I have blogged about the Terminal Services capabilities of Microsoft Server 2008 on previous, now defunct, blog sites, and as it came up in a support call today I thought it was worth resurrecting my old article.
Terminal Services is a component of Microsoft Windows and Windows Server. If you have used Remote Desktop to remote control another Windows-based computer, then you have used terminal services already. It is so called after the days when computing power used to be consigned to a central mainframe, and remote thin-client “terminals” would be used to access the processing power and applications held on that mainframe.
Simply put, Terminal Services allows users to access centrally located application resources. Suppose a user needs to edit a document written using Word 2007, but doesn’t have Word 2007 on his or her PC and can’t justify the expense of a license for Office 2007, as they may only need to edit an Office 2007 document once in a blue moon. They can access a legitimately licensed copy of Office 2007 installed on a terminal services server for the length of time they need to do their work; when they have finished, the application is free for someone else to use, without anyone having to install and then uninstall the software on their PC to maintain licensing adherence. The application has been “virtualised”.
At this point I should mention that this is probably not a good example: there are converters available for Word 2007 which can be used with previous versions of Office. Quark, perhaps, would have been a better example, but I’d already taken lots of screenshots of running Word 2007 in a remote terminal session before I started writing this post!
Windows Server 2008 extends the terminal services capabilities of previous versions of the operating system.
Server 2008 Terminal Services Remote Application requires that the client machine be running Remote Desktop version 6.1 – in real terms this means Windows XP Service Pack 3, or Windows Vista Service Pack 1. This can be installed via Windows Update if not already installed.
The principal difference between this release and previous implementations is that with Server 2003 and prior, applications were run in a remote desktop session, whereas with Server 2008 applications are still running “remotely”, but appear to run on the local machine desktop as if they were installed locally. The same Remote Desktop Protocol is used, but the single application loads and is displayed in a single application window, alongside other running applications, rather than the entire desktop of the remote machine. The remote application has its own entry in the taskbar along with local applications, and the window can be maximised and minimised as well as resized, as with local applications. The remote application can also use the “notification area” on the local PC (the system tray). Local drives and printers can also be directed to the remote application.
As far as the user is concerned, they have no means of knowing, necessarily, that the application isn’t running on the local machine: the virtualisation technology hides the physical characteristics of the application from the end user.
Applications can be accessed in two ways:
RemoteApp programs can be launched in a number of ways: an RDP file, which contains details of the program’s location as well as security parameters concerning what the application can access on the local machine, can be launched from the client PC; alternatively, the remote application can be installed on the PC from an MSI file, which adds the program to the Start Menu and associates the correct file extensions for use with the application.
Terminal Services Web Access enables users to launch applications by selecting them from a web site.
Benefits
Besides the benefit of ease of license administration, there are other clear benefits. Client devices can be used simply as thin clients: no data need be stored on the local machine, meaning that should a laptop be lost or stolen there is no sensitive information held on it.
There is no need to keep multiple copies of the same application installed on multiple workstations, kept up to date and patched: only a single copy of the application needs to be maintained.
Because the application is running on central hardware that is more than capable of running that application, the client hardware does not necessarily need to be able to run the application natively. Therefore PCs that could never hope to run Office 2007 locally can access it – provided that they support the Remote Desktop Protocol (RDP).
As opposed to Remote Desktop, which transmits the entire desktop to the remote user and can quickly generate a large amount of data to be transferred, application virtualisation only requires that key-presses and mouse movements be transmitted over the network (and the remote session can be encrypted using TLS encryption if desired). This means that relatively “complicated” applications can still be accessed even over low-bandwidth connections. Also, because the data that is sent between client and server can be encrypted, applications can be accessed remotely even when out of the office, without the need for a separate VPN infrastructure.
This remote access technology can also be combined with Server 2008 Network Access Protection (NAP) technology to ensure that remote clients can only access the application server if they have current anti-virus definitions and meet 'baseline' security requirements defined by the administrator.
Configuring the server
The Terminal Services role is added to the server via the Server Manager application. If you wish to use the Web Access component, then the Web Server (IIS) role should be added also. Once installed, the TS RemoteApp Manager will be listed within the Server Manager:

Applications installed on the server can be “enabled” for RemoteApp use by selecting the Add RemoteApp Programs action. The Add RemoteApp Program wizard will be displayed:

Click Next. A list of available applications will be displayed:

Select the application(s) you wish to enable and click Next.

Click Finish. The wizard is now complete and the applications are enabled. Available applications are listed in the RemoteApp Programs window pane:

Right-clicking on a program allows the administrator to create an RDP or MSI configuration file for the application which can be deployed to the client machines. Applications can also be hidden or added to the Web Access view from here:

Selecting the option to create an RDP file will launch the RemoteApp Wizard:

Click Next. Specify the location where you wish the RDP file to be saved, and also configure certificate and Terminal Server Gateway settings:

A Terminal Server Gateway can be deployed in a DMZ environment, where it accepts RemoteApp connections from client machines and relays them through a corporate firewall to the Terminal Server on the local network. Click Next:

The wizard is now complete; click Finish.
Selecting the option to create a Windows Installer Package will launch the same wizard:

Click Next. Specify where you want the resulting MSI file to be saved and configure certificate and TS Gateway settings:

Click Next. Specify where on the client machine you want the resulting shortcut to be installed:

Click Next and then Finish.
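The generated RDP file is plain text, so it can be reviewed before it is copied to clients. The following Python script is an added example, not part of the original article or of Microsoft's tooling: it parses the file's name:type:value lines and flags settings that correspond to the certificate, gateway and local-resource choices made in the wizard. The sample file, its host name and the finding codes are constructed for illustration.

```python
# Added example: review a RemoteApp .rdp file before distributing it.
# SAMPLE_RDP is constructed for illustration; the host name is a placeholder.
SAMPLE_RDP = """\
full address:s:ts01.example.internal
remoteapplicationmode:i:1
remoteapplicationprogram:s:||WINWORD
authentication level:i:0
redirectdrives:i:1
redirectclipboard:i:1
gatewayusagemethod:i:0
gatewayhostname:s:
"""

def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict; type 'i' values become int."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)   # the value itself may contain ':'
        if len(parts) != 3:
            continue                         # blank or malformed line
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue                     # integer setting with a bad value
        settings[name.lower()] = value
    return settings

def audit_rdp(text):
    """Return a list of 'code: explanation' findings for one .rdp file."""
    # Assumption: redirection settings absent from the file are not flagged.
    s = parse_rdp(text)
    findings = []
    if s.get("remoteapplicationmode") != 1:
        findings.append("not-remoteapp: file opens a full desktop, not one program")
    if s.get("authentication level") != 1:
        findings.append("server-auth: client is not told to refuse unverified servers")
    if s.get("redirectdrives") == 1 or s.get("drivestoredirect"):
        findings.append("drives: local drives are offered to the remote program")
    if s.get("redirectclipboard") == 1:
        findings.append("clipboard: clipboard is shared with the remote program")
    if not s.get("signature"):
        findings.append("unsigned: file carries no signature from the publisher")
    if s.get("gatewayusagemethod", 0) in (0, 4) or not s.get("gatewayhostname"):
        findings.append("no-gateway: connection goes straight to the terminal server")
    return findings

if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_RDP):
        print(finding)
```

RDP files are commonly saved as UTF-16, so decode the file accordingly before passing its text to audit_rdp.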
Configuring the client
Once the RDP or MSI file has been created on the server, it will need to be copied to the client machine.
Running the MSI file will create a shortcut on the client machine in the location specified when the MSI file was created:

RDP files can be double-clicked to launch them. When launched, a connection to the Terminal Server will be established and the user will be prompted to enter a username and password to access the program:

Once authenticated, the user can then specify what resources on the local machine they wish the remote application to have access to:

The application will then load:

(The above screenshot shows that Office is not installed locally on the machine.)
Web Access
By default, web access to the Terminal Server is located at http://(servername)/ts (https would be required if certificate-based access had been configured). The web interface will display a list of programs that have been enabled for web access:

Clicking an icon will launch the connection to the RemoteApp. The user will be prompted to specify what local resources the remote application should have access to:

The user will then be prompted to enter a username and password to authenticate the connection:

The application will then launch. The fact that the application is remote will be indicated by the presence of “(Remote)” in the name of the application window.

From an administrative point of view, web access is the simplest means of deploying applications: the client does not need an RDP or MSI file to be sent to it; the user simply needs the address of the web site.