Designing, Deploying and Supporting Windows Terminal Services at CERN
by Ruben Gaspar, IT – Internet Services Group, CERN

Overview
• What is?
• What for?
• Architecture
• Implementation
• System Management issues
• Conclusions

HEPIX - October 2004 Ruben Gaspar IT/IS CERN

What are “Terminal Services”
• Alias “Remote Desktop”
• Allows a remote Windows session from one computer to another computer, not necessarily running Windows
• Multi-user environment supported in Windows 2000 Server and Windows 2003 Server
  – Also built into Windows XP Professional, but restricted to 1 simultaneous user (remote desktop)

Introduces duality on something that is today very successful
• Windows / Mac / Linux client with X-terminal software → LXPLUS
• Linux / Mac / Windows client with remote desktop software → Windows Terminal Services

Motivations
• A step forward in Linux / Windows / Mac integration
• Reduces (but does not replace) the need for …
  – VMWare, Virtual PCs and Windows emulators, multi-boot installation, …
  – “does not replace” because network access is required
• User’s motivations
  – I am on Macintosh/Linux and I need access to Windows applications
  – I am not at CERN and I want access to the CERN environment
  – Security (Controls, ACB, VPN, …)
  – I do not have that particular application installed, I cannot install it, but I need it.
    • License reasons
    • Complex installations centrally managed
  – I have a slow computer and I want a faster one

The service
• Service started on 1st April 2004 following the March Desktop Forum
  – Limitation of 50 simultaneous sessions (manpower issue)
• Well-defined Service Manifest establishes an SLA
  – Active sessions have no time limit
  – Idle and disconnected sessions will be logged off after 18 hours
  – RSA RC4 (128-bit encryption key) required to connect
  – Profile limited to 500 MB
  – Only 16 core applications available to users. Additional applications can be installed only following management approval and must pass technical criteria. Dedicated service may be necessary for some applications (see later)
  – It becomes the recommended solution for other services:
    • Public PC areas
    • GPRS
  – Designed to be clonable and customized to cover specific needs, while preserving central manageability (see later)
    • Complete documentation available in the Internals site

Core Applications
• Microsoft Office Professional Edition 2003
• MS Project Client 2003
• Microsoft Office FrontPage 2003
• Dreamweaver MX 6.1
• Putty (SSH for Windows) 0.55
• Adobe Reader & Professional 6.0.1
• Remedy Client 6.0
• Hummingbird Exceed version 9
• GSView – Postscript Viewer 4.6
• HP-GL Viewer 5.30
• Whip! Autodesk DWF Viewer 4.0-102
• WinZip 9.0
• CERN Phone Book
• CERN Printing Package

The architecture
• A farm of servers behind a unique name: cernts.cern.ch
• Load balancing automated across farm nodes + session directory
  – Able to reconnect to the correct node on disconnected sessions
• User profiles and settings independent of the application server node
• License Server: provides a client PC with rights to access an application server
• Highly scalable, redundant, reliable

Architecture - Session Directory
[Diagram: client, Load-Balancer (LB-1), terminal servers TS-1, TS-2 and TS-3, and the Session Directory; user “Jane.Doe”]
1. User connects to load-balancer
2. Load Balancer (F5, Radware) routes user to “least-loaded” server
3. Server responds
4. User enters credentials
5. Server authenticates “Jane.Doe” and checks Session Directory for existing session
6. SD informs TS that user has a session on TS-3
7. TS returns token and tells client to reconnect
8. Session broken down on TS-2. Client reconnects to load-balancer with token and credentials
9. Load-balancer examines token and directs connection to TS-3, passing through credentials
10. Original session from TS-3 presented to user
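
The redirect sequence in steps 1 to 10 above, modelled as an added Python example (not code from the slides, from CERN or from Microsoft). The Farm class, its method names and the sample loads are assumptions made for illustration; user authentication itself is not modelled.

```python
# Added illustration of Session Directory redirection. All names are assumptions.

class Farm:
    """Toy model: one load balancer, several terminal servers, one directory."""

    def __init__(self, load, directory):
        self.load = dict(load)            # node -> sessions it currently holds
        self.directory = dict(directory)  # Session Directory: user -> owning node

    def route(self, token=None):
        # Steps 2 and 9: a token is honoured only if it names a farm member;
        # anything else falls back to the least-loaded node.
        if token in self.load:
            return token
        return min(sorted(self.load), key=self.load.get)

    def logon(self, node, user):
        # Steps 5 to 7: after authenticating the user (not modelled), the node
        # asks the Session Directory which node already holds a session.
        owner = self.directory.get(user)
        if owner is not None and owner != node:
            return ("redirect", owner)    # token: reconnect via the balancer
        if owner is None:                 # no session anywhere: create one here
            self.directory[user] = node
            self.load[node] += 1
        return ("session", node)


def connect(farm, user):
    """Client side: connect, follow at most one redirect, return nodes visited."""
    path, token = [], None
    for _ in range(2):
        node = farm.route(token)
        path.append(node)
        kind, value = farm.logon(node, user)
        if kind == "session":
            return path
        token = value
    raise RuntimeError("more than one redirect")


def demo_farm():
    # Constructed state: Jane.Doe has a disconnected session on TS-3,
    # while TS-2 is the least-loaded node.
    return Farm({"TS-1": 3, "TS-2": 1, "TS-3": 2}, {"Jane.Doe": "TS-3"})


if __name__ == "__main__":
    print(connect(demo_farm(), "Jane.Doe"))
```

In this model the token only selects a route: the destination node still runs its own logon and directory check before presenting the session.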

User profiles and settings
• Terminal services profile different from standard NICE profiles
  – Avoid incompatibilities with desktop application settings
• One profile server for Windows terminal services
  – Provide a homogeneous look and feel (feeling of always connecting to the same machine)
• Desktop, Favorites, My Documents are redirected
  – Same home directory server
  – Provide a homogeneous, similar environment between desktop and TS sessions

[Architecture diagram, connections numbered 1 to 7: CERNTS.cern.ch; cernts03, cernts04, cernts0X; License Server; cernprofts; cernprof; Home Directory Server (My Documents, Favorites, Desktop); standard Windows desktop session]

License Server
• All application servers in the farm require the existence of a license server that keeps track of client certificates
• This service was installed on the session directory server
• It is also used by non-central terminal services farms
  – A central accounting mechanism for all application servers within the organization
  – Licenses rely on the Microsoft Campus agreement

Technical implementation
• Currently two machines: CERNTS03/04
  – Load balancing installed
  – All machines in the same network segment. Foreseen 8 IPs.
  – Data and System located in different volumes
  – Careful permission settings on file system
    • Write privilege only on user profile location
    • Quotas possible but not yet enforced
• Dedicated server for the session directory and license server
• Dedicated server for terminal service profiles
  – Configured as Windows roaming profile servers
  – Can be used also by non-official terminal servers
• All based on Dual Xeon CPU and Server 2003 technology
• Standard backup mechanism
• Several scripts developed for monitoring the service and logging usage
  – Aim to reach a complete automated service

Using the service
• Windows Terminal Services site: http://cern.ch/terminalservices/
• Registration is mandatory
  – Under discussion to void this requirement
• Users can manage their TS profile
• Internet Explorer users can connect from the browser
  – http://cern.ch/wts/TSWeb/cerntslb.htm
• Service address: cernts.cern.ch
• Client software available for all platforms
  – Detailed instructions and documentation on the WTS web site
  – See Windows clients, Linux clients, Macintosh clients

DEMO

Terminal services site

Outlook 2003 at WTS

Saving a doc in your WTS profile

Usage Statistics
• Registered users: 782 - Active users: 460
• License server has distributed 400 client licenses
  – Client licenses expire after 90 days
• Peak of simultaneous sessions: 45
  – Remember: Max limit set to 50
• Average sessions per day: 36
• Average session duration per day: 10 h 20

Average Simultaneous sessions

Applications Usage

Conclusions and Issues
• Feedback from the user community encouraging
• Stable set of applications
• Manpower available for long-term service evolution still unclear
  – Remember: max 50 users limit will be hit soon
  – Applications management and security (patch, hot fix installation)
• Many requests to install additional applications, centrally managed
  – No clear process to decide what is core and non-core
• Many pending requests from other groups to have “cloned” services running specific applications
  – Currently we can give only technical advice
  – They need to use official service infrastructure, profiles, licensing
    • LHCB build service
    • AB/CO controls applications
    • ST/MA Asset Tracking and Maintenance Management
    • EP/SFT for several custom applications
    • IT/PS for some engineering applications
• Support (support-terminalservices@cern.ch):
  – Second and third line support missing
  – User questions and answers

Questions