Propalms TSE Deployment Guide
Version 7.0
Propalms Ltd.
Published October 2013

Overview

This guide provides instructions for deploying Propalms TSE in a production environment running Windows Server 2003, 2008, 2008 R2 or Windows Server 2012 operating systems. It is intended for information technology (IT) professionals who want to implement an end-to-end application delivery solution using Propalms TSE. This guide gives step by step information on setting up a functional Propalms TSE team.

Propalms TSE

Microsoft Remote Desktop Services (also known as Terminal Services or Thin Client architecture) is the most cost effective method of application delivery for small-medium sized businesses up to Enterprise Level organizations. Propalms TSE is designed to make the most of your Windows Remote Desktop Services deployment by leveraging the most recent enhancements to the Microsoft Remote Desktop Protocol (RDP). Propalms TSE adds indispensable management capabilities and scales to accommodate growing numbers of users, applications and servers, securely, reliably, and cost-effectively.

Planning

This guide is intended for use by system administrators and system engineers. Before installing TSE it is important to decide on the deployment mode. Propalms TSE Server supports Windows Server 2003, 2008, 2008 R2 and 2012.

A Propalms TSE team is made up of a combination of the following Propalms TSE roles:

WEB: Provides Management Console and User LaunchPad websites (required)
APP: Delivers applications to user devices (required)
LB: Provides intelligent resource load balancing of applications (required)
SPR: TSE Secure Gateway (optional). Propalms OneGate is our recommended Remote Access solution.
DB: SQL or SQL Express instance for TSE configuration DB (required)
Propalms TSE Unibox Setup

Publish applications/desktops from a single Remote Desktop server

This is a single server deployment of Propalms TSE. The server may be a member of a domain or can be a part of a workgroup. This deployment will install all TSE roles on a single server and is suitable for small businesses where costs need to be minimized and no load balancing of applications and fault tolerance is required. Remote access, if required, would be enabled directly through the firewall to the internal TSE server.

Propalms TSE Multiple Server Team

Publish and load balance applications/desktops across multiple application servers

This is a multi-server deployment of Propalms TSE. All servers which are part of the deployment should be members of the same domain. This deployment is used in an AD based infrastructure where applications will be published to Domain Users, Groups, and OUs. A team of servers can host a complete set of applications to be made available to domain users and load balance these user requests for applications or desktops, ensuring they are directed to the least loaded available application server at that time.
Propalms TSE Server Team with SSL Remote Access Gateway

Publish and load balance applications/desktops to internal (LAN) and external (WAN/Internet) users

This is similar to the Propalms TSE Server Domain install, with the addition that this design also allows external/remote users to access Propalms TSE published applications via a secure SSL gateway. Although external access can be provided using the inbuilt TSE SPR role, we advise customers who are looking for a scalable, robust appliance based gateway for remote access to deploy Propalms OneGate. OneGate is a hardened, Linux based SSL VPN with built in integration for TSE access. It provides the most intuitive access experience for remote users to get connected to their corporate applications and desktops from any device such as laptops or mobile devices.

Propalms TSE Server Team with High Availability

Publish and load balance applications/desktops across multiple application servers with High Availability

This design utilizes the TSE multi-server team approach but adds redundancy / high availability for core TSE roles. All servers which are part of the deployment should be members of the same domain. This deployment is used in an AD based infrastructure where applications will be published to Domain Users, Groups, and OUs. A team of servers can host a complete set of applications to be made available to domain users and load balance these user requests for applications or desktops, ensuring they are directed to the least loaded available application server at that time.

In addition to multiple TSE App Servers, the team should contain a secondary (backup) Web and Load Balancer role, ensuring that the team can still function in the event that the Primary Web/Load Balancer server is not available.

The database server role is defined when you install the 1st TSE server in the team. In order to add redundancy to this role you need to set up another SQL (SQL Express) instance on the network. Once this is available a Backup Database can be configured in the TSE Management Console under Option > Database Servers. If the Primary DB fails then this backup database will automatically take over.

High Availability is a configurable option for the OneGate gateway also. Please refer to OneGate documentation for more information.
[Diagram: TSE Multi Server Team + High Availability. Primary WEB/LB, Backup WEB/LB, APP servers, Primary DB and Backup DB. WAN / Internet: allow connections to OneGate on port 443 only.]

TSE Server Specification

TSE can be deployed on Physical or Virtual server infrastructure.

ROLE: SPECIFICATION

TSE WEB and Load Balancer: Windows Server 2003 / 2008 / 2008 R2 / 2012 / 2012 R2. Minimum 2 GB RAM and 1.4 GHz CPU.
TSE APP: Windows Server 2003 / 2008 / 2008 R2 / 2012 / 2012 R2. Same as for Native Remote Desktop Services.
SPR / DMZ SPR: Windows Server 2003 / 2008 / 2008 R2 / 2012. Minimum 2 GB RAM and 1.4 GHz CPU.
Primary / Backup Database: Windows server running dedicated SQL 2005 (x32, x64 and Express) or higher.
Propalms uses Microsoft Remote Desktop Protocol as its core delivery protocol and the Remote Desktop Session Host (Terminal Server) to run the applications. Hence the scaling and sizing requirement for TSE Application server roles is exactly the same as it is for native remote desktop services.

The Propalms TSE Application role is the only role that requires higher resources, as it will host the user's remote desktop sessions running the published app. The other Propalms TSE roles do not need higher resources and work efficiently on any modest hardware server specification. An administrator can install the Propalms TSE Web and Load-Balancer roles on TSE App servers but it is recommended to have them on separate servers.

How many concurrent Remote Desktop Sessions can run on a single Windows Remote Desktop Server?

Generally anywhere between 5 and 100+, depending on the following factors:

- Speed, type and number of CPUs installed on the TSE APP (remote desktop) server.
- Amount of RAM installed in the TSE APP (remote desktop) server.
- Server's Host Operating System, i.e. Windows 2003, 2008, 2008 R2 or 2012 server.
- Client settings, i.e. local resource redirection, screen resolution & color depth.
- Other services running on the server, i.e. Active Directory, Exchange, SQL... (NOT recommended).
- Bandwidth available for Remote Desktop sessions (a main consideration for WAN connections).
- End-user applications being used in each session, i.e. Microsoft Office, Acrobat Reader, Internet Explorer...

Here are Microsoft's general recommendations and suggestions for sizing and scaling Remote Desktop Servers.

NOTE: This is just a reference guide. Propalms do not guarantee server sizing as the actual sizing of servers depends on the applications and resources made available to users within their Propalms Session.
RDS Host recommendations (taken from TechNet):

- Estimated 150 sessions per host
- Windows Server OS x64
- 10 CPU cores (vCPUs)
- 24-32GB RAM

General guidelines:

- 2GB RAM is the optimum limit for each core of a CPU. For example, if you have 4 GB RAM then for optimum performance there should be a Dual core CPU.
- 2 Dual Core CPUs perform better than a single Quad core processor.
- On an RDS session host, 64 MB per user is the base memory (RAM) requirement + 2 GB for OS. For example, (100 users * 64) + 2000 = 8.4 GB i.e. 8GB RAM. Each application will then add more memory per user which will need to be added to the calculation.
- 15 RDS sessions per CPU core is the optimum performance limit.
- 64kbps is the ideal bandwidth per user session. See bandwidth calculations at the end of this document for more information.
- RDS performance is significantly enhanced when running x64 hardware and OS.
- Remember that enabling Desktop Composition will have a significant impact on resource usage and will affect server capacity negatively.
- When running RD Session Host servers in a virtualized environment, make sure the processor supports paging at the hardware level (RVI for AMD, EPT for Intel).

For more information you can download the Remote Desktop Session Host Capacity Planning document from Microsoft:
http://www.microsoft.com/en-us/download/details.aspx?id=17190
Getting Started

After you collect information about your environment and you decide on a Propalms TSE team design, you can begin the deployment of your organization's Propalms TSE team.

Note: This guide is based on installation on Windows Server 2012. However, it is also applicable if you are using a previous version of Windows Server.

This guide walks you through installing the first server in a Propalms TSE 7 Team. Once complete you will have a Windows 2012 Server running Remote Desktop Services and the following Propalms TSE roles:

- TSE WEB Server
- TSE Load Balancer
- TSE Application Server
- TSE Database (database can be hosted on TSE server or another server running SQL)

Note: This guide presumes your server is a member server in a domain.

Software Requirements:

- Propalms TSE 7.0
- Windows Server 2012
- Microsoft SQL Server / SQL Express Edition

Network Configuration

The Windows Server needs to be configured on the network, preferably with a static IP address, and should be joined to the domain prior to installing Propalms TSE.

Install Database Software

Propalms TSE can use the following versions of database engines only: Microsoft SQL Server OR SQL Express Edition.

SQL Express is included in the support directory on the TSE 7 media. An install script (InstallSQLEXPRESS.cmd) is included which, when run on the server, will install SQL Express with the required settings for use with Propalms TSE. The install script creates a SQL instance named Propalms. When prompted for the database server name in the Propalms installation, use the format SERVERNAME\Propalms.

Note: For increased security please edit the installsqlexpress.cmd file and change the value for the SA password. It is currently set to SET SAPWD=propalms

Enable Network DTC Access

You should ensure these settings are configured on all Propalms TSE Servers, including the database server if this is running on another server.

Firewall settings

Go to Control-Panel and turn off Windows Firewall if it is currently on.
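An added example, not taken from the Propalms media or documentation: a PowerShell script that carries out the note above about the SA password by replacing the default SET SAPWD=propalms value with a random password before the install script is run. It assumes InstallSQLEXPRESS.cmd has been copied from the media to a writable folder and contains exactly one SET SAPWD= line; the parameter names and the New-CmdSafePassword function are illustrative.

```powershell
# Added example: replace the default SA password in a writable copy of
# InstallSQLEXPRESS.cmd before running it. Not part of the Propalms media.
param(
    # Assumption: the script was copied from the install media to this path.
    [string]$ScriptPath = '.\InstallSQLEXPRESS.cmd',
    [ValidateRange(12, 128)]
    [int]$Length = 24
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function New-CmdSafePassword {
    param([int]$Length = 24)
    # The alphabet avoids characters cmd.exe treats specially (% ^ & | < > " ! =)
    # so the value survives unchanged inside a SET statement.
    $all = 'ABCDEFGHJKLMNPQRSTUVWXYZ' + 'abcdefghijkmnpqrstuvwxyz' + '23456789' + '#-_+.'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    # Bytes at or above this limit are discarded to avoid modulo bias.
    $limit = 256 - (256 % $all.Length)
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$sb.Append($all[$buf[0] % $all.Length])
            }
        }
        $pw = $sb.ToString()
        # Require all four character classes so a Windows/SQL Server
        # password complexity policy accepts the value.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and
             $pw -match '\d' -and $pw -match '[#\-_+.]')
    return $pw
}

$pattern = '^(\s*SET\s+SAPWD=).*$'
$lines   = @(Get-Content -LiteralPath $ScriptPath)
$hits    = @($lines | Where-Object { $_ -match $pattern })
if ($hits.Count -ne 1) {
    throw "Expected exactly one 'SET SAPWD=' line in $ScriptPath, found $($hits.Count)."
}

$newPw = New-CmdSafePassword -Length $Length

# Keep the untouched original next to the edited copy.
Copy-Item -LiteralPath $ScriptPath -Destination "$ScriptPath.orig" -Force

$lines | ForEach-Object {
    if ($_ -match $pattern) { $Matches[1] + $newPw } else { $_ }
} | Set-Content -LiteralPath $ScriptPath -Encoding Ascii

# Fail loudly if the default value is still present after the rewrite.
if (Select-String -Path $ScriptPath -Pattern '^\s*SET\s+SAPWD=propalms\s*$' -Quiet) {
    throw "Default SA password is still present in $ScriptPath."
}

Write-Host "SA password updated in $ScriptPath."
Write-Host "Record this value in your password vault: $newPw"
```

The edited script holds the new SA password in clear text, so delete the writable copy once SQL Express is installed.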
Propalms TSE 7.0 Installation

The Propalms TSE 7.0 installer now performs an automated installation of all server OS prerequisites, providing a much simpler and faster installation experience.

From the installation media, right click Propalms-TSE.exe and select the Run as administrator option.

Read and accept the license agreement to continue.

Choose Domain or Local users for the purpose of securing published application access. The Domain User option is not available unless the server is a member of a domain.

Choose Create New Team.
The TSE installer ensures pre-requisite checks are met.

The TSE installer configures the required COM+ settings for the system automatically.

In addition to the TSE Web and Load Balancer roles, which are installed automatically on the 1st TSE server in the team, the administrator can optionally install the Application Server and Relay Server roles at this time. Select Application Server Role and continue.

In order for the TSE Web role to function, Internet Information Service is required along with a number of other web components. Check the box to Install required Windows roles and services to allow the TSE installer to automatically install these required services and components.
The TSE Application server role requires Remote Desktop Services to be enabled. Check the box to Install required Windows roles and services to allow the TSE installer to automatically install these required services and components.

Enter Licensing information. Leave as the default option for a 30 day - 5 user evaluation license. Alternatively, if you already have a Base Key issued from Propalms then you can enter it by selecting the Product Key option.

Type your chosen Database name. Provide a valid SQL instance in the format SERVERNAME or SERVERNAME\instancename. If SQL Express was installed using the script provided with the TSE 7 media then use SERVERNAME\Propalms as the value.
Enter a Team Name. This can be changed later from the TSE Console.

Enter user credentials for the Propalms TSE Identity Account. It is recommended to create a dedicated domain user for this account, as certain TSE services will be installed to run under this user context. Therefore any password changes to this account will cause disruption to the TSE environment. This account should already have been created in the Domain or on the local machine. The TSE Identity account should have a local server profile. We recommend installing TSE logged in as the TSE Identity account itself.

Enter a Propalms TSE Administrator Group. The account specified above automatically becomes a member of this group. Any users added to this group are provided permission to administer the TSE system (i.e. log on to the TSE Management Console). This group should already have been created in the Domain or on the local machine.

Choose a Destination Folder for installation.
Click Next to begin the installation.

Shortly after the install starts, a second installer window will be displayed showing TSE Role installation progress. Please be aware that the Web role can take a number of minutes to complete due to the list of pre-requisite installs it has to perform, including the .NET install, which can take some time.

Note that the .NET 2/3.5 install on Windows 2012 downloads files from the MS download site. This may take some time based on the internet connection. If for some reason the .NET install fails, the TSE Dashboard page in the TSE Console may not function. This can be easily fixed by manually installing .NET 2/3.5 on the server. To resolve this, install the .NET framework manually on the Windows 2012 server through the Server Manager - Add Roles - Features option. You may need to specify the source path for the .NET framework install files, available on the 2012 server install media in the \Sources\Sxs folder. Once .NET 2.0 is installed, run the RegNetConsole script available in the Console directory of the TSE WEB server (\Inetpub\wwwroot\Console folder). Run the script from an Admin Command prompt and then do iisreset. This will register the required .NET version with the TSE Console Web directory in IIS.

Restart when the installation is complete.

Post Installation Management

Once the install has finished and the server has been restarted, we need to start configuring, adding and managing the various options within the Propalms TSE system.

The first Propalms Server installed by default also becomes the Propalms TSE Web server, or the Propalms TSE server with the WEB role. The Propalms TSE Web role provides the Web based Admin and User interface for Propalms TSE.

To log in to the Propalms Admin User Interface, referred to in Propalms terminology as the Propalms Management Console, open an IE browser window and type:

Http://<Propalms_ServerName_or_IPaddr>/Console

The /Console directs the browser to open the Management Console.
In the example above, we are logging in using the IP address of the 1st Propalms TSE server. You can equally use the hostname of the server.

To log in to the Propalms TSE Console, enter a username that is a member of the Propalms TSE Admin group. The Propalms TSE Admin group is the AD or local group that was specified during Propalms Installation as the TSE Admin group. Refer to the TSE Install guide for more details.

On successful login, it should bring up the TSE Admin Dashboard page.
Add a new TSE Server

Navigate to the Manage > Servers page.

On this page we can see that the Web, Load Balancer and Application roles have all been installed by default on the 1st Propalms TSE server. This setup is the Unibox design described earlier, where all roles run on a single server. If a multi-server team is required then the administrator can add more servers by running the TSE installer manually on each Windows Server instance and choosing the Join Team install, or by adding TSE servers from within the Management Console.

Adding Server from the Console

Choose Actions > Add Server.

Enter the Server Name of the Windows Server instance that you want to install TSE to. Remember to enable Network DTC access.
Use the existing credentials, or enter an account to use for installation if the existing user doesn't have admin rights to the server. Ideally the TSE administrator account you use to log in to the Management Console should have local admin rights on each TSE server.

Click Add to install the TSE software to the server remotely.

The server should appear in the console but may be shown as Offline. Refresh the screen to confirm that the server comes online.

To add roles to the new TSE server, select the server object and go to Actions > Add Roles.

Choose the TSE roles that you want this server to take, go through the sequence of screens and follow the instructions on them. You can keep the default settings or change them. The settings can also be changed at a later time, after the role has been installed.

Once you finish the Add Roles sequence, a silent install of the roles will be started. On completion, the server will auto restart. After reboot, log in to the Management Console.
The server will display a red icon until the role has installed and either the services start or a reboot has occurred, if applicable.

Note: you may need to refresh the console for the icon to turn green.

Import Groups / OUs from Domain

In order for TSE admins to publish applications to domain users you need to add the domain groups or organizational units to the TSE Management Console.

Navigate to Manage > Groups.

Choose Actions > Add Group.

You will see a list of the domain groups for the domain that your TSE server is a member of. Add the groups that you want to use for TSE deployment and complete the wizard, leaving settings as default.
For assigning applications to Organizational Units please repeat the steps above in the Manage > OUs page.

Adding an Application to Propalms TSE team

At this stage you have a setup that is ready to add Applications and publish them to Users, and Users can start launching them. For a functional TSE Team, at least one instance of the Web, LoadBalancer (LB) and Application role is required.

Navigate to the Manage > Applications page and click on Actions > Add Application.

You can publish a Full Desktop Experience or an individual application.

To publish an application, click on the start menu to pull up the list of available applications on the server. (If this is the first time you have accessed this screen from this browser you will be prompted to install a start menu ActiveX control.) Select the appropriate app server from the drop down list before clicking on the start menu. The application details will be automatically populated.

Note: Some applications may not be available through the start menu if those applications do not create shortcuts in the ALL USERS Program list. In that case, the admin needs to manually enter the application name and path.
Other options on the Add Application page that an admin may wish to set include choosing the Connection Setting to associate with the App, setting a limit on concurrent sessions of the App per server or in total, creating an App folder to organize similar apps in a single folder, and enabling desktop and start menu shortcuts for this app on client desktops. They can be set now or altered later.

If the requirement is to publish a Windows Desktop (Remote Desktop), simply choose the radio button shown below. The details will be auto populated.

On the Select Servers page, select the TSE App server/s where the application will be hosted from. Admins can select multiple servers to publish the app on, which will automatically configure load balancing of the application or desktop session across all designated servers.
Select the AD groups for assigning the apps. If the desired group is not shown, you may add it later, after adding the group to the Propalms TSE system.

At this point, we have a summary of the application to be added before submitting it. If any changes need to be made, use the Back option to navigate. Clicking the ADD button will submit the Job to the Propalms TSE system.

Every task performed within Propalms TSE, such as adding or removing Apps, Users, and Groups, is treated as a Job which is audited and logged, so all changes made to the Propalms TSE system can be reviewed and tracked.

On successful adding of the application, the application/s should be listed under the Applications page.

After adding the app, if any changes need to be made, they can be made using the Actions > Update Application option.

Add Backup Database Server

In order to add a backup database server to the TSE system go to Options > Database Servers.
Choose Actions > Add Backup DB.

Enter the path to the SQL instance and choose the synchronization interval.

Either enter an account with create database rights or continue to use the TSE admin account, and Add.

Launching the Published Apps

The first step in getting the users to connect to Propalms published apps is installing the Propalms Windows client. An admin can pre-install the client for users, or the users can be directed to the Propalms Web Launchpad site.

TSE LaunchPad

Http://PropalmsWEBServer/launchpad

The Launchpad page runs an ActiveX control that checks if the Propalms client is installed. If it is installed it will start it, or else it will redirect the user to the Download Client page.

After installing the client, click on the Done button and it should take you to the Log On page. If it still redirects to the Download Client page, then either Propalms ActiveX controls are being blocked by IE security or the client install did not complete. Check and click on the Done tab again.
Once at the Web LaunchPad authentication page you can log in using your domain username and password.

Note: If you have not added any groups to TSE yet you may only log in as a member of the TSE Administrators group.

On a successful Logon, the user will see the Favorites page, with the published apps listed. Click on the application icon to launch the App.

The Propalms client window detailing the launch process will show up and the application will be launched.

Alternate ways to start the published app are via Start Menu and Desktop Shortcuts or from the TSE notification area icon. The shortcuts will be created only if the Admin has enabled them in Application properties and has not set other overwrite policies using Propalms TSE Client Groups.
TSE Desktop Client

The new TSE Desktop Client (TSE-DC) offers users a browser-less way to access, manage and configure TSE published applications. The TSE-DC removes browser dependency but offers a user experience and capability similar to that of the TSE Launchpad web portal.

TSE-DC is included with the standard v7 TSE Client installation and requires the Microsoft .NET 4.0 client profile framework installed on the client machine. The TSE v7 client installation will verify if .NET 4.0 is available on the client machine; if not, it will prompt for approval and also install the .NET 4.0 client profile framework. The installation package for .NET 4.0 is downloadable from the TSE Launchpad portal Download client page and can be installed manually. Alternately, the TSE v7 client will prompt the user for a download from the MS download site if it does not detect the .NET v4 client profile framework installed. This needs an internet connection.

You can launch the Desktop Client using the icon on the desktop or by a right click on the Propalms Connection Manager icon in the notification area.
Universal Client

Propalms Universal Client provides access to applications and Windows desktops from your iPad/iPhone or Android tablet device whether you are in the office, at home or mobile. The universal client connects to Propalms OneGate and TSE/VDI solutions, enabling Bring Your Own Device services by offering the ability for users to access business applications such as Microsoft Office from their tablet device or smartphone.

You can download the Universal Client from both Apple's and Google's app stores.

Apple - https://itunes.apple.com/us/app/propalmsuniversal-client/id467347561?mt=8
Android - https://play.google.com/store/apps/details?id=org.propalms.tseclient

Simply tap on the app to launch.

Click Add to create a connection profile. You can connect to TSE directly by entering the address of the TSE Web server in the Server Address box. Optionally, enter domain user credentials to allow login by simply tapping the profile.

Note: If you are using OneGate for remote access then users should add a OneGate connection profile specifying the OneGate server address.

Once authenticated, the user's TSE applications will be displayed. The user can simply tap to launch an app.
Once a user has launched an application they can use the Universal Client taskbar to open and close the onscreen keyboard and mouse controls along with other session related functions.

Secure Remote Access via OneGate

Users can access their applications easily and securely via the OneGate secure application gateway. The Propalms OneGate and TSE solution provides secure application and data access for businesses of all sizes. Propalms OneGate seamlessly integrates with Propalms TSE, allowing secure remote access to TSE applications through the gateway. This single sign-on feature creates an intuitive user experience where the user only has to enter their domain credentials once and can immediately access the applications that he/she has been assigned.

Logging in using the OneGate desktop client

Simply enter the OneGate server address and username and password.
Logging in using the OneGate Portal

Simply browse to https://<OneGate server address> and enter username and password.

For more information on installation and configuration of OneGate please refer to the OneGate Quick Start Guide.

Propalms Ltd is a global provider of application delivery and secure remote access solutions for Remote Desktop Services and Virtual Desktop Infrastructures. Delivering to Enterprises of all sizes we offer reliable, scalable and affordable solutions that simply work. Our belief is that application delivery solutions should be flexible, dynamic and above all, simple to use.

2013 Propalms Ltd. All Rights Reserved. Microsoft, Windows are registered trademarks of Microsoft Corporation in the United States and other countries. All other trademarks and registered trademarks are the property of their respective owners.