tjd01

Use a 2008 TS Session broker behind a firewall

I have 2 2008 terminal servers in a farm, everything seems to be working internally, but I need to have users access it from outside. The session broker role is on one of the TS boxes, not ideal, but this is just a trial to get the bugs worked out. I have NAT rules setup to point the RDP traffic to the session broker, but you always connect to the same server. What do I need to do to get the broker working for external users?

Thanks
Steve Jennings

Not really sure what you mean by:

"have NAT rules setup to point the RDP traffic to the session broker, but you always connect to the same server. "

Also, please block out the private stuff and post a config.

Thanks,
Steve
tjd01

ASKER

On the firewall, I have 3389 pointed to the session broker from one of the external IP addresses using NAT rules. So if you were to RDP to 55.55.55.55 it would connect you to that server, which is both a TS and the session broker. I thought that when the broker saw the connection it would send it to the server in the farm with the lightest load, but it just logs in to that server; it never sends it to the other one in the farm.

What config would you like to see?

Thanks
Sorry, I was confused and assumed "Cisco" when you said you had NAT rules . . .

I'm not sure how the session broker works. Does it proxy the connection or does it send a new connection end point back to the asker? In other words, when I connect to 55.55.55.55 does that server "load balance" by proxying the connection so that all communication is between the remote source and the 55.55.55.55 machine? Or is there a chance that the session broker logs the connection and then attempts to contact the remote and (a) that is blocked by the firewall or (b) the session broker tells the remote "you've been granted a session, now connect to 55.55.55.56" which then fails because the connection never gets to 55.55.55.56 because all 3389 traffic is pointed to 55.55.55.55?

Good luck,
SteveJ
tjd01

ASKER

Internally, you point your TS client to the DNS name of the TS farm, say farm1. On the DNS server you have an entry for farm1 pointing to each IP of the TS in the farm. The Session Broker is there to balance the load according to rules that you set based on priority; it also will check and see if a user has an active session and reconnect it to the disconnected session. Currently if I go to farm1 it will alternate between the 2 servers when inside the firewall. The problem is that I need to forward the ports through the firewall, and I can only point it to an IP, not a DNS name. The end result is that it will always connect to the same server, not balance between the two.

Thanks
Is the session broker routing users correctly when they access the farm from the inside of the firewall?
tjd01

ASKER

Yes, internally if I go to Farm_1 it will direct me to either of the 2 TS.
Can you reach each Terminal Server's IP from outside the firewall? Does every TS have a NAT rule?

For Session Broker to work properly; the requester must be able to communicate with every TS directly. It sounds like the outside requesters can communicate with the session broker but don't know how to talk to each TS (there's no route).

You'll need to use the Network Load Balancing option instead of the broker if you have one external routable IP.
tjd01

ASKER

You are right, I have the outside IP pointed to the session broker, which is also one of the TS in the farm. Originally I had 2 IPs on different providers each pointed to a TS, and just used round robin dns outside to balance it out. The problem that I was running into was that people would get a session on each server, or denied a session because they were logged on the other server. I cannot make them actually log off at gunpoint, they constantly just X out and disconnect leaving their sessions open.
Do you only have one external IP? The outside users need to be able to talk to each TS in the farm. You can point the outside users to the broker but they still need a route to each TS. You can try using port address translation (PAT) to accomplish this.

or..

You can set a timeout for the disconnected users in TS. So you can use load balancing.
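The two pieces of advice above (check that an outside client can reach every TS on its NATted address and port, and end disconnected sessions so a stale session on one server does not block a logon) as an added PowerShell example; this is not code from the thread. The external addresses, the 3390 PAT port for the second TS, and PowerShell being available on the Server 2008 hosts are assumptions.

```powershell
# Part 1: run from an OUTSIDE host. The broker answer above says the requester must be able
# to talk to every TS directly, so each farm member needs its own reachable NAT/PAT target.
$farmMembers = @(
    @{ Name = 'TS1 (broker)'; Address = '55.55.55.55'; Port = 3389 },  # placeholder from the thread
    @{ Name = 'TS2';          Address = '55.55.55.55'; Port = 3390 }   # assumption: PAT 3390 -> TS2:3389
)

function Test-RdpPort {
    param([string]$Name, [string]$Address, [int]$Port = 3389)
    # Plain TCP connect with a 3 s timeout; works on PowerShell 2.0 (no Test-NetConnection needed)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne(3000, $false)
        if ($ok -and $client.Connected) {
            "$Name ${Address}:${Port} reachable"
        } else {
            "$Name ${Address}:${Port} NOT reachable - broker redirects to this server will fail from outside"
        }
    } catch {
        "$Name ${Address}:${Port} NOT reachable - $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

foreach ($m in $farmMembers) { Test-RdpPort -Name $m.Name -Address $m.Address -Port $m.Port }

# Part 2: run on EACH Terminal Server. Ends disconnected sessions after 30 minutes, which is
# the registry value behind the "Set time limit for disconnected sessions" policy setting.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'MaxDisconnectionTime' -Value 1800000 -Type DWord  # milliseconds
Get-ItemProperty -Path $policyKey -Name 'MaxDisconnectionTime'   # read back to confirm
```

Part 2 applies at the next logon; sessions already disconnected before the change keep their old limit until they reconnect.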

ASKER CERTIFIED SOLUTION
mpcorsello

This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.