JorgDC_137265
Jan 13, 2014

Issue in APM publishing F5 VIP for Load balanced RDP servers

Hello All,

We have a strange issue publishing a Remote Desktop in APM. We have a VIP on our external F5 which load balances two MS RDP servers (Win 2k8R2). The VIP address we have published in application access remote desktop in APM (with full webtop, ACL is in place and everything). When logging on to APM we can see the remote desktop icon but are unable to connect to it. We get the "Unable to connect to the server" message. When making a tcpdump on the internal interface you can see an RDP connection being set up to one of the terminal servers, but nothing is shown in the APM sessions. All clients using APM are Windows 7 clients and the APM portal URL is in the trusted computers zone in Internet Explorer. The load balanced VIP for the terminal server also works when connecting to it using an RDP client.

We use BIG-IP 11.4.1 HF1. Setup at the moment is FW <-> F5 LTM/APM <-> FW <-> LAN (here reside the RDP servers).

So there is something wrong with publishing of the Remote Desktop in RDP. It would be nice if someone could provide me with some extra information on what to look for, because I have run out of options.

Thanks,

Jorg

8 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi Jorg, it's odd that you aren't even seeing an APM session being created, yet you are seeing a connection to the RDP servers.

    If you go to System ›› Logs : Configuration : Options and set the Access Policy log level to Debug, you can then tail the /var/log/apm file for APM log errors.

    If you want to sanitize and post those here, I'll take a look.

    Mike

     

  • Hi Mike,

    In the meantime I have discovered the RDP servers were signed with a certificate, which is apparently something APM does not like. Have asked to remove the signing from the servers.

    Have added two (non RDP signed) servers as members in the pool and this works fine.

    Will make some tests tomorrow and upload a log of the previous setup. Can maybe be handy for someone in the future.

    Kind regards,

    Jorg

     

  • Hello Mike,

    We made some tests today and found out our problem only occurs when adding the Remote Desktop Session Host role to one of the terminal servers (without the role active it all works fine). In the APM log in the link below we cannot find anything special. The last session is one with a faulty connection (with the role active). The previous is a working one with the role deinstalled. http://users.telenet.be/inktvis/apm.zip

    Kind regards,

    Jorg

     

  • mikeshimkus_111
    Historic F5 Account

    That's less than desirable, since the point is to load balance Session Host servers.

    Is it only the server with Session Host installed that fails? Can you go directly to that server with Session Host running?

    Have you checked the event logs on the Session Host server for any indication of the problem?

     

  • The session hosts do not display any problems with the Session Host role installed or without. The VIP works perfectly; we have tested it by putting 2 clients in the same subnet and also once by making a NAT from outside our perimeter to the VIP. Clients connect perfectly and are load balanced.

    The moment we put the VIP in a Remote Desktop in APM with the Session Host role installed it does not work. I am afraid there is some kind of bug in the edition we are using or something.

    Have already raised a ticket with F5 support together with our supplier/F5 partner.

    Kind regards,

    Jorg

     


  • Did you get any solution for this? I do not have my RDP server load balanced, but I can't connect to them (with Wireshark I see the connection on the remote server, but for some reason it won't work).

     

  • The only way we could solve it was to create a NAT to the VIP on our firewall and publish the NAT address. Have done this on the internal interface of our BIG-IP. Our setup is Internet <--> Firewall <--> BIG-IP <--> Firewall (NAT to VIP on this firewall) <--> LAN

    Hope this helps.

    Kind regards,

    Jorg