Configuring a Dual-WAN Router for improved Terminal Services (RDP) performance

Posted on 2008-10-22
Last Modified: 2013-12-14
I have two servers, one a file server running Windows Server 2000 and the other a terminal server running Windows Server 2003. Most of my remote terminal services users complain about the performance, particularly during the day when my office is full and has many people accessing the internet at the same time.

To try to improve the situation, I added a second WAN connection and purchased a FortiGate-50B dual-WAN firewall router. The way I wanted it set up was to use my WAN1 (Bell DSL with static IP) solely for port 3389 on the terminal server, and then use WAN2 (Rogers Cable) for all other internet usage (web browsing/e-mail/etc.). The company that installed this had it set up this way at first, but the problem came up that I could no longer access Bell's SMTP server because it needs to go through the Bell ISP (it won't let you access their SMTP from another ISP, in my case Rogers). They tried to fix this, but in the end they've set up load balancing, which means that although I can access the SMTP, my Bell connection is being used for more than terminal services, and as a result the remote users' performance isn't much improved.

Does anyone know how I can set up my FortiGate-50B so that:

All 3389 traffic uses WAN1 (Bell)
All 25 traffic (SMTP) uses WAN1 (Bell)
All other traffic (web browsing, port 587 SMTP, incoming mail, etc.) uses WAN2 (Rogers)

Thanks in advance!
Question by: jamiejolliffe

Accepted Solution by: culverfranchising (earned 500 total points)

Hello,

The feature that you are looking to configure on the Fortinet is known as policy routing. You can find the configuration under the following.

Router -> Static -> Policy Route Tab

Policy Routing controls which interface handles outbound traffic. The Fortinet is not a load balancing device, as the device does not make decisions on where to send the traffic based on use, but rather it is a load sharing device in which it must be told where to send traffic.

The Policy Route that you want to create would look similar to the following.

Protocol: 6 (Always use Protocol 6 for TCP/UDP traffic)
Incoming Interface: Your LAN Interface
Source address / mask   0.0.0.0/0.0.0.0 (For All Addresses)
Destination address / mask    0.0.0.0/0.0.0.0 (For All Addresses)
Destination Ports From:  3389  To:  3389 (RDP Ports or Any other protocol)
Force traffic to:  
Outgoing interface WAN1 (Bell)
Gateway Address  0.0.0.0 (Default Route)

Repeat the same configuration for port 25 SMTP on the WAN1 interface. You can then repeat for the other protocols over your WAN2 interface.

Here's a good article from the Fortinet Knowledge Center on using Policy Routing.

http://kc.forticare.com/default.asp?id=777&Lang=1

Since you have 2 WAN connections, you probably want to configure your WAN links to fail over to each other in the event one link is lost.

Check out the following article on using different default route metrics for whichever kind of failover you would like to perform.

http://kc.forticare.com/default.asp?id=376&Lang=1&SID=

In this scenario make sure to have the appropriate firewall rules that point from your internal interface to each individual WAN link.
Author Comment by: jamiejolliffe

Thanks for the info,

I had already set up that SMTP policy, with the exception of specifying Protocol 6 (I had left the default Protocol 0, which would force SMTP through WAN1, but it would also force all other traffic (HTTP 80, etc.) through WAN1). Changing to Protocol 6 seems to have done what I want by only forcing SMTP through WAN1 while still sending the other traffic through WAN2.

To date, I have been using a "Virtual IP" to map all 3389 traffic to the internal IP of my terminal server. Is there any reason for me to set up the policy you mentioned above for port 3389 as well (keep in mind that obviously all 3389 communication would be external access; no internal 3389 connections would exist)?
Expert Comment by: culverfranchising

Policy Routes are only used for traffic that is heading outbound to another interface on the device. Virtual IPs are used to map inbound services from one interface to another, which in your case you are correctly using. The only other recommendation I would have would be to configure failover routing using static routes, and then configure the same firewall rule you have currently to your other WAN connection. This will make sure that in the event of an outage on the WAN interface that is servicing the TS sessions, you can still gain access through your second WAN interface.
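The CLI form of what the two expert comments describe, added here as a worked example that is neither from the thread nor Fortinet's own documentation: policy routes that pin TCP 3389 and TCP 25 to wan1, distance-based default routes so everything else prefers wan2 and falls back to wan1, and the inbound 3389 Virtual IP duplicated on both WAN interfaces for failover. The interface names "internal", "wan1" and "wan2", the gateway addresses, the terminal server address 192.168.1.10 and the object names are placeholders. The quoted "address/mask" and "ALL" service syntax is the newer FortiOS form; FortiOS 3.x/4.x-era firmware writes the policy-route addresses as two space-separated fields and names the any-service object "ANY".

```fortios
# Added example, not from the thread. Placeholders: interface names,
# gateway addresses, and the terminal server address 192.168.1.10.

# 1. Policy routes (Router -> Static -> Policy Route). Evaluated top-down,
#    first match wins. Protocol 6 is TCP; RDP and SMTP are both TCP, so the
#    port match applies. With protocol 0 ("any") the port fields are not
#    consulted and the entry matches every outbound flow, which is why the
#    author saw all traffic forced out wan1 before setting protocol 6.
config router policy
    edit 1
        set input-device "internal"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 3389
        set end-port 3389
        set output-device "wan1"
        set gateway 0.0.0.0
    next
    edit 2
        set input-device "internal"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 25
        set end-port 25
        set output-device "wan1"
        set gateway 0.0.0.0
    next
end

# 2. Default routes with different administrative distances. wan2 (lower
#    distance) is the active default for everything the policy routes did
#    not match; the wan1 default only takes over if the wan2 route is
#    withdrawn (link down or dead-gateway detection).
config router static
    edit 1
        set device "wan2"
        set gateway 198.51.100.1
        set distance 10
    next
    edit 2
        set device "wan1"
        set gateway 203.0.113.1
        set distance 20
    next
end

# 3. Inbound RDP: the same Virtual IP on each WAN interface, so remote users
#    can reach the terminal server through whichever link is up. Restrict the
#    forwarded port to 3389 only; do not expose the whole host.
config firewall vip
    edit "rdp-wan1"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip 192.168.1.10
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
    edit "rdp-wan2"
        set extintf "wan2"
        set extip 198.51.100.10
        set mappedip 192.168.1.10
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end

# 4. Firewall policies: outbound from the LAN to each WAN (required for the
#    policy routes to forward anything), and inbound to each VIP limited to
#    the RDP service rather than "ALL".
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 3
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "rdp-wan1"
        set action accept
        set schedule "always"
        set service "RDP"
    next
    edit 4
        set srcintf "wan2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "rdp-wan2"
        set action accept
        set schedule "always"
        set service "RDP"
    next
end
```

Two points worth checking after applying this: the policy routes only affect sessions initiated from the LAN, so the reply traffic for inbound RDP sessions is handled by the session table and the VIP, not by entry 1; and because wan2 has a dynamic address in the author's setup, the wan2 VIP's external IP will need to follow the interface address (or use the interface address directly) and the dynamic DNS name mentioned later in the thread for clients to find it.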
Author Comment by: jamiejolliffe

Thanks, I will set that up. The only issue there is that my second WAN does not have a static IP, so I will need to set up dynamic DNS for it to be a viable backup connection for my remote users.
Author Closing Comment by: jamiejolliffe

Thanks!