RDP access to an Exchange server is one of the most
common methods to remotely access a server. With most servers hosted in
data centers that might be halfway around the world, RDP gives
administrators a fast, easy, and secure method to get complete console
access.
In
this section, two methods of using RDP are discussed. The first is
Remote Desktop for Administration, which enables a maximum of two
connections and has no licensing implications. This is great for basic
access to the Exchange Server 2010 server remotely. The second is
Terminal Services, which enables many users to connect and has licensing
costs associated with it. This is great for setting up a jump box to
enable many administrators to use an SMC.
Planning and Using Remote Desktop for Administration
As mentioned earlier,
Remote Desktop for Administration is included and installed with the
Windows Server 2008 operating system and needs only to be enabled. This
eases automated and unattended server deployment by enabling an
administrator to deploy servers that can be managed remotely after the
operating systems have completed installation. This enables Exchange
Server administrators in central offices to manage servers in branch
offices or Exchange Server administrators in one region (such as the
America region) to manage servers in another region (such as the Asian
region). This can reduce the required headcount to manage Exchange
Server infrastructure and facilitate a follow-the-sun model of global
support.
This model can also be
used to manage a headless server, which can reduce the amount of space
needed in any server rack. More space can be dedicated to servers
instead of switch boxes, monitors, keyboards, and mouse devices.
This also provides for
an improved security model because Exchange Server administrators can
administer the Exchange servers without having to get physical access to
the servers. This is an effective security strategy for large data
centers with various application servers that might be collocated in the
same racks as the Exchange servers. It enables the Exchange Server
administrators to perform their job functions without needing access to
the data center.
Remote Desktop
for Administration limits the number of terminal sessions to two, with
only one RDP or Secure Sockets Layer (SSL) remote administration
connection per network interface. Only administrators can connect to
these sessions. No additional licenses
are needed to run a server in this Terminal Services mode, which
enables an administrator to perform almost all the server management
duties remotely.
Even though Remote
Desktop for Administration is installed by default, this mode does need
to be enabled. Some organizations might see Remote Desktop for
Administration as an unneeded security risk and choose to keep it
disabled. This function can easily be disabled throughout the entire
Active Directory (AD) forest by using a Group Policy setting to disable
administrators from connecting through Remote Desktop for
Administration.
Planning for Remote Desktop for Administration Mode
Unless Remote
Desktop for Administration is viewed as a security risk, you should
enable it on all internal servers to allow remote administration. For
servers that are on the Internet or for demilitarized zone (DMZ)
networks, Remote Desktop for Administration can be used, but access
should be even more restricted. For example, consider limiting access to
a predefined IP address or set of IP addresses, using firewall access
control lists (ACLs) to eliminate unauthorized attempts to log on to the
server. Another option is to limit connections to the server based on
protocol.
Note
The level of
encryption for remote sessions by default is 128-bit (bidirectional). It
is also important to note that some older Terminal Services clients
might not support that level of encryption. See the section “Securing Remote Desktop for Administration” for more details and how to increase the security.
Enabling Remote Desktop for Administration
Remote
Desktop for Administration mode is installed on all Windows Server 2008
servers by default and needs only to be enabled. To manually enable this
feature, follow these steps:
1. Launch Server Manager.
2. In the Server Summary, Computer Information section, click the Configure Remote Desktop link.
3. In the Remote Desktop section, check Allow Connections from Computers
Running Any Version of Remote Desktop (Less Secure), as shown in Figure 1
(or alternately choose Allow Connections Only from Computers Running
Remote Desktop with Network Level Authentication (More Secure) if you
have a more current version of the RDP client that supports network
level authentication).
4. At the Remote Desktop Firewall Exception Will Be Enabled pop-up, click OK to allow the firewall exception to be made.
5. Click OK on the System Properties page to complete this process.
The connection can be
tested by launching the Remote Desktop Client from Start, All Programs,
Accessories and selecting the Remote Desktop Connection icon. Enter in
the name of the Exchange server to connect to.
Enabling Remote Desktop for Administration After the Fact
Sometimes,
an Exchange server is built and deployed, but the Remote Desktop option
is not enabled. This is a problem when subsequently attempting to
remotely administer the server. The Terminal Services Client will behave
as if the server could not be found.
Even though Remote
Desktop is not enabled, the Exchange server can still be accessed
administratively. In particular, the Registry can still be modified
remotely and the Remote Desktop setting can be enabled using the RegEdit
tool.
To enable Remote Desktop remotely on a Windows Server 2008-based Exchange Server 2010 server, complete the following steps:
1. From a domain member computer, log on as a user with Administrator privileges on the server.
2. Launch regedit.exe.
3. Click File and then select Connect Network Registry.
4. Enter the name of the server on which you want to enable Remote Desktop, and click OK.
5. Under the Exchange server tree, go to the key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\.
6. Change the value fDenyTSConnections from 1 to 0.
7. Close regedit.exe.
8. The change takes effect immediately.
The server now accepts Terminal Services connections.
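The same registry change, done from a domain member with PowerShell instead of regedit, as an added example that is not from the book. It assumes the caller already holds Administrator rights on the target, that the Remote Registry service is running there, and that the server name is passed in as $ServerName; the final port check exists because a remote registry change does not create the firewall exception that the local Server Manager steps add.

```powershell
# Added example (not the book's own procedure): enable Remote Desktop on a remote
# Windows Server 2008 host by flipping fDenyTSConnections, then verify the result.
param([Parameter(Mandatory = $true)][string]$ServerName)   # assumption: target supplied by caller

$hive = [Microsoft.Win32.RegistryHive]::LocalMachine
$base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ServerName)
$key  = $null
try {
    # fDenyTSConnections lives under Control\Terminal Server: 1 = deny, 0 = allow.
    $key = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server', $true)
    if ($key -eq $null) { throw "Terminal Server key not found on $ServerName" }

    $before = $key.GetValue('fDenyTSConnections')
    if ($before -eq 0) {
        Write-Host "$ServerName already accepts Remote Desktop connections"
    } else {
        $key.SetValue('fDenyTSConnections', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $after = $key.GetValue('fDenyTSConnections')
        Write-Host "$ServerName fDenyTSConnections: $before -> $after (takes effect immediately)"
    }
} finally {
    if ($key) { $key.Close() }
    $base.Close()
}

# The registry change does not open Windows Firewall; on a locally enabled server that is
# done by the pop-up in step 4 of the earlier procedure. Check the default RDP port answers
# before telling anyone the server is reachable.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($ServerName, 3389)
    Write-Host "TCP 3389 on $ServerName is reachable"
} catch {
    Write-Warning "TCP 3389 on $ServerName is not reachable; check the Remote Desktop firewall rule group"
} finally {
    $client.Close()
}
```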
Remote Desktop Client Command-line Options
The Remote Desktop Connection client (mstsc.exe) can be launched from the command line for additional control.
The command line for the Remote Desktop Client is as follows:
mstsc.exe {ConnectionFile | /v:ServerName[:Port]} [/console] [/f] [/w:Width/h:Height]
A handful of
switch commands for the Remote Desktop Client can be used to choose
specific servers and options. The commands are as follows:
/v:ServerName[:Port]— Specifies the remote computer and, optionally, the port number to which you want to connect.
/admin— Connects to the console session of the specified Windows Server 2008 family operating system.
/f— Starts the Remote Desktop connection in full-screen mode.
/w:Width/h:Height— Specifies the dimensions of the Remote Desktop screen.
In particular, the /admin
switch setting is useful. It enables the Exchange Server administrator
to connect directly to the console session on the Exchange server, which
is the session used when logging on at the keyboard of the Exchange
server. This, in effect, enables the Exchange Server administrator to
assume control of the keyboard of the Exchange server.
Remote Desktop Administration Tips and Tricks
You should consider
several key points before using Remote Desktop for Administration,
including, but not limited to, the following:
Make sure resources are available—
What information technology (IT) personnel resources, if any, are
available at the remote location or at the Exchange server’s location?
If a problem arises with the connection to the remote Exchange server or
the server itself (for example, a disconnection), contingency plans
should be available to recover and continue to remotely manage the
system. Generally speaking, it is a good idea to have someone in the
vicinity who can assist the administrator.
Use care when modifying network configurations—
With any remote administration tool, you are dependent upon the
connectivity between the client computer and the Exchange server that is
remotely managed. If network configuration settings must be modified
remotely, consider having alternative methods of access. For instance,
dial-up or a separate network connection might minimize downtime or
other issues stemming from loss of connectivity.
Use disconnect and reset timeout values—
Anytime a connection is accidentally broken or an administrator
disconnects, the remote session is placed into a disconnected state that
can later be reconnected and used to manage a server remotely.
Disconnect and reset timeouts are not configured by default for Remote
Desktop administration tools. These values can be used to ensure that
administrators are not unintentionally locked out (for example, when
there are two remote sessions that are active but in a disconnected
state). Generally speaking, using a five-minute timeout value allows
enough time for administrators to reconnect if they were accidentally disconnected. Moreover, it helps minimize the number of sessions that are disconnected and not used.
Coordinate remote administration efforts—
The number of remote administration connections is limited to a
precious two. Therefore, plan and coordinate efforts to reduce the
number of attempts to access Exchange servers remotely. This also helps
ensure that remote administration activities do not conflict with other
administrators and sessions or, in the worst of cases, corrupt
information or data on the server.
Remote Desktop Administration Keyboard Shortcuts
The keyboard shortcuts that work on the server have equivalents when running in Terminal Services. Table 1 lists the most common ones.
Table 1. Keyboard Shortcuts in a Remote Desktop Session
| Windows Keyboard Shortcut | Terminal Services Keyboard Shortcut | Description |
|---|---|---|
| Alt+Tab | Alt+Page Up | Switches between programs from left to right |
| Alt+Shift+Tab | Alt+Page Down | Switches between programs from right to left |
| Alt+Esc | Alt+Insert | Cycles through the programs in the order they were started |
| | Ctrl+Esc | Switches the client between a window and full screen |
| Ctrl+Esc | Alt+Home | Displays the Start menu |
| | Alt+Delete | Displays the Windows menu |
| Prnt Scrn | Ctrl+Alt+Minus (–) symbol on the numeric keypad | Places a snapshot of the active window in the Remote Desktop session on the Clipboard |
| Ctrl+Alt+Del | Ctrl+Alt+End | Displays the Task Manager or Windows Security dialog box |
| Alt+Prnt Scrn | Ctrl+Alt+Plus (+) symbol on the numeric keypad | Places a snapshot of the entire Remote Desktop session window on the Clipboard |
These keyboard shortcuts
can be handy when working within Terminal Services sessions to capture a
screen for documentation, check the performance in Task Manager, or
quickly switch between windows in the session.
Planning and Preparing Terminal Services for Exchange Administration
Terminal Services
mode is available in all editions of Windows Server 2008 (that is,
Standard, Enterprise, and DataCenter) except the Web Edition. It enables
any authorized user to connect to the server and run a single
application or a complete desktop session from the client workstation.
Because
the applications are loaded and running on the Terminal Services
server, client desktop resources are barely used; all the application
processing is performed by the Terminal Services server. This enables
companies to extend the life of old, less-powerful workstations by
running applications only from a Terminal Services server session.
Terminal Services
is generally not considered a viable technology to manage Exchange
Server remotely. Although it is possible to use Terminal Services to
manage Exchange Server 2010, several planning considerations must be
addressed to determine whether Terminal Services is suitable in your
environment.
The narrow use for Terminal
Services is in the case of a centralized tool platform where multiple
administrators (more than two at a time) log on and use the
administration tools. Terminal Services in this case allows the
organization to set up a central server or set of servers with all the
tools that the administrators use. This server is sometimes referred to
as a Jump Server, as administrators establish a Remote Desktop to the
system, and then they jump to other servers using console administration
applications.
Planning Considerations for Using Terminal Services
Terminal Services can
require a lot of planning, especially when you’re considering whether to
use it to manage Exchange Server remotely. Because Terminal Services is
intended to make applications available to end users rather than serve
as a remote management service, security, server performance, and
licensing are key components to consider before using it in a production
environment.
Terminal Services Security
Terminal Services
servers should be secured following standard security guidelines defined
in company security policies and as recommended by hardware and
software vendors. Some basic security configurations include removing
all unnecessary services from the Terminal Services nodes and applying
security patches for known vulnerabilities on services or applications
that are running on the terminal server.
Terminal
Services in Windows Server 2008 supports three different security
levels. The main difference is in the support for Network Level
Authentication, which uses certificates to authenticate the server
identity to the client. This prevents man-in-the-middle attacks. The
three security levels follow:
RDP Security— This is the native RDP encryption and does not support Network Level Authentication.
SSL (TLS 1.0)—
Network Level Authentication is performed to verify the identity of the
server to the client. Certificates are used to secure the transmission
and to perform Network Level Authentication.
Negotiate—
The most secure level that the client supports will be used. If the
client supports SSL (TLS 1.0), that will be used. If not, then RDP
security will be used. This is the default setting.
In
addition to the security levels, Windows Server 2008 terminal services
can be run in four different encryption levels to provide the
transmission protection appropriate for the organization. The four
levels of encryption follow:
Low—
Encryption is performed at the highest level supported by the client,
but only on the data sent from the client to the server. Data sent from
the server to the client is not encrypted. This is insecure and not
recommended.
Client Compatible— Encryption is performed at the highest level supported by the client, but all data between the client and server is encrypted.
High—
128-bit encryption is performed on all data between the client and the
server. If the client cannot support 128-bit encryption, the connection
is refused by the server.
FIPS Compliant—
Federal Information Processing Standard (FIPS) 140-1 validated encryption
is performed on all data between the client and the server. If the
clients cannot support FIPS encryption, the connection is refused by the
server.
An administrator can
use Group Policy to limit client functionality as needed to enhance
server security, and if increased network security is a requirement, can
consider requiring clients to run sessions in 128-bit high-encryption
mode.
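An audit script for the settings covered above (security layer, minimum encryption level, Network Level Authentication) and for the disconnect timeout recommended in the Tips and Tricks section, as an added example that is not from the book. It reads the RDP-Tcp listener through the Win32_TSGeneralSetting and Win32_TSSessionSetting WMI classes; the numeric value-to-name maps, the SetEncryptionLevel and TimeLimit method names, and the five-minute target are taken from that class documentation and from the text, and the -Enforce switch and $ComputerName parameter are this example's own.

```powershell
# Added example (not the book's own code): report the RDP-Tcp listener's security layer,
# encryption level, NLA requirement and disconnect timeout, and optionally raise them to
# the levels the text recommends (High encryption, five-minute disconnect timeout).
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local host unless a name is given
    [switch]$Enforce                             # assumption: opt-in remediation switch
)

# Numeric values as documented for Win32_TSGeneralSetting.
$securityLayers   = @{ 0 = 'RDP Security'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$encryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

# The TerminalServices namespace requires packet-privacy authentication when queried remotely.
$wmi = @{ Namespace = 'root\CIMV2\TerminalServices'; ComputerName = $ComputerName
          Filter = "TerminalName='RDP-Tcp'"; Authentication = 'PacketPrivacy' }
$general = Get-WmiObject -Class Win32_TSGeneralSetting @wmi
$session = Get-WmiObject -Class Win32_TSSessionSetting @wmi

New-Object PSObject -Property @{
    Computer             = $ComputerName
    SecurityLayer        = $securityLayers[[int]$general.SecurityLayer]
    MinEncryptionLevel   = $encryptionLevels[[int]$general.MinEncryptionLevel]
    NlaRequired          = ($general.UserAuthenticationRequired -eq 1)
    # DisconnectionTimeout is stored in milliseconds; 0 means disconnected sessions never expire.
    DisconnectTimeoutMin = [int]($session.DisconnectionTimeout / 60000)
} | Format-List

# Flag the conditions the text warns about.
$findings = @()
if ($general.MinEncryptionLevel -eq 1) { $findings += 'Low: server-to-client data is sent unencrypted' }
if ($general.MinEncryptionLevel -lt 3) { $findings += 'Encryption below High: 128-bit is not enforced' }
if ($general.SecurityLayer -eq 0)      { $findings += 'RDP Security layer: server identity is not verified' }
if ($general.UserAuthenticationRequired -ne 1) { $findings += 'Network Level Authentication is not required' }
if ($session.DisconnectionTimeout -eq 0) {
    $findings += 'No disconnect timeout: orphaned sessions can occupy both administration slots'
}
$findings | ForEach-Object { Write-Warning "$ComputerName : $_" }

if ($Enforce) {
    # Raise to High (3) and expire disconnected sessions after five minutes (300000 ms).
    [void]$general.SetEncryptionLevel(3)
    [void]$session.TimeLimit('DisconnectedSessionLimit', 300000)
    Write-Host "$ComputerName : encryption level set to High, disconnect timeout set to 5 minutes"
}
```

Clients that only support the older RDP Security layer will be refused once High encryption or NLA is required, so run the report without -Enforce first and check which clients are in use.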
In addition to the
more common security precautions that are recommended for Terminal
Services, you must also consider how running Terminal Services on an
Exchange Server 2010 server affects security. Using a server with both
Terminal Services and Exchange Server 2010 roles and responsibilities
can be a dangerous combination and should be considered only in the
smallest of environments with very relaxed security requirements. In any
circumstance, the combination is not recommended.
Combining the two
services and configuring Terminal Services to remotely manage Exchange
Server can result in many security-related hazards, including the
following:
A single misconfiguration or setting can enable users to change specific Exchange Server settings or parameters.
Users authorized to shut down or restart the system might inadvertently do so, causing messaging downtime.
Application-specific
security might conflict or, in some cases, unintentionally allow or
restrict access to messaging components on the server.
Terminal Server Licensing
Terminal Services
requires the purchase of client access licenses (CALs) for each client
device or session. A Terminal Services License Server also must be
available on the network to allocate and manage these CALs. When a
Terminal Services server is establishing a session
with a client, it checks with the Terminal Services License Server to
verify whether this client has a license. A license is allocated if the
client does not already have one.
Note
Using Terminal
Services to connect to and remotely manage an Exchange Server 2010
server does not exempt you from needing a Terminal Services CAL. This
adds to the overall cost of supporting Exchange Server 2010.
To install licenses
on the Terminal Services License Server, the Terminal Services License
Server must first be installed and then activated online. The Terminal
Services License Server requires Internet access or dial-up modem access
to activate the CALs added to the server.
When a Terminal
Services server cannot locate a Terminal Services License Server on the
network, it still allows unlicensed clients to connect. This can go on
for 120 days without contacting a license server, and then the server
stops serving Terminal Services sessions. It is imperative to get a
license server installed on the network as soon as possible—before
Terminal Services servers are deployed to production.
Installing Terminal Services for Remote Administration
To install Terminal Services, a network administrator can use the Server Manager as follows:
1. Launch Server Manager. Right-click on Roles and select Add Roles.
2. Click Next.
3. Select the Terminal Services role and click Next.
4. Click Next at the Introduction page.
5. Select Terminal Server for the role services and click Next.
6. Click Next.
7. Select the Authentication Method for the Terminal Server and click Next.
8. Select the Licensing Mode and click Next.
9. Select the User Groups that can connect to the Terminal Server and click Next.
10. Click Install to complete the installation of Terminal Services.
11. Click Close to finish. A reboot might be required.
Terminal Services is now accessible.