Overview of Terminal Services in Windows Server 2008

Terminal Services:

Terminal Services is an extension of Remote Desktop Services. Using TS, a client can access a session on a Terminal server using the Remote Desktop Client.

The main difference between terminal services and remote desktop services is licensing. Remote desktop services has limited no of connection available where as terminal services have unlimited no of licenses based on CAL.

Remote Desktop and TS Similarities:

    • Full access to desktop
    • Permission required
    • Use port 3389
    • Uses same remote desktop client
    • Client configuration is same.

Remote Desktop and TS differences:

Remote Desktop Terminal Services
Can have max 2 connections Unlimited connections unless we specify
Full desktop only Full desktop and can add remote applications
RDP client only RDP client and TS web access
Limited to a single computer Multiple servers hosting terminal services and these can be available using techniques such as round robin, NLB, TS session broker
Firewall, VPN issues TS gateway
No extra license required CALs required, can be used for 120 days without CALs


Below are the new name for Terminal services in Windows 2008 R2:


Different ways to configure terminal server sessions behavior:

1. on the user properties –> sessions tab under active directory users and computers, these settings will be applicable only to specific users where we are configuring settings.

2. Through group policy – if we configure session settings at default domain policy level, it will be applicable to users in entire domain. Group policy path is user configuration –> policies–>Windows components–>Terminal services –> Terminal server –>session time limits

How to override user session settings which was configured under user properties:

Go to below console on treminal server:


Redirecting terminal services user profile:

Any user who logs in to a terminal settings, a profile will be created under docs and settings and configuration will be stored under ntuser.dat file.

To re-direct profile folder other than terminal server:

1. Go to active directory users and computers, select the user account and go to terminal service profile as below:


Here, the profiles will be saved on a shared folder named profiles on server fileserver1

2. Use group policy – We can apply policy to default domain policy so that all user’s profile will be redirect to a file server instead of storing on terminal server.

Computer configuration –> policies–>administrative templates –>Windows components–>terminal services–>terminal server –> profiles


Terminal server licensing:

When installing TS first time, it can be used as free for 120 days. Before completion of 120 days, admin has to obtain appropriate CAL.

Two types of CALs – Per device and per user

Eg, if there are 10 computers and there are 100 factory employees who use these 10 computers when they get time. In this case, per device licensing can be used.

On other hand, in an organization, each user has a laptop computer and a desktop computer, which means a single user has two devices, in this case per user license can be used where one user can make 2 connections.

In order to use terminal server licensing, first activate the terminal server licensing server. There is no charge for activating the licensing server.

After activation, purchased TS CAL license can be installed from licensing manager.

Go to terminal services configuration open terminal services licensing mode:


From the licensing tab, select per device or per user.

Terminal Service Remote App and Gateway:

Terminal Services applications fact:

    • Applications must be TS compatible
    • Must be multi-user for example MS office

To install an application on a terminal server:

  • change user /query
  • change user /install
  • change user /execute
    Alternatively, go to control panel and select install application on Terminal Server using GUI.

What TS Remote Apps does:

Users can run applications from terminal server by using web page, RDP.


    • Useful for roaming users who switch between one desktop to other desktops. For example factory floor.
    • Client HW insufficient or OS incompatible
    • No IT support in branch
    • Minimize software deployment cost

How to distribute Remote Apps to users:

1. Configure and provide RDP file to users to use remote apps – RDP file can be distributed using SMS, SCCM, place on file server, e-mail etc.

Can specify port 3389 or TS gateway

2. Distribute apps using MSI file – using this way, user will have to install .MSI and they must have local admin privileges.

MSI files can also be installed to users using GPO without admin privileges.

How to access remote Apps using Web browser:

By default remote app web will be installed as part of IIS. After installing an application in TS, open an IE browser and type


In Windows 2008 R2, https:///RDWeb


How to create RDP file to distribute:

From Remote App manager, go to remote app programs in bottom, right click on the app and select create .RDP file


Once file is created, give it to users.

In order to avoid security warning, attach certificate while creating RDP file.

How to create Windows installer package (MSI):

From Remote App manager, go to remote app programs in bottom, right click on the app and select create windows installer package.


Select the certificate and below options:


Once the MSI file is created, publish or assign using GPO. This MSI will place a shortcut of application on User’s desktop.

TS Gateway:

  • It allows to connect to a terminal server behind a firewall
  • It uses only port 443 and allows to use SSL and HTTPS
  • No need for VPN
  • Allows secured and encrypted connection VIA SSL
  • Gateway runs on IIS


If a user try to access terminal server from outside the network, he has to provide TS gateway info in his RDP settings such as:


This connection will use TCP port 443 to get connected with TS gateway. TS gateway will receive this request in form of HTTPS, unwrap them and send request to terminal server using port 3389.

Terminal Services Gateway Components:

Certificates – Trusted 3rd party, self-signed (testing in lab purpose)or trusted local CA (within an org)

TS connection authorization policy (TSCAP) – Identifies who can use TS gateway

TS Resource authorization policy (TSRAP) – Identifies which terminal server we can use

Monitor with TS gateway manager – monitor gateway connections.

Configure RDP clients


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: