Windows Remote Access and Terminal Services

Here are my notes on how Windows 2000 server can be accessed remotely using two technologies:

"Access Denied" by man and woman

Topics this page:

Related:
Application Development

Site Map  
About this site  

Transport Product Options Overview

There are several transports to remotely connect into a Windows 2000 machine:
• Dial-up using analog modems over phone lines on the Public Switched Telephone Network (PSTN).

• Through a TCP/IP NIC card, create a VPN (Virtual Private Network) connection using encrypted traffic over the public TCP/IP Internet. Two protocols are used to encapsulate PPP frames for secure transmission over IP:
  • PPTP (Point-to-Point Tunneling Protocol)
  • L2TP (Layer 2 Tunneling Protocol), a combination of PPTP and L2F (Layer 2 Forwarding) protocols.

For Network Diagnostics:

netsh diag gui

Microsoft provides for free the Terminal Services Remote Desktop Connection for Windows XP SP1, Windows 2000, and even prior systems. Download it

Windows 2000 Terminal Services and "thin-clients" were previously a separate Terminal Server edition of Windows NT 4.

RRAS (Routing and Remote Access Service)

Configure inbound connections on the domain controller.
Configure outbound connections for domain members.

To grant new user accounts dial-up access, first create a Universal group such as “Dialup Users” and modify the remote access policy to allow dial-up access. Then, add users to the group.

In an NT or Windows 2000 mixed-mode domain, individual accounts are Allowed or Denied access.

In a native Windows 2000 domain, control access using the remote access policy. It is by default set to deny access.

netsh ras ip show config
Negotiation mode: allow
Access mode: all
Address request mode: deny
Broadcast name resolution: disabled
Assignment method: auto
Pool:

To add an entry to the routing table using scriptfilex:

netsh ras add -f scriptfilex


To set time limits for sessions, use the “Routing and Remote Access” MMC console, Properties for the RRAS server, Profile, Dial-in Constraints.

By default, the Windows 2000 system event log only contains RAS errors. To control the level of RRAS data captured ...

RRAS servers that use Windows accounting store authentication events into log files within folder
%systemroot%\System32\LogFiles.

To set RRAS to output activity data to trace logs, configure tracing in the registry.

RRAS configured to use one of these formats:

• Internet Authentication Service (IAS) 1.0
• Open Database Connectivity (ODBC)

ProdRRAS

To use RRAS as a router: ...

To send multicast audio and video through an intranet, create an IP-in-IP tunnel interface:

1. Open the RRAS snap-in,
2. right-click Routing Interfaces under the router in the console tree,
3. Under IP Routing in the console tree, right-click General
4. select New Interface from the context menu
5. In the New Interface for IP dialog box, select the interface.
6. On the Tunnel tab of the Properties sheet, specify the IP addresses of the Windows 2000 router, the remote Windows 2000 router; the TTL value before OK.

En/Disabling PPP Connection Logging

To enable PPP logging for troubleshooting PPP connections to file PPP.LOG in the %systemroot%\Tracing folder.
netsh ras set tracing ppp enabled

To stop PPP logging:

netsh ras set tracing ppp disabled

Add, set (update), and delete entries in -alias configuration files.

Modem logs are contained in %systemroot%\Modemlog_model.txt. It is automatically overwritten unless you adjust the logging settings using Control Panel applet “Phone and Modem Options”.

Windows Terminal Services

Terminal Services enables all client application execution, data processing, and data storage to be performed over any TCP/IP connection to a Terminal Server. Terminal Services provides remote access to a server desktop through terminal emulation software. This means that users can disconnect from a session without logging off. So they can leave a session active (running) while disconnected and then reconnect to the existing session at another time or even from another machine.

The Terminal Services client software is a “super-thin client”. it sends keystrokes and mouse movements to the Terminal server, which manipulates the data locally and passes back the display. This brings Windows desktops to machines that cannot run Windows, such as legacy desktops including Win16, Macintosh, and Unix.

Terminal Services contains its own methods for licensing clients that log on to Terminal servers. This enables users to simultaneously log on to multiple Terminal Server sessions from different desktops.

The Terminal Services licensing method is separate from the method used for Windows 2000 Server clients.

With Windows NT4, Terminal Services Edition was a separate product called Terminal Server Edition.

With Windows 2000, Terminal Services is a built-in feature of Windows 2000 Server.

Terminal Services Licensing includes four primary components:

• the Microsoft Clearinghouse,
• a license server,
• a Terminal server, and
• client licenses.

Terminal Services is enabled in either Remote Administration mode or Application Server mode. Remote Administration allows you to administer a Windows 2000 Server computer remotely over any TCP/IP connection. You can administer file and print sharing, edit the registry, or perform any task as if you were sitting at the console. Remote Administration installs only the remote access components of Terminal Services. It does not install application sharing components, which means you can use Remote Administration with little overhead. Terminal Services allows up to two concurrent Remote Administration connections. No additional licensing is required, and you do not need a license server. In Application Server mode, you can deploy and manage applications from a central location. You can install applications directly on the Terminal server, or you can use remote administration. After an application is deployed in Terminal Services, clients can connect through a remote access connection, a LAN or WAN, and from many types of clients. Client licensing is required when deploying a Terminal server as an application server. Each client computer must have the Terminal Services Client Access License as well as the Windows 2000 Server Client Access License .

The three standard permission levels for Access Control Settings:

• Full Control
• User Access
• Guest Access

There are no group policies to control Terminal Services connections.

Microsoft White Paper: Using Terminal Services for Remote Administration of the Windows 2000 Server Family

Microsoft's Product Catalog

Citrix

Terminal Services uses TCP port 3389, so make sure that's open on your firewalls such as IPCop.

Announcements

• June 98 Press Release
• Beta 1 Reviewer's Guide
• Terminal Server Edition Home
• Deployment Guide (316K)
• Instant access to Microsoft's White Papers:
  • 
  • June, 98 Microsoft Windows NT Server 4.0, Terminal Server Edition: Bringing Windows to Desktops That Can't Run Windows Today
  • June, 98 Optimizing Applications for Windows NT Server 4.0, Terminal Server Edition
  • Terminal Server Technologies
• Books from Amazon about Terminal Server
• Search Throughout Microsoft
• Training and Certification Resources
• Winntmag's Thin Client/Server Computing Community Join in on the official Microsoft discussion forum for Windows®-based Terminal Server (previously codenamed "Hydra") and thin client technology.
  • Support Forum
  • Open discussions
  • Articles Securing Your Thin or Lean Client/Server Environment

Associated Software

• office2000solutions.com
• Compaq Support Software for Terminal Server

• Microsoft's Partners Product Index
• Cubix
• Wyse Technology, Inc manufactures general purpose terminals and Winterm thin-client devices.
• Digital servers
• Netier Technologies, Inc. manufactures thin client terminals for Citrix and Microsoft servers, high performance network servers, and RAID storage arrays.