Secure Global Desktop 4.31 Administration Guide > Getting started > Configuring Microsoft Windows Terminal Services for use with Secure Global Desktop

Configuring Microsoft Windows Terminal Services for use with Secure Global Desktop

To use Microsoft Windows Terminal Services with Secure Global Desktop you may have to configure:

• Authentication settings
• Session resumability
• Windows printer mapping
• Windows Server 2003 FIPS encryption level
• Windows Server 2003 session restrictions
• Windows Server 2003 remote desktop users
• Windows Server 2003 time zone redirection
• Windows Server 2003 audio redirection
• Windows Server 2003 smart card device redirection
• Windows Server 2003 COM port mapping

Note For detailed information on configuring Terminal Services, see the Microsoft sites for Windows 2000 Server and Windows Server 2003.

Authentication settings

By default, Windows 2000 Server always prompts for a password when users log in, whether or not Secure Global Desktop supplies the password for the application server from its password cache. By default, Windows Server 2003 does not prompt for passwords.

To configure a Windows Server to stop prompting for passwords for Secure Global Desktop users:

1. In Terminal Services Configuration, click Connections.
2. Double-click RDP-Tcp.
3. Click the Logon Settings tab.
4. Clear the Always Prompt for Password box.

Changes to this setting only apply to new Windows Terminal Server sessions.

Session resumability

Windows Terminal Services allow users' sessions to continue running following a connection loss. We recommend that you disable this feature on the Windows Server, and let Secure Global Desktop handle session resumability. This prevents unnecessary use of resources on the application server, and ensures that if users share accounts on the application server, they do not resume each other's Windows sessions.

For example, with session resumability enabled on Windows, an application configured in Secure Global Desktop to be Webtop session resumable does not end when the user logs out of Secure Global Desktop. Windows preserves the session so that it may be resumed later.

Resources may be consumed unnecessarily on more than one application server if the application is configured to run on multiple application servers.

To illustrate how shared accounts may lead to "stolen" sessions, consider this example. The Windows resume mechanism is enabled on the application server rome. Secure Global Desktop user Bill Orange starts the Write-o-Win application on rome with the Windows username "guest". Bill then logs out of Secure Global Desktop without closing Write-o-Win. Secure Global Desktop user Rusty Spanner then starts Write-o-Win as "guest" on the same application server. Rusty resumes the copy of Write-o-Win running in Bill's Windows session because of the Windows resume mechanism.

To configure a Windows Server to allow Secure Global Desktop to handle session resumability:

1. In Terminal Services Configuration, click Connections.
2. Double-click RDP-Tcp.
3. Click the Sessions tab.
4. For the When Session Limit Is Reached Or Connection Is Broken option, choose End Session. (If necessary, clear the Override User Settings box to do this.)

Changes to these settings only apply to new Windows Terminal Server sessions.

Windows printer mapping

To support printing to client printers from a Windows Terminal Server session, Windows printer mapping must be enabled (it is by default). Follow these steps if it has been disabled:

1. In Terminal Services Configuration, click Connections.
2. Double-click RDP-Tcp.
3. Click the Client Settings tab.
4. Clear the Windows printer mapping box.

Changes to these settings only apply to new Windows Terminal Server sessions.

Windows Server 2003 FIPS encryption level

Secure Global Desktop does not support the Federal Information Processing Standards (FIPS) encryption level, available on Windows Server 2003.

If you have enabled FIPS encryption, you must change it as follows:

1. In Terminal Services Configuration, click Connections.
2. Double-click RDP-Tcp.
3. Click the General tab.
4. In the Encryption Level list, choose an encryption level.

Changes to these settings only apply to new Windows Terminal Server sessions.

Windows Server 2003 session restrictions

By default, Windows Server 2003 only allows users one Terminal Services session each. If a user starts another desktop session or another instance of an application (with the same arguments), the second Terminal Services session "grabs" the first session and disconnects it. This means from the webtop it is not possible to launch two desktops or two instances of the same application on the same Windows Server 2003.

To change this behavior:

1. In Terminal Services Configuration, click Server Settings.
2. Double-click Restrict each user to one session.
3. Clear the Restrict each user to one session box.

Changes to this setting only apply to new Windows Terminal Server sessions.

Windows Server 2003 remote desktop users

For Windows Server 2003, users can only use Terminal Services if they are members of the Remote Desktop Users group.

Windows 2003 time zone redirection

Windows Server 2003 allows client computers to redirect their time zone settings to the Terminal Server so that users see the correct time for their time zone in their desktop/application sessions. Terminal Services uses the server base time on the Terminal Server and the client time zone information to calculate the time in the session. This feature may be useful if you have clients in different time zones.

By default, this feature is disabled. To enable the feature on a Windows 2003 Server:

1. Either:
   • start the Microsoft Group Policy Management Console; or
   • start an empty Microsoft Management Console and add the Group Policy Object Editor snap-in.
2. Select the group policy object you want to edit.
3. Click Computer configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server Data Redirection.
4. Open Allow Time Zone Redirection.
5. Click Enabled.
6. Click OK.

Changes to this setting only apply to new Windows Terminal Server sessions.

Windows Server 2003 audio redirection

Windows Server 2003 can redirect sound to a Windows Terminal Server session. By default, this feature is disabled. To enable the feature:

1. In Terminal Services Configuration, click Connections.
2. Double-click RDP-Tcp.
3. Click the Client Settings tab.
4. Clear the Audio mapping box.

Changes to this setting only apply to new Windows Terminal Server sessions.

Windows Server 2003 smart card device redirection

Windows Server 2003 can redirect smart card devices to a Windows Terminal Server session. This is enabled by default. Follow these steps if it has been disabled:

1. Either:
   • start the Microsoft Group Policy Management Console; or
   • start an empty Microsoft Management Console and add the Group Policy Object Editor snap-in.
2. Select the group policy object you want to edit.
3. Click Computer configuration, Administrative Templates, Windows Components, Terminal Services, Client/Server Data Redirection.
4. Double-click the Do not allow smart card device redirection setting.
5. Click enabled.

Changes to this setting only apply to new Windows Terminal Server sessions.

Windows Server 2003 COM port mapping

Windows Server 2003 allows users to access the serial ports on the client device from a Windows Terminal Server session. By default, this feature is disabled. To enable the feature:

1. In Terminal Services Configuration, click Connections.
2. Double-click RDP-Tcp.
3. Click the Client Settings tab.
4. Clear the COM port mapping box.

Changes to this setting only apply to new Windows Terminal Server sessions.

Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.