For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Andrew_Smith_16's avatar
Andrew_Smith_16
Icon for Nimbostratus rankNimbostratus
Apr 07, 2015

Microsoft Windows Server 2012 R2 RDS

I have a simple scenario which is not working as expected however I've probably made the wrong assumption.

 

Currently all we want to achieve is load balance RDS sessions (tcp/3389) via the F5 and using the session directory to allow reconnections to disconnected sessions.

 

Test Lab which duplicates on a small scale what is required:

 

  • 1x RD Connection Broker (with RD Web access role).
  • 4x RD Session Host.
  • F5 sits in a VLAN
  • RD servers are in a 2nd VLAN
  • Clients are in a 3rd VLAN.
  • VLANs are separated using a firewall and clients should not have direct connectivity to RD servers

Scenario 1 from the deployment guide has been followed and I get the following result:

 

  1. Client connects to a VIP on the F5
  2. F5 makes a connection to one of the RDSH servers
  3. RDCB receives a request for a new connection
  4. Client receives a new IP address and connects directly to a RDSH server bypassing the F5. The

I made the assumption that all traffic is passed via the F5 and no direct connections should be made so I wondering if what I'm seeing is correct or have I missed configuration somewhere. As I'm writing this I think there has to be a way to stop the RDCB from handling the initial connection...Any help would be appreciated.

 

application delivery
design
LTM
microsoft

2 Replies

  • mikeshimkus_111's avatar
    mikeshimkus_111
    Historic F5 Account
    Apr 08, 2015

    Hi Zalchor, the traffic should all pass through the RDSH virtual server. If you save your RDP connection as an .rdp file, do you see any indication that it's trying to connect directly to the server? In my connection file, I have a field called "full address" with the value that matches the RDSH farm FQDN (not the individual server name), and I always reconnect via the VIP.

     

  • Andrew_Smith_16's avatar
    Andrew_Smith_16
    Icon for Nimbostratus rankNimbostratus
    Apr 09, 2015

    I've resolved this by applying a GPO to the RDSH servers with the following: "User RD Connection Broker load balancing" and "Use IP Address Redirection" disabled in - Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker\

     

    A Kemp load balancing guide for RDS 2012 mentions the "User RD Connection Broker load balancing" option. "Use IP Address Redirection" makes sense for when you don't want to allow direct connections to the RDSH servers.