Solved

Windows RDS - Combining RD Gateway and RD Web Access Roles on same NLB Cluster

Posted on 2014-07-28
4
Medium Priority
3,232 Views
Last Modified: 2014-07-30
Hi,

I was wondering if anybody knows whether the following configuration is possible and supported by Microsoft in Windows Server 2008 R2 Remote Desktop Services (RDS):

Perimeter Network (DMZ):
-------------------------------------------

2 x Microsoft NLB Clustered RDS servers running the following RDS roles:
- RD Gateway
- RD Web Access

Internal Network:
--------------------------------

2 x Microsoft NLB Clustered RDS servers running the following RDS roles:
- RD Session Host

1 x Windows Server 2008 R2 server running the following RDS roles:
- RD Connection Broker
- RD Licensing

My main concern here is whether I can provide redundancy and high availability for the RD Gateway and RD Web Access roles by combining them on an NLB cluster.  I can't justify creating 4 servers for this purpose to the client.  I realize that the RD Connection Broker role in RDS 2008 R2 must be configured as a failover cluster for HA, so I have opted to pass on that for now.

Will this DMZ setup work? And if so, are there any strong reasons why I should avoid combining the perimeter roles in this fashion?

Thanks in advance,

Jon
0
Question by:KPI1
4 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 40227823
There isn't any KB article as such stating that RD Gateway and RDWeb on the same box is a supported deployment, but the deployment scenario below points to the same:
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx

If RD Web Access and RD Gateway are on the same server in the perimeter network, or when RD Web Access is in the perimeter network, the following additional firewall rules need to be configured between the perimeter network (RD Web Access) and the internal network (RemoteApp Server).

According to my understanding, I don't see any good reason to separate these TWO roles, since both roles require TCP 443, and I can save the following by combining them:
Server Hardware (Physical \ Virtual)
ONE Public IP
ONE SSL Certificate

You can simply use NLB \ HLB to evenly distribute both functions' traffic efficiently.
In order to get this working efficiently, you need to create TWO DNS Host (A) records in the public DNS and in the internal DNS servers (if your public namespace is different from the internal AD domain name), which will point to the VIP of the NLB \ HLB:
One DNS record pointing to RD Web Access
One DNS record pointing to RD Gateway
Ex:
gateway.domain.com
WebAccess.domain.com
Both of the above records should point to the same VIP.

Mahesh.
0
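An added pre-deployment check for the design Mahesh describes (example code written for this page, not from the thread or from Microsoft): it verifies that both hostnames resolve to the same NLB VIP and that the single SSL certificate covers both names. The DNS map, VIP and certificate names are constructed sample values standing in for a real deployment.

```python
import socket
from typing import Callable, Dict, List

# Constructed sample data for an offline run (hypothetical names and addresses).
SAMPLE_VIP = "203.0.113.10"
SAMPLE_DNS: Dict[str, List[str]] = {
    "gateway.example.com": ["203.0.113.10"],
    "webaccess.example.com": ["203.0.113.10"],
    "rds.example.com": ["203.0.113.11"],  # stale record pointing at a single node, not the VIP
}
SAMPLE_CERT_NAMES = ["gateway.example.com", "webaccess.example.com"]


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Match a certificate CN/SAN entry against a hostname.

    Exact match, or a wildcard that covers exactly one label in the leftmost position
    (so *.example.com covers gateway.example.com but not a.b.example.com).
    """
    cert_name, hostname = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    c_labels, h_labels = cert_name.split("."), hostname.split(".")
    return len(c_labels) == len(h_labels) and c_labels[1:] == h_labels[1:]


def resolve_offline(name: str) -> List[str]:
    """Resolver backed by the constructed map above."""
    return SAMPLE_DNS.get(name, [])


def resolve_live(name: str) -> List[str]:
    """Resolver using the host's real DNS; returns [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_design(names: List[str], vip: str, cert_names: List[str],
                 resolve: Callable[[str], List[str]] = resolve_offline) -> List[str]:
    """Return a list of problems; an empty list means both checks passed for every name."""
    problems = []
    for name in names:
        addrs = resolve(name)
        if not addrs:
            problems.append(f"{name}: no A record")
        elif set(addrs) != {vip}:
            problems.append(f"{name}: resolves to {sorted(addrs)}, expected NLB VIP {vip}")
        if not any(hostname_matches(c, name) for c in cert_names):
            problems.append(f"{name}: not covered by certificate names {cert_names}")
    return problems
```

Pass `resolve=resolve_live` to run the DNS half against real records once the A records exist.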
 
LVL 27

Expert Comment

by:Steve
ID: 40227929
It is possible as both roles use port 443 and connections are not tied to a particular server.
0
 

Author Closing Comment

by:KPI1
ID: 40228076
Thanks Mahesh! I had read the exact document you referenced and assumed that it would work as you have stated, but I needed some experts to confirm this for me in case I overlooked a small detail that negated the entire possibility.  Thank you so much for the detailed explanation.  I appreciate your input!

Jon
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40228592
Thanks.
There is one correction to the above article.
The article says that the WMI service port needs to be opened from RD Web Access to the RD Session Host servers and vice versa.
In reality, the WMI service port needs to be made static on the RD Session Hosts only, and RD Web Access should be able to access the RD Session Hosts through that WMI service port.
Check the article below, which is correct:
http://technet.microsoft.com/en-us/library/cc770330.aspx
0
