TS Gateway and NLB

I am about to deploy a terminal services solution and need some guidance.  I will have 4 Server 2008 terminal servers and they will be using NLB for load balancing.  What I would like to do is install a virtual machine as well and install TS Gateway on it.

It is my understanding that TS Gateway will produce a webpage over SSL where users can login, and then type in the name or virtual IP of the NLB Farm and get directed to one of the 4 Terminal Servers. I would then have to assign a Public IP on my Cisco ASA firewall and NAT that address to the internal IP of the TS Gateway server.

Is this correct?  Does anyone see anything wrong with this, or any suggestions?

Cláudio Rodrigues (Founder and CEO) commented:
What you need is more than that.
On the VM you will need:
- RDS Web Access (this is the one that will give you the web page users will logon to).
- RDS Gateway (this will do RDP over HTTPS so users will connect using HTTPS only). You will forward port 443 from the outside to this box.
- RDS Connection Broker. This is the one that will send users to the correct RDS Session Host (TS server) even if a disconnection happens (so it can find where the user had a session and get him back to that).
In terms of certificates/names you will need:
- External AND internal DNS entry for something like gateway.yourcompany.com, pointing to the VM that has WA, Gateway, CB. SSL certificate issued to that name.
- Farm name like farm.yourcompany.com. All TSs configured to use that farm name. CB/WA/Gateway configured to use that farm name. SSL certificate issued to that name. All RemoteApps published to the users MUST be signed using this certificate.
Some links for you:

I am working with Microsoft to publish a guide explaining this EXACT scenario.
My honest opinion on this is, Microsoft screwed up BIG time and this is by far one of the WORST things they could have ever developed. It is a PITA to setup, understand and so on.

Cláudio Rodrigues
Citrix CTP
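As an added example (not code from this thread or from Microsoft), the following PowerShell script checks the prerequisites listed in the answer above before users are pointed at the deployment: both names resolve, the gateway answers HTTPS on the forwarded port, the certificate it presents carries the gateway name and chains to a trusted CA, and, when run from the Internet side of the ASA, plain RDP to the gateway and farm names is not reachable (only 443 to the gateway is meant to be forwarded). The host names gateway.yourcompany.com and farm.yourcompany.com, the port and the -FromOutside switch are assumptions taken from the answer, not values from a real environment; it uses only .NET classes available on Server 2008 so it does not need the newer RemoteDesktop cmdlets.

```powershell
# Added pre-deployment check for the RDS Gateway / Web Access / Connection Broker
# layout described in the answer above. Not code from the thread; host names,
# port and the -FromOutside switch are assumptions for illustration.
param(
    [string]$GatewayName = "gateway.yourcompany.com",   # assumed, as in the answer
    [string]$FarmName    = "farm.yourcompany.com",      # assumed, as in the answer
    [int]$HttpsPort      = 443,
    [switch]$FromOutside                                # set when run from the Internet side of the ASA
)

# Resolve a name and return the addresses it maps to (PowerShell 2.0 compatible, no Resolve-DnsName).
function Test-NameResolution {
    param([string]$Name)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        New-Object PSObject -Property @{ Name = $Name; Resolves = $true;  Addresses = @($addrs) }
    } catch {
        New-Object PSObject -Property @{ Name = $Name; Resolves = $false; Addresses = @() }
    }
}

# TCP connect with a timeout, so a filtered port does not hang the script.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Perform a TLS handshake against the gateway and inspect the certificate it presents.
function Test-GatewayCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept every certificate at the handshake so the checks below can report on it explicitly.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Names the certificate is valid for: subject CN plus any SAN DNS entries (OID 2.5.29.17).
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
        }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        New-Object PSObject -Property @{
            Subject      = $cert.Subject
            NameMatches  = ($names -contains $HostName)   # RDP clients warn when this is false
            ChainTrusted = $chain.Build($cert)            # false for self-signed or an unknown CA
            Expired      = ($cert.NotAfter -lt (Get-Date))
            NotAfter     = $cert.NotAfter
            Names        = $names
        }
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

# --- run the checks ---
$gw   = Test-NameResolution $GatewayName
$farm = Test-NameResolution $FarmName
"Gateway name {0} resolves: {1} -> {2}" -f $gw.Name, $gw.Resolves, ($gw.Addresses -join ', ')
"Farm name    {0} resolves: {1} -> {2}" -f $farm.Name, $farm.Resolves, ($farm.Addresses -join ', ')

if ($gw.Resolves -and (Test-TcpPort $GatewayName $HttpsPort)) {
    $c = Test-GatewayCertificate $GatewayName $HttpsPort
    "HTTPS {0}: subject={1} nameMatches={2} chainTrusted={3} expired={4} (expires {5})" -f `
        $HttpsPort, $c.Subject, $c.NameMatches, $c.ChainTrusted, $c.Expired, $c.NotAfter
} else {
    "HTTPS {0} on {1} is not reachable from here" -f $HttpsPort, $GatewayName
}

# From outside the firewall only 443 to the gateway should be forwarded; RDP (3389)
# to the gateway and to the farm name must stay filtered on the ASA.
if ($FromOutside) {
    foreach ($n in @($GatewayName, $FarmName)) {
        $open = Test-TcpPort $n 3389
        "RDP 3389 on {0} reachable from outside: {1} {2}" -f $n, $open, $(if ($open) { '<- should be blocked' } else { '(ok)' })
    }
}
```

Run it once from the LAN (where both names must resolve to internal addresses) and once from an Internet-connected host with -FromOutside, where the gateway name must resolve to the public IP NATed on the ASA, the farm name should ideally not resolve at all, and only 443 to the gateway should answer. A false NameMatches or ChainTrusted on the gateway certificate is the usual cause of the certificate warning users see in the RDP client.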

BSModlin (Author) commented:
Thank you for the thorough response.  I have a couple more questions:

Will this same scenario work if I am NOT publishing Apps, but delivering the entire desktop?

I set up a TS Farm deployment a few months ago and ran into this issue.  I installed and configured 4 Terminal Servers.  Configured NLB on them, and configured a Session Broker as well.  I then created a NAT in my firewall that sent all inbound RDP requests destined for the dedicated public IP address to the internal virtual IP for the farm.  Because my firewall is a stateful, connection-oriented device it would not maintain connections from outside into the internal Virtual IP because of the NLB sharing IPs and MACs.  My question is will the scenario above fix this issue, and if so how?