Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9066
Views
10
Helpful
21
Replies

ASA 5510 and remote desktop session broker

Colin_Allman
Level 1
Level 1

‎09-19-2011 09:02 AM

Hey everyone,

The issue I'm having is that we are running a load balanced terminal server farm with 2 terminal servers and using Microsoft Remote Desktop Session Broker for load balancing.  Internally load balancing works excellent.  The issue is when trying to come in from the outside and you don't get load balanced on to the the one TS then your connection is lost.

I have set up a network object containing a Range of the 2 IP addresses, and configured a NAT rule for port forwarding using that Object.  I have also configured an access rule for it.

What we figure is that once you come in through the router it says "ok, you're going here" then the load balancer kicks in and if it matches the router then it's fine, but if the load balancer switches to the other IP, the router says "No way!, that's not where you told me you're going" and drops it.

Any ideas on how to go about setting this up?

Thanks in advance,

Colin

Labels:
0 Helpful
21 Replies 21

jamescrescenzo
Level 1
Level 1

‎05-30-2012 12:17 PM

Hey Colin,

We are in the same boat, were you ever able to get this working?

0 Helpful

paulstone80
Level 3
Level 3
In response to jamescrescenzo

‎06-01-2012 07:02 AM

Hi James,

We had the same problem, where the redirection from the Session Broker server causes the RDP session to disconnect.

The only solution we found was to create a mini 'non-session broker' ts cluster for the use of remote access clients.

I would be interested to know if there is a more technical solution to this problem.

Kind regards,

Paul

HTH Paul ****Please rate useful posts****
0 Helpful

jamescrescenzo
Level 1
Level 1
In response to paulstone80

‎06-01-2012 07:10 AM

Hi Paul,

I am glad to hear of a way to do this.

Can you give some insite to how you created a mini "non-session broker" cluster?

Did you just have different terminal servers and have them go to each one without redirections?

Thanks,

James

0 Helpful

paulstone80
Level 3
Level 3
In response to jamescrescenzo

‎06-01-2012 07:28 AM

Hi James,

Yes, we just deployed a couple of terminal servers but didn't add them to session broker, so they were essentially just two stand alone servers.

We then used dns roundrobin as a simple way of load balancing between the two servers. I would advise setting the TTL to be quite low (30 secs) on these records so the record does not get cached by the client for very long.

Kind regards,

Paul

HTH Paul ****Please rate useful posts****
0 Helpful

Colin_Allman
Level 1
Level 1

‎06-01-2012 07:43 AM

Good morning guys,

Funny you should post on this message that's 8 months old.  Here at our office we just returned to this issue and got it working.

What we had to do was, create the Session broker farm as normal and add the terminal servers like usual.  You then install Remote Desktop Gateway server wherever you want.  Create a new group in AD and then add the terminal servers to this group.  Open RD Gateway, go into Policies, Resource Authorization Policies and open the properties of the RAP you created in setup.

Click network resources and on the radio button "Select an AD Services network resource group, specify the Group that you had created previously for your terminal servers.

When you connect via Windows remote desktop click the advanced tab, click settings under "Connect from anywhere".  Click the radio button for "Use these RD Gateway server settings.  We used ..  Uncheck bypass RD gateway server for local addresses.

For testing we also had 2 public IP addresses set for rdfarm..com. Each public IP address was fowarded to one of the terminal servers (this may not be necessary).  When the user connects it will ask for credentials as normal, now we were testing without certificates on the terminal servers so it would prompt as normal, you sure you wanna connect and show the name of the first terminal server.  With a session already open on the first session, it checks against the broker and then connects you to the second TS and prompts you again, you sure you wanna connect.  Assuming they have proper certificates, obviously this would be transparent to the user.

The key is RD Gateway Services.  Hope this helps!

jamescrescenzo
Level 1
Level 1
In response to Colin_Allman

‎06-01-2012 08:06 AM

Hi Colin,

Thanks. When looking into this I did come accross the Gateway service doing the trick

A few questions with that:

I read that it needs to be outside the inter network, within the DMZ. Do you have it in the network on DMZ?

Also if connecting via Cisco WebVPN, is there a way to tell the remote Desktop link to use the Connect from anywhere.

It doesn't seem to really use an RDP client but a web client instead.

Also do you have this working in Java, properJavaRDP, which uses its own messy RDP client?

Any information would be great.

Thanks,

James

0 Helpful

Colin_Allman
Level 1
Level 1

‎06-01-2012 08:11 AM

It's in the network, not in DMZ.  We have not tested any other variations, only with the Windows RDP for now.

0 Helpful

jamescrescenzo
Level 1
Level 1
In response to Colin_Allman

‎06-01-2012 08:13 AM

Great thanks.

And it works from your asa 5510?

0 Helpful

Colin_Allman
Level 1
Level 1

‎06-01-2012 08:16 AM

We were testing on our in office router which is a 5505, so I imagine it wouldn't be different on the 5510 at our client site.

0 Helpful

paulstone80
Level 3
Level 3
In response to Colin_Allman

‎06-01-2012 08:32 AM

Hi Colin,

Do you use a VPN to connect to the RDP gateway, or do you connect directly?

Thanks,

Paul

HTH Paul ****Please rate useful posts****
0 Helpful

Colin_Allman
Level 1
Level 1
In response to paulstone80

‎06-01-2012 09:09 AM

Connect directly

0 Helpful

jamescrescenzo
Level 1
Level 1
In response to Colin_Allman

‎06-04-2012 09:12 AM

Hey Paul,

I am working with Cisco support now to see if there is a way to get this to work as we want.

I assume you are trying to have the same setup as we are. Connecting to cisco vpn web. Using RDP bookmark of RDP Broker and getting stuck.

0 Helpful

paulstone80
Level 3
Level 3
In response to jamescrescenzo

‎06-05-2012 06:47 AM

Hi James,

Yes  that's the setup we have and we only have the issue with clientless SSL VPN. No problems using the IPSec client.

Could you let me know what Cisco support come back with? PM me if you want.

Thanks,

Paul

HTH Paul ****Please rate useful posts****
0 Helpful

jamescrescenzo
Level 1
Level 1
In response to paulstone80

‎06-05-2012 07:33 AM

Hi Paul,

This is what I heard from Cisco:

The remote desktop protocol plug-in does not support load balancing with a session broker. Because of the way the protocol handles the redirect from the session broker, the connection fails. If a session broker is not used, the plug-in works.

You can get more information from following link:-

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html

I am still waiting to see if there are any parameters that we might be able to use to force it to use RD Gateway, but I doubt it.

We are going to just create a stand alone TS for just remote users

And internal users that us TS we will load balance with the broker.

Customers Also Viewed These Support Documents