cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9452
Views
10
Helpful
21
Replies

ASA 5510 and remote desktop session broker

Colin_Allman
Level 1
Level 1

Hey everyone,

The issue I'm having is that we are running a load balanced terminal server farm with 2 terminal servers and using Microsoft Remote Desktop Session Broker for load balancing.  Internally load balancing works excellent.  The issue is when trying to come in from the outside and you don't get load balanced on to the the one TS then your connection is lost.

I have set up a network object containing a Range of the 2 IP addresses, and configured a NAT rule for port forwarding using that Object.  I have also configured an access rule for it.

What we figure is that once you come in through the router it says "ok, you're going here" then the load balancer kicks in and if it matches the router then it's fine, but if the load balancer switches to the other IP, the router says "No way!, that's not where you told me you're going" and drops it.

Any ideas on how to go about setting this up?

Thanks in advance,

Colin

21 Replies 21

jamescrescenzo
Level 1
Level 1

Hey Colin,

We are in the same boat, were you ever able to get this working?

Hi James,

We had the same problem, where the redirection from the Session Broker server causes the RDP session to disconnect.

The only solution we found was to create a mini 'non-session broker' ts cluster for the use of remote access clients.

I would be interested to know if there is a more technical solution to this problem.

Kind regards,

Paul

HTH Paul ****Please rate useful posts****

Hi Paul,

I am glad to hear of a way to do this.

Can you give some insite to how you created a mini "non-session broker" cluster?

Did you just have different terminal servers and have them go to each one without redirections?

Thanks,

James

Hi James,

Yes, we just deployed a couple of terminal servers but didn't add them to session broker, so they were essentially just two stand alone servers.

We then used dns roundrobin as a simple way of load balancing between the two servers. I would advise setting the TTL to be quite low (30 secs) on these records so the record does not get cached by the client for very long.

Kind regards,

Paul

HTH Paul ****Please rate useful posts****

Colin_Allman
Level 1
Level 1

Good morning guys,

Funny you should post on this message that's 8 months old.  Here at our office we just returned to this issue and got it working.

What we had to do was, create the Session broker farm as normal and add the terminal servers like usual.  You then install Remote Desktop Gateway server wherever you want.  Create a new group in AD and then add the terminal servers to this group.  Open RD Gateway, go into Policies, Resource Authorization Policies and open the properties of the RAP you created in setup.

Click network resources and on the radio button "Select an AD Services network resource group, specify the Group that you had created previously for your terminal servers.

When you connect via Windows remote desktop click the advanced tab, click settings under "Connect from anywhere".  Click the radio button for "Use these RD Gateway server settings.  We used ..  Uncheck bypass RD gateway server for local addresses.

For testing we also had 2 public IP addresses set for rdfarm..com. Each public IP address was fowarded to one of the terminal servers (this may not be necessary).  When the user connects it will ask for credentials as normal, now we were testing without certificates on the terminal servers so it would prompt as normal, you sure you wanna connect and show the name of the first terminal server.  With a session already open on the first session, it checks against the broker and then connects you to the second TS and prompts you again, you sure you wanna connect.  Assuming they have proper certificates, obviously this would be transparent to the user.

The key is RD Gateway Services.  Hope this helps!

Hi Colin,

Thanks. When looking into this I did come accross the Gateway service doing the trick

A few questions with that:

I read that it needs to be outside the inter network, within the DMZ. Do you have it in the network on DMZ?

Also if connecting via Cisco WebVPN, is there a way to tell the remote Desktop link to use the Connect from anywhere.

It doesn't seem to really use an RDP client but a web client instead.

Also do you have this working in Java, properJavaRDP, which uses its own messy RDP client?

Any information would be great.

Thanks,

James

Colin_Allman
Level 1
Level 1

It's in the network, not in DMZ.  We have not tested any other variations, only with the Windows RDP for now.

Great thanks.

And it works from your asa 5510?

Colin_Allman
Level 1
Level 1

We were testing on our in office router which is a 5505, so I imagine it wouldn't be different on the 5510 at our client site.

Hi Colin,

Do you use a VPN to connect to the RDP gateway, or do you connect directly?

Thanks,

Paul

HTH Paul ****Please rate useful posts****

Connect directly

Hey Paul,

I am working with Cisco support now to see if there is a way to get this to work as we want.

I assume you are trying to have the same setup as we are. Connecting to cisco vpn web. Using RDP bookmark of RDP Broker and getting stuck.

Hi James,

Yes  that's the setup we have and we only have the issue with clientless SSL VPN. No problems using the IPSec client.

Could you let me know what Cisco support come back with? PM me if you want.

Thanks,

Paul

HTH Paul ****Please rate useful posts****

Hi Paul,

This is what I heard from Cisco:

The remote desktop protocol plug-in does not support load balancing with a session broker. Because of the way the protocol handles the redirect from the session broker, the connection fails. If a session broker is not used, the plug-in works.

You can get more information from following link:-

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html

I am still waiting to see if there are any parameters that we might be able to use to force it to use RD Gateway, but I doubt it.

We are going to just create a stand alone TS for just remote users

And internal users that us TS we will load balance with the broker.