Terminal Servers Intro
From Ubuntu Doctors Guild
Terminal Servers
Another method of providing remote access to your network is through the use of terminal servers. A terminal server is a PC that has access to and runs the programs available on the LAN using its own hardware resources (CPU, RAM, hard drive, etc.). Individual remote users log in to the terminal server one by one, and each runs their own user instance on the server. Resources are therefore divided among the users logged in at any one time. After a threshold number of simultaneous users is reached, performance slows noticeably.
The terminal server then sends display data back to the remote user desktop (known as the "thin client").
The choice of OS for the Terminal Server itself depends on the applications that run within the organization's internal network. If the organization uses software that runs only on one particular OS (such as MS Windows), then the Terminal Server must specifically be able to run those applications. For a purely Windows-centric organization, for example, the Terminal Server ought to be an MS Windows-based server (Windows 2003, XP server, etc.). If the organization is mostly Mac-based, a Mac-based Terminal Server is desirable. Linux servers (such as Ubuntu) are generally much faster, more secure, easier to configure, and far less expensive than either of the other operating systems, so they are more desirable as Terminal Servers if the software within the organization is cross-platform or can be run within Linux.
Windows Server as a Terminal Server
A terminal server can be a Windows server (such as Windows Server 2003, Windows XP server, or Windows 2008 Server). This is an expensive proposition, as Windows terminal servers are licensed based on the projected number of users (about $1000 per 5 users).
Linux-based Terminal Server (LTSP)
(K)Ubuntu Linux terminal servers, of course, are free. However, not all Windows programs can run on a (K)Ubuntu Linux Terminal Server, so this consideration must be taken into account if there are Windows-only programs on the network.
Thin client solutions
The connections between the remote user and the Terminal Server are enabled by one of several commercial thin-client connection solutions (such as Citrix), by the Windows Remote Desktop Protocol (considered less secure by many experts), by an SSH tunnel, or by the Linux LTSP package.
Clients for almost all of these communication protocols are available for every operating system (OS). Because generally only display-related data is exchanged between the remote user and the Terminal Server, the remote user can use almost any OS. This is helpful for an organization whose remote employees may have a variety of operating systems on their home or remote computers.
Further, because only display data is exchanged between the Terminal Server and the remote thin client, the internet connection between them does not need to be a high-bandwidth connection. The remote client can use a low-bandwidth DSL (or perhaps even dial-up) connection.
- Citrix is a company that provides terminal server connectivity to thin clients. The solution is not inexpensive, but is popular.
- Windows Remote Desktop Protocol
- SSH tunnels
- FreeNX
Terminal Servers and the DMZ
Secure methods of networking protect critical computing processes (and most servers) within the local network behind firewalls. They are never exposed directly to the Internet.
A remote employee who wishes to access these processes or servers first logs in to a Terminal Server, which in turn accesses the network's internal servers and processes directly. (The remote user's computer is known as a thin client; it generally only provides display functions. The Terminal Server actually acts as the user's CPU and performs all the processing ("thick client" functions) on the user's behalf.)
The Terminal Server is placed in a DMZ within the network, protected by firewalls. Security on the Terminal Server must be robust, as all attacks from the Internet will be focused on this Terminal Server. If it is hacked, the firewalls between the DMZ and the rest of the LAN are meant to protect the rest of the organization's network (from the compromised Terminal Server).
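As an added example (not part of the original page), the DMZ layout described above can be checked against a firewall's allow rules: the Internet may reach only the Terminal Server, and only the Terminal Server may reach the LAN. The addresses, rule names, and the `audit` helper are constructed for illustration, and the third check is this example's reading of the layout rather than a rule the page states.

```python
import ipaddress as ip

# Constructed addressing plan; none of these values come from the page.
LAN = ip.ip_network("10.0.0.0/24")
DMZ = ip.ip_network("192.168.50.0/24")
TS = ip.ip_network("192.168.50.10/32")   # the Terminal Server

# Constructed allow rules: (name, source, destination, port).
RULES = [
    ("ssh-in", "0.0.0.0/0", "192.168.50.10/32", 22),
    ("ts-to-files", "192.168.50.10/32", "10.0.0.20/32", 445),
    ("rdp-shortcut", "0.0.0.0/0", "10.0.0.30/32", 3389),
    ("dmz-any-lan", "192.168.50.0/24", "10.0.0.0/24", 0),
]

def src_zone(net):
    """Zone a source is guaranteed to be in; anything wider counts as internet."""
    if net.subnet_of(TS):
        return "ts"
    if net.subnet_of(DMZ):
        return "dmz"
    if net.subnet_of(LAN):
        return "lan"
    return "internet"

def audit(rules):
    """Return (rule name, finding) for each allow rule that breaks the DMZ layout."""
    findings = []
    for name, src, dst, _port in rules:   # zone-level audit; ports are not judged
        s, d = ip.ip_network(src), ip.ip_network(dst)
        zone = src_zone(s)
        # Internal servers are never exposed directly to the Internet.
        if zone == "internet" and d.overlaps(LAN):
            findings.append((name, "Internet reaches the LAN directly"))
        # The Terminal Server is the only Internet-facing host in the DMZ.
        if zone == "internet" and d.overlaps(DMZ) and not d.subnet_of(TS):
            findings.append((name, "Internet reaches a DMZ host other than the Terminal Server"))
        # Assumption: only the Terminal Server may cross from the DMZ into the LAN.
        if zone == "dmz" and d.overlaps(LAN):
            findings.append((name, "DMZ host other than the Terminal Server reaches the LAN"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

A source wider than a single zone (such as `0.0.0.0/0`) is treated as Internet, and a destination is matched by overlap, so an "any to any" rule is reported under both Internet checks.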