
Connection Configuration in Terminal Server

This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
This article discusses the Terminal Server Administration tool, Connection Configuration.
More information
When you open this tool, you see that one connection is created by default, the RDP-TCP connection. Typically, this is the only connection that needs to be defined. Nothing needs to be done to enable this connection.

The RDP-TCP connection is a socket connection over TCP port 3389. In this tool, you can specify how long clients can remain connected, if a specific application should run when the client connects, choose the level of encryption, and so on.

You can have one connection defined per transport per type per adapter. So, in a normal Terminal Server with one adapter, you can define exactly one connection since there is only one connection type available. Terminal Server 4.0 by itself with no additional services supports ONLY RDP over TCP connections. If you add a second adapter, you can define a second RDP-TCP connection for that adapter.

Citrix's Metaframe product may be installed on the Terminal Server so Citrix's ICA clients rather than Microsoft's RDP client can be used to connect to Terminal Server. In this tool and in User Manager, you will find options that do not apply unless Metaframe is installed on the Terminal Server.

On a Citrix Winframe Server (based on Windows NT 3.51) or on a Terminal Server with Metaframe installed, customers have the option of creating different connection types for different ICA clients (for example, Macintosh clients, asynch clients, SPX clients).

Right-clicking a defined connection brings up a menu that allows you to edit the connection configuration.

Notice that the connection Name, Type, and Transport are unavailable. The name can be changed under Connection/Rename. But the Type and Transport cannot be changed.

The Lan Adapter drop down list shows "All Lan Adapters..." and any installed adapters. Notice that the connection by default applies to all installed adapters, so just because you have multiple adapters does not mean you must define new connections. You can, but it is not a requirement.

Maximum Connection Count means what it says. Do not confuse this with licensing. This setting governs how many socket connections are allowed. The default is Unlimited.

If you select Client Settings on the Edit Connection screen, you will see a list of options intended primarily for the Citrix ICA client. These settings do not apply to the RDP client. Because the RDP client establishes only a single data channel between the client and the server, mapping to local devices is not possible. Inside an RDP client session, all "local" resources are the Terminal Server's resources.

However, Citrix's ICA clients have been modified to create multiple data channels between client and server. These settings are included for customers who load Metaframe on Terminal Server and use the ICA clients.

Clicking Advanced on the Edit Configuration screen opens many options, although, again, some apply only to the Citrix ICA client.

Note the selections "Inherit user config," "Inherit client config," and "Inherit client/user config." User config selections are also available in Terminal Server User Manager as options for specific users. Client config options can be set at the client using Client Configuration Manager (installed with the Client software) or in the client's registry (for 32-bit) or .ini file (for 16-bit) settings.

Any values set on this screen apply to all connections at this Terminal Server (and no others, regardless of domain relationship -- these settings are specific to the Terminal Server).

Note also that any values set here will override settings for users in User Manager.

Below is a description of the various advanced options:


If you disable Logon, you are disabling client connections. This does not keep non-client users from connecting to the server (for that you would have to pause or stop the Server or Netlogon services). If you want to keep Clients from connecting and establishing terminal sessions, this is where you do it.

NOTE: If you are used to pausing or stopping the Server or Netlogon services to keep users from connecting to the server, you will be tempted to try to stop the Terminal Server service. This service cannot be stopped. You can change it to manual or disabled, but when you restart the server, this service will return to automatic and will start. This is by design. This service is integral to Terminal Server's operation.

NOTE: Stopping the Server or Netlogon services does not keep Terminal Server clients from connecting. These connections use a completely different connection path. Again, disabling logon here in Connection Configuration is the way to deny client connections. Of course, it is also possible to deny connections based on permissions (more detail below).

Timeout Settings (in Minutes)

Here you can choose how long a connection should be maintained, how long a disconnected session should be maintained in memory, and how long a session should be allowed to be idle before disconnecting it.

The Connection Timeout determines how long the client can stay connected, regardless of whether the session is idle or not.

The Disconnected Session Timeout determines how long a disconnected session should be held in memory. If a client disconnects (rather than logging off), the session is not terminated. Rather, it is held in memory so that the client can reconnect and re-establish the session. Applications that were running previously should still be available.

The Idle Session Timeout determines how long a session with no activity should remain connected. Note that turning on the Menu Bar clock will generate enough continuous traffic to keep a session from being idle.

If you uncheck No Timeout, the default for Connection is 120 minutes, for Disconnection is 10 minutes, and for Idle is 30 minutes.

Setting these values here affects every Client that uses this connection. If you want to modify the values for a specific user, you can do so in User Manager. However, keep in mind that Connection Configuration values override values in User Manager. If you need both advanced options set in Connection Configuration AND separate options set for individual users in User Manager, you will need to add multiple network adapters to your Terminal Server and define a different connection for each adapter.
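
The following Python model is an added example, not part of the original article or any Microsoft tool. It resolves which timeout values apply to a session and what happens when one expires; the setting names, the return labels, and the treatment of "Inherit user config" as a per-setting switch to the User Manager value are assumptions made for illustration.

```python
# Added illustration of the timeout rules described in this article; not Microsoft code.
# Setting names and return values are labels chosen for this example.
FIELDS = ("connection", "disconnection", "idle")
# Defaults (minutes) the article gives when "No Timeout" is unchecked.
DEFAULTS = {"connection": 120, "disconnection": 10, "idle": 30}
NO_TIMEOUT = {f: None for f in FIELDS}  # None models a ticked "No Timeout" box


def effective_timeouts(conn_cfg, user_cfg, inherit=()):
    """Connection Configuration values override User Manager values.

    Assumption: a setting named in `inherit` ("Inherit user config" ticked)
    takes the per-user value instead.
    """
    return {f: (user_cfg if f in inherit else conn_cfg)[f] for f in FIELDS}


def session_action(t, state, connected=0, idle=0, disconnected=0,
                   on_timeout="disconnect"):
    """Return what happens to a session: 'keep', 'disconnect', 'reset' or 'end'.

    state is 'active' or 'disconnected'; times are minutes. on_timeout is the
    "On a broken or timed out connection" choice ('disconnect' or 'reset').
    """
    def expired(limit, elapsed):
        return limit is not None and elapsed >= limit

    if state == "disconnected":
        # A disconnected session stays in memory until its timeout passes.
        return "end" if expired(t["disconnection"], disconnected) else "keep"
    # The connection timeout applies whether or not the session is idle.
    if expired(t["connection"], connected) or expired(t["idle"], idle):
        return on_timeout
    return "keep"


if __name__ == "__main__":
    conn = dict(DEFAULTS)
    user = {"connection": None, "disconnection": None, "idle": 240}  # constructed
    for inherit in ((), ("idle",)):
        eff = effective_timeouts(conn, user, inherit)
        print(inherit, eff, session_action(eff, "active", connected=60, idle=45))
    # With every timeout off, a disconnected session is never cleaned up.
    print(session_action(NO_TIMEOUT, "disconnected", disconnected=10_000))
```
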


  • Low encryption = Microsoft 40-bit encryption from client to server only.
  • Medium encryption = Same as low but applies in both directions.
  • High encryption (Non-export) = 128-bit standard RC4 encryption
  • High encryption (Export) = 40-bit standard RC4 encryption

Use Default NT Authentication: This forces any Client on this connection to use Windows NT's MSGINA. Otherwise, a 3rd party GINA might be used.


If a correct user name, domain, and password are entered here, clients will automatically log on as this user after connection. There are obvious drawbacks to this approach (for example, profiles, home directories). However, note that, because clients are identified to the system by their unique SessionIDs, not their logon names, it is possible for all client users to use the same logon name.

Initial Program

Here you can specify a program that will run for every Client user after connecting and logging on.

If a program is specified here, it is the ONLY application that runs on this connection. The user will connect, log on, and run this application (provided security is not an issue) but will get no desktop. When the user closes the application, the session is terminated. This can be a very useful feature in a single application environment.

User Profile Overrides: Disable Wallpaper

Disabling wallpaper can significantly decrease screen redraw times. This is especially useful for clients connecting over RAS.

On a Broken or Timed out Connection...

If a connection is lost or times out, you have the options of disconnecting the session, which leaves the session intact so the user can reconnect and keep working, or you can reset the connection, which terminates the session.

Reconnect Sessions Disconnected...

This option is used for Citrix direct-serial-port connecting devices only.

From Any Client: If your session is disconnected at one device, you can reconnect from any Client device.

From This Client Only: If your session is disconnected, you cannot reconnect from another Client device.


This feature is only available with the Citrix ICA client.

Another feature of Connection Configuration is the Security/Permissions menu.

Users or groups can be assigned permissions to the connection. Permissions are cumulative except for No Access, so a user who normally has guest access but who is a member of a group with full access will receive full access.

No Access

As you might expect, this means you have no access to the connection.

Guest Access

This permits logging on and logging off only. Guests cannot disconnect sessions or reconnect to disconnected sessions.

User Access

This allows users to:

  • Log on or log off.
  • Query information through Terminal Server Administrator or at a command prompt with the Query command.
  • Send messages through Terminal Server Administrator.
  • Reconnect to disconnected sessions.
  • Disconnect their own session (leaving it resident on the Terminal Server).

Full Access

This allows all of the above plus permission to:
  • Shadow (ICA Clients only)
  • Reset sessions
  • Delete sessions
Along with Guest, User, and Full permissions, there is a more granular set of permissions called Special Access that is used to grant each of the above individually.
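
The following Python model is an added example, not part of the original article or any Microsoft tool. It computes a user's effective connection permissions from the levels listed above and can be used to review who holds sensitive rights such as Reset. The right names and the sample accounts are constructed for illustration, and treating No Access as overriding every other grant is an assumption based on the statement that permissions are cumulative except for No Access.

```python
# Added illustration of the connection permission levels; not Microsoft code.
# Right names below are labels chosen for this example.
GUEST = frozenset({"logon", "logoff"})
USER = GUEST | {"query", "message", "reconnect", "disconnect"}
FULL = USER | {"shadow", "reset", "delete"}  # shadow applies to ICA clients only
LEVELS = {"Guest": GUEST, "User": USER, "Full": FULL}
NO_ACCESS = "No Access"


def effective_rights(principal, groups, acl):
    """Combine the grants for a user and the user's groups.

    acl maps a user or group name to a level name, NO_ACCESS, or a set of
    individual rights (Special Access). Grants are cumulative; NO_ACCESS on
    the user or any group removes all access (assumption, see lead-in).
    """
    rights = set()
    for name in [principal, *groups]:
        entry = acl.get(name)
        if entry is None:
            continue
        if entry == NO_ACCESS:
            return frozenset()
        rights |= LEVELS[entry] if isinstance(entry, str) else set(entry)
    return frozenset(rights)


def who_can(right, members, acl):
    """Audit helper: users (from members: user -> groups) holding `right`."""
    return sorted(u for u, g in members.items()
                  if right in effective_rights(u, g, acl))


if __name__ == "__main__":
    # Constructed sample ACL and group memberships.
    acl = {"alice": "Guest", "Helpdesk": "Full",
           "Contractors": NO_ACCESS, "bob": {"reset"}}
    members = {"alice": ["Helpdesk"], "bob": [],
               "carol": ["Helpdesk", "Contractors"]}
    for user, groups in members.items():
        print(user, sorted(effective_rights(user, groups, acl)))
    print("can reset sessions:", who_can("reset", members, acl))
```
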

Article ID: 186566 - Last Review: 06/22/2014 18:58:00 - Revision: 5.0
