Providing Cloud Services

Technical Requirements

A Windows Terminal Server is the basic requirement for technical implementation.
The NTCS program can be made available to clients using Remote Desktop services.

It is not possible to operate without a Windows Terminal Server (this means that the NTCS client cannot be started directly from a VPN connection) – The bandwidth between the database server and the client must be at least 100mbit (1 GBit recommended).

The following Microsoft licenses are required per client

SQL database license (optional sourced through BMD as a so-called runtime license or use own full license)
Windows user License (Windows CAL)
Remote Desktop (= Terminal Server) license (Remote Desktop CAL)
Microsoft Office licenses (if a client also needs office in the Remote Desktop environment, please note that an open license of office must be used on the terminal server)

That means for every client who accesses the ASP appropriate Microsoft licenses are needed.

The client must be able to access the Terminal Server in a secure manner. For example, a secure VPN connection has to be established, or the Remote Desktop services are made available via an encrypted Web page (SSL portal). This requires a broadband Internet connection with a fixed, public IP address. Each active client must have a bandwidth of approximately 200 kbit to 250 kbit (up-and download) available.

The client must be restricted on the terminal server in order to only be able to start the NTCS program. The corresponding user must not have access to other programs or to the internal network. Therefore, security precautions must be taken at the level of the operating system and the client's access rights have to be restricted.

For each client to whom NTCS is provided, a Remote Desktop license and a Windows User license must be rented from Microsoft. In addition, a SQL client license must be rented.
The terminal server should be a dedicated server for clients only. The server should be installed in a DMZ. This has the advantage that the Terminal server runs completely isolated from internal users and applications as well as disconnected from the internal network.
The Terminal Server runs the NTCS client, which connects to the internal database. The network connection between the Terminal server (in the DMZ) and the database servers should be at least 100 Mbit (a 1 Gbit network connection is prefered).

Technically, it would also be possible to have internal users and clients work on a common (internal) Terminal Server. We do not recommend this, however, as the risk is accordingly higher in such cases.

The terminal server must be included in the Active Directory so that necessary permissions can be mapped to the file system.
The ASP clients are created as user objects in Active Directory during setup and defined as members in different Active Directory groups.
ASP clients must have the right to log on to the Terminal server and should be restricted by using Active Directory Group Policy so that only NTCS can be started.

If the terminal server is operating in a DMZ, the following ports must be opened to the database server (if the database server is running in a default configuration):

TCP 81 → BMDNTCSService
TCP 445 → Microsoft SMB
TCP 1433 → Microsoft SQL Server
TCP/UDP 1434 → Microsoft SQL Browser
TCP AD ports:
1. UDP port 88 for Kerberos authentication
2. UDP and TCP port 135 for domain controllers-to-domain controller and client to domain controller operations
3. UDP port 389 for LDAP to handle normal queries from client computers to the domain controllers
4. TCP and UDP port 464 for Kerberos Password change
5. TCP port 3268 and 3269 for global catalog from client to domain controller
6. TCP and UDP port 53 for DNS from client to domain controller and domain controller to domain controller

In addition, the BMD.COM client platform can also be operated on the Terminal server.

The following sketch illustrates the structure:

BMD in der Cloud - NTCS für Klienten