RDP and Token Based Redirection

Posted on 2013-01-11
Medium Priority
Last Modified: 2013-01-17
I'm trying to understand how to set up and use token based redirection with Session Broker to do load balancing for a TS farm instead of using the default IP address redirection.

I have an F5 load balancer that supports token based redirection. I understand the setup on the F5 side, but I don't really understand how it works from the TS side.

On the broker setup on each terminal server, obviously you choose token based redirection, and select the IPv4 address of the server in question.

1) So connections come into the load balancer
2) LB forwards connection to one of the TS Servers
3) TS Server contacts broker and sends back actual TS Server to connect to

At this point when using IP based redirection, it just sends the client back the IP of the TS to connect to. With token based redirection, I don't really understand what it does at this point. Where does the LB come into play, and how does it use this token to redirect the TS session?
Question by:jschweg

Expert Comment

ID: 38769863
This is a quick understanding between the two methods.


You must use IP address redirection if you use any of the following as your load-balancing solution:

- TS Session Broker Load Balancing, using DNS round robin
- Network Load Balancing (NLB)
- A hardware load balancer that does not support TS Session Broker routing tokens

If you configure a terminal server to use TS Session Broker routing tokens as the redirection method, the IP address of the terminal server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct terminal server in the farm.

If you switch to token redirection mode, you can select only one IP address for reconnection. The address that you select must meet both of the following criteria:

- It must be the IP address of the network adapter that is connected to the load balancer.
- It must be the address that is configured on the load balancer as the IP address for the terminal server.

Expert Comment

ID: 38769871
If you take a look at the F5 deployment guide, it depicts scenario 1: the BIG-IP LTM provides advanced load balancing to farm members, while honoring RD Connection Broker routing tokens. Pg 5 has a useful MSDN link for setup, as well as the F5 recommendations and steps. The key point is to have RDP persistence set in LTM.


Author Comment

ID: 38770019
Thanks for the link to the deployment guide. That part of it I have successfully configured. The part that is eluding me is the two requirements for what the redirection IP needs to be when configuring the token redirection on each terminal server.

--It must be the IP address of the network adapter that is connected to the load balancer.

--It must be the address that is configured on the load balancer as the IP address for the terminal server.

How can both of the above be true? So F5 is configured to load balance via the private IPs of the terminal servers. Okay, so the redirect IP just needs to be the local address. I don't understand the first requirement about needing to be the IP address that is connected to the LB.

Accepted Solution

btan earned 2000 total points
ID: 38770184
How I understand it is: when the client tries to connect to the virtual IP of the LTM serving as the broker IP, which is always the first address that the client needs to hit, the LTM with session directory enabled will check which host server IP to direct to. The token sent back to the client will then lead to that RDP host server; in this case the client will reconnect to the host virtual server of the LTM. There are only two virtual IPs altogether fronted by the LTM which the client needs to know at any time. The LTM will direct to the pool accordingly. This is as on pg 6 and 7 of the F5 guide.

==> To better clarify the above, you should look at the two links below, especially the second one, to better understand the flow:
(see the "Down on the Server Farm")
@ http://technet.microsoft.com/en-us/magazine/hh413262.aspx
(see the "How Hardware Load Balancers Work" Fig 7.4 - IP redirection (DNS LB) and Fig 7.5 - Token routing)
@ http://www.brianmadden.com/blogs/terminal_services_for_microsoft_windows_server_2003_advanced_technical_design_guide/pages/load-balancing-options.aspx

In all, in token routing, the client will always go to the LB virtual IP (initial request), and the LB reply is always for the client to go back to the same LB virtual IP, passing the token it received. But because the LB (session directory enabled) sees the token from the client, it will direct the traffic to the right host server IP in its pool.

If you are interested to know more about the token or cookie, you can see this
@ http://www.snakelegs.org/2011/02/06/rdp-cookies-2/
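
The routing token discussed in this thread can be decoded offline to see what the load balancer reads from it. The following is an added example, not part of the original thread or the F5 guide; it assumes the `Cookie: msts=<ip>.<port>.<reserved>` layout of the TS Session Broker routing token, with IP and port stored as byte-swapped decimal integers. The function names and pool addresses are constructed for illustration.

```python
import ipaddress
import re
import struct

# "Cookie: msts=<ip>.<port>.<reserved>" as sent in the RDP connection request.
TOKEN_RE = re.compile(r"^Cookie: msts=(\d+)\.(\d+)\.(\d+)$")

# Constructed sample: pool members as configured on the load balancer.
LB_POOL = {("10.0.0.21", 3389), ("10.0.0.22", 3389)}


def encode_routing_token(ip: str, port: int = 3389) -> str:
    """Build the token for a terminal server's configured redirection IP."""
    # Network-order bytes of the address and port, read as little-endian integers.
    ip_le = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)[0]
    port_le = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"Cookie: msts={ip_le}.{port_le}.0000"


def decode_routing_token(line: str) -> tuple[str, int]:
    """Recover (ip, port) from a routing token line; raise on malformed input."""
    m = TOKEN_RE.match(line.strip())
    if not m:
        raise ValueError("not an msts routing token")
    ip_le, port_le = int(m.group(1)), int(m.group(2))
    if ip_le > 0xFFFFFFFF or port_le > 0xFFFF:
        raise ValueError("token field out of range")
    ip = ipaddress.IPv4Address(struct.pack("<I", ip_le))
    port = struct.unpack(">H", struct.pack("<H", port_le))[0]
    return str(ip), port


def pick_pool_member(line: str, pool=LB_POOL):
    """Return the pool member named by the token, or None if it is not in the pool.

    None models the case where the redirection IP chosen on the terminal
    server is not the address the load balancer has for that server, so the
    token cannot be honored and the session is not steered to it.
    """
    target = decode_routing_token(line)
    return target if target in pool else None


if __name__ == "__main__":
    token = encode_routing_token("10.0.0.21")
    print(token, "->", pick_pool_member(token))
    # A server that advertises an address the LB does not know (constructed).
    print(pick_pool_member(encode_routing_token("192.168.50.21")))
```
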
