From: Vera Noest [MVP] on 4 Dec 2007 16:05

I'm absolutely no networking specialist, but yes, you could set up
your TS as an SSH host (others will jump in if this is not good
practice, I hope).

Here's a short explanation about SSH, what it does and how it
works:
http://en.wikipedia.org/wiki/Ssh

I'm a bit puzzled about the heavy rdp traffic that you see on your
network, though. How many concurrent sessions do you have on your
TS? What are these users doing on your TS that takes so much
bandwidth?
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"TR" <TR(a)somehwere.com> wrote on 04 dec 2007 in
microsoft.public.windows.terminal_services:

> Hi Vera,
>
> I am not familiar with SSH. Is this something I would set up
> directly on the TERMINAL server? Is SSH an open source product?
> We are having the remote people use VPN now, but the VPNs are
> created through the SBS2003 box and this is generating a lot of
> traffic on our local lan. Hence my idea about the second network
> card directly on the TERMINAL server itself with a public IP.
>
> thanks
> TR
>
>
> "Vera Noest [MVP]" <vera.noest(a)remove-this.hem.utfors.se> wrote
> in message
> news:Xns99FBE2B9BBCFAveranoesthemutforsse(a)207.46.248.16...
>> First of all, I agree with Hank that you are taking a big risk.
>> It doesn't matter that rdp is encrypted, because your TS is
>> open for logon attempts from the Internet, and all it needs is
>> just one single user account with a weak password and you're
>> hacked. So I would definitively set your users up with a VPN
>> connection, or SSH, directly to the TS (doesn't have to go
>> through the SBS 2003 server).
>>
>> That said, to answer your original question: I believe that you
>> need to manually configure your Windows routing tables, using
>> the route.exe command. Only one NIC should have a default
>> gateway assigned through the GUI.
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> "TR" <TR(a)somehwere.com> wrote on 03 dec 2007 in
>> microsoft.public.windows.terminal_services:
>>
>>>
>>> Geez Hank...
>>>
>>> Well I am not an expert on routing. How do I give our remote
>>> employees access to the terminal server without burdening our
>>> current SBS network with all the VPNs and all the traffic
>>> they generate on the internal network?
>>>
>>> If the only thing I have enabled on this TERMINAL nic is
>>> TCP\IP and they are using RDP which is supposedly encrypted,
>>> how do I set this up?
>>>
>>> Thanks
>>> TR
>>>
>>>
>>> "Hank Arnold (MVP)" <rasilon(a)aol.com> wrote in message
>>> news:O07iPQZNIHA.2376(a)TK2MSFTNGP02.phx.gbl...
>>>> TR wrote:
>>>>> Hello,
>>>>>
>>>>> I have a member server on a SBS 2003 network that is a
>>>>> terminal server. I added a second network card to the
>>>>> Terminal Server and purchased a public IP so that our remote
>>>>> employees can log into it from the internet on this second
>>>>> network card without having to create a VPN through our SBS
>>>>> server and generate more traffic on our internal network.
>>>>> When I configure the second NIC with the public ip and try
>>>>> to input the Default Gateway that was provided to me by my
>>>>> ISP, I get the error: Warning - Multiple default gateways
>>>>> are intended to provide redundancy to a single network (such
>>>>> as an intranet or internet). They will not function properly
>>>>> when the gateways are on two separate, disjoint
>>>>> networks (such as one on your intranet and one on the
>>>>> internet). Do you want to save this configuration?
>>>>>
>>>>> Is what I am trying to do not a valid configuration?
>>>>>
>>>>> Thanks
>>>>>
>>>>> TR
>>>>>
>>>>>
>>>> Ack!!! What you are trying to do is opening the door to
>>>> hackers!!! Your server is now a gateway into your network!!
>>>> Never, ever, put a server on an internal network on the
>>>> internet....
>>>>
>>>> --
>>>>
>>>> Regards,
>>>> Hank Arnold
>>>> Microsoft MVP
>>>> Windows Server - Directory Services
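
An added example, not part of any post in this thread: a Python check that reads `route print` output and reports the two conditions the posts above warn about, more than one default gateway and a server with one interface on the LAN and one on the Internet. The sample routing table and every address in it are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges; an interface address inside one is treated as internal.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `route print` excerpt for a dual-homed server: 192.168.16.x is
# the LAN, 203.0.113.x (documentation range) the ISP side. Not from the thread.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.16.2   192.168.16.10      10
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.16.0    255.255.255.0    192.168.16.10   192.168.16.10      10
      203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10      10
"""


def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headings and separator lines
        try:
            addrs = [ipaddress.ip_address(p) for p in parts[:4]]
            routes.append((*addrs, int(parts[4])))
        except ValueError:
            continue  # non-numeric fields such as "On-link"
    return routes


def audit(text):
    """Report default routes and whether the host straddles LAN and Internet."""
    routes = parse_routes(text)
    zero = ipaddress.ip_address("0.0.0.0")
    defaults = [(str(r[2]), str(r[3])) for r in routes
                if r[0] == zero and r[1] == zero]
    ifaces = {r[3] for r in routes if not r[3].is_loopback}
    internal = sorted(str(i) for i in ifaces if any(i in n for n in RFC1918))
    external = sorted(str(i) for i in ifaces if not any(i in n for n in RFC1918))
    return {
        "default_routes": defaults,
        "multiple_default_gateways": len({gw for gw, _ in defaults}) > 1,
        "dual_homed": bool(internal) and bool(external),
        "internal_interfaces": internal,
        "external_interfaces": external,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ROUTE_PRINT).items():
        print(f"{key}: {value}")
```
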
From: TR on 8 Dec 2007 18:12

Hi Vera,

Thanks for the input. We have approximately between 10 and 15 remote
employees accessing our TERMINAL at any time. They use the basic Office
package, Word, Excel, Outlook, the Shared Fax service of SBS and a web based
proprietary medical claims database system that resides on another internal
member server. I may need to do some more investigating to determine
whether it really is our remotes that are generating all the traffic, but
they are the only ones complaining right now.

TR

"Vera Noest [MVP]" <vera.noest(a)remove-this.hem.utfors.se> wrote in message
news:Xns99FCE0ADA41EEveranoesthemutforsse(a)207.46.248.16...
> I'm absolutely no networking specialist, but yes, you could set up
> your TS as an SSH host (others will jump in if this is not good
> practice, I hope).
>
> Here's a short explanation about SSH, what it does and how it
> works:
> http://en.wikipedia.org/wiki/Ssh
>
> I'm a bit puzzled about the heavy rdp traffic that you see on your
> network, though. How many concurrent sessions do you have on your
> TS? What are these users doing on your TS that takes so much
> bandwidth?
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "TR" <TR(a)somehwere.com> wrote on 04 dec 2007 in
> microsoft.public.windows.terminal_services:
>
>> Hi Vera,
>>
>> I am not familiar with SSH. Is this something I would set up
>> directly on the TERMINAL server? Is SSH an open source product?
>> We are having the remote people use VPN now, but the VPNs are
>> created through the SBS2003 box and this is generating a lot of
>> traffic on our local lan. Hence my idea about the second network
>> card directly on the TERMINAL server itself with a public IP.
From: Vera Noest [MVP] on 8 Dec 2007 18:49

Aaah, but *complaining* about performance doesn't mean that these
users are actually *causing* the performance problems!
Unless these users are printing heavily, it would amaze me if they
could saturate your internal network.

What is the bandwidth and latency of the connection these remote
users are connecting through?

This might also be helpful:

How can I measure RDP bandwidth usage?
http://ts.veranoest.net/ts_faq_administration.htm#monitor_bandwidth
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"TR" <TR(a)somehwere.com> wrote on 09 dec 2007 in
microsoft.public.windows.terminal_services:

> Hi Vera,
>
> Thanks for the input. We have approximately between 10 and 15
> remote employees accessing our TERMINAL at any time. They use
> the basic Office package, Word, Excel, Outlook, the Shared Fax
> service of SBS and a web based proprietary medical claims
> database system that resides on another internal member server.
> I may need to do some more investigating to determine whether it
> really is our remotes that are generating all the traffic, but
> they are the only ones complaining right now.
>
> TR
>
>
> "Vera Noest [MVP]" <vera.noest(a)remove-this.hem.utfors.se> wrote
> in message
> news:Xns99FCE0ADA41EEveranoesthemutforsse(a)207.46.248.16...
>> I'm absolutely no networking specialist, but yes, you could
>> set up your TS as an SSH host (others will jump in if this is not
>> good practice, I hope).
>>
>> Here's a short explanation about SSH, what it does and how it
>> works:
>> http://en.wikipedia.org/wiki/Ssh
>>
>> I'm a bit puzzled about the heavy rdp traffic that you see on
>> your network, though. How many concurrent sessions do you have
>> on your TS? What are these users doing on your TS that takes so
>> much bandwidth?
From: Leythos on 8 Dec 2007 21:44

In article <#vbJR$eOIHA.5224(a)TK2MSFTNGP02.phx.gbl>, TR(a)somehwere.com
says...
> Thanks for the input. We have approximately between 10 and 15 remote
> employees accessing our TERMINAL at any time. They use the basic Office
> package, Word, Excel, Outlook, the Shared Fax service of SBS and a web based
> proprietary medical claims database system that resides on another internal
> member server. I may need to do some more investigating to determine
> whether it really is our remotes that are generating all the traffic, but
> they are the only ones complaining right now.

What you should have done is purchase a Firewall Appliance that allows
for it to be a PPTP/VPN server or to allow users to authenticate with it
first - then you can allow RDP in to the T/S from their authenticated
firewall session.

We NEVER expose terminal server directly to the Internet and have almost
100 users on a Dual Xeon 2.8ghz, 4GB RAM, Win 2003 Std Sp2 using Office
2003 and a nasty database application along with IE/Fire Fox - runs
smooth and we never get external traffic.

We also never let the users set up the firewall authentication and the
user/pwd is controlled by the IT Dept and the user is completely
different than their Windows user/password.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free(a)rrohio.com (remove 999 for proper email address)
From: TR on 9 Dec 2007 23:58

Thanks for the input. I will take a look at the article about measuring
bandwidth. Our terminal server is currently a member server in an SBS 2003
network and ISA 2004 handles the VPNs and the passwords.

"Leythos" <void(a)nowhere.lan> wrote in message
news:MPG.21c5208ae49aec5b989881(a)Adfree.usenet.com...
> In article <#vbJR$eOIHA.5224(a)TK2MSFTNGP02.phx.gbl>, TR(a)somehwere.com
> says...
>> Thanks for the input. We have approximately between 10 and 15 remote
>> employees accessing our TERMINAL at any time. They use the basic Office
>> package, Word, Excel, Outlook, the Shared Fax service of SBS and a web
>> based
>> proprietary medical claims database system that resides on another
>> internal
>> member server. I may need to do some more investigating to determine
>> whether it really is our remotes that are generating all the traffic, but
>> they are the only ones complaining right now.
>
> What you should have done is purchase a Firewall Appliance that allows
> for it to be a PPTP/VPN server or to allow users to authenticate with it
> first - then you can allow RDP in to the T/S from their authenticated
> firewall session.
>
> We NEVER expose terminal server directly to the Internet and have almost
> 100 users on a Dual Xeon 2.8ghz, 4GB RAM, Win 2003 Std Sp2 using Office
> 2003 and a nasty database application along with IE/Fire Fox - runs
> smooth and we never get external traffic.
>
> We also never let the users set up the firewall authentication and the
> user/pwd is controlled by the IT Dept and the user is completely
> different than their Windows user/password.
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free(a)rrohio.com (remove 999 for proper email address)