
Configuring Microsoft Windows Terminal Services for Use With SGD

To use Microsoft Windows Terminal Services with SGD, you might have to configure the settings described in the following sections.

Note: For detailed information on configuring Terminal Services, see the Microsoft sites for Windows 2000 Server and Windows Server 2003.

Authentication Settings

By default, Windows 2000 Server always prompts for a password when users log in, whether or not SGD supplies the password for the application server from its password cache. By default, Windows Server 2003 does not prompt for passwords.

To configure a Windows Server to stop prompting for passwords for SGD users:

  1. In Terminal Services Configuration, click Connections.
  2. Double-click RDP-Tcp.
  3. Click the Logon Settings tab.
  4. Deselect the Always Prompt for Password box.

Changes to this setting only apply to new Windows Terminal Server sessions.

Session Resumability

Windows Terminal Services allows users' sessions to continue running following a connection loss. It is best to disable this feature on the Windows Server, and let SGD handle session resumability. This prevents unnecessary use of resources on the application server, and ensures that if users share accounts on the application server, they do not resume each other's Windows sessions.

For example, with session resumability enabled on Windows, an application configured in SGD to be user session resumable does not end when the user logs out of SGD. Windows preserves the session so that it can be resumed later.

Resources might be consumed unnecessarily on more than one application server if the application is configured to run on multiple application servers.

To illustrate how shared accounts can lead to "stolen" sessions, consider this example. The Windows resume mechanism is enabled on the application server rome. SGD user Bill Orange starts the Write-o-Win application on rome with the Windows user name "guest". Bill then logs out of SGD without closing Write-o-Win. SGD user Rusty Spanner then starts Write-o-Win as "guest" on the same application server. Rusty resumes the copy of Write-o-Win running in Bill's Windows session because of the Windows resume mechanism.

To configure a Windows Server to allow SGD to handle session resumability:

  1. In Terminal Services Configuration, click Connections.
  2. Double-click RDP-Tcp.
  3. Click the Sessions tab.
  4. For the When Session Limit Is Reached Or Connection Is Broken option, choose End Session. (If necessary, deselect the Override User Settings check box to do this.)

Changes to these settings only apply to new Windows Terminal Server sessions.

Windows Printer Mapping

To support printing to client printers from a Windows Terminal Server session, Windows printer mapping must be enabled (it is by default). Follow these steps if it has been disabled:

  1. In Terminal Services Configuration, click Connections.
  2. Double-click RDP-Tcp.
  3. Click the Client Settings tab.
  4. Deselect the Windows printer mapping check box.

Changes to these settings only apply to new Windows Terminal Server sessions.

Windows Server 2003 FIPS Encryption Level

SGD does not support the Federal Information Processing Standards (FIPS) encryption level, available on Windows Server 2003.

If you have enabled FIPS encryption, you must change it as follows:

  1. In Terminal Services Configuration, click Connections.
  2. Double-click RDP-Tcp.
  3. Click the General tab.
  4. In the Encryption Level list, choose an encryption level.

Changes to these settings only apply to new Windows Terminal Server sessions.
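
The following added example is not part of the SGD guide. It parses captured "reg query" output for the RDP-Tcp connection key and flags values that differ from the Authentication Settings, Session Resumability, Windows Printer Mapping and FIPS sections above. The registry value names are this example's assumed mapping of the Terminal Services Configuration options, and the sample output is constructed; confirm the names on your own server.

```python
import re

# (registry value, predicate for an acceptable DWORD, finding text).
# Value names are an assumed mapping of the GUI options onto the registry.
CHECKS = [
    ("fPromptForPassword", lambda v: v == 0,
     "Always Prompt for Password is set; users are prompted even when SGD supplies the password"),
    ("fResetBroken", lambda v: v == 1,
     "broken connections are disconnected, not ended; Windows keeps the session resumable"),
    ("fDisableCpm", lambda v: v == 0,
     "Windows printer mapping is disabled; client printing will not work"),
    ("MinEncryptionLevel", lambda v: v != 4,
     "FIPS encryption level (4) is selected; SGD does not support it"),
]

DWORD_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Return {value name: int} for every REG_DWORD line in reg query output."""
    values = {}
    for line in text.splitlines():
        m = DWORD_LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def audit(values):
    """Return [(name, problem)] for each setting that deviates from the guide."""
    findings = []
    for name, acceptable, problem in CHECKS:
        if name not in values:
            findings.append((name, "value not present in the captured output"))
        elif not acceptable(values[name]):
            findings.append((name, problem))
    return findings

# Constructed sample output, not captured from a real server.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    fPromptForPassword    REG_DWORD    0x1
    fResetBroken    REG_DWORD    0x0
    fDisableCpm    REG_DWORD    0x0
    MinEncryptionLevel    REG_DWORD    0x4
    PortNumber    REG_DWORD    0xd3d
"""

if __name__ == "__main__":
    for name, problem in audit(parse_reg_query(SAMPLE)):
        print(f"{name}: {problem}")
```

Because changes only apply to new Terminal Server sessions, a clean result does not cover sessions that were already running when the settings were changed.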

Windows Server 2003 Session Restrictions

By default, Windows Server 2003 only allows users one Terminal Services session each. If a user starts another desktop session or another instance of an application (with the same arguments), the second Terminal Services session "grabs" the first session and disconnects it. This means that it is not possible to launch two desktops or two instances of the same application on the same Windows Server 2003 from the webtop.

To change this behavior:

  1. In Terminal Services Configuration, click Server Settings.
  2. Double-click Restrict each user to one session.
  3. Deselect the Restrict each user to one session check box.

Changes to this setting only apply to new Windows Terminal Server sessions.

Windows Server 2003 Remote Desktop Users

For Windows Server 2003, users can only use Terminal Services if they are members of the Remote Desktop Users group.

Windows Server 2003 Time Zone Redirection

Windows Server 2003 allows client computers to redirect their time zone settings to the Terminal Server so that users see the correct time for their time zone in their desktop/application sessions. Terminal Services uses the server base time on the Terminal Server and the client time zone information to calculate the time in the session. This feature might be useful if you have clients in different time zones.

By default, this feature is disabled. To enable the feature on Windows Server 2003:

  1. Do one of the following:
  2. Select the group policy object you want to edit.
  3. Click Computer configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server Data Redirection.
  4. Open Allow Time Zone Redirection.
  5. Click Enabled.
  6. Click OK.

Changes to this setting only apply to new Windows Terminal Server sessions.

Windows Server 2003 Audio Redirection

Windows Server 2003 can redirect sound to a Windows Terminal Server session. By default, this feature is disabled. To enable the feature:

  1. In Terminal Services Configuration, click Connections.
  2. Double-click RDP-Tcp.
  3. Click the Client Settings tab.
  4. Deselect the Audio mapping check box.

Changes to this setting only apply to new Windows Terminal Server sessions.

Windows Server 2003 Smart Card Device Redirection

Windows Server 2003 can redirect smart card devices to a Windows Terminal Server session. This is enabled by default. Follow these steps if it has been disabled:

  1. Do one of the following:
  2. Select the group policy object you want to edit.
  3. Click Computer configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server Data Redirection.
  4. Double-click the Do not allow smart card device redirection setting.
  5. Click Enabled.

Changes to this setting only apply to new Windows Terminal Server sessions.

Windows Server 2003 COM Port Mapping

Windows Server 2003 allows users to access the serial ports on the client device from a Windows Terminal Server session. By default, this feature is disabled. To enable the feature:

  1. In Terminal Services Configuration, click Connections.
  2. Double-click RDP-Tcp.
  3. Click the Client Settings tab.
  4. Deselect the COM port mapping check box.

Changes to this setting only apply to new Windows Terminal Server sessions.
