Solved

Use a 2008 TS Session broker behind a firewall

Posted on 2010-11-24
Last Modified: 2013-11-21
I have 2 2008 terminal servers in a farm, everything seems to be working internally, but I need to have users access it from outside. The session broker role is on one of the TS boxes, not ideal, but this is just a trial to get the bugs worked out. I have NAT rules setup to point the RDP traffic to the session broker, but you always connect to the same server. What do I need to do to get the broker working for external users?

Thanks
Question by:tjd01

14 Comments
 
LVL 16

Expert Comment

by:SteveJ
ID: 34234663
Not really sure what you mean by:

"have NAT rules setup to point the RDP traffic to the session broker, but you always connect to the same server. "

Also, please block out the private stuff and post a config.

Thanks,
Steve
 
LVL 2

Author Comment

by:tjd01
ID: 34234858
On the firewall, I have 3389 pointed to the session broker from one of the external IP addresses using NAT rules. So if you were to RDP to 55.55.55.55 it would connect you to that server, which is both a TS and the session broker. I thought that when the broker saw the connection it would send it to the server in the farm with the lightest load, but it just logs in to that server; it never sends it to the other one in the farm.

What config would you like to see?

Thanks
 
LVL 16

Expert Comment

by:SteveJ
ID: 34235301
Sorry, I was confused and assumed "Cisco" when you said you had NAT rules . . .

I'm not sure how the session broker works. Does it proxy the connection or does it send a new connection end point back to the asker? In other words, when I connect to 55.55.55.55 does that server "load balance" by proxying the connection so that all communication is between the remote source and the 55.55.55.55 machine? Or is there a chance that the session broker logs the connection and then attempts to contact the remote and (a) that is blocked by the firewall or (b) the session broker tells the remote "you've been granted a session, now connect to 55.55.55.56" which then fails because the connection never gets to 55.55.55.56 because all 3389 traffic is pointed to 55.55.55.55?

Good luck,
SteveJ
 
LVL 2

Author Comment

by:tjd01
ID: 34241737
Internally, you point your TS client to the DNS name of the TS farm, say farm1. On the DNS server you have an entry for farm1 pointing to each IP of the TS in the farm. The Session Broker is there to balance the load according to rules that you set based on priority; it also will check and see if a user has an active session and reconnect it to the disconnected session. Currently if I go to farm1 it will alternate between the 2 servers when inside the firewall. The problem is that since I need to forward the ports through the firewall, I can only point it to an IP, not a DNS name. The end result is that it will always connect to the same server, not balance between the two.

Thanks
 
LVL 1

Expert Comment

by:ro6ot
ID: 34253752
Is the session broker routing users correctly when they access the farm from the inside of the firewall?
 
LVL 2

Author Comment

by:tjd01
ID: 34256989
Yes, internally if I go to Farm_1 it will direct me to either of the 2 TS.
 
LVL 1

Expert Comment

by:ro6ot
ID: 34257541
Can you reach each Terminal Server's IP from outside the firewall? Does every TS have a NAT rule?

For Session Broker to work properly, the requester must be able to communicate with every TS directly. It sounds like the outside requesters can communicate with the session broker but don't know how to talk to each TS (there's no route).

You'll need to use the Network Load Balancing option instead of the broker if you have one external routable IP.
 
LVL 2

Author Comment

by:tjd01
ID: 34258716
You are right, I have the outside IP pointed to the session broker, which is also one of the TS in the farm. Originally I had 2 IPs on different providers each pointed to a TS, and just used round-robin DNS outside to balance it out. The problem that I was running into was that people would get a session on each server, or be denied a session because they were logged on the other server. I cannot make them actually log off at gunpoint; they constantly just X out and disconnect, leaving their sessions open.
 
LVL 1

Expert Comment

by:ro6ot
ID: 34258783
Do you only have one external IP? The outside users need to be able to talk to each TS in the farm. You can point the outside users to the broker but they still need a route to each TS. You can try using port address translation (PAT) to accomplish this.

or..

You can set a timeout for the disconnected users in TS. So you can use load balancing.

 
LVL 1

Accepted Solution

by:mpcorsello (earned 500 total points)
ID: 34476857
Probably not the answer you want to hear, but . . . to use the session broker behind a firewall you really need to use a TS Gateway (in a DMZ). The users would connect to the TS Gateway and it would proxy the connection via SSL to your internal Session Director. See the attached link http://technet.microsoft.com/en-us/library/ff519225(WS.10).aspx

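The "no route back to each TS" problem ro6ot describes and the gateway fix in the accepted answer, modelled as an added example (this is not code from the thread, nor Microsoft's Session Broker); the hosts, session loads and user names are all constructed:

```python
"""Added example, not code from the thread: a small model of Session Broker
IP-address redirection showing why one NAT rule to the broker (as the asker has)
strands external users on that one server, and why a TS Gateway in the DMZ (the
accepted answer) fixes it. All hosts, loads and users below are constructed."""

BROKER = "10.0.0.11"                              # TS1, which also runs the Session Broker
FARM_LOAD = {"10.0.0.11": 4, "10.0.0.12": 1}      # active sessions per farm member
DISCONNECTED = {"alice": "10.0.0.11"}             # user -> server holding her disconnected session
NAT_3389 = {"55.55.55.55": BROKER}                # public IP -> internal host for tcp/3389
INTERNAL_PREFIX = "10.0.0."                       # nothing here is routable from the Internet


def broker_pick(user):
    """Broker rule: reconnect a user to an existing disconnected session,
    otherwise send them to the farm member with the fewest sessions."""
    if user in DISCONNECTED:
        return DISCONNECTED[user]
    return min(FARM_LOAD, key=FARM_LOAD.get)


def direct_connect(user, public_ip):
    """External client connects to the NAT'd public IP. The broker then tells the
    client which farm member's *internal* IP to connect to, and the client has to
    open that second TCP connection itself."""
    first_hop = NAT_3389.get(public_ip)
    if first_hop is None:
        return ("failed", "no NAT rule for " + public_ip)
    target = broker_pick(user)
    if target == first_hop:
        return ("connected", target)              # redirected to the box already reached
    if target.startswith(INTERNAL_PREFIX):
        return ("failed", "redirected to unroutable " + target)
    return ("connected", target)


def gateway_connect(user):
    """With a TS Gateway in the DMZ the client tunnels RDP over HTTPS to the gateway,
    and the gateway makes the RDP connection on the internal network, so whichever
    member the broker names is reachable."""
    return ("connected", broker_pick(user))


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "direct:", direct_connect(user, "55.55.55.55"))
        print(user, "gateway:", gateway_connect(user))
```

Alice lands on TS1 both ways because her disconnected session lives there; Bob, whom the broker sends to the lighter TS2, only gets a working session through the gateway.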
 
LVL 74

Expert Comment

by:Glen Knight
ID: 34830253
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.