Appendix 1 – Virtual Private Networking & Terminal Services

 

 

TERMINAL SERVICES OVERVIEW

Terminal Services is similar to pcAnywhere, in so much as the program is run on the host (e.g. the Server) with the remote user just getting the screen image, mouse & keyboard controls.

 

You can run Terminal Services either directly over a LAN, or indirectly via the Internet and a VPN. In either case, because the remote user is doing almost no processing this machine can have a very low spec. Conversely the server needs to be powerful and have a lot of RAM (e.g. 128 Mb RAM per Terminal Services user).   

 

Terminal Services used to be supplied by a third party & cost around £4,000. Then Microsoft bought them and included this technology as a free element of Windows 2000 Server. You get two Terminal Server licenses in “Administrator” mode included free. You may then add “Application” mode licenses, which are supplied in packs of five.

 

In “Administrator” mode Terminal Services run the actual Server, which is ideal for remote administration, but dangerous for end users, who get access to the entire server.

 

In “Application” mode Terminal Services run just a given program on the Server, and automatically end the session when that program is ended.

 

The default is to set up Windows 2000 Server in “Administrator” mode. However, as programs have to be loaded differently if they are to be run in “Application” mode, then if you think the server is ever likely to be required for “Application” mode it is best to set it up in this way right from the very beginning.

 

With Terminal Services you can print directly through the remote workstation provided it has its own printer attached AND the server has the same printer’s driver loaded (i.e. the printer must be attached to the remote workstation’s printer port and both host & remote computers must have the printer driver loaded). You cannot print indirectly from the remote workstation via a networked printer. If the remote workstations need to share a printer the best solution is to use a very simple printer sharer with a manual switch – do not try to use an automatic switch as it will probably not work.

 

Windows 2000 Server comes with its own faxing facility and the Terminal Services clients are actually running on it, rather than on their own boxes. Hence if you choose the “Fax” printer on the remote workstation the fax will actually be sent via the server’s modem.

 

N.B. As a general principle you are most strongly advised to ensure that only machines running Windows 2000 and XP are used for Virtual Private Networking. These are more likely to work without hitch and can have additional security added, as required. However I have set-up Windows 98 machines at Scott & Casey (Harlow), so it will work at a push.

 

VIRTUAL PRIVATE NETWORKING OVERVIEW

A VPN is a kind of network running over the Internet. The VPN software knows the IP address allocated by the ISP at the remote user’s end, so provided you tell it the static IP address of the host end, and what protocol to use, it can then connect the two points via packets of data sent in a suitably encrypted form.

 

The host machine really ought to be running ADSL so that…

• It is open all the time
• It is fast
• It doesn’t cost any extra even though it is always on

 

The host ADSL account can be the basic wires-only one from Legend, which costs around £34 per month. Unlike FreeUK, etc, the Legend account comes with a static IP address, which is essential (n.b. though you have to explicitly ask Legend for it). Note that Legend also include DMCS Email at no extra charge, which effectively removes the need for Microsoft Exchange Server.

 

You ought to use a Vigor 2600 router and ADSL account at the host end. In contrast the remote user can use any type of Internet connection, such as a modem dial-up or an ADSL account with a router. If you are using a router you must use the Vigor 2600 one, or one that you know is VPN compatible. The last time I tried a D-Link one it did not work, so my strong recommendation is always use a Vigor 2600 and save yourself the grief!

 

PROCEDURE

1)      Initial set-up of router and computer

2)      Initial set-up of computer’s networking

3)      Set-up Internet Explorer to use LAN instead of Dial-ups

4)      Set-up the Vigor router (host or remote) to work with ADSL

5)      Set-up the Vigor router at the host end to accept VPN dial-in users

6)      Set-up the host user accounts on Windows 2000 Server

7)      Set-up Virtual Private Networking support on the remote user’s PC

8)      Set-up the remote user’s Internet access

9)      Set-up the remote user’s VPN dial-up

10)  Connect using the VPN dial-up

11)  Check that protocols & encryption levels match

12)  Set-up Terminal Services on the Windows 2000 Server (and select mode)

13)  Set-up Terminal Services applications: MS Office

14)  Set-up Terminal Services applications: Durell

15)  Set-up Terminal Services on the remote computer

16)  Connect using Terminal Services as Administrator

17)  Connect using Terminal Services as an application client

 

1) Initial set-up of router

·    Connect the phone lead from the Vigor to the ADSL micro-filter (or splitter)

·    (N.B. If the ADSL phone line has other outlets then ensure every one has a micro-filter)

·    Connect the power lead to the Vigor router and switch on at the mains

·    Connect your computer to the Vigor router with Ethernet Cat-5 cable (i.e. not a cross-over)

·    (N.B. If connecting the Vigor to a LAN, use the “Uplink” port on the network switch)

·    Switch on the Vigor router (ON/OFF power switch at the rear)

·    Reset Vigor by pushing a Biro into “Factory Reset” hole until ACT LED blinks rapidly

 

2) Initial set-up of computer’s networking (using automatic IP addresses)

·    Switch on your computer, then wait till it settles down at the Windows Desktop

·    Go to the Networking icon, by either…

For Windows 2000 or XP…

Right-click “My Network Places”, click “Properties”

Right-click “Local Area Network”, click “Properties”

…or…

For Windows 95 or 98…

Double-click “My Computer”, double-click “Control Panel”

Double-click “Network”

·    Remove all references to the NetBEUI protocol

·    Remove all references to Dial-up adapters

·    Ensure your computer’s networking includes the TCP/IP protocol

·    If you have more than one adapter then ensure you have TCP/IP pointing to your LAN adapter

·    Edit the TCP/IP linked to your LAN adapter so that it obtains an IP address automatically

·    Reboot your computer, as required, to ensure the above settings apply

·    After re-booting, at the Windows Desktop, then either….

If Windows 95, 98 or ME, click Start / Run, then enter “WinIpCfg” and click “OK”, then

Click “More info” button, then click “Renew all” button

               …or…

If Windows NT, 2000 or XP, click Start / Programs / Accessories / Command prompt, then

Type “IPconfig /renew” and press “Enter”

·    You should get an IP address for your computer in the 192.168.1.n range

·    You should see the “Default gateway” address (i.e. the Vigor router) set at 192.168.1.1

·    If you don’t get the above IP addresses then repeat “Factory Reset”, described above

3) Set-up Internet Explorer to use LAN instead of Dial-ups

·    Right-click your Internet Explorer icon

·    Click “Properties”

·    Click the “Connections” tab

·    Click the “Set-up” button at the top right

·    Select the option to connect to the Internet

·    Select the option to create the connection manually

·    Select the option to connect via a LAN or broadband account that is always on

·    If asked to set-up “Proxy server” details, ensure they are all cleared

·    After finishing the set-up, exit your Internet Explorer

 

4) Set-up the host ADSL account on the Vigor 2600

·    Double-click your Internet Explorer icon

·    Wait till your Internet Explorer settles down

·    At the “Address” prompt enter the IP address 192.168.1.1 and click “Go”

·    At the “User name” prompt enter “Admin”

·    Leave the password blank

·    Click and thereby tick the “Remember my password” tickbox

·    Click “OK”, which should get you to a screen like the one below…

 

 

·    Click “Internet Access Setup”

·    Click “Auto detect ATM/DSL settings”

·    Click “Cancel” to the question about your ISP providing a fixed IP

·    Select your country from the drop-down as “UK” and click “OK”

·    Click “OK” when it has finished detecting the settings

·    On the ensuing PPPoE/PPPoA setup screen…

·    The “PPPoE/PPPoA Client” must be “Enabled”

·    The “Username” must be something@ISP.suffix (e.g. vpnadsl@Legend.co.uk)

·    The “Password” must be entered correctly in the correct case (usually lower case)

·    The “Always on” must be ticked

·    The finished PPPoE/PPPoA setup screen should then look like the one below…

 

 

 

·    When the PPPoE/PPPoA screen is correctly set-up, click “OK” button

·    Click “MainMenu” at top right of screen

·    On the Main Menu click “LAN TCP/IP and DHCP Setup”

·    Enter the two DNS server numbers as 194.164.0.3 and 194.62.44.10

·    Check the other settings are similar to those illustrated below then click “OK”

·    (N.B. The Internet Explorer will not find Internet addresses until the DNS has been set)

·    (N.B. All computers attached to the router should now work with the Internet)

 

 

5) Set-up the Vigor router at the host end to accept VPN dial-in users

·    (N.B. The host will not support incoming VPNs unless its ADSL account has a static IP)

·    Start from the Vigor’s Main Menu

·    Click “VPN and Remote Access Setup”

·    Click “Remote Dial-in User Setup”

·    Click “1.” to get to the screen illustrated below

·    Enter the first “Username” as “UserTS01” (N.B. the second will be UserTS02, etc)

·    Enter the password as “happy” (if you’d prefer greater security use “happiness”)

·    Set the “Idle timeout” to 999 (maximum value – approx 16 minutes)

·    Set the “L2TP…policy” to “Nice to Have”

·    Click “OK”

·    Repeat the above for the required number of dial-in users

 

 

6) Set-up the host user accounts on Windows 2000 Server

·    On the Windows 2000 Server…

·    Click Start / Programs / Administrative tools/ Active Directory Users and Computers

·    On the Tree on the left side double-click the “Users” folder

·    On the words above the toolbar at the top of the screen, click Action / New / User

 

 

·    Complete the user details as shown in the illustration above

·    On the following screen…

·    Add the password as happy (or happiness for greater security)

·    Set the user as unable to change the password

·    Set the password to never expire

·    Click “Next” then “Finish” to complete the basic user set-up (N.B. which will not work yet)

·    Find the new username in the list of users and double-click it to edit its properties

·    On the “Dial-in” tab click “Allow access” then click “Apply”

·    On the “Members of” tab click “Add”, then double-click “Administrators” then click “OK”

·    (N.B. Alternatively use any other group membership that will give adequate control)

 

 

7) Set-up Virtual Private Networking support on the remote user’s PC

·    Skip this section if your computer runs Windows 2000 or XP, as it already has VPN support

·    If your computer is running Windows 95 it will need an upgrade

·    For machines running Windows 98…

·    Double-click “My Computer”

·    Double-click “Control Panel”

·    Double-click “Add / Remove Programs”

·    Click the “Windows setup” tab

·    Double-click “Communications”

·    Scroll to the bottom of the list of communication items

·    If “Virtual Private Networking” is not already ticked, then click it, then click “OK”

·    If you have added VPN then re-boot the computer, otherwise just cancel out

 

8) Set-up the remote user’s Internet access

·    The remote user must have some form of normal Internet access, either by Dial-up or LAN

 

9) Set-up the remote user’s VPN dial-up

·    Set-up the Dial-up for the VPN on Windows 98 computers by…

Double-click “My Computer”

Double-Click “Dial-up Networking”

Click “Make a new connection”

Call the new connection something like “VPN to Durell”

In the “Select a device” drop-down select “Microsoft VPN Adapter” then click “Next”

Enter the static IP address of the host (for Durell this is 212.69.251.14) then click “Next”

Click “Finish”

Then edit its properties via the “Server Types” tab to clear NetBEUI & IPX protocols

 

·    Set-up the Dial-up for the VPN on Windows 2000 & XP computers by…

Right-click “My Network Places”, then click “Properties”

Click “Create a new connection”

Click “Connect to the network at my workplace” then click “Next”

Click “Virtual Private Network connection” then “Next”

Enter the name as something like “VPN to Durell” then click “Next”

Either if the remote computer connects to the Internet via a LAN…

Click “Do not dial…”

…or..

Click “Automatically dial…” and select the dial-up Internet account to use

Enter the static IP address of the host (for Durell this is 212.69.251.14) then click “Next”

Click “Finish”

Then edit its properties via the “Security” tab to clear the “Require data encryption”

 

10) Connect using the VPN dial-up

·    Double-click the VPN dial-up icon on the remote machine

·    If you use a modem dial-up to connect to your ISP you will be prompted to connect to this first

·    Then you’ll be prompted to connect to the VPN, where…

The “Username” will be UserTS01, etc

The password will be “happy” (or “happiness”)

 

11) Check that protocols & encryption levels match

·    You should get a message saying that the VPN network has started

·    If you get an error message check whether you’ve used the wrong logon name or password

·    If the error is to do with protocols (on Windows 98 machines) clear NetBEUI & IPX

·    If the error is to do with encryption (on Windows 2000 & XP) clear the Security / Encryption

 

12 ) Set-up Terminal Services on the Windows 2000 Server

·    Double-click “My Computer” then double-click “Control Panel”

·    Double-click “Add / Remove Programs” then click “Add / Remove Windows Components”

·    Click the boxes for “Terminal Services” & “Terminal Services Licensing” then click “Next”

·    Set the Terminal Services to “Application server mode” and click “Next”

 

13) Set-up Terminal Services applications: MS Office

·    You’ll require a copy of the file TermSrvr.MST to make Office work multi-user

·    You’ll find this in Durell’s F:\Documents\All Windows Versions\VPN & Terminal Services

·    Copy the file into the root of Drive C: on the Windows 2000 Server

·    Double-click “My Computer” then double-click “Control Panel”

·    Double-click “Add / Remove Programs” then click “Add New Programs”

·    Click the “CD of Floppy” button

·    Insert the MS Office CD (for example, in Drive D)

·    In the “Open” prompt type “D:\Setup.exe TRANSFORMS=C:\TermSrvr.MST”

·    Click “OK” and continue with Office installation as normal

 

14) Set-up Terminal Services applications: Durell

·    You cannot use mapped or substituted drive letters with Terminal Services

·    You should use the same drive letters for Durell on the Server as on the workstations

·    If the server has multiple drives, then reset the second one to Drive Letter F, as follows…

Double-click “My Computer”

Double-click “Control Panel”

Double-click “Administrative Tools”

Double-click “Computer Management”

Double-click “Disk Management”

Right-click the “Healthy” drive volume

Click “Change Drive Letter” and set it to Drive F:

·    If the server doesn’t have multiple drives then you should…

Reduce the partition size of Drive C; to approx 10 Gb (for Win 2000 & TS applications)

Create a second partition, Drive F:, covering the rest of the hard drive for all shared data

·    You require separate IMW user folders for each Terminal Services user

·    In addition you should keep the standard IMW user folder for the Administrator to use

·    Install Durell (using Drives C & F) all as normal but start from “Add / Remove Programs”

·    Complete and test the standard installation of Durell using C:\Imw-User & F:\Imw-Data

·    Copy the folder Imw-User for each Terminal Services user, as Imw-UserTS01, etc

·    Copy the shortcut for Durell for each Terminal Services user, editing the path accordingly

·    Test that each shortcut runs in the correct folder by going into Durell’s “Setup / Filepaths”

 

15) Set-up Terminal Services on the remote computer

·    You’ll require some set-up disks from the Server to use on all remote computers

·    On the Windows 2000 Server…

Click “Start”

Click “Programs”

Click “Administrative Tools”

Click “Terminal Services Client Creator”

Select the 32 bit version

Click and thereby tick the “Format disks” tick-box

Put your first floppy disk (of the two required) into the Server’s Drive A:

Click “OK”

Follow the prompts for the second floppy

·    Put the first TS Client Setup disk in the remote computer, then

Click “Start”

Click “Run”

Enter “A:\Setup.exe”

Click “OK”

 

16) Connect using Terminal Services as Administrator

·    Double-click the VPN dial-up to create the network connection (as described before)

·    This takes a little while and that you’ll be required to confirm your username & password

·    Once the VPN has been established…

Click “Start”

Click “Programs”

Click “Terminal Services Client”

Click “Terminal Services Client” (on the subsequent menu)

You should tick the options to allow caching & data compression

Your should select the screen resolution you prefer (recommend 800 x 600)

Select the Server to connect to (probably called NTServer, and probably already displayed)

Click “Connect”

Logon to the domain in question as normal, with the correct username & password

·    When finished, use the icon in the top LEFT of the TS window to end the session

·    If you use the cross in the top RIGHT of the TS window your old session will remain open

·    If a large number of sessions are left open the Server will run out of memory

 

17) Connect using Terminal Services as an application client

·    The problem with a user connecting as Administrator is that they can mess up the system

·    Instead you should set-up application connections that will only run the desired program

·    You are advised to subsequently right-click & delete the other TS menu options

·    To set-up a Durell application client on the remote workstation….

Click “Start”

Click “Programs”

Click “Terminal Services Client”

Click “Client Connection Manager”

Click “File”

Click “New connection” the click “Next”

Enter “Financial Adviser by TS” or similar description for the “Connection name”

Enter the Server’s name (e.g. NTServer) or IP address (e.g. 10.0.0.1) then click “Next”

Click and thereby tick the “Logon automatically..” tick-box

Enter username (e.g. UserTS01), password (e.g. happy) and Domain (e.g. DURELL)

Click “Next”

Click your preferred screen resolution (recommend 800 x 600) then click “Next”

Click and thereby tick the options for data compression and caching then click “Next”

Click and thereby tick the two options to “Start the following program”

Enter the FULL path (e.g. C:\Imw-UserTS01\Im-Win.exe F:\Imw-Data\Imw-Data.mdb)

Enter the Start-in path (e.g. C:\Imw-UserTS01) then click “Next” & “Finish” to end

Copy the TS icon to create a shortcut on the remote user’s Desktop