The RRAS in SBS 2003 provides important security features to your network. It also provides remote access capabilities via VPN and dial-up. You can configure these services by running the built-in wizards and then modify the configuration to add more advanced features.
This chapter detailed the features of the RRAS and explained how to configure it as a NAT/basic firewall and to accept incoming VPN and dial-up connections. The VPN capabilities of SBS were also described in depth, with special attention to enhancing the security of your network. However, firewalls and VPNs are a vast subject, and only so much can be covered in one chapter. The reader is encouraged to further familiarize himself with other firewall and VPN options not covered in this book.
Best Practice Summary
Chapter 8. Terminal Services
Of all the changes that Microsoft implemented in SBS 2003, the one that met with the largest uproar from the SBS community was the removal of Terminal Services support from the SBS server. Not all of the responses were negative, however. A large portion of the SBS community celebrated the loss of Terminal Services in Application mode because it removed one of the most significant security threats from the server.
Still, small companies that had been using Terminal Services on their SBS 2000 installations need to provide Terminal Services in the SBS 2003 environment. This chapter explains the basics of setting up Terminal Services in an SBS 2003 network and touches on some of the more common issues that network administrators may face.
Understanding Terminal Services Operating Modes
In the 2003 series of server products, Terminal Services features are provided in one of two modes: Remote Administration and Application. Remote Administration provides two remote desktop connections to a server for administration purposes. Application mode allows users to connect to run shared applications. But there are more differences than that, and they are detailed in the following two sections.
Remote Administration Mode
Almost all Windows 2003 servers support Remote Administration mode for remote access to the server console. A maximum of two simultaneous connections is allowed, and only members of the Domain Admins group can make a remote connection to the server when this mode is enabled.
When connecting to a server in Remote Administration mode, the administrator has full access to the server as if she had logged on to the server console directly. The key thing to remember, however, is that you have not logged on to the server console directly unless you jump through a few hoops first.
By default, the SBS server is preconfigured with remote administration access enabled. You do not have to do any manual configuration to allow remote access to the server from inside the network. You need to enable Terminal Services access through the SBS firewall in the Connect to the Internet Wizard (CEICW) if you want to get access to the server desktop from outside the local network.
Application Mode
Terminal Services in Application mode is what most people think of when they think about a terminal server. When in this mode, a number of users can log in to the terminal server, run applications, and save data just as if they were logged in on a "normal" PC. There are a number of licensing restrictions regarding Terminal Services, more than can be appropriately addressed in this book. However, the section "Configuring Terminal Services Licensing Service" later in the chapter covers how to install appropriate Terminal Services licensing so that users can connect to the terminal server.
Before that can happen, however, a server has to become a terminal server first, and that involves installing Terminal Services in Application mode. Before you do this installation, consider a few items: