Solved

RDP and Token Based Redirection

Posted on 2013-01-11
4
2,159 Views
Last Modified: 2013-01-17
I'm trying to understand how to setup and use token based redirection with Session Broker to do load balancing for a TS farm instead of using the default IP address redirection.

I have an F5 load balancer that supports token based redirection. I understand the setup on the F5 side, but I don't really understand how it works from the TS side.

On the broker setup on each terminal server, obviously you choose token based redirection, and select the ipv4 address of the server in question.

1) So connections come into the load balancer
2) LB forwards connection to one of the TS Servers
3) TS Server contacts broker and sends back actual TS Server to connect to

At this point when using IP based redirection, it just sends the client back the ip of the TS to connect to. With token based redirection, I don't really understand what it does at this point. Where does the LB come into play, and how does it use this token to redirect the TS session?
0
Comment
Question by:jschweg
  • 3
4 Comments
 
LVL 63

Expert Comment

by:btan
ID: 38769863
This is a quick understanding btw the two methods

http://technet.microsoft.com/en-us/library/cc732852(v=ws.10).aspx

You must use IP address redirection if you use any of the following as your load-balancing solution:

-TS Session Broker Load Balancing, using DNS round robin
-Network Load Balancing (NLB)
-A hardware load balancer that does not support TS Session Broker routing tokens

If you configure a terminal server to use TS Session Broker routing tokens as the redirection method, the IP address of the terminal server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct terminal server in the farm.

If you switch to token redirection mode, you can select only one IP address for reconnection. The address that you select must meet both of the following criteria:

-It must be the IP address of the network adapter that is connected to the load balancer.
-It must be the address that is configured on the load balancer as the IP address for the terminal server.
0
 
LVL 63

Expert Comment

by:btan
ID: 38769871
if you take a look at F5 deployment guide, it is depicting scenario 1 - The BIG-IP LTM provides advanced load balancing to farm members, while honoring RD Connection Broker routing tokens. Pg 5 has useful MSDN link for setup as well included the F5 recommendations and steps. key point is to have RDP persistence set in LTM

http://www.f5.com/pdf/deployment-guides/f5-microsoft-remote-desktop-services-dg.pdf
0
 
LVL 4

Author Comment

by:jschweg
ID: 38770019
Thanks for the link to the deployment guide. That part of it I have successfully configured. The part the is eluding me are the two requirements for what the redirection IP needs to be when configuring the token redirection on each terminal server.

--It must be the IP address of the network adapter that is connected to the load balancer.

--It must be the address that is configured on the load balancer as the IP address for the terminal server.

How can both of the above be true? So F5 is configured to load balance via the private IPs of the terminal servers. Okay, so the redirect IP just needs to be the local address. I don't understand the first requirement abotu needing to be the ip address that is connected to the LB.
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 38770184
How I understand it is when client try to connect the virtual ip of LTM serving as the broker ip which always the first address that client needs to hit, LTM with session directory enabled will checked which host server ip to be directed. The token back to client will then be lead to that rdp host server,  in this case the client will reconnect to host virtual server of LTM. There are only two virtual ips altogether fronted by LTM which the client needs to know in anytime. LTM will direct to the pool accordingly. This is as in pg 6 and 7 of the F5 guide.

==>To better clarify above, you should look at below two link esp the second one to better understand the flow
(see the "Down on the Server Farm")
@ http://technet.microsoft.com/en-us/magazine/hh413262.aspx
(see the "How Hardware Load Balancers Work" Fig 7.4 - IP redirection (DNS LB) and Fig 7.5 - Token routing)
@ http://www.brianmadden.com/blogs/terminal_services_for_microsoft_windows_server_2003_advanced_technical_design_guide/pages/load-balancing-options.aspx

In all, in token routing, the client will always go to the LB virtual IP (initial req) and and LB reply is always for client to go back to same LB virtual IP passing the token it received. But because LB (session directory enabled) saw the token from client and it will direct the traffic to the right Host server ip in its pool.

If you interested to know more about the token or cookie, you can see this
@ http://www.snakelegs.org/2011/02/06/rdp-cookies-2/
0

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question