
Configuring Microsoft Windows Terminal Services for use with Secure Global Desktop

To use Microsoft Windows Terminal Services with Secure Global Desktop, you may have to configure the settings described in the sections that follow.

Note: For detailed information on configuring Terminal Services, see the Microsoft sites for Windows 2000 Server and Windows Server 2003.

Authentication settings

By default, Windows 2000 Server always prompts for a password when users log in, whether or not Secure Global Desktop supplies the password for the application server from its password cache. By default, Windows Server 2003 does not prompt for passwords.

To configure a Windows Server to stop prompting for passwords for Secure Global Desktop users:

  1. In Terminal Services Configuration, click Connections.
  2. Double-click RDP-Tcp.
  3. Click the Logon Settings tab.
  4. Clear the Always Prompt for Password box.

Changes to this setting only apply to new Windows Terminal Server sessions.

Session resumability

Windows Terminal Services allow users' sessions to continue running following a connection loss. We recommend that you disable this feature on the Windows Server, and let Secure Global Desktop handle session resumability. This prevents unnecessary use of resources on the application server, and ensures that if users share accounts on the application server, they do not resume each other's Windows sessions.

For example, with session resumability enabled on Windows, an application configured in Secure Global Desktop to be Webtop session resumable does not end when the user logs out of Secure Global Desktop. Windows preserves the session so that it may be resumed later.

Resources may be consumed unnecessarily on more than one application server if the application is configured to run on multiple application servers.

To illustrate how shared accounts may lead to "stolen" sessions, consider this example. The Windows resume mechanism is enabled on the application server rome. Secure Global Desktop user Bill Orange starts the Write-o-Win application on rome with the Windows username "guest". Bill then logs out of Secure Global Desktop without closing Write-o-Win. Secure Global Desktop user Rusty Spanner then starts Write-o-Win as "guest" on the same application server. Rusty resumes the copy of Write-o-Win running in Bill's Windows session because of the Windows resume mechanism.

To configure a Windows Server to allow Secure Global Desktop to handle session resumability:

  1. In Terminal Services Configuration, click Connections.
  2. Double-click RDP-Tcp.
  3. Click the Sessions tab.
  4. For the When Session Limit Is Reached Or Connection Is Broken option, choose End Session. (If necessary, clear the Override User Settings box to do this.)

Changes to these settings only apply to new Windows Terminal Server sessions.

Encryption levels

Because of the performance penalties associated with the higher encryption levels, we recommend the Low encryption level for use with Windows Terminal Services applications.

Note: Windows Server 2003 has a FIPS (Federal Information Processing Standards) encryption level. Secure Global Desktop does not support this encryption level.

This encryption only occurs between the Secure Global Desktop server and the application server. For secure connections from client devices to Secure Global Desktop servers, you need to use the Sun Secure Global Desktop Security Pack.

To change the encryption level on a Windows Server:

  1. In Terminal Services Configuration, click Connections.
  2. Double-click RDP-Tcp.
  3. Click the General tab.
  4. In the Encryption Level list, choose Low.

Changes to these settings only apply to new Windows Terminal Server sessions.
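
The three RDP-Tcp settings covered so far (Authentication settings, Session resumability, Encryption levels) can be checked on many application servers without opening Terminal Services Configuration. The following is an added example, not part of the original guide: it parses `reg query` output for the RDP-Tcp connection key and reports deviations from the settings above. The sample output is constructed, and the mapping of the registry values fPromptForPassword, fInheritResetBroken, fResetBroken and MinEncryptionLevel to the dialog options is an assumption based on the standard Terminal Services registry layout.

```python
import re

# Constructed sample: `reg query` output for the RDP-Tcp connection key on a
# hypothetical application server (not taken from the guide).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    fPromptForPassword    REG_DWORD    0x1
    fInheritResetBroken    REG_DWORD    0x0
    fResetBroken    REG_DWORD    0x0
    MinEncryptionLevel    REG_DWORD    0x4
"""

DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_dwords(reg_output):
    """Return {value_name: int} for every REG_DWORD line in `reg query` output."""
    values = {}
    for line in reg_output.splitlines():
        m = DWORD_LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_rdp_tcp(values):
    """Compare RDP-Tcp values with the settings this guide asks for."""
    # Assumed mapping; a value that is absent from the output counts as 0.
    findings = []
    if values.get("fPromptForPassword", 0) == 1:
        findings.append("Always Prompt for Password is set; the SGD password cache is bypassed")
    if values.get("fInheritResetBroken", 0) == 1:
        findings.append("broken-connection action is inherited from each user account; check it there")
    elif values.get("fResetBroken", 0) != 1:
        findings.append("broken-connection action is not End Session; sessions stay resumable on Windows")
    if values.get("MinEncryptionLevel") == 4:  # 1 = Low ... 4 = FIPS
        findings.append("encryption level is FIPS, which Secure Global Desktop does not support")
    return findings


if __name__ == "__main__":
    for finding in audit_rdp_tcp(parse_dwords(SAMPLE)):
        print("FINDING:", finding)
```

The shared-account case described under Session resumability is the second check: a server where the broken-connection action is not End Session keeps sessions that a later user of the same Windows account can resume.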

Windows Server 2003 session restrictions

By default, Windows Server 2003 only allows users one Terminal Services session each. If a user starts another desktop session or another instance of an application (with the same arguments), the second Terminal Services session "grabs" the first session and disconnects it. This means from the webtop it is not possible to launch two desktops or two instances of the same application on the same Windows Server 2003.

To change this behavior:

  1. In Terminal Services Configuration, click Server Settings.
  2. Double-click Restrict each user to one session.
  3. Clear the Restrict each user to one session box.

Changes to this setting only apply to new Windows Terminal Server sessions.

Windows Server 2003 remote desktop users

For Windows Server 2003, users can only use Terminal Services if they are members of the Remote Desktop Users group.

Windows 2003 time zone redirection

Windows Server 2003 allows client computers to redirect their time zone settings to the Terminal Server so that users see the correct time for their time zone in their desktop/application sessions. Terminal Services uses the server base time on the Terminal Server and the client time zone information to calculate the time in the session. This feature may be useful if you have clients in different time zones.

By default, this feature is disabled. To enable the feature on a Windows 2003 Server:

  1. Either:
  2. Select the group policy object you want to edit.
  3. Click Computer configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server Data Redirection.
  4. Open Allow Time Zone Redirection.
  5. Click Enabled.
  6. Click OK.

Changes to this setting only apply to new Windows Terminal Server sessions.

Windows Server 2003 audio redirection

Windows Server 2003 can redirect sound to a Windows Terminal Server session. By default, this feature is disabled. To enable the feature:

  1. In Terminal Services Configuration, click Connections.
  2. Double-click RDP-Tcp.
  3. Click the Client Settings tab.
  4. Clear the Audio mapping box.

Changes to this setting only apply to new Windows Terminal Server sessions.

Windows Server 2003 smart card device redirection

Windows Server 2003 can redirect smart card devices to a Windows Terminal Server session. This is enabled by default. Follow these steps if it has been disabled:

  1. Either:
  2. Select the group policy object you want to edit.
  3. Click Computer configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server Data Redirection.
  4. Double-click the Do not allow smart card device redirection setting.
  5. Click Enabled.

Changes to this setting only apply to new Windows Terminal Server sessions.
