RD Session Host Access to farm from outside the office

We currently have a Terminal server farm with a server acting as a session broker and 5 terminal servers. We have the farm name in DNS which points to the session broker. Internally we have it working where the session broker load balances to the terminal servers. Outside users are only going to one server that isn't part of the farm. I tried looking but I can't seem to find anything that easily explains how to get users from the outside to load balance to the farm servers. At times we may have 20-30 people from the outside, which slows down that one server.

Some articles I've read say to put the session broker as the outside server, but from the outside they use login.companyname.com and from inside they just use companyname as the farm name.

Other suggestions I've seen mention that each server you want to have access to from outside would need a static IP and be attached to the farm.

We are using Windows 2008R2.
msidnam Asked:
 
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
I don't know how that Session Broker works, but it should be able to be configured as "manager" (or man in the middle) for connections. That way the Broker's IP is the one all RDP traffic from public is directed at, and the Broker then holds the connections to the RDP farm.

Internal DNS Round-Robin could be used with very short TTL, if (and only if) the NAT router allows for port forwarding to DNS entries.
The stateful firewall would work because the individual connection will have its individual and correct internal target IP, so RDP traffic from that specific RDP server will hit the internal session table, allowing traffic to flow back to the requester. Otherwise firewall rules need to be set up to allow for outgoing RDP traffic (from port 3389) without TCP session flag checking (which defines a stateful firewall).
 
reredok (IT Consultant) Commented:
Which remote access do you have? VPN-Client?

Your DNS loadbalancer is RR?

RDSFARM 192.168.1.100
RDSFARM 192.168.1.105
RDSFARM 192.168.1.110

Do external computers have the right name resolution?
nslookup RDSFarm.yourdomain.local
 
msidnam (Author) Commented:
For remote access we have the user open up RDC and put in login.companyname.com.

Load balancer is the session broker. We have the farm name pointed to the IP of the session broker.

From the outside, login.mycompany.com points to a public IP that we have passing through our firewall port 3389 to one server.
 
reredok (IT Consultant) Commented:
 
msidnam (Author) Commented:
The link seems to be for internal RR DNS. Inside we have the farm working, but for external users (who are not using VPN) how do we get the ability to let them log in to the farm which has multiple servers and not just one static server?
 
reredok (IT Consultant) Commented:
The IP address of the RDS-Farm must point to each Remote Desktop Server, not to the Session Broker.
 
msidnam (Author) Commented:
I'm not following, sorry. By changing the internal DNS to point to the server directly, how will that help when users log in from the outside using a public static IP that is NATed to a single server?
 
gurutc Commented:
Hi,

You'll never get load balancing from outside if users are connecting to an external IP that only NATs to one internal server. What kind of router are you using? Your comment about VPN is very relevant. Your users can't get the benefit of load balancing unless their connectivity allows them to see multiple servers to get load-balanced services from, such as VPN. You're probably going to have to have multiple IPs NATted to the outside world to do this.

- gurutc
 
msidnam (Author) Commented:
Currently we use our MPLS to NAT the traffic. I think the firewall is a Cisco ASDM. That NATs login.companyname.com to public IP X.X.X.X. The internal IP is 172.16.X.X.

I don't have the ability to point that external IP to multiple internal IPs (that I know of; I can check with tech support though).

I can't give everyone a VPN u/pw since we only have 50 licensed and they only go to IT and our developers.
 
msidnam (Author) Commented:
If I point the public IP address to the session broker, the session broker should be able to then route the requests to an available TS in the farm?
 
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
"Should" is exactly correct ;-).
Question has a verified solution.
