In Windows Server 2008, Terminal Server has a single IP address, which is shared among all TS users. This makes the TS experience different from that of regular desktops and introduces some application compatibility problems. In Windows Server 2008 R2, Remote Desktop Session Host server, formerly known as Terminal Server, supports per-session and per-program Remote Desktop IP Virtualization for Winsock applications. This essentially means assigning individual IP addresses to user sessions to avoid application incompatibility issues by simulating a single user desktop.
Per-Session mode: In per-session mode, Remote Desktop IP Virtualization assigns an IP address per user session.
Per-program mode: In per-program mode, Remote Desktop IP Virtualization still assigns a per-session IP address, but only a specified set of applications uses it rather than the whole session. The remaining applications in the session continue to use the server's IP address.
Compatibility problems with applications: Some legacy applications run in user mode and listen for requests on a specific port. If there is only one IP address for the entire Remote Desktop Session Host (RD Session Host) server, the application will not work if multiple RDS users use it at the same time. In addition, Business Planning and Control System (BPCS) applications use the client’s IP address as a workstation ID, causing a variety of consistency problems. Enabling per-program Remote Desktop IP Virtualization will resolve this issue.
Support tracking and logging solutions for ISP regulatory requirements: Regulatory requirements call for the ISP to track user traffic originating from an IP address. Today, monitoring devices mostly look at DHCP logs and identify users based on the MAC address of their network adapters, which is a good approach for desktops but not for users logged onto RD Session Host servers. Enabling per-session Remote Desktop IP Virtualization will log per-session IP addresses to DHCP.
Compatibility problems with ISP metrics collection devices: ISPs need the ability to monitor network traffic per-user. A user is charged based on traffic generated on behalf of the user, and the measuring tools use the IP address. For RDS, enabling per-session Remote Desktop IP Virtualization and creating monitoring services can facilitate measurement of traffic generated by each user.
Compatibility problems with network filtering security devices and resource access control based on IP: For devices in the network that filter URLs and audit by IP address, the corporation or ISP may want to allow or disallow access to certain resources based on IP addresses. Enabling per-session IP virtualization and creating rules on the RD Session Host server that control access to resources for different users helps address this.
In Windows Server 2008 R2, after successfully installing the RD Session Host server role, open the RD Session Host Configuration MMC snap-in. On the RD Session Host Configuration console, in the “Edit Settings” table, you can see a new entry: “RD IP Virtualization.”
· To remove a program from the list, select the entry in the list box, and then click “Remove Program.” Click “Apply.”
3. The final step is to reboot the RDSH server so that new user sessions logging on will get virtual IP addresses for their virtualized applications.
1. Select the “Per session” radio button. This automatically grays out the list box under “Assign virtual IP Addresses to these programs” and the “Add Program” and “Remove Program” buttons, which apply only to “per-program” mode. Click “Apply.”
2. Reboot the RDSH server so that new user sessions logging on will get virtual IP addresses for their virtualized applications.
To disable RD IP Virtualization, clear the “Enable IP virtualization” check box, and then click “Apply.”
In addition to the RD Session Host Configuration MMC snap-in, Remote Desktop IP Virtualization can also be configured by using GPO, the RDS Provider for Windows PowerShell, or WMI.
Part II of this blog post series has information on configuring RD IP Virtualization automatically on managed computers by using Group Policy objects.
Part III (coming soon) of this blog post series has information on configuring RD IP virtualization through RDS Provider for Windows PowerShell.
I like the content. Before I go down this route I would like to know: does the RDTR2008 Server solve the vulnerability to Man in the Middle attacks inherent in R2003?
Yes, WS08 Server does address MITM - see blog post here for more info: http://blogs.msdn.com/rds/archive/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks.aspx
We are trying to monitor internet usage/traffic from our RDS users. Should I set IP virtualization "Per program" and specify ieexplorer.exe or do something different?
I am facing a problem while accessing multiple user sessions of IE if I enable IP virtualization on a "Per Session" basis.
IE opens without any problem without IP virtualization configured on two different remote sessions. Is there any solution for this?
The above-mentioned problem is that when I set up IP Virtualization and launched IE in two different instances, the Internet worked in only one instance and not in the other, but when I removed IP Virtualization it worked fine in both instances.
Is there any solution for this issue?
Does this feature even work? My testing is fantastically inconsistent.
I have the same issue as Rahul.
Since I have activated IP virtualization I can't use HTTP traffic with my web browser, but I can use HTTPS.
Has anyone found a solution?
Please answer the above question, anyone from Microsoft. It has been over a year.
Bump. Same here, exactly as Rajesh, Rahul, and beck7 have stated.
Is there a Group Policy method of applying this? I.e., I want a policy to apply to all servers, not going onto each one and running up the RDSH MMC to configure.
Thanks Team, but I desperately need help on how to do it with Windows 2012, tried:
GUI Method: it does not exist
PShell: does not work
GPO: partially works but is unstable when I have two servers: it works on one and not on the second. Secondly, if you do an ipconfig in the case where it works you see the TWO IP addresses (the server and the assigned), so this does not help at all
Thanks much!
Same problem as beck7.
I found out that the antivirus program caused the problem.
If I disable Trend Micro Security Agent (WFBS 7.0) then HTTP and HTTPS browsing works fine.
If I enable Trend Micro Security Agent again, then only HTTPS traffic works but no HTTP.