

TS Gateway and NLB

Posted on 2010-04-08
Medium Priority
Last Modified: 2013-11-21
I am about to deploy a terminal services solution and need some guidance.  I will have 4 Server 2008 terminal servers and they will be using NLB for load balancing.  What I would like to do is install a virtual machine as well and install TS Gateway on it.

It is my understanding that TS Gateway will produce a webpage over SSL where users can login, and then type in the name or virtual IP of the NLB Farm and get directed to one of the 4 Terminal Servers. I would then have to assign a Public IP on my Cisco ASA firewall and NAT that address to the internal IP of the TS Gateway server.

Is this correct?  Does anyone see anything wrong with this, or any suggestions?
Question by:BSModlin

Accepted Solution

Cláudio Rodrigues earned 2000 total points
ID: 30211149
What you need is more than that.
On the VM you will need:
- RDS Web Access (this is the one that will give you the web page users will logon to).
- RDS Gateway (this will do RDP over HTTPS so users will connect using HTTPS only). You will forward port 443 from the outside to this box.
- RDS Connection Broker. This is the one that will send users to the correct RDS Session Host (TS server) even if a disconnection happens (so it can find where the user had a session and get him back to that).
In terms of certificates/names you will need:
- External AND internal DNS entry for something like gateway.yourcompany.com, pointing to the VM that has WA, Gateway, CB. SSL certificate issued to that name.
- Farm name like farm.yourcompany.com. All TSs configured to use that farm name. CB/WA/Gateway configured to use that farm name. SSL certificate issued to that name. All RemoteApps published to the users MUST be signed using this certificate.
Some links for you:

I am working with Microsoft to publish a guide explaining this EXACT scenario.
My honest opinion on this is, Microsoft screwed up BIG time and this is by far one of the WORST things they could have ever developed. It is a PITA to setup, understand and so on.

Cláudio Rodrigues
Citrix CTP
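The accepted answer hinges on two names that must each be covered by a certificate (gateway.yourcompany.com, presented to outside users on 443, and farm.yourcompany.com, used by the Session Hosts/Broker and for signing RemoteApps) and on exposing only port 443 to the gateway box rather than RDP to the NLB VIP. The script below is an added example, not code from the thread or from Microsoft: it checks a certificate (in the dict shape Python's `ssl` module returns from `getpeercert()`) against the expected name, and reviews a list of firewall NAT rules for anything other than 443-to-gateway. The certificate dicts and NAT rules at the bottom are constructed sample data; the host names are the placeholders the answer itself uses.

```python
"""Check RDS Gateway / farm certificate names and edge NAT exposure.
Added example (not from the original thread); names are assumptions."""
import socket
import ssl


def cert_names(cert):
    """DNS names a certificate is valid for: every DNS subjectAltName entry,
    falling back to the subject commonName only when there is no SAN.
    `cert` uses the dict layout of ssl.SSLSocket.getpeercert()."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return [n.lower() for n in names]


def name_matches(pattern, hostname):
    """Exact match, or a wildcard that replaces exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def check_deployment(gateway_cert, farm_cert, gateway_name, farm_name):
    """Return check-name -> bool for the two names the answer requires."""
    return {
        "gateway_cert_covers_gateway_name": any(
            name_matches(n, gateway_name) for n in cert_names(gateway_cert)),
        "farm_cert_covers_farm_name": any(
            name_matches(n, farm_name) for n in cert_names(farm_cert)),
    }


def review_nat_rules(rules, gateway_host):
    """Flag NAT rules that expose anything except 443 -> gateway:443.
    Each rule is (public_port, internal_host, internal_port); a 3389 rule to
    the farm VIP is exactly the setup the follow-up question describes."""
    findings = []
    for public_port, internal_host, internal_port in rules:
        if (public_port, internal_host, internal_port) != (443, gateway_host, 443):
            findings.append(
                f"public {public_port} -> {internal_host}:{internal_port} "
                f"bypasses the gateway; only 443 -> {gateway_host}:443 is needed")
    return findings


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the certificate actually presented on 443 (needs network access;
    not used by the offline sample below). Default context verifies against
    the system trust store, so an untrusted cert raises, which is itself a
    finding since RDP clients will refuse it too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data (not real certificates or firewall rules).
GATEWAY_NAME = "gateway.yourcompany.com"
FARM_NAME = "farm.yourcompany.com"
GOOD_GATEWAY_CERT = {
    "subject": ((("commonName", GATEWAY_NAME),),),
    "subjectAltName": (("DNS", GATEWAY_NAME),),
}
GOOD_FARM_CERT = {"subjectAltName": (("DNS", "*.yourcompany.com"),)}
# Common mistake: the Session Host's own machine certificate, not the farm name.
WRONG_FARM_CERT = {"subject": ((("commonName", "ts01.yourcompany.local"),),)}
BAD_NAT_RULES = [(443, GATEWAY_NAME, 443), (3389, "10.0.0.50", 3389)]

if __name__ == "__main__":
    print(check_deployment(GOOD_GATEWAY_CERT, WRONG_FARM_CERT, GATEWAY_NAME, FARM_NAME))
    for finding in review_nat_rules(BAD_NAT_RULES, GATEWAY_NAME):
        print(finding)
```

Run the offline sample as-is, or call `fetch_peer_cert(GATEWAY_NAME)` from outside the firewall and pass the result to `check_deployment` to confirm the name on the certificate the ASA is actually forwarding to.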

Author Comment

ID: 30211782
Thank you for the thorough response.  I have a couple more questions:

Will this same scenario work if I am NOT publishing Apps, but delivering the entire desktop?

I set up a TS Farm deployment a few months ago and ran into this issue.  I installed and configured 4 Terminal Servers, configured NLB on them, and configured a Session Broker as well.  I then created a NAT in my firewall that sent all inbound RDP requests destined for the dedicated public IP address to the internal virtual IP for the farm.  Because my firewall is a stateful, connection-oriented device, it would not maintain connections from outside into the internal virtual IP because of the NLB sharing IPs and MACs.  My question is: will the scenario above fix this issue, and if so, how?
