[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

RDP and Token Based Redirection

Posted on 2013-01-11
4
Medium Priority
?
2,368 Views
Last Modified: 2013-01-17
I'm trying to understand how to setup and use token based redirection with Session Broker to do load balancing for a TS farm instead of using the default IP address redirection.

I have an F5 load balancer that supports token based redirection. I understand the setup on the F5 side, but I don't really understand how it works from the TS side.

On the broker setup on each terminal server, obviously you choose token based redirection, and select the ipv4 address of the server in question.

1) So connections come into the load balancer
2) LB forwards connection to one of the TS Servers
3) TS Server contacts broker and sends back actual TS Server to connect to

At this point when using IP based redirection, it just sends the client back the ip of the TS to connect to. With token based redirection, I don't really understand what it does at this point. Where does the LB come into play, and how does it use this token to redirect the TS session?
0
Comment
Question by:jschweg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 65

Expert Comment

by:btan
ID: 38769863
This is a quick understanding btw the two methods

http://technet.microsoft.com/en-us/library/cc732852(v=ws.10).aspx

You must use IP address redirection if you use any of the following as your load-balancing solution:

-TS Session Broker Load Balancing, using DNS round robin
-Network Load Balancing (NLB)
-A hardware load balancer that does not support TS Session Broker routing tokens

If you configure a terminal server to use TS Session Broker routing tokens as the redirection method, the IP address of the terminal server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct terminal server in the farm.

If you switch to token redirection mode, you can select only one IP address for reconnection. The address that you select must meet both of the following criteria:

-It must be the IP address of the network adapter that is connected to the load balancer.
-It must be the address that is configured on the load balancer as the IP address for the terminal server.
0
 
LVL 65

Expert Comment

by:btan
ID: 38769871
if you take a look at F5 deployment guide, it is depicting scenario 1 - The BIG-IP LTM provides advanced load balancing to farm members, while honoring RD Connection Broker routing tokens. Pg 5 has useful MSDN link for setup as well included the F5 recommendations and steps. key point is to have RDP persistence set in LTM

http://www.f5.com/pdf/deployment-guides/f5-microsoft-remote-desktop-services-dg.pdf
0
 
LVL 4

Author Comment

by:jschweg
ID: 38770019
Thanks for the link to the deployment guide. That part of it I have successfully configured. The part the is eluding me are the two requirements for what the redirection IP needs to be when configuring the token redirection on each terminal server.

--It must be the IP address of the network adapter that is connected to the load balancer.

--It must be the address that is configured on the load balancer as the IP address for the terminal server.

How can both of the above be true? So F5 is configured to load balance via the private IPs of the terminal servers. Okay, so the redirect IP just needs to be the local address. I don't understand the first requirement abotu needing to be the ip address that is connected to the LB.
0
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 38770184
How I understand it is when client try to connect the virtual ip of LTM serving as the broker ip which always the first address that client needs to hit, LTM with session directory enabled will checked which host server ip to be directed. The token back to client will then be lead to that rdp host server,  in this case the client will reconnect to host virtual server of LTM. There are only two virtual ips altogether fronted by LTM which the client needs to know in anytime. LTM will direct to the pool accordingly. This is as in pg 6 and 7 of the F5 guide.

==>To better clarify above, you should look at below two link esp the second one to better understand the flow
(see the "Down on the Server Farm")
@ http://technet.microsoft.com/en-us/magazine/hh413262.aspx
(see the "How Hardware Load Balancers Work" Fig 7.4 - IP redirection (DNS LB) and Fig 7.5 - Token routing)
@ http://www.brianmadden.com/blogs/terminal_services_for_microsoft_windows_server_2003_advanced_technical_design_guide/pages/load-balancing-options.aspx

In all, in token routing, the client will always go to the LB virtual IP (initial req) and and LB reply is always for client to go back to same LB virtual IP passing the token it received. But because LB (session directory enabled) saw the token from client and it will direct the traffic to the right Host server ip in its pool.

If you interested to know more about the token or cookie, you can see this
@ http://www.snakelegs.org/2011/02/06/rdp-cookies-2/
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question