Terminal Services Web Access

Terminal Services Web Access (or simply TS Web Access) is another Terminal Services feature that has been enhanced in Windows Server 2008. The previous version of Terminal Services in Windows Server 2003 includes a feature called Remote Desktop Web Connection, which is an ActiveX control that provides essentially the same functionality as the full Terminal Services client but is designed to deliver it using a Web-based launcher. By embedding this ActiveX control in a Web page hosted on Internet Information Services (IIS), you enable a user to access the Web page using a Web browser such as Internet Explorer, download and install the ActiveX control, and initiate a session with a remote terminal server. The user’s computer does not require RDC-instead, the TS session runs within the user’s Web browser using ActiveX functionality.

Remote Desktop Web Connection was limited, however, to running entire remote desktop sessions, not individual applications. In addition, the user had to be able to download and install the ActiveX control to connect to and start a session with the terminal server. And if the security policy on the user’s computer prevented him from downloading and/or installing ActiveX controls, he was out of luck and couldn’t use Remote Desktop Web Connection.

Windows Vista, together with Windows Server 2008, enhances Remote Desktop Web Connection functionality in two basic ways. First, the RDC 6.0 client has this ActiveX control built into it, so users no longer need to download and install an ActiveX control to start a Terminal Services session within a Web browser-at least, they don’t have to do this if their client computer is running Windows Vista (which includes RDC 6.0) or if they are running Windows XP SP2 and have the RDC 6.0 update for Windows XP installed. (The RDC 6.0 update for Windows XP is described in KB 925876 and is available from the Microsoft Download Center or via Windows Update.)

And second, TS Web Access integrates with the TS RemoteApp feature, allowing users to go to a Web page, view a list of available RemoteApp programs they can run, click an icon link for a particular RemoteApp program, and run that program on their computer. In fact, TS Web Access includes a default Web page that you can use for deploying RemoteApp programs from a Web page. This default page consists of a frame together with a customizable Web Part that displays the list of RemoteApp programs within the user’s Web browser. And if you don’t want to use this default Web page, you can add the Web Part into a Microsoft Windows SharePoint Services site.

Once a RemoteApp program has been started from the default Web page, the application appears as if it is running on the local computer’s desktop just like with the TS RemoteApp feature described previously. In addition, if the user starts more than one RemoteApp program from the Web page and these programs are all running on the same terminal server, all the RemoteApp programs will run within the same Terminal Services session.

Using TS Web Access

Let’s take a quick look at how to make TS Web Access work. First you need to add the TS Web Access role service to a server running Windows Server 2008, and when you do this you’re also required to add the Web Server (IIS) role to your server, plus a feature called Windows Process Activation Service (WPAS). Once you’ve installed TS Web Access, you next need to specify a data source to use to populate the list of RemoteApp programs that will be displayed within the Web Part.

Note that IIS can populate the list of RemoteApp programs displayed within the Web Part from either a local or an external data source, plus this list is dynamically updated so that if you add another application to the RemoteApp programs list in TS RemoteApp Manager, it will be displayed to the user the next time she opens the default Web page for TS Web Access. In other words, the Windows Server 2008 machine on which you add the TS Web Access role service (and hence, also IIS 7.0) doesn’t need to have the core Terminal Server role service installed on it as well. Thus, you could have one or more terminal servers for remotely running applications, and a single IIS 7.0 server that has TS Web Access installed on it to provide a way for users to access your terminal servers from a Web page and run RemoteApp programs on your terminal servers.

The data source for populating the Web Part can be a specific terminal server, which causes all applications on the RemoteApp programs list on the terminal server to be made available for all users. In other words, using this approach means that all users will see the same list of RemoteApp programs when they view the page that has the Web Part embedded in it.

Before we look at how to configure the data source, let’s jump ahead and actually try TS Web Access. Remember from our previous discussion of TS RemoteApp earlier in this chapter that, by default, when you add an application to the RemoteApp programs list using the TS RemoteApp Manager snap-in, the application is also made available for users to access via TS Web Access (even if TS Web Access has not been installed at that point). So you’ve already made Paint available using TS RemoteApp, which means the application should also be available to users via TS Web Access.

Let’s check: from a Windows Vista client computer to which we’ve logged on using a domain user (non-admin) account, let’s open Internet Explorer and go to the URLhttp://<server_name>/ts where <server_name> is the name (hostname or FQDN) or IP address of our terminal server. When we open this URL and enter our credentials (and optionally save them in CredMan for future reuse), we see the following Web page:

Note the icon for Paint that is visible within the Web Part. If we click on this icon and respond to a couple of security dialogs (some of these security hurdles will likely go away between now and RTM to make the user’s experience even smoother), we see the same Connecting Remote-App window followed by a “Do you trust the computer you are connecting to?” dialog (unless we previously selected the check box to not display that dialog any more). Then, once we’ve been authenticated and RDC have successfully connected to the terminal server, a remote copy of Paint appears running on our desktop-just as before with the TS RemoteApp feature. Note that Paint runs right on our desktop, not within our Web browser.

What if you are an administrator and you want to configure the data source for TS Web Access? You might have noticed that when you installed the TS Web Access role service to your Windows Server 2008 machine that it didn’t add any TS Web Access sub-node under Terminal Services in Server Manager. That’s because TS Web Access is really just an IIS application, which means you configure it using the Internet Information Services (IIS) Manager console. (See Chapter 11, “Internet Information Services 7.0,” for more information concerning IIS.) But you actually don’t need to do this here-instead, you can configure your data source using your Web browser! Just follow the same steps as shown earlier, but this time instead of specifying domain user credentials from a Windows Vista client computer, open Internet Explorer on your TS Web Access server and use your local Administrator credentials. (Alternatively, you can open IE either locally or remotely and specify credentials that belong to the TS Web Access Administrators local group on the TS Web Access server.) Once you do this, the Web page we just saw is displayed again, but with one significant difference:

Note the Configuration button that was displayed when we accessed this page as an ordinary user.

Of course, the UI might change to some degree by RTM, and this chapter is currently being written using a near-Beta 3 build of Windows Server 2008, but the basic idea of how TS Web Access is deployed, configured, and used should stay pretty much the same. And if you want users to be able to securely access this TS Web Access Web page over the Internet, you can deploy the new TS Gateway feature of Windows Server 2008 to help ensure that users’ remote connections over the Internet to your terminal servers are secure. We’ll learn more about TS Gateway later in this chapter.

Finally, if your client computer is running an older version of Windows, or if it is running Windows XP SP2 but doesn’t have the RDC 6.0 update installed on it, you can still access an entire remote desktop on the terminal server from within your Web browser by opening the URL http://<server_name>/tsweb instead of http://<server_name>/ts. By doing this, you can use Remote Desktop Web Connection on your client computer, download and install the ActiveX control needed, and run a separate remote desktop on top of your physical desktop.

Now let’s learn some more about administering this feature from one of our experts on the Terminal Services team at Microsoft.

First, let’s look at how we can increase the number of remote desktops available to any terminal server on our network. We’ll hear again from our expert on the team concerning this and see that the procedure involves editing the registry so that all the usual warnings apply concerning this:

The RemoteApp manager has only a setting to show the desktop connection for the Terminal Server that the RemoteApp manager is connected to. But you can easily have an arbitrary number of desktops connected to any server in your network. First, for desktops to be available you have to make sure the TS Web Access (TSWA) site is set up in the Terminal Server mode. That is, it should be pointed at a single Terminal Server. There are then two tasks you need to accomplish to make a new desktop available for TSWA: create a registry entry for the new desktop, and create an RDP file that represents the connection settings for the desktop. You can use the WMI interface or manually create the entries, but I will discuss how to manually create the entries. Also, remember you must be an administrator on the Terminal Server box while making these changes.

First, create the registry key for the new desktop. All desktop registry keys are located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Terminal Server\TSAppAllowList\RemoteDesktops.

Create a new key with the name of the desktop-for example, server1.mycorp.net. Inside this new registry key, you need to create the following values:

1. Create IconPath as a REG_SZ. This should be the fully qualified path to either the executable or dll that contains the icon you want to use or the path to the icon file itself. If it is an icon file, it must end in .ico. If you leave this empty, the mstsc client icon will be used instead.

2. Create IconIndex as a REG_DWORD. This should be the index of the icon in the file specified by IconPath. If you use an icon ID instead of an index, it needs to be negative. For example: –2 specifies the icon with an ID of 2, while 2 specifies the third icon in the file. (The index starts at 0.)

3. Create Name as a REG_SZ. This will be the name shown to the users that visit the TSWA site.

4. Create ShowInTSWA as a REG_DWORD. Set this to 1 or the desktop will not be shown in the TSWA site.

   Next, the RDP file needs to be created for the desktop. The easiest way to do this is to open up the mstsc client. Apply the settings that you want to use, and save this from the client as the name of the registry key that you created under the RemoteDesktops registry key. In this example, you want to save it as server1.mycorp.net.rdp. This file needs to be moved to %WINDIR%\RemotePackages\RemoteDesktops, and all users need to be able to read the RDP file. Once this is done, the desktop will show up in the TSWA site (though there might be some lag time until the cache expires or is reset by an administrator of the TSWA site).

   –Kevin London

   Software Design Engineer, Terminal Services

Next, here’s how you can move the Web site for TS Web Access in IIS from the Default Web Site to some other Web site running on your IIS server should you need to do this:

You might want to have TSWA on a non-default Web site because you might want to use a nonstandard port to connect to TSWA. Or you might have other reasons to move TSWA to a non-default Web site. Several steps need to be done before installing TSWA to accomplish this task, but they are easy and straightforward:

1. Install IIS.

2. Start the management console for IIS.

3. Right-click on the top-level node and click Add Website.

4. Give it a name, and note that you need to use a nonstandard port or a different NIC.

5. Create the registry key HKLM\SOFTWARE\Microsoft\Terminal Server Web Access Website (which is a REG_SZ), and set this to the name specified in step 4.

6. Install the TS WebAccess role.

   After you complete this procedure, TS Web Access will be created on a non-default Web site.

   –Kevin London

   Software Design Engineer, Terminal Services

Benefits of TS Web Access

What are some possible benefits of using TS Web Access? How about really simple application deployment? (“Hey user, go to this Web page and click this icon and Excel will open.”) We’re talking about a technology that is ideal for low-complexity scenarios. Plus it can be customized to use with SharePoint, which is enormously popular in the enterprise environment nowadays.

How should you best implement this feature? Use it mainly if you have a single terminal server, as it’s really not intended for multiserver scenarios. That’s about it.