09-19-2011 09:02 AM
Hey everyone,
The issue I'm having is that we are running a load balanced terminal server farm with 2 terminal servers and using Microsoft Remote Desktop Session Broker for load balancing. Internally load balancing works excellent. The issue is when trying to come in from the outside and you don't get load balanced on to the one TS then your connection is lost.
I have set up a network object containing a Range of the 2 IP addresses, and configured a NAT rule for port forwarding using that Object. I have also configured an access rule for it.
What we figure is that once you come in through the router it says "ok, you're going here", then the load balancer kicks in and if it matches the router then it's fine, but if the load balancer switches to the other IP, the router says "No way! That's not where you told me you're going" and drops it.
Any ideas on how to go about setting this up?
Thanks in advance,
Colin
05-30-2012 12:17 PM
Hey Colin,
We are in the same boat, were you ever able to get this working?
06-01-2012 07:02 AM
Hi James,
We had the same problem, where the redirection from the Session Broker server causes the RDP session to disconnect.
The only solution we found was to create a mini 'non-session broker' ts cluster for the use of remote access clients.
I would be interested to know if there is a more technical solution to this problem.
Kind regards,
Paul
06-01-2012 07:10 AM
Hi Paul,
I am glad to hear of a way to do this.
Can you give some insight into how you created a mini "non-session broker" cluster?
Did you just have different terminal servers and have them go to each one without redirections?
Thanks,
James
06-01-2012 07:28 AM
Hi James,
Yes, we just deployed a couple of terminal servers but didn't add them to session broker, so they were essentially just two stand-alone servers.
We then used DNS round-robin as a simple way of load balancing between the two servers. I would advise setting the TTL to be quite low (30 secs) on these records so the record does not get cached by the client for very long.
Kind regards,
Paul
06-01-2012 07:43 AM
Good morning guys,
Funny you should post on this message that's 8 months old. Here at our office we just returned to this issue and got it working.
What we had to do was, create the Session broker farm as normal and add the terminal servers like usual. You then install Remote Desktop Gateway server wherever you want. Create a new group in AD and then add the terminal servers to this group. Open RD Gateway, go into Policies, Resource Authorization Policies and open the properties of the RAP you created in setup.
Click network resources and on the radio button "Select an AD Services network resource group", specify the Group that you had created previously for your terminal servers.
When you connect via Windows remote desktop click the advanced tab, click settings under "Connect from anywhere". Click the radio button for "Use these RD Gateway server settings". We used
For testing we also had 2 public IP addresses set for rdfarm.
The key is RD Gateway Services. Hope this helps!
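As an added illustration (not code from this thread or from Microsoft or Cisco), the following model encodes the behaviour described in the posts above: the ASA's static port-forward reaches a single terminal server, the Session Broker's redirect sends the client to a member it cannot reach, and an RD Gateway with the terminal servers in its RAP resource group lets the reconnection happen from inside the network. The addresses and the round-robin broker are constructed assumptions.

```python
"""Model of the failure described in the thread: a static port-forward on the
ASA reaches one terminal server, but the Session Broker redirects the client
to the other member's internal address.  Added illustration; all addresses
are constructed, not taken from the thread."""
from dataclasses import dataclass, field


@dataclass
class Farm:
    members: list            # internal IPs of the terminal servers
    broker: bool = True      # does a Session Broker redirect between members?
    rr: int = field(default=0, repr=False)

    def pick(self, first_contact: str) -> str:
        """Return the server the session actually lands on."""
        if not self.broker:             # stand-alone servers: no redirect
            return first_contact
        target = self.members[self.rr % len(self.members)]
        self.rr += 1                    # simple round-robin between members
        return target


def via_port_forward(public_ip: str, nat: dict, farm: Farm) -> tuple:
    """External client -> public_ip:3389 -> nat[public_ip] (one TS only).
    If the broker redirects to another member, the client is told to
    reconnect to an internal IP it cannot reach, so the session is lost."""
    first = nat[public_ip]
    target = farm.pick(first)
    return ("connected" if target == first else "dropped", target)


def via_rd_gateway(farm: Farm, rap_group: set) -> tuple:
    """Client tunnels RDP over HTTPS to the gateway; the reconnection after a
    redirect also goes through the gateway, which sits inside the network.
    The RAP's AD resource group must contain the redirect target."""
    target = farm.pick(farm.members[0])
    if target not in rap_group:
        return ("denied by RAP", target)
    return ("connected", target)


if __name__ == "__main__":
    farm = Farm(["10.0.0.11", "10.0.0.12"])              # constructed addresses
    nat = {"203.0.113.5": "10.0.0.11"}                   # one static port-forward
    print(via_port_forward("203.0.113.5", nat, farm))    # connected
    print(via_port_forward("203.0.113.5", nat, farm))    # dropped
    gw_farm = Farm(["10.0.0.11", "10.0.0.12"])
    rap = {"10.0.0.11", "10.0.0.12"}                     # both TS in the RAP group
    print(via_rd_gateway(gw_farm, rap), via_rd_gateway(gw_farm, rap))
```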
06-01-2012 08:06 AM
Hi Colin,
Thanks. When looking into this I did come across the Gateway service doing the trick.
A few questions with that:
I read that it needs to be outside the internal network, within the DMZ. Do you have it in the network or on the DMZ?
Also if connecting via Cisco WebVPN, is there a way to tell the remote Desktop link to use the Connect from anywhere.
It doesn't seem to really use an RDP client but a web client instead.
Also do you have this working in Java, properJavaRDP, which uses its own messy RDP client?
Any information would be great.
Thanks,
James
06-01-2012 08:11 AM
It's in the network, not in DMZ. We have not tested any other variations, only with the Windows RDP for now.
06-01-2012 08:13 AM
Great thanks.
And it works from your ASA 5510?
06-01-2012 08:16 AM
We were testing on our in office router which is a 5505, so I imagine it wouldn't be different on the 5510 at our client site.
06-01-2012 08:32 AM
Hi Colin,
Do you use a VPN to connect to the RDP gateway, or do you connect directly?
Thanks,
Paul
06-01-2012 09:09 AM
Connect directly
06-04-2012 09:12 AM
Hey Paul,
I am working with Cisco support now to see if there is a way to get this to work as we want.
I assume you are trying to have the same setup as we are: connecting to the Cisco VPN web, using an RDP bookmark of the RDP Broker and getting stuck.
06-05-2012 06:47 AM
Hi James,
Yes that's the setup we have and we only have the issue with clientless SSL VPN. No problems using the IPSec client.
Could you let me know what Cisco support come back with? PM me if you want.
Thanks,
Paul
06-05-2012 07:33 AM
Hi Paul,
This is what I heard from Cisco:
The remote desktop protocol plug-in does not support load balancing with a session broker. Because of the way the protocol handles the redirect from the session broker, the connection fails. If a session broker is not used, the plug-in works.
You can get more information from the following link:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html
I am still waiting to see if there are any parameters that we might be able to use to force it to use RD Gateway, but I doubt it.
We are going to just create a stand-alone TS for just remote users,
and internal users that use TS we will load balance with the broker.