Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Terminal Server Session brokering and publishing via ISA 2006

Posted on 2008-11-05
4
Medium Priority
?
422 Views
Last Modified: 2013-11-21
I'm in the process of setting up 3 Terminal servers for use by externally located individuals. I'm hoping to set them up with a Terminal Server Session Broker, but have a few questions before I finalize the plan.

The 3 Terminal Servers will be published externally via 3 ISA 2006 Standard servers. Each ISA server is on a different internet connection. For ease of use by end users, I'd like to only publish 1 TS per ISA server (since I'd have to set the second and 3rd to use non-standard ports to publish them).

The round robin-DNS would obviously be different internally than externally.

So, what I need to know, is when the Broker returns the Terminal Server to connect to back to the client, what will it return? With IP address redirection turned on, I kind of assume that the Session Broker will return the server's internal IP, since neither it, nor the terminal server itself, are aware that it's also associated with an external IP. I'm also assuming that this will prevent the client on the outside from being able to connect.

If I leave IP address redirection turned off, and stick with token redirection, will this work any better, or are the token's still based on IP?

Short of round-robin DNS, is there any way to effectively load-balance, or at least provide Session re-connection to clients outside the WAN?

0
Comment
Question by:tilbard
  • 2
3 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22888781
Great question - shame I don't know the answer. I have not used a TS Broker before.

Your comment about various port number requirements is valid if you only have one public ip address on each of your internet connections. the restriction is one protocol/port per IP address instance, not per connection instance.

Round-robin is never a great solution really as a node down will give you a one in three hit failure - yes, most can live with it but it is still a bit 'iffy.

If the broker is inside then it will return the internal ip address - not much you can do about that as far as I know. Personally we publish (securely) the TSweb portal so that authorised users select the connection to use AFTER they have connected initially - this removes the issue with the NAT of internal/external Ip addresses. Doesn't really help for published apps though.

Sorry that this is little help - ISA is my area but TS is a bit of a dark art to me.

Keith
ISA MVP
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 23251470
No point PAQ'ing it as, although it is fact, you cannot tell if it resolved the issue therefore it is of no value to the database. It cannot be accepted for the same reason. A delete - no refund would be my suggestion.
0
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 23278130
Question PAQ'd, 500 points not refunded, and stored in the solution database.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
Loops Section Overview
As many of you are aware about Scanpst.exe utility which is owned by Microsoft itself to repair inaccessible or damaged PST files, but the question is do you really think Scanpst.exe is capable to repair all sorts of PST related corruption issues?

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question