite office to connect by remote desktop.

    The bit where I’m stumped (for now at least!) is ascertaining what IP address to give to my colleagues in order for them to connect. Can anyone offer any assistance in this respect?

All Answers

  • Author
    • #2907954


      by rich j ·

      In reply to Terminal Services – can’t get users to log on


    • #2907953

      Connect to TS

      by churdoo ·

      In reply to Terminal Services – can’t get users to log on

      Well tell us more about the internet connection at HQ and more specifically the router/firewall.

      Generally, if you log onto the term server and browse to, that will display the public IP of that server, and will likely be the IP that the users will need to connect. Further, you will have to configure your router to forward port 3389 (TCP) to the term server internal IP.

      I’m assuming by the way, that your intent is to have the users connect directly to the term server rather than going through SBS’ remote web workplace.

      To make it easier for the users, I typically set up a DNS name, like with the appropriate IP address. This way the users have an easier time remembering the name instead of some otherwise meaningless series of numbers. This also makes changes for you easier in case the IP ever needs to change, you simply change the DNS record and the users don’t need to do anything differently.

      edited: clarification

      • #2911962


        by rich j ·

        In reply to Connect to TS

        Thanks for the help so far – the hint is one to save for future reference!

        Regarding the internet connection and router, info as follows:
        Internet: ADSL (up to 8MB) supplied by Nildram through BT lines.
        Router: Billion BiPac 5200G R4 (as supplied by Nildram when the ADSL was set up).

        I’ve looked at the firewall settings on the router and all I am shown is Firewall on/off and SPI on/off.
        Firewall is on, SPI is off. Can’t see any way to do the port forward thing.

        Regarding the DNS name, how would I go about setting that up? (did I mention how new to this I am?!)

        • #2912923

          Billion Router and DDNS

          by churdoo ·

          In reply to Router/firewall

          Well the next thing you need to know or figure out is if you have a static or dynamic IP address related to your ADSL service. This looks like a business grade router so I suspect your DSL service may have been ordered as a Business Package with Static IP, and if so, setting up DNS will be easy.

          Your company likely has its own domain name which it uses for email addresses and www presence, like What I like to do is to find out your ISP that manages the DNS zone for your domain, and have them create an A record like or for example, and populate that with the IP address that corresponds to your terminal server. Doing so means that you give the users the above name which is easier for them to remember than the IP address, and if the IP address ever changes in the future, you simply change the DNS A record accordingly and you don’t have to re-train your users.

          Next, for the port forwarding, your router calls it “Virtual Server” so go to Advanced Settings / NAT / Virtual Server section and forward port 3389 (call it RDP or something like that) to the internal IP of your term server.

        • #2912633

          Virtual server

          by rich j ·

          In reply to Billion Router and DDNS

          Hi and thanks again.
          My colleagues are well versed in using TS (at the remote desktop end – we used it at our previous company) so I think they’ll be fine with IP addresses. I only say this because I tried calling our ISP and felt an overwhelming urge to bang my head on my desk several times! It’s not that they’re stupid, just a tad unhelpful.

          Under ‘virtual server’, should I be choosing anything for ‘application’ or ‘protocol’?

        • #2912618

          Virtual Server

          by churdoo ·

          In reply to Virtual server

          >> Under ‘virtual server’, should I be choosing anything for ‘application’ or ‘protocol’?

          Application looks like a free-form field, so just type in something like “RDP” or “TS”. The Protocol for RDP is TCP.

        • #2912606

          Success! Now for the next bit?

          by rich j ·

          In reply to Virtual Server

          Success! One external user successfully connected to TS – thanks! 🙂
          Now, is there anything I should be considering in terms of security for this?
          Before trying here, I looked at lots of different sites and there was, quite frankly, a lot of differing and conflicting information regarding security.

        • #2913537

          TS Security

          by churdoo ·

          In reply to Success! Now for the next bit?

          Well now you’re asking me and I may give you yet another set of conflicting information.

          Yes there is a certain vulnerability there, as you have port 3389, a fairly common and well known port, exposed to the internet. One would-be perp would have to find that one exposed port on your IP, and then try to exploit a weak password or some yet unknown term server vulnerability.

          Weak passwords are probably your biggest vulnerability in this setup, so if you’re going to keep your configuration that way, then make sure that you give TS remote logon rights to only those usernames that require it, lock down the term server so that even users with TS logon access have only enough access to do what they need to do on the term server, force good passwords for at least those TS user accounts and any administrators, and force password changes regularly and/or any time there is significant staff turnover.

          To answer the part of the well known port, you can change the port that the TS uses to something non-standard. Change the port number in your virtual server setting accordingly, and a simple change to how the users connect to your TS and you can use a different port number than 3389.

          You did say that you have SBS, so you could undo the exposure of your term server and have the users access the TS via SBS RWW, but I’m not convinced that’s any more secure, plus there’s an extra port exposed (would need 443 and 4125 virtual server’d to your SBS, instead of 3389 to your TS).

          Lastly, if you wanted tighter security than exposed RDP or RWW port(s), then you could use VPN. I’m not convinced that the built-in SBS VPN would be much more secure since it would still depend on the users’ AD passwords. So if that was still a concern, then you could go with a VPN appliance at your edge firewall that would require a specific VPN client and separate VPN credentials or some other kind of VPN authentication.

          So, lots of options here.
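An added example, not part of the thread: with port 3389 forwarded and passwords named above as the main weakness, one check worth running is a scan of the terminal server's Security log for failed Terminal Services logons (event 529 with logon type 10 on Windows Server 2003) grouped by source address, and for successful ones (event 528) by accounts outside the intended TS user list. The export format, account names and addresses below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed export format: time|event_id|logon_type|user|source
SAMPLE_LOG = """\
2008-11-03 02:14:01|529|10|administrator|198.51.100.7
2008-11-03 02:14:09|529|10|administrator|198.51.100.7
2008-11-03 02:14:15|529|10|admin|198.51.100.7
2008-11-03 02:14:22|529|10|administrator|198.51.100.7
2008-11-03 02:14:30|529|10|guest|198.51.100.7
2008-11-03 09:01:12|529|10|alice|203.0.113.20
2008-11-03 09:01:40|528|10|alice|203.0.113.20
2008-11-03 09:30:00|529|2|bob|-
2008-11-03 23:47:05|528|10|backup|192.0.2.50
"""

TS_ALLOWED = {"alice", "bob", "carol"}  # hypothetical: accounts given TS logon rights
FAILED, SUCCESS = "529", "528"  # Server 2003 logon failure (bad password) / success
REMOTE_INTERACTIVE = "10"       # logon type recorded for Terminal Services sessions
FIELDS = ("time", "event", "type", "user", "src")

def parse(log):
    for line in log.splitlines():
        parts = line.strip().split("|")
        if len(parts) == len(FIELDS):  # skip blank or malformed lines
            rec = dict(zip(FIELDS, parts))
            rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
            yield rec

def guessing_sources(records, threshold=5, window=timedelta(minutes=10)):
    """Map source -> failed TS logon count when `threshold` failures fit in `window`."""
    by_src = defaultdict(list)
    for r in records:
        if r["event"] == FAILED and r["type"] == REMOTE_INTERACTIVE:
            by_src[r["src"]].append(r["time"])
    flagged = {}
    for src, times in by_src.items():
        times, start = sorted(times), 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
    return flagged

def unexpected_logons(records, allowed=TS_ALLOWED):
    """Successful TS logons by accounts that are not on the TS allow list."""
    return [(r["user"], r["src"]) for r in records if r["event"] == SUCCESS
            and r["type"] == REMOTE_INTERACTIVE and r["user"].lower() not in allowed]
```

Run both functions on `list(parse(SAMPLE_LOG))`: the first reports the address that produced five failures in under a minute, the second reports the `backup` session, while the single mistyped password and the console failure are ignored.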

    • #2907951

      Connect by remote desktop. More info here…

      by Anonymous ·

      In reply to Terminal Services – can’t get users to log on

    • #2923967

      Have you explicitly allowed TS users to connect?

      by khongphutu ·

      In reply to Terminal Services – can’t get users to log on

      Just to be thorough. Have you explicitly allowed TS users to connect?

      In W2K3, you have to explicitly specify the authorized users of TS by adding them to the TS group.

      It’s rather hard to troubleshoot without more facts.

