Question


Terminal Services - can't get users to log on

By Rich J
Hi all. I'm a proper newbie and have just set up 2 servers:
1x W2K3 SBS Standard as the main server
1x W2K3 Standard as a terminal server
(This is a configuration advised to us by the developers of the database package we are using.)

I seem to have both servers talking to each other quite happily. I've set up all my users and given them the necessary permissions (as far as I can see).
We are operating from two offices and I need 3 people in the satellite office to connect by remote desktop.

The bit where I'm stumped (for now at least!) is ascertaining what IP address to give to my colleagues in order for them to connect. Can anyone offer any assistance in this respect?
Cheers
R


10 total posts (Page 1 of 1)

All Answers


Connect to TS

by Churdoo In reply to Terminal Services - can't ...

Well tell us more about the internet connection at HQ and more specifically the router/firewall.

Generally, if you log onto the term server and browse to http://whatismyip.com, that will display the public IP of that server, and will likely be the IP that the users will need to connect. Further, you will have to configure your router to forward port 3389 (TCP) to the term server internal IP.

I'm assuming by the way, that your intent is to have the users connect directly to the term server rather than going through SBS' remote web workplace.

To make it easier for the users, I typically set up a DNS name, like hq.yourcompany.com with the appropriate IP address. This way the users have an easier time remembering the name hq.yourcompany.com instead of some otherwise meaningless series of numbers. This also makes changes for you easier in case the IP ever needs to change; you simply change the DNS record and the users don't need to do anything differently.

edited: clarification


Router/firewall

by Rich J In reply to Connect to TS

Hi,
Thanks for the help so far - the whatismyip.com hint is one to save for future reference!

Regarding the internet connection and router, info as follows:
Internet: ADSL (up to 8MB) supplied by Nildram through BT lines.
Router: Billion BiPac 5200G R4 (as supplied by Nildram when the ADSL was set up).

I've looked at the firewall settings on the router and all I am shown is Firewall on/off and SPI on/off.
Firewall is on, SPI is off. Can't see any way to do the port forward thing.

Regarding the DNS name, how would I go about setting that up? (did I mention how new to this I am?!)


Billion Router and DDNS

by Churdoo In reply to Router/firewall

Well the next thing you need to know or figure out is if you have a static or dynamic IP address related to your ADSL service. This looks like a business grade router so I suspect your DSL service may have been ordered as a Business Package with Static IP, and if so, setting up DNS will be easy.

Your company likely has its own domain name which it uses for email addresses and www presence, like yourcompany.com. What I like to do is to find out your ISP that manages the DNS zone for your domain, and have them create an A record like hq.yourcompany.com or remote.yourcompany.com for example, and populate that with the IP address that corresponds to your terminal server. Doing so means that you give the users the above name which is easier for them to remember than the IP address, and if the IP address ever changes in the future, you simply change the DNS A record accordingly and you don't have to re-train your users.

Next, for the port forwarding, your router calls it "Virtual Server" so go to Advanced Settings / NAT / Virtual Server section and forward port 3389 (call it RDP or something like that) to the internal IP of your term server.


Virtual server

by Rich J In reply to Billion Router and DDNS

Hi and thanks again.
My colleagues are well versed in using TS (at the remote desktop end; we used it at our previous company) so I think they'll be fine with IP addresses. I only say this because I tried calling our ISP and felt an overwhelming urge to bang my head on my desk several times! It's not that they are stupid, just a tad unhelpful.

Under 'virtual server', should I be choosing anything for 'application' or 'protocol'?


Virtual Server

by Churdoo In reply to Virtual server

>> Under 'virtual server', should I be choosing anything for 'application' or 'protocol'?

Application looks like a free-form field, so just type in something like "RDP" or "TS". The Protocol for RDP is TCP.
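Once the Virtual Server entry is in place, the quickest way to confirm it actually works is a plain TCP connect to the public address on the forwarded port from outside the office. The script below is an added example written for this thread, not code from either poster; it checks reachability only (no logon is attempted), and its `demo_local_listener()` function stands in a throwaway local listener for the term server so the check can be exercised offline. Host names and addresses in it are assumptions.

```python
import socket

# The TCP port the thread forwards through the router's "Virtual Server" entry.
RDP_PORT = 3389


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A completed handshake proves the forward reaches something listening on the
    port; it says nothing about whether RDP logon works. Refusals, timeouts and
    DNS failures all come back as False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_forward(public_host: str, port: int = RDP_PORT, timeout: float = 3.0) -> str:
    """Human-readable verdict for the forward described in the thread."""
    if tcp_port_open(public_host, port, timeout):
        return f"{public_host}:{port}/tcp reachable: forward is working"
    return (f"{public_host}:{port}/tcp not reachable: check the Virtual Server entry, "
            f"the router firewall and the term server's own firewall")


def demo_local_listener() -> dict:
    """Offline demonstration: open a throwaway listener on 127.0.0.1 and probe it,
    then probe the same port after the listener is closed. This stands in for the
    real term server so the check runs without a network."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    results = {"listening": tcp_port_open("127.0.0.1", port, 1.0)}
    listener.close()                          # nothing listens here any more
    results["closed"] = tcp_port_open("127.0.0.1", port, 1.0)
    return results


if __name__ == "__main__":
    print(demo_local_listener())
    # Real use, from a machine outside the office (hq.example.com is a placeholder):
    # print(check_forward("hq.example.com"))
```

Run the real check from the satellite office, not from inside HQ: many consumer routers do not loop a public-address connection back through their own forward, so a test from the LAN can fail even when the forward is correct.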


Success! Now for the next bit?

by Rich J In reply to Virtual Server

Success! One external user successfully connected to TS - thanks! :)
Now, is there anything I should be considering in terms of security for this?
Before trying here, I looked at lots of different sites and there was, quite frankly, a lot of differing and conflicting information regarding security.


TS Security

by Churdoo In reply to Success! Now for the next ...

Well now you're asking me and I may give you yet another set of conflicting information.

Yes, there is a certain vulnerability there, as you have port 3389, a fairly common and well known port, exposed to the internet. A would-be perp would have to find that one exposed port on your IP, and then try to exploit a weak password or some yet unknown term server vulnerability.

Weak passwords are probably your biggest vulnerability in this setup, so if you're going to keep your configuration that way, then make sure that you give TS remote logon rights to only those usernames that require it, lock down the term server so that even users with TS logon access have only enough access to do what they need to do on the term server, force good passwords for at least those TS user accounts and any administrators, and force password changes regularly and/or any time there is significant staff turnover.

To answer the part of the well known port, you can change the port that the TS uses to something non-standard. Change the port number in your virtual server setting accordingly, and a simple change to how the users connect to your TS and you can use a different port number than 3389.

You did say that you have SBS, so you could undo the exposure of your term server and have the users access the TS via SBS RWW, but I'm not convinced that's any more secure, plus there's an extra port exposed (would need 443 and 4125 virtual server'd to your SBS, instead of 3389 to your TS).

Lastly, if you wanted tighter security than exposed RDP or RWW port(s), then you could use VPN. I'm not convinced that the built-in SBS VPN would be much more secure since it would still depend on the users' AD passwords. So if that was still a concern, then you could go with a VPN appliance at your edge firewall that would require a specific VPN client and separate VPN credentials or some other kind of VPN authentication.

So, lots of options here.
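Whichever of those options is chosen, the password-guessing risk Churdoo describes is something the server itself records: on Windows Server 2003 a failed logon is Security event 529, a successful one is 528, and logon type 10 marks a Terminal Services (RemoteInteractive) session, each with the client's source network address. The script below is an added example for this thread (not either poster's code) that runs a simple detection over such records: it flags a source address with five or more TS logon failures inside ten minutes, and separately flags a success from a source that had just been failing repeatedly, which is the case worth looking at first. The log lines are constructed sample data in an assumed pipe-separated export format, not a real Windows log.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (not real data). One record per line, fields separated
# by "|": timestamp, event ID, user name, logon type, source network address.
# 529 = logon failure (bad user name or password), 528 = successful logon,
# logon type 10 = RemoteInteractive (Terminal Services) on Windows Server 2003.
SAMPLE_LOG = """\
2008-03-10 09:00:01|528|rjones|10|203.0.113.7
2008-03-10 09:12:10|529|administrator|10|198.51.100.23
2008-03-10 09:12:12|529|administrator|10|198.51.100.23
2008-03-10 09:12:14|529|admin|10|198.51.100.23
2008-03-10 09:12:16|529|rjones|10|198.51.100.23
2008-03-10 09:12:18|529|rjones|10|198.51.100.23
2008-03-10 09:12:20|529|rjones|10|198.51.100.23
2008-03-10 09:12:25|528|rjones|10|198.51.100.23
2008-03-10 09:30:00|529|rjones|10|203.0.113.7
2008-03-10 10:15:00|529|rjones|2|-
"""

FAIL_THRESHOLD = 5            # failures from one source ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window
TS_LOGON_TYPE = 10


def parse_line(line: str) -> dict:
    """Split one export record into typed fields."""
    ts, event_id, user, logon_type, source = line.split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "user": user,
        "logon_type": int(logon_type),
        "source": source,
    }


def detect(log_text: str) -> list:
    """Return alert tuples found in the export, in the order they are raised.

    ("brute_force", source, failure_count, time)      - threshold crossed
    ("success_after_failures", source, user, time)    - logon succeeded while
                                                        the source was still
                                                        over the threshold
    """
    alerts = []
    recent = defaultdict(deque)   # source address -> timestamps of recent failures
    already_flagged = set()       # one brute_force alert per source

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["logon_type"] != TS_LOGON_TYPE:
            continue              # console/network logons are out of scope here
        src, now = rec["source"], rec["ts"]
        window = recent[src]
        while window and now - window[0] > WINDOW:   # drop failures outside the window
            window.popleft()

        if rec["event_id"] == 529:
            window.append(now)
            if len(window) >= FAIL_THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("brute_force", src, len(window), now))
        elif rec["event_id"] == 528 and len(window) >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", src, rec["user"], now))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data the source 198.51.100.23 crosses the threshold on its fifth failure and then logs on as rjones seconds later, so two alerts come out; the single failures from the office address and the console logon are ignored. The same logic applies unchanged if the port is moved off 3389, since the events are recorded regardless of which port the session arrived on.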


Connect by remote desktop. More info here...

http://technet2.microsoft.com/windowsserver/en/library/af5a47e0-92ac-4568-83a2-a9ca8565982a1033.mspx?mfr=true

Please post back if you have any more problems or questions.


Have you explicitly allowed TS users to connect?

by KhongPhuTu In reply to Terminal Services - can't ...

Just to be thorough. Have you explicitly allowed TS users to connect?

In W2K3, you have to explicitly specify the authorized users of TS by adding them to the TS group.

It's rather hard to troubleshoot without more facts.

Regards,
