Monday, June 04, 2012 4:18 PM
I have 4 terminal servers (all server 2008r2) I want to set up in a server farm. They are all on a private network (10.x.x.x). Currently we point one public address to port 3389 on one server for remote access from outside the firewall.
My question is: Do I need to set up both the RD Connection Broker AND the RD Gateway services to make this work from both inside and outside the firewall?
If I set up a farm named REMOTE-HQ and join all 4 servers (remote-1, remote-2, remote-3, remote-4) using the RD Connection Broker, can I point port 3389 from the public Internet to the RD Connection Broker server and will it direct connections to a server in the farm, or do I need to also use the RD Gateway service in front of the Connection Broker?
Any help would be appreciated!
Monday, June 04, 2012 5:10 PMModerator
You need both RD Gateway and RD Connection Broker. You would forward tcp port 443 to the RD Gateway. You do not forward port 3389.
When a client from the Internet connects, they will first connect to the RD Gateway on port 443, then the RD Gateway will connect to the farm name (example: farm.yourdomain.com), which will resolve to one of your 4 farm RDSH servers, on port 3389. The RDSH server will contact the RDCB server, and the RDCB will decide which server the client should be redirected to if necessary for load balancing/reconnection purposes.
When a client on your internal network connects they will follow the same process except that they will bypass the RD Gateway and connect directly to your RDSH farm, be redirected, etc.
You will need DNS A records on your internal network for the FQDN of your RDSH farm (one record for each server if using DNS RR) and DNS A records for the FQDN of your RDCB and RD Gateway server. On the external Internet you need a DNS A record for the FQDN of your RD Gateway pointing to the public ip address.
I recommend purchasing a wildcard certificate from a trusted public authority such as GeoTrust, GoDaddy, GlobalSign, Verisgn, Thawte, etc. with a subject of *.yourdomain.com. This will allow you to use a single certificate for all RDS servers and roles. Wildcard certificates are available for less than $100/year.
If you would like to use RD Web Access you may run it on the RD Gateway server if you like.
There are other possible configurations. The above is a basic example.
Monday, June 04, 2012 6:24 PM
So when configuring a RDP connection from home, the user would redirect it to port 443? Example: remote.mydomain.com:443
Monday, June 04, 2012 6:37 PMModerator
No. They would configure the FQDN of the RD Gateway in the Remote Desktop Client options, Advanced tab, Connect from anywhere, Settings button.
In the Computer box they would enter the FQDN of your RDSH farm, for example, remote.mydomain.com
Tuesday, June 12, 2012 11:14 AM
We're having other problems with thin clients - when servers are set up in a farm, the thin clients stop connecting.
Server names are remote-1, remote-2, remote-3, remote-4
There are 4 DNS entries for the farm name "remote-hq" that point to the 4 remote servers, and all 4 servers are in the "Session Directory Computers" security group.
At this point you can no longer connect to any specific server with RDP - such as trying to connect to remote-1 directly, you may get directed to some other server in the farm. This makes admin maintenance difficult as we may need to log into a specific machine. Also thin clients looking for "remote-hq" fail to connect with an error that the machine name does not match the computer name requested in the RDP connector.
Any suggestions? It is time for a paid support call at this point?
Tuesday, June 12, 2012 11:42 AMModerator
When you need to connect to a specific farm server for administrative purposes you need to use the /admin command line switch, like this:
All of the farm servers should have the same certificate with either wildcard of *.yourdomain.com which would cover remote-hq.yourdomain.com, remote-1.yourdomain.com (in the case of you connecting directly to a specific server), etc., or a single-name certificate with remote-hq.yourdomain.com as the subject. With a single-name certificate you will get a certificate warning when connecting to a specific server for administrative purposes because of the name mismatch.
What operating system are you running on your thin clients?
Tuesday, June 12, 2012 12:44 PM
I have not even started on the Gateway setup (which needs the certificate) yet, still trying to gat all internal users on more than one server. Would I need a certificate for each remote server as you described, or only one? If only one, installed where?
The thin clients are Wyse V10L devices using Wyse ThinOS. They do not have gateway server settings (advanced settings), just simple RDP.