Required Product Version
This article describes how to deploy your Barracuda Load Balancer ADC version 5.1, 5.2, 5.3, 5.4, and 6.0 with Microsoft® Remote Desktop Services. The Barracuda Load Balancer ADC increases the performance and reliability of Microsoft Remote Desktop Services by load balancing between multiple terminal servers. It can also maintain session persistence by honoring the routing tokens provided by the Connection Broker, allowing a client that disconnects from an active session on a terminal server to reconnect from another location and resume its session.
Terminology
Term | Definition |
---|---|
Domain Controller | A server that responds to security authentication requests. |
Fully Qualified Domain Name (FQDN) | The unique name for a specific computer or host that can resolve to an IP address (for example, www.example.com). |
Remote Desktop Connection Broker | A component of Remote Desktop Services. Maintains a list of active and disconnected sessions so that a disconnected user is transparently redirected and reconnected to the server. The Connection Broker (also known as the Session Broker) can be configured to load balance remote desktop sessions. However, this guide describes load balancing provided by the Barracuda Load Balancer ADC. |
Remote Desktop Gateway | Reformats information from one network so that it's compatible with another network. |
Remote Desktop Services | Known as Terminal Services in Windows Server 2003 and Windows Server 2008. This component of Microsoft Windows lets users remotely access applications and data. |
Remote Desktop Session Host | The terminal server that runs the applications for the Remote Desktop users. |
Remote Desktop Web Access | Creates a web interface for clients to easily access applications and desktop environments hosted on the session host. |
Routing Token | Redirects users to their existing sessions on the correct terminal server. |
Service | A service is defined by a combination of a virtual IP (VIP) address and one or more TCP/UDP ports that the Barracuda Load Balancer ADC listens on. Traffic arriving over the specified ports is directed to one of the real servers associated with that service. |
Microsoft TechNet References
For Windows Server 2008 R1:
For Windows Server 2008 R2:
For Windows Server 2012:
Remote Desktop Services Deployment Options
Deployments of Remote Desktop Services are supported in either a Choosing Your Deployment Mode and Service Types, with either a single or multiple subnet configuration. Unless users must directly access individual servers, it is recommended that the servers be placed in one or more subnets that are reachable by an internal-facing port of the Barracuda Load Balancer ADC. If clients must directly access individual servers, a one-armed deployment is recommended.
Direct Server Return (DSR) is not supported in a Remote Desktop Services deployment.
Deployment Scenario
Prerequisites
To complete this procedure, you must have the following:
- Windows Server 2008 R2 or newer. Barracuda Networks recommends using the latest release of Windows Server.
- The Barracuda Load Balancer ADC must be connected to the web interface with its subscription activated.
- If you want to deploy Remote Desktop Services with high availability, cluster two or more Barracuda Load Balancer ADCs. For more information, see High Availability.
Step 1. Configure the Servers
- Set up the servers that provide the Remote Desktop Services.
- Configure the Remote Desktop (RD) Session Host, RD Web Access (optional), and RD Gateway (optional) on at least 2 servers so they can be load balanced.
- If you deploy an RD Licensing Server, ensure that it is properly configured and operational.
- Install and configure the necessary certificates for each role on each server.
- If you deploy an RD Gateway, configure the gateway server name (under deployment properties). The gateway server name is tied to the FQDN. The FQDN is tied to the DNS entry you create for the VIP.
- When you have deployed a Session or Connection Broker, you must also complete the steps listed in this article: Remote Desktop Services Configuration When the Session or Connection Broker Is Deployed.
Step 2. Create Services on the Barracuda Load Balancer ADC
Add the Remote Desktop Service on the active Barracuda Load Balancer ADC (you can load balance any of these services):
- Go to the BASIC > Certificates page, and create or upload a certificate for the service.
- Go to the BASIC > Services page.
- To add a Remote Desktop service (RDP, RDWeb, or RD Gateway), click Add Service.
If you are load balancing Remote Desktop Session Hosts, configure the RDP Session Host services as follows:
Table 1. RDP Session Host Services
Name | Type | IP Address | Port | Session Timeout | Load Balancing | Server Monitor |
---|---|---|---|---|---|---|
RDP | TCP Proxy | VIP address for the FQDN of your Remote Desktop Service. For example: 10.5.7.193 | 3389 | 1800 | Persistence Type: Source IP | Testing Method: RDP Test. Ensure that your session host servers do not require NLA (Network Level Authentication) clients. |
If you are load balancing Remote Desktop Session Hosts with a Connection Broker, configure the RDP Session Host services as follows:
Table 2. RDP Session Hosts with a Connection Broker
Name | Type | IP Address | Port | Session Timeout | Load Balancing | Server Monitor |
---|---|---|---|---|---|---|
RDP | RDP Proxy | VIP address for the FQDN of your Remote Desktop Service. For example: 10.5.7.193 | 3389 | 1800 | N/A | Testing Method: RDP Test. Ensure that your session host servers do not require NLA (Network Level Authentication) clients. |
If you are load balancing Remote Desktop Session Hosts and Remote Desktop Gateway Servers with a Connection Broker, configure the RDP Session Host services as follows:
Table 3. RDP Session Hosts and RD Gateway Servers with a Connection Broker
Name | Type | IP Address | Port | Session Timeout | Load Balancing | Server Monitor |
---|---|---|---|---|---|---|
RDP | RDP Proxy | VIP address for the FQDN of your Remote Desktop Service. For example: 10.5.7.193 | 3389 | 1800 | N/A | Testing Method: RDP Test. Ensure that your session host servers do not require NLA (Network Level Authentication) clients. |
If you are load balancing only Remote Desktop Gateway Server(s) with a Connection Broker 2008R2, configure the Remote Desktop Gateway Services as follows:
Table 4. RD Gateway Services with a Connection Broker 2008R2
Name | Type | IP Address | Port | Session Timeout | Load Balancing | Server Monitor |
---|---|---|---|---|---|---|
RD_GATEWAY_RDWeb | HTTPS or Instant SSL | VIP address for the FQDN of your RD Gateway. For example: 10.5.7.193 | 443 | 1800 | Persistence Type: HTTP Header; Header Name: Authorization; Persistence Time: 1200 | Testing Method: Simple HTTPS; Test Target: /rdweb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx; Additional Headers: User-Agent: Barracuda Load Balancer ADC Server Monitor; Status Code: 200; Test Delay: 30 seconds; HTTP Method: HEAD |
If you are load balancing only Remote Desktop Gateway Server(s) with a Connection Broker 2012R2, configure the Remote Desktop Gateway Services as follows:
Table 5. RD Gateway Servers with a Connection Broker 2012R2
Name | Type | IP Address | Port | Session Timeout | Load Balancing | Server Monitor |
---|---|---|---|---|---|---|
RD_GATEWAY_RDWeb | HTTPS, Instant SSL, or UDP Proxy | VIP address for the FQDN of your RD Gateway. For example: 10.5.7.193 | 443 (HTTPS); 3391 (UDP Proxy) | 1800 | Service Groups Persistence Type: Source IP; Persistence Time: 1200 | Testing Method: Simple HTTPS; Test Target: /rdweb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx; Additional Headers: User-Agent: Barracuda Load Balancer ADC Server Monitor; Status Code: 200; Test Delay: 30 seconds; HTTP Method: HEAD |
If you are load balancing both Remote Desktop Session Hosts and Remote Desktop Gateway Server(s) with a Connection Broker 2008R2, configure the RDP and Remote Desktop Gateway Services as follows:
Table 6. RDP and RD Gateway Services with a Connection Broker 2008R2
Name | Type | IP Address | Port | Session Timeout | Load Balancing | Server Monitor |
---|---|---|---|---|---|---|
RDP | RDP Proxy | VIP address for the FQDN of your Remote Desktop Service. For example: 10.5.7.193 | 3389 | 1800 | Persistence Type: Source IP; Persistence Time: 1200 | Testing Method: RDP Test. Ensure that your session host servers do not require NLA (Network Level Authentication) clients. |
RD_GATEWAY_RDWeb | HTTPS or Instant SSL | VIP address for the FQDN of your RD Gateway. For example: 10.5.7.193 | 443 | 1800 | Persistence Type: HTTP Header; Header Name: Authorization; Persistence Time: 1200 | Testing Method: Simple HTTPS; Test Target: /rdweb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx; Additional Headers: User-Agent: Barracuda Load Balancer ADC Server Monitor; Status Code: 200; Test Delay: 30 seconds; HTTP Method: HEAD |
On the BASIC > Services page for the RD_GATEWAY_RDWeb service, configure the following:
- SSL Settings section (only for Instant SSL service type):
  - Secure Site Domain - Enter the domain name of your Remote Desktop Services server. If the internal and external domain are different, you can use wildcard characters. For example: *.barracuda.com.
  - If your Barracuda Load Balancer ADC is running version 5.1.1 and above, set the Rewrite Support option to Off. For versions below 5.1.1, this option is named Instant SSL.
- Certificates section:
  - Select the certificate that was uploaded for the service.
If you are load balancing both Remote Desktop Session Hosts and Remote Desktop Gateway Server(s) with a Connection Broker 2012R2, configure the RDP and Remote Desktop Gateway Services as follows:
Table 7. RDP Session Hosts and RD Gateway Services with a Connection Broker 2012R2
Name | Type | IP Address | Port | Session Timeout | Load Balancing | Server Monitor |
---|---|---|---|---|---|---|
RDP | RDP Proxy | VIP address for the FQDN of your Remote Desktop Service. For example: 10.5.7.193 | 3389 | 1800 | Persistence Type: Source IP; Persistence Time: 1200 | Testing Method: RDP Test. Ensure that your session host servers do not require NLA (Network Level Authentication) clients. |
RD_GATEWAY_RDWeb | HTTPS, Instant SSL, or UDP Proxy | VIP address for the FQDN of your RD Gateway. For example: 10.5.7.193 | 443 (HTTPS); 3391 (UDP Proxy) | 1800 | Service Group Persistence Type: Source IP; Header Name: Authorization; Persistence Time: 1200 | Testing Method (HTTPS): Simple HTTPS; Test Target: /rdweb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx; Additional Headers: User-Agent: Barracuda Load Balancer ADC Server Monitor; Status Code: 200; Test Delay: 30 seconds; HTTP Method: HEAD |
On the BASIC > Services page for the RD_GATEWAY_RDWeb service, configure the following:
- SSL Settings section (only for Instant SSL service type):
  - Secure Site Domain - Enter the domain name of your Remote Desktop Services server. If the internal and external domain are different, you can use wildcard characters. For example: *.barracuda.com.
  - If your Barracuda Load Balancer ADC is running version 5.1.1 and above, set the Rewrite Support option to Off. For versions below 5.1.1, this option is named Instant SSL.
- Certificates section:
  - Select the certificate that was uploaded for the service.
Step 3. Add the Real Servers
Add your Remote Desktop servers to your services. For each Remote Desktop server:
- On the BASIC > Services page, verify that the correct service for the server is displayed.
- Click Add Server.
- Enter the IP address and port of the server.
- If you are adding the Session Host server to an RDP service, use Port 3389.
- If you are adding the Web or Gateway server to an RD_GATEWAY_RDWeb service, use Port 443.
- If the server is part of a cluster, specify whether it is a Backup server and enter its Weight for the load balancing algorithm.
- If you are adding the server to an RD_GATEWAY_RDWeb service, enable SSL.
- Set Server uses SSL to On. If you do not enable the server to use SSL, unencrypted traffic is passed to the server because the Barracuda Load Balancer ADC decrypts incoming traffic to maintain session persistence using HTTP cookies.
- Select the certificate that was uploaded for the service.
- Click Create.
Step 4. Configure the DNS
Create an A record that points to the VIP address that you set on the Barracuda Load Balancer ADC for the Remote Desktop Service.
For example, if you want to use the name rdp and your domain is barracuda.com, your A record would appear as follows:
Name | IP Address |
---|---|
rdp.barracuda.com | |
Step 5. Configure an HTTP Request Rewrite Rule (Optional)
To simplify access to the Remote Desktop Web Services site for your users, you can configure a rewrite rule that automatically adds /rdweb to the end of the URL.
- Go to the TRAFFIC > Web Translations page.
- From the Service list, select the RD_GATEWAY_RDWeb service you configured for RDWeb Access.
- In the HTTP Request Rewrite section, click Add Rule and enter the values in the corresponding fields.

Rule Name | Sequence Number | Action | Old Value | Rewrite Value | Rewrite Condition |
---|---|---|---|---|---|
RDWeb | 3 | Redirect URL | / | /rdweb | * |

- Click Save.
Verify Your Configuration
- Create two test users that have permission to log into Remote Desktop Services (for example, testuser1 and testuser2).
- Using Remote Desktop Connection, connect testuser1 to the Virtual IP Address. Open Notepad and enter some text; do not close Notepad.
- Click Start > Disconnect.
- Connect testuser2 to the same Virtual IP Address.
- Once testuser2 is logged in, click Start > Disconnect.
- Log in testuser1 again and ensure it reconnects to the session with Notepad open.
- Log in testuser2 again and ensure the session reconnects to the testuser2 session.
If you have RD Web Access configured, verify that it is working by navigating to the FQDN that you set in the A record in Step 4 and verify that the page displays correctly.
Example: https://rdp.barracuda.com/rdweb without the redirect rule, or rdp.barracuda.com with the Instant SSL service and redirect rule configured.
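
A scripted pre-check to run before the manual session test above, added here as an example and not part of the Barracuda documentation. It confirms that the Step 4 A record resolves to the VIP, that the VIP listens on the service ports, and that each real server answers the Server Monitor request from Step 2 with status 200. The real server names are hypothetical placeholders, and the script assumes the workstation trusts the certificates installed in Step 1 and that they match those names.

```powershell
# Added example. Values are this guide's examples or labelled placeholders.
$Fqdn        = 'rdp.barracuda.com'   # A record from Step 4
$Vip         = '10.5.7.193'          # example VIP from the service tables
$RealServers = @('rdgw1.example.internal', 'rdgw2.example.internal')  # hypothetical real servers
$MonitorPath = '/rdweb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx'
$MonitorUA   = 'Barracuda Load Balancer ADC Server Monitor'

# Windows PowerShell 5.1 may not offer TLS 1.2 by default.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$results = @()

# 1. The A record must resolve to the VIP, not to an individual real server.
$resolved = @(Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
$results += [pscustomobject]@{
    Check = "DNS $Fqdn -> $Vip"; Pass = ($resolved -contains $Vip); Detail = ($resolved -join ',') }

# 2. The VIP must accept TCP on the RDP (3389) and HTTPS (443) service ports.
foreach ($port in 3389, 443) {
    $ok = (Test-NetConnection -ComputerName $Vip -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    $results += [pscustomobject]@{ Check = "TCP ${Vip}:$port"; Pass = $ok; Detail = '' }
}

# 3. Send each real server the same request as the Simple HTTPS monitor:
#    HEAD on the test target with the monitor's User-Agent, expecting 200.
foreach ($server in $RealServers) {
    try {
        $resp = Invoke-WebRequest -Uri "https://$server$MonitorPath" -Method Head `
            -UserAgent $MonitorUA -UseBasicParsing -ErrorAction Stop
        $code = [int]$resp.StatusCode
    } catch {
        $code = 0   # 0 = no HTTP response (TLS failure, timeout, name not resolved)
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
    }
    $results += [pscustomobject]@{ Check = "Monitor HEAD $server"; Pass = ($code -eq 200); Detail = "HTTP $code" }
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

A real server that fails check 3 will also be marked down by the Server Monitor, so fix it before testing session reconnection through the VIP.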