Terminal Services for Windows Server 2008


Not applicable

Our current setup for terminal services for Windows Server 2008 is set up through our ISA 2004 firewall. We plan to move to the PA-500, and the Terminal Services Agent only works for Windows Server 2003. Is there anything we can do to fix this?

12 REPLIES 12

L3 Networker

Wait until PANOS 3.1 is released in a week or two, whose ts-agent software I assume will support 2008 (unless it already does)? 🙂

Windows 2008 is not supported in 3.0 or 3.1. It is something that is being worked on for a release later in the year.

Mike

Is there a fix that I could use for now? Can I make a rule on the firewall that directs to a specific port to the terminal server? I am new at this, I used to use ISA Server 2004 and it had that as a feature.

You can set "source user = any" as workaround.

Another method would be to use captive portal along with ntlm, but I dunno if pan-agent will work on 2008 or if it has the same issues as ts-agent.

Is there any more specific term than "later this year"? Because it's 2010, and more and more people are starting to use Windows 2008 server.

The most detail I can provide at this point would be to take the r off of the previous statement and say late this year.

We are running into this more and more and it is a priority. It also turns out to be a decent amount of work due to changes in the OS between 2003 and 2008.

Mike

Not applicable

This firewall is great, I just have small issues with them catching up to the current Server software. Terminal Server is a big deal where I work; every officer on the road remotes in to get things done. I have to wait until 3.1 before I can put this in production.

Hopefully the session-based ntlm in 3.1 will be a good workaround/replacement for when you cannot use ts-agent.

Today the PAN will do the ntlm caching based on ip, which along with terminal servers is a very bad thing because you usually have more than one user per terminal server. The bad thing is that the wrong user is being logged (the PAN unit believes that traffic from one terminal server is only one user where in fact it can be several users).

The workaround until 3.1 is released could be to enable ntlm auth in captive portal and set up policy to allow only the ad-group of users you want to be able to surf (or set it to "known-users"). However, note that the logging of which user did what will be incorrect (but it will work in terms of blocking users who are not allowed to surf).
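The logging problem described in the reply above, as an added example that is not part of the original post and is not Palo Alto code: a simplified model of an authentication cache keyed only by source IP, run over constructed flows from one shared terminal server and one single-user workstation. The addresses, user names and the 300-second cache lifetime are assumptions made for the illustration.

```python
from collections import Counter
from dataclasses import dataclass

CACHE_TTL = 300  # seconds; assumed value for this illustration

@dataclass(frozen=True)
class Flow:
    t: int          # seconds since start of capture
    src_ip: str
    real_user: str  # ground truth: who actually generated the flow

def attribute_by_ip(flows, ttl=CACHE_TTL):
    """Log each flow under the user cached for its source IP."""
    cache = {}   # src_ip -> (user, expiry time)
    logged = []
    for f in sorted(flows, key=lambda f: f.t):
        entry = cache.get(f.src_ip)
        if entry is None or entry[1] <= f.t:
            # Cache miss: whoever is browsing now answers the NTLM challenge.
            entry = (f.real_user, f.t + ttl)
            cache[f.src_ip] = entry
        logged.append((f, entry[0]))
    return logged

def misattributed(logged):
    """Flows whose logged user differs from the user who generated them."""
    return [(f.t, f.src_ip, f.real_user, user)
            for f, user in logged if user != f.real_user]

def wrong_per_ip(logged):
    """Count misattributed flows per source IP (high counts suggest shared hosts)."""
    return Counter(ip for _, ip, _, _ in misattributed(logged))

# Constructed sample data: TS is a multi-user terminal server, WS a workstation.
TS, WS = "10.0.0.10", "10.0.0.50"
FLOWS = [
    Flow(0, TS, "alice"), Flow(10, WS, "dave"), Flow(20, TS, "bob"),
    Flow(100, TS, "carol"), Flow(200, WS, "dave"),
    Flow(350, TS, "bob"),    # cache entry for TS has expired, bob is challenged
    Flow(400, TS, "alice"),  # now logged as bob
]

if __name__ == "__main__":
    for t, ip, real, user in misattributed(attribute_by_ip(FLOWS)):
        print(f"t={t:>3}s {ip}: traffic from {real} logged as {user}")
    print(dict(wrong_per_ip(attribute_by_ip(FLOWS))))
```

The workstation's log stays accurate because one IP equals one user there; on the terminal server every flow inherits whoever last answered the challenge.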

L4 Transporter

In 3.1 the User mapping is still to IP Address when using NTLM.  The Session cookie is to help prevent multiple challenges for Captive Portal on timeout and also to provide "roaming" (IP Address Change) support.

So this will not help with the TS 2008 conundrum.  Therefore Mike's comments will still stand as to "late this year" I'm afraid.

Hmpf that was bad to hear since I have an ongoing case where ts-agent is failing after a few hours and a sufficient workaround for that case would be to use ntlm auth instead. However this will fail as long as the PAN unit does the ntlm auth caching per ip instead of per session (which was what both me and the company we have for support believed that the session cookie thingy enhancement in 3.1 would solve regarding ntlm auth).

L4 Transporter

If you have Win2K8, maybe this can help?

http://www.thincomputing.net/blog/windows-server-2008-r2-remote-desktop-ip-virtualization.html

I have not tried it - but there is a possible solution here.

Unfortunately not, since it's not 2008 boxes, it's 2003 boxes 🙂

But in case using 2008 that looks like a possible workaround for the workaround 😃
