Forum Discussion
RDP Load balancing (pool routing) based on user or hostname
We have a Microsoft TS cluster of 4 machines with a session directory and load balancing across this cluster is handled by our LTM. Everything works really well and overall we are very happy with the solution.
These existing 4 machines have software installed that enables the use of dual monitors and we would like to bring another 2 TS servers online but not have to install this additional dual monitor software. The idea that we have is to put our users into 2 different groups: One that has dual monitors and one that doesn't.
When the user tries to connect to the TS using their RDP client we would like to:
1) Intercept the RDP request,
2) Extract the username,
3) Check against the AD to see what group the user is in and then,
4) Depending on the response send them to a dual_monitor_pool or a single_monitor_pool.
I have seen posts that do this type of interception and extraction for the purpose of persistence but the other two parts (1) querying the Active Directory and (2) selecting a pool based on the resultant search of group is something that I haven't really been able to figure out.
Thanks in advance
Dominique
- hooleylist (Cirrostratus): Hi Dominique,
- dhotman_22537 (Nimbostratus): Thanks for the really quick reply.
I was thinking along those lines at first but managing those data groups will be quite challenging. These data groups would need to be managed in the LTM config while the users and everything about them is managed in the Active Directory. There are over 300 active users and things are changing with them all the time (i.e. new ones coming on, users changing their names and users being removed from the system). If possible it would be much better not to have data groups but rather look up the information straight out of the AD.
Dominique
- hooleylist (Cirrostratus): Sorry, I completely missed the AD part. In order to make an LDAP query you'd either need to license Access Policy Manager or the Advanced Client Auth module. APM offers a GUI based config with iRule extensibility. ACA is not nearly as admin-friendly as it's (complicated) iRules-based.
- dhotman_22537 (Nimbostratus): We do have:
ADD CLIENT AUTHENTICATION - is that something different? Are there any other options for looking up a group value from a remote source or do all of them require an advanced license? (Maybe RADIUS or something like that?)
thanks
- hooleylist (Cirrostratus): On second thought, could you use a TS server broker to do this instead of LTM?
- dhotman_22537 (Nimbostratus):
I checked now and understand that the TS broker is something that was introduced in Windows 2008 server so unfortunately we can't use that :(
We have a 2003 TS server configuration.
- hooleylist (Cirrostratus): I don't know enough about the Microsoft options to give a specific recommendation, but I believe they have a few solutions for load balancing TS servers. If they do and they're not too expensive, I'd guess it would be a simpler solution.
- dhotman_22537 (Nimbostratus): That "Add client Auth" is under optional modules so we don't have it.
We actually moved from the MS cluster manager onto the LTM because it wasn't very good. And by the looks of things MS have actually changed that whole thing now to use the server broker for load balancing.
Thanks for your help, appreciate your feedback.
- JRahm (Admin): Making any decisions by username is problematic unless you can force users to supply credentials in the initial handshake, otherwise LTM has no visibility.
- dhotman_22537 (Nimbostratus): I understand that username could be a problem but we do also have the IP address of the workstation that is making the request. So the other way we thought this could possibly work was:
1) Extract the IP address from which the request originates
2) Reverse lookup the address to retrieve the hostname
3) Lookup the machine's group in the AD
4) Choose the pool based on the machine's group
There are two accounts in the AD, one for the machine and one for the user. Essentially the machine is the thing that is capable of dual screen and not really the user so checking the machine's group instead of the user is a little more correct.
Extracting the source addr is not a problem and easily achievable but I'm not sure it's possible to:
1) do a DNS lookup in the iRule
2) do a search for the group, using either LDAP, SMB or potentially even RADIUS.
Are these two things possible?
thanks
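As an added illustration (not code from this thread or from F5), the following iRule shows how the source-address variant of the idea can be done on LTM v10 or later without any AD lookup: the PTR record of the client address is resolved inside the iRule and the "group" is taken from a data group instead of Active Directory. The pool names, the DNS server address 10.0.0.53 and the data group name dual_monitor_hosts are assumptions.

```tcl
# Added example iRule, not from the thread. Assumes two LTM pools named
# dual_monitor_pool and single_monitor_pool, an internal DNS server at
# 10.0.0.53 that holds PTR records for the workstation subnets, and a
# string data group "dual_monitor_hosts" listing the lower-case FQDNs of
# the dual-monitor workstations. All of these names and the address are
# assumptions for the example.
when CLIENT_ACCEPTED {
    # Step 1: the source address is available as soon as the TCP
    # connection is accepted, before any RDP payload, so nothing has to
    # be parsed out of the RDP handshake and no username is needed.
    set client_ip [IP::client_addr]

    # Step 2: reverse (PTR) lookup of the source address. RESOLV::lookup
    # returns a list of names, or an empty list if the query fails.
    # Normalise to lower case and drop any trailing dot before matching.
    set ptr_result [RESOLV::lookup @10.0.0.53 -ptr $client_ip]
    set host [string tolower [string trimright [lindex $ptr_result 0] "."]]

    # Step 3: membership comes from the data group, not from AD, because
    # LTM alone cannot run an LDAP query (that needs APM or ACA).
    if { $host ne "" && [class match $host equals dual_monitor_hosts] } {
        # Step 4: known dual-monitor workstation
        pool dual_monitor_pool
        log local0. "RDP from $client_ip ($host) -> dual_monitor_pool"
    } else {
        # Step 4: unknown, unlisted or unresolvable host gets the default
        # pool, so a failed DNS lookup never sends someone to the wrong
        # servers silently; the log line makes such cases visible.
        pool single_monitor_pool
        log local0. "RDP from $client_ip ($host) -> single_monitor_pool"
    }
}
```

The data group still has to be kept in step with AD, which is the objection raised earlier in the thread; in practice that is usually done by a scheduled job that exports the computer group from AD and rewrites the data group, rather than by editing the LTM config by hand.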