RD Session Broker + NLB doesn't work for external users (internal users on network/WAN are OK)

  • Question

  • Hi all,

    I have run into an issue as the title of this question suggests.

    So the scenario is, I have (all virtual):

    2x 2008 R2 Remote Desktop Servers

    1x 2008 R2 with Session Broker installed

    I haven't configured any RD settings on the session broker server (i.e. RD Virtualization Host, RD Gateway, etc.). It's purely set up as the RD Connection Broker.

    On each of the RD servers I have configured 2 NICs. The 1st NIC is configured with NLB (NLB is only set up for traffic on port 3389; all other traffic isn't handled by NLB). The other NIC is configured to be used only for session reconnection. I'm hoping this is the right configuration, as it's how I have interpreted these guides:

    http://technet.microsoft.com/en-us/library/cc772418%28WS.10%29.aspx

    http://technet.microsoft.com/en-us/library/cc771300%28WS.10%29.aspx

    Please correct me if I have set up the servers incorrectly and tell me what should be done differently.

    I have set up the NLB cluster IP. A rule has been set on the router to make it available externally.

    This worked fine with an old single RD server (same IP as the NLB cluster IP, currently offline so no conflict) before the RD farm was implemented. So I know the port forwarding is OK.

    So NLB and Connection Broker load balancing work well for users inside the network. It spreads sessions evenly and there is no problem with DNS resolving the farm name, etc. Sessions that are disconnected are reconnected to the same server, etc.

    Accessing the TS farm from the external address isn't so successful.

    Connectivity is random. Rarely it works; sometimes it gets to "initiating remote connection..." and then disconnects. It doesn't work more times than it does.

    So what do I need to do to get this working? Is there another component or something else that I need to configure to get it all working?

    I look forward to your help.

    Thanks,

    Trent

    Tuesday, January 4, 2011 12:14 PM

Answers

  • Hi Trent,

    Generally, when a user connects through the initial load-balancing mechanism (NLB) they will be redirected to the RDSH server with the least load based on your NLB settings, and the RDSH server then contacts the RD Connection Broker to find out whether this user has an existing (disconnected, idle or active) session; if so, the session will be redirected to the RDSH server that holds that session. Hence I think the RDS server will directly talk with the external user through the local IP address, not the cluster IP.

    Furthermore, have you configured the self-signed certificate on the RDS server? If so, please also import this certificate into the external client through the computer account.

    If you are interested in deploying Remote Desktop Gateway, please refer to the step-by-step guide below:

    Deploying Remote Desktop Gateway Step-by-Step Guide

    http://technet.microsoft.com/en-us/library/dd983941(WS.10).aspx

    Thanks.

    Tuesday, January 11, 2011 3:10 AM

All replies

  • I just wanted to add too that when you connect externally you are prompted for authentication and to accept the unsigned certificate. So it appears to be connecting to the server and then authenticating correctly, as it accepts the username and password and rejects it if it's an incorrect password.

    Hope that gives some further insight.

    Tuesday, January 4, 2011 12:22 PM
  • Hi Trent,

    If both the RD Session Broker and the NLB are working fine in the internal network, I suspect that there is something wrong with the external connection. I'd like to confirm the following questions to narrow down this issue:

    1. Can you ping and telnet to this RDS farm name when encountering the "disconnect" issue? For example: telnet farmname 3389.

    2. Can you individually connect to the RDS server when failing to connect to it via the farm name?

    3. Did you configure any certificate on the RDS server or RD Gateway server?

    4. Do you get any event log entry when this issue happens on the server and client side? If yes, please let me know it word-for-word, including the event ID.

    Thanks.

    Thursday, January 6, 2011 1:18 AM
  • TrentL,
    If you are sure things are working correctly inside, then I would look at how your rule is setup in your router. Do you show anything in your router logs? What about event logs on the server?

    In the past you had to use two NICs if you were using Unicast, but now unicast supports the intracluster communication on one NIC. So that is nice. I never had to use a second NIC just for reconnects.

    If you are giving direct access to the IP externally, I would advise you to stand up RD Gateway instead.

    In your present situation, how do you actually access the farm from outside your network, meaning, what name are you using? It must be an externally known DNS entry that resolves to your router, and then gets sent to the farm name?

    Hope this helps,

    Kristin L. Griffin

    SUPER BIG fan of the Remote Desktop Virtualization Team!!!

    My RDS blog: blog.kristinlgriffin.com

    The new Microsoft Windows Server 2008 R2 Remote Desktop Services Resource Kit is now available!
    Thursday, January 6, 2011 1:25 AM
  • Thanks for the replies. Sorry for the delay in response.

    OK so I'll answer the questions the best I can

    @Alan

    1. Ping from external is no go as we have ICMP turned off. I was able to telnet to the farm successfully.

    2. Yes, I have no problem connecting to the servers in the farm individually. I can only do this internally.

    3. At this point I am only using the self signed certificates. I'm assuming there's no problem there.

    4. That was one of the first things I checked and there is no corresponding event logs that relate to this in either the application or system log. There's also no Audit failure events in the security log.

    @Kristin

    I don't have access to the event logs on the router at this time but I will see if I can arrange some logging when I'm testing this.

    Remote access is done by remoting to mail.domain.com.au:3390; the router then routes 3390 traffic to 3389 on internal IP x.x.x.99, and x.x.x.99 is the NLB cluster IP. I'm wondering if this is where the problem lies. Once the initial connection is made to the NLB cluster IP, which then goes to one of the RDS servers, does that server try to talk to the external connection through its local IP or does it go back out through the cluster IP? Could that limitation in the routing prevent it from working correctly?

    Is there any information on how to configure the TS Gateway and get it to work with Session Broker? I have no use for RemoteApps or virtualised desktops at this time.

    Thanks again,

    Trent

    Monday, January 10, 2011 11:46 PM
  • Hello.
    I'm having the same problem.
    Did you solve it?
    How?
    Thanks

    If this helped, please rate it.
    Tuesday, March 22, 2011 1:53 PM
  • Did you ever find a proper solution for routing the RDP requests through the router to the session hosts/broker?
    I'm having a very similar issue now and pulling my hair out trying to sort it.

    Thanks

    Thursday, May 19, 2011 3:34 PM
  • I am having very similar issues! I haven't messed with the certificate yet, but it was working initially and just stopped (from the outside)! Internally all is well. I am using an enterprise SonicWall 4300 firewall and opened up ICMP and 3389, and can telnet to the farm's external IP, but after I get to "Initiating connection" it fails! ANY HELP IS GREATLY APPRECIATED!!
    Wednesday, February 29, 2012 2:47 AM
  • This issue seems to be related to a FW/Router problem.

    When you connect to the NLB address and then get routed to one of the hosts in the NLB cluster the traffic then only communicates between the source and the physical server in the cluster. My guess here is that you need to add a rule in your FW/Router allowing RDP (3389) traffic not only to the NLB address but also to the servers in the cluster.

    Thursday, July 26, 2012 6:41 AM
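    The pattern described in this reply (the initial connect to the NLB address works, the follow-on traffic to an individual host is dropped) can be checked from the outside before touching firewall rules. The following PowerShell is an added example, not code from the thread; it assumes each session host has its own externally published endpoint (the extra NAT policy the later replies mention), and the host names and ports are placeholders.

```powershell
# Added diagnostic, not from the thread. Run from the EXTERNAL client.
# Placeholders: replace with the farm's published name/port and the
# published endpoint of each session host.
$Endpoints = @(
    @{ Role = 'farm (NLB VIP via NAT)'; Host = 'mail.example.com.au';  Port = 3390 },
    @{ Role = 'RDSH1 (host NAT)';       Host = 'rdsh1.example.com.au'; Port = 3391 },
    @{ Role = 'RDSH2 (host NAT)';       Host = 'rdsh2.example.com.au'; Port = 3392 }
)
$Attempts = 5   # repeat: NLB may hand each attempt to a different node

function Test-RdsEndpoint {
    param([string]$ComputerName, [int]$Port, [int]$Count)
    $ok = 0
    for ($i = 0; $i -lt $Count; $i++) {
        # Test-NetConnection (Windows 8.1 / 2012 R2 and later) does a plain TCP connect.
        $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) { $ok++ }
    }
    [pscustomobject]@{ Target = "$ComputerName`:$Port"; Succeeded = $ok; Attempts = $Count }
}

$results = foreach ($e in $Endpoints) {
    Test-RdsEndpoint -ComputerName $e.Host -Port $e.Port -Count $Attempts |
        Add-Member -NotePropertyName Role -NotePropertyValue $e.Role -PassThru
}
$results | Format-Table Role, Target, Succeeded, Attempts -AutoSize

# Reading the table: the farm endpoint answering every time while a host
# endpoint never answers is the situation this thread describes, and points
# at the firewall/NAT policy for that host rather than at NLB or the broker.
```

    A host whose endpoint answers only on some attempts usually means the test itself is being load balanced; compare against the host's direct endpoint rather than the farm address.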
  • I had this issue, adding an additional NAT policy to my firewall allowing RDS traffic to my second RDS server resolved the issue.
    Thursday, July 25, 2013 1:22 PM
  • I had this issue, adding an additional NAT policy to my firewall allowing RDS traffic to my second RDS server resolved the issue.

    Can you detail what the additional NAT policy in the firewall allowing the RDS traffic to the 2nd RDS Server was like?

    Also did you have the Participate in load balancing option in the Connection broker on each RDS server?

    Thursday, August 1, 2013 2:33 AM
  • I am also interested in more details on this solution as I believe I am having the same problem. 2 servers on an NLB with one of them configured as the session broker - works perfectly for all internal users, but externally sometimes users get on, other times not, and I think it is because the firewall isn't allowing the session to be toggled between the two servers in the farm once the connection is established. Any clarification on the type of firewall entry needed would be great.

    JeremySadler

    Monday, October 21, 2013 12:29 PM
  • Same issues here. Anyone have a solution? I'm in agreement that it's the fact that the firewall is confused when it's seeing traffic from a different IP replying to these requests.
    Friday, April 4, 2014 11:56 PM
  • Did anyone ever sort this??
    Tuesday, August 1, 2017 11:25 AM
  • 1st: look into affinity rules in your NLB configuration.

    2nd: look into the gateway event log and search for event ID 210.

    If there is error 210, think about the SSL / TCP persistency for RDP traffic.

    Friday, June 19, 2020 11:51 AM