Solved

Windows RDS - Combining RD Gateway and RD Web Access Roles on same NLB Cluster

Posted on 2014-07-28
4
2,844 Views
Last Modified: 2014-07-30
Hi,

I was wondering if anybody knows whether the following configuration is possible and supported by Microsoft in Windows Server 2008 R2 Remote Desktop Services (RDS):

Perimeter Network (DMZ):
-------------------------------------------

2 x Microsoft NLB Clustered RDS servers running the following RDS roles:
- RD Gateway
- RD Web Access

Internal Network:
--------------------------------

2 x Microsoft NLB Clustered RDS servers running the following RDS roles:
- RD Session Host

1 x Windows Server 2008 R2 server running the following RDS roles:
- RD Connection Broker
- RD Licensing

My main concern here is whether I can provide redundancy and high availability for the RD Gateway and RD Web Access roles by combining them on an NLB cluster.  I can't justify creating 4 servers for this purpose to the client.  I realize that the RD Connection Broker role in RDS 2008 R2 must be configured as a failover cluster for HA, so I have opted to pass on that for now.

Will this DMZ setup work? And if so, are there any strong reasons why I should avoid combining the perimeter roles in this fashion?

Thanks in advance,

Jon
0
Comment
Question by:KPI1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40227823
There isn’t any KB article as such stating that RD Gateway and RDWeb on the same box is a supported deployment. But below deployment scenarios that points to the same.
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx 
       
If RD Web Access and RD Gateway are on the same server in the perimeter network or when RD Web Access is in the perimeter network, the following additional firewall rules need to be configured between the perimeter network (RD Web Access) and the internal network (RemoteApp Server).

According to my understanding, I don't see any good reason to separate these TWO roles, since both roles required TCP 443 and I can save below by combining both roles:
Server Hardware (Physical \ Virtual)
ONE Public IP
ONE SSL Certificate

You can simply use NLB \ HLB to evenly distribute both functions traffic efficiently
In order to get this work efficiently you need to create TWO DNS Host(A) records in public DNS and internal DNS servers (If your public name space is different than internal AD domain name) which will points to VIP of NLB\HLB
One DNS record pointing to RD Web access
One DNS Record Pointing to RD Gateway
Ex:
gateway.domain.com
WebAccess.domain.com
Both above records should point to same VIP

Mahesh.
0
 
LVL 27

Expert Comment

by:Steve
ID: 40227929
It is possible as both roles use port 443 and connections are not tied to a particular server.
0
 

Author Closing Comment

by:KPI1
ID: 40228076
Thanks Mahesh! I had read the exact document you referenced and assumed that it would work as you have stated, but I needed some experts to confirm this for me in case I overlooked a small detail that negated the entire possibility.  Thank you so much for the detailed explanation.  I appreciate your input!

Jon
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40228592
Thanks
There is one correction in above article
The article says that WMI service port needs to be opened from RD Web Access to RD Session Host Servers and vice versa
In reality, WMI Service port need to be made static on RD Session hosts only and RD Web access should be able to access RD Session host through that WMI service port.
Check below article which is correct
http://technet.microsoft.com/en-us/library/cc770330.aspx
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was asked if I could set up a fax machine so that incoming faxes were delivered to people's Exchange inboxes and so that they could send faxes from their desktops without needing to print the document first.  I knew it was possible but I had no id…
To effectively work with Diskpart on a Server Core, it is necessary to write some small batch script's, because you can't execute diskpart in a remote powershell session. To get startet, place the Diskpart batch script's into a share on your loca…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question