UAG Directaccess and RD Connection Broker?

  • Question


    Hi, 

    I have a problem with UAG and my Remote Desktop solution. 

    Setup: 

    All servers are Windows 2008 R2

    All clients are Windows 7 x64 Enterprise

    UAG 2010 (current update) configured with DirectAccess

    1 Remote Desktop Connection Broker

    2 Remote Desktop Session Host

    Users connect through the DirectAccess tunnel to the RD server with mstsc.exe and the farm name. I only use full desktop, no RemoteApp or VDI.

     

    Everything works if I disable RD Connection Broker and let the users connect to the servername

     

    Problem:
    When the users connect and enter their domain credentials at the initial Terminal Session Broker one of two things happens

    1.     If the Connection Broker tells the initial TS Broker that it is to use another server in the farm as the Session Host then the connection fails and the RD client gives a generic timed-out error.

    2.     If the Connection Broker tells the initial TS Broker to use itself as the Session Host then the session continues as normal and logs the user on as normal.

     

    Regards /J


    jaek

     

     


    Tuesday, May 24, 2011 12:23 PM

Answers

  • Hi,
    Quick summary:
    I use RDP to a farm through a DA tunnel and have two RDCB inside my LAN; I also have a firewall between my UAG and my RDCB.
    The problem was that the DA client cannot find its way back to the RDS server when the RDCB did a redirection to another server in the farm; this is normal behavior for a DA client with only IPv4 configured (see earlier post).
    I got it to work with the following config:
    - IPv6 activated on RDS servers
    - ISATAP address on RDS servers
    - Protocol 41 open between my VLANs (for the ISATAP traffic)
    - Activate the ISATAP address in RD Connection Broker settings on the RDS server, select both IPv4 and ISATAP
    When I configure ISATAP as the reconnection address, the DA client "finds" its way back to the redirected RDS server.
    The ISATAP address works because the DA client sees it as an internal address and sends the reconnection back through the DA tunnel.
    Regards /J

    jaek
    • Marked as answer by Jaek (SP) Wednesday, June 15, 2011 8:42 AM
    Wednesday, June 15, 2011 8:42 AM
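
Added example, not part of the original thread: a small model of why the IPv4 reconnection address fails for a DirectAccess client while the ISATAP one works. The intranet prefix, the sample addresses and the function names are constructed for illustration, and the rule "only IPv6 destinations inside the intranet prefix go through the tunnel" is a simplifying assumption.

```python
import ipaddress

# Assumed intranet IPv6 prefix routed over the DA tunnel (documentation
# prefix, constructed for this example).
INTRANET_PREFIX = ipaddress.ip_network("2001:db8:cafe::/48")

# Constructed reconnection addresses a broker could hand out for one RDS host.
# 0a00:140c is 10.0.20.12 written in hex.
SAMPLE_REDIRECTS = [
    "10.0.20.12",                        # default IPv4 redirection
    "2001:db8:cafe:1:0:5efe:a00:140c",   # global ISATAP address
    "fe80::5efe:a00:140c",               # link-local ISATAP address
]

def isatap_embedded_ipv4(target):
    """Return the IPv4 address embedded in an ISATAP address, else None.

    RFC 5214: the interface identifier is 0000:5efe (or 0200:5efe)
    followed by the 32-bit IPv4 address of the host.
    """
    addr = ipaddress.ip_address(target)
    if addr.version != 6:
        return None
    iid = int(addr) & ((1 << 64) - 1)          # low 64 bits
    if (iid >> 32) not in (0x00005EFE, 0x02005EFE):
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)

def classify_redirect(target, intranet=INTRANET_PREFIX):
    """Model where a DA client sends a redirect to a literal address."""
    addr = ipaddress.ip_address(target)
    if addr.version == 4:
        # IPv4 literal: no name to resolve to IPv6, so the client uses
        # its local interface and never reaches the farm.
        return "local-interface"
    if addr in intranet:
        return "da-tunnel"
    return "not-tunneled"                      # e.g. link-local ISATAP

def tunnel_reachable(targets, intranet=INTRANET_PREFIX):
    """Keep only the reconnection addresses that would use the tunnel."""
    return [t for t in targets if classify_redirect(t, intranet) == "da-tunnel"]

if __name__ == "__main__":
    for t in SAMPLE_REDIRECTS:
        print(t, classify_redirect(t), isatap_embedded_ipv4(t))
```
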

All replies

  • Anyone?

    It looks like the reply from RDCB doesn't get back to the client...

     

    //J


    jaek
    Wednesday, May 25, 2011 8:29 AM
  • Is anyone using a Connection Broker in a Directaccess solution?
    Friday, May 27, 2011 7:39 AM
  • Hi Amig@. How does the broker work? Does it inform the DA client to open a new connection to the back-end server? If so, does it refer the new connection by name or IP address?

    regards


    // Raúl - I love this game
    Friday, May 27, 2011 9:00 AM
  • Hi,

    I do not see any new connection created in UAG.

    It looks like when RDCB redirects the connection to another RD server, the client does not get the data.

    The connection comes from UAG's internal IP address; could this be the problem? That the RDCB does not "find" its way back to the client?

     

    Has anyone gotten it to work with a Connection Broker in a DirectAccess solution?


    jaek
    Friday, May 27, 2011 11:52 AM
  • Hi Amig@. When connecting to the broker from the internal network, to where is the client redirected? To an IP address or to a FQDN name?

     

    Regards


    // Raúl - I love this game
    Sunday, May 29, 2011 7:39 PM
  • Hi Amig@. I found this:

    By default, a terminal server uses IP address redirection, where a client queries TS Session Broker and is redirected to their existing session by using the IP address of the server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to terminal servers in the farm.

    This suggests to me that the issue with DirectAccess is that the broker is sending a redirection to the DA client to go to an IP and not to a computer name (the DA client needs a name that can be resolved by UAG to an IPv6 address). The DA client will try to reach that IP through its local network interface, not through the DA tunnel. I am not sure if the behavior of the broker can be changed.

    Regards


    // Raúl - I love this game
    Monday, May 30, 2011 11:30 AM
  • Can confirm this, do a netmon trace on your client and you will see when it's redirected it tries to reach the server by IP address. We disabled IP address redirection in the GPO on the RDS servers.
    Regards, Alfred
    Monday, May 30, 2011 3:07 PM
  • Hi,

    I tried to activate Token Redirection, and with this it looks like it works, but in the logs it turns out that the Connection Broker does not redirect the connection. This means that the Connection Broker does not work, and only DNS Round Robin is used.

    I don't know if Token Redirection works if I have 2 UAG in an array with NLB...

    Do you have a single UAG (DA)?

    Regards


    jaek
    Tuesday, May 31, 2011 1:01 PM
  • To the IP address.

     

    //J


    jaek
    Tuesday, May 31, 2011 2:31 PM
  • Hi,
    I ran netmon on the client, and when a redirection is done the client cannot find its way back to the RD server. This is probably due to what RMoros describes: the DA client cannot find its way back to the internal network.
    Can Microsoft confirm that RDCB does not work with a UAG DA solution?
    Can IP redirection be changed to FQDN redirection?
    I tried to activate Token Redirection, and with this it looks like it works, but in the logs it turns out that the Connection Broker does not redirect the connection; the client connects to the server that is first in the DNS list. This means that load balancing is only DNS Round Robin...
    I don't know if Token Redirection works if I have 2 UAG in an array with NLB...
    Regards

    jaek
    Tuesday, May 31, 2011 2:38 PM
  • Can I configure the Connection Broker to send an FQDN to the client?

    The default setting is IP address redirection.

    Regards /J


    jaek
    Tuesday, June 7, 2011 5:48 AM
  • I know this thread is old, but I'm just wondering how you added the ISATAP address to the broker.  The ISATAP address doesn't show up as a selectable option, only the IPv4 address does.
    Thursday, October 24, 2013 1:34 PM