Skip to main content

Terminal Server Users

Used for remote work with the provision of a separate desktop for each user. Provides a service for the work of dozens and even hundreds of users.

Terminal Server Authorization

If the admin does not need the separate authorization of terminal server users, and the same access settings (content filtering and user firewall) can be applied to them, the server can be authenticated as a single user.

The best option is authorization by IP address.

Please note that when the number of users on the terminal server is large, it may be necessary to increase the number of simultaneous sessions from one address in advanced security settings.

Authorization of Terminal Server Users

Separate authorization of terminal server users (running under Windows Server 2008 R2 and Windows Server 2012 OS) is possible using SSO (NTLM). In such a case server authorization by IP is not necessary.

For separate authorization of terminal server users, Remote Desktop IP Virtualization must be configured on the terminal server, and user authorization via web authorization (SSO or NTLM) must be configured on the SafeUTM server. Authorization of terminal server users based on logs of the AD domain controller has not yet been implemented.

Configuring Remote Desktop IP Virtualization on Windows Server 2012

For the Remote Desktop IP Virtualization to work on one of Windows servers, the role of a DHCP server must be added (this function may not work correctly with other DHCP servers) and an IP address area for terminal server users must be allocated.

In Group Policy Management Editor, you need to navigate to Computer Configuration –> Administrative Templates –>Windows Components -> Remote Desktop Services –> Remote Desktop Session Host –> App Compatibility.

Enable the option Turn on Remote Desktop IP Virtualization in group policy with the option Per Sessions:
1. Terminal Server Users.png

It is also recommended to enable the option Do not use the IP address of the remote desktop session host server if the virtual IP address is unavailable.

Use command gpupdate /force to update all policies.

You can check that the settings have changed using the following command in PowerShell:

Get-WmiObject -Namespace root\cimv2\TerminalServices -query "select * from Win32_TSVirtualIP"

Where values must be: VirtualIPActive = 1 (virtualization on) and VirtualIPMode=0 (for a session).