Windows 2008 Terminal Services - remote connections freeze at "Welcome" screen and disconnect

ConnectNZ
I have a four-server Win2k8 Terminal Services Farm, currently utilizing TS Session Broker + DNS Round Robin for load balancing. All servers are 64-bit and have SP2 installed. Our TS Session Broker machine is a 32-bit Windows 2008 (SP2) VM running on VMware ESX Server 3.5.

Whenever our remote users connect from the WAN (via a basic port forwarding rule on the firewall), they will usually get as far as entering their username and password, but then as the server appears to begin logging them in, it will hang at the "Welcome" screen and then disconnect them after about 10-20 seconds.

The problem does not happen every time, but does happen most of the time. Probably about a 70/30 failure/success ratio. Interestingly, the problem _never_ happens when connecting from the LAN. I have tried changing the firewall and I have reviewed the NAT and filtering rules extensively. The firewall is a Snapgear SG580.

The issue has been present for some time now (3 months+). We have involved Microsoft and have tried various potential fixes but none have worked. We are currently at the point where MS has escalated it to their Chinese team but I am yet to see a solution from them.

I have replaced our core switch (HP Procurve) and tried both NLB and DNS Round Robin load balancing solutions. I have tried adding another NIC to one of the Terminal Servers and forwarding RDP requests to this NIC (ruling out TS Session Broker). I have even tried disabling Trend Micro AV, all to no avail.

Interestingly, when we forward port 3389 to a Windows 2003 server on the network, it works perfectly, every time.

I saw this problem once before on a Windows 2008 SBS machine, which leads me to believe that this is a bug in Windows 2008 server. Googling brings up nothing. Surely I'm not the first person to experience this??

cheers,

Dave
To confirm: does this happen even if the user does not have a disconnected session on a server?

Have you enabled verbose logging for the session directory?
Sorry for the late response, we have been testing various solutions. The ultimate solution was to deploy a TS Gateway server. The root of the problem was a NAT issue - the TS Broker was redirecting sessions to other Terminal Servers that were not visible from the internet.

I suggest that anyone who has this problem in the future not waste any time trying to get it going. Just deploy TS Gateway, buy an SSL certificate, and be done with it. We spent in excess of 100 hours on this over 3 months before it was resolved.
With regard to ConnectNZ's suggestion of 'just deploy TS Gateway', it is worth noting that this will only work if your clients support the TS Gateway - for example there are many thin client devices that do *not* support the TS Gateway and as a result this would not work.

Hi, we have the same disconnecting issue at the LAN level.
Quote:
"Whenever our remote users connect from the LAN ...., they will usually get as far as entering their username and password, but then as the server appears to begin logging them in, it will hang at the "Welcome" screen and then disconnect them after about 10-20 seconds."

What could create this issue at the LAN level??
Please advise.

Author

Commented:
Do you have your servers on a different IP range/subnet from your clients? It could be routing related. The issue for us was that our TS Broker could not redirect/route client connections from the WAN (Internet) to the LAN interfaces of our Terminal Servers, UNLESS the server that was chosen by the Broker was the server that received the initial connection request. In the case that the TS Broker decided to redirect a client to a different server, the user would get as far as the "Welcome" screen and then the connection would time out because it was trying to redirect the internet client to an internal IP address which was simply inaccessible from that location. Because port 3389 was NATed to one of the servers, when the Broker would direct clients to that server, it would work, and therefore users could try and try again and eventually get in. This made the troubleshooting process all the more difficult because we thought we had an intermittent problem.

Hope that helps!
Hi,
Thanks for your comment. I think your suggestion looks very close to the solution because the issue is exactly what you are describing, but the problem is that we are using thin clients inside our LAN and the devices are using DHCP. I also tried fixed IPs with the same range, gateway and DNS... maybe there is something I missed!
Please advise on a fix!

Author

Commented:
Are you using TS Session Broker? How many Terminal Servers? What load balancing method are you using? Can your thin clients ping all of the servers? Can your Broker ping all of the servers?
Hi,
I have three TS servers running Windows 2008 SP2. The Session Broker is on a fourth Win2k8 SP2 server that also contains the licensing server (per user), and all four can ping each other by FQN or by hostname.
I'm using Round Robin on a Windows 2k3 SBS that contains the DNS. I'm using HP thin clients t5145 and t5135 as remote users.
The solution works perfectly when using RDP on a desktop PC, but the issue appears only when using thin clients.
Please advise!

Author

Commented:
I think that you may be experiencing a different issue to us, even though your symptoms are similar. Our problem was that TS clients simply had no path to the Terminal Servers, as they were connecting through a NAT port forwarding rule - they could access the server that was NATed, and that server could query the Broker, but redirects to other servers failed because there was no path to those other servers. I'm not sure that I can offer you any more help. Good luck!
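
The failure mode the author describes in the two explanations above (broker redirects to internal addresses that a WAN client cannot reach), modelled as an added example that is not part of the original thread. The server names, addresses and the assumption that the broker picks each server with equal probability are constructed for illustration; `probe` is a live check you would run from the client's side of the firewall.

```python
import ipaddress
import socket

# Constructed sample farm: internal addresses of four terminal servers.
FARM = {"ts1": "192.168.10.11", "ts2": "192.168.10.12",
        "ts3": "192.168.10.13", "ts4": "192.168.10.14"}
NAT_TARGET = "ts1"  # assumed: the firewall forwards WAN port 3389 to this server only


def redirect_outcome(chosen, first_hop, client_on_lan):
    """Outcome when the broker picks `chosen` for a client that first hit `first_hop`."""
    if chosen == first_hop:
        return "ok: no redirect needed"
    target = ipaddress.ip_address(FARM[chosen])
    if client_on_lan:
        return "ok: redirect to %s is routable on the LAN" % target
    if target.is_private:
        return "fail: WAN client redirected to private address %s" % target
    return "ok: redirect to public address %s" % target


def success_rate(client_on_lan, first_hop=NAT_TARGET):
    """Fraction of broker choices that succeed, assuming each server is equally likely."""
    outcomes = [redirect_outcome(s, first_hop, client_on_lan) for s in FARM]
    return sum(o.startswith("ok") for o in outcomes) / len(outcomes)


def probe(ip, port=3389, timeout=3.0):
    """Live check from the client's network: does this address accept a TCP connection?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name in FARM:
        print(name, "->", redirect_outcome(name, NAT_TARGET, client_on_lan=False))
    print("WAN success rate:", success_rate(client_on_lan=False))
    print("LAN success rate:", success_rate(client_on_lan=True))
```

Running `probe` against each farm member's address from outside the firewall shows directly which redirect targets have no path, which is the check that distinguishes this NAT problem from a genuinely intermittent fault.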
Hi:

Was the NAT configuration eliminated or did you keep it along with the TS Gateway?

I think I'm having the same issue but I have one TS server....just added a router (and opened up 3389 and 3390 for XP) and it's ONLY configured for WAN access and the clients are freezing every few min.
