Proposed benefits of Terminal Services

So you have the BIG idea that the Church or community needs to develop. Discuss that idea here. Maybe you just want to make a suggestion on a new forum topic. Let us know.
ysabeau-p40
New Member
Posts: 9
Joined: Mon Aug 04, 2008 11:17 am

#11

Post by ysabeau-p40 »

Ok :)
Most people can’t read the following or it bores them to tears. A full length white paper covering all aspects is impractical, so let’s start with an outline and develop from there, k? Incidentally, that’s why I use results oriented bullet points like in my original post – the idea is to generate interest. I am going to stay very basic. Ask me when/where you need more and let me know if I’m moving too fast or too slow, k?

1. Begin with a server farm in a secure data center on a very high speed backbone connection. T-1 is slow here, so let’s consider an OC-3 starting point.
a. this is not the client’s connection, this is the server connection. We want the server to be able to upload information at an actual throughput of not less than 10mb/sec.

2. Install a Server running Windows 2003. Because this is a beginning discussion, we will consider a single machine that is both a domain controller and terminal server all in one box. An old Dell 1750 will do nicely, but let’s put in high speed drives (I use 146gb, 15k rpm, scsi drives).

3. Set up your domain, populate with organizational units and users. Make each user a member of the Remote Desktop User’s Group. Apply group policies to the organizational units (the default policies are rarely enough for me so I custom write my own). Restrict everything.
a. Some software requires the user to be an Administrator. Fine. Make them an Administrator and cut the Administrator’s Group off at the knees. Hide everything. Drives, tools, right click options, control panel, etc. Control their environment so they get only what you want. Group policy + NTFS permissions give granular control.
b. Let me emphasize for the non-Windows administrators out there. I can make your background purple, hide any drive I want, prevent you from running any program I don’t want (by only allowing you to run program 1 and 2 or by preventing you from running program x and y). I can exercise iron-clad control over every aspect of your user experience.

4. Enable Terminal Services and configure correctly.

5. Configure the client machine to connect to the remote server.

6. The user logs in locally. The user double clicks an icon. The user enters a username and password to connect to the remote server and their desktop GUI becomes a picture of the remote server’s desktop GUI. It looks exactly like sitting in front of a standard windows 2000 desktop.
a. The user does everything normally, just like they were working on their local machine.
b. No data is ever stored on the local machine. No programs are ever run on the local machine. All client/server communications are encrypted.

8. The user’s machine is an irrelevant terminal. A Pentium 2 running Windows 95 is fine. This is why you can save a lot of money on hardware. You never upgrade the terminals. If they wipe out, you don’t care. Data is valuable. Hardware not so much. My personal computer is a 7 yr old laptop weighing in at 10lbs. I look awful at trade shows next to people with sleek new machines. But that’s my point, right? Toss my laptop in a lake and I’m out $500 for a new one.
a. Let me repeat: Never upgrade your hardware.
b. Let me repeat: New hardware doesn’t need bells and whistles. It just connects to the internet and displays images.
c. Can you throw all your personal computers in the lake and not care about having lost valuable data? I can.

9. If you hit my previous #8 with comments like “you can’t say ‘never upgrade your hardware’”, I’m going to respond by indicating that the church has a hardware recycling program of x-y years. Probably 4-8 would be my guess. More for Church businesses, less for ward buildings, all scaled based on geographical location. My 20% hardware savings comment is based on extending the time frame 1-2 years. 1 year for higher intensity scenarios, 2 for the ward buildings. I’d be shocked if the savings isn’t more than that.

If you like the post so far, I will expand with a lengthy post for each bullet point. I relish discussing the benefits of 99.99% uptime in a secure data center with 5 days fuel supply for Caterpillar Generators, secure card access, constant temp control, high level fire suppression, multiple inbound trunks with rollover, complete infrastructure redundancy… the list goes on. Put your data in a bunker. Church likes that, from my understanding. I hear they have a big granite one somewhere :)

PS – I do like having my ideas challenged. Please be polite and professional. I LOVE answering questions.

Also, thanks for the further clarifications, I can see how my post might have been taken as spam at first blush. I've been trying to share it for a while and have been unable to get through to real people and this may be the cause of my over-zealousness. Those I've talked to generally assume they know what I'm talking about but don't, and get frustrated when I try and develop it. and no one will actually take a look outside the Orlando mission/ERS offices and my bishop/member friends. everyone who's seen it loves it.
but no profit motive here. my full time professional efforts are always available to the church for room and board if they want me. until then, all my time/effort belongs to the church on a volunteer, free basis. I'll even set up a trial group for free in my Atlanta data center and host it free. I just want someone to listen and I feel people are now listening. :)

yours,
Edward
ysabeau-p40
New Member
Posts: 9
Joined: Mon Aug 04, 2008 11:17 am

#12

Post by ysabeau-p40 »

works over dial up. I haven't tried it on 56k or less personally to see how performance actually is. Multi-media (streaming video content) is out, as are the viewing of large image files at that speed. regular text type data and display should be very usable, but again, I haven't actually tried it.
and the question isn't 'can I universally implement this tomorrow' as much as 'where would implementation be practical, easy, useful, and save money'. begin with that answer and expand the user base over time as the technology proves itself. too many people want to dream big. I like to implement clearly useful and clearly saving money now. (the reference to the bottom line here is not a sales pitch. it's a practical consideration of any business, ecclesiastical or otherwise... a matter of good stewardship if you will. 'that was cool' or 'that was fun' should more often be 'did that accomplish anything and was the cost worth the result'. cheap here is not a reference to skimping on quality, but to something that clearly pays for itself thru direct savings)

from microsoft:
The Terminal Server component of Windows Server 2003 builds on the solid foundation provided by the application server mode in Windows 2000 Terminal Services. Terminal Server lets you deliver Windows-based applications, or the Windows desktop itself, to virtually any computing device—including those that cannot run Windows.
Terminal Server can enhance an enterprise's software deployment capabilities for a variety of scenarios that remain difficult to solve using traditional application distribution technologies. When users run an application on Terminal Server, the application execution takes place on the server, and only keyboard, mouse and display information is transmitted over the network. Users see only their own individual sessions, which are managed transparently by the server operating system, and remain independent of any other client session.
Terminal Server considerably reduces the amount of network bandwidth required to access data remotely.
Using Terminal Server to run an application over bandwidth-constrained connections, such as dial-up or shared WAN links, is very effective for remotely accessing and manipulating large amounts of data because only a screen view of the data is transmitted, rather than the data itself.
Terminal Server helps users become more productive by enabling access to current applications on any device—including under-powered hardware and non-Windows desktops.
And because Terminal Server lets you use Windows anywhere, you can take advantage of extra processing capabilities from newer, lighter-weight devices such as the Pocket PC.

citrix is awesome, but more expensive. terminal server using microsoft's rdp is an embedded technology in 2003 and is cheap/cheap. if you've used citrix, you have an idea of what we are talking about.
encryption is 128 bit, rc-4 bi-directional.
supports reconnection of a disconnected session (if connection is intermittent). in other words, if your connection goes down, i can set the session to still be there so you can log back in without losing data or progress in your work. i can set the reconnect allowance interval to 10 minutes, 1 hour, or anything else i want up to infinity.
you can securely connect to the same desktop and all your programs/data from any computer with an internet connection anywhere that can support the rdp client, including a mac.
I logged in to my personal desktop at an Orlando ERS office, did work, printed documents, etc without ever having been there before or used their machine or configured it at all as a client. I can do the same thing anywhere I go. the client is embedded in XP.
that means any windows xp computer anywhere is my personal computer as soon as i sit down. including public library computers or my dad's computer at my parents or whatever. how's that for convenient? boot up any computer anywhere and it's your personal desktop/programs/data. nice, huh?
happy to take questions, and I'll start developing outline points more in depth.
yours,
edward
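Posts #11 and #12 describe the server-side knobs that matter for this design: whether Terminal Services is enabled, the session encryption level ("128 bit, rc-4"), how long a disconnected session is kept for reconnection, and who is in the Remote Desktop Users group. The script below is an added, read-only audit of those settings, not code from the thread or from Microsoft. It assumes a Windows host with Terminal Services / Remote Desktop installed and administrative rights, and reads the standard Terminal Services registry locations (the Group Policy key under `HKLM:\SOFTWARE\Policies\...` overrides the per-listener defaults under `WinStations\RDP-Tcp`). Note that the 128-bit RC4 encryption the post mentions is the legacy "RDP security layer"; on anything newer than Server 2003 a defender would expect `SecurityLayer` = 2 (TLS) and `UserAuthentication` = 1 (Network Level Authentication), and the script flags their absence.

```powershell
# Added example: audit Terminal Services settings discussed in the thread.
# Read-only; assumes Windows with Terminal Services / Remote Desktop and admin rights.

$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tsServer = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = Join-Path $tsServer 'WinStations\RDP-Tcp'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-TsSetting {
    param([string]$Name)
    # Group Policy value takes precedence over the listener's own setting.
    $v = Get-RegValue -Path $tsPolicy -Name $Name
    if ($null -eq $v) { $v = Get-RegValue -Path $rdpTcp -Name $Name }
    return $v
}

$findings = @()

# 1. Is the service accepting connections at all? (1 = connections denied)
$deny = Get-RegValue -Path $tsServer -Name 'fDenyTSConnections'
$note = if ($deny -eq 1) { 'RDP disabled' } else { 'RDP enabled' }
$findings += [pscustomobject]@{ Setting = 'fDenyTSConnections'; Value = $deny; Note = $note }

# 2. Encryption level: 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS.
$enc = Get-TsSetting 'MinEncryptionLevel'
$note = if ($enc -ge 3) { 'OK: 128-bit or FIPS required' }
        else { 'WEAK: clients may negotiate less than 128-bit encryption' }
$findings += [pscustomobject]@{ Setting = 'MinEncryptionLevel'; Value = $enc; Note = $note }

# 3. Security layer: 0 = legacy RDP security (RC4, no server authentication),
#    1 = Negotiate, 2 = TLS. Post #12's "rc-4" corresponds to layer 0.
$layer = Get-TsSetting 'SecurityLayer'
$note = switch ($layer) {
    2       { 'OK: TLS with server certificate' }
    1       { 'Negotiate: TLS when the client supports it' }
    default { 'WEAK: legacy RDP security layer, susceptible to MITM of the session' }
}
$findings += [pscustomobject]@{ Setting = 'SecurityLayer'; Value = $layer; Note = $note }

# 4. Network Level Authentication: 1 = credentials checked before a session is created.
$nla = Get-TsSetting 'UserAuthentication'
$note = if ($nla -eq 1) { 'OK: NLA required' } else { 'WEAK: unauthenticated clients reach the logon screen' }
$findings += [pscustomobject]@{ Setting = 'UserAuthentication'; Value = $nla; Note = $note }

# 5. Disconnected-session limit in milliseconds: the "reconnect allowance" of post #12.
#    0 / not set means disconnected sessions (and their logged-on tokens) live forever.
$maxDisc = Get-TsSetting 'MaxDisconnectionTime'
$note = if (-not $maxDisc) { 'Disconnected sessions kept indefinitely; consider a limit' }
        else { "Disconnected sessions ended after $([int]($maxDisc / 60000)) min" }
$findings += [pscustomobject]@{ Setting = 'MaxDisconnectionTime'; Value = $maxDisc; Note = $note }

$findings | Format-Table -AutoSize

# 6. Who is allowed to connect. "net localgroup" works on every Windows version in the thread.
Write-Host "`nMembers of 'Remote Desktop Users':"
net localgroup 'Remote Desktop Users' |
    Select-Object -Skip 6 |
    Where-Object { $_ -and $_ -notmatch '^The command completed' }
```

Run it on the terminal server itself; `Get-TsSetting` reports `$null` for anything neither policy nor listener has set, which for `MaxDisconnectionTime` means the indefinite retention the poster describes as a feature and a defender would weigh against the exposure of long-lived logged-on sessions.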
RossEvans
Senior Member
Posts: 1345
Joined: Wed Jun 11, 2008 9:52 pm
Location: Austin TX

#13

Post by RossEvans »

I doubt this solution is very practical for the Church's distributed architecture and lack of ubiquitous broadband. But before even delving into those technical details, I think there is a legal red flag.

At its core this method depends on abuse of Windows Terminal Services licensing, which is intended to allow this service to be used out of the box without additional license for purposes of remote sysadmin administration. But using it for running applications directly -- similar to the way the third-party Citrix product is used -- requires purchasing additional licensing from Microsoft.

The proposal here is to game the operating system by making every user an "administrator" without real administrative privileges. That might work technically, but I think it violates the license. Even if I am wrong, I would not want to fight Microsoft in court over it -- not to mention the problem of passing my next temple-recommend interview.
brado426
Member
Posts: 313
Joined: Sun Feb 11, 2007 9:50 pm
Location: Foothill Ranch, CA

#14

Post by brado426 »

I used to support a huge Citrix Metaframe environment at my previous job. The benefits of Citrix are awesome, especially when you have a bunch of thick applications that you want to allow clients to run remotely across a slower WAN or Internet. It is great to be able to keep these applications centralized.

However, Russell is right that the Church's Infrastructure is not currently ready to do this. I don't think dial-up would be an option... think of the huge long-distance charges that would be racked up by the wards that need to be constantly connected in order to use MLS or any other software.

Also, since I have experience with Citrix Metaframe, I know that converting the Church's PCs over to such a system would be a huge and very expensive project. Think about how many ward buildings the Citrix Metaframe servers would need to be able to support. We're talking tens of thousands of simultaneous connections since most of the traffic would occur on Sunday.

While I'm sure the Church could leverage Citrix or Terminal Services in some areas, I don't think it is a viable solution for the Ward Clerk computer at this time. I think a web-enabled solution via a VPN would probably be the most cost-effective and efficient solution.

I love Citrix Metaframe and Terminal Services and I have completed projects that have saved the company hundreds of thousands of dollars as a result of it. I'm just not convinced that it is something that the Church should push out to the ward buildings... at least not at this time.

Brad O.
ysabeau-p40
New Member
Posts: 9
Joined: Mon Aug 04, 2008 11:17 am

#15

Post by ysabeau-p40 »

The above post reflects problems I have in working with people unfamiliar with the technology. For the record, I am a Microsoft partner (it’s a cheap and easy program, they take anyone) and understand licensing.
Point by point:

Distributed architecture:
A persistent, high speed connection is only required for the data center/server farm. The client can have any connection, though I have not tested at speeds of 56k or less.

Licensing:
In Windows Server 2003, there is an Administrator’s group. You can have as many users in that group as you want. Every user should have a client access license (CAL). Every terminal server needs a terminal server client access license (TSCAL). There are other types of licensing (per user vs per seat, etc), but this example encompasses 90+% of windows server licensing.
Therefore, there is no dependence on abusing Windows Terminal Server Licensing.

Administrators:
The ability to define permissions and privileges for all security groups, not just the Administrator’s group, is an integral part of how Windows Server operating systems are meant to be used. It was why Group Policy was developed by Microsoft and put on their systems. I’m interested in why you might think that would ever be a licensure violation.
Therefore, there is no attempt to ‘game the system’.

Some software, poorly written IMHO, must run with full administrative privileges because it makes calls on many different OS components (run as Administrator, therefore does not always work). You’ve seen this with ‘Limited’ and ‘Administrator’ accounts in XP. You can hardly run anything on a limited account, so many people run multiple Administrator accounts on their home Windows XP machine. I only brought up this example because many people who have tried this technology naturally encounter the problem. Quickbooks is my favorite example. There are workarounds, namely using event logs to determine every resource an app calls on and giving administrative privileges over every resource, but that’s typically a couple hundred individual entries.
No problem with Microsoft in Court. No problem with a temple recommend interview.

Additional notes:
Windows Server 2003 and Windows XP both allow limited remote licensing for the purposes of remote administration.
We are talking about something totally different. We are talking about the legal use of a Microsoft product, with full Microsoft licensing, for its Microsoft intended purpose.
Additionally, we will have to deal with application licensing, which can vary in a terminal server environment, but which is generally either:
a) a server license per box or per chip
b) a per user license
One software program I have experience with is per network, and allows unlimited users on a terminal server. We have communicated directly with their licensing department about these issues.
No gaming. No work arounds. No persistent connection to the internet needed.

Microsoft licensing links:
http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx
ysabeau-p40
New Member
Posts: 9
Joined: Mon Aug 04, 2008 11:17 am

#16

Post by ysabeau-p40 »

Terminal Server = way cheaper than Citrix

that said, I agree that ward buildings, where access is once a week, briefly, on Sundays, is a bad idea.

however, may i suggest that ward buildings on Sunday is only a limited part of network/data usage in the church as a whole? from a previous post:

the question isn't 'can i universally implement this tomorrow' as much as 'where would implementation be practical, easy, useful, and save money'. begin with that answer and expand the user base over time as the technology proves itself.

how many church users run apps and access data as part of their work week? from all the different efforts of the church? including salt lake? (no need to start with Mongolia folks).
how many of those have high speed, persistent access? could we agree it is at least several thousand? even if only several hundred, we could implement for those people and save a lot of money.

working with a 1,000 user base (and calculate your savings as a multiplier or percentage of that) and figuring hardware replacement costs alone...
side note: hardware cost savings are the small part. data access and data security is where it's at
... you get 1,000 computers and/or laptops replaced every 4 years at a cost of $500 each. That's $500,000...
no i dont know what the real numbers are, if you do, plug them in
... every four years or $125,000/yr. extending the life cycle by 2 years to 6 years would yield an annual cost of $83,333/yr or a savings of about 33% or $40,000 per 1,000 users.

Ward buildings are the last people to get this technology. and, for the record, the usage wouldn't be that bad. these are extremely lightweight applications, we're not talking CAD here. I would guess a given server cluster with load balancing (say, 8 servers in a data center) could handle a couple thousand Sunday users with ease... like a few hundred per box. the application will largely determine that, but we can push a lot of data in a data center.... think what a typical server farm pushes on a typical day? I'd hate to think what the genealogy hits are like.
while processing apps and downloading an ongoing screenshot is more intensive, it isn't radically different from a web server that gets hit umpteen thousand times. there is an amount of data that must be processed in an amount of time. solve for resources required and see if it is worth the investment.
ward buildings are the last people to get this technology.

think also of reduced support costs. the cost to support a terminal server user, in my personal experience, is very low because we've restricted them so much that they can't damage the system quite so easily. Collaboration because everyone is on the same computer, etc. etc.

take the work you've done in Citrix, make it Microsoft, and if it only saves tens of thousands rather than hundreds of thousands because it was applied to a smaller user base, I’d say it was worth the look.

thanks for great comments from everyone. please keep the questions coming.

yours,
Edward Wilson
RossEvans
Senior Member
Posts: 1345
Joined: Wed Jun 11, 2008 9:52 pm
Location: Austin TX

#17

Post by RossEvans »

ysabeau wrote: Every user should have a client access license (CAL). Every terminal server needs a terminal server client access license (TSCAL).

If you are buying the TSCAL licenses, that is different. Your initial post did not mention that. I thought you were proposing to make everyone an administrator to avoid this additional license, which is what I was referring to.

I use TS for remote system administration at work, and have used it for remote system administration of a dedicated server at a third-party hosting company, but I know that I cannot use this service for remote applications without such licensing. We have no such remote applications.
Mikerowaved
Community Moderators
Posts: 4740
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

#18

Post by Mikerowaved »

First of all, I was the one that flagged your original post as spam for the reasons already stated. I have released the flag. FYI, we are used to getting substance in posts, not posts letting us know the substance will follow. That was one of the things not mentioned that led me to flag it. I apologize if I was too quick on the draw.
ysabeau wrote: A persistent, high speed connection is only required for the data center/server farm. The client can have any connection, though I have not tested at speeds of 56k or less.
Although there are many circumstances when TS is a great idea, this one thing has always been the Achilles heel. Your ability to be productive is 100% dependent on a broadband connection that you often have little or no control over. Without it, you have in front of you an outdated piece of hardware incapable of doing anything except maybe play solitaire.

When I was designing custom ATE systems for the microwave community, (both hardware and software) one requirement I had was if someone came along and ripped the LAN cable out of the back of the equipment rack, it would continue to function without the slightest hiccup. Now I realize our various ward and stake computers are not as mission critical, but the thought of being completely dead in the water for a few weeks because a neighbor's backhoe tore up a broadband cable would cause me some concern.

Mike
So we can better help you, please edit your Profile to include your general location.
ysabeau-p40
New Member
Posts: 9
Joined: Mon Aug 04, 2008 11:17 am

#19

Post by ysabeau-p40 »

With regard to this working for everyone, let me put it another way:

If the user base of persons who frequently and daily access Church applications, data, and other resources, and who have a persistent high speed internet connection is only 20, this will be worth it for those 20. Since I deal with these systems professionally…

And I am not doing so here. This is 100% free, no charge, no sales, nothing profit oriented at all

… I can tell you that client offices of over 20 people are a no brainer. We can save them hardware costs, software costs (by not upgrading local machines to Vista for a starter), support costs (not much to support anymore and we have access to all the marbles remotely through remote boot and kvm over ip devices if we can’t solve the problem through remote admin which is never), and provide real data integrity and security.

My thought is that the Church user base fitting those criteria is several hundred at least. The savings can be 20% total costs on that user pool of only several hundred and that will be a significant impact on usage of the widow’s mite.
It doesn’t have to be millions and millions and millions of dollars to be worthwhile. 20% cost reduction on supporting and maintaining a defined user base of x persons is awesome.

Let me draw a comparison :)

My big idea may be for everyone in the world to read the Book of Mormon and come to Jesus Christ
What I can actually and effectively implement, however, may be a missionary program that finds those who are ready to hear the Word.

In a similar manner, I may want everyone to use terminal servers.
What I can actually and effectively implement, however, may be practical only for a defined base of users. That’s ok, the cost savings for those users I can reasonably effect don’t go away just because I can’t affect everyone.

:) :)

Did I mention the technology is usable on Windows 95? That it is integrated in Windows XP? If you’re sitting in front of an XP machine right now, just click ‘Start’ ‘Run’ and type ‘mstsc’. The first time you will need to enter a site name (ts.example.com) or IP address (38.124.38.124). Thereafter, just enter a username and password. After that it looks, feels, and works just like a normal Windows desktop, so not much training required. Add a server side program for printing and/or a cpl client side, scripted probably, registry changes, and printing is a breeze… if you the admin want it to be. If you don’t have Windows XP, the client is a very small program that you download from Microsoft.

Conversion costs? Nothing for the client. The hardware setup, including basic OS and box, is roughly $100/simultaneous user (ie – if you have 300 users per server but only 50 online at once, then you have 50 simultaneous users that your hardware/OS must support which is $5,000 in this example). User CAL and TS CALs are around $150/user (or $150/device if that makes more sense). Volume licensing and larger set-ups reduce the per user costs. There might be a way to look at an External Connector License (ECL) as well, but I’ve never messed with them at all. Compare these costs to the costs savings referenced earlier, adding in the lack of local OS software/hardware upgrades.

Note: Not everything was in any of my original posts, nor is everything in the current posts. Please keep the questions coming.

Yours,
Edward Wilson

[PS deleted by Mikerowave]
ysabeau-p40
New Member
Posts: 9
Joined: Mon Aug 04, 2008 11:17 am

#20

Post by ysabeau-p40 »

Mike,

Great Post and Excellent Insight!

i'm off for FHE, but will respond to your post and any others when i return. Four quick points:

1) as mentioned above, i'm not recommending universal, immediate implementation
2) just as the wards currently (never been a clerk, correct me where i am wrong) push data up to church servers, a terminal server can be configured to push data back to the local computer (though i like locally held data less)
3) data center server farms should have roll over capability. I always say it's in case Atlanta gets nuked.
4) There is a business decision model here, taking into account the following factors:
a. How often local machines go down in the current system vs how often they would go down in the new system.
b. how important the difference is

regarding 4, we can make sure the data centers effectively never go down and the data is effectively never lost (very high availability). we cannot guarantee local access to the data, particularly in remote locations or locations where persistent connectivity is a problem (read previous comments on a defined user base, not universal coverage). Local internet downtime is a definable quantity. local downtime because of hardware failure, user discombobulation, etc is another definable quantity. Add data security to the ts side of the equation and weigh. push back to local systems where desired.

ps, if the backhoe takes out the church connection, the bishop or clerk can always drive home and use the internet there... or at another ward building if we're filtering access for specific IP's or even individual, pre-defined client computers... or anywhere with an internet connection... even in Mongolia. if the computer dies with all the data and apps on it, that option is not available.

many of my clients have reduced their office space requirements/leasing because it is suddenly easier and effective for many users to work at home and use the office on a more limited basis. It's a funny vicious cycle. People are willing to take less money because of the freedom to work at home (savings on everything from wardrobe to gas money + convenience), while the employer saved money on resource usage.
I'm not suggesting that works well for the church in any given situation, but I know a mortgage brokerage that was able to close 2 of their 5 offices... allowing them to compete more readily in an economic downturn.

thanks for a great post!

Edward