Setting up a Windows 2008 R2 environment

[Bilberry]

Hi all,
My friend has his own business with 5 employees. They have now a windows 2003 environment with xp clients. He wants to buy a new server and we will install windows 2008 r2. He has 3 applications which he wants to "host" with remoteApp functionality. His own employees (5) and 10 customers (remote) will use those applications. I have a couple of questions:
- can we install and configure 1 server who needs to be confugred as a active directory and terminal server (remoteapp)?
- is there a need of installing the ts gateway? We will only use one server which should be accessed internally and externally.
- what do i need to buy for licenses? 15 cal licenses, and what else?
- is the archtecture ok, or do i need to have one more server? The applications are easy and not so complex...

Hope to get some advice...

 

[technome]

can we install and configure 1 server who needs to be configured as a active directory and terminal server (remoteapp)?" From a security standpoint, having a DC as terminal server is placing a hungry fox in a hen house, I would not even consider it.

For the lowest cost option, your best off getting a separate, relatively cheap server (64bit), with a relatively fast CPU, 8 meg ram to start, with a raid 1 of SATA drives, installing TSG for SSL security, and having the TS service also on that server (member server,not a DC), having the SSL port open to that server. Approx $1500., the last bare minimum server I purchased for a client in this senario was $ 1350. from Dell .
I consider the TSG critical to security, regular RDP port 3389 access is not all that secure. Getting the TSG running can be a learning experience, you need to get the certificate installed correctly, and MS has left a couple of bugs un-fixed to let you have fun, but once it is working it worthwhile. It will require a bare minimum of a full day of google research on your part to find all the info you need to install TSG, the TS part is relatively easy.

On 2008, you do not pay for the server TSG or TS license but you do pay for each client license. You could purchase a 5 pack.

"The applications are easy and not so complex" That is not the issue, good hackers are complex.


........................................
Chernobyl disaster..a must see pictorial

http://www.kiddofspeed.com/default.htm

 

[goombawaho]

8 meg ram to start

I know you meant 8 GB

I don't think anyone should leave the RDP port open, but you don't have to use TSG. You can just have a router which supports a VPN like a Cisco RV042. Clients can then create a PPTP connection to the router and then RDP into your server. Of course when they have the VPN running, they are in essence, part of your network with a local IP address. I guess it depends on how much you trust the "10 remote customers".

 

[technome]

I know you meant 8 GB" Yes, 8 meg would'nt power the letter T in Terminal server.

Your idea provides another way to solve the issue, but he still should have a separate (member) server so the users are not logging into a DC, then again it comes down to trust, how many/how much, resources one expects a DC server to use, and how much malware you can stand...
I do not trust users, unless they have phenominal retirement/medical/vacation/severance plans, hefty bonuses, and have common sense <gin>.



........................................
Chernobyl disaster..a must see pictorial

http://www.kiddofspeed.com/default.htm

 

[goombawaho]

If you only have one server then that's the way it's done because usually there's not enough money to set up a second one. Agreed though that, ideally, keep everyone off the DC directly.

Don't get into the <gin>, it's too early.

 

[jkupski]

Buy Windows 2012 Standard, which comes with the right to run 2 virtual instances. Install either vSphere or Hyper-V on the box, whichever you are most comfortable with, and stand up 2 VMs running 2008 R2 (you have downgrade rights)--one to be the DC, the other to be the terminal server.

Go with technome's suggestion on hardware for the most part, but add more RAM. RAM is cheap and is almost certainly going to be your bottleneck for the application you've described.

Last, but certainly not least, licensing. You'll need 5 server CALs and 5 RDS CALs for your internal users. The bad news here is that you cannot use this kind of CAL for your customers--you'll need a Windows Server external connector license, and an RDS external connector license for this. Sadly, I think the cost of these are going to kill your project dead (pushing $10k total for both external connectors) but as far as I know, there's no workaround here.

 

[goombawaho]

Honestly, for a business with 5 employees and some external customers connecting, most of those suggestions are too expensive to be reasonable. Like crazy expensive and too complex. So you can do what I suggested with a little more THEORETICAL risk but probably not real world risk.

 

[jkupski]

For a business with 5 employees and a few external customers, the solution isn't feasible anyway... like I noted, licensing the external users is going to at least triple the cost of the solution, and there's no workaround if you want a Microsoft solution. You simply need the external connectors, and they cost way too much.

As far as complexity goes, though, a pair of windows server VMs running on the free version of vSphere with local storage and without vCenter is pretty damn simple. I haven't done something like this with HyperV, but I don't imagine that it's much more complex.

 

[goombawaho]

I was echoing your "too expensive" comment. See my first post for the redneck way to accomplish it.

 

[jkupski]

Your redneck solution is an unlicensed solution--the external connectors are required for this application. Saying "this external guy is on your internal network because of VPN" doesn't change the fact that he's not your employee, nor is he the employee of your affiliate. Thus, he is not eligible to use whatever CALs you may have purchased.

To be realistic, and at the risk of running afoul of the TOS of this site: my feeling here is that if you're going to run your licensed software in an unlicensed configuration, you may as well go ahead and just pirate the stuff to begin with and implement the solution at zero cost. Microsoft will not care that you were making a good faith effort to comply with their byzantine licensing, you will be expected to cough up, at a minimum, the full list of whatever you were using outside of the license terms, plus (if you're unlucky) penalties.

In other words, if you're going to implement something, implement it correctly--the costs are the same either way.

 

[goombawaho]

Your redneck solution is an unlicensed solution the external connectors are required for this application

BFD - I don't advocate always paying Microsoft every nickel they think they need. Those CALs have been a PITA ripoff since Server 200X. Fight the power.

you may as well go ahead and just pirate the stuff to begin with and implement the solution at zero cost.

No, no that's just crazy talk. Buy the server software at a minimum and 5 CALS and call it a day. You're 87% of the way toward being an upstanding citizen. Pretty good.

Better yet - forget Server 200X and use a Windows 7 PRO 64-bit computer with 12GB RAM as a server with RDP over "my" VPN suggestion. Per this thread on changing network parameters in Win 7

http://serverfault.com/questions/23...-7-shared-folder-from-windows-xp-workstations

http://forums.techguy.org/networking/963622-solved-xp-machines-lose-connectivity.html

 

[jkupski]

We'll have to agree to disagree.

 

[goombawaho]

Duel at 50 paces - loser pays Microsoft licensing?

 

[Bilberry]

Dear friends,
I will post the newest server details here, before buying it. The oldest 2003 has also exchange and is also a DC Maybe we can use this server for DC purposes later, after reinstalling it. A lot of answers, but which one is the best way?

technome: Thanks for your reply! With the solution you've descbribed: Do we have also the licenses to connect external users?
goombawaho: Thanks for your reply! What kind of licenses do i need for your solution with VPN?
jkupski: Thanks for your reply! Pffff: External connectors...the first time that i've heard about it. Thanks for that. Can we not share the CALS externally?? A lot of costs.. Is there not a workaround?

Do i need to setup virtual environment for this setup? I dont know what to do for the external users. I hope that someone can help me out, and give me way to go....

 

[jkupski]

No, you may not share CALs externally, and your customers may not buy their own CALs and use them to connect to your infrastructure. There is no workaround I know of. Sucks, doesn't it?

And goomba: too rich for my blood, sorry.

 

[goombawaho]

I guess it depends on whether you want to pay all that money to Microsoft. I admit that my ORIGINAL idea would not be kosher per Microsoft licensing requirements and you don't want to do that at a business. They will cut off your %($#+ if they bust you. jkupski is correct in that analysis.

I would present the cost of the TSG solution and get a "disapproval" by management due to cost. Then think about other alternatives. There are many more, so just search for "Terminal Services Alternatives"

http://www.techrepublic.com/blog/doityourself-it-guy/diy-four-terminal-server-alternatives/921

https://www.thinstuff.com/licensing/index.php?selected_product=16;14;15

My second idea would be:
Load the OLD server as a Windows 7 Professional or higher computer.
Set up the application on that machine
Set up the users on that machine (internal & external) as local users
Have some type of VPN connection set up. I use the Cisco RV042 as a router/firewall/vpn. Set up PPTP or Cisco VPN.
VPN connection will get the users onto your network
Then they can RDP into the Windows 7 Professional computer.
They can work on the application.


Down side of this idea:
It will NOT be part of active directory
You will have to connect internal users outside of A.D.
You will have to back it up separately (the application data) or copy to another backed up machine.
Without windows ultimate and this little tweak (

http://tsukasa.jidder.de/blog/2012/...dp-multiple-sessions-per-user/comment-page-1)

you could only run one RDP session at a time per license agreement.

Up side of this idea
Very inexpensive
Keeps the outsiders off your domain controller/Exchange server (really a good idea)
No licensing issues

 

[strongm]

>No licensing issues

Yes, there are. It is still against Microsoft's licence - as you yourself comment - to run multiple RDP session on Windows 7 or, indeed, for anyone apart from the primary user of the PC to connect via RDP.

So you are still recommending a dodgy solution.

>loser pays Microsoft licensing?

Like it or not (and certainly some of Microsoft's licensing terms are not beyond criticism), the policies of this site do not approve of or condone solutions that include breach of contract or licencing terms.


Having said that, and disagreeing with jkupski, these days the Microsoft Licensing certainly allows you to buy CALs for external users rather than an External Connector License:

About Licensing
Client Access Licenses and Management Licenses

External Connectors

If you want external users—such as business partners, external contractors, or customers—to be able to access your network, you have two licensing options:
- Acquire CALs for each of your external users.
- Acquire External Connector (EC) licenses for each server that will be accessed by your external users.

In addition, Microsoft have commented "Basically, if you don't intend to authenticate users as Windows users then you don't need any additional CALs. The license only applies if you need to have users connect to your server as Windows users, say through terminal services or file/print shares.

 

[goombawaho]

Are you sure about this aspect of connecting to a Windows 7 computer???
"for anyone apart from the primary user of the PC to connect via RDP."

Smack me if I'm in the wrong here. Wouldn't that be a "soft" violation of the licensing vs. a hard violation like not having enough CALs??

Can the OP use my idea at all within the guidelines of Microsoft licensing?

 

[strongm]

>Are you sure about this aspect of connecting to a Windows 7 computer???

Yes, quite sure.

Here's a quote from the Windows 7 License (specifically MICROSOFT SOFTWARE LICENSE TERMS WINDOWS 7 ULTIMATE N SERVICE PACK 1)

Remote Access Technologies. You may access and use the software installed on the licensed computer remotely from another device using remote access technologies as follows.
• Remote Desktop. The single primary user of the licensed computer may access a session from any other device using Remote Desktop or similar technologies

Apart from conceding that the primary user does not have to connect from a PC or indeed from another Windows product (e.g the Remopte Desktop Client), that is the SOLE allowance for RDP in the license.

Of course you're likley to counter with "what about remote assistance, then?". That's covered (with my bold):

• Other Access Technologies. You may use Remote Assistance or similar technologies to share an active session

i.e. Sure, you can use RA (or GotoMyPC or whatever similar prodcut you wish) but only to piggyback onto the (one) session that the primary user using

 

[Bilberry]

Every day i read your posts. Thanks a lot for all of those idea's. Now im also investigating the "WIndows Small Business server standard" (installing it on the newest server), because i need also a exhange license.