Solved

RDP and Token Based Redirection

Posted on 2013-01-11
Last Modified: 2013-01-17
I'm trying to understand how to set up and use token based redirection with Session Broker to do load balancing for a TS farm instead of using the default IP address redirection.

I have an F5 load balancer that supports token based redirection. I understand the setup on the F5 side, but I don't really understand how it works from the TS side.

On the broker setup on each terminal server, obviously you choose token based redirection, and select the IPv4 address of the server in question.

1) So connections come into the load balancer
2) LB forwards connection to one of the TS Servers
3) TS Server contacts broker and sends back actual TS Server to connect to

At this point when using IP based redirection, it just sends the client back the ip of the TS to connect to. With token based redirection, I don't really understand what it does at this point. Where does the LB come into play, and how does it use this token to redirect the TS session?
Question by:jschweg
 
LVL 61

Expert Comment

by:btan
ID: 38769863
This is a quick understanding between the two methods:

http://technet.microsoft.com/en-us/library/cc732852(v=ws.10).aspx

You must use IP address redirection if you use any of the following as your load-balancing solution:

-TS Session Broker Load Balancing, using DNS round robin
-Network Load Balancing (NLB)
-A hardware load balancer that does not support TS Session Broker routing tokens

If you configure a terminal server to use TS Session Broker routing tokens as the redirection method, the IP address of the terminal server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct terminal server in the farm.

If you switch to token redirection mode, you can select only one IP address for reconnection. The address that you select must meet both of the following criteria:

-It must be the IP address of the network adapter that is connected to the load balancer.
-It must be the address that is configured on the load balancer as the IP address for the terminal server.
0
 
LVL 61

Expert Comment

by:btan
ID: 38769871
If you take a look at the F5 deployment guide, it depicts scenario 1: the BIG-IP LTM provides advanced load balancing to farm members, while honoring RD Connection Broker routing tokens. Pg 5 has a useful MSDN link for setup as well, and includes the F5 recommendations and steps. The key point is to have RDP persistence set in LTM.

http://www.f5.com/pdf/deployment-guides/f5-microsoft-remote-desktop-services-dg.pdf
0
 
LVL 4

Author Comment

by:jschweg
ID: 38770019
Thanks for the link to the deployment guide. That part of it I have successfully configured. The part that is eluding me is the two requirements for what the redirection IP needs to be when configuring the token redirection on each terminal server.

--It must be the IP address of the network adapter that is connected to the load balancer.

--It must be the address that is configured on the load balancer as the IP address for the terminal server.

How can both of the above be true? So F5 is configured to load balance via the private IPs of the terminal servers. Okay, so the redirect IP just needs to be the local address. I don't understand the first requirement about needing to be the IP address that is connected to the LB.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 38770184
How I understand it is that when the client tries to connect to the virtual IP of the LTM, serving as the broker IP, which is always the first address that the client needs to hit, the LTM with session directory enabled will check which host server IP to direct to. The token sent back to the client will then lead to that RDP host server; in this case the client will reconnect to the host virtual server of the LTM. There are only two virtual IPs altogether, fronted by the LTM, which the client needs to know at any time. The LTM will direct to the pool accordingly. This is as on pg 6 and 7 of the F5 guide.

==>To better clarify the above, you should look at the two links below, especially the second one, to better understand the flow
(see the "Down on the Server Farm")
@ http://technet.microsoft.com/en-us/magazine/hh413262.aspx
(see the "How Hardware Load Balancers Work" Fig 7.4 - IP redirection (DNS LB) and Fig 7.5 - Token routing)
@ http://www.brianmadden.com/blogs/terminal_services_for_microsoft_windows_server_2003_advanced_technical_design_guide/pages/load-balancing-options.aspx

In all, in token routing, the client will always go to the LB virtual IP (initial req), and the LB reply is always for the client to go back to the same LB virtual IP, passing the token it received. But because the LB (session directory enabled) saw the token from the client, it will direct the traffic to the right host server IP in its pool.

If you are interested in knowing more about the token or cookie, you can see this
@ http://www.snakelegs.org/2011/02/06/rdp-cookies-2/
0
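The two address requirements discussed in this thread can be checked by decoding the routing token itself. The following is an added example, not part of the original posts or of any F5 or Microsoft tooling; it assumes the `Cookie: msts=<ip>.<port>.0000` routing token layout, and the pool addresses and sample tokens are constructed.

```python
import ipaddress
import re
import struct

# Layout of the routing token line in the RDP connection request:
#   Cookie: msts=<ip>.<port>.<reserved>\r\n
TOKEN_RE = re.compile(rb"Cookie: msts=(\d+)\.(\d+)\.(\d+)\r\n")


def encode_token(ip: str, port: int = 3389) -> bytes:
    """Build the routing token a farm member would issue for ip:port."""
    # The address bytes are read as a little-endian 32-bit integer and the
    # port is byte-swapped; both are then written in decimal.
    ip_num = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)[0]
    port_num = struct.unpack("<H", struct.pack(">H", port))[0]
    return b"Cookie: msts=%d.%d.0000\r\n" % (ip_num, port_num)


def decode_token(data: bytes):
    """Return (ip, port) from the first routing token in data, or None."""
    m = TOKEN_RE.search(data)
    if m is None:
        return None
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None  # out of range, so not a valid token
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_num)))
    port = struct.unpack(">H", struct.pack("<H", port_num))[0]
    return ip, port


def check_token(data: bytes, pool_members: set) -> str:
    """Say whether the token points at an address the load balancer knows."""
    target = decode_token(data)
    if target is None:
        return "no-token"
    return "ok" if target in pool_members else "not-in-pool"


# Constructed sample data: pool members as configured on the load balancer,
# and a token issued for an adapter the load balancer has no entry for.
POOL = {("172.31.249.216", 3389), ("172.31.249.217", 3389)}
GOOD = b"Cookie: msts=3640205228.15629.0000\r\n"
WRONG_NIC = encode_token("10.0.0.5")

if __name__ == "__main__":
    for sample in (GOOD, WRONG_NIC, b"Cookie: mstshash=user1\r\n"):
        print(sample.strip().decode(), "->", check_token(sample, POOL))
```

A token that decodes to an address outside the pool is what results when the redirection IP chosen on a terminal server is not the address the load balancer has configured for that server.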
