Microsoft Virtual Labs

®

Windows Server 2008 Centralized Application Access

Windows Server 2008 Centralized Application Access

Table of Contents
Windows Server 2008 Centralized Application Access ............................................................. 1
Exercise 1 Implementing Terminal Services Gateway ..................................................................................................2 Exercise 2 Implementing Terminal Services RemoteApp .............................................................................................9 Exercise 3 Implementing Terminal Services Web Access .......................................................................................... 13 Exercise 4 Using Windows System Resource Manager with Terminal Services (Optional)....................................... 15

Windows Server 2008 Centralized Application Access

Windows Server 2008 Centralized Application Access
Objectives
After completing this lab, you will be better able to: Implement a Terminal Services Gateway Implement Terminal Services RemoteApp Utilize Windows System Resources Manager on a Terminal Services Server In this lab, you perform the function of an administrator for a company that has users who work both within the corporate network and remotely. Some of the users who work remotely, access the internet via shared computers. These users only require access to specific applications. You need to allow authorized users on an Internet-connected computer running Microsoft Windows Vista to easily and securely connect to remote computers on the corporate network through a Terminal Services Gateway. In addition, you need to provide access to standard Microsoft Windows programs from virtually any location to any Windows device with Internet access. As a Terminal Server administrator you will also configure policies on the server to ensure that all users connecting to the server have an equal share of the server’s resources and ensure a consistent and predictable experience for users of applications and services. To achieve this goal you will implement a resource management policy on the server using Windows Server Resource Manager. Before working on this lab, you must have: Experience (level 200+) with Windows Server 2000 and/or Windows Server 2003 A MCSA/MCSA Certification or equivalent knowledge. You should be familiar with basic networking concepts and Active Directory concepts.

Scenario

Prerequisites

• •

Estimated Time to Complete This Lab Computer used in this Lab

90 Minutes NYC-DC-01 NYC-CLI-01 NYC-CLI-02 NYC-DC-01-2 NYC-CLI-01-2 NYC-CLI-02-2

Page 1 of 15

Windows Server 2008 Centralized Application Access

Exercise 1 Implementing Terminal Services Gateway
Scenario
In this exercise, you will configure a Terminal Services Gateway Server and a Terminal Services Gateway Client. You will configure the Terminal Services Gateway Server by first obtaining, importing and mapping a security certificate for the server. You will then configure the server with a Connection Authorization Policy, a Resource Group and a Resource Authorization Policy. After configuring the Terminal Services Gateway Server, you will then configure a Terminal Services Gateway Client and then establish a connection to the Terminal Services Gateway Server. Note: This exercise uses the following computers: NYC-DC-01 and NYC-CLI-01 Note: Before you begin this exercise, you must start and log on to the computers. Note: The Terminal Services Gateway Server has already had the Terminal Services Gateway role installed. Tasks Complete the following 3 tasks on: NYC-DC-01 1. Confirm the Terminal Server Gateway Server services have started Detailed Steps Note: In this task you will confirm that the required services to run Terminal Services Gateway Server have been installed and have started correctly. In the case that you have been given a pre-configured server this should always be your first action to ensure that the relevant services have successfully started. These services are required for clients to connect via the Terminal Services Gateway. You will also confirm that the default Web Site is configured to start automatically. The web site on the Terminal Services Gateway server is used by clients to establish the connection to the Terminal Server. The gateway enables users to connect using a secure web connection port (port 443) rather than using the standard Terminal Services port (port 3389). Note: This task uses the following computer: NYC-DC-01 and NYC-CLI-01 a. Log on to NYC-DC-01 as Administrator with the password of P@ssw0rd. b. On the Start menu, navigate to All Programs/Administrative Tools and then click Server Manager. c. In Server Manager, in the Explorer pane, expand Roles and then select Terminal Services. d. In the Contents pane, examine the contents of the System Services area. Note: The services required for terminal services should all be shown as running. This is confirmed by the heading of System Services: All Running e. In the Explorer pane, expand Roles/Web Server (IIS) and then select Internet Information Services (IIS) Manager. f. In the Connections pane, navigate to NYC-DC-01 (WOODGROVEBANK\administrator)/Sites and then select Default Web Site. g. In the Action pane, click Advanced Settings…. h. In the Advanced Settings window, confirm that Start Automatically is set to True and then click OK. i. In Server Manager, in the File menu, click Exit to close the Server Manager window. j. A dialog box may occur during this step. If Server Manager Error Dialog pops up click Cancel to close the dialog box. Note: The reason for ensuring that the web services are set to start automatically is that connections to the Gateway server are managed by Internet Information Services.

Page 2 of 15

Windows Server 2008 Centralized Application Access Tasks
2. Create and Map a

Detailed Steps Note: In this task you will use the Terminal Services Gateway management console snap-in to create and map a certificate to the Terminal Services Gateway server. In order to be able to use a server as a Terminal Services Gateway server, you must first install a SSL Compatible X.509 certificate. This ensures that the Terminal Services Gateway will use this certificate when providing connection security. This task uses a self-signed certificate. Self signed certificates are appropriate for use in environments that do not have an established public key infrastructure, or do not wish to create one. Note: The use of a self signed certificate is recommended in environments that do not have an established public key infrastructure. a. On the Start menu, navigate to All Programs/ Administrative Tools/Terminal Services and then click TS Gateway Manager. b. In TS Gateway Manager, in the Explorer pane, select NYC-DC-01 (Local). c. On the Action menu, click Properties. d. In the NYC-DC-01 Properties dialog box, select the SSL Certificate tab, and then select Create a self-signed certificate for SSL encryption, and then click Create Certificate…. e. In the Create Self-Signed Certificate dialog box, in File name, type C:\Public\NYC-DC-01.cer and then and then click OK. f. In the TS Gateway dialog box, click OK. Note: The Issued to, Issued By and Expiration date fields now have values. This indicates that you have successfully installed the certificate. g. Click on OK to close the NYC-DC-01 Properties dialog box. h. On the Start Menu, in Start Search, type MMC and then press ENTER. i. In Console1, on the File menu, select Add/Remove Snap-in…. j. In the Add or Remove Snap-ins dialog box, select Certificates, and then click Add. k. In the Certificates snap-in dialog box, select Computer account, and then click Next. l. In the Select Computer dialog box, ensure Local computer is selected, and then click Finish. m. In the Add or Remove Snap-ins dialog box, click OK. n. In Console1, navigate to Console Root/Certificates (Local Computer)/Trusted Root Certification Authorities and then select Certificates. o. In the Action menu, select All Tasks and then Import…. p. In the Certificate Import Wizard, click Next. q. In the Certificate Import Wizard, on the File to Import Page, in the File name text box, enter C:\Public\NYC-DC-01.cer, and then click Next. r. In the Certificate Import Wizard, on the Certificate Store page, ensure Place all certificates in the following store is selected and then click Next. s. In the Certificate Import Wizard, on the Completing the Certificate Import Wizard, click Finish. t. On the Certificate Import Wizard dialog box, click OK. u. In Console1, on the File menu, click Exit, Do not save changes.

certificate for the Terminal Services Gateway Server

3. Configure Group

Policy to distribute Security Certificate

Note: In this task you will use group policy to ensure that the security certificate for your company is installed automatically on all client computers. This will ensure that use and installation of the security certificates are uniform across the business environment.

Page 3 of 15

Windows Server 2008 Centralized Application Access Tasks Detailed Steps Note: This task uses the following computer: NYC-DC-01 a. On the Start navigate to Start Search, and type GPMC.MSC. b. In Group Policy Management, in the Explorer pane, navigate to Group Policy Management/Forest: Woodgrovebank.com/Domains/Woodgrovebank.com/Group Policy Objects and then select Default Domain Policy. c. In Group Policy Management, on the Action menu, click Edit…. d. In Group Policy Management Editor, navigate to Computer Configuration/Windows Settings/Security Settings/Public Key Policies and then select Trusted Root Certification Authorities. e. In Group Policy Management Editor, on the Action menu, click Import…. f. In the Certificate Import Wizard dialog box, click Next. g. In the Certificate Import Wizard, on the File to Import page, click Browse…. h. In the Open dialog box, in File Name type, \\NYC-DC-01\Public\ and then click Open. i. In the Open dialog box, select NYC-DC-01 and then click Open. j. In the Certificate Import Wizard, on the File to Import page, click Next. k. In the Certificate Import Wizard dialog box, on the Certificate Store page, ensure Place all certificates in the following store is selected and then click Next. l. In the Certificate Import Wizard dialog box, on the Completing the Certificate Import Wizard page, click Finish. m. In the Certification Import Wizard dialog box, click OK. n. In Group Policy Management Editor, on the File menu, click Exit. o. Close Group Policy Management. Complete the following task on: NYC-CLI-02 4. Client Configuration Note: In this task you will configure the computer that will be hosting the remote applications. For this purpose configurations will be made that allow other computers to connect via RDP. Note: This task uses the following computer: NYC-CLI-02 a. Log on to NYC-CLI-02 as Woodgrovebank\Administrator using the password P@ssw0rd. b. On NYC-CLI-02, in the Start menu, right click Computer and select properties c. On the System dialog select Remote Settings (upper left of dialog) d. On the System Properties Dialog select the Remote Tab. e. In the Remote Desktop Region select Allow Connections from computers running any version of Remote Desktop radio button. f. System Properties Dialog, Click OK. g. System Dialog, Click File, Close h. Log Off from NYC-CLI-02 Complete the following task on: NYC-CLI-01 5. Force application of the Group Policy settings to client Note: In this task you will force the application of the newly created group policy settings by using the GPUPDATE command on the client machines. This will ensure that the self-signed certificate is available for the clients to use in the following exercises. Note: This task uses the following computers: NYC-CLI-01 a. The NYC-CLI-01 has been prelogged in as Woodgrovebank\DonHall using the password P@ssw0rd.

Page 4 of 15

Windows Server 2008 Centralized Application Access Tasks machines Detailed Steps b. On NYC-CLI-01, in the Start menu, in Start Search, type CMD and press ENTER. c. In the command prompt window, type the following command, and then press ENTER.
GPUPDATE /FORCE

d. Log off NYC-CLI-01 Complete the following 3 tasks on: NYC-DC-01
6. Create a Connection

Note: In this task you will create a Connection Authorization Policy (CAP) that will allow you to control who can connect to the Terminal Services Gateway server. A CAP allows you to specify detailed connection requirements, including requirements such as group membership, domain membership, and the requirement to use a smart card. Note: This task use the following computer: NYC-DC-01 a. In TS Gateway Manager, in the Explorer pane, navigate to NYC-DC-01 (Local)/Polices and then select Connection Authorization Policies. b. In the Actions pane, click Create New Policy and then click Wizard. c. In the Authorization Policies dialog box, ensure that Create only a TS CAP is selected, and then click Next. d. Complete the Authorization Policies with the following values: Setting Name for the TS CAP: Windows authentication method: User group membership(required): Client computer group membership (optional): Value Remote User Access Password Remote Application Users No group selected

Authorization Policy (CAP)

TS Gateway device redirection Enable device redirection for all client devices e. In the Authorization Policies dialog box, click Finish to complete the policy creation. f. Click Close to close the Authorization Policies dialog box.
7. Create a computer

group to control access to the Terminal Services Gateway

Note: In this task you will create a group containing computers that can connect remotely through the Terminal Services Gateway. If a computer tries to connect to the Terminal Services Gateway that is not part of this group they will be denied access. a. In the TS Gateway Manager, In the Explorer pane, expand NYC-DC-01 (Local), Polices and then select Resource Authorization Policies. b. In the Actions pane, click Manage Local Computer Groups. c. In the Manage locally stored computer groups dialog box, click Create group…. d. In the New TS Gateway-Managed Computer Group dialog box, on the General tab, enter the following values, do not click OK. Setting Name: Value Remote Access Computers

Page 5 of 15

Windows Server 2008 Centralized Application Access Tasks Detailed Steps Description: Computers allowed to connect to TS Gateway

e. In the New TS Gateway-Managed Computer Group dialog box, on the Network resources tab, in the text box, type NYC-CLI-01 and then click Add. f. In the New TS Gateway-Managed Computer Group dialog box, on the Network resources tab, in the text box, enter NYC-CLI-02 and then click Add. g. In the New TS Gateway-Managed Computer Group dialog box, on the Network resources tab, in the text box, enter NYC-DC-01 and then click Add. h. In the New TS Gateway-Managed Computer Group dialog box, click OK. i. In the Manage locally stored computer groups dialog box, click Close. Note: You are only adding the computers that will access the Gateway server remotely. Normally you would not add the Gateway server to the policy. As the gateway server is NYC-DC-01 and in this lab is used to host the terminal services it is required to be added.
8. Create a Resource

Authorization Policy (RAP)

Note: In this task you will create Resource Authorization Policy (RAP). The RAP is used to identify which computers users that connect to a Terminal Services Gateway can connect to. In order to connect to a computer using the Terminal Services Gateway, the client must meet the conditions of one CAP and one RAP. a. In the TS Gateway Manager, in the Explorer pane, navigate to NYC-DC-01 (Local)/Polices and then select Resource Authorization Policies. b. In the Actions pane, click Create New Policy and then click Wizard. c. In the Authorization Policies dialog box, ensure that Create only a TS RAP is selected, and then click Next. d. Complete the Authorization Policies with the following values: Setting Name for the TS RAP: User group membership: Computer Group: Value Remote Resource Access Remote Application Users Select an existing TS Gateway-managed computer group or create a new one

Select an existing TS Remote Access Computers Gateway-managed computer group Allowed Ports Allow connections only through TCP port 3389

e. In the Authorization Policies dialog box, click Finish to complete the policy creation f. Click Close to close the Authorization Policies dialog box. Complete the following task on: NYC-CLI-01 9. Configure Remote Desktop Connection Settings on the Client Computer Note: In this task, you will modify the Remote Desktop Connection settings on NYCCLI-01 to connect through the Terminal Services Gateway that you have configured. You will first attempt to connect directly to NYC-CLI-02 using the default settings of Remote Desktop Connection. NYC-CLI-02 has had the default Windows Firewall settings modified to only accept connections from the IP address of NYC-DC-01. Note: In order to connect to NYC-CLI-02 you will need to modify the settings of the Remote Desktop Connection to use the Terminal Services Gateway to connect through. Note: This task uses the following computers: NYC-CLI-01, NYC-CLI-02 and NYC-

Page 6 of 15

Windows Server 2008 Centralized Application Access Tasks Detailed Steps DC-01 a. Log on to the NYC-CLI-01 as DonHall with a password of P@ssw0rd. b. On the Start menu, navigate to Start/All Programs/ Accessories, and then click Remote Desktop Connection. c. In Remote Desktop Connection, in the Computer text box, type NYC-CLI02.Woodgrovebank.com and then click Connect. d. In the Windows Security box, use the following values and then click OK. Setting User Name: Password: Value Woodgrovebank\DonHall P@ssw0rd

Note: There will be a delay and then the connection will fail. This is because the Windows Firewall on NYC-CLI-02 is configured to only accept Remote Desktop connections from NYC-DC-01. e. In the Remote Desktop Disconnected dialog box, click OK. f. In the Remote Desktop Connection dialog box, click Options, and then click the Advanced tab. g. In the Remote Desktop Connection dialog box, in Connect from anywhere, click Settings…. h. In the Gateway Server Settings dialog box, select Use these TS Gateway server settings:. i. In the Gateway Server Settings dialog box, in the Server name, type NYC-DC01.Woodgrovebank.com and select Logon method: Ask for password (NTLM). j. In the Gateway Server Settings dialog box, uncheck Bypass TS Gateway server for local addresses. k. Click OK to accept the settings. l. In Remote Desktop Connection, click on the General tab. m. In the Computer text box, type NYC-CLI-02.Woodgrovebank.com and then click Connect. n. In the Windows Security box, use the following values: Setting User Name: Password: Value Woodgrovebank\DonHall P@ssw0rd

o. Click OK. Note: There will be a slight delay before the next step appears. When the next box appears, observe that this is for the Gateway Server Credentials. p. In the Windows Security box, use the following values: Setting User Name: Password: Value DonHall P@ssw0rd

q. Click OK. Note: There will be a slight delay before the desktop of NYC-CLI-02 appears. When it

Page 7 of 15

Windows Server 2008 Centralized Application Access Tasks Detailed Steps does appear, you can observe in the connection toolbar, the padlock which symbolizes that the connection is using security. r. If you are prompted that there is a user RDPed into the NYC-CLI-02 machine, log off the other user and log on. s. Log off the NYC-CLI-02 remote session.

Page 8 of 15

Windows Server 2008 Centralized Application Access

Exercise 2 Implementing Terminal Services RemoteApp
Scenario
RemoteApp applications are programs that are accessed remotely through Terminal Services and appear as if they are running on a user's local computer. Users can run RemoteApp applications side-by-side with their local programs. If a user is running more than one Remote Program on the same terminal server, RemoteApp will share the same Terminal Services session. You can use TS Web Access to make RemoteApp applications available through a Web site. In this exercise, you will configure NYC-DC-01 to be able to publish remote applications. In addition you will create packages for deploying remote applications to the client machines and then distribute these packages. You will also test the connection of the remote program application from a client machine. In order to test these RemoteApp, you will also modify the allow list to allow an application to be accessed remotely. Note: This exercise uses the following computers: NYC-DC-01, NYC-CLI-01, NYC-DC-01-2, and NYC-CLI-01-2 Tasks Complete the following 4 tasks on: NYC-DC-01 1. Install Terminal Server Role Service Detailed Steps Note: In this task you will add the Terminal Server role to NYC-DC-01. Note: This task uses the following computer: NYC-DC-01 a. On the Start menu, navigate to All Programs/Administrative Tools/Server Manager. b. In Server Manager, in the Explorer pane, navigate to Roles/Terminal Services. c. In Server Manager, in the Contents pane, under Role Services, click Add Roles Services. d. In the Add Role Services dialog box, in the Select Role Services page, select Terminal Server. e. In the Add Role Services dialog box, click Install Terminal Services anyway (not recommended). f. In the Add Role Services dialog box, click Next. g. In the Add Role Services dialog box, in the Uninstall and Reinstall Applications for Compatibility page, click Next. h. In the Add Role Services dialog box, in the Select RDP Version page, select Require Network Level Authentication then click Next. i. In the Add Role Services dialog box, in the Specify the Terminal Services Licensing Mode page, select Configure later then click Next. j. In the Add Role Services dialog box, in the Select User Groups Allowed Access to This Terminal Server page, click Next. k. In the Add Role Services dialog box, in the Confirm Installation Selections screen, click Install. Note: On the Confirm Installation Selections screen, there is one warning. The warning is advising that you may need to reinstall applications. In the lab it is safe to ignore, however in a production environment it is important to remember that applications may need to be reinstalled. The reason for the need to reinstall the applications is that on a Terminal Server applications are installed into a different section of the registry. This is so that the applications can be safely accessed by multiple users simultaneously. The installation process will take approximately 5 minutes. After this you will need to Page 9 of 15

Windows Server 2008 Centralized Application Access Tasks Detailed Steps restart NYC-DC-01. l. In the Add Role Services dialog box, in the Installation Results screen, click Close. m. In the Add Role Services dialog box, click Yes to begin the restart. n. It takes a couple of minutes to restart the NYC-DC-01. Due to the network limitation of machine reboot in the Virtual environment, please continue the rest of the exercises on the NYC-DC-01-2 machine. Note: The reboot will take several minutes. After completing the log in the PostReboot Configuration Wizard will appear to confirm that the Terminal Services role has been installed successfully. Complete the following 3 tasks on: NYC-DC-01-2
2. Add a program to the

Note: In this task you will add two existing program to the Allow list for Terminal Services RemoteApp. In order for a user to be able to access a program with RemoteApp the application must be on the Allow List. The Allow List settings also includes the ability to change settings for the remote applications, such as additional command line arguments and changes to the default icons. You will use a sample program named OnTheServer.exe and in addition will add WordPad to the Allow List. a. The NYC-DC-01-2 machine has been prelogged in as Administrator with the password of P@ssw0rd. b. In the Post-Reboot Configuration Wizard dialog box, click Close. c. On the Start menu, navigate to All Programs/Administrative Tools/Terminal Services/TS RemoteApp Manager. d. In RemoteApp, in the Action menu, click Add RemoteApps. e. In the RemoteApp Wizard, click Next. f. In the Choose RemoteApp to add to the allow list, click Browse. g. In the Choose a program dialog box, in File name type C:\Public\OnTheServer.exe, and then click Open. h. In the RemoteApp Wizard, in the Choose programs to add to the RemoteApps list page, click Next. i. In the RemoteApp Wizard, in the Review Settings page, click Finish. j. In the RemoteApp console, in the Contents pane, select OnTheServer.exe. k. In the RemoteApp console, in the Actions pane, click Properties. l. In the RemoteApp Demo Properties, in the RemoteApp name text box, change OnTheServer.exe to Demo Application and click OK. m. In RemoteApp, in the Action pane, click Add RemoteApps. n. In the RemoteApp Wizard, click Next. o. In the Choose programs to add to the RemoteApps list, check the box next to WordPad and then click Next. p. In the RemoteApp Wizard, in the Review Settings page, click Finish.

Allow list

3. Create a RDP file

that publishes a connection to an application

Note: In this task you will create a RDP file that can then be distributed to clients either via e-email or USB Flash Disk (UFD). This will then enable users to connect remotely to the remote program that was added to the allow list. Any settings that have been added to the application in the allow list will also be added to the RDP file. a. In TS RemoteApp Manager, select Demo Application in the Contents pane, b. In TS RemoteApp Manager, in the Actions pane, click Create .rdp File. c. In the RemoteApp Wizard, click Next. d. In the RemoteApp Wizard, in the Specify Packages Settings page, modify the location for saving the package to C:\Public\

Page 10 of 15

Windows Server 2008 Centralized Application Access Tasks Detailed Steps e. In the RemoteApp Wizard, in the Specify Packages Settings page, in TS Gateway Settings, click Change…. f. In the Configure TS Gateway Settings dialog box, select Use these TS Gateway Server settings: and enter the following settings and then click OK. Setting Server name: Logon method: Use the same user credentials for TS Gateway and TS Server Bypass TS Gateway Server for local addresses Value NYC-DC-01.Woodgrovebank.com Ask for password (NTLM) Checked

Unchecked

g. In the RemoteApp Wizard, in the Specify Packages Settings page, click Next. h. In the RemoteApp Wizard, in the Review Settings page, click Finish. Note: Windows Explorer will now appear displaying the created RDP file. The created file is named OnTheServer.rdp
4. Create a MSI file that

installs an application

Note: In this task you will create a MSI file that can be distributed as an installation package. This package could be distributed for users to manually install or installed as part of a Group Policy Object. As part of the configuration of an MSI package it is possible to define where the remote program will appear in the User’s environment and also to associate the remote program with client file associations. An example of using this would be to publish Microsoft Word – to be intergrated into the user’s Start Menu and to be opened when they click on a Word Document. This gives a seamless integration for the users to the remote program. Any settings that have been added to the application in the allow list will also be added to the MSI file. a. In TS RemoteApp Manager, in the Contents pane, select WordPad b. In the Actions pane, click Create Windows Installer Package. c. In the RemoteApp Wizard, click Next. d. In the RemoteApp Wizard, in the Specify Packages Settings page, modify the location for saving the package to C:\Public\ e. In the RemoteApp Wizard, in the Specify Packages Settings page, in TS Gateway Settings, click Change…. f. In the Configure TS Gateway Settings dialog box, select Use these TS Gateway Server settings: and enter the following settings and then click OK. Then click Next. Setting Server name: Logon method: Use the same user credentials for TS Gateway and TS Server Value NYC-DC-01.Woodgrovebank.com Ask for password (NTLM) Checked

Page 11 of 15

Windows Server 2008 Centralized Application Access Tasks Detailed Steps Bypass TS Gateway Server for local addresses Unchecked

g. In the RemoteApp Wizard, in the Configure Distribution Package page, accept the default settings by clicking Next. h. In the RemoteApp Wizard, in the Review Settings page, click Finish. Note: Windows Explorer will now appear displaying the created installation file. The created file is named wordpad.rap.msi Complete the following task on: NYC-CLI-01-2 5. Using RemoteApp Access Note: In this task, you will use the RDP file and the MSI file that you created in the previous tasks. This will be achieved by accessing the files on the Public share on NYC-DC-01. Note: This task uses the following computer: NYC-CLI-01-2 Note: Log on to NYC-CLI-01-2 as Woodgrovebank\Administrator with the password of P@ssw0rd a. On the Start menu, in Start Search, type \\NYC-DC-01\Public and then press ENTER. b. In Windows Explorer, double click OnTheServer.RDP. c. In the Windows Security dialog box, enter the following values:
Setting User Name: Password: Value DonHall P@ssw0rd

d. Check Remember my credentials and then click OK. e. In the RemoteApp dialog box, check Don’t prompt me again for connections to this computer, and then click Yes. Note: The application now launches. When the application launches successfully it will display on the screen as On The Server. This is the remote application running on the server. f. Close the On The Server remote program. g. In Windows Explorer, double click WordPad.rap.msi. Note: The remote WordPad application now installs. Observe the name of the application matches the name that was entered during the creation of the MSI file. h. After the application has completed installation, on the Start menu, navigate to All Programs – RemoteApp – WordPad. Note: The application now launches. When the application launches successfully it will display on the screen as WordPad. i. In the remote WordPad application, in the File menu, click Exit to close.

Page 12 of 15

Windows Server 2008 Centralized Application Access

Exercise 3 Implementing Terminal Services Web Access
Scenario
TS Web Access is a feature that makes RemoteApp available to users from a Web browser. With TS Web Access, a user can visit a Web site—either from the Internet or from an intranet—to access a list of available RemoteApp applications. When a user starts a RemoteApp applicaion, a Terminal Services session is started on the terminal server that hosts the Remote Program. TS Web Access includes a default Web page that you can use to deploy RemoteApp applications over the Web. The Web page consists of a frame and a customizable Web Part, where the list of RemoteApp application is displayed. In this exercise, you will configure the terminal server to support Terminal Services Web Access and then configure an application to be made unavailable via the web interface. Note: This exercise uses the following computers: NYC-DC-01-2 and NYC-CLI-02-2 Tasks Complete the following task on: NYC-DC-01-2 1. Install Terminal Server Web Access Role Service Detailed Steps Note: In this task you will modify NYC-DC-01-2 to include the Terminal Server Web Access role. This will then extend our Terminal Server to now be able to provide Remote Applications via a web interface. Note: This task uses the following computer: NYC-DC-01-2 Note: Log on to NYC-DC-01-2 using the username Administrator and the password P@ssw0rd. a. On the Start menu, navigate to All Programs/Administrative Tools/Server Manager. b. In the Explorer pane, navigate to Roles/Terminal Services. c. In the Contents pane, in Role Services, click Add Roles Services. d. In the Select Role Services dialog box, check TS Web Access. e. In the Add Role Services dialog box, select Add Required Role Services. f. In the Add Role Services dialog box, in the Select Role Services page, click Next. g. In the Add Role Services dialog box, in the Web Server (IIS) page, click Next. h. In the Add Role Services dialog box, in the Select Role Services page, click Next. i. In the Add Role Services dialog box, in the Confirm Installation Selections page, click Install. Note: The installation process will take approximately 5 minutes. Wait until the installation has completed before continuing to the next task. Complete the following task on: NYC-CLI-02-2 2. Connect to Terminal Server Web Access and launch application Note: In this task, use the Terminal Server Web Access to access to the applications that you have previously published. Note: This task uses the following computer: NYC-CLI-02-2 a. On the Start menu, click Internet Explorer. b. In the address bar, enter the address http://NYC-DC-01/ts and then press ENTER. (The TS site may not be created . If this fails, continue with next exercise.) c. In the Connect to nyc-dc-01 dialog box, enter the User name Woodgrovebank\Administrator and the password P@ssw0rd. Note: The TS Web Access page is now displayed. There is two programs displayed –

Page 13 of 15

Windows Server 2008 Centralized Application Access Tasks Detailed Steps the Demo Application and the WordPad that you published in an earlier task. d. Click Demo Application in the TS Web Access webpage. e. In the Trust Warning pop-up, click Yes. f. In the RemoteApp dialog box, click Yes g. In the Windows Security dialog box, enter the username Woodgrovebank\donhall and the password P@ssw0rd, and then press ENTER. Note: The application now launches. When the application launches successfully it will display on the screen as On The Server.

Page 14 of 15

Windows Server 2008 Centralized Application Access

Exercise 4 Using Windows System Resource Manager with Terminal Services (Optional)
Scenario
Windows System Resource Manager (WSRM) is a feature of Windows Server 2008. Using WSRM, administrators can control how CPU resources are allocated to applications, services, and processes. Managing these resources improves system performance and reduces the chance that these applications, services, or processes will interfere with the rest of the system. WSRM also creates a more consistent and predictable experience for users. In the terminal services environment it is even more important as it ensures a consistent experience for all users of the server. In this exercise, you will add Windows System Resource Manager to NYC-DC-01-2 and then configure a resource allocation policy. Note: This exercise uses the following computer: NYC-DC-01-2 Tasks Complete the following task on: NYC-DC-01-2 1. Implement a Windows System Resource Manager Policy Detailed Steps Note: In this task, you will implement a Windows System Resource Manager Policy that will ensure that all sessions will share equal processor time. This will ensure that the access to the terminal server by all users is not affected by a single user running an application that may attempt to take more server resources. Note: Log on to NYC-DC-01-2 using the username Administrator and the password P@ssw0rd. a. On the Start menu, navigate to All Programs\Administrative Tools and then click Services. b. In the Contents pane, double click Windows System Resource Manager. c. In the Windows System Resource Manager Properties (Local Computer) dialog box, in Startup type, select Manual, click Apply, and then click Start. d. Click OK to close the Windows System Resource Manager (Local Computer) dialog box. e. In the Start menu, navigate to All Programs\Administrative Tools\Windows System Resource Manager. f. In the Connect to computer dialog box, select Connect. g. In Windows System Resource Manager, expand Resources Allocation Policies. h. In the Contents pane, select Equal_Per_Session {Manage} i. In the Action pane, select Set as Managing Policy. j. In the Warning dialog box, click OK. k. In Windows System Resource Manager, in the Explorer pane, select Resource Monitor. Note: In the Resource Monitor, there is a counter that has been added, System Managed CPU% with an instance of Equal_Per_Session. This is the display of WSRM monitoring that all sessions are obtaining equal access to the CPU.

Page 15 of 15