Wednesday, October 22, 2008

Set Up Linux For Windows Terminal Services

Windows Server 2003 and later only supports (last I checked) two remote desktop connections at the same time. At least that's the default behaviour. I believe the limit can be raised by purchasing Terminal Server licences. In short, allowing more than two users to log in to a machine on your LAN over Remote Desktop at the same time means you start paying extra.

The only reason - and it's a good one - for needing to do this is that your VPN-assigned IP address is, for security reasons, not on the same subnet as the servers you need to access.

Specifically, your dynamically assigned VPN IP address is not defined as an object on your firewalls. So when you try to RDP from your laptop at home to that server in your data centre you get nowhere, because the firewall blocks your IP address.

JUMP BOX TO THE RESCUE. I call the box you set up and leave running at work a jump box because you use it to receive your remote desktop connection and then establish a new RDP session from there to your servers in the data centre. Because the jump box's IP address is configured in the firewall, you should be fine.

Fedora, and Linux in general, places no restriction on the number of concurrent desktop sessions (RAM might get in the way eventually, but even that can be mitigated). More on that later.

Laptop at home  ( WINDOWS )
| |
FIREWALL ( CISCO for example)
Destination Server. ( WINDOWS )
( please excuse the ASCII art )

  • Windows machines have an RDP client built in already.
  • Fedora needs one installed (use tsclient).
  • The laptops have dynamic IP addresses that are not in the same subnet as the destination servers.
  • The jump box has a static IP address, and the firewall allows it RDP (TCP 3389) to the destination servers.
  • The destination servers accept remote desktop connections (limited to 2 concurrent connections).
We will install xrdp on the jump box and open port 3389 through the built-in iptables firewall:

Before you start, make sure you have an up-to-date version of gcc and all the required dependencies. I usually make sure I have kernel-devel installed too. These installation steps are for Fedora. Check out this link for Debian-based distros:
//Make sure you have the right dependencies, INCLUDING X. I did mine on a default GNOME Fedora install.

# yum install pam-devel openssl-devel vnc-server

//Download the xrdp source tar ball
# wget

//Extract the tar ball
# tar xvfz xrdp-0.4.1.tar.gz

//Enter the source tree
# cd xrdp-0.4.1

# make

# make install
xrdp is now installed in /usr/local/xrdp/

If, like me, you want a nice lightweight, no-nonsense desktop environment presented when you RDP in over your 3G connection from your laptop, then you will need to install fluxbox.
# yum install fluxbox fluxconf
Now you need to create a new script so that fluxbox, and not GNOME, is used as the window manager (desktop environment) once you have successfully opened an RDP session on your Linux box.
# mv /usr/local/xrdp/ /usr/local/xrdp/
# vim /usr/local/xrdp/

make it look like this:
exit 0
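As an added example (not the post's own script), here is what such a start-up script can look like: xrdp's sesman runs a startwm.sh to launch the session's window manager, and this version prefers fluxbox, falls back to gnome-session only for a first test, and refuses to start if neither is on PATH. The path /usr/local/xrdp/startwm.sh is an assumption based on the install prefix the post uses.

```shell
#!/bin/sh
# Added example (not the post's own script): a startwm.sh for xrdp's sesman that
# launches fluxbox instead of GNOME for the RDP session. The install path
# /usr/local/xrdp/startwm.sh is assumed from the prefix the post uses.

# pick_wm: print the first argument that is an executable on PATH; fail if none is.
pick_wm() {
    for wm in "$@"; do
        if command -v "$wm" >/dev/null 2>&1; then
            echo "$wm"
            return 0
        fi
    done
    return 1
}

# start_session: load the user's environment and exec the window manager, so the
# X session ends (and sesman can clean it up) as soon as the window manager exits.
# fluxbox is preferred on a jump box; gnome-session is only a fallback for a first test.
start_session() {
    [ -r /etc/profile ] && . /etc/profile
    [ -r "$HOME/.profile" ] && . "$HOME/.profile"
    wm=$(pick_wm fluxbox gnome-session) || {
        echo "startwm.sh: no window manager found on PATH" >&2
        exit 1
    }
    exec "$wm"
}

# Only start a session when this file is run by sesman as startwm.sh, so the
# functions above can be sourced or tested without exec'ing a window manager.
case "$0" in
    *startwm.sh) start_session ;;
esac
```

Install it as /usr/local/xrdp/startwm.sh (assumed path) and make it executable; because the window manager is exec'd rather than run in the background, closing fluxbox ends the RDP session cleanly instead of leaving an orphaned X server behind.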

Ensure you have an account and password set up so that you will be able to log in when you establish the RDP session.
# system-config-users
//Add a user and set a password.
Make sure you have tsclient installed:
# yum install tsclient
Now test xrdp with:
# /usr/local/xrdp/ start
Allow port 3389 through the firewall. I am not sure whether UDP is required, but TCP definitely is. I could give you the iptables script, but it's easier to use the tools provided by Fedora.
# system-config-firewall
//Custom -> Add -> select 3389 TCP (add UDP if it doesn't work).
//Save Configuration

# service iptables restart
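For those who would rather have the iptables script than the GUI, the following is an added example (not the post's own): it prints the two rules that admit RDP only from the network your clients or VPN pool sit on and drop RDP from everywhere else, and it includes a check that the live ruleset actually contains the ACCEPT. The 192.168.50.0/24 client network and the sample ruleset are constructed placeholders; xrdp listens on TCP, so UDP is not opened.

```shell
#!/bin/sh
# Added example (not the post's own script): iptables rules for the jump box's
# RDP port, plus a check that the live ruleset contains them. The client network
# 192.168.50.0/24 is a constructed placeholder for wherever your RDP clients or
# VPN pool sit; xrdp speaks TCP, so UDP is not opened.

RDP_PORT=3389

# rdp_rules: print the commands that admit new RDP connections only from the
# given source network and drop RDP from anywhere else. Both rules are inserted
# at the top of INPUT because Fedora's default INPUT chain of that era jumps to
# RH-Firewall-1-INPUT, which ends in a REJECT that an appended rule would never reach.
rdp_rules() {
    src="$1"
    printf 'iptables -I INPUT 1 -p tcp -s %s --dport %s -m state --state NEW -j ACCEPT\n' "$src" "$RDP_PORT"
    printf 'iptables -I INPUT 2 -p tcp --dport %s -j DROP\n' "$RDP_PORT"
}

# rdp_rule_present: read an `iptables -S INPUT` listing on stdin and succeed only
# if it contains an ACCEPT for TCP/3389. Usage: iptables -S INPUT | rdp_rule_present
rdp_rule_present() {
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport ${RDP_PORT} .*-j ACCEPT"
}

# Constructed sample of what `iptables -S INPUT` prints once the rules are loaded.
SAMPLE_RULESET='-P INPUT ACCEPT
-A INPUT -s 192.168.50.0/24 -p tcp -m tcp --dport 3389 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j DROP
-A INPUT -j RH-Firewall-1-INPUT'

# To apply for real (as root): rdp_rules 192.168.50.0/24 | sh; then `service iptables save`
# so the rules survive the `service iptables restart` above.
```

Restricting the source network matters more on a jump box than on an ordinary desktop: the box is deliberately reachable from outside the server subnet, so leaving 3389 open to anything that can route to it turns your shortcut through the firewall into everyone's shortcut. Run `iptables -S INPUT | rdp_rule_present` after the restart to confirm the rule is in place before you rely on it.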

Now use RDP from a Windows machine to log in to your Linux box. You will be asked for credentials by a utility that ships with xrdp called sesman, which checks your username and password against PAM; if they are approved, xrdp starts fluxbox and you will see a default fluxbox session.

Now, when you want to connect to those remote servers, start tsclient either by typing it into a terminal session or by using the run tool on the fluxbox menu.

That's about it. You can do all sorts of cool things with fluxbox to make it nicer to look at, but remember: this is a JUMP BOX, not a desktop. Its sole purpose is to provide a means for you to access those remote servers.
