Windows RDS - Combining RD Gateway and RD Web Access Roles on same NLB Cluster

Hi,

I was wondering if anybody knows whether the following configuration is possible and supported by Microsoft in Windows Server 2008 R2 Remote Desktop Services (RDS):

Perimeter Network (DMZ):
-------------------------------------------

2 x Microsoft NLB Clustered RDS servers running the following RDS roles:
- RD Gateway
- RD Web Access

Internal Network:
--------------------------------

2 x Microsoft NLB Clustered RDS servers running the following RDS roles:
- RD Session Host

1 x Windows Server 2008 R2 server running the following RDS roles:
- RD Connection Broker
- RD Licensing

My main concern here is whether I can provide redundancy and high availability for the RD Gateway and RD Web Access roles by combining them on an NLB cluster.  I can't justify creating 4 servers for this purpose to the client.  I realize that the RD Connection Broker role in RDS 2008 R2 must be configured as a failover cluster for HA, so I have opted to pass on that for now.

Will this DMZ setup work? And if so, are there any strong reasons why I should avoid combining the perimeter roles in this fashion?

Thanks in advance,

Jon
KPI1Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MaheshArchitectCommented:
There isn’t any KB article as such stating that RD Gateway and RDWeb on the same box is a supported deployment. But below deployment scenarios that points to the same.
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx 
       
If RD Web Access and RD Gateway are on the same server in the perimeter network or when RD Web Access is in the perimeter network, the following additional firewall rules need to be configured between the perimeter network (RD Web Access) and the internal network (RemoteApp Server).

According to my understanding, I don't see any good reason to separate these TWO roles, since both roles required TCP 443 and I can save below by combining both roles:
Server Hardware (Physical \ Virtual)
ONE Public IP
ONE SSL Certificate

You can simply use NLB \ HLB to evenly distribute both functions traffic efficiently
In order to get this work efficiently you need to create TWO DNS Host(A) records in public DNS and internal DNS servers (If your public name space is different than internal AD domain name) which will points to VIP of NLB\HLB
One DNS record pointing to RD Web access
One DNS Record Pointing to RD Gateway
Ex:
gateway.domain.com
WebAccess.domain.com
Both above records should point to same VIP

Mahesh.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SteveCommented:
It is possible as both roles use port 443 and connections are not tied to a particular server.
0
KPI1Author Commented:
Thanks Mahesh! I had read the exact document you referenced and assumed that it would work as you have stated, but I needed some experts to confirm this for me in case I overlooked a small detail that negated the entire possibility.  Thank you so much for the detailed explanation.  I appreciate your input!

Jon
0
MaheshArchitectCommented:
Thanks
There is one correction in above article
The article says that WMI service port needs to be opened from RD Web Access to RD Session Host Servers and vice versa
In reality, WMI Service port need to be made static on RD Session hosts only and RD Web access should be able to access RD Session host through that WMI service port.
Check below article which is correct
http://technet.microsoft.com/en-us/library/cc770330.aspx
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.