For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mohamedabogamil's avatar
Mohamedabogamil
Icon for Nimbostratus rankNimbostratus
Nov 16, 2023

Load balance_RDP

Hello team,  I create rdp  VS:192.168.3.143:3389 and access it through APM-VPN.  I added 4 servers to the pool  (10.5.13.122 / 10.5.13.123 /10.5.13.124 / 10.5.13.125)   I used the Least session(me...
application delivery
Lucas_Thompson's avatar
Lucas_Thompson
Icon for Employee rankEmployee
Nov 16, 2023

This type of LB configuration is typically solved using Microsoft's RD Connection Broker. It handles the persistence and user-redirection itself.

I can't think of why a persistence profile would make any difference as to what certificate is transmitted, or even what a certificate over the proprietary MSRDP protocol would look like. This Microsoft article has some information that might be helpful:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn781533(v=ws.11)#selecting-which-certificate-to-use

One thing I have seen is that untrusted-certificate error WILL pop-up if you use the Remote Desktop client to access an RD Gateway server that presents an untrusted TLS certificate, but that's over HTTPS (443), not RDP (3389). Hopefully in your tests you are 100% using good certificates that are trusted on your client PCs.

You can read more about the RDP-to-HTTP translation functionality of RD Gateway here:

https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-plan-access-from-anywhere

Finally, APM does implement RD Gateway-like functionality itself, so you don't need to use Microsoft's. You can read about how that works here:

https://my.f5.com/manage/s/article/K08943176