• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2434
  • Last Modified:

RDP and Token Based Redirection

I'm trying to understand how to setup and use token based redirection with Session Broker to do load balancing for a TS farm instead of using the default IP address redirection.

I have an F5 load balancer that supports token based redirection. I understand the setup on the F5 side, but I don't really understand how it works from the TS side.

On the broker setup on each terminal server, obviously you choose token based redirection, and select the ipv4 address of the server in question.

1) So connections come into the load balancer
2) LB forwards connection to one of the TS Servers
3) TS Server contacts broker and sends back actual TS Server to connect to

At this point when using IP based redirection, it just sends the client back the ip of the TS to connect to. With token based redirection, I don't really understand what it does at this point. Where does the LB come into play, and how does it use this token to redirect the TS session?
  • 3
1 Solution
btanExec ConsultantCommented:
This is a quick understanding btw the two methods


You must use IP address redirection if you use any of the following as your load-balancing solution:

-TS Session Broker Load Balancing, using DNS round robin
-Network Load Balancing (NLB)
-A hardware load balancer that does not support TS Session Broker routing tokens

If you configure a terminal server to use TS Session Broker routing tokens as the redirection method, the IP address of the terminal server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct terminal server in the farm.

If you switch to token redirection mode, you can select only one IP address for reconnection. The address that you select must meet both of the following criteria:

-It must be the IP address of the network adapter that is connected to the load balancer.
-It must be the address that is configured on the load balancer as the IP address for the terminal server.
btanExec ConsultantCommented:
if you take a look at F5 deployment guide, it is depicting scenario 1 - The BIG-IP LTM provides advanced load balancing to farm members, while honoring RD Connection Broker routing tokens. Pg 5 has useful MSDN link for setup as well included the F5 recommendations and steps. key point is to have RDP persistence set in LTM

jschwegAuthor Commented:
Thanks for the link to the deployment guide. That part of it I have successfully configured. The part the is eluding me are the two requirements for what the redirection IP needs to be when configuring the token redirection on each terminal server.

--It must be the IP address of the network adapter that is connected to the load balancer.

--It must be the address that is configured on the load balancer as the IP address for the terminal server.

How can both of the above be true? So F5 is configured to load balance via the private IPs of the terminal servers. Okay, so the redirect IP just needs to be the local address. I don't understand the first requirement abotu needing to be the ip address that is connected to the LB.
btanExec ConsultantCommented:
How I understand it is when client try to connect the virtual ip of LTM serving as the broker ip which always the first address that client needs to hit, LTM with session directory enabled will checked which host server ip to be directed. The token back to client will then be lead to that rdp host server,  in this case the client will reconnect to host virtual server of LTM. There are only two virtual ips altogether fronted by LTM which the client needs to know in anytime. LTM will direct to the pool accordingly. This is as in pg 6 and 7 of the F5 guide.

==>To better clarify above, you should look at below two link esp the second one to better understand the flow
(see the "Down on the Server Farm")
@ http://technet.microsoft.com/en-us/magazine/hh413262.aspx
(see the "How Hardware Load Balancers Work" Fig 7.4 - IP redirection (DNS LB) and Fig 7.5 - Token routing)
@ http://www.brianmadden.com/blogs/terminal_services_for_microsoft_windows_server_2003_advanced_technical_design_guide/pages/load-balancing-options.aspx

In all, in token routing, the client will always go to the LB virtual IP (initial req) and and LB reply is always for client to go back to same LB virtual IP passing the token it received. But because LB (session directory enabled) saw the token from client and it will direct the traffic to the right Host server ip in its pool.

If you interested to know more about the token or cookie, you can see this
@ http://www.snakelegs.org/2011/02/06/rdp-cookies-2/

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now