Barracuda Load Balancer ADC

Remote Desktop Services Deployment (Including Remote Desktop Gateway)

Required Product Version
This article describes how to deploy your Barracuda Load Balancer ADC version 5.1, 5.2, 5.3, 5.4, and 6.0 with Microsoft® Remote Desktop Services.

The Barracuda Load Balancer ADC increases the performance and reliability of Microsoft Remote Desktop Services by load balancing between multiple terminal servers. It can also maintain session persistence by honoring the routing tokens provided by the Connection Broker, allowing a client that disconnects from an active session on a terminal server to reconnect from another location and resume its session.

Terminology

  • Domain Controller - A server that responds to security authentication requests.
  • Fully Qualified Domain Name (FQDN) - The unique name for a specific computer or host that can resolve to an IP address (for example, www.example.com).
  • Remote Desktop Connection Broker - A component of Remote Desktop Services. Maintains a list of active and disconnected sessions so that a disconnected user is transparently redirected and reconnected to the server. The Connection Broker (also known as the Session Broker) can be configured to load balance remote desktop sessions. However, this guide describes load balancing provided by the Barracuda Load Balancer ADC.
  • Remote Desktop Gateway - Reformats information from one network so that it's compatible with another network.
  • Remote Desktop Services - Known as Terminal Services in Windows Server 2003 and Windows Server 2008. This component of Microsoft Windows lets users remotely access applications and data.
  • Remote Desktop Session Host - The terminal server that runs the applications for the Remote Desktop users.
  • Remote Desktop Web Access - Creates a web interface for clients to easily access applications and desktop environments hosted on the session host.
  • Routing Token - Redirects users to their existing sessions on the correct terminal server.
  • Service - A service is defined by a combination of a virtual IP (VIP) address and one or more TCP/UDP ports that the Barracuda Load Balancer ADC listens on. Traffic arriving over the specified ports is directed to one of the real servers associated with that service.

Remote Desktop Services Deployment Options

Deployments of Remote Desktop Services are supported in the deployment modes described in Choosing Your Deployment Mode and Service Types, with either a single or multiple subnet configuration. Unless users must directly access individual servers, it is recommended that the servers be placed in one or more subnets that are reachable by an internal-facing port of the Barracuda Load Balancer ADC. If clients must directly access individual servers, a one-armed deployment is recommended.

Direct Server Return (DSR) is not supported in a Remote Desktop Services deployment.

Deployment Scenario

[Figure: Remote Desktop Services deployment diagram]

Prerequisites

To complete this procedure, you must have the following:

  • Windows Server 2008 R2 or newer. Barracuda Networks recommends using the latest release of Windows Server.
  • The Barracuda Load Balancer ADC must be connected to the web interface with its subscription activated. 
  • If you want to deploy Remote Desktop Services with high availability, cluster two or more Barracuda Load Balancer ADCs. For more information, see High Availability.

Step 1. Configure the Servers

  1. Set up the servers that provide the Remote Desktop Services.
  2. Configure the Remote Desktop (RD) Session Host, RD Web Access (optional), and RD Gateway (optional) on at least 2 servers so they can be load balanced.
  3. If you deploy an RD Licensing Server, ensure that it is properly configured and operational.
  4. Install and configure the necessary certificates for each role on each server.
  5. If you deploy an RD Gateway, configure the gateway server name (under deployment properties). The gateway server name is tied to the FQDN. The FQDN is tied to the DNS entry you create for the VIP.
  6. When you have deployed a Session or Connection Broker, you must also complete the steps listed in this article: Remote Desktop Services Configuration When the Session or Connection Broker Is Deployed.

Step 2. Create Services on the Barracuda Load Balancer ADC

Add the Remote Desktop Service on the active Barracuda Load Balancer ADC (you can load balance any of these services):

  1. Go to the BASIC > Certificates page, and create or upload a certificate for the service.
  2. Go to the BASIC > Services page.
  3. To add a Remote Desktop service (RDP, RDWeb, or RD Gateway), click Add Service.
    • If you are load balancing Remote Desktop Session Hosts, configure the RDP Session Host services as follows:

      Table 1. RDP Session Host Services

      Name: RDP
      Type: TCP Proxy
      IP Address: VIP address for the FQDN of your Remote Desktop Service (for example: 10.5.7.193)
      Port: 3389
      Session Timeout: 1800
      Load Balancing:
      • Persistence Type: Source IP
      Server Monitor:
      • Testing Method: RDP Test
      • Ensure that your session host servers do not require NLA (Network Level Authentication) clients.

    • If you are load balancing Remote Desktop Session Hosts with a Connection Broker, configure the RDP Session Host services as follows:

      Table 2. RDP Session Hosts with a Connection Broker

      Name: RDP
      Type: RDP Proxy
      IP Address: VIP address for the FQDN of your Remote Desktop Service (for example: 10.5.7.193)
      Port: 3389
      Session Timeout: 1800
      Load Balancing: N/A
      Server Monitor:
      • Testing Method: RDP Test
      • Ensure that your session host servers do not require NLA (Network Level Authentication) clients.

      On the Remote Desktop Session Hosts, enable token redirection.

    • If you are load balancing Remote Desktop Session Hosts and Remote Desktop Gateway Servers with a Connection Broker, configure the RDP Session Host services as follows:

      Table 3. RDP Session Hosts and RD Gateway Servers with a Connection Broker

      Name: RDP
      Type: RDP Proxy
      IP Address: VIP address for the FQDN of your Remote Desktop Service (for example: 10.5.7.193)
      Port: 3389
      Session Timeout: 1800
      Load Balancing: N/A
      Server Monitor:
      • Testing Method: RDP Test
      • Ensure that your session host servers do not require NLA (Network Level Authentication) clients.

    • If you are load balancing only Remote Desktop Gateway Server(s) with a Connection Broker 2008R2, configure the Remote Desktop Gateway Services as follows:

      Table 4. RD Gateway Services with a Connection Broker 2008R2

      Name: RD_GATEWAY_RDWeb
      Type: HTTPS or Instant SSL
      IP Address: VIP address for the FQDN of your RD Gateway (for example: 10.5.7.193)
      Port: 443
      Session Timeout: 1800
      Load Balancing:
      • Persistence Type: HTTP Header
      • Header Name: Authorization
      • Persistence Time: 1200
      Server Monitor:
      • Testing Method: Simple HTTPS
      • Test Target: /rdweb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx
      • Additional Headers: User-Agent: Barracuda Load Balancer ADC Server Monitor
      • Status Code: 200
      • Test Delay: 30 seconds
      • HTTP Method: HEAD

    • If you are load balancing only Remote Desktop Gateway Server(s) with a Connection Broker 2012R2, configure the Remote Desktop Gateway Services as follows:

      Table 5. RD Gateway Servers with a Connection Broker 2012R2

      Name: RD_GATEWAY_RDWeb
      Type: HTTPS, Instant SSL, or UDP Proxy
      IP Address: VIP address for the FQDN of your RD Gateway (for example: 10.5.7.193)
      Port: 443 (HTTPS), 3391 (UDP Proxy)
      Session Timeout: 1800
      Load Balancing:
      • Service Groups Persistence Type: Source IP
      • Persistence Time: 1200
      Server Monitor:
      • Testing Method: Simple HTTPS
      • Test Target: /rdweb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx
      • Additional Headers: User-Agent: Barracuda Load Balancer ADC Server Monitor
      • Status Code: 200
      • Test Delay: 30 seconds
      • HTTP Method: HEAD

    • If you are load balancing both Remote Desktop Session Hosts and Remote Desktop Gateway Server(s) with a Connection Broker 2008R2, configure the RDP and Remote Desktop Gateway Services as follows:

      Table 6. RDP and RD Gateway Services with a Connection Broker 2008R2

      Name: RDP
      Type: RDP Proxy
      IP Address: VIP address for the FQDN of your Remote Desktop Service (for example: 10.5.7.193)
      Port: 3389
      Session Timeout: 1800
      Load Balancing:
      • Persistence Type: Source IP
      • Persistence Time: 1200
      Server Monitor:
      • Testing Method: RDP Test
      • Ensure that your session host servers do not require NLA (Network Level Authentication) clients.

      Name: RD_GATEWAY_RDWeb
      Type: HTTPS or Instant SSL
      IP Address: VIP address for the FQDN of your RD Gateway (for example: 10.5.7.193)
      Port: 443
      Session Timeout: 1800
      Load Balancing:
      • Persistence Type: HTTP Header
      • Header Name: Authorization
      • Persistence Time: 1200
      Server Monitor:
      • Testing Method: Simple HTTPS
      • Test Target: /rdweb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx
      • Additional Headers: User-Agent: Barracuda Load Balancer ADC Server Monitor
      • Status Code: 200
      • Test Delay: 30 seconds
      • HTTP Method: HEAD

On the BASIC > Services page for the RD_GATEWAY_RDWeb service, configure the following:

      1. SSL Settings section (only for Instant SSL service type):

        • Secure Site Domain - Enter the domain name of your Remote Desktop Services server. If the internal and external domain are different, you can use wildcard characters. For example:  *.barracuda.com.
        • If your Barracuda Load Balancer ADC is running version 5.1.1 and above, set the Rewrite Support option to Off. For versions below 5.1.1, this option is named Instant SSL.
      2. Certificates section:
        • Select the certificate that was uploaded for the service.

    • If you are load balancing both Remote Desktop Session Hosts and Remote Desktop Gateway Server(s) with a Connection Broker 2012R2, configure the RDP and Remote Desktop Gateway Services as follows:

      Table 7. RDP Session Hosts and RD Gateway Services with a Connection Broker 2012R2

      Name: RDP
      Type: RDP Proxy
      IP Address: VIP address for the FQDN of your Remote Desktop Service (for example: 10.5.7.193)
      Port: 3389
      Session Timeout: 1800
      Load Balancing:
      • Persistence Type: Source IP
      • Persistence Time: 1200
      Server Monitor:
      • Testing Method: RDP Test
      • Ensure that your session host servers do not require NLA (Network Level Authentication) clients.

      Name: RD_GATEWAY_RDWeb
      Type: HTTPS, Instant SSL, or UDP Proxy
      IP Address: VIP address for the FQDN of your RD Gateway (for example: 10.5.7.193)
      Port: 443 (HTTPS), 3391 (UDP Proxy)
      Session Timeout: 1800
      Load Balancing:
      • Service Group Persistence Type: Source IP
      • Header Name: Authorization
      • Persistence Time: 1200
      Server Monitor:
      • Testing Method (HTTPS): Simple HTTPS
      • Test Target: /rdweb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx
      • Additional Headers: User-Agent: Barracuda Load Balancer ADC Server Monitor
      • Status Code: 200
      • Test Delay: 30 seconds
      • HTTP Method: HEAD

      On the BASIC > Services page for the RD_GATEWAY_RDWeb service, configure the following:

      1. SSL Settings section (only for Instant SSL service type):

        • Secure Site Domain - Enter the domain name of your Remote Desktop Services server. If the internal and external domain are different, you can use wildcard characters. For example:  *.barracuda.com.
        • If your Barracuda Load Balancer ADC is running version 5.1.1 and above, set the Rewrite Support option to Off. For versions below 5.1.1, this option is named Instant SSL.
      2. Certificates section:
        • Select the certificate that was uploaded for the service.

Step 3. Add the Real Servers

  Add your Remote Desktop servers to your services. For each Remote Desktop server:

  On the BASIC > Services page, verify that the correct service for the server is displayed.

  1. Click Add Server.
  2. Enter the IP address and port of the server.
    • If you are adding the Session Host server to an RDP service, use Port 3389.
    • If you are adding the Web or Gateway server to an RD_GATEWAY_RDWeb service, use Port 443.
  3. If the server is part of a cluster, specify whether it is a Backup server and enter its Weight for the load balancing algorithm.
  4. If you are adding the server to an RD_GATEWAY_RDWeb service, enable SSL.
    • Set Server uses SSL to On. If you do not enable the server to use SSL, unencrypted traffic is passed to the server because the Barracuda Load Balancer ADC decrypts incoming traffic to maintain session persistence using HTTP cookies.
    • Select the certificate that was uploaded for the service.
  5. Click Create.

Step 4. Configure the DNS

  Create an A record that points to the VIP address that you set on the Barracuda Load Balancer ADC for the Remote Desktop Service.

  For example, if you want to use the name rdp and your domain is barracuda.com, your A record would appear as follows:

  Name: rdp.barracuda.com
  IP Address: 10.5.7.193


  Step 5. Configure an HTTP Request Rewrite Rule (Optional)

To simplify access to the Remote Desktop Web Services site for your users, you may configure a rewrite rule to automatically add /rdweb to the end of the URL.

  1. Go to the TRAFFIC > Web Translations page.
  2. From the Service list, select the RD_GATEWAY_RDWeb service you configured for RDWeb Access.
  3. In the HTTP Request Rewrite section, click Add Rule and enter the following values in the corresponding fields:

    Rule Name: RDWeb
    Sequence Number: 3
    Action: Redirect URL
    Old Value: /
    Rewrite Value: /rdweb
    Rewrite Condition: *
  4. Click Save.

Verify Your Configuration

  1. Create two test users that have permission to log into Remote Desktop Services (for example, testuser1 and testuser2).

  2. Using Remote Desktop Connection, connect testuser1 to the Virtual IP Address. Open Notepad and enter some text; do not close Notepad.

  3. Click Start > Disconnect.
  4. Connect testuser2 to the same Virtual IP Address.
  5. Once testuser2 is logged in, click Start > Disconnect.
  6. Log in testuser1 again and ensure it reconnects to the session with Notepad open.
  7. Log in testuser2 again and ensure the session reconnects to the testuser2 session.
  8. If you have RD Web Access configured, verify that it is working by navigating to the FQDN that you set in the A record in Step 4 and verify that the page displays correctly.

    Example: https://rdp.barracuda.com/rdweb without the redirect rule, or rdp.barracuda.com with the Instant SSL service and redirect rule configured.
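
The Simple HTTPS server monitor configured for the RD_GATEWAY_RDWeb service can be reproduced from an admin workstation to confirm that each RD Web or Gateway server answers the health check as configured. The Python below is an added example, not Barracuda code: the function names, the plain-HTTP test switch, and the sample host names are assumptions, and any status other than the configured 200 (for example a redirect) is reported as a failure.

```python
import http.client
import ssl

# Server Monitor values from the RD_GATEWAY_RDWeb tables above.
MONITOR_TARGET = "/rdweb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx"
MONITOR_AGENT = "Barracuda Load Balancer ADC Server Monitor"
EXPECTED_STATUS = 200


def probe(host, port=443, use_tls=True, verify_cert=True, timeout=5.0):
    """Send the monitor's HEAD request to one server; return (healthy, detail)."""
    if use_tls:
        ctx = ssl.create_default_context()
        if not verify_cert:
            # Only for lab checks against servers addressed by IP: this turns
            # off certificate validation, so do not rely on it in production.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        # Plain HTTP is an assumption for local testing; the guide uses SSL.
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", MONITOR_TARGET, headers={"User-Agent": MONITOR_AGENT})
        resp = conn.getresponse()
        resp.read()
        if resp.status == EXPECTED_STATUS:
            return True, "200 OK"
        # A redirect or an auth challenge is not the configured status code.
        location = resp.getheader("Location", "")
        return False, f"status {resp.status} {location}".strip()
    except (OSError, http.client.HTTPException) as exc:
        return False, f"{type(exc).__name__}: {exc}"
    finally:
        conn.close()


def check_pool(servers, **kwargs):
    """Probe every (host, port) pair; return {"host:port": (healthy, detail)}."""
    return {f"{h}:{p}": probe(h, p, **kwargs) for h, p in servers}


if __name__ == "__main__":
    # Constructed sample host names; replace with your RD Web or Gateway servers.
    pool = [("rdweb1.example.internal", 443), ("rdweb2.example.internal", 443)]
    for name, (ok, detail) in check_pool(pool).items():
        print(f"{name:30} {'UP' if ok else 'DOWN'}  {detail}")
```

A certificate error is reported as DOWN with the exception text, which also confirms that the certificate installed in Step 1 matches the name used to reach the server.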