S 6.142 Use of redundant terminal servers

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

As a large number of users can be affected by the failure of a terminal server environment in most cases, safeguards must be taken to reduce the damage in the event of a failure.

Furthermore, terminal servers can only be expanded further to a limited extent so that it might be necessary to distribute system loads that occur across several servers. More detailed information can also be found in S 2.465 Analysis of the required system resources of terminal servers.

In these two cases, compliance with the availability requirements can be ensured by terminal server systems. For this purpose, the user sessions must be distributed adequately to different terminal servers. In this respect, it must be taken into consideration to what extent the terminal servers, which are assigned terminal server sessions, are accessible and utilised.

In practice, two procedures are usually applied in this context: load balancers and system mechanisms of the respective terminal server solution.

In most cases, internal load balancing solutions can also check and monitor influences such as processor or memory usage in addition to the load of the network. Thus, it can be prevented that terminal servers with little input and output, but processor-intensive processes, can be assigned too many users. In terminal server environments with high availability requirements, the load balancing mechanisms should thus be used to also take these factors into account.

If solutions are used for the automatic session distribution, a session directory should be made use of. Only then is it possible that a disconnected connection to a specific terminal server is established again later and the users can continue their sessions.

For Citrix Presentation Server and Windows Terminal Server, the session directories are stored in databases and should be installed on dedicated systems. The session directory of the Microsoft Terminal Server is called Session Directory. For Citrix, session information is stored in the so-called IMA (Independent Management Architecture) Datastore and partially in the ZDC (Zone Data Collector).

Information within these databases is critical for the security of the terminal server farm. They should be protected adequately against failure, manipulation and misuse (see also S 5.7 Databases). In the basic installation, both the Session Directory and the IMA Datastore have a default password that must be changed. Especially when applications which potentially allow direct database access or are subject to high protection requirements are made available on the terminal servers, the database systems must be operated in a separate network segment. In this case, connections from the terminal server farm to the administration/management services should be monitored by firewalls.

Review questions:

• Were redundant terminal servers set up to compensate failures?
• Are the user sessions distributed adequately to different terminal servers?
• Was the default password for the database of the session directory changed for the terminal servers?