Microsoft Corporation Published: January 2008 Writer: Tessa Wooley Editor: Linda Caputo
Abstract
Terminal Services RemoteApp (TS RemoteApp) is a feature that enables users to access programs remotely through Terminal Services. The remote programs appear as if they are running on the user's local computer. Users can run RemoteApp programs side-by-side with their local programs. If a user is running more than one RemoteApp program on the same terminal server, the RemoteApp programs will share the same Terminal Services session. You can use Terminal Services Web Access (TS Web Access) to make RemoteApp programs available through a Web site.
Copyright Information
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2007 Microsoft Corporation. All rights reserved. Active Directory, Microsoft, MS-DOS, RemoteApp, Visual Basic, Visual Studio, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Contents
Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide
Abstract
Copyright Information
Contents
Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide
What are RemoteApp programs?
Client requirements
Who should use TS RemoteApp?
Key scenarios for TS RemoteApp
How should I deploy RemoteApp programs?
About deploying RemoteApp programs through TS Web Access
About deploying RemoteApp programs through a file share or other distribution mechanism
Configure the server that will host RemoteApp programs
Install the Terminal Server role service
Install programs on the terminal server
Verify remote connection settings
Add RemoteApp programs and configure global deployment settings
Add programs to the RemoteApp Programs list
Configure global deployment settings
Configure terminal server settings
Configure TS Gateway settings
Configure common RDP settings (optional)
Configure custom RDP settings (optional)
Configure digital signature settings (optional)
Manage RemoteApp programs and settings
Change or delete a RemoteApp program
Export or import RemoteApp programs and settings
Deploy RemoteApp programs to users
Deploy RemoteApp programs through TS Web Access
Install the TS Web Access role service
Populate the TS Web Access Computers security group
Configure the data source for TS Web Access
Connect to TS Web Access
Deploy RemoteApp programs through file sharing or other distribution methods
Create an .rdp file from a RemoteApp program
Create a Windows Installer package from a RemoteApp program
Make RemoteApp programs available from the Internet
Configure the TS Web Access server to allow access from the Internet
Additional information
Configure Server Manager and Initial Tasks not to run in administrator's RemoteApp session
Configure Remote Desktop Web Connection behavior
Change the install location of the default TS Web Access Web site
Client requirements
To access RemoteApp programs that are deployed as .rdp files or as Windows Installer packages, the client computer must be running Remote Desktop Connection (RDC) 6.0 or RDC 6.1. A supported version of the RDC client is included with Windows Server 2008 and Windows Vista®. To download RDC 6.0 for Windows Server 2003 with Service Pack 1 (SP1) or Windows XP with Service Pack 2 (SP2), see article 925876 in the Microsoft® Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=79373).
Note: RDC 6.1 (6.0.6001) supports Remote Desktop Protocol 6.1.
To access RemoteApp programs through TS Web Access, the client computer must be running RDC 6.1. RDC 6.1 is included with the following operating systems:
- Windows Server 2008
- Windows Vista with Service Pack 1 (SP1) Beta and Windows Vista with SP1 Release Candidate (RC)
- Windows XP with Service Pack 3 (SP3) Beta and Windows XP with SP3 RC
IT professionals who deploy or administer terminal servers, line-of-business (LOB) applications, or applications that can be more efficiently deployed with TS RemoteApp
necessary programs installed locally. By using TS RemoteApp, you can install the programs on a terminal server and make them available to users as if those programs were installed locally.
or client computer where they have Remote Desktop access. You can determine whether you want this feature to be available to users. For more information, see Configure Remote Desktop Web Connection Behavior. To deploy RemoteApp programs by using TS Web Access, you must complete the following tasks.
Task
1. Configure the server that will host RemoteApp programs. This includes installing Terminal Server, installing programs, and verifying remote connection settings.
2. Use TS RemoteApp Manager to add RemoteApp programs that are enabled for TS Web Access, and to configure global deployment settings.
3. Install TS Web Access on the server that you want users to connect to over the Web to access RemoteApp programs.
4. Add the computer account of the TS Web Access server to the TS Web Access Computers group on the terminal server.
5. Configure the TS Web Access server to populate its list of RemoteApp programs from a single terminal server or single farm.
Reference
Populate the TS Web Access Computers security group
Configure the data source for TS Web Access
About deploying RemoteApp programs through a file share or other distribution mechanism
You can also deploy RemoteApp programs through .rdp files or Windows Installer packages that are made available through file sharing, or through other distribution mechanisms such as Microsoft Systems Management Server or Active Directory software distribution. These methods enable you to distribute RemoteApp programs to users without using TS Web Access.
Note: If you distribute RemoteApp programs through Windows Installer packages, you can also configure whether the terminal server will take over client file name extensions for the RemoteApp programs. If this is the case, a user can double-click a file where the file name extension is associated with a RemoteApp program.
You must complete the following tasks to prepare RemoteApp programs for distribution through a file share or some other distribution mechanism.
Task
1. Configure the server that will host RemoteApp programs. This includes installing Terminal Server, installing programs, and verifying remote connection settings.
2. Use TS RemoteApp Manager to add RemoteApp programs and to configure global deployment settings.
3. Use TS RemoteApp Manager to create .rdp files or Windows Installer packages from RemoteApp programs.
Reference
Add RemoteApp programs and configure global deployment settings
Create an .rdp file from a RemoteApp program
Create a Windows Installer package from a RemoteApp program
After you create .rdp files or Windows Installer packages, you can distribute them to users.
Note: These procedures apply to an environment where you are using a single terminal server to host RemoteApp programs. To perform these procedures, you must be a member of the Administrators group on the terminal server.
5. On the Terminal Services page, click Next.
6. On the Select Role Services page, select the Terminal Server check box, and then click Next.
7. On the Uninstall and Reinstall Applications for Compatibility page, review the information, and then click Next.
8. On the Specify Authentication Method for Terminal Server page, select the desired authentication method, and then click Next.
9. On the Specify Licensing Mode page, select the licensing mode that applies to your Terminal Services environment, and then click Next.
10. On the Select User Groups Allowed Access To This Terminal Server page, add any users or groups that you want to add to the Remote Desktop Users group, and then click Next.
11. On the Confirm Installation Selections page, verify that the Terminal Server role service will be installed, and then click Install.
12. On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close, and then click Yes to restart the server.
13. After the server restarts, the Resume Configuration Wizard completes the installation. When you see an Installation succeeded status message on the Installation Results page, click Close.
In TS RemoteApp Manager, you can also delete, modify, import RemoteApp programs and settings from another terminal server, or export RemoteApp programs and settings to another terminal server. For more information, see Manage RemoteApp programs and settings.
7. On the Review Settings page, review the settings, and then click Finish. The programs that you selected should appear in the RemoteApp Programs list.
3. To provide a link to the full terminal server desktop through TS Web Access, under Remote desktop access, select the Show a remote desktop connection to this terminal server in TS Web Access check box.
4. Under Access to unlisted programs, choose either of the following:
   - Do not allow users to start unlisted program on initial connection (Recommended)
     To help protect against malicious users, or a user unintentionally starting a program from an .rdp file on initial connection, we recommend that you select this setting.
     Important: This setting does not prevent users from starting unlisted programs remotely after they connect to the terminal server by using the RemoteApp program. For example, if Microsoft Word is in the RemoteApp Programs list and Microsoft Internet Explorer is not, if a user starts a remote Word session, and then clicks a hyperlink in a Word document, they can start Internet Explorer.
   - Allow users to start both listed and unlisted programs on initial connection
     Caution: If you choose this option, users can start any program remotely from an .rdp file on initial connection, not just those programs in the RemoteApp Programs list. To help protect against malicious users, or a user unintentionally starting a program from an .rdp file, we recommend that you do not select this setting.
5. When you are finished, click OK.
open TS Gateway Help on a Windows Server 2008-based server, click Start, click Run, type ts_gateway.chm, and then click OK.)
If you select Use these TS Gateway server settings, do the following:
   a. Configure the TS Gateway server name and the logon method.
      Important: The server name must match what is specified in the SSL certificate for the TS Gateway server.
   b. If you want the connection to try to use the same user credentials to access both the TS Gateway server and the terminal server, select the Use the same user credentials for TS Gateway and terminal server check box. However, users may still receive two prompts for credentials if conflicting credentials exist from any source such as Group Policy settings, and those credentials do not work. They may also receive two prompts for credentials if default credentials are used for the connection and those credentials do not work.
   c. If you want the client computer to automatically detect when TS Gateway is required, select the Bypass TS Gateway server for local addresses check box. (Selecting this option optimizes client performance.) To always use a TS Gateway server for client connections, clear the Bypass TS Gateway server for local addresses check box.
3. When you are finished, click OK.
Note: If you do not sign .rdp files with a digital signature, or if you sign .rdp files with a digital signature that clients do not recognize (such as a certificate from a private certification authority), some redirection settings that you specify in TS RemoteApp Manager may be overridden by the client. For example, if you enable all redirection settings on the Common RDP Settings tab, and a user connects to an .rdp file that is not signed, disk drives, and supported Plug and Play devices will not be redirected automatically. These devices and resources will only be redirected if the user enables these redirection settings in the RemoteApp warning dialog box that appears when they try to connect. This default behavior helps to reduce potential security vulnerabilities. (Note that the same behavior occurs if you enable serial port redirection on the Custom RDP Settings tab.)
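The signing behavior described in the note above can be checked on an .rdp file before it is distributed. The following Python code is an added example, not part of the original guide: it parses an .rdp file, reports whether a signature block is present, and separates the requested redirections that the note says are withheld when the file is unsigned or the signature is not recognized. The setting names are the standard .rdp keys (they are not listed in the guide), the sample files are constructed, and only the presence of a signature is checked, not its validity.

```python
"""Audit a RemoteApp .rdp file: signature block present? which redirections?"""

# Redirections the guide says are not applied automatically when the file is
# unsigned or signed by a publisher the client does not recognize.
# Assumption: keys are the standard .rdp setting names, not taken from the guide.
CONSENT_GATED = {
    "drivestoredirect": "disk drives",
    "devicestoredirect": "Plug and Play devices",
    "redirectcomports": "serial ports",
}
OTHER_REDIRECTION = {
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
}

# Constructed samples; host, program and signature text are placeholders.
UNSIGNED_RDP = """\
full address:s:ts01.contoso.example:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||WINWORD
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:0
redirectcomports:i:1
drivestoredirect:s:*
devicestoredirect:s:*
"""
SIGNED_RDP = UNSIGNED_RDP + """\
signscope:s:Full Address,RemoteApplicationMode,RemoteApplicationProgram
signature:s:PLACEHOLDER-NOT-A-REAL-SIGNATURE
"""


def parse_rdp(text):
    """Return {name: value} from 'name:type:value' lines; type 'i' becomes int."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, kind, value = parts[0].strip().lower(), parts[1].strip().lower(), parts[2]
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue
        settings[name] = value
    return settings


def _enabled(value):
    # Integer toggles are on when non-zero; string lists are on when non-empty.
    if isinstance(value, int):
        return value != 0
    return bool(value.strip())


def audit_rdp(text):
    """Summarize what the file asks the client to do and how it is protected."""
    s = parse_rdp(text)
    signed = bool(s.get("signature")) and bool(s.get("signscope"))
    labels = {**CONSENT_GATED, **OTHER_REDIRECTION}
    requested = [k for k in labels if k in s and _enabled(s[k])]
    gated = sorted(CONSENT_GATED[k] for k in requested if k in CONSENT_GATED)
    findings = []
    if not signed:
        findings.append("unsigned: subject to the 'Allow .rdp files from "
                        "unknown publishers' policy")
        if gated:
            findings.append("unsigned: user must enable redirection of "
                            + ", ".join(gated) + " in the warning dialog")
    elif gated:
        findings.append("signed: " + ", ".join(gated) + " redirect automatically "
                        "only if clients recognize the signing certificate")
    return {
        "target": s.get("full address"),
        "program": s.get("remoteapplicationprogram"),
        "signed": signed,
        "redirections": sorted(labels[k] for k in requested),
        "needs_trusted_signature": gated,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, sample in (("unsigned", UNSIGNED_RDP), ("signed", SIGNED_RDP)):
        print(name, audit_rdp(sample))
```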
   a. Open the RDC client, and then click Options.
   b. Configure the settings that you want, such as audio redirection.
   c. When you are finished, on the General tab, click Save As, and then save the .rdp file.
   d. Open the .rdp file in Notepad, and then copy the desired settings into the Custom RDP settings box on the Custom RDP Settings tab.
3. When you have finished adding the settings that you want, click Apply.
4. If the Error with Custom RDP Settings dialog box appears, do the following:
   a. Click Remove to automatically remove the settings that are either not valid or cannot be overridden, or click OK to remove the settings manually.
   b. After the settings are removed, click Apply again.
5. To close the RemoteApp Deployment Settings dialog box, click OK.
To configure the digital certificate to use
1. In the Actions pane of TS RemoteApp Manager, click Digital Signature Settings. (Or, in the Overview pane, next to Digital Signature Settings, click Change.)
2. Select the Sign with a digital certificate check box.
3. In the Digital certificate details box, click Change.
4. In the Select Certificate dialog box, select the certificate that you want to use, and then click OK.
Note: The Select Certificate dialog box is populated by certificates that are located in the local computer's certificates store or in your personal certificate store. The certificate that you want to use must be located in one of these stores.
Group Policy settings to control client behavior when opening a digitally signed .rdp file
You can use Group Policy to configure clients to always recognize RemoteApp programs from a particular publisher as trusted. You can also configure whether clients will block RemoteApp programs and remote desktop connections from external or unknown sources. By using these policy settings, you can reduce the number and complexity of security decisions that users face. This reduces the chances of inadvertent user actions that may lead to security vulnerabilities.
The relevant Group Policy settings are located in the Local Group Policy Editor at the following location, in both the Computer Configuration and in the User Configuration node:
Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client
The available policy settings are:
- Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
  This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted .rdp file publishers. If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list will be considered trusted.
- Allow .rdp files from valid publishers and user's default .rdp settings
  This policy setting allows you to specify whether users can run .rdp files from a publisher that signed the file with a valid certificate. This policy setting also controls whether the user can start an RDP session by using default .rdp settings, such as when a user directly opens the RDC client without specifying an .rdp file.
- Allow .rdp files from unknown publishers
  This policy setting allows you to specify whether users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer.
Important: To use these Group Policy settings, the client computer must be running RDC 6.1.
For more information about these policy settings, view the Group Policy Explain text in the Local Group Policy Editor.
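To confirm how a client is actually configured for the three policy settings described above, the exported policy key can be reviewed offline. The following Python code is an added example, not part of the original guide: it reads a registry export, reports whether signed and unsigned .rdp files are allowed, and sorts the trusted-publisher list into well-formed SHA1 thumbprints, entries that become well-formed once spaces or a hidden left-to-right mark are removed, and malformed entries. The registry key and value names are assumptions taken from the Terminal Services administrative template (the guide names only the policies), and the export and thumbprints are constructed.

```python
"""Review the three .rdp publisher policies from a registry export."""
import re

# Assumption: key and value names as defined by the Terminal Services
# administrative template; the guide names the policies but not the values.
POLICY_KEY_SUFFIX = r"\software\policies\microsoft\windows nt\terminal services"
LRM = "\u200e"  # invisible mark often copied along with a thumbprint

# Constructed export. The thumbprints are made-up values, not real certificates.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services]\n"
    '"AllowSignedFiles"=dword:00000001\n'
    '"AllowUnsignedFiles"=dword:00000001\n'
    '"TrustedCertThumbprints"="0123456789ABCDEF0123456789ABCDEF01234567,'
    + LRM + 'aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd,DEADBEEF"\n'
)

VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')
SHA1_HEX = re.compile(r"[0-9A-Fa-f]{40}")  # a SHA1 thumbprint is 40 hex digits


def read_policy_values(reg_text):
    """Return {value_name: int or str} found under the Terminal Services policy key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Accept the key under either hive (computer or user policy).
            in_key = line[1:-1].lower().endswith(POLICY_KEY_SUFFIX)
            continue
        match = VALUE_LINE.match(line)
        if not (in_key and match):
            continue
        name, data = match.group(1), match.group(2)
        if data.lower().startswith("dword:"):
            values[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            values[name] = data[1:-1]
    return values


def sort_thumbprints(raw):
    """Split the comma-separated list into valid, fixable and malformed entries."""
    valid, fixable, malformed = [], [], []
    for entry in raw.split(","):
        if not entry.strip():
            continue
        if SHA1_HEX.fullmatch(entry):
            valid.append(entry.upper())
            continue
        cleaned = re.sub(r"[\s\u200e]", "", entry)  # drop spaces and the hidden mark
        if SHA1_HEX.fullmatch(cleaned):
            fixable.append(cleaned.upper())
        else:
            malformed.append(entry)
    return valid, fixable, malformed


def review(reg_text):
    """Summarize the publisher policies; None means 'not configured in this export'."""
    values = read_policy_values(reg_text)

    def flag(name):
        return None if name not in values else values[name] == 1

    valid, fixable, malformed = sort_thumbprints(
        str(values.get("TrustedCertThumbprints", "")))
    return {
        "signed_allowed": flag("AllowSignedFiles"),
        "unsigned_allowed": flag("AllowUnsignedFiles"),
        "valid": valid,
        "fixable": fixable,
        "malformed": malformed,
    }


if __name__ == "__main__":
    print(review(SAMPLE_EXPORT))
```

An `unsigned_allowed` result of `True` corresponds to the "Allow .rdp files from unknown publishers" setting being enabled, which is the state to look for when the goal is to block unsigned files.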
will appear in the RemoteApp Programs list. However, the name will be displayed with strikethrough text.
Note: Only the RemoteApp Programs list and deployment settings are exported or imported. Any .rdp files or Windows Installer packages that were created from the programs will not be exported or imported. You must create new .rdp files or Windows Installer packages on each terminal server unless the server is a member of a terminal server farm. If you specified a farm name when you created the .rdp files or Windows Installer packages, and the server where you want to copy the files to is a member of the same terminal server farm, you can manually copy the files.
TS Web Access role service. For more information, see the Change the install location of the default TS Web Access Web site section later in this guide.
Membership in the local Administrators group is the minimum required to complete this procedure.
To install TS Web Access
1. Open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
2. If the Terminal Services role is already installed:
   a. Under Roles Summary, click Terminal Services.
   b. Under Role Services, click Add Role Services.
   c. On the Select Role Services page, select the TS Web Access check box.
   If the Terminal Services role is not already installed:
   a. Under Roles Summary, click Add Roles.
   b. On the Before You Begin page, click Next.
   c. On the Select Server Roles page, select the Terminal Services check box, and then click Next.
   d. Review the Terminal Services page, and then click Next.
   e. On the Select Role Services page, select the TS Web Access check box.
3. Review the information about the required role services, and then click Add Required Role Services.
4. Click Next.
5. Review the Web Server (IIS) page, and then click Next.
6. On the Select Role Services page, where you are prompted to select the role services that you want to install for IIS, click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Installation Results page, confirm that the installation succeeded, and then click Close.
4. In the TS Web Access Computers Properties dialog box, click Add.
5. In the Select Users, Computers, or Groups dialog box, click Object Types.
6. In the Object Types dialog box, select the Computers check box, and then click OK.
7. In the Enter the object names to select box, specify the computer account of the TS Web Access server, and then click OK.
8. Click OK to close the TS Web Access Computers Properties dialog box.
Additionally, the Terminal Services ActiveX Client control must be enabled. The ActiveX control is included with RDC 6.1.
If you are running Windows Server 2008, Windows Vista with SP1 Beta, or Windows Vista with SP1 RC, and you receive a warning message on the Internet Explorer Information bar about the site being restricted from showing certain content, click the message line, point to Add-on Disabled, and then click Run ActiveX Control. When you do this, you may see a security warning. Make sure that the publisher for the ActiveX control is "Microsoft Corporation" before you click Run.
Note: If the Internet Explorer Information bar does not appear, and you cannot connect to TS Web Access, you can enable the Terminal Services ActiveX control by using the Manage Add-ons tool on the Tools menu of Internet Explorer. The add-on appears as Microsoft Terminal Services Client Control.
If you are running Windows XP with SP3 RC, you must modify the registry to enable the ActiveX control. To do this, follow these steps:
Caution: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To enable the ActiveX control in Windows XP with SP3 RC by modifying the registry
1. Start Registry Editor. To do this, click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate the following registry subkey:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings
3. In case you need to restore, we recommend that you back up the Settings subkey. To do this, right-click Settings, click Export, type a file name in the File name box, and then click Save.
4. Under the Settings subkey, delete the following subkeys. (To delete a subkey, right-click the subkey, click Delete, and then click Yes to confirm.)
   {4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2}
   {7390f3d8-0439-4c05-91e3-cf5cb290c3d0}
5. Close Registry Editor.
6. Refresh the TS Web Access Web page. The TS Web Access Web page should display correctly.
Note: Depending on your Internet Explorer security settings, you may receive a warning message on the Internet Explorer Information bar that asks if you want to allow the add-on to run. If you receive the message, click the message line, and then click Run ActiveX Control. When you do this, you may see a security warning. Make sure that the publisher for the ActiveX control is "Microsoft Corporation" before you click Run.
Note: If you selected multiple programs, the settings described in the rest of this procedure apply to all of the selected programs. A separate .rdp file is created for each program.
4. On the Welcome to the RemoteApp Wizard page, click Next.
5. On the Specify Package Settings page, do the following:
   a. In the Enter the location to save the packages box, accept the default location or click Browse to specify a new location to save the .rdp file.
   b. In the Terminal server settings area, click Change to modify the terminal server or farm name, the RDP port number, and the Require server authentication setting. (For more information about these settings, see Configure terminal server settings.) When you are finished, click OK.
   c. In the TS Gateway settings area, click Change to modify or to configure whether clients will use a TS Gateway server to connect to the target terminal server across a firewall. (For more information about these settings, see Configure TS Gateway settings.) When you are finished, click OK.
      Note: For more information about TS Gateway, see the TS Gateway Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85872).
   d. To digitally sign the .rdp file, in the Certificate Settings section, click Change to select or to change the certificate to use. Select the certificate that you want to use, and then click OK. (For more information about these settings, see Configure digital signature settings (optional).)
6. When you are finished, click Next.
7. On the Review Settings page, click Finish.
When the wizard is finished, the folder where the .rdp file was saved opens in a new window. You can confirm that the .rdp file was created.
Installer package.
Note: If you selected multiple programs, the settings described in the rest of this procedure apply to all of the selected programs. A separate Windows Installer package is created for each program.
4. On the Welcome to the RemoteApp Wizard page, click Next.
5. On the Specify Package Settings page, do the following:
   a. In the Enter the location to save the packages box, accept the default location or click Browse to specify a new location to save the Windows Installer package.
   b. In the Terminal server settings area, click Change to modify the terminal server or farm name, the RDP port number, and the Require server authentication setting. (For more information about these settings, see Configure terminal server settings.) When you are finished, click OK.
   c. In the TS Gateway settings area, click Change to modify or to configure whether clients will use a TS Gateway server to connect to the target terminal server across a firewall. (For more information about these settings, see Configure TS Gateway settings.) When you are finished, click OK.
      Note: For more information about TS Gateway, see the TS Gateway Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=85872).
   d. To digitally sign the file, in the Certificate Settings section, click Change to select or to change the certificate to use. Select the certificate that you want to use, and then click OK. (For more information about these settings, see Configure digital signature settings (optional).)
6. When you are finished, click Next.
7. On the Configure Distribution Package page, do the following:
   a. In the Shortcut icons area, specify where the shortcut icon for the program will appear on client computers.
   b. In the Take over client extensions area, configure whether to take over client file name extensions for the program.
      If you associate the file name extensions on the client computer with the RemoteApp program, all file name extensions that are handled by the program on the terminal server will also be associated on the client computer with the RemoteApp program. For example, if you add Microsoft Word as a RemoteApp program, and you configure the option to take over client file name extensions, any file name extensions on the client computer that Word takes over will be associated with Remote Word. This means that any existing program on the client computer will no longer handle file name extensions such as .doc and .dot. Note that users are not prompted whether the terminal server should take over file extensions for the program.
      To view what file name extensions are associated with a program on the terminal server, click Start, click Control Panel, and then double-click Default Programs. Click Associate a file type or protocol with a program to view the file name extensions and their default associated program.
      Caution: Do not install Windows Installer packages that were created with this setting enabled on the terminal server itself. If you do, clients that use the Windows Installer package may not be able to start the associated RemoteApp program.
8. After you have configured the properties of the distribution package, click Next.
9. On the Review Settings page, click Finish.
When the wizard is finished, the folder where the Windows Installer package was saved opens in a new window. You can confirm that the Windows Installer package was created.
   b. Create a Terminal Services resource authorization policy (TS RAP) that provides access to the terminal servers that host the RemoteApp programs. When you create the TS RAP, add the user groups that you defined in the TS CAP. Also, create a new TS Gateway-managed computer group that contains both the NetBIOS names and the fully qualified domain names (FQDNs) of the terminal servers that host the RemoteApp programs.
      Note: If you are using a terminal server farm, specify the name of the farm, and not the individual farm members.
      For more information, see the "Create a TS RAP and specify computers that users can connect to through the TS Gateway server" section of the TS Gateway Step-by-Step Guide.
4. Configure TS Gateway settings in TS RemoteApp Manager (either in the global deployment settings or when you create an .rdp file or Windows Installer package). When you do so, make sure that you specify the FQDN of the TS Gateway server. When you configure global deployment settings, the changes will be reflected immediately on the TS Web Access Web site.
   Note: If you have previously created .rdp files and Windows Installer packages, the new settings will not be reflected in those packages. You must create new packages with the correct settings, and then distribute them to users.
5. To allow Internet access to RemoteApp programs through TS Web Access, configure firewall and authentication settings. For more information, see Configure the TS Web Access server to allow access from the Internet in the following section.
To verify that Windows authentication is enabled
1. On the TS Web Access server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the left pane of Internet Information Services (IIS) Manager, expand the server name, expand Sites, expand Default Web Site, and then click TS.
3. In the middle pane, under IIS, double-click Authentication.
4. Ensure that Windows Authentication is set to Enabled. If it is not, right-click Windows Authentication, and then click Enable.
Note If you placed TS Web Access in a custom Web site, you must ensure that the authentication method that is used for the Web site can map to the user's Windows account. You can do this by using integrated Windows authentication on the custom Web site.
Additional information
Configure Server Manager and Initial Tasks not to run in administrator's RemoteApp session
If a user has administrative access to the terminal server where the RemoteApp programs are installed, when the user starts a RemoteApp program, the Server Manager tool and Initial Configuration Tasks also start in the RemoteApp session. You can control this behavior by using the following Group Policy settings in the Computer Configuration\Administrative Templates\System\Server Manager node of the Local Group Policy Editor on the terminal server:
Do not display Initial Configuration Tasks window automatically at logon
   You must enable this policy setting to prevent the Initial Configuration Tasks window from opening when a user with administrative access starts a RemoteApp session.
Do not display Server Manager automatically at logon
   You must enable this policy setting to prevent Server Manager from opening when a user with administrative access starts a RemoteApp session.
A user can access Remote Desktop Web Connection by clicking the Remote Desktop tab on the TS Web Access page. As an administrator, you can configure whether the Remote Desktop tab is available to users. Additionally, you can configure settings such as which TS Gateway server to use, and the default device and resource redirection options.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To configure Remote Desktop Web Connection behavior
1. On the TS Web Access server, start Internet Information Services (IIS) Manager. To do this, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the left pane, expand the server name, expand Sites, expand Default Web Site, and then click TS.
3. In the middle pane, under ASP.NET, double-click Application Settings.
4. To change Remote Desktop Web Connection settings, modify the values in the Application Settings pane.
   To configure a default TS Gateway server, double-click DefaultTSGateway, enter the fully qualified domain name of the server in the Value box (for example, server1.contoso.com), and then click OK.
   To specify the TS Gateway authentication method, double-click GatewayCredentialsSource, type the number that corresponds to the desired authentication method in the Value box, and then click OK. The possible values include:
      0 = Ask for password (NTLM)
      1 = Smart card
      4 = Allow user to select later
   To configure whether the Remote Desktop tab appears on the TS Web Access page, double-click ShowDesktops. In the Value box, type true to show the Remote Desktop tab, or type false to hide the Remote Desktop tab. When you are finished, click OK.
   To configure default device and resource redirection settings, double-click the setting that you want to modify (xClipboard, xDriveRedirection, xPnPRedirection, xPortRedirection, or xPrinterRedirection). In the Value box, type true to enable the redirection setting by default, or type false to disable the redirection setting by default, and then click OK.
5. When you are finished, close IIS Manager. Your changes should take effect immediately on the TS Web Access Web site. If the Web page is open, refresh the page to view the changes.
Note You can also configure these settings by modifying the %windir%\Web\ts\Web.config file directly by using a text editor such as Notepad.
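The following PowerShell script is an added example, not part of the original guide. It reads the application settings named in the procedure above from a Web.config file and marks redirection settings that are enabled by default so that an administrator can review them. The setting names come from the guide; the function name, the XML layout of the embedded sample, and its values are assumptions constructed for illustration.

```powershell
# Added example (not from the guide): report TS Web Access application settings.
# Setting names come from the guide; the XML layout and values are a constructed sample.
param([string]$Path)  # optional path to a Web.config; the embedded sample is used if omitted

$sample = @'
<configuration>
  <appSettings>
    <add key="DefaultTSGateway" value="" />
    <add key="GatewayCredentialsSource" value="4" />
    <add key="ShowDesktops" value="true" />
    <add key="xClipboard" value="true" />
    <add key="xDriveRedirection" value="true" />
    <add key="xPnPRedirection" value="false" />
    <add key="xPortRedirection" value="false" />
    <add key="xPrinterRedirection" value="true" />
  </appSettings>
</configuration>
'@

function Get-TsWebSettingReport {   # hypothetical helper name
    param([xml]$Config)
    # Authentication method values as listed in the guide.
    $auth = @{ '0' = 'Ask for password (NTLM)'; '1' = 'Smart card'; '4' = 'Allow user to select later' }
    $s = @{}
    foreach ($n in $Config.SelectNodes('/configuration/appSettings/add')) {
        $s[$n.GetAttribute('key')] = $n.GetAttribute('value').Trim()
    }
    $note = if ($s['DefaultTSGateway']) { 'default TS Gateway server is set' } else { 'no default TS Gateway server' }
    [pscustomobject]@{ Setting = 'DefaultTSGateway'; Value = $s['DefaultTSGateway']; Note = $note }

    $v = $s['GatewayCredentialsSource']
    $note = if ($null -ne $v -and $auth.ContainsKey($v)) { $auth[$v] } else { 'not a value listed in the guide' }
    [pscustomobject]@{ Setting = 'GatewayCredentialsSource'; Value = $v; Note = $note }

    $note = if ($s['ShowDesktops'] -eq 'true') { 'Remote Desktop tab is shown' } else { 'Remote Desktop tab is hidden' }
    [pscustomobject]@{ Setting = 'ShowDesktops'; Value = $s['ShowDesktops']; Note = $note }

    foreach ($k in 'xClipboard', 'xDriveRedirection', 'xPnPRedirection', 'xPortRedirection', 'xPrinterRedirection') {
        $note = if (-not $s.ContainsKey($k)) { 'setting not present' }
                elseif ($s[$k] -eq 'true') { 'REVIEW: redirection enabled by default' }
                else { 'redirection disabled by default' }
        [pscustomobject]@{ Setting = $k; Value = $s[$k]; Note = $note }
    }
}

$config = if ($Path) { [xml](Get-Content -LiteralPath $Path -Raw) } else { [xml]$sample }
Get-TsWebSettingReport -Config $config | Format-Table -AutoSize
```

With the constructed sample, the report marks xClipboard, xDriveRedirection, and xPrinterRedirection for review and shows that users are allowed to select the TS Gateway authentication method later.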
you specify another port, ensure that the firewall is configured to permit HTTP or HTTPS traffic on that port, depending on your configuration.)
5. When you are finished, click OK.
6. Start Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press ENTER.
7. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
8. To specify a new install location for the TS Web Access Web site, do the following:
   a. Right-click Microsoft, point to New, and then click Key.
   b. Type Terminal Server Web Access as the subkey name, and then press ENTER.
   c. Right-click Terminal Server Web Access, point to New, and then click String Value.
   d. Type Website as the entry name, and then press ENTER.
   e. Right-click Website, and then click Modify.
   f. In the Value data box, type the name of the Web site where you want to install the TS Web Access Web site (the site name that you specified in step 4 of this procedure), and then click OK.
9. Close Registry Editor.
10. Install TS Web Access. For more information, see Install the TS Web Access role service earlier in this guide.