Terminal Services Gateway and Terminal Services Web Access using Hyper-V (Part 1)
So over the weekend, I found myself with a few spare hours, and got back to “playing with technology” – something I haven’t had a lot of time to focus on recently. What I ended up with was something which I classify mostly as “because I can”, but nonetheless (IMHO) pretty cool and dead useful! What I was impressed most of all with was the simplicity of it.
Of course, Hyper-V being my favourite technology, that had to be in the mix. The mission was to install a 64-bit Windows Server 2008 virtual machine under Hyper-V, running a Terminal Services gateway and web access, with remote applications available on the Internet to manage Hyper-V. I used the beta version of Hyper-V which is present as part of Windows Server 2008 RTM (Release To Manufacturing).
Let’s see how simple it really was. (Please note, I work in the Hyper-V team. While I get by in many, if not most Microsoft server technologies, I am by no means an expert in configuring or administering Terminal Services, Active Directory Certificate Services, Exchange or ISA Server. Feel free to drop questions you may have my way, but I may have to redirect you if it’s out of my depth!)
On an extremely modest machine (Dual Core desktop, 2GB RAM with a couple of very average 80GB SATA disks), I installed Windows Server 2008 Enterprise Edition and used Server Manager to enable the Hyper-V role. (BTW, Windows Server 2008 RTM became available to MSDN and Technet subscribers this week.)
After the Hyper-V role was installed, I built a Uni-Processor (UP) virtual machine running Windows Server 2008 Enterprise Edition with 1GB RAM on a single VHD. I joined it to my test domain, gave it an appropriate name, assigned a static IP address, enabled remote desktop and created an administrative account (TSAdmin) in my test domain to manage the machine. Finally I made TSAdmin a member of the local administrators group on the Virtual Machine. Nothing complicated so far – all standard operating procedure to get a blank machine up and running and ready to start work on.
The first thing to do is to add the Terminal Services role using Server Manager. Much like adding the Hyper-V role, this is a relatively simple wizard, and for most options in a simple configuration, the defaults are what you need.
Click the Terminal Services checkbox and add the Terminal Server, TS Gateway and TS Web Access role services. You’ll note (and this is one thing I think is really quite cool about Server Manager) that you are prompted for the dependencies needed to make the TS Gateway and TS Web Access roles work correctly. There is no longer the need, as there was in Windows Server 2003 when configuring things like Exchange and Outlook Web Access, to manually add all the dependencies such as RPC over HTTP proxy and IIS.
The first challenging question is the Authentication Method for Terminal Server. The answer really depends on which clients you are expecting to be connecting. In my case, it’s Vista SP1 clients, so there’s no need for me to allow computers running any version of Remote Desktop Connection client to be able to connect.
You are then asked for a licensing mode. By default, you have up to 120 days to configure this, and for this test, I just left it to remind me later.
Next you are asked for the user groups allowed to access the server. In my case, I added the TSAdmin user account and the “Parents” domain group, which I’m a member of on my test domain.
The next page of the wizard asks you to select a Server Authentication Certificate. As I have a Certificate Authority already set up on a Windows Server 2003 virtual machine, and a certificate for Server Authentication was already available as part of joining the virtual machine to the domain, this was a simple choice. Note that you also have the choice of creating a self-signed certificate for test scenarios such as this where a Certificate Authority is not available. I thought it was a really nice touch from the Terminal Server team to include that option in the wizard.
The next steps are to create appropriate policies. In a simple configuration, I allowed myself (obviously) access through the gateway, and used the default “password only” option for the connection authorization policy (CAP). On the resource authorization policy step, I allowed users to be able to connect to any network resource (this is not the default). Under Network Policy and Access Services and Web Server (IIS), I just chose the defaults and clicked Next through the steps and allowed the role to be installed. That takes a minute or so for everything to complete.
Finally, you must restart the (virtual) machine – do you know that, at this point, I’d forgotten the machine was a VM, not a physical machine!
Server Manager completes the role installation once the restart has been completed and you have logged on again. You’ll note I have a warning as I haven’t yet enabled Automatic Updates on this VM. Time to turn that on…
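A post-install check for two of the wizard choices above, the Terminal Server authentication method and the server authentication certificate, added here as an example and not part of the original post. It assumes PowerShell is installed on the server, and it reads the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class and the certificates in the computer's Personal store.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the terminal server itself.

# --- 1. Authentication method chosen for the RDP listener -------------------
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# SecurityLayer values as documented for Win32_TSGeneralSetting
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

'NLA required   : {0}' -f ($listener.UserAuthenticationRequired -eq 1)
'Security layer : {0}' -f $layerNames[[int]$listener.SecurityLayer]

if ($listener.UserAuthenticationRequired -ne 1) {
    Write-Warning 'RDP-Tcp accepts clients that do not support Network Level Authentication.'
}

# --- 2. Server Authentication certificates in the computer store ------------
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now = Get-Date

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Simplification: certificates with no EKU extension are skipped.
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    if (-not $eku) { continue }
    $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($usages -notcontains $serverAuthOid) { continue }

    # Flag the conditions that make clients warn or refuse to connect.
    $findings = @()
    if ($cert.Subject -eq $cert.Issuer) { $findings += 'self-signed' }
    if ($cert.NotAfter -lt $now)        { $findings += 'expired' }
    if ($cert.NotBefore -gt $now)       { $findings += 'not yet valid' }
    if (-not $cert.HasPrivateKey)       { $findings += 'no private key' }
    if ($findings.Count -eq 0)          { $findings = @('ok') }

    '{0}  expires {1:yyyy-MM-dd}  [{2}]  {3}' -f $cert.Thumbprint, $cert.NotAfter,
        [string]::Join(', ', $findings), $cert.Subject
}
```

A self-signed certificate reported here is fine for a test setup like this one, but clients outside the domain will not trust it unless it is installed on them.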
In part 2, I’ll look at the next steps, including one way of setting up ISA 2006 to provide a secure front end to the gateway.
Cheers,
John.
Comments
Anonymous
January 01, 2003
Sorry for the dearth of posts - I have been rather busy lately. As such I thought I would quickly
Anonymous
January 01, 2003
In the Hyper-V shiproom, we have signed off on Hyper-V RTM (Release To Manufacturing). The build and
Anonymous
January 01, 2003
Hyper-V HW & SW requirement: http://technet.microsoft.com/en-us/library/cc816844.aspx Hyper-V RTM
Anonymous
January 01, 2003
Naga - as I mentioned at the very top of the post, I don't know - I would have to defer to a TS expert to answer specific TS deployment scenarios. Thanks, John.
Anonymous
January 01, 2003
Saravanan V S - this is far out of my area of expertise I'm afraid. As I understand it, this is possible using WSMan, but what it would take, I really don't know. More information on WinRM is http://msdn.microsoft.com/en-us/library/aa384291(VS.85).aspx. From reading so far, it sounds like this is very possible. Thanks, John.
Anonymous
January 01, 2003
Matt - this isn't something I'd be able to answer from the Hyper-V side. It doesn't sound like a Hyper-V issue. I would suggest you post a question to the TS team on their blog at http://blogs.msdn.com/ts/ or post a question on the Technet forums for TS. Sorry! Cheers, John.
Anonymous
January 01, 2003
Matt - glad you resolved it. Yes, correct - cloning any machine without sysprep involved will cause no end of problems. Thanks for the update. Cheers, John.
Anonymous
January 01, 2003
Nirmal - yes. See code.msdn.microsoft.com/hvremote Cheers, John.
Anonymous
January 01, 2003
Saravanan - Hyper-V exposes this information through WMI and certainly it is available. There are a number of resources which will assist here: The official documentation for the Hyper-V WMI interfaces is on MSDN and has recently been updated with a first wave of sample code (as I understand it, this will be built on over time). http://msdn.microsoft.com/en-us/library/cc136992(VS.85).aspx James has a powershell library posted up on codeplex: http://blogs.technet.com/jamesone/archive/2008/06/18/hyper-v-powershell-library-now-on-codeplex.aspx Taylor also has a number of powershell samples on his blog: http://blogs.technet.com/taylorb
Anonymous
January 01, 2003
Hi John, I am very interested in this scenario. This is my chance for testing TSGateway. I hope part 2 is coming soon. I intend to clone all steps and therefore my question: why was Server2008Enterprise installed and not Standard? And please, an additional question. Is it correct if the virtual MAC is sent to the router? I have expected the MAC of the physical NIC. Thanks, monikaW
Anonymous
January 01, 2003
monikaW - yes, part 2 is http://blogs.technet.com/jhoward/archive/2008/02/09/terminal-services-gateway-and-terminal-services-web-access-using-hyper-v-part-2.aspx and it goes on to parts 3 and 4 too. Easiest way to find them is choose the posts from February 2008. Thanks, John.
Anonymous
March 14, 2008
Hi, while starting a virtual machine in Hyper-V management I am getting an error like Virtual Machine failed to start, Hypervision not initialised. Please help me how to solve this problem..... Thanks Manohar
Anonymous
July 24, 2008
Is it possible to get the list of VMs and its associated details using web services from Hyper-V like what ESX supports?
Anonymous
July 29, 2008
Thanks John, James and Taylor. I have a Java application through which I would like to read all VMs from Hyper-V and list them in my application. For ESX, I write web services and talk using SOAP. Is it possible to use SOAP to communicate with Hyper-V also to get the VM details?
Anonymous
October 22, 2008
Hi John, I'm in a situation where I had installed TSRemote on a LAN and TSG on the WAN, this works fine for me. Now I want to use TSWeb where should I place this ?
- On TSGateway and then allow TSWEB to communicate.
- On TSremote app ? putting everything in a single machine works fine.
Anonymous
October 22, 2008
Hi Saravanan, I have the same requirement as you have - "I have java application. Through which I would like to read all VMs from Hyper-V and list down in my application. For ESX, I write web services and talk using SOAP. Is it possible to use SOAP to communicate with Hyper-V also to get the VM details." Were you able to find a solution? If so, can you please throw some light on it? Appreciate your help. Thanks and Regards, Priya
Anonymous
October 31, 2008
Priya, Saravanan, Did you get any information about this? Thanks, shashi
Anonymous
January 25, 2009
Sounds exactly like the steps I followed except I added the Licensing Server Role AND I ran into A HUGE PROBLEM! I login to my TS machine as the domain admin that I configured the machine with and browsed to http://localhost/ts. Everything is fine. I login with a regular domain user, browse to http://localhost/ts and I get this IIS exception EVERY TIME!! Server Error in '/TS' Application. Some or all identity references could not be translated. I've literally tried to fix this for the last 8 hours. I removed then added the machine back to the domain. I added every domain group/user to every setting I could. (What's weird about that is I can add them, but when I visit Local Users & Groups later and view the groups, my domain users/groups don't show up in the list. If I add them again, it says I can't because they're already there.) New local users work fine, it's regular domain users and I can't find anything anywhere on the net of someone having a similar problem :(
Anonymous
January 26, 2009
Am I correct in assuming that you did the following on one physical server: 1. Installed Server 2008 Enterprise as the PDC 2. Installed Hyper-V and created a new virtual machine 3. Installed Server 2008 Enterprise on the virtual machine 4. Configured the virtual installation to be a terminal server. Next question... would this configuration be possible and supported by Microsoft if using SBS2008 Premium? Using SBS as the PDC and the second server license as a 2008 terminal server in the virtual environment. Thanks for your time. If I'm barking up the wrong tree can you point me in the right direction?
Anonymous
January 27, 2009
I found a resolution to my problem above, thanks for your response. Apparently you'll encounter strange bugs if you create a VM base image and then copy it to create new VMs (to save time not having to install and update). Don't do it unless you run SYSPREP! This was news to me.
Anonymous
February 27, 2010
Is it possible to connect to Hyper-V manager with non admin domain account?