Forum Discussion

dhotman_22537
Feb 17, 2011

RDP Load balancing (pool routing) based on user or hostname

Hi everyone,

We have a Microsoft TS cluster of 4 machines with a session directory and load balancing across this cluster is handled by our LTM. Everything works really well and overall we are very happy with the solution.

These existing 4 machines have software installed that enables the use of dual monitors and we would like to bring another 2 TS servers online but not have to install this additional dual monitor software. The idea that we have is to put our users into 2 different groups: one that has dual monitors and one that doesn't.

When the user tries to connect to the TS using their RDP client we would like to:

1) Intercept the RDP request,

2) Extract the username,

3) Check against the AD to see what group the user is in and then,

4) Depending on the response send them to a dual_monitor_pool or a single_monitor_pool.

I have seen posts that do this type of interception and extraction for the purpose of persistence, but the other two parts, (1) querying the Active Directory and (2) selecting a pool based on the resultant search of group, are something that I haven't really been able to figure out.

Thanks in advance







10 Replies

  • Hi Dominique,

    You could configure a datagroup with the usernames that should go to one pool and then try taking the logic for extracting the username, do a class lookup of the username against the datagroup and select the pool. If you have questions on how to implement this, let us know. Else, if you get stuck, post the iRule and debug logging from /var/log/ltm with a description of the issue.
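    The datagroup approach sketched above, written out as an added example iRule (not code from the thread or from F5). It reads the username from the `Cookie: mstshash=` line of the RDP X.224 Connection Request, matches it against a string data group assumed to be named `dual_monitor_users`, and picks one of the two pools named in the question; clients that send no cookie fall back to the single-monitor pool, since in that case the LTM has nothing to decide on.

```tcl
# Added example: choose an RDP pool from the username in the client's
# X.224 Connection Request. Assumed names: data group dual_monitor_users
# (keys = usernames that get dual monitors), pools dual_monitor_pool and
# single_monitor_pool (from the question). Log lines go to /var/log/ltm.
when CLIENT_ACCEPTED {
    # Hold the first client bytes so the connection request can be inspected
    TCP::collect
}

when CLIENT_DATA {
    # TPKT header (4 bytes) + X.224 CR header (7 bytes) precede the cookie line
    if { [TCP::payload length] < 11 } {
        TCP::collect
        return
    }
    # Skip the 11 header bytes and take the rest as a string
    binary scan [TCP::payload] x11a* rdp_cr
    set selected "single_monitor_pool"

    if { [string equal -nocase -length 17 $rdp_cr "Cookie: mstshash="] } {
        set rdp_cr [string range $rdp_cr 17 end]
        set eol [string first "\r\n" $rdp_cr]
        if { $eol == -1 } {
            if { [TCP::payload length] < 1024 } {
                # Cookie line not complete yet; wait for more data
                TCP::collect
                return
            }
            # Oversized request with no cookie terminator: fall back to default pool
            set user ""
        } else {
            # Drop any DOMAIN\ prefix so the data group only needs the plain account name
            set cookie [string range $rdp_cr 0 [expr {$eol - 1}]]
            set user [string tolower [lindex [split $cookie "\\"] end]]
        }
        if { $user ne "" && [class match $user equals dual_monitor_users] } {
            set selected "dual_monitor_pool"
        }
        log local0. "RDP user '$user' from [IP::client_addr] routed to $selected"
    } else {
        log local0. "No mstshash cookie from [IP::client_addr]; routing to $selected"
    }

    pool $selected
    TCP::release
}
```

    Note that mstsc sends at most the first 9 characters of the username in this cookie, so the data group keys have to match what the client actually sends rather than the full account name.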



  • Thanks for the really quick reply.

    I was thinking along those lines at first but managing those data groups will be quite challenging. These data groups would need to be managed in the LTM config while the users and everything about them is managed in the Active Directory. There are over 300 active users and things are changing with them all the time (i.e. new ones coming on, users changing their names and users being removed from the system). If possible it would be much better not to have data groups but rather look up the information straight out of the AD.

  • Sorry, I completely missed the AD part. In order to make an LDAP query you'd either need to license Access Policy Manager or the Advanced Client Auth module. APM offers a GUI based config with iRule extensibility. ACA is not nearly as admin-friendly as it's (complicated) iRules-based.

    I think either module would be an expensive option just to route TS users to a server that supports dual monitors.

  • We do have: ADD CLIENT AUTHENTICATION - is that something different?

    Are there any other options for looking up a group value from a remote source or do all of them require an advanced license? (Maybe RADIUS or something like that?)

  • On second thought, could you use a TS server broker to do this instead of LTM?

  • I checked now and understand that the TS broker is something that was introduced in Windows Server 2008 so unfortunately we can't use that :(

    We have a 2003 TS server configuration.

  • I don't know enough about the Microsoft options to give a specific recommendation, but I believe they have a few solutions for load balancing TS servers. If they do and they're not too expensive, I'd guess it would be a simpler solution.

    Assuming the "ADD CLIENT AUTHENTICATION" license token is in the active modules section (as opposed to the optional modules section) it looks like you do have ACA licensed. So you can make LDAP calls from an iRule. But it's not a simple implementation. Take a look at the _sys_auth_ldap iRule for an example. That's for HTTP, but I think you could adapt the logic to parse TCP data and do an auth lookup via LDAP to an AD virtual server (or server).

    Edit: Actually, after looking at the AUTH::response_data wiki page, I'm not sure you can do anything but an LDAP request with a username and password sent and an auth status returned. So ACA might not be an option at all...

  • That "Add client Auth" is under optional modules so we don't have it.

    We actually moved from the MS cluster manager onto the LTM because it wasn't very good. And by the looks of things MS have actually changed that whole thing now to use the server broker for load balancing.

    Thanks for your help, appreciate your feedback.

  • Making any decisions by username is problematic unless you can force users to supply credentials in the initial handshake, otherwise LTM has no visibility.

    Maybe it's not an option for you, but you could instruct dual-screen users to use virtual A and others to use virtual B. Alternatively, if you fronted these resources with APM, you could potentially have an HTTP logon page that would do all the credential work for you and then auto-launch the RDP session to the correct resources.

  • I understand that username could be a problem but we do also have the IP address of the workstation that is making the request. So the other way we thought this could possibly work was:

    1) Extract the IP address from which the request originates

    2) Reverse lookup the address to retrieve the hostname

    3) Look up the machine's group in the AD

    4) Choose the pool based on the machine's group

    There are two accounts in the AD, one for the machine and one for the user. Essentially the machine is the thing that is capable of dual screen and not really the user, so checking the machine's group instead of the user's is a little more correct.

    Extracting the source addr is not a problem and easily achievable but I'm not sure it's possible to:

    1) do a DNS lookup in the iRule

    2) do a search for the group, using either LDAP, SMB or potentially even RADIUS.

    Are these two things possible?