Windows RDS - Combining RD Gateway and RD Web Access Roles on same NLB Cluster

Posted on 2014-07-28 (last modified 2014-07-30)
Hi,

I was wondering if anybody knows whether the following configuration is possible and supported by Microsoft in Windows Server 2008 R2 Remote Desktop Services (RDS):

Perimeter Network (DMZ):
-------------------------------------------

2 x Microsoft NLB Clustered RDS servers running the following RDS roles:
- RD Gateway
- RD Web Access

Internal Network:
--------------------------------

2 x Microsoft NLB Clustered RDS servers running the following RDS roles:
- RD Session Host

1 x Windows Server 2008 R2 server running the following RDS roles:
- RD Connection Broker
- RD Licensing

My main concern here is whether I can provide redundancy and high availability for the RD Gateway and RD Web Access roles by combining them on an NLB cluster.  I can't justify creating 4 servers for this purpose to the client.  I realize that the RD Connection Broker role in RDS 2008 R2 must be configured as a failover cluster for HA, so I have opted to pass on that for now.

Will this DMZ setup work? And if so, are there any strong reasons why I should avoid combining the perimeter roles in this fashion?

Thanks in advance,

Jon
Question by: KPI1

Accepted Solution by: Mahesh (ID: 40227823)
There isn't any KB article as such stating that RD Gateway and RDWeb on the same box is a supported deployment, but the deployment scenario below points to the same:
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

If RD Web Access and RD Gateway are on the same server in the perimeter network, or when RD Web Access is in the perimeter network, the following additional firewall rules need to be configured between the perimeter network (RD Web Access) and the internal network (RemoteApp Server).

According to my understanding, I don't see any good reason to separate these TWO roles, since both roles require TCP 443, and I can save the following by combining both roles:
Server Hardware (Physical \ Virtual)
ONE Public IP
ONE SSL Certificate

You can simply use NLB \ HLB to evenly distribute both functions' traffic efficiently.
In order to get this to work efficiently, you need to create TWO DNS Host (A) records in public DNS and internal DNS servers (if your public name space is different from the internal AD domain name), which will point to the VIP of the NLB\HLB:
One DNS record pointing to RD Web Access
One DNS record pointing to RD Gateway
Ex:
gateway.domain.com
WebAccess.domain.com
Both of the above records should point to the same VIP.

Mahesh.
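As an added example that is not part of this thread (not Mahesh's code, not Microsoft's), here is a PowerShell check of the design the accepted answer describes, run from a client outside the perimeter: both hostnames must resolve to the single NLB VIP, TCP 443 must answer on each, and the ONE certificate presented on the VIP must validate for each name. The VIP and the two hostnames are placeholders (assumptions). Because two names share one IP and one certificate, the third check passes for both names only when that certificate is a SAN or wildcard certificate covering both; a certificate issued for just one of the names fails .NET's name validation on the other.

```powershell
# Added example (not from the thread). Placeholder values: replace with your own.
$Vip   = '203.0.113.10'                                   # assumed NLB VIP (RFC 5737 documentation range)
$Names = @('gateway.domain.com', 'webaccess.domain.com')  # the two A records from the accepted answer

function Test-RdsPerimeterName {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [Parameter(Mandatory=$true)][string]$ExpectedVip
    )
    $r = New-Object PSObject -Property @{
        Host = $HostName; ResolvesToVip = $false; Port443Open = $false
        CertValidForName = $false; CertSubject = $null; CertExpires = $null; Error = $null
    }

    # 1. Both public names must point at the same VIP (two A records, one address).
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
        $r.ResolvesToVip = [bool]($addrs -contains $ExpectedVip)
    } catch { $r.Error = "DNS: $($_.Exception.Message)"; return $r }

    # 2. TCP 443 is the only port both roles need from the Internet side.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($HostName, 443); $r.Port443Open = $true }
    catch { $r.Error = "TCP 443: $($_.Exception.Message)"; $tcp.Close(); return $r }

    # 3. TLS handshake with default .NET validation: the certificate must chain to a
    #    trusted root AND match the name we connected to. Because both names share one
    #    VIP and ONE certificate, this passes for both only with a SAN or wildcard cert.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)     # throws AuthenticationException on mismatch/untrusted
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $r.CertValidForName = $true
        $r.CertSubject      = $cert.Subject
        $r.CertExpires      = $cert.NotAfter
    } catch { $r.Error = "TLS: $($_.Exception.Message)" }
    finally { $ssl.Close(); $tcp.Close() }
    return $r
}

$Names | ForEach-Object { Test-RdsPerimeterName -HostName $_ -ExpectedVip $Vip } |
    Format-Table Host, ResolvesToVip, Port443Open, CertValidForName, CertSubject, CertExpires, Error -AutoSize
```

Run it twice, once from the Internet and once from the internal network, since the answer calls for the A records in both public and internal DNS; a name that validates externally but not internally usually means the internal zone is missing a record or points at a node address instead of the VIP.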
Expert Comment by: Steve (ID: 40227929)
It is possible, as both roles use port 443 and connections are not tied to a particular server.
Author Closing Comment by: KPI1 (ID: 40228076)
Thanks Mahesh! I had read the exact document you referenced and assumed that it would work as you have stated, but I needed some experts to confirm this for me in case I overlooked a small detail that negated the entire possibility.  Thank you so much for the detailed explanation.  I appreciate your input!

Jon
Expert Comment by: Mahesh (ID: 40228592)
Thanks.
There is one correction to the above article.
The article says that the WMI service port needs to be opened from RD Web Access to the RD Session Host servers and vice versa.
In reality, the WMI service port needs to be made static on the RD Session Hosts only, and RD Web Access should be able to access the RD Session Hosts through that WMI service port.
Check the article below, which is correct:
http://technet.microsoft.com/en-us/library/cc770330.aspx
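As an added example, not code from this thread or from either Microsoft article, the corrected firewall requirement from the follow-up written out in PowerShell: on each RD Session Host, pin WMI to a fixed port and allow only the two RD Web Access nodes to reach it, instead of opening the RPC dynamic range in both directions; then, from an RD Web Access node, confirm that the port answers through the internal firewall. The `winmgmt -standalonehost` switch and the default fixed WMI port 24158 are documented by Microsoft; TCP 135 is included in the rule because a DCOM client still asks the RPC endpoint mapper which port WMI listens on. The RD Web Access addresses and the session host name are placeholders (assumptions).

```powershell
# Added example (not from the thread). Placeholder values: replace with your own.
$RdWebAccessNodes = @('192.0.2.11', '192.0.2.12')   # assumed DMZ addresses of the two NLB nodes
$WmiFixedPort     = 24158                           # Microsoft's default fixed WMI port

# --- Run elevated on each RD Session Host ---
function Set-WmiFixedPortRule {
    param(
        [Parameter(Mandatory=$true)][string[]]$AllowedRemoteIps,
        [int]$Port = 24158
    )
    # Move the WMI provider host into its own process so it listens on the fixed port
    # instead of a random port from the RPC dynamic range; the service must be restarted.
    & winmgmt -standalonehost
    Restart-Service winmgmt -Force

    # Inbound rule limited to the RD Web Access nodes only. TCP 135 (RPC endpoint mapper)
    # is still required, because a DCOM client asks it which port WMI is listening on.
    $remote = $AllowedRemoteIps -join ','
    & netsh advfirewall firewall add rule name=RDS-WMI-FixedPort dir=in action=allow `
        protocol=TCP "localport=135,$Port" "remoteip=$remote"
}

# --- Run on each RD Web Access node to confirm the internal firewall passes the traffic ---
function Test-WmiFixedPort {
    param(
        [Parameter(Mandatory=$true)][string]$SessionHost,
        [int]$Port = 24158,
        [int]$TimeoutMs = 3000
    )
    $result = New-Object PSObject -Property @{ SessionHost = $SessionHost; Tcp135 = $false; WmiPort = $false }
    foreach ($p in @(135, $Port)) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($SessionHost, $p, $null, $null)
            # A filtered port never answers; treat a timeout as closed rather than hanging.
            $open = $async.AsyncWaitHandle.WaitOne($TimeoutMs)
            if ($open) { $client.EndConnect($async) }
        } catch { $open = $false }
        finally { $client.Close() }
        if ($p -eq 135) { $result.Tcp135 = [bool]$open } else { $result.WmiPort = [bool]$open }
    }
    return $result
}

# Usage (placeholders): on a session host
#   Set-WmiFixedPortRule -AllowedRemoteIps $RdWebAccessNodes -Port $WmiFixedPort
# on an RD Web Access node
#   Test-WmiFixedPort -SessionHost 'rdsh01.corp.example' -Port $WmiFixedPort
```

Restricting `remoteip` to the two DMZ node addresses is the point of the correction: the session hosts expose one fixed port to two known hosts, rather than the whole dynamic RPC range to the perimeter, and nothing needs to be opened from the internal network back toward RD Web Access.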
