Solved

Windows RDS - Combining RD Gateway and RD Web Access Roles on same NLB Cluster

Posted on 2014-07-28
4
2,433 Views
Last Modified: 2014-07-30
Hi,

I was wondering if anybody knows whether the following configuration is possible and supported by Microsoft in Windows Server 2008 R2 Remote Desktop Services (RDS):

Perimeter Network (DMZ):
-------------------------------------------

2 x Microsoft NLB Clustered RDS servers running the following RDS roles:
- RD Gateway
- RD Web Access

Internal Network:
--------------------------------

2 x Microsoft NLB Clustered RDS servers running the following RDS roles:
- RD Session Host

1 x Windows Server 2008 R2 server running the following RDS roles:
- RD Connection Broker
- RD Licensing

My main concern here is whether I can provide redundancy and high availability for the RD Gateway and RD Web Access roles by combining them on an NLB cluster.  I can't justify creating 4 servers for this purpose to the client.  I realize that the RD Connection Broker role in RDS 2008 R2 must be configured as a failover cluster for HA, so I have opted to pass on that for now.

Will this DMZ setup work? And if so, are there any strong reasons why I should avoid combining the perimeter roles in this fashion?

Thanks in advance,

Jon
0
Comment
Question by:KPI1
  • 2
4 Comments
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40227823
There isn’t any KB article as such stating that RD Gateway and RDWeb on the same box is a supported deployment. But below deployment scenarios that points to the same.
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
       
If RD Web Access and RD Gateway are on the same server in the perimeter network or when RD Web Access is in the perimeter network, the following additional firewall rules need to be configured between the perimeter network (RD Web Access) and the internal network (RemoteApp Server).

According to my understanding, I don't see any good reason to separate these TWO roles, since both roles required TCP 443 and I can save below by combining both roles:
Server Hardware (Physical \ Virtual)
ONE Public IP
ONE SSL Certificate

You can simply use NLB \ HLB to evenly distribute both functions traffic efficiently
In order to get this work efficiently you need to create TWO DNS Host(A) records in public DNS and internal DNS servers (If your public name space is different than internal AD domain name) which will points to VIP of NLB\HLB
One DNS record pointing to RD Web access
One DNS Record Pointing to RD Gateway
Ex:
gateway.domain.com
WebAccess.domain.com
Both above records should point to same VIP

Mahesh.
0
 
LVL 27

Expert Comment

by:Steve
ID: 40227929
It is possible as both roles use port 443 and connections are not tied to a particular server.
0
 

Author Closing Comment

by:KPI1
ID: 40228076
Thanks Mahesh! I had read the exact document you referenced and assumed that it would work as you have stated, but I needed some experts to confirm this for me in case I overlooked a small detail that negated the entire possibility.  Thank you so much for the detailed explanation.  I appreciate your input!

Jon
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40228592
Thanks
There is one correction in above article
The article says that WMI service port needs to be opened from RD Web Access to RD Session Host Servers and vice versa
In reality, WMI Service port need to be made static on RD Session hosts only and RD Web access should be able to access RD Session host through that WMI service port.
Check below article which is correct
http://technet.microsoft.com/en-us/library/cc770330.aspx
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Recently, I was asked to look into SCCM 2007 by my employer, having a degree of experience of earlier versions of SMS and some previous SCCM knowledge I didn't expect the procedure to involve to much time. I read a number of guides concerning it…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now