  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3721

Use a 2008 TS Session broker behind a firewall

I have two 2008 terminal servers in a farm. Everything seems to be working internally, but I need to have users access it from outside. The session broker role is on one of the TS boxes, not ideal, but this is just a trial to get the bugs worked out. I have NAT rules set up to point the RDP traffic to the session broker, but you always connect to the same server. What do I need to do to get the broker working for external users?

Thanks
Asked by tjd01
1 Solution
 
SteveJ commented:
Not really sure what you mean by:

"have NAT rules setup to point the RDP traffic to the session broker, but you always connect to the same server. "

Also, please block out the private stuff and post a config.

Thanks,
Steve

tjd01 (Author) commented:
On the firewall, I have 3389 pointed to the session broker from one of the external IP addresses using NAT rules. So if you were to RDP to 55.55.55.55 it would connect you to that server, which is both a TS and the session broker. I thought that when the broker saw the connection it would send it to the server in the farm with the lightest load, but it just logs in to that server; it never sends it to the other one in the farm.

What config would you like to see?

Thanks

SteveJ commented:
Sorry, I was confused and assumed "Cisco" when you said you had NAT rules . . .

I'm not sure how the session broker works. Does it proxy the connection or does it send a new connection end point back to the asker? In other words, when I connect to 55.55.55.55 does that server "load balance" by proxying the connection so that all communication is between the remote source and the 55.55.55.55 machine? Or is there a chance that the session broker logs the connection and then attempts to contact the remote and (a) that is blocked by the firewall or (b) the session broker tells the remote "you've been granted a session, now connect to 55.55.55.56" which then fails because the connection never gets to 55.55.55.56 because all 3389 traffic is pointed to 55.55.55.55?

Good luck,
SteveJ

tjd01 (Author) commented:
Internally, you point your TS client to the DNS name of the TS farm, say farm1. On the DNS server you have an entry for farm1 pointing to each IP of the TS in the farm. The Session Broker is there to balance the load according to rules that you set based on priority; it also will check and see if a user has an active session and reconnect it to the disconnected session. Currently if I go to farm1 it will alternate between the 2 servers when inside the firewall. The problem is that since I need to forward the ports through the firewall, I can only point it to an IP, not a DNS name. The end result is that it will always connect to the same server, not balance between the two.

Thanks

ro6ot commented:
Is the session broker routing users correctly when they access the farm from the inside of the firewall?

tjd01 (Author) commented:
Yes, internally if I go to Farm_1 it will direct me to either of the 2 TS.

ro6ot commented:
Can you reach each Terminal Server's IP from outside the firewall? Does every TS have a NAT rule?

For Session Broker to work properly, the requester must be able to communicate with every TS directly. It sounds like the outside requesters can communicate with the session broker but don't know how to talk to each TS (there's no route).

You'll need to use the Network Load Balancing option instead of the broker if you have one external routable IP.

tjd01 (Author) commented:
You are right, I have the outside IP pointed to the session broker, which is also one of the TS in the farm. Originally I had 2 IPs on different providers, each pointed to a TS, and just used round-robin DNS outside to balance it out. The problem that I was running into was that people would get a session on each server, or be denied a session because they were logged on the other server. I cannot make them actually log off at gunpoint; they constantly just X out and disconnect, leaving their sessions open.

ro6ot commented:
Do you only have one external IP? The outside users need to be able to talk to each TS in the farm. You can point the outside users to the broker but they still need a route to each TS. You can try using port address translation (PAT) to accomplish this.

or..

You can set a timeout for the disconnected users in TS. So you can use load balancing.

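The pieces discussed in the thread (tjd01's round-robin DNS entries for the farm name, and ro6ot's suggestions of a PAT mapping per terminal server plus a disconnected-session timeout), collected into one script as an added example. This is not code from the original thread or from Microsoft; the zone name corp.example, the farm name farm1, the internal addresses 10.0.0.11/10.0.0.12, the external address 203.0.113.10 and the PAT ports 3390/3391 are all assumptions to be replaced with your own values. Sections 1 and 2 run on the DNS server and on each TS respectively; section 3 runs from outside the firewall to confirm that each farm member, not just the broker, has a path in.

```powershell
# Added example, not from the original thread. All names and addresses below are
# assumed values; adjust them to your environment before running anything.
$zone    = 'corp.example'
$farm    = 'farm1'
$servers = @{ '10.0.0.11' = 3390; '10.0.0.12' = 3391 }   # internal TS IP -> external PAT port
$extIp   = '203.0.113.10'

# 1. Round-robin DNS for the farm name (run on the DNS server): one A record per farm
#    member. Internal clients connect to farm1, land on whichever member DNS hands out,
#    and the Session Broker redirects them to the member holding their disconnected
#    session, or to the least-loaded member if they have none.
foreach ($ip in $servers.Keys) {
    & dnscmd localhost /RecordAdd $zone $farm A $ip
}

# 2. Log off disconnected sessions automatically (run on each TS). Users who just
#    close the window otherwise leave a session on each server, which is what blocked
#    tjd01's external round-robin setup. MaxDisconnectionTime is in milliseconds;
#    30 minutes here. A domain GPO (Terminal Services > Session Time Limits) overrides
#    this local policy value if one is applied.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $tsPolicy -Force | Out-Null
Set-ItemProperty -Path $tsPolicy -Name 'MaxDisconnectionTime' -Type DWord -Value (30 * 60 * 1000)

# 3. Reachability check (run from OUTSIDE the firewall). The broker does not proxy the
#    session; it tells the client which member to reconnect to, so every member needs
#    its own path in. Each PAT mapping is tested with a plain TCP connect and a timeout.
function Test-FarmMember {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($ip in $servers.Keys) {
    $port = $servers[$ip]
    $ok   = Test-FarmMember -Address $extIp -Port $port
    '{0}:{1} -> TS {2} reachable: {3}' -f $extIp, $port, $ip, $ok
}
```

One caveat a practitioner should keep in mind: in its default IP-address-redirection mode the 2008 Session Broker sends the client the target server's internal address, so even with every PAT mapping reachable an external client will be told to reconnect to 10.0.0.x and fail. The check in section 3 confirms the firewall side of ro6ot's requirement, but for clients outside the perimeter the broker-friendly path is the TS Gateway that mpcorsello describes below, or a load balancer in front of the farm that supports the broker's token-redirection mode.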
mpcorsello commented:
Probably not the answer you want to hear, but . . . to use the session broker behind a firewall you really need to use a TS Gateway (in a DMZ). The users would connect to the TS Gateway and it would proxy the connection via SSL to your internal Session Director. See the attached link http://technet.microsoft.com/en-us/library/ff519225(WS.10).aspx


Glen Knight commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.