John Howard - Senior Program Manager in the Hyper-V team at Microsoft

Senior Program Manager, Hyper-V team, Windows Core Operating System Division.

Terminal Services Gateway and Terminal Services Web Access using Hyper-V (Part 1)

Terminal Services Gateway and Terminal Services Web Access using Hyper-V (Part 1)

  • Comments 27
  • Likes

So over the weekend, I found myself with a few spare hours, and got back to “playing with technology” – something I haven’t had a lot of time to focus on recently. What I ended up with was something which I classify mostly as “because I can”, but nonetheless (IMHO) pretty cool and dead useful! What I was impressed most of all with was the simplicity of it.

Of course, Hyper-V being my favourite technology, that had to be in the mix. The mission was to install a 64-bit Windows Server 2008 virtual machine under Hyper-V, running a Terminal Services gateway and web access with remote applications available on the Internet to manage Hyper-V. I used the beta version of Hyper-V which is present as part of Windows Server 2008 RTM (Release To Manufacturing)

Let’s see how simple it really was.  (Please note, I work in the Hyper-V team. While I get by in many, if not most Microsoft server technologies, I am by no means an expert in configuring or administering Terminal Services, Active Directory Certificate Services, Exchange or ISA Server. Feel free to drop questions you may have my way, but I may have to redirect you if it’s out of my depth!)

On an extremely modest machine (Dual Core desktop, 2GB RAM with a couple of very average 80GB SATA disks), I installed Windows Server 2008 Enterprise Edition and used Server Manager to enable the Hyper-V role. (BTW, Windows Server 2008 RTM is became available to MSDN and Technet subscribers this week).

After the Hyper-V role was installed, I built a Uni-Processor (UP) virtual machine running Windows Server 2008 Enterprise Edition with 1GB RAM on a single VHD. I joined it to my test domain, gave it an appropriate name, assigned a static IP address, enabled remote desktop and created an administrative account (TSAdmin) in my test domain to manage the machine. Finally I made TSAdmin a member of the local administrators group on the Virtual Machine. Nothing complicated so far – all standard operating procedure to get a blank machine up and running and ready to start work on.

The first thing to do is to add the Terminal Services role using Server manager. Much like adding the Hyper-V role, this is a relatively simple wizard, and for most options in a simple configuration, the defaults are what you need.

AddRole1

Click the Terminal Services checkbox and add the Terminal Server, TS Gateway and TS Web Access role service. You’ll note (and this is one thing I think is really quite cool about server manager), that you are prompted for the dependencies needed to make the TS Gateway and TS Web Access roles working correctly. No longer the need like there was in Windows Server 2003 when configuring things like Exchange and Outlook Web Access where you have to manually add all the dependencies such as RPC over HTTP proxy and IIS .

AddRole2

The first challenging question is the Authentication Method for Terminal Server. The answer really depends on which clients you are expecting to be connecting. In my case, it’s Vista SP1 clients, so there’s no need for me to allow computers running any version of Remote Desktop Connection client to be able to connect.

AddRole3

You are then asked for a licensing mode.  By default, you have up to 120 days to configure this, and for this test, I just left it to remind me later.

AddRole4

Next you are asked for the user groups allowed to access the server. In my case, I added the TSAdmin user account and the “Parents” domain group, which I’m a member of on my test domain.

AddRole5

The next page of the wizard asks you to select a Server Authentication Certificate. As I have a Certificate Authority already setup on a Windows Server 2003 virtual machine, a certificate for Server Authentication was already available as part of joining the Virtual Machine to the domain, this was a simple choice. Note that you also have a choice of creating a self signed certificate for test scenarios such as this where a Certificate Authority is not available. I thought that was a really nice touch to include that option in the wizard from the Terminal Server team.

AddRole6

The next steps are to create appropriate policies. In a simple configuration, I allowed myself (obviously) access through the gateway,  and to use the default “password only” option for the connection authorization policy (CAP). On the resource authorization policy step, I allowed users to be able to connect to any network resource (this is not the default). Under Network Policy and Access Services and Web Server (IIS), I just chose the defaults and clicked Next through the steps and allowed the role to be installed. That takes a minute or so for everything to complete.

AddRole7

Finally, you must restart the (virtual) machine – do you know, that at this point, I’d forgotten the machine was a VM, not a physical machine 

AddRole8

Server manager completes the role installation once the restart has been completed and you have logged on again. You’ll note I have a warning as I haven’t yet enabled Automatic Updates on this VM. Time to turn that on….

AddRole9

In part 2, I’ll look at the next steps, including one way of setting up ISA 2006 to provide a secure front end to the gateway.

Cheers,
John.

Comments
  • Sounds exactly like the steps I followed except I add the Licensing Server Role AND I ran into A HUGE PROBLEM!

    I login to my TS machine as the domain admin that I configured the machine with and browsed to http://localhost/ts.  Everything is fine.

    I login with a regular domain user, browse to http://localhost/ts and I get this IIS exception EVERYTIME!!

    Server Error in '/TS' Application.

    Some or all identity references could not be translated.

    I've literally tried to fix this for the last 8 hours.  I removed then added the machine back to the domain.  I added every domain group/user to every setting I could.  (What's weird about that is I can add them, but when I visit Local Users & Groups later and view the groups, my domain users/groups don't show up in the list.  If I add them again, it says I can't because they're already there.)

    New local users work fine, it's regular domain users and I can't find anything anywhere on the net of someone having a similiar problem :(

  • Matt - this isn't something I'd be able to answer from the Hyper-V side. It doesn't sound like a Hyper-V issue. I would suggest you post a question to the TS team on their blog at http://blogs.msdn.com/ts/ or post a question on the Technet forums for TS.

    Sorry!

    Cheers,

    John.

  • Am I correct in assuming that you did the following on  one physical server :

        1.  Installed Server 2008 Enterprise as the PDC

        2.  Installed Hyper-V and created a new virtual machine

        3.  Installed Server 2008 Enterprise on the virtual machine

        4.  Configured the virtual installation to be a terminal server

    Next question....would this configuration be possible and supported by Microsoft if using SBS2008 Premium?  Using SBS as the PDC and the second server license as a 2008 terminal server in the virtual environment.

    Thanks for your time.  If I'm barking up the wrong tree can you point me in the right direction?

  • Rick - it was a while back, and there were multiple physical servers present, but as I recall.....

    Hyper-V was used to create and run the TS machine virtualized. Due to the spec of the box at the time (limited RAM), it was the only VM running on it.

    At the time I had two 2003 DCs seperate from the Hyper-V machine, and the Hyper-V machine was in that domain (as was the root CA, TS machine, ISA machine etc).  Most of the other VMs were running on Virtual server back then, since migrated to Hyper-V and the domain moved to 2008 native.

    Unfortunately, I really don't think I can safely answer any licensing questions and am not familiar with the way licensing works with SBS. A good place to start with those questions may be some of the Windows Server technet forums http://social.technet.microsoft.com/Forums/en-US/category/windowsserver/.

    Thanks,

    John.

  • I found a resolution to my problem above, thanks for your response.

    Apparently you'll encounter strange bugs if you create a VM base image and then copy it to create new VMs (to save time not having to install and update).  Don't do it unless you run SYSPREP!  This was news to me.

  • Matt - glad you resolve it. Yes, correct - cloning any machine without sysprep involved will cause no end of problems. Thanks for the update.

    Cheers,

    John.

  • Hi John

    I am very interested in this scenario.This is my chance for testing  TSGateway.I hope part 2 is comming soon.I intend to clone all steps and therefore my question:why was installed Server2008Enterprise and not Standard? And please an additional question.Is it correct if the virtual MAC is sent to the router?I have expected the MAC of the physical NIC.

    Thanks,

    monikaW

  • monikaW - yes, part 2 is http://blogs.technet.com/jhoward/archive/2008/02/09/terminal-services-gateway-and-terminal-services-web-access-using-hyper-v-part-2.aspx and it goes on to parts 3 and 4 too. Easiest way to find them is choose the posts from February 2008.

    Thanks,

    John.

  • Hi, John,

    I'm a software developer and a Newbie to Hyper-V. The procedure you've described sounds complicated to me, I'm afraid.

    I wanted to install Hyper-V Server on a rack machine at  my providers' and install three virtual machines running IIS as web servers on it. To administer all of them I just wanted to run Remote Desktop to administer Hyper-V and Remote Desktop/SCVMM to administer the VMs from any client machine.

    Is it really necessary to use the Terminal Server role, to create a CA etc. etc. for making such setup secure?

    It's hard enogh for me to administer Hyper-V using the command line. NETSH and NETCFG are all new to me. Yet I don't want to unnecessarily install a Windows 2008 Server with Hyper-V just to provide a Hyper-V role. So I'll guess I've got to get through with the command line and any documentation I'll find...

  • Alex - the TS Gateway solution (AFAIK - not being on the TS team) requires a domain environment and supporting infrastructure. It's not strictly necessary to have your own CA though - a commercial certificate can be used to secure the connection.

    However, a simpler solution may be to have just an RDP connection open to the server and perform management locally for the VMs. In the case of Hyper-V Server though, this will not be possible as the management tools are not available - only for a full installation of Windows Server 2008 (/R2).

    The other alternative would be to configure a VPN connection so that you are able to use the Hyper-V manager tools remotely connecting to the Hyper-V Server box.

    Thanks,

    John.

  • Is it possible to connect to Hyper-V manager with non admin domain account?

  • Nirmal - yes. See code.msdn.microsoft.com/hvremote

    Cheers,

    John.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment