Load balance_RDP

Question

Hello team,&nbsp;I create rdp&nbsp; VS:192.168.3.143:3389 and access it through APM-VPN.&nbsp;I added 4 servers to the pool&nbsp;(10.5.13.122 /&nbsp;10.5.13.123 /10.5.13.124 /&nbsp;10.5.13.125)&nbsp; &nbsp;I used the Least session(member) and I tried using round robbin but the same behavior&nbsp;if the first user&nbsp; is connected&nbsp; to&nbsp;10.5.13.122 all users will come to this server and the session will be terminatedI used the default&nbsp;Persistence Type:&nbsp;Microsoft® Remote Desktop.Fallback Persistence Profile used :&nbsp;source addressI expect this to happen because of the persistence profile I removed it, and I received the below issues:The Connection Has Been Terminated Because An Unexpected Server Authentication Certificate Was Received From The Remote Computer&nbsp;I used cli ti see the connection to check the user name&nbsp; and I found all users come with&nbsp; different names:tmsh show /ltm persistence persist-records mode msrdpmsrdp kamc-jd\a 192.168.3.143:3389 10.5.13.122:3389 (tmm: 3)msrdp KAMC-JD\z 192.168.3.143:3389 10.5.13.122:3389 (tmm: 2)msrdp KAMC-JD\A 192.168.3.143:3389 10.5.13.122:3389 (tmm: 2)msrdp kamc-rd\M 192.168.3.143:3389 10.5.13.122:3389 (tmm: 0)&nbsp;&nbsp;

lucas_thompson · Answer

This type of LB configuration is typically solved using Microsoft's RD Connection Broker. It handles the persistence and user-redirection itself.
I can't think of why a persistence profile would make any difference as to what certificate is transmitted, or even what a certificate over the proprietary MSRDP protocol would look like. This Microsoft article has some information that might be helpful:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn781533(v=ws.11)#selecting-which-certificate-to-use
One thing I have seen is that untrusted-certificate error WILL pop-up if you use the Remote Desktop client to access an RD Gateway server that presents an untrusted TLS certificate, but that's over HTTPS (443), not RDP (3389). Hopefully in your tests you are 100% using good certificates that are trusted on your client PCs.
You can read more about the RDP-to-HTTP translation functionality of RD Gateway here:
https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-plan-access-from-anywhere
Finally, APM does implement RD Gateway-like functionality itself, so you don't need to use Microsoft's. You can read about how that works here:
https://my.f5.com/manage/s/article/K08943176
&nbsp;

Forum Discussion

Load balance_RDP

1 Reply

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

Four Active/Active load balancing examples with F5 BIG-IP and Azure Load Balancer

What is Load Balancing?

Load Balancing WebSockets

Load Balancing TCP TLS Encrypted Syslog Messages

Transparent Load Balancing in Azure

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS