How to set up TS over SSH, for Windows NTx (aka. Terminal Services SSH tunnelling)

*** A quick overview ***

Here's what is going to be accomplished:

Server side:
* TS configured to only accept connection requests from localhost (so people can't bypass the ssh tunnel protection, or a firewall)
* OpenSSH installed and configured (the easy part, surprisingly)

Client side:
* PuTTY (ssh client) configured to "ssh tunnel" the TS traffic
* TS client configured to use the ssh tunnel (another easy part)

I've only set this up for a single user (an admin) to use SSH with. You're on your own if you want multiple user access to this, but this guide should get you started.

SSH servers have a feature to do ssh tunnelling. It's that feature that we're using, and the SSH client needs the most configuring.

Basic run-down of what happens:
* Install a basic install and setup of OpenSSH
* Configure TS to point at localhost only
* (Client-end) Configure puTTY to ssh tunnel
* (Client-end) Point TS client at localhost

*** Step-by-step ***

Pre-requisites: on the server, make sure these are working properly too:
* Set up the MS loopback adapter, and give it an internal IP
* Install Terminal Services (default install)

(All server side until noted otherwise. I'll go through OpenSSH first; that's an easy bit.)

1. Download OpenSSH (URL provided at top of article).
2. Run the OpenSSH installer. The installation EXE is in a zip file. If you're stumped by that, give up now :).
3. Install OpenSSH to the desired location. I'd advise installing everything it has to offer. Untested otherwise.
4. When the installation finishes, open the quickstart guide and keep it handy just in case.
5. Get up a command prompt, CD your way to the OpenSSH directory, and CD into the 'bin' directory inside that.
5a. Run the following commands:

    mkgroup -l >> ..\etc\group
    mkpasswd -l -u 'administrator' >> ..\etc\passwd

    ('administrator' is an example; don't include the apostrophes. Use the username you want to log into the machine with.)
6. Start the OpenSSH server:

    net start opensshd

7. Test OpenSSH. Use puTTY to connect to the server as you would to a normal SSH server. If puTTY immediately exits after login, there are two possible things wrong:
* You didn't type the two commands correctly in step 5a (try them again)
* The computer needs a restart (so sayeth the quickstart guide)
   Once that works, you should be able to log in to a standard Win2k command prompt. Log out when done.

(Now for TS Server configuration)

Please note the following changes only take effect once the server is restarted. Here's the plan: configure it right first time, restart, the new changes are applied, and SSH tunnelling will be the only way to talk to TS remotely.

TS Server by default accepts connections on all interfaces, but *doesn't* allow loopback connections, and doesn't allow configuration on a per-IP basis, only per-adapter. Stupid, yes. So a few things need to be configured.

8. Start > Settings > Control Panel > Admin Tools > Terminal Services Configuration. Double-click on the only RDP connection in the list.
9. Network adapter tab > configure the MS loopback adapter as the one being bound to. OK.

(PuTTY config on client)

Run putty, and create a saved session that we'll be saving to.

10. Right down the bottom of the category list, there's an 'SSH' subcategory, and another 'Tunnels' category inside that. Go into the 'Tunnels' category. (If you can't see that category, you're using an old version of puTTY.)
11. In the 'Tunnels' section, there are some options down the bottom which need to be configured:
11a. 'Source port': type in '3389' (the port number that TS talks over).
     'Destination': the IP address that the MS loopback adapter is bound to, followed by ':3389' (eg. '172.16.0.10:3389').
     Radio buttons underneath that: select 'Local'. Hit 'Add'.
     The large white box above the ones we've just been playing with should read something like:

    L5900 172.16.0.10:3389

11b. You might want to save those settings :) Go into the top category on the left hand side, 'Session'. Give the stored session a name, such as 'hostname ssh tunnel'. Hit 'Open'.
12. Log in to your server via ssh, just to check that SSH works as a backup plan.
14. Restart the server.
15. When the server has fully restarted, fire up puTTY, load the saved settings for the SSH tunnel, hit 'Open', log in to the server via SSH, then fire up the TS client, pointing at localhost. You should then get the normal TS remote window you would normally get.

TIP: You may want to create a user that will be used to connect via ssh, and then an admin account to log in on afterwards. Otherwise, when you log out of TS, it will take ages to log out because the ssh connection is still running processes under the admin account's name that you logged in with, and an error will be logged in the app log saying your profile couldn't be saved. A workaround is to change the group policy entry about the max retries for saving a profile, but that doesn't stop the log out process in TS from taking ages.

Modified: 16/03/2005, Mike Coppins. Tested on: Win2k. www.mikeymike.org.uk
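What the 'Local' tunnel entry from step 11a actually does, shown as an added example that is not part of the original article: a small Python relay that listens on a local port and copies bytes in both directions to a destination address. PuTTY does the same for source port 3389, except that it carries the relayed bytes inside the encrypted SSH session and the server end then connects to the loopback adapter address (172.16.0.10:3389 in the article's example). Here the relay is plain TCP on one machine, the echo server standing in for the TS listener is constructed for the demonstration, and all port numbers are picked at run time.

```python
"""Local port forwarding: the mechanics behind a PuTTY 'Local' tunnel entry.

Added illustration, not the article's code. The SSH encryption between the
two ends is omitted; only the listen-accept-relay behaviour is shown.
"""
import socket
import threading


def _pump(src, dst):
    # Copy bytes from src to dst until src reaches EOF, then half-close dst
    # so the far side sees the same EOF.
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(a, b):
    # Run the two directions concurrently, then close both sockets.
    t1 = threading.Thread(target=_pump, args=(a, b), daemon=True)
    t2 = threading.Thread(target=_pump, args=(b, a), daemon=True)
    t1.start()
    t2.start()
    t1.join()
    t2.join()
    a.close()
    b.close()


class LocalForward:
    """Listen on listen_host:listen_port and relay each connection to dest.

    Equivalent to a PuTTY tunnel row 'L<listen_port>  <dest_host>:<dest_port>'.
    """

    def __init__(self, listen_host, listen_port, dest_host, dest_port):
        self.listen = (listen_host, listen_port)
        self.dest = (dest_host, dest_port)
        self._sock = None

    def start(self):
        """Bind the listener and return the port actually bound (0 = ephemeral)."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind(self.listen)
        self._sock.listen(5)
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self._sock.getsockname()[1]

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._sock.accept()
            except OSError:
                return  # listener closed by stop()
            try:
                upstream = socket.create_connection(self.dest, timeout=5)
                upstream.settimeout(None)  # connect timeout only, not an idle timeout
            except OSError:
                client.close()  # destination unreachable: drop the client
                continue
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()

    def stop(self):
        if self._sock:
            self._sock.close()


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the TS listener: echoes back whatever it receives.

    Returns (port, stop_callable).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv.close


def send_through_tunnel(port, payload):
    """Connect to the local tunnel end (the way the TS client would), send payload, return the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    srv_port, stop_srv = start_echo_server()
    fwd = LocalForward("127.0.0.1", 0, "127.0.0.1", srv_port)
    local_port = fwd.start()
    print("tunnel on 127.0.0.1:%d -> 127.0.0.1:%d" % (local_port, srv_port))
    print(send_through_tunnel(local_port, b"hello TS"))
    fwd.stop()
    stop_srv()
```

The point worth noticing is that the TS client never learns the server's real address: it connects to 127.0.0.1 on the source port, and only the tunnel end knows where the bytes go. That is also why step 9 matters; if TS still listened on the real NIC, the relay would be optional rather than mandatory.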
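Once the server is back up after step 14, the property the whole setup depends on is that nothing except the loopback adapter's address is listening on 3389, while OpenSSH is listening for the tunnel. The following added example, not from the article, parses `netstat -an` output in the Windows format and flags any 3389 listener on another address (0.0.0.0 meaning "all interfaces" counts as exposed). The two sample outputs are constructed; the address 172.16.0.10 is the article's example loopback adapter IP.

```python
"""Audit a netstat -an listing for the end state the article aims for.

Added check, not part of the original article. Sample outputs below are
constructed to look like Windows netstat -an output.
"""
import re
import subprocess

# Matches lines such as "  TCP    172.16.0.10:3389       0.0.0.0:0              LISTENING"
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def listening_addresses(netstat_text, port):
    """Return the local addresses netstat shows listening on `port`."""
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LISTEN.match(line)
        if m and int(m.group(2)) == port:
            found.append(m.group(1))
    return found


def audit_ts_binding(netstat_text, loopback_ip, ts_port=3389, ssh_port=22):
    """Check that TS listens only on the loopback adapter and SSH is up.

    Returns a dict; 'ok' is True only when every condition holds.
    """
    ts_addrs = listening_addresses(netstat_text, ts_port)
    exposed = [a for a in ts_addrs if a != loopback_ip]  # 0.0.0.0 or a real NIC address
    ssh_up = bool(listening_addresses(netstat_text, ssh_port))
    return {
        "ts_bound_to_loopback": loopback_ip in ts_addrs,
        "ts_exposed_on": exposed,
        "ssh_listening": ssh_up,
        "ok": loopback_ip in ts_addrs and not exposed and ssh_up,
    }


def audit_live(loopback_ip):
    """Run netstat -an on this machine and audit the real output."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    return audit_ts_binding(out, loopback_ip)


# Constructed sample: default TS install, before step 9 and the restart.
BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
"""

# Constructed sample: after binding TS to the MS loopback adapter and restarting.
AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    172.16.0.10:3389       0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    print("before:", audit_ts_binding(BEFORE, "172.16.0.10"))
    print("after: ", audit_ts_binding(AFTER, "172.16.0.10"))
```

Run `audit_live("172.16.0.10")` (with your own loopback adapter address) on the server after the restart in step 14; if `ts_exposed_on` is not empty, the adapter binding from step 9 did not take and the tunnel is not yet the only way in.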